Posted to commits@sentry.apache.org by co...@apache.org on 2016/06/24 06:00:30 UTC
[01/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Repository: sentry
Updated Branches:
refs/heads/SENTRY-1205 4767ec38e -> e72e6eacf
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
index 02ac514..c18a839 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
@@ -29,7 +29,7 @@ import java.sql.Statement;
import org.apache.hadoop.mapreduce.JobContext;
import org.apache.hive.service.cli.HiveSQLException;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestViewPrivileges.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestViewPrivileges.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestViewPrivileges.java
index 79e9548..24fbe7e 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestViewPrivileges.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestViewPrivileges.java
@@ -30,7 +30,7 @@ import java.util.Map;
import org.junit.Assert;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.AfterClass;
import org.junit.Assume;
import org.junit.Before;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java
index f1e6d75..9f35991 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java
@@ -40,7 +40,7 @@ import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hadoop.hive.serde.serdeConstants;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.pig.PigServer;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory.HiveServer2Type;
import org.junit.BeforeClass;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java
index 875e9aa..2463a2f 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java
@@ -34,7 +34,7 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
import org.apache.sentry.core.model.db.DBModelAuthorizables;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
import org.apache.tools.ant.util.StringUtils;
import org.mortbay.log.Log;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
index 3c28fd0..d8e45b5 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
@@ -29,7 +29,7 @@ import org.apache.hadoop.hive.metastore.api.FieldSchema;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
import org.apache.hadoop.hive.metastore.api.Table;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
import org.apache.thrift.TException;
import org.junit.Before;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java
index f406fd7..3e9abd5 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java
@@ -27,7 +27,7 @@ import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
import org.apache.hive.hcatalog.pig.HCatStorer;
import org.apache.pig.ExecType;
import org.apache.pig.PigServer;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
import org.junit.Before;
import org.junit.BeforeClass;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
index 98ec814..c0f5fe8 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
@@ -35,7 +35,7 @@ import org.apache.hadoop.hive.metastore.api.FieldSchema;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.Partition;
import org.apache.hadoop.hive.metastore.api.Table;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.tests.e2e.hive.Context;
import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-kafka/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-kafka/pom.xml b/sentry-tests/sentry-tests-kafka/pom.xml
index 44ee045..4c0ae77 100644
--- a/sentry-tests/sentry-tests-kafka/pom.xml
+++ b/sentry-tests/sentry-tests-kafka/pom.xml
@@ -58,7 +58,8 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-db</artifactId>
+ <artifactId>sentry-service-server</artifactId>
+ <scope>test</scope>
</dependency>
</dependencies>
<profiles>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-kafka/src/test/java/org/apache/sentry/tests/e2e/kafka/AbstractKafkaSentryTestBase.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-kafka/src/test/java/org/apache/sentry/tests/e2e/kafka/AbstractKafkaSentryTestBase.java b/sentry-tests/sentry-tests-kafka/src/test/java/org/apache/sentry/tests/e2e/kafka/AbstractKafkaSentryTestBase.java
index 74fe421..10d6af7 100644
--- a/sentry-tests/sentry-tests-kafka/src/test/java/org/apache/sentry/tests/e2e/kafka/AbstractKafkaSentryTestBase.java
+++ b/sentry-tests/sentry-tests-kafka/src/test/java/org/apache/sentry/tests/e2e/kafka/AbstractKafkaSentryTestBase.java
@@ -34,7 +34,7 @@ import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.generic.tools.KafkaTSentryPrivilegeConverter;
import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.service.thrift.SentryService;
import org.apache.sentry.service.thrift.SentryServiceFactory;
import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-solr/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/pom.xml b/sentry-tests/sentry-tests-solr/pom.xml
index 2f802ab..a60b4ee 100644
--- a/sentry-tests/sentry-tests-solr/pom.xml
+++ b/sentry-tests/sentry-tests-solr/pom.xml
@@ -45,7 +45,7 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-db</artifactId>
+ <artifactId>sentry-service-server</artifactId>
<scope>test</scope>
</dependency>
<dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/AbstractSolrSentryTestWithDbProvider.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/AbstractSolrSentryTestWithDbProvider.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/AbstractSolrSentryTestWithDbProvider.java
index ccea82e..2abd9d2 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/AbstractSolrSentryTestWithDbProvider.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/db/integration/AbstractSolrSentryTestWithDbProvider.java
@@ -47,7 +47,7 @@ import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.service.thrift.SentryService;
import org.apache.sentry.service.thrift.SentryServiceFactory;
import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-sqoop/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/pom.xml b/sentry-tests/sentry-tests-sqoop/pom.xml
index c494b5a..f70c5c3 100644
--- a/sentry-tests/sentry-tests-sqoop/pom.xml
+++ b/sentry-tests/sentry-tests-sqoop/pom.xml
@@ -74,7 +74,7 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-db</artifactId>
+ <artifactId>sentry-service-server</artifactId>
<scope>test</scope>
</dependency>
<dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java
index 8a01e1c..67de5ac 100644
--- a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java
@@ -41,7 +41,7 @@ import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericService
import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.service.thrift.SentryService;
import org.apache.sentry.service.thrift.SentryServiceFactory;
import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
[30/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
deleted file mode 100644
index 7db5426..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
+++ /dev/null
@@ -1,542 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.model.kafka.validator.KafkaPrivilegeValidator;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-import org.apache.shiro.config.ConfigurationException;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.PrintStream;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Set;
-
-import static org.junit.Assert.*;
-
-public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
- private File confDir;
- private File confPath;
- private static String TEST_ROLE_NAME_1 = "testRole1";
- private static String TEST_ROLE_NAME_2 = "testRole2";
- private static String KAFKA = "kafka";
- private String requestorName = "";
- private String service = "kafka1";
-
- @Before
- public void prepareForTest() throws Exception {
- confDir = Files.createTempDir();
- confPath = new File(confDir, "sentry-site.xml");
- if (confPath.createNewFile()) {
- FileOutputStream to = new FileOutputStream(confPath);
- conf.writeXml(to);
- to.close();
- }
- requestorName = clientUgi.getShortUserName();//.getProperty("user.name", "");
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorName, requestorUserGroupNames);
- // add ADMIN_USER for the after() in SentryServiceIntegrationBase
- setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
- writePolicyFile();
- }
-
- @After
- public void clearTestData() throws Exception {
- FileUtils.deleteQuietly(confDir);
- }
-
- @Test
- public void testCreateDropRole() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // test: create role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
- // test: create role with --create_role
- args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
-
- // validate the result, list roles with -lr
- args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
- SentryShellKafka sentryShell = new SentryShellKafka();
- Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
- // validate the result, list roles with --list_role
- args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
- // test: drop role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
- // test: drop role with --drop_role
- args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
-
- // validate the result
- Set<TSentryRole> roles = client.listAllRoles(requestorName, KAFKA);
- assertEquals("Incorrect number of roles", 0, roles.size());
- }
- });
- }
-
- @Test
- public void testAddDeleteRoleForGroup() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // Group names are case sensitive - mixed case names should work
- String TEST_GROUP_1 = "testGroup1";
- String TEST_GROUP_2 = "testGroup2";
- String TEST_GROUP_3 = "testGroup3";
-
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
- client.createRole(requestorName, TEST_ROLE_NAME_2, KAFKA);
- // test: add role to group with -arg
- String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
- // test: add role to multiple groups
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
- // test: add role to group with --add_role_group
- args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
-
- // validate the result list roles with -lr and -g
- args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath() };
- SentryShellKafka sentryShell = new SentryShellKafka();
- Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
- // list roles with --list_role and -g
- args = new String[] { "--list_role", "-g", TEST_GROUP_2, "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1);
-
- args = new String[] { "--list_role", "-g", TEST_GROUP_3, "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1);
-
- // test: delete role from group with -drg
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
- // test: delete role to multiple groups
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
- // test: delete role from group with --delete_role_group
- args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
- "-conf", confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
-
- // validate the result
- Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, TEST_GROUP_1, KAFKA);
- assertEquals("Incorrect number of roles", 0, roles.size());
- roles = client.listRolesByGroupName(requestorName, TEST_GROUP_2, KAFKA);
- assertEquals("Incorrect number of roles", 0, roles.size());
- roles = client.listRolesByGroupName(requestorName, TEST_GROUP_3, KAFKA);
- assertEquals("Incorrect number of roles", 0, roles.size());
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
- client.dropRole(requestorName, TEST_ROLE_NAME_2, KAFKA);
- }
- });
- }
-
- @Test
- public void testCaseSensitiveGroupName() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
-
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
- // add role to a group (lower case)
- String[] args = {"-arg", "-r", TEST_ROLE_NAME_1, "-g", "group1", "-conf",
- confPath.getAbsolutePath()};
- SentryShellKafka.main(args);
-
- // validate the roles when group name is same case as above
- args = new String[]{"-lr", "-g", "group1", "-conf", confPath.getAbsolutePath()};
- SentryShellKafka sentryShell = new SentryShellKafka();
- Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1);
-
- // roles should be empty when group name is different case than above
- args = new String[]{"-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath()};
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames);
- }
- });
- }
-
- public static String grant(boolean shortOption) {
- return shortOption ? "-gpr" : "--grant_privilege_role";
- }
-
- public static String revoke(boolean shortOption) {
- return shortOption ? "-rpr" : "--revoke_privilege_role";
- }
-
- public static String list(boolean shortOption) {
- return shortOption ? "-lp" : "--list_privilege";
- }
-
- private void assertGrantRevokePrivilege(final boolean shortOption) throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
- client.createRole(requestorName, TEST_ROLE_NAME_2, KAFKA);
-
- String [] privs = {
- "HOST=*->CLUSTER=kafka-cluster->action=read",
- "HOST=h1->TOPIC=t1->action=write",
- "HOST=*->CONSUMERGROUP=cg1->action=read",
- "CLUSTER=kafka-cluster->action=write",
- "CONSUMERGROUP=cg2->action=write"
- };
- for (int i = 0; i < privs.length; ++i) {
- // test: grant privilege to role
- String [] args = new String [] { grant(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
- privs[ i ],
- "-conf", confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
- }
-
- // test the list privilege
- String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellKafka sentryShell = new SentryShellKafka();
- Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
-
- assertEquals("Incorrect number of privileges", privs.length, privilegeStrs.size());
- for (int i = 0; i < privs.length; ++i) {
- assertTrue("Expected privilege: " + privs[i] + " in " + Arrays.toString(privilegeStrs.toArray()), privilegeStrs.contains(privs[i].startsWith("HOST=") ? privs[i] : "HOST=*->" + privs[i]));
- }
-
- for (int i = 0; i < privs.length; ++i) {
- args = new String[] { revoke(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
- privs[ i ], "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
- Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorName,
- TEST_ROLE_NAME_1, KAFKA, service);
- assertEquals("Incorrect number of privileges. Received privileges: " + Arrays.toString(privileges.toArray()), privs.length - (i + 1), privileges.size());
- }
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
- client.dropRole(requestorName, TEST_ROLE_NAME_2, KAFKA);
- }
- });
- }
-
-
- @Test
- public void testGrantRevokePrivilegeWithShortOption() throws Exception {
- assertGrantRevokePrivilege(true);
- }
-
- @Test
- public void testGrantRevokePrivilegeWithLongOption() throws Exception {
- assertGrantRevokePrivilege(false);
- }
-
-
- @Test
- public void testNegativeCaseWithInvalidArgument() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
- // test: create duplicate role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellKafka sentryShell = new SentryShellKafka();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for creating duplicate role");
- } catch (SentryUserException e) {
- // expected exception
- } catch (Exception e) {
- fail ("Unexpected exception received. " + e);
- }
-
- // test: drop non-exist role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for dropping non-exist role");
- } catch (SentryUserException e) {
- // excepted exception
- } catch (Exception e) {
- fail ("Unexpected exception received. " + e);
- }
-
- // test: add non-exist role to group with -arg
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for granting non-exist role to group");
- } catch (SentryUserException e) {
- // excepted exception
- } catch (Exception e) {
- fail ("Unexpected exception received. " + e);
- }
-
- // test: drop group from non-exist role with -drg
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for drop group from non-exist role");
- } catch (SentryUserException e) {
- // excepted exception
- } catch (Exception e) {
- fail ("Unexpected exception received. " + e);
- }
-
- // test: grant privilege to role with the error privilege format
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=all",
- "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for the error privilege format, invalid key value.");
- } catch (IllegalArgumentException e) {
- // excepted exception
- } catch (Exception e) {
- fail ("Unexpected exception received. " + e);
- }
-
- // test: grant privilege to role with the error privilege hierarchy
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "consumergroup=cg1->host=h1->action=create", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for the error privilege format, invalid key value.");
- } catch (ConfigurationException e) {
- // expected exception
- } catch (Exception e) {
- fail ("Unexpected exception received. " + e);
- }
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
- }
- });
- }
-
- @Test
- public void testNegativeCaseWithoutRequiredArgument() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String strOptionConf = "conf";
- client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
- // test: the conf is required argument
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
- SentryShellKafka sentryShell = new SentryShellKafka();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
-
- // test: -r is required when create role
- args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -r is required when drop role
- args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -r is required when add role to group
- args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -g is required when add role to group
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
-
- // test: -r is required when delete role from group
- args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -g is required when delete role from group
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
-
- // test: -r is required when grant privilege to role
- args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -p is required when grant privilege to role
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
-
- // test: action is required in privilege
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "host=*->topic=t1" };
- sentryShell = new SentryShellKafka();
- try {
- getShellResultWithOSRedirect(sentryShell, args, false);
- fail("Expected IllegalArgumentException");
- } catch (ConfigurationException e) {
- assert(("Kafka privilege must end with a valid action.\n" + KafkaPrivilegeValidator.KafkaPrivilegeHelpMsg).equals(e.getMessage()));
- } catch (Exception e) {
- fail ("Unexpected exception received. " + e);
- }
-
- // test: -r is required when revoke privilege from role
- args = new String[] { "-rpr", "-p", "host=h1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -p is required when revoke privilege from role
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
-
- // test: command option is required for shell
- args = new String[] {"-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
- validateMissingParameterMsgsContains(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[",
- "-arg Add role to group",
- "-cr Create role",
- "-rpr Revoke privilege from role",
- "-drg Delete role from group",
- "-lr List role",
- "-lp List privilege",
- "-gpr Grant privilege to role",
- "-dr Drop role");
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
- }
- });
- }
-
- // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
- private Set<String> getShellResultWithOSRedirect(SentryShellKafka sentryShell,
- String[] args, boolean expectedExecuteResult) throws Exception {
- PrintStream oldOut = System.out;
- ByteArrayOutputStream outContent = new ByteArrayOutputStream();
- System.setOut(new PrintStream(outContent));
- assertEquals(expectedExecuteResult, sentryShell.executeShell(args));
- Set<String> resultSet = Sets.newHashSet(outContent.toString().split("\n"));
- System.setOut(oldOut);
- return resultSet;
- }
-
- private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) {
- if (expectedRoleNames != null && expectedRoleNames.length > 0) {
- assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length,
- expectedRoleNames.length, roleNames.size());
- Set<String> lowerCaseRoles = new HashSet<String>();
- for (String role : roleNames) {
- lowerCaseRoles.add(role.toLowerCase());
- }
-
- for (String expectedRole : expectedRoleNames) {
- assertTrue("Expected role: " + expectedRole,
- lowerCaseRoles.contains(expectedRole.toLowerCase()));
- }
- }
- }
-
- private void validateMissingParameterMsg(SentryShellKafka sentryShell, String[] args,
- String expectedErrorMsg) throws Exception {
- Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
- assertTrue("Expected error message: " + expectedErrorMsg, errorMsgs.contains(expectedErrorMsg));
- }
-
- private void validateMissingParameterMsgsContains(SentryShellKafka sentryShell, String[] args,
- String ... expectedErrorMsgsContains) throws Exception {
- Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
- boolean foundAllMessages = false;
- Iterator<String> it = errorMsgs.iterator();
- while (it.hasNext()) {
- String errorMessage = it.next();
- boolean missingExpected = false;
- for (String expectedContains : expectedErrorMsgsContains) {
- if (!errorMessage.contains(expectedContains)) {
- missingExpected = true;
- break;
- }
- }
- if (!missingExpected) {
- foundAllMessages = true;
- break;
- }
- }
- assertTrue(foundAllMessages);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
deleted file mode 100644
index d4e26e8..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
+++ /dev/null
@@ -1,525 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.io.Files;
-import com.google.common.collect.Sets;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.PrintStream;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Set;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
- private File confDir;
- private File confPath;
- private static String TEST_ROLE_NAME_1 = "testRole1";
- private static String TEST_ROLE_NAME_2 = "testRole2";
- private String requestorName = "";
- private String service = "service1";
-
- @Before
- public void prepareForTest() throws Exception {
- confDir = Files.createTempDir();
- confPath = new File(confDir, "sentry-site.xml");
- if (confPath.createNewFile()) {
- FileOutputStream to = new FileOutputStream(confPath);
- conf.writeXml(to);
- to.close();
- }
- requestorName = clientUgi.getShortUserName();//System.getProperty("user.name", "");
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorName, requestorUserGroupNames);
- // add ADMIN_USER for the after() in SentryServiceIntegrationBase
- setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
- writePolicyFile();
- }
-
- @After
- public void clearTestData() throws Exception {
- FileUtils.deleteQuietly(confDir);
- }
-
- @Test
- public void testCreateDropRole() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // test: create role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
- // test: create role with --create_role
- args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
-
- // validate the result, list roles with -lr
- args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
- SentryShellSolr sentryShell = new SentryShellSolr();
- Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
- // validate the result, list roles with --list_role
- args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
- // test: drop role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
- // test: drop role with --drop_role
- args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
-
- // validate the result
- Set<TSentryRole> roles = client.listAllRoles(requestorName, SOLR);
- assertEquals("Incorrect number of roles", 0, roles.size());
- }
- });
- }
-
- @Test
- public void testAddDeleteRoleForGroup() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // Group names are case sensitive - mixed case names should work
- String TEST_GROUP_1 = "testGroup1";
- String TEST_GROUP_2 = "testGroup2";
- String TEST_GROUP_3 = "testGroup3";
-
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
- client.createRole(requestorName, TEST_ROLE_NAME_2, SOLR);
- // test: add role to group with -arg
- String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
- // test: add role to multiple groups
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
- // test: add role to group with --add_role_group
- args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
-
- // validate the result list roles with -lr and -g
- args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSolr sentryShell = new SentryShellSolr();
- Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
- // list roles with --list_role and -g
- args = new String[] { "--list_role", "-g", TEST_GROUP_2, "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1);
-
- args = new String[] { "--list_role", "-g", TEST_GROUP_3, "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1);
-
- // test: delete role from group with -drg
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
- // test: delete role to multiple groups
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
- // test: delete role from group with --delete_role_group
- args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
- "-conf", confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
-
- // validate the result
- Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, TEST_GROUP_1, SOLR);
- assertEquals("Incorrect number of roles", 0, roles.size());
- roles = client.listRolesByGroupName(requestorName, TEST_GROUP_2, SOLR);
- assertEquals("Incorrect number of roles", 0, roles.size());
- roles = client.listRolesByGroupName(requestorName, TEST_GROUP_3, SOLR);
- assertEquals("Incorrect number of roles", 0, roles.size());
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1, SOLR);
- client.dropRole(requestorName, TEST_ROLE_NAME_2, SOLR);
- }
- });
- }
-
- @Test
- public void testCaseSensitiveGroupName() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
-
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
- // add role to a group (lower case)
- String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "group1", "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
-
- // validate the roles when group name is same case as above
- args = new String[] { "-lr", "-g", "group1", "-conf", confPath.getAbsolutePath() };
- SentryShellSolr sentryShell = new SentryShellSolr();
- Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1);
-
- // roles should be empty when group name is different case than above
- args = new String[] { "-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath() };
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames);
- }
- });
- }
-
- public static String grant(boolean shortOption) {
- return shortOption ? "-gpr" : "--grant_privilege_role";
- }
-
- public static String revoke(boolean shortOption) {
- return shortOption ? "-rpr" : "--revoke_privilege_role";
- }
-
- public static String list(boolean shortOption) {
- return shortOption ? "-lp" : "--list_privilege";
- }
-
- private void assertGrantRevokePrivilege(final boolean shortOption) throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
- client.createRole(requestorName, TEST_ROLE_NAME_2, SOLR);
-
- String [] privs = {
- "Collection=*->action=*",
- "Collection=collection2->action=update",
- "Collection=collection3->action=query",
- };
- for (int i = 0; i < privs.length; ++i) {
- // test: grant privilege to role
- String [] args = new String [] { grant(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
- privs[ i ],
- "-conf", confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
- }
-
- // test the list privilege
- String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSolr sentryShell = new SentryShellSolr();
- Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
- assertEquals("Incorrect number of privileges", privs.length, privilegeStrs.size());
- for (int i = 0; i < privs.length; ++i) {
- assertTrue("Expected privilege: " + privs[ i ], privilegeStrs.contains(privs[ i ]));
- }
-
- for (int i = 0; i < privs.length; ++i) {
- args = new String[] { revoke(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
- privs[ i ], "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
- Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorName,
- TEST_ROLE_NAME_1, SOLR, service);
- assertEquals("Incorrect number of privileges", privs.length - (i + 1), privileges.size());
- }
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1, SOLR);
- client.dropRole(requestorName, TEST_ROLE_NAME_2, SOLR);
- }
- });
- }
-
-
- @Test
- public void testGrantRevokePrivilegeWithShortOption() throws Exception {
- assertGrantRevokePrivilege(true);
- }
-
- @Test
- public void testGrantRevokePrivilegeWithLongOption() throws Exception {
- assertGrantRevokePrivilege(false);
- }
-
-
- @Test
- public void testNegativeCaseWithInvalidArgument() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
- // test: create duplicate role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSolr sentryShell = new SentryShellSolr();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for creating duplicate role");
- } catch (SentryUserException e) {
- // expected exception
- }
-
- // test: drop non-exist role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for dropping non-exist role");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: add non-exist role to group with -arg
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for granting non-exist role to group");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: drop group from non-exist role with -drg
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for drop group from non-exist role");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: grant privilege to role with the error privilege format
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=*",
- "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for the error privilege format, invalid key value.");
- } catch (IllegalArgumentException e) {
- // excepted exception
- }
-
- // test: grant privilege to role with the error privilege hierarchy
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->table=tbl1->column=col2->action=insert", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for the error privilege format, invalid key value.");
- } catch (IllegalArgumentException e) {
- // expected exception
- }
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1, SOLR);
- }
- });
- }
-
- @Test
- public void testNegativeCaseWithoutRequiredArgument() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String strOptionConf = "conf";
- client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
- // test: the conf is required argument
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
- SentryShellSolr sentryShell = new SentryShellSolr();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
-
- // test: -r is required when create role
- args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -r is required when drop role
- args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -r is required when add role to group
- args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -g is required when add role to group
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
-
- // test: -r is required when delete role from group
- args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -g is required when delete role from group
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
-
- // test: -r is required when grant privilege to role
- args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -p is required when grant privilege to role
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
-
- // test: action is required in privilege
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "collection=collection1" };
- sentryShell = new SentryShellSolr();
- try {
- getShellResultWithOSRedirect(sentryShell, args, false);
- fail("Expected IllegalArgumentException");
- } catch (IllegalArgumentException e) {
- assert("Privilege is invalid: action required but not specified.".equals(e.getMessage()));
- }
-
- // test: -r is required when revoke privilege from role
- args = new String[] { "-rpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -p is required when revoke privilege from role
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
-
- // test: command option is required for shell
- args = new String[] {"-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
- validateMissingParameterMsgsContains(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[",
- "-arg Add role to group",
- "-cr Create role",
- "-rpr Revoke privilege from role",
- "-drg Delete role from group",
- "-lr List role",
- "-lp List privilege",
- "-gpr Grant privilege to role",
- "-dr Drop role");
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1, SOLR);
- }
- });
- }
-
- // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
- private Set<String> getShellResultWithOSRedirect(SentryShellSolr sentryShell,
- String[] args, boolean expectedExecuteResult) throws Exception {
- PrintStream oldOut = System.out;
- ByteArrayOutputStream outContent = new ByteArrayOutputStream();
- System.setOut(new PrintStream(outContent));
- assertEquals(expectedExecuteResult, sentryShell.executeShell(args));
- Set<String> resultSet = Sets.newHashSet(outContent.toString().split("\n"));
- System.setOut(oldOut);
- return resultSet;
- }
-
- private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) {
- if (expectedRoleNames != null && expectedRoleNames.length > 0) {
- assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length,
- expectedRoleNames.length, roleNames.size());
- Set<String> lowerCaseRoles = new HashSet<String>();
- for (String role : roleNames) {
- lowerCaseRoles.add(role.toLowerCase());
- }
-
- for (String expectedRole : expectedRoleNames) {
- assertTrue("Expected role: " + expectedRole,
- lowerCaseRoles.contains(expectedRole.toLowerCase()));
- }
- }
- }
-
- private void validateMissingParameterMsg(SentryShellSolr sentryShell, String[] args,
- String expectedErrorMsg) throws Exception {
- Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
- assertTrue("Expected error message: " + expectedErrorMsg, errorMsgs.contains(expectedErrorMsg));
- }
-
- private void validateMissingParameterMsgsContains(SentryShellSolr sentryShell, String[] args,
- String ... expectedErrorMsgsContains) throws Exception {
- Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
- boolean foundAllMessages = false;
- Iterator<String> it = errorMsgs.iterator();
- while (it.hasNext()) {
- String errorMessage = it.next();
- boolean missingExpected = false;
- for (String expectedContains : expectedErrorMsgsContains) {
- if (!errorMessage.contains(expectedContains)) {
- missingExpected = true;
- break;
- }
- }
- if (!missingExpected) {
- foundAllMessages = true;
- break;
- }
- }
- assertTrue(foundAllMessages);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java
deleted file mode 100644
index ca9062b..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java
+++ /dev/null
@@ -1,106 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.appender;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.log4j.Logger;
-import org.apache.log4j.PatternLayout;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.io.Files;
-
-public class TestRollingFileWithoutDeleteAppender {
- private Logger sentryLogger = Logger.getRootLogger();
- private File dataDir;
-
- @Before
- public void init() {
- dataDir = Files.createTempDir();
- }
-
- @Test
- public void testRollOver() throws Throwable {
- if (dataDir == null) {
- fail("Excepted temp folder for audit log is created.");
- }
- RollingFileWithoutDeleteAppender appender = new RollingFileWithoutDeleteAppender(
- new PatternLayout("%m%n"), dataDir.getPath() + "/auditLog.log");
- appender.setMaximumFileSize(100);
- sentryLogger.addAppender(appender);
- // Write exactly 10 bytes with each log
- for (int i = 0; i < 99; i++) {
- if (i < 10) {
- sentryLogger.debug("Hello---" + i);
- } else if (i < 100) {
- sentryLogger.debug("Hello--" + i);
- }
- }
-
- if (dataDir != null) {
- File[] files = dataDir.listFiles();
- if (files != null) {
- assertEquals(files.length, 10);
- } else {
- fail("Excepted 10 log files.");
- }
- } else {
- fail("Excepted 10 log files.");
- }
-
- }
-
- /***
- * Generate log enough to cause a single rollover. Verify the file name format
- * @throws Throwable
- */
- @Test
- public void testFileNamePattern() throws Throwable {
- if (dataDir == null) {
- fail("Excepted temp folder for audit log is created.");
- }
- RollingFileWithoutDeleteAppender appender = new RollingFileWithoutDeleteAppender(
- new PatternLayout("%m%n"), dataDir.getPath() + "/auditLog.log");
- appender.setMaximumFileSize(10);
- sentryLogger.addAppender(appender);
- sentryLogger.debug("123456789012345");
- File[] files = dataDir.listFiles();
- if (files != null) {
- assertEquals(files.length, 2);
- assertTrue(files[0].getName().contains("auditLog.log."));
- assertTrue(files[1].getName().contains("auditLog.log."));
- } else {
- fail("Excepted 2 log files.");
- }
- }
-
- @After
- public void destroy() {
- if (dataDir != null) {
- FileUtils.deleteQuietly(dataDir);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestDbAuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestDbAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestDbAuditMetadataLogEntity.java
deleted file mode 100644
index 3d336af..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestDbAuditMetadataLogEntity.java
+++ /dev/null
@@ -1,69 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.entity;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
-
-import org.apache.sentry.provider.db.log.util.Constants;
-import org.codehaus.jackson.JsonNode;
-import org.codehaus.jackson.node.ContainerNode;
-import org.junit.Test;
-
-public class TestDbAuditMetadataLogEntity {
-
- @Test
- public void testToJsonFormatLog() throws Throwable {
- DBAuditMetadataLogEntity amle = new DBAuditMetadataLogEntity("serviceName", "userName",
- "impersonator", "ipAddress", "operation", "eventTime", "operationText", "allowed",
- "objectType", "component", "databaseName", "tableName", "columnName", "resourcePath");
- String jsonAuditLog = amle.toJsonFormatLog();
- ContainerNode rootNode = AuditMetadataLogEntity.parse(jsonAuditLog);
- assertEntryEquals(rootNode, Constants.LOG_FIELD_SERVICE_NAME, "serviceName");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_USER_NAME, "userName");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_IMPERSONATOR,
- "impersonator");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_IP_ADDRESS, "ipAddress");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION, "operation");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_EVENT_TIME, "eventTime");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION_TEXT,
- "operationText");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_ALLOWED, "allowed");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_DATABASE_NAME,
- "databaseName");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_TABLE_NAME, "tableName");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_COLUMN_NAME, "columnName");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_RESOURCE_PATH,
- "resourcePath");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_OBJECT_TYPE, "objectType");
- }
-
- void assertEntryEquals(ContainerNode rootNode, String key, String value) {
- JsonNode node = assertNodeContains(rootNode, key);
- assertEquals(value, node.getTextValue());
- }
-
- private JsonNode assertNodeContains(ContainerNode rootNode, String key) {
- JsonNode node = rootNode.get(key);
- if (node == null) {
- fail("No entry of name \"" + key + "\" found in " + rootNode.toString());
- }
- return node;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestGMAuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestGMAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestGMAuditMetadataLogEntity.java
deleted file mode 100644
index bbee1b4..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestGMAuditMetadataLogEntity.java
+++ /dev/null
@@ -1,74 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.entity;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import org.apache.sentry.provider.db.log.util.Constants;
-import org.codehaus.jackson.JsonNode;
-import org.codehaus.jackson.node.ContainerNode;
-import org.junit.Test;
-
-public class TestGMAuditMetadataLogEntity {
- @Test
- public void testToJsonFormatLog() throws Throwable {
-
- Map<String, String> privilegesMap = new HashMap<String, String>();
- privilegesMap.put("resourceType1", "resourceName1");
- privilegesMap.put("resourceType2", "resourceName2");
- privilegesMap.put("resourceType3", "resourceName3");
- privilegesMap.put("resourceType4", "resourceName4");
- GMAuditMetadataLogEntity gmamle = new GMAuditMetadataLogEntity("serviceName", "userName",
- "impersonator", "ipAddress", "operation", "eventTime", "operationText", "allowed",
- "objectType", "component", privilegesMap);
- String jsonAuditLog = gmamle.toJsonFormatLog();
- ContainerNode rootNode = AuditMetadataLogEntity.parse(jsonAuditLog);
- assertEntryEquals(rootNode, Constants.LOG_FIELD_SERVICE_NAME, "serviceName");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_USER_NAME, "userName");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_IMPERSONATOR, "impersonator");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_IP_ADDRESS, "ipAddress");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION, "operation");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_EVENT_TIME, "eventTime");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION_TEXT, "operationText");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_ALLOWED, "allowed");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_OBJECT_TYPE, "objectType");
- assertEntryEquals(rootNode, Constants.LOG_FIELD_COMPONENT, "component");
- assertEntryEquals(rootNode, "resourceType1", "resourceName1");
- assertEntryEquals(rootNode, "resourceType2", "resourceName2");
- assertEntryEquals(rootNode, "resourceType3", "resourceName3");
- assertEntryEquals(rootNode, "resourceType4", "resourceName4");
- }
-
- void assertEntryEquals(ContainerNode rootNode, String key, String value) {
- JsonNode node = assertNodeContains(rootNode, key);
- assertEquals(value, node.getTextValue());
- }
-
- private JsonNode assertNodeContains(ContainerNode rootNode, String key) {
- JsonNode node = rootNode.get(key);
- if (node == null) {
- fail("No entry of name \"" + key + "\" found in " + rootNode.toString());
- }
- return node;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
deleted file mode 100644
index 1ec8840..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
+++ /dev/null
@@ -1,272 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.entity;
-
-import static org.junit.Assert.assertEquals;
-
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.db.log.util.Constants;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsResponse;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsResponse;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeResponse;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeResponse;
-import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest;
-import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleResponse;
-import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
-import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse;
-import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
-import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.sentry.service.thrift.Status;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-
-public class TestJsonLogEntityFactory {
-
- private static Configuration conf;
-
- private static String TEST_IP = "localhost/127.0.0.1";
- private static String TEST_IMPERSONATOR = "impersonator";
- private static String TEST_ROLE_NAME = "testRole";
- private static String TEST_USER_NAME = "requestUser";
- private static String TEST_DATABASE_NAME = "testDB";
- private static String TEST_TABLE_NAME = "testTable";
- private static String TEST_GROUP = "testGroup";
-
- @BeforeClass
- public static void init() {
- conf = new Configuration();
- conf.set(ServerConfig.SENTRY_SERVICE_NAME,
- ServerConfig.SENTRY_SERVICE_NAME_DEFAULT);
- ThriftUtil.setIpAddress(TEST_IP);
- ThriftUtil.setImpersonator(TEST_IMPERSONATOR);
- }
-
- @Test
- public void testCreateRole() {
- TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
- TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
- request.setRequestorUserName(TEST_USER_NAME);
- request.setRoleName(TEST_ROLE_NAME);
- response.setStatus(Status.OK());
- DBAuditMetadataLogEntity amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory
- .getInstance().createJsonLogEntity(request, response, conf);
- assertCommon(amle, Constants.TRUE, Constants.OPERATION_CREATE_ROLE,
- "CREATE ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
-
- response.setStatus(Status.InvalidInput("", null));
- amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf);
- assertCommon(amle, Constants.FALSE, Constants.OPERATION_CREATE_ROLE,
- "CREATE ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
- }
-
- @Test
- public void testDropRole() {
- TDropSentryRoleRequest request = new TDropSentryRoleRequest();
- TDropSentryRoleResponse response = new TDropSentryRoleResponse();
- request.setRequestorUserName(TEST_USER_NAME);
- request.setRoleName(TEST_ROLE_NAME);
- response.setStatus(Status.OK());
- DBAuditMetadataLogEntity amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory
- .getInstance().createJsonLogEntity(request, response, conf);
- assertCommon(amle, Constants.TRUE, Constants.OPERATION_DROP_ROLE,
- "DROP ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
-
- response.setStatus(Status.InvalidInput("", null));
- amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf);
- assertCommon(amle, Constants.FALSE, Constants.OPERATION_DROP_ROLE,
- "DROP ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
- }
-
- @Test
- public void testGrantRole() {
- TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
- request.setRequestorUserName(TEST_USER_NAME);
- request.setRoleName(TEST_ROLE_NAME);
-
- TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
-
- TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
- PrivilegeScope.DATABASE.name(), TEST_DATABASE_NAME, null, null, null);
- Set<TSentryPrivilege> privileges = Sets.newHashSet();
- privileges.add(privilege);
- request.setPrivileges(privileges);
- response.setStatus(Status.OK());
- DBAuditMetadataLogEntity amle = new DBAuditMetadataLogEntity();
- Set<JsonLogEntity> amles = JsonLogEntityFactory
- .getInstance().createJsonLogEntitys(request, response, conf);
- assertEquals(amles.size(),1);
- amle = (DBAuditMetadataLogEntity) amles.iterator().next();
-
- assertCommon(amle, Constants.TRUE, Constants.OPERATION_GRANT_PRIVILEGE,
- "GRANT ALL ON DATABASE testDB TO ROLE testRole", TEST_DATABASE_NAME,
- null, null, Constants.OBJECT_TYPE_PRINCIPAL);
-
- privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(),
- null, TEST_TABLE_NAME, null, null);
- privileges = Sets.newHashSet();
- privileges.add(privilege);
- request.setPrivileges(privileges);
- response.setStatus(Status.InvalidInput("", null));
- amles = JsonLogEntityFactory.getInstance()
- .createJsonLogEntitys(request, response, conf);
- assertEquals(amles.size(),1);
- amle = (DBAuditMetadataLogEntity) amles.iterator().next();
-
- assertCommon(amle, Constants.FALSE, Constants.OPERATION_GRANT_PRIVILEGE,
- "GRANT ALL ON TABLE testTable TO ROLE testRole", null, TEST_TABLE_NAME,
- null, Constants.OBJECT_TYPE_PRINCIPAL);
- }
-
- @Test
- public void testRevokeRole() {
- TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
- TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse();
- request.setRequestorUserName(TEST_USER_NAME);
- request.setRoleName(TEST_ROLE_NAME);
-
- TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
- PrivilegeScope.DATABASE.name(), TEST_DATABASE_NAME, null, null, null);
- Set<TSentryPrivilege> privileges = Sets.newHashSet();
- privileges.add(privilege);
- request.setPrivileges(privileges);
- response.setStatus(Status.OK());
- DBAuditMetadataLogEntity amle = new DBAuditMetadataLogEntity();
- Set<JsonLogEntity> amles = JsonLogEntityFactory
- .getInstance().createJsonLogEntitys(request, response, conf);
- assertEquals(amles.size(),1);
- amle = (DBAuditMetadataLogEntity) amles.iterator().next();
-
- assertCommon(amle, Constants.TRUE, Constants.OPERATION_REVOKE_PRIVILEGE,
- "REVOKE ALL ON DATABASE testDB FROM ROLE testRole", TEST_DATABASE_NAME,
- null, null, Constants.OBJECT_TYPE_PRINCIPAL);
-
- privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(),
- null, TEST_TABLE_NAME, null, null);
- privileges = Sets.newHashSet();
- privileges.add(privilege);
- request.setPrivileges(privileges);
- response.setStatus(Status.InvalidInput("", null));
- amles = JsonLogEntityFactory.getInstance()
- .createJsonLogEntitys(request, response, conf);
- assertEquals(amles.size(),1);
- amle = (DBAuditMetadataLogEntity) amles.iterator().next();
-
- assertCommon(amle, Constants.FALSE, Constants.OPERATION_REVOKE_PRIVILEGE,
- "REVOKE ALL ON TABLE testTable FROM ROLE testRole", null,
- TEST_TABLE_NAME, null, Constants.OBJECT_TYPE_PRINCIPAL);
- }
-
- @Test
- public void testAddRole() {
- TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
- TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
- request.setRequestorUserName(TEST_USER_NAME);
- request.setRoleName(TEST_ROLE_NAME);
- request.setGroups(getGroups());
- response.setStatus(Status.OK());
- DBAuditMetadataLogEntity amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory
- .getInstance().createJsonLogEntity(request, response, conf);
- assertCommon(amle, Constants.TRUE, Constants.OPERATION_ADD_ROLE,
- "GRANT ROLE testRole TO GROUP testGroup", null, null, null,
- Constants.OBJECT_TYPE_ROLE);
-
- response.setStatus(Status.InvalidInput("", null));
- amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf);
- assertCommon(amle, Constants.FALSE, Constants.OPERATION_ADD_ROLE,
- "GRANT ROLE testRole TO GROUP testGroup", null, null, null,
- Constants.OBJECT_TYPE_ROLE);
- }
-
- @Test
- public void testDeleteRole() {
- TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
- TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
- request.setRequestorUserName(TEST_USER_NAME);
- request.setRoleName(TEST_ROLE_NAME);
- request.setGroups(getGroups());
- response.setStatus(Status.OK());
- DBAuditMetadataLogEntity amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory
- .getInstance().createJsonLogEntity(request, response, conf);
- assertCommon(amle, Constants.TRUE, Constants.OPERATION_DELETE_ROLE,
- "REVOKE ROLE testRole FROM GROUP testGroup", null, null, null,
- Constants.OBJECT_TYPE_ROLE);
-
- response.setStatus(Status.InvalidInput("", null));
- amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf);
- assertCommon(amle, Constants.FALSE, Constants.OPERATION_DELETE_ROLE,
- "REVOKE ROLE testRole FROM GROUP testGroup", null, null, null,
- Constants.OBJECT_TYPE_ROLE);
- }
-
- private void assertCommon(DBAuditMetadataLogEntity amle,
- String allowedExcepted, String operationExcepted,
- String operationTextExcepted, String databaseNameExcepted,
- String tableNameExcepted, String resourcePathExcepted,
- String objectTypeExcepted) {
- assertEquals(ServerConfig.SENTRY_SERVICE_NAME_DEFAULT,
- amle.getServiceName());
- assertEquals(TEST_IP, amle.getIpAddress());
- assertEquals(TEST_USER_NAME, amle.getUserName());
- assertEquals(TEST_IMPERSONATOR, amle.getImpersonator());
- assertEquals(allowedExcepted, amle.getAllowed());
- assertEquals(operationExcepted, amle.getOperation());
- assertEquals(operationTextExcepted, amle.getOperationText());
- assertEquals(tableNameExcepted, amle.getTableName());
- assertEquals(databaseNameExcepted, amle.getDatabaseName());
- assertEquals(resourcePathExcepted, amle.getResourcePath());
- assertEquals(objectTypeExcepted, amle.getObjectType());
- }
-
- private TSentryPrivilege getPrivilege(String action, String privilegeScope,
- String dbName, String tableName, String serverName, String URI) {
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setAction(action);
- privilege.setPrivilegeScope(privilegeScope);
- privilege.setDbName(dbName);
- privilege.setTableName(tableName);
- privilege.setServerName(serverName);
- privilege.setURI(URI);
- return privilege;
- }
-
- private Set<TSentryGroup> getGroups() {
- Set<TSentryGroup> groups = new LinkedHashSet<TSentryGroup>();
- TSentryGroup group = new TSentryGroup();
- group.setGroupName(TEST_GROUP);
- groups.add(group);
- return groups;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactoryGM.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactoryGM.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactoryGM.java
deleted file mode 100644
index dfae5ab..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactoryGM.java
+++ /dev/null
@@ -1,259 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.entity;
-
-import static org.junit.Assert.assertEquals;
-
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest;
-import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsResponse;
-import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
-import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsResponse;
-import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
-import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeResponse;
-import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
-import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeResponse;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest;
-import org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleResponse;
-import org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest;
-import org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleResponse;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.log.util.Constants;
-import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.sentry.service.thrift.Status;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-public class TestJsonLogEntityFactoryGM {
-
- private static Configuration conf;
- private static String TEST_IP = "localhost/127.0.0.1";
- private static String TEST_IMPERSONATOR = "impersonator";
- private static String TEST_ROLE_NAME = "testRole";
- private static String TEST_USER_NAME = "requestUser";
- private static String TEST_GROUP = "testGroup";
- private static String TEST_ACTION = "action";
- private static String TEST_COMPONENT = "component";
- private static Map<String, String> TEST_PRIVILEGES_MAP = new HashMap<String, String>();
-
- @BeforeClass
- public static void init() {
- conf = new Configuration();
- conf.set(ServerConfig.SENTRY_SERVICE_NAME, ServerConfig.SENTRY_SERVICE_NAME_DEFAULT);
- ThriftUtil.setIpAddress(TEST_IP);
- ThriftUtil.setImpersonator(TEST_IMPERSONATOR);
- TEST_PRIVILEGES_MAP.put("resourceType1", "resourceName1");
- TEST_PRIVILEGES_MAP.put("resourceType2", "resourceName2");
- TEST_PRIVILEGES_MAP.put("resourceType3", "resourceName3");
- }
-
- @Test
- public void testCreateRole() {
- TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
- TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
- request.setRequestorUserName(TEST_USER_NAME);
- request.setRoleName(TEST_ROLE_NAME);
- response.setStatus(Status.OK());
- GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf);
- assertCommon(amle, Constants.TRUE, Constants.OPERATION_CREATE_ROLE, "CREATE ROLE testRole",
- Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
-
- response.setStatus(Status.InvalidInput("", null));
- amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
- request, response, conf);
- assertCommon(amle, Constants.FALSE, Constants.OPERATION_CREATE_ROLE, "CREATE ROLE testRole",
- Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
- }
-
- @Test
- public void testDropRole() {
- TDropSentryRoleRequest request = new TDropSentryRoleRequest();
- TDropSentryRoleResponse response = new TDropSentryRoleResponse();
- request.setRequestorUserName(TEST_USER_NAME);
- request.setRoleName(TEST_ROLE_NAME);
- response.setStatus(Status.OK());
- GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory
- .getInstance().createJsonLogEntity(request, response, conf);
- assertCommon(amle, Constants.TRUE, Constants.OPERATION_DROP_ROLE, "DROP ROLE testRole",
- Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
-
- response.setStatus(Status.InvalidInput("", null));
- amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
- request, response, conf);
- assertCommon(amle, Constants.FALSE, Constants.OPERATION_DROP_ROLE, "DROP ROLE testRole",
- Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
- }
-
- @Test
- public void testGrantRole() {
- TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
- request.setRequestorUserName(TEST_USER_NAME);
- request.setRoleName(TEST_ROLE_NAME);
-
- TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
-
- TSentryPrivilege privilege = getPrivilege();
- request.setPrivilege(privilege);
- response.setStatus(Status.OK());
- GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(
- request, response, conf);
- assertCommon(
- amle,
- Constants.TRUE,
- Constants.OPERATION_GRANT_PRIVILEGE,
- "GRANT ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 resourceType3 resourceName3 TO ROLE testRole",
- Constants.OBJECT_TYPE_PRINCIPAL, TEST_PRIVILEGES_MAP);
-
- response.setStatus(Status.InvalidInput("", null));
- amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
- request, response, conf);
- assertCommon(
- amle,
- Constants.FALSE,
- Constants.OPERATION_GRANT_PRIVILEGE,
- "GRANT ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 resourceType3 resourceName3 TO ROLE testRole",
- Constants.OBJECT_TYPE_PRINCIPAL, TEST_PRIVILEGES_MAP);
- }
-
- @Test
- public void testRevokeRole() {
- TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
- TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse();
- request.setRequestorUserName(TEST_USER_NAME);
- request.setRoleName(TEST_ROLE_NAME);
-
- TSentryPrivilege privilege = getPrivilege();
- request.setPrivilege(privilege);
- response.setStatus(Status.OK());
- GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf);
- assertCommon(
- amle,
- Constants.TRUE,
- Constants.OPERATION_REVOKE_PRIVILEGE,
- "REVOKE ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 resourceType3 resourceName3 FROM ROLE testRole",
- Constants.OBJECT_TYPE_PRINCIPAL, TEST_PRIVILEGES_MAP);
-
- response.setStatus(Status.InvalidInput("", null));
- amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
- request, response, conf);
-
- assertCommon(
- amle,
- Constants.FALSE,
- Constants.OPERATION_REVOKE_PRIVILEGE,
- "REVOKE ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 resourceType3 resourceName3 FROM ROLE testRole",
- Constants.OBJECT_TYPE_PRINCIPAL, TEST_PRIVILEGES_MAP);
- }
-
- @Test
- public void testAddRole() {
- TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
- TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
- request.setRequestorUserName(TEST_USER_NAME);
- request.setRoleName(TEST_ROLE_NAME);
- request.setGroups(getGroups());
- response.setStatus(Status.OK());
- GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf);
- assertCommon(amle, Constants.TRUE, Constants.OPERATION_ADD_ROLE,
- "GRANT ROLE testRole TO GROUP testGroup", Constants.OBJECT_TYPE_ROLE,
- new HashMap<String, String>());
-
- response.setStatus(Status.InvalidInput("", null));
- amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
- request, response, conf);
- assertCommon(amle, Constants.FALSE, Constants.OPERATION_ADD_ROLE,
- "GRANT ROLE testRole TO GROUP testGroup", Constants.OBJECT_TYPE_ROLE,
- new HashMap<String, String>());
- }
-
- @Test
- public void testDeleteRole() {
- TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
- TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
- request.setRequestorUserName(TEST_USER_NAME);
- request.setRoleName(TEST_ROLE_NAME);
- request.setGroups(getGroups());
- response.setStatus(Status.OK());
- GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory
- .getInstance().createJsonLogEntity(request, response, conf);
- assertCommon(amle, Constants.TRUE, Constants.OPERATION_DELETE_ROLE,
- "REVOKE ROLE testRole FROM GROUP testGroup", Constants.OBJECT_TYPE_ROLE,
- new HashMap<String, String>());
-
- response.setStatus(Status.InvalidInput("", null));
- amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
- request, response, conf);
- assertCommon(amle, Constants.FALSE, Constants.OPERATION_DELETE_ROLE,
- "REVOKE ROLE testRole FROM GROUP testGroup", Constants.OBJECT_TYPE_ROLE,
- new HashMap<String, String>());
- }
-
- private void assertCommon(GMAuditMetadataLogEntity amle, String allowedExcepted,
- String operationExcepted, String operationTextExcepted, String objectTypeExcepted,
- Map<String, String> privilegesExcepted) {
- assertEquals(ServerConfig.SENTRY_SERVICE_NAME_DEFAULT, amle.getServiceName());
- assertEquals(TEST_IP, amle.getIpAddress());
- assertEquals(TEST_USER_NAME, amle.getUserName());
- assertEquals(TEST_IMPERSONATOR, amle.getImpersonator());
- assertEquals(allowedExcepted, amle.getAllowed());
- assertEquals(operationExcepted, amle.getOperation());
- assertEquals(operationTextExcepted, amle.getOperationText());
- assertEquals(objectTypeExcepted, amle.getObjectType());
- assertPrivilegesMap(privilegesExcepted, amle.getPrivilegesMap());
- }
-
- private void assertPrivilegesMap(Map<String, String> privilegesExcepted,
- Map<String, String> privilegesActual) {
- assertEquals(privilegesExcepted.size(), privilegesActual.size());
- for (Map.Entry<String, String> privilege : privilegesExcepted.entrySet()) {
- assertEquals(privilege.getValue(), privilegesActual.get(privilege.getKey()));
- }
- }
-
- private TSentryPrivilege getPrivilege() {
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setAction(TEST_ACTION);
- privilege.setComponent(TEST_COMPONENT);
- List<TAuthorizable> authorizables = new ArrayList<TAuthorizable>();
- authorizables.add(new TAuthorizable("resourceType1", "resourceName1"));
- authorizables.add(new TAuthorizable("resourceType2", "resourceName2"));
- authorizables.add(new TAuthorizable("resourceType3", "resourceName3"));
- privilege.setAuthorizables(authorizables);
- return privilege;
- }
-
- private Set<String> getGroups() {
- Set<String> groups = new HashSet<String>();
- groups.add(TEST_GROUP);
- return groups;
- }
-}
[13/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.6.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.6.0.sql
new file mode 100644
index 0000000..62edf3e
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.6.0.sql
@@ -0,0 +1,182 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+START TRANSACTION;
+
+SET statement_timeout = 0;
+SET client_encoding = 'UTF8';
+SET standard_conforming_strings = off;
+SET check_function_bodies = false;
+SET client_min_messages = warning;
+SET escape_string_warning = off;
+SET search_path = public, pg_catalog;
+SET default_tablespace = '';
+SET default_with_oids = false;
+
+CREATE TABLE "SENTRY_DB_PRIVILEGE" (
+ "DB_PRIVILEGE_ID" BIGINT NOT NULL,
+ "PRIVILEGE_SCOPE" character varying(32) NOT NULL,
+ "SERVER_NAME" character varying(128) NOT NULL,
+ "DB_NAME" character varying(128) DEFAULT '__NULL__',
+ "TABLE_NAME" character varying(128) DEFAULT '__NULL__',
+ "COLUMN_NAME" character varying(128) DEFAULT '__NULL__',
+ "URI" character varying(4000) DEFAULT '__NULL__',
+ "ACTION" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "ROLE_NAME" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL
+);
+
+CREATE TABLE "SENTRY_GROUP" (
+ "GROUP_ID" BIGINT NOT NULL,
+ "GROUP_NAME" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "DB_PRIVILEGE_ID" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" character varying(128)
+);
+
+CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "GROUP_ID" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" character varying(128)
+);
+
+CREATE TABLE "SENTRY_VERSION" (
+ "VER_ID" bigint,
+ "SCHEMA_VERSION" character varying(127) NOT NULL,
+ "VERSION_COMMENT" character varying(255) NOT NULL
+);
+
+
+ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
+
+ALTER TABLE ONLY "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
+
+ALTER TABLE ONLY "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
+
+ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
+
+ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME");
+
+CREATE INDEX "SENTRY_PRIV_DB_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("DB_NAME");
+
+CREATE INDEX "SENTRY_PRIV_TBL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("TABLE_NAME");
+
+CREATE INDEX "SENTRY_PRIV_COL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("COLUMN_NAME");
+
+CREATE INDEX "SENTRY_PRIV_URI_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("URI");
+
+ALTER TABLE ONLY "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
+
+ALTER TABLE ONLY "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_DB_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
+
+ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
+ FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") DEFERRABLE;
+
+INSERT INTO "SENTRY_VERSION" ("VER_ID", "SCHEMA_VERSION", "VERSION_COMMENT") VALUES (1, '1.6.0', 'Sentry release version 1.6.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE "SENTRY_GM_PRIVILEGE" (
+ "GM_PRIVILEGE_ID" BIGINT NOT NULL,
+ "COMPONENT_NAME" character varying(32) NOT NULL,
+ "SERVICE_NAME" character varying(64) NOT NULL,
+ "RESOURCE_NAME_0" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_1" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_2" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_3" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_0" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_1" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_2" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_3" character varying(64) DEFAULT '__NULL__',
+ "ACTION" character varying(32) NOT NULL,
+ "SCOPE" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) NOT NULL
+);
+ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
+ "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("COMPONENT_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("SERVICE_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "GM_PRIVILEGE_ID" BIGINT NOT NULL
+);
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GM_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") DEFERRABLE;
+
+COMMIT;
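Review bot: The btree index `SENTRY_PRIV_URI_IDX` and the unique constraint `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` both cover `"URI" character varying(4000)`, but a PostgreSQL btree entry is capped at roughly a third of a page (on the order of 2700 bytes), so a privilege whose URI approaches the declared width is rejected at insert time with an index-row-size error instead of being stored; either the column width should match what the index can hold, or the index and uniqueness check should be built on a fixed-length digest of the URI. The same layout is repeated verbatim in the 1.7.0 and 1.8.0 postgres scripts below, so whatever is decided applies to all three. Separately, the join tables `SENTRY_ROLE_DB_PRIVILEGE_MAP`, `SENTRY_ROLE_GROUP_MAP` and `SENTRY_ROLE_GM_PRIVILEGE_MAP` only get a composite primary key led by `ROLE_ID`; there is no index led by `DB_PRIVILEGE_ID`, `GROUP_ID` or `GM_PRIVILEGE_ID`, which the DB2 upgrade scripts in this commit do create, so deleting a privilege or group forces the referential check to scan the map table.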
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.7.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.7.0.sql
new file mode 100644
index 0000000..9f4f85b
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.7.0.sql
@@ -0,0 +1,182 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+START TRANSACTION;
+
+SET statement_timeout = 0;
+SET client_encoding = 'UTF8';
+SET standard_conforming_strings = off;
+SET check_function_bodies = false;
+SET client_min_messages = warning;
+SET escape_string_warning = off;
+SET search_path = public, pg_catalog;
+SET default_tablespace = '';
+SET default_with_oids = false;
+
+CREATE TABLE "SENTRY_DB_PRIVILEGE" (
+ "DB_PRIVILEGE_ID" BIGINT NOT NULL,
+ "PRIVILEGE_SCOPE" character varying(32) NOT NULL,
+ "SERVER_NAME" character varying(128) NOT NULL,
+ "DB_NAME" character varying(128) DEFAULT '__NULL__',
+ "TABLE_NAME" character varying(128) DEFAULT '__NULL__',
+ "COLUMN_NAME" character varying(128) DEFAULT '__NULL__',
+ "URI" character varying(4000) DEFAULT '__NULL__',
+ "ACTION" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "ROLE_NAME" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL
+);
+
+CREATE TABLE "SENTRY_GROUP" (
+ "GROUP_ID" BIGINT NOT NULL,
+ "GROUP_NAME" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "DB_PRIVILEGE_ID" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" character varying(128)
+);
+
+CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "GROUP_ID" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" character varying(128)
+);
+
+CREATE TABLE "SENTRY_VERSION" (
+ "VER_ID" bigint,
+ "SCHEMA_VERSION" character varying(127) NOT NULL,
+ "VERSION_COMMENT" character varying(255) NOT NULL
+);
+
+
+ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
+
+ALTER TABLE ONLY "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
+
+ALTER TABLE ONLY "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
+
+ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
+
+ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME");
+
+CREATE INDEX "SENTRY_PRIV_DB_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("DB_NAME");
+
+CREATE INDEX "SENTRY_PRIV_TBL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("TABLE_NAME");
+
+CREATE INDEX "SENTRY_PRIV_COL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("COLUMN_NAME");
+
+CREATE INDEX "SENTRY_PRIV_URI_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("URI");
+
+ALTER TABLE ONLY "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
+
+ALTER TABLE ONLY "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_DB_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
+
+ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
+ FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") DEFERRABLE;
+
+INSERT INTO "SENTRY_VERSION" ("VER_ID", "SCHEMA_VERSION", "VERSION_COMMENT") VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE "SENTRY_GM_PRIVILEGE" (
+ "GM_PRIVILEGE_ID" BIGINT NOT NULL,
+ "COMPONENT_NAME" character varying(32) NOT NULL,
+ "SERVICE_NAME" character varying(64) NOT NULL,
+ "RESOURCE_NAME_0" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_1" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_2" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_3" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_0" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_1" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_2" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_3" character varying(64) DEFAULT '__NULL__',
+ "ACTION" character varying(32) NOT NULL,
+ "SCOPE" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) NOT NULL
+);
+ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
+ "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("COMPONENT_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("SERVICE_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "GM_PRIVILEGE_ID" BIGINT NOT NULL
+);
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GM_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") DEFERRABLE;
+
+COMMIT;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.8.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.8.0.sql
new file mode 100644
index 0000000..6d56332
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.8.0.sql
@@ -0,0 +1,211 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+START TRANSACTION;
+
+SET statement_timeout = 0;
+SET client_encoding = 'UTF8';
+SET standard_conforming_strings = off;
+SET check_function_bodies = false;
+SET client_min_messages = warning;
+SET escape_string_warning = off;
+SET search_path = public, pg_catalog;
+SET default_tablespace = '';
+SET default_with_oids = false;
+
+CREATE TABLE "SENTRY_DB_PRIVILEGE" (
+ "DB_PRIVILEGE_ID" BIGINT NOT NULL,
+ "PRIVILEGE_SCOPE" character varying(32) NOT NULL,
+ "SERVER_NAME" character varying(128) NOT NULL,
+ "DB_NAME" character varying(128) DEFAULT '__NULL__',
+ "TABLE_NAME" character varying(128) DEFAULT '__NULL__',
+ "COLUMN_NAME" character varying(128) DEFAULT '__NULL__',
+ "URI" character varying(4000) DEFAULT '__NULL__',
+ "ACTION" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "ROLE_NAME" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL
+);
+
+CREATE TABLE "SENTRY_GROUP" (
+ "GROUP_ID" BIGINT NOT NULL,
+ "GROUP_NAME" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "DB_PRIVILEGE_ID" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" character varying(128)
+);
+
+CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "GROUP_ID" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" character varying(128)
+);
+
+CREATE TABLE "SENTRY_VERSION" (
+ "VER_ID" bigint,
+ "SCHEMA_VERSION" character varying(127) NOT NULL,
+ "VERSION_COMMENT" character varying(255) NOT NULL
+);
+
+
+ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
+
+ALTER TABLE ONLY "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
+
+ALTER TABLE ONLY "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
+
+ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
+
+ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME");
+
+CREATE INDEX "SENTRY_PRIV_DB_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("DB_NAME");
+
+CREATE INDEX "SENTRY_PRIV_TBL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("TABLE_NAME");
+
+CREATE INDEX "SENTRY_PRIV_COL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("COLUMN_NAME");
+
+CREATE INDEX "SENTRY_PRIV_URI_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("URI");
+
+ALTER TABLE ONLY "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
+
+ALTER TABLE ONLY "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_DB_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
+
+ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
+ FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") DEFERRABLE;
+
+INSERT INTO "SENTRY_VERSION" ("VER_ID", "SCHEMA_VERSION", "VERSION_COMMENT") VALUES (1, '1.8.0', 'Sentry release version 1.8.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE "SENTRY_GM_PRIVILEGE" (
+ "GM_PRIVILEGE_ID" BIGINT NOT NULL,
+ "COMPONENT_NAME" character varying(32) NOT NULL,
+ "SERVICE_NAME" character varying(64) NOT NULL,
+ "RESOURCE_NAME_0" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_1" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_2" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_3" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_0" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_1" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_2" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_3" character varying(64) DEFAULT '__NULL__',
+ "ACTION" character varying(32) NOT NULL,
+ "SCOPE" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) NOT NULL
+);
+ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
+ "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("COMPONENT_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("SERVICE_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "GM_PRIVILEGE_ID" BIGINT NOT NULL
+);
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GM_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") DEFERRABLE;
+
+CREATE TABLE "SENTRY_USER" (
+ "USER_ID" BIGINT NOT NULL,
+ "USER_NAME" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL
+);
+
+ALTER TABLE ONLY "SENTRY_USER"
+ ADD CONSTRAINT "SENTRY_USER_PK" PRIMARY KEY ("USER_ID");
+
+ALTER TABLE ONLY "SENTRY_USER"
+ ADD CONSTRAINT "SENTRY_USER_USER_NAME_UNIQUE" UNIQUE ("USER_NAME");
+
+CREATE TABLE "SENTRY_ROLE_USER_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "USER_ID" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" character varying(128)
+);
+
+ALTER TABLE "SENTRY_ROLE_USER_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_USER_MAP_PK" PRIMARY KEY ("ROLE_ID","USER_ID");
+
+ALTER TABLE ONLY "SENTRY_ROLE_USER_MAP"
+ ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_USER_MAP"
+ ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_USER_FK"
+ FOREIGN KEY ("USER_ID") REFERENCES "SENTRY_USER"("USER_ID") DEFERRABLE;
+
+COMMIT;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql
new file mode 100644
index 0000000..26721c9
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql
@@ -0,0 +1,61 @@
+-- SENTRY-327
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD WITH_GRANT_OPTION CHAR(1) NOT NULL;
+
+-- SENTRY-339
+DROP INDEX SENTRYPRIVILEGENAME;
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+ALTER TABLE SENTRY_DB_PRIVILEGE DROP PRIVILEGE_NAME;
+
+-- SENTRY-380
+ALTER TABLE `SENTRY_DB_PRIVILEGE` DROP `GRANTOR_PRINCIPAL`;
+ALTER TABLE `SENTRY_ROLE` DROP `GRANTOR_PRINCIPAL`;
+ALTER TABLE `SENTRY_GROUP` DROP `GRANTOR_PRINCIPAL`;
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` ADD `GRANTOR_PRINCIPAL` VARCHAR(128);
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP` ADD `GRANTOR_PRINCIPAL` VARCHAR(128);
+
+-- SENTRY-74
+ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD `COLUMN_NAME` CHAR(4000);
+DROP INDEX SENTRYPRIVILEGENAME;
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+
+-- SENTRY-398
+CREATE TABLE SENTRY_GM_PRIVILEGE
+(
+ GM_PRIVILEGE_ID BIGINT NOT NULL,
+ "ACTION" VARCHAR(40),
+ COMPONENT_NAME VARCHAR(400),
+ CREATE_TIME BIGINT NOT NULL,
+ WITH_GRANT_OPTION CHAR(1),
+ RESOURCE_NAME_0 VARCHAR(400),
+ RESOURCE_NAME_1 VARCHAR(400),
+ RESOURCE_NAME_2 VARCHAR(400),
+ RESOURCE_NAME_3 VARCHAR(400),
+ RESOURCE_TYPE_0 VARCHAR(400),
+ RESOURCE_TYPE_1 VARCHAR(400),
+ RESOURCE_TYPE_2 VARCHAR(400),
+ RESOURCE_TYPE_3 VARCHAR(400),
+ "SCOPE" VARCHAR(40),
+ SERVICE_NAME VARCHAR(400)
+);
+ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
+
+CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
+
+CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ GM_PRIVILEGE_ID BIGINT NOT NULL
+);
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
+
+-- Version update
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1;
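Review bot: The SENTRY-380 and SENTRY-74 blocks quote identifiers with backticks, which is MySQL syntax; DB2 delimits identifiers with double quotes, so this script appears to have been copied from the MySQL upgrade and I would expect it to fail on DB2 at the first backtick-quoted `ALTER TABLE`. Two further statements look doubtful on DB2 as well: `ALTER TABLE SENTRY_DB_PRIVILEGE ADD WITH_GRANT_OPTION CHAR(1) NOT NULL;` adds a NOT NULL column with no DEFAULT, which DB2 rejects (SQL0193N), and `COLUMN_NAME CHAR(4000)` exceeds DB2's 254-character limit for CHAR and, unlike the fresh-install schemas in this commit, carries no `DEFAULT '__NULL__'`, so pre-existing rows end up with NULL in a column of the unique index `SENTRYPRIVILEGENAME`, where NULLs do not collide. Because this runs against a live authorization store, a statement failing midway leaves the privilege table half-migrated with the version row still at 1.4.0; the statements should be validated against DB2 before this ships, and a comment at the top of the file stating which DB2 version it was verified on would help the next maintainer.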
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.5.0-to-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.5.0-to-1.6.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.5.0-to-1.6.0.sql
new file mode 100644
index 0000000..5560d9f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.5.0-to-1.6.0.sql
@@ -0,0 +1,2 @@
+-- Version update
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.6.0', VERSION_COMMENT='Sentry release version 1.6.0' WHERE VER_ID=1;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.6.0-to-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.6.0-to-1.7.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.6.0-to-1.7.0.sql
new file mode 100644
index 0000000..e2494a2
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.6.0-to-1.7.0.sql
@@ -0,0 +1,2 @@
+-- Version update
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.7.0', VERSION_COMMENT='Sentry release version 1.7.0' WHERE VER_ID=1;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.7.0-to-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.7.0-to-1.8.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.7.0-to-1.8.0.sql
new file mode 100644
index 0000000..927f302
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-db2-1.7.0-to-1.8.0.sql
@@ -0,0 +1,31 @@
+-- SENTRY-711
+CREATE TABLE SENTRY_USER
+(
+ USER_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ USER_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_USER ADD CONSTRAINT SENTRY_USER_PK PRIMARY KEY (USER_ID);
+
+CREATE UNIQUE INDEX SENTRYUSERNAME ON SENTRY_USER (USER_NAME);
+
+CREATE TABLE SENTRY_ROLE_USER_MAP
+(
+ USER_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_PK PRIMARY KEY (USER_ID,ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_USER_MAP_N49 ON SENTRY_ROLE_USER_MAP (USER_ID);
+
+CREATE INDEX SENTRY_ROLE_USER_MAP_N50 ON SENTRY_ROLE_USER_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK1 FOREIGN KEY (USER_ID) REFERENCES SENTRY_USER (USER_ID) ;
+
+-- Version update
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.8.0', VERSION_COMMENT='Sentry release version 1.8.0' WHERE VER_ID=1;
\ No newline at end of file
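Review bot: `USER_NAME VARCHAR(128)` in the new SENTRY_USER table is nullable here, while the postgres 1.8.0 fresh-install script in this commit declares `"USER_NAME" character varying(128) NOT NULL`, so a DB2 deployment that reaches 1.8.0 by upgrade ends up with a looser schema than one installed fresh; it should read `USER_NAME VARCHAR(128) NOT NULL` so that the unique index `SENTRYUSERNAME` actually guarantees one row per user name (a NULL name would bypass it). The composite primary key on SENTRY_ROLE_USER_MAP is also ordered `(USER_ID,ROLE_ID)` here but `("ROLE_ID","USER_ID")` in the postgres script, which does not affect correctness but means the two dialects serve role-led lookups from different indexes. `USER_ID BIGINT NOT NULL generated always as identity` makes the database allocate user ids, whereas this hunk does not show how the other Sentry tables on DB2 obtain theirs; presumably that comes from the ORM's value generator, and whether the two allocation schemes are compatible is worth confirming before this is merged.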
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql
new file mode 100644
index 0000000..bc06849
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql
@@ -0,0 +1,8 @@
+RUN '001-SENTRY-327.derby.sql';
+RUN '002-SENTRY-339.derby.sql';
+RUN '003-SENTRY-380.derby.sql';
+RUN '004-SENTRY-74.derby.sql';
+RUN '005-SENTRY-398.derby.sql';
+
+-- Version update
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.5.0-to-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.5.0-to-1.6.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.5.0-to-1.6.0.sql
new file mode 100644
index 0000000..5560d9f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.5.0-to-1.6.0.sql
@@ -0,0 +1,2 @@
+-- Version update
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.6.0', VERSION_COMMENT='Sentry release version 1.6.0' WHERE VER_ID=1;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.6.0-to-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.6.0-to-1.7.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.6.0-to-1.7.0.sql
new file mode 100644
index 0000000..e2494a2
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.6.0-to-1.7.0.sql
@@ -0,0 +1,2 @@
+-- Version update
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.7.0', VERSION_COMMENT='Sentry release version 1.7.0' WHERE VER_ID=1;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.7.0-to-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.7.0-to-1.8.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.7.0-to-1.8.0.sql
new file mode 100644
index 0000000..fbe2dc8
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-derby-1.7.0-to-1.8.0.sql
@@ -0,0 +1,4 @@
+RUN '006-SENTRY-711.derby.sql';
+
+-- Version update
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.8.0', VERSION_COMMENT='Sentry release version 1.8.0' WHERE VER_ID=1;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql
new file mode 100644
index 0000000..a7bc9d0
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql
@@ -0,0 +1,10 @@
+SELECT 'Upgrading Sentry store schema from 1.4.0 to 1.5.0' AS ' ';
+SOURCE 001-SENTRY-327.mysql.sql;
+SOURCE 002-SENTRY-339.mysql.sql;
+SOURCE 003-SENTRY-380.mysql.sql;
+SOURCE 004-SENTRY-74.mysql.sql;
+SOURCE 005-SENTRY-398.mysql.sql;
+
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1;
+SELECT 'Finish upgrading Sentry store schema from 1.4.0 to 1.5.0' AS ' ';
+
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.5.0-to-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.5.0-to-1.6.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.5.0-to-1.6.0.sql
new file mode 100644
index 0000000..352332c
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.5.0-to-1.6.0.sql
@@ -0,0 +1,5 @@
+SELECT 'Upgrading Sentry store schema from 1.5.0 to 1.6.0' AS ' ';
+
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.6.0', VERSION_COMMENT='Sentry release version 1.6.0' WHERE VER_ID=1;
+
+SELECT 'Finish upgrading Sentry store schema from 1.5.0 to 1.6.0' AS ' ';
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.6.0-to-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.6.0-to-1.7.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.6.0-to-1.7.0.sql
new file mode 100644
index 0000000..3413ede
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.6.0-to-1.7.0.sql
@@ -0,0 +1,5 @@
+SELECT 'Upgrading Sentry store schema from 1.6.0 to 1.7.0' AS ' ';
+
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.7.0', VERSION_COMMENT='Sentry release version 1.7.0' WHERE VER_ID=1;
+
+SELECT 'Finish upgrading Sentry store schema from 1.6.0 to 1.7.0' AS ' ';
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.7.0-to-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.7.0-to-1.8.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.7.0-to-1.8.0.sql
new file mode 100644
index 0000000..f0df187
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-mysql-1.7.0-to-1.8.0.sql
@@ -0,0 +1,6 @@
+SELECT 'Upgrading Sentry store schema from 1.7.0 to 1.8.0' AS ' ';
+SOURCE 006-SENTRY-711.mysql.sql;
+
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.8.0', VERSION_COMMENT='Sentry release version 1.8.0' WHERE VER_ID=1;
+
+SELECT 'Finish upgrading Sentry store schema from 1.7.0 to 1.8.0' AS ' ';
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql
new file mode 100644
index 0000000..9526366
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql
@@ -0,0 +1,9 @@
+SELECT 'Upgrading Sentry store schema from 1.4.0 to 1.5.0' AS Status from dual;
+@001-SENTRY-327.oracle.sql;
+@002-SENTRY-339.oracle.sql;
+@003-SENTRY-380.oracle.sql;
+@004-SENTRY-74.oracle.sql;
+@005-SENTRY-398.oracle.sql;
+
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1;
+SELECT 'Finished upgrading Sentry store schema from 1.4.0 to 1.5.0' AS Status from dual;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.5.0-to-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.5.0-to-1.6.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.5.0-to-1.6.0.sql
new file mode 100644
index 0000000..3437075
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.5.0-to-1.6.0.sql
@@ -0,0 +1,5 @@
+SELECT 'Upgrading Sentry store schema from 1.5.0 to 1.6.0' AS Status from dual;
+
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.6.0', VERSION_COMMENT='Sentry release version 1.6.0' WHERE VER_ID=1;
+
+SELECT 'Finished upgrading Sentry store schema from 1.5.0 to 1.6.0' AS Status from dual;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.6.0-to-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.6.0-to-1.7.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.6.0-to-1.7.0.sql
new file mode 100644
index 0000000..fa82c87
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.6.0-to-1.7.0.sql
@@ -0,0 +1,5 @@
+SELECT 'Upgrading Sentry store schema from 1.6.0 to 1.7.0' AS Status from dual;
+
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.7.0', VERSION_COMMENT='Sentry release version 1.7.0' WHERE VER_ID=1;
+
+SELECT 'Finished upgrading Sentry store schema from 1.6.0 to 1.7.0' AS Status from dual;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.7.0-to-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.7.0-to-1.8.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.7.0-to-1.8.0.sql
new file mode 100644
index 0000000..f1666be
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-oracle-1.7.0-to-1.8.0.sql
@@ -0,0 +1,6 @@
+SELECT 'Upgrading Sentry store schema from 1.7.0 to 1.8.0' AS Status from dual;
+@006-SENTRY-711.oracle.sql;
+
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.8.0', VERSION_COMMENT='Sentry release version 1.8.0' WHERE VER_ID=1;
+
+SELECT 'Finished upgrading Sentry store schema from 1.7.0 to 1.8.0' AS Status from dual;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql
new file mode 100644
index 0000000..2f03d5e
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql
@@ -0,0 +1,9 @@
+SELECT 'Upgrading Sentry store schema from 1.4.0 to 1.5.0';
+\i 001-SENTRY-327.postgres.sql;
+\i 002-SENTRY-339.postgres.sql;
+\i 003-SENTRY-380.postgres.sql;
+\i 004-SENTRY-74.postgres.sql;
+\i 005-SENTRY-398.postgres.sql;
+
+UPDATE "SENTRY_VERSION" SET "SCHEMA_VERSION"='1.5.0', "VERSION_COMMENT"='Sentry release version 1.5.0' WHERE "VER_ID"=1;
+SELECT 'Finished upgrading Sentry store schema from 1.4.0 to 1.5.0';
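Review bot: The version bump `UPDATE "SENTRY_VERSION" SET "SCHEMA_VERSION"='1.5.0', ...` runs whether or not the five `\i` scripts above it succeeded, because psql continues past errors unless `ON_ERROR_STOP` is set; a failed include would leave a partially upgraded store that reports itself as 1.5.0, and an upgrade driver keyed off SCHEMA_VERSION (presumably what the upgrade.order files feed) would then never retry the missing steps. Adding `\set ON_ERROR_STOP on` as the first line of this script and of sentry-upgrade-postgres-1.7.0-to-1.8.0.sql closes the gap. The Oracle counterparts sentry-upgrade-oracle-1.4.0-to-1.5.0.sql and sentry-upgrade-oracle-1.7.0-to-1.8.0.sql have the same shape and would want `WHENEVER SQLERROR EXIT SQL.SQLCODE ROLLBACK` ahead of the `@` includes; the mysql client aborts on the first error in batch mode unless run with --force, so those scripts are fine as written, and whether Derby ij stops after a failed `RUN` should be checked before the same assumption is made there.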
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.5.0-to-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.5.0-to-1.6.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.5.0-to-1.6.0.sql
new file mode 100644
index 0000000..5982596
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.5.0-to-1.6.0.sql
@@ -0,0 +1,5 @@
+SELECT 'Upgrading Sentry store schema from 1.5.0 to 1.6.0';
+
+UPDATE "SENTRY_VERSION" SET "SCHEMA_VERSION"='1.6.0', "VERSION_COMMENT"='Sentry release version 1.6.0' WHERE "VER_ID"=1;
+
+SELECT 'Finished upgrading Sentry store schema from 1.5.0 to 1.6.0';
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.6.0-to-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.6.0-to-1.7.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.6.0-to-1.7.0.sql
new file mode 100644
index 0000000..ff10e10
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.6.0-to-1.7.0.sql
@@ -0,0 +1,5 @@
+SELECT 'Upgrading Sentry store schema from 1.6.0 to 1.7.0';
+
+UPDATE "SENTRY_VERSION" SET "SCHEMA_VERSION"='1.7.0', "VERSION_COMMENT"='Sentry release version 1.7.0' WHERE "VER_ID"=1;
+
+SELECT 'Finished upgrading Sentry store schema from 1.6.0 to 1.7.0';
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.7.0-to-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.7.0-to-1.8.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.7.0-to-1.8.0.sql
new file mode 100644
index 0000000..b39292d
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-upgrade-postgres-1.7.0-to-1.8.0.sql
@@ -0,0 +1,6 @@
+SELECT 'Upgrading Sentry store schema from 1.7.0 to 1.8.0';
+\i 006-SENTRY-711.postgres.sql;
+
+UPDATE "SENTRY_VERSION" SET "SCHEMA_VERSION"='1.8.0', "VERSION_COMMENT"='Sentry release version 1.8.0' WHERE "VER_ID"=1;
+
+SELECT 'Finished upgrading Sentry store schema from 1.7.0 to 1.8.0';
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/upgrade.order.db2
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/upgrade.order.db2 b/sentry-service/sentry-service-server/src/main/resources/upgrade.order.db2
new file mode 100644
index 0000000..8da8c9c
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/upgrade.order.db2
@@ -0,0 +1,4 @@
+1.4.0-to-1.5.0
+1.5.0-to-1.6.0
+1.6.0-to-1.7.0
+1.7.0-to-1.8.0
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/upgrade.order.derby
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/upgrade.order.derby b/sentry-service/sentry-service-server/src/main/resources/upgrade.order.derby
new file mode 100644
index 0000000..8da8c9c
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/upgrade.order.derby
@@ -0,0 +1,4 @@
+1.4.0-to-1.5.0
+1.5.0-to-1.6.0
+1.6.0-to-1.7.0
+1.7.0-to-1.8.0
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/upgrade.order.mysql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/upgrade.order.mysql b/sentry-service/sentry-service-server/src/main/resources/upgrade.order.mysql
new file mode 100644
index 0000000..8da8c9c
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/upgrade.order.mysql
@@ -0,0 +1,4 @@
+1.4.0-to-1.5.0
+1.5.0-to-1.6.0
+1.6.0-to-1.7.0
+1.7.0-to-1.8.0
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/upgrade.order.oracle
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/upgrade.order.oracle b/sentry-service/sentry-service-server/src/main/resources/upgrade.order.oracle
new file mode 100644
index 0000000..8da8c9c
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/upgrade.order.oracle
@@ -0,0 +1,4 @@
+1.4.0-to-1.5.0
+1.5.0-to-1.6.0
+1.6.0-to-1.7.0
+1.7.0-to-1.8.0
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/upgrade.order.postgres
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/upgrade.order.postgres b/sentry-service/sentry-service-server/src/main/resources/upgrade.order.postgres
new file mode 100644
index 0000000..8da8c9c
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/upgrade.order.postgres
@@ -0,0 +1,4 @@
+1.4.0-to-1.5.0
+1.5.0-to-1.6.0
+1.6.0-to-1.7.0
+1.7.0-to-1.8.0
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/webapp/SentryService.html
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/webapp/SentryService.html b/sentry-service/sentry-service-server/src/main/webapp/SentryService.html
new file mode 100644
index 0000000..9eb5f0e
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/webapp/SentryService.html
@@ -0,0 +1,61 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<!DOCTYPE HTML>
+<html lang="en">
+ <head>
+ <meta charset="utf-8">
+ <title>Sentry Service</title>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+ <meta name="description" content="">
+ <link href="css/bootstrap.min.css" rel="stylesheet">
+ <link href="css/bootstrap-theme.min.css" rel="stylesheet">
+ <link href="css/sentry.css" rel="stylesheet">
+ </head>
+
+ <body>
+ <nav class="navbar navbar-default navbar-fixed-top">
+ <div class="container">
+ <div class="navbar-header">
+ <a class="navbar-brand" href="#"><img src="sentry.png" alt="Sentry Logo"/></a>
+ </div>
+ <div class="collapse navbar-collapse">
+ <ul class="nav navbar-nav">
+ <li class="active"><a href="#">Home</a></li>
+ <li><a href="/metrics?pretty=true">Metrics</a></li>
+ <li><a href="/threads">Threads</a></li>
+ <li><a href="/conf">Configuration</a></li>
+ </ul>
+ </div>
+ </div>
+ </nav>
+
+ <div class="container">
+ <div class="page-header"><h2>Sentry Service</h2></div>
+ <ul>
+ <li><a href="/metrics?pretty=true">Metrics</a></li>
+ <li><a href="/threads">Threads</a></li>
+ <li><a href="/conf">Configuration</a></li>
+ </ul>
+ </div>
+
+ <footer class="footer">
+ <div class="container">
+ <p class="text-muted">SENTRY 1.8.0-SNAPSHOT</p>
+ </div>
+ </footer>
+ </body>
+</html>
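Review bot: The footer `<p class="text-muted">SENTRY 1.8.0-SNAPSHOT</p>` hard-codes the build version into a static resource, so it drifts from the artifact version the moment the pom is bumped, and it advertises the exact build to anyone who can reach the page. Prefer sourcing it from the build (for example Maven resource filtering with `${project.version}`, or a value the serving servlet injects) so it stays correct, and consider whether the version needs to appear on the landing page at all. The page also links to `/conf`, which by its name exposes the service configuration; if that endpoint is served without authentication, confirm it redacts credential-like values, since this static page is the path most operators will follow to it.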
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/webapp/css/bootstrap-theme.min.css
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/webapp/css/bootstrap-theme.min.css b/sentry-service/sentry-service-server/src/main/webapp/css/bootstrap-theme.min.css
new file mode 100644
index 0000000..c31428b
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/webapp/css/bootstrap-theme.min.css
@@ -0,0 +1,10 @@
+/*!
+ * Bootstrap v3.0.0
+ *
+ * Copyright 2013 Twitter, Inc
+ * Licensed under the Apache License v2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Designed and built with all the love in the world by @mdo and @fat.
+ */
+.btn-default,.btn-primary,.btn-success,.btn-info,.btn-warning,.btn-danger{text-shadow:0 -1px 0 rgba(0,0,0,0.2);-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.15),0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 0 rgba(255,255,255,0.15),0 1px 1px rgba(0,0,0,0.075)}.btn-default:active,.btn-primary:active,.btn-success:active,.btn-info:active,.btn-warning:active,.btn-danger:active,.btn-default.active,.btn-primary.active,.btn-success.active,.btn-info.active,.btn-warning.active,.btn-danger.active{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn:active,.btn.active{background-image:none}.btn-default{text-shadow:0 1px 0 #fff;background-image:-webkit-gradient(linear,left 0,left 100%,from(#fff),to(#e6e6e6));background-image:-webkit-linear-gradient(top,#fff,0%,#e6e6e6,100%);background-image:-moz-linear-gradient(top,#fff 0,#e6e6e6 100%);background-image:linear-gradient(to bottom,#fff 0,#e6e6e6 100%);background-repeat:repeat-x;border-co
lor:#e0e0e0;border-color:#ccc;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff',endColorstr='#ffe6e6e6',GradientType=0)}.btn-default:active,.btn-default.active{background-color:#e6e6e6;border-color:#e0e0e0}.btn-primary{background-image:-webkit-gradient(linear,left 0,left 100%,from(#428bca),to(#3071a9));background-image:-webkit-linear-gradient(top,#428bca,0%,#3071a9,100%);background-image:-moz-linear-gradient(top,#428bca 0,#3071a9 100%);background-image:linear-gradient(to bottom,#428bca 0,#3071a9 100%);background-repeat:repeat-x;border-color:#2d6ca2;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff428bca',endColorstr='#ff3071a9',GradientType=0)}.btn-primary:active,.btn-primary.active{background-color:#3071a9;border-color:#2d6ca2}.btn-success{background-image:-webkit-gradient(linear,left 0,left 100%,from(#5cb85c),to(#449d44));background-image:-webkit-linear-gradient(top,#5cb85c,0%,#449d44,100%);background-image:-moz-linear-gradient(top,#5cb
85c 0,#449d44 100%);background-image:linear-gradient(to bottom,#5cb85c 0,#449d44 100%);background-repeat:repeat-x;border-color:#419641;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5cb85c',endColorstr='#ff449d44',GradientType=0)}.btn-success:active,.btn-success.active{background-color:#449d44;border-color:#419641}.btn-warning{background-image:-webkit-gradient(linear,left 0,left 100%,from(#f0ad4e),to(#ec971f));background-image:-webkit-linear-gradient(top,#f0ad4e,0%,#ec971f,100%);background-image:-moz-linear-gradient(top,#f0ad4e 0,#ec971f 100%);background-image:linear-gradient(to bottom,#f0ad4e 0,#ec971f 100%);background-repeat:repeat-x;border-color:#eb9316;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff0ad4e',endColorstr='#ffec971f',GradientType=0)}.btn-warning:active,.btn-warning.active{background-color:#ec971f;border-color:#eb9316}.btn-danger{background-image:-webkit-gradient(linear,left 0,left 100%,from(#d9534f),to(#c9302c));background-i
mage:-webkit-linear-gradient(top,#d9534f,0%,#c9302c,100%);background-image:-moz-linear-gradient(top,#d9534f 0,#c9302c 100%);background-image:linear-gradient(to bottom,#d9534f 0,#c9302c 100%);background-repeat:repeat-x;border-color:#c12e2a;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffd9534f',endColorstr='#ffc9302c',GradientType=0)}.btn-danger:active,.btn-danger.active{background-color:#c9302c;border-color:#c12e2a}.btn-info{background-image:-webkit-gradient(linear,left 0,left 100%,from(#5bc0de),to(#31b0d5));background-image:-webkit-linear-gradient(top,#5bc0de,0%,#31b0d5,100%);background-image:-moz-linear-gradient(top,#5bc0de 0,#31b0d5 100%);background-image:linear-gradient(to bottom,#5bc0de 0,#31b0d5 100%);background-repeat:repeat-x;border-color:#2aabd2;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5bc0de',endColorstr='#ff31b0d5',GradientType=0)}.btn-info:active,.btn-info.active{background-color:#31b0d5;border-color:#2aabd2}.thumbnail,.img-
thumbnail{-webkit-box-shadow:0 1px 2px rgba(0,0,0,0.075);box-shadow:0 1px 2px rgba(0,0,0,0.075)}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus,.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{background-color:#357ebd;background-image:-webkit-gradient(linear,left 0,left 100%,from(#428bca),to(#357ebd));background-image:-webkit-linear-gradient(top,#428bca,0%,#357ebd,100%);background-image:-moz-linear-gradient(top,#428bca 0,#357ebd 100%);background-image:linear-gradient(to bottom,#428bca 0,#357ebd 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff428bca',endColorstr='#ff357ebd',GradientType=0)}.navbar{background-image:-webkit-gradient(linear,left 0,left 100%,from(#fff),to(#f8f8f8));background-image:-webkit-linear-gradient(top,#fff,0%,#f8f8f8,100%);background-image:-moz-linear-gradient(top,#fff 0,#f8f8f8 100%);background-image:linear-gradient(to bottom,#fff 0,#f8f8f8 100%);background-repeat:repe
at-x;border-radius:4px;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff',endColorstr='#fff8f8f8',GradientType=0);-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.15),0 1px 5px rgba(0,0,0,0.075);box-shadow:inset 0 1px 0 rgba(255,255,255,0.15),0 1px 5px rgba(0,0,0,0.075)}.navbar .navbar-nav>.active>a{background-color:#f8f8f8}.navbar-brand,.navbar-nav>li>a{text-shadow:0 1px 0 rgba(255,255,255,0.25)}.navbar-inverse{background-image:-webkit-gradient(linear,left 0,left 100%,from(#3c3c3c),to(#222));background-image:-webkit-linear-gradient(top,#3c3c3c,0%,#222,100%);background-image:-moz-linear-gradient(top,#3c3c3c 0,#222 100%);background-image:linear-gradient(to bottom,#3c3c3c 0,#222 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff3c3c3c',endColorstr='#ff222222',GradientType=0)}.navbar-inverse .navbar-nav>.active>a{background-color:#222}.navbar-inverse .navbar-brand,.navbar-inverse .navbar-nav>li>a{text-shadow
:0 -1px 0 rgba(0,0,0,0.25)}.navbar-static-top,.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}.alert{text-shadow:0 1px 0 rgba(255,255,255,0.2);-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.25),0 1px 2px rgba(0,0,0,0.05);box-shadow:inset 0 1px 0 rgba(255,255,255,0.25),0 1px 2px rgba(0,0,0,0.05)}.alert-success{background-image:-webkit-gradient(linear,left 0,left 100%,from(#dff0d8),to(#c8e5bc));background-image:-webkit-linear-gradient(top,#dff0d8,0%,#c8e5bc,100%);background-image:-moz-linear-gradient(top,#dff0d8 0,#c8e5bc 100%);background-image:linear-gradient(to bottom,#dff0d8 0,#c8e5bc 100%);background-repeat:repeat-x;border-color:#b2dba1;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffdff0d8',endColorstr='#ffc8e5bc',GradientType=0)}.alert-info{background-image:-webkit-gradient(linear,left 0,left 100%,from(#d9edf7),to(#b9def0));background-image:-webkit-linear-gradient(top,#d9edf7,0%,#b9def0,100%);background-image:-moz-linear-gradient(top,#d9edf7 0,#b9
def0 100%);background-image:linear-gradient(to bottom,#d9edf7 0,#b9def0 100%);background-repeat:repeat-x;border-color:#9acfea;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffd9edf7',endColorstr='#ffb9def0',GradientType=0)}.alert-warning{background-image:-webkit-gradient(linear,left 0,left 100%,from(#fcf8e3),to(#f8efc0));background-image:-webkit-linear-gradient(top,#fcf8e3,0%,#f8efc0,100%);background-image:-moz-linear-gradient(top,#fcf8e3 0,#f8efc0 100%);background-image:linear-gradient(to bottom,#fcf8e3 0,#f8efc0 100%);background-repeat:repeat-x;border-color:#f5e79e;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffcf8e3',endColorstr='#fff8efc0',GradientType=0)}.alert-danger{background-image:-webkit-gradient(linear,left 0,left 100%,from(#f2dede),to(#e7c3c3));background-image:-webkit-linear-gradient(top,#f2dede,0%,#e7c3c3,100%);background-image:-moz-linear-gradient(top,#f2dede 0,#e7c3c3 100%);background-image:linear-gradient(to bottom,#f2dede 0,
#e7c3c3 100%);background-repeat:repeat-x;border-color:#dca7a7;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff2dede',endColorstr='#ffe7c3c3',GradientType=0)}.progress{background-image:-webkit-gradient(linear,left 0,left 100%,from(#ebebeb),to(#f5f5f5));background-image:-webkit-linear-gradient(top,#ebebeb,0%,#f5f5f5,100%);background-image:-moz-linear-gradient(top,#ebebeb 0,#f5f5f5 100%);background-image:linear-gradient(to bottom,#ebebeb 0,#f5f5f5 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffebebeb',endColorstr='#fff5f5f5',GradientType=0)}.progress-bar{background-image:-webkit-gradient(linear,left 0,left 100%,from(#428bca),to(#3071a9));background-image:-webkit-linear-gradient(top,#428bca,0%,#3071a9,100%);background-image:-moz-linear-gradient(top,#428bca 0,#3071a9 100%);background-image:linear-gradient(to bottom,#428bca 0,#3071a9 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient
(startColorstr='#ff428bca',endColorstr='#ff3071a9',GradientType=0)}.progress-bar-success{background-image:-webkit-gradient(linear,left 0,left 100%,from(#5cb85c),to(#449d44));background-image:-webkit-linear-gradient(top,#5cb85c,0%,#449d44,100%);background-image:-moz-linear-gradient(top,#5cb85c 0,#449d44 100%);background-image:linear-gradient(to bottom,#5cb85c 0,#449d44 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5cb85c',endColorstr='#ff449d44',GradientType=0)}.progress-bar-info{background-image:-webkit-gradient(linear,left 0,left 100%,from(#5bc0de),to(#31b0d5));background-image:-webkit-linear-gradient(top,#5bc0de,0%,#31b0d5,100%);background-image:-moz-linear-gradient(top,#5bc0de 0,#31b0d5 100%);background-image:linear-gradient(to bottom,#5bc0de 0,#31b0d5 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5bc0de',endColorstr='#ff31b0d5',GradientType=0)}.progress-bar-warning{backg
round-image:-webkit-gradient(linear,left 0,left 100%,from(#f0ad4e),to(#ec971f));background-image:-webkit-linear-gradient(top,#f0ad4e,0%,#ec971f,100%);background-image:-moz-linear-gradient(top,#f0ad4e 0,#ec971f 100%);background-image:linear-gradient(to bottom,#f0ad4e 0,#ec971f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff0ad4e',endColorstr='#ffec971f',GradientType=0)}.progress-bar-danger{background-image:-webkit-gradient(linear,left 0,left 100%,from(#d9534f),to(#c9302c));background-image:-webkit-linear-gradient(top,#d9534f,0%,#c9302c,100%);background-image:-moz-linear-gradient(top,#d9534f 0,#c9302c 100%);background-image:linear-gradient(to bottom,#d9534f 0,#c9302c 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffd9534f',endColorstr='#ffc9302c',GradientType=0)}.list-group{border-radius:4px;-webkit-box-shadow:0 1px 2px rgba(0,0,0,0.075);box-shadow:0 1px 2px rgba(0,0,0,0.075)}.li
st-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{text-shadow:0 -1px 0 #3071a9;background-image:-webkit-gradient(linear,left 0,left 100%,from(#428bca),to(#3278b3));background-image:-webkit-linear-gradient(top,#428bca,0%,#3278b3,100%);background-image:-moz-linear-gradient(top,#428bca 0,#3278b3 100%);background-image:linear-gradient(to bottom,#428bca 0,#3278b3 100%);background-repeat:repeat-x;border-color:#3278b3;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff428bca',endColorstr='#ff3278b3',GradientType=0)}.panel{-webkit-box-shadow:0 1px 2px rgba(0,0,0,0.05);box-shadow:0 1px 2px rgba(0,0,0,0.05)}.panel-default>.panel-heading{background-image:-webkit-gradient(linear,left 0,left 100%,from(#f5f5f5),to(#e8e8e8));background-image:-webkit-linear-gradient(top,#f5f5f5,0%,#e8e8e8,100%);background-image:-moz-linear-gradient(top,#f5f5f5 0,#e8e8e8 100%);background-image:linear-gradient(to bottom,#f5f5f5 0,#e8e8e8 100%);background-repeat:repeat-x
;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff5f5f5',endColorstr='#ffe8e8e8',GradientType=0)}.panel-primary>.panel-heading{background-image:-webkit-gradient(linear,left 0,left 100%,from(#428bca),to(#357ebd));background-image:-webkit-linear-gradient(top,#428bca,0%,#357ebd,100%);background-image:-moz-linear-gradient(top,#428bca 0,#357ebd 100%);background-image:linear-gradient(to bottom,#428bca 0,#357ebd 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff428bca',endColorstr='#ff357ebd',GradientType=0)}.panel-success>.panel-heading{background-image:-webkit-gradient(linear,left 0,left 100%,from(#dff0d8),to(#d0e9c6));background-image:-webkit-linear-gradient(top,#dff0d8,0%,#d0e9c6,100%);background-image:-moz-linear-gradient(top,#dff0d8 0,#d0e9c6 100%);background-image:linear-gradient(to bottom,#dff0d8 0,#d0e9c6 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffdff0d8
',endColorstr='#ffd0e9c6',GradientType=0)}.panel-info>.panel-heading{background-image:-webkit-gradient(linear,left 0,left 100%,from(#d9edf7),to(#c4e3f3));background-image:-webkit-linear-gradient(top,#d9edf7,0%,#c4e3f3,100%);background-image:-moz-linear-gradient(top,#d9edf7 0,#c4e3f3 100%);background-image:linear-gradient(to bottom,#d9edf7 0,#c4e3f3 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffd9edf7',endColorstr='#ffc4e3f3',GradientType=0)}.panel-warning>.panel-heading{background-image:-webkit-gradient(linear,left 0,left 100%,from(#fcf8e3),to(#faf2cc));background-image:-webkit-linear-gradient(top,#fcf8e3,0%,#faf2cc,100%);background-image:-moz-linear-gradient(top,#fcf8e3 0,#faf2cc 100%);background-image:linear-gradient(to bottom,#fcf8e3 0,#faf2cc 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffcf8e3',endColorstr='#fffaf2cc',GradientType=0)}.panel-danger>.panel-heading{backgro
und-image:-webkit-gradient(linear,left 0,left 100%,from(#f2dede),to(#ebcccc));background-image:-webkit-linear-gradient(top,#f2dede,0%,#ebcccc,100%);background-image:-moz-linear-gradient(top,#f2dede 0,#ebcccc 100%);background-image:linear-gradient(to bottom,#f2dede 0,#ebcccc 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff2dede',endColorstr='#ffebcccc',GradientType=0)}.well{background-image:-webkit-gradient(linear,left 0,left 100%,from(#e8e8e8),to(#f5f5f5));background-image:-webkit-linear-gradient(top,#e8e8e8,0%,#f5f5f5,100%);background-image:-moz-linear-gradient(top,#e8e8e8 0,#f5f5f5 100%);background-image:linear-gradient(to bottom,#e8e8e8 0,#f5f5f5 100%);background-repeat:repeat-x;border-color:#dcdcdc;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffe8e8e8',endColorstr='#fff5f5f5',GradientType=0);-webkit-box-shadow:inset 0 1px 3px rgba(0,0,0,0.05),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 3px rgba(0
,0,0,0.05),0 1px 0 rgba(255,255,255,0.1)}
\ No newline at end of file
[41/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
deleted file mode 100644
index 4c3af79..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
+++ /dev/null
@@ -1,332 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.model;
-
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.jdo.annotations.PersistenceCapable;
-
-import org.apache.sentry.core.common.utils.PathUtils;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.db.service.persistent.SentryStore;
-
-/**
- * Database backed Sentry Privilege. Any changes to this object
- * require re-running the maven build so DN an re-enhance.
- */
-@PersistenceCapable
-public class MSentryPrivilege {
-
- private String privilegeScope;
- /**
- * Privilege name is unique
- */
- private String serverName = "";
- private String dbName = "";
- private String tableName = "";
- private String columnName = "";
- private String URI = "";
- private String action = "";
- private Boolean grantOption = false;
- // roles this privilege is a part of
- private Set<MSentryRole> roles;
- private long createTime;
-
- public MSentryPrivilege() {
- this.roles = new HashSet<MSentryRole>();
- }
-
- public MSentryPrivilege(String privilegeScope,
- String serverName, String dbName, String tableName, String columnName,
- String URI, String action, Boolean grantOption) {
- this.privilegeScope = privilegeScope;
- this.serverName = serverName;
- this.dbName = SentryStore.toNULLCol(dbName);
- this.tableName = SentryStore.toNULLCol(tableName);
- this.columnName = SentryStore.toNULLCol(columnName);
- this.URI = SentryStore.toNULLCol(URI);
- this.action = SentryStore.toNULLCol(action);
- this.grantOption = grantOption;
- this.roles = new HashSet<MSentryRole>();
- }
-
- public MSentryPrivilege(String privilegeScope,
- String serverName, String dbName, String tableName, String columnName,
- String URI, String action) {
- this(privilegeScope, serverName, dbName, tableName,
- columnName, URI, action, false);
- }
-
- public MSentryPrivilege(MSentryPrivilege other) {
- this.privilegeScope = other.privilegeScope;
- this.serverName = other.serverName;
- this.dbName = SentryStore.toNULLCol(other.dbName);
- this.tableName = SentryStore.toNULLCol(other.tableName);
- this.columnName = SentryStore.toNULLCol(other.columnName);
- this.URI = SentryStore.toNULLCol(other.URI);
- this.action = SentryStore.toNULLCol(other.action);
- this.grantOption = other.grantOption;
- this.roles = new HashSet<MSentryRole>();
- for (MSentryRole role : other.roles) {
- roles.add(role);
- }
- }
-
- public String getServerName() {
- return serverName;
- }
-
- public void setServerName(String serverName) {
- this.serverName = (serverName == null) ? "" : serverName;
- }
-
- public String getDbName() {
- return dbName;
- }
-
- public void setDbName(String dbName) {
- this.dbName = (dbName == null) ? "" : dbName;
- }
-
- public String getTableName() {
- return tableName;
- }
-
- public void setTableName(String tableName) {
- this.tableName = (tableName == null) ? "" : tableName;
- }
-
- public String getColumnName() {
- return columnName;
- }
-
- public void setColumnName(String columnName) {
- this.columnName = (columnName == null) ? "" : columnName;
- }
-
- public String getURI() {
- return URI;
- }
-
- public void setURI(String uRI) {
- URI = (uRI == null) ? "" : uRI;
- }
-
- public String getAction() {
- return action;
- }
-
- public void setAction(String action) {
- this.action = (action == null) ? "" : action;
- }
-
- public long getCreateTime() {
- return createTime;
- }
-
- public void setCreateTime(long createTime) {
- this.createTime = createTime;
- }
-
- public String getPrivilegeScope() {
- return privilegeScope;
- }
-
- public void setPrivilegeScope(String privilegeScope) {
- this.privilegeScope = privilegeScope;
- }
-
- public Boolean getGrantOption() {
- return grantOption;
- }
-
- public void setGrantOption(Boolean grantOption) {
- this.grantOption = grantOption;
- }
-
- public void appendRole(MSentryRole role) {
- roles.add(role);
- }
-
- public Set<MSentryRole> getRoles() {
- return roles;
- }
-
- public void removeRole(MSentryRole role) {
- roles.remove(role);
- role.removePrivilege(this);
- }
-
- @Override
- public String toString() {
- return "MSentryPrivilege [privilegeScope=" + privilegeScope
- + ", serverName=" + serverName + ", dbName=" + dbName
- + ", tableName=" + tableName + ", columnName=" + columnName
- + ", URI=" + URI + ", action=" + action + ", roles=[...]"
- + ", createTime=" + createTime + ", grantOption=" + grantOption +"]";
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((URI == null) ? 0 : URI.hashCode());
- result = prime * result + ((action == null) ? 0 : action.hashCode());
- result = prime * result + ((dbName == null) ? 0 : dbName.hashCode());
- result = prime * result
- + ((serverName == null) ? 0 : serverName.hashCode());
- result = prime * result + ((tableName == null) ? 0 : tableName.hashCode());
- result = prime * result
- + ((columnName == null) ? 0 : columnName.hashCode());
- result = prime * result
- + ((grantOption == null) ? 0 : grantOption.hashCode());
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj) {
- return true;
- }
- if (obj == null) {
- return false;
- }
- if (getClass() != obj.getClass()) {
- return false;
- }
- MSentryPrivilege other = (MSentryPrivilege) obj;
- if (URI == null) {
- if (other.URI != null) {
- return false;
- }
- } else if (!URI.equals(other.URI)) {
- return false;
- }
- if (action == null) {
- if (other.action != null) {
- return false;
- }
- } else if (!action.equals(other.action)) {
- return false;
- }
- if (dbName == null) {
- if (other.dbName != null) {
- return false;
- }
- } else if (!dbName.equals(other.dbName)) {
- return false;
- }
- if (serverName == null) {
- if (other.serverName != null) {
- return false;
- }
- } else if (!serverName.equals(other.serverName)) {
- return false;
- }
- if (tableName == null) {
- if (other.tableName != null) {
- return false;
- }
- } else if (!tableName.equals(other.tableName)) {
- return false;
- }
- if (columnName == null) {
- if (other.columnName != null) {
- return false;
- }
- } else if (!columnName.equals(other.columnName)) {
- return false;
- }
- if (grantOption == null) {
- if (other.grantOption != null) {
- return false;
- }
- } else if (!grantOption.equals(other.grantOption)) {
- return false;
- }
- return true;
- }
-
- /**
- * Return true if this privilege implies other privilege
- * Otherwise, return false
- * @param other, other privilege
- */
- public boolean implies(MSentryPrivilege other) {
- // serverName never be null
- if (isNULL(serverName) || isNULL(other.serverName)) {
- return false;
- } else if (!serverName.equals(other.serverName)) {
- return false;
- }
-
- // check URI implies
- if (!isNULL(URI) && !isNULL(other.URI)) {
- if (!PathUtils.impliesURI(URI, other.URI)) {
- return false;
- }
- // if URI is NULL, check dbName and tableName
- } else if (isNULL(URI) && isNULL(other.URI)) {
- if (!isNULL(dbName)) {
- if (isNULL(other.dbName)) {
- return false;
- } else if (!dbName.equals(other.dbName)) {
- return false;
- }
- }
- if (!isNULL(tableName)) {
- if (isNULL(other.tableName)) {
- return false;
- } else if (!tableName.equals(other.tableName)) {
- return false;
- }
- }
- if (!isNULL(columnName)) {
- if (isNULL(other.columnName)) {
- return false;
- } else if (!columnName.equals(other.columnName)) {
- return false;
- }
- }
- // if URI is not NULL, but other's URI is NULL, return false
- } else if (!isNULL(URI) && isNULL(other.URI)){
- return false;
- }
-
- // check action implies
- if (!action.equalsIgnoreCase(AccessConstants.ALL)
- && !action.equalsIgnoreCase(other.action)
- && !action.equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
- return false;
- }
-
- return true;
- }
-
- private boolean isNULL(String s) {
- return SentryStore.isNULL(s);
- }
-
- public boolean isActionALL() {
- return AccessConstants.ACTION_ALL.equalsIgnoreCase(action)
- || AccessConstants.ALL.equals(action);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
deleted file mode 100644
index 0484eaa..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
+++ /dev/null
@@ -1,216 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.model;
-
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.jdo.annotations.PersistenceCapable;
-
-import com.google.common.base.Preconditions;
-import com.google.common.collect.ImmutableSet;
-
-/**
- * Database backed Sentry Role. Any changes to this object
- * require re-running the maven build so DN an re-enhance.
- */
-@PersistenceCapable
-public class MSentryRole {
-
- private String roleName;
- // set of privileges granted to this role
- private Set<MSentryPrivilege> privileges;
- // set of generic model privileges grant ro this role
- private Set<MSentryGMPrivilege> gmPrivileges;
-
- // set of groups this role belongs to
- private Set<MSentryGroup> groups;
- // set of users this role belongs to
- private Set<MSentryUser> users;
- private long createTime;
-
- public MSentryRole(String roleName, long createTime) {
- this.roleName = roleName;
- this.createTime = createTime;
- privileges = new HashSet<MSentryPrivilege>();
- gmPrivileges = new HashSet<MSentryGMPrivilege>();
- groups = new HashSet<MSentryGroup>();
- users = new HashSet<MSentryUser>();
- }
-
- public long getCreateTime() {
- return createTime;
- }
-
- public void setCreateTime(long createTime) {
- this.createTime = createTime;
- }
-
- public String getRoleName() {
- return roleName;
- }
-
- public void setRoleName(String roleName) {
- this.roleName = roleName;
- }
-
- public void setPrivileges(Set<MSentryPrivilege> privileges) {
- this.privileges = privileges;
- }
-
- public Set<MSentryPrivilege> getPrivileges() {
- return privileges;
- }
-
- public Set<MSentryGMPrivilege> getGmPrivileges() {
- return gmPrivileges;
- }
-
- public void setGmPrivileges(Set<MSentryGMPrivilege> gmPrivileges) {
- this.gmPrivileges = gmPrivileges;
- }
-
- public void setGroups(Set<MSentryGroup> groups) {
- this.groups = groups;
- }
-
- public Set<MSentryGroup> getGroups() {
- return groups;
- }
-
- public Set<MSentryUser> getUsers() {
- return users;
- }
-
- public void setUsers(Set<MSentryUser> users) {
- this.users = users;
- }
-
- public void removePrivilege(MSentryPrivilege privilege) {
- if (privileges.remove(privilege)) {
- privilege.removeRole(this);
- }
- }
-
- public void appendPrivileges(Set<MSentryPrivilege> privileges) {
- this.privileges.addAll(privileges);
- }
-
- public void appendPrivilege(MSentryPrivilege privilege) {
- if (privileges.add(privilege)) {
- privilege.appendRole(this);
- }
- }
-
- public void removeGMPrivilege(MSentryGMPrivilege gmPrivilege) {
- if (gmPrivileges.remove(gmPrivilege)) {
- gmPrivilege.removeRole(this);
- }
- }
-
- public void appendGMPrivilege(MSentryGMPrivilege gmPrivilege) {
- if (gmPrivileges.add(gmPrivilege)) {
- gmPrivilege.appendRole(this);
- }
- }
-
- public void removeGMPrivileges() {
- for (MSentryGMPrivilege privilege : ImmutableSet.copyOf(gmPrivileges)) {
- privilege.removeRole(this);
- }
- Preconditions.checkState(gmPrivileges.isEmpty(), "gmPrivileges should be empty: " + gmPrivileges);
- }
-
- public void appendGroups(Set<MSentryGroup> groups) {
- this.groups.addAll(groups);
- }
-
- public void appendGroup(MSentryGroup group) {
- if (groups.add(group)) {
- group.appendRole(this);
- }
- }
-
- public void removeGroup(MSentryGroup group) {
- if (groups.remove(group)) {
- group.removeRole(this);
- }
- }
-
- public void appendUsers(Set<MSentryUser> users) {
- this.users.addAll(users);
- }
-
- public void appendUser(MSentryUser user) {
- if (users.add(user)) {
- user.appendRole(this);
- }
- }
-
- public void removeUser(MSentryUser user) {
- if (users.remove(user)) {
- user.removeRole(this);
- }
- }
-
- public void removePrivileges() {
- // copy is required since privilege.removeRole will call remotePrivilege
- for (MSentryPrivilege privilege : ImmutableSet.copyOf(privileges)) {
- privilege.removeRole(this);
- }
- Preconditions.checkState(privileges.isEmpty(), "Privileges should be empty: " + privileges);
- }
-
- @Override
- public String toString() {
- return "MSentryRole [roleName=" + roleName + ", privileges=[..]" + ", gmPrivileges=[..]"
- + ", groups=[...]" + ", users=[...]" + ", createTime=" + createTime + "]";
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((roleName == null) ? 0 : roleName.hashCode());
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj) {
- return true;
- }
- if (obj == null) {
- return false;
- }
- if (getClass() != obj.getClass()) {
- return false;
- }
- MSentryRole other = (MSentryRole) obj;
- if (roleName == null) {
- if (other.roleName != null) {
- return false;
- }
- } else if (!roleName.equals(other.roleName)) {
- return false;
- }
- return true;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java
deleted file mode 100644
index ff57249..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java
+++ /dev/null
@@ -1,116 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.model;
-
-import java.util.Set;
-
-import javax.jdo.annotations.PersistenceCapable;
-
-/**
- * Database backed Sentry User. Any changes to this object
- * require re-running the maven build so DN an re-enhance.
- */
-@PersistenceCapable
-public class MSentryUser {
-
- /**
- * User name is unique
- */
- private String userName;
- // set of roles granted to this user
- private Set<MSentryRole> roles;
- private long createTime;
-
- public MSentryUser(String userName, long createTime, Set<MSentryRole> roles) {
- this.setUserName(userName);
- this.createTime = createTime;
- this.roles = roles;
- }
-
- public long getCreateTime() {
- return createTime;
- }
-
- public void setCreateTime(long createTime) {
- this.createTime = createTime;
- }
-
- public Set<MSentryRole> getRoles() {
- return roles;
- }
-
- public String getUserName() {
- return userName;
- }
-
- public void setUserName(String userName) {
- this.userName = userName;
- }
-
- public void appendRole(MSentryRole role) {
- if (roles.add(role)) {
- role.appendUser(this);
- }
- }
-
- public void removeRole(MSentryRole role) {
- if (roles.remove(role)) {
- role.removeUser(this);
- }
- }
-
- @Override
- public String toString() {
- return "MSentryUser [userName=" + userName + ", roles=[...]" + ", createTime=" + createTime
- + "]";
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((userName == null) ? 0 : userName.hashCode());
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj) {
- return true;
- }
- if (obj == null) {
- return false;
- }
- if (getClass() != obj.getClass()) {
- return false;
- }
- MSentryUser other = (MSentryUser) obj;
- if (createTime != other.createTime) {
- return false;
- }
- if (userName == null) {
- if (other.userName != null) {
- return false;
- }
- } else if (!userName.equals(other.userName)) {
- return false;
- }
- return true;
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryVersion.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryVersion.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryVersion.java
deleted file mode 100644
index ff8830f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryVersion.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.model;
-
-import javax.jdo.annotations.PersistenceCapable;
-
-@PersistenceCapable
-public class MSentryVersion {
- private String schemaVersion;
- private String versionComment;
-
- public MSentryVersion() {
- }
-
- public MSentryVersion(String schemaVersion, String versionComment) {
- this.schemaVersion = schemaVersion;
- this.versionComment = versionComment;
- }
-
- /**
- * @return the versionComment
- */
- public String getVersionComment() {
- return versionComment;
- }
-
- /**
- * @param versionComment
- * the versionComment to set
- */
- public void setVersionComment(String versionComment) {
- this.versionComment = versionComment;
- }
-
- /**
- * @return the schemaVersion
- */
- public String getSchemaVersion() {
- return schemaVersion;
- }
-
- /**
- * @param schemaVersion
- * the schemaVersion to set
- */
- public void setSchemaVersion(String schemaVersion) {
- this.schemaVersion = schemaVersion;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
deleted file mode 100644
index b3b9494..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
+++ /dev/null
@@ -1,242 +0,0 @@
-<?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<!DOCTYPE jdo PUBLIC "-//Sun Microsystems, Inc.//DTD Java Data Objects Metadata 2.0//EN"
- "http://java.sun.com/dtd/jdo_2_0.dtd">
-<!--
- Size Limitations:
-
- Indexed VARCHAR: 767 bytes (MySQL running on InnoDB Engine http://bugs.mysql.com/bug.php?id=13315)
- Non-indexed VARCHAR: 4000 bytes (max length on Oracle 9i/10g/11g)
-
--->
-<jdo>
- <package name="org.apache.sentry.provider.db.service.model">
- <class name="MSentryGroup" identity-type="datastore" table="SENTRY_GROUP" detachable="true">
- <datastore-identity>
- <column name="GROUP_ID"/>
- </datastore-identity>
- <field name="groupName">
- <column name="GROUP_NAME" length="128" jdbc-type="VARCHAR"/>
- <index name="SentryGroupName" unique="true"/>
- </field>
- <field name = "createTime">
- <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
- </field>
-
- <field name="roles" mapped-by="groups">
- <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
- </field>
-
- </class>
-
- <class name="MSentryUser" identity-type="datastore" table="SENTRY_USER" detachable="true">
- <datastore-identity>
- <column name="USER_ID"/>
- </datastore-identity>
- <field name="userName">
- <column name="USER_NAME" length="128" jdbc-type="VARCHAR"/>
- <index name="SentryUserName" unique="true"/>
- </field>
- <field name = "createTime">
- <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
- </field>
-
- <field name="roles" mapped-by="users">
- <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
- </field>
-
- </class>
-
- <class name="MSentryRole" identity-type="datastore" table="SENTRY_ROLE" detachable="true">
- <datastore-identity>
- <column name="ROLE_ID"/>
- </datastore-identity>
- <field name="roleName">
- <column name="ROLE_NAME" length="128" jdbc-type="VARCHAR"/>
- <index name="SentryRoleName" unique="true"/>
- </field>
- <field name = "createTime">
- <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
- </field>
- <field name = "privileges" table="SENTRY_ROLE_DB_PRIVILEGE_MAP" default-fetch-group="true">
- <collection element-type="org.apache.sentry.provider.db.service.model.MSentryPrivilege"/>
- <join>
- <column name="ROLE_ID"/>
- </join>
- <element>
- <column name="DB_PRIVILEGE_ID"/>
- </element>
- </field>
-
- <field name = "gmPrivileges" table="SENTRY_ROLE_GM_PRIVILEGE_MAP" default-fetch-group="true">
- <collection element-type="org.apache.sentry.provider.db.service.model.MSentryGMPrivilege"/>
- <join>
- <column name="ROLE_ID"/>
- </join>
- <element>
- <column name="GM_PRIVILEGE_ID"/>
- </element>
- </field>
-
- <field name = "groups" table="SENTRY_ROLE_GROUP_MAP" default-fetch-group="true">
- <collection element-type="org.apache.sentry.provider.db.service.model.MSentryGroup"/>
- <join>
- <column name="ROLE_ID"/>
- </join>
- <element>
- <column name="GROUP_ID"/>
- </element>
- </field>
-
- <field name = "users" table="SENTRY_ROLE_USER_MAP" default-fetch-group="true">
- <collection element-type="org.apache.sentry.provider.db.service.model.MSentryUser"/>
- <join>
- <column name="ROLE_ID"/>
- </join>
- <element>
- <column name="USER_ID"/>
- </element>
- </field>
- </class>
-
- <class name="MSentryPrivilege" identity-type="datastore" table="SENTRY_DB_PRIVILEGE" detachable="true">
- <datastore-identity>
- <column name="DB_PRIVILEGE_ID"/>
- </datastore-identity>
- <index name="PRIVILEGE_INDEX" unique="true">
- <field name="serverName"/>
- <field name="dbName"/>
- <field name="tableName"/>
- <field name="columnName"/>
- <field name="URI"/>
- <field name="action"/>
- <field name="grantOption"/>
- </index>
- <field name="privilegeScope">
- <column name="PRIVILEGE_SCOPE" length="40" jdbc-type="VARCHAR"/>
- </field>
- <field name="serverName">
- <column name="SERVER_NAME" length="4000" jdbc-type="VARCHAR"/>
- </field>
- <field name="dbName">
- <column name="DB_NAME" length="4000" jdbc-type="VARCHAR"/>
- </field>
- <field name="tableName">
- <column name="TABLE_NAME" length="4000" jdbc-type="VARCHAR"/>
- </field>
- <field name="columnName">
- <column name="COLUMN_NAME" length="4000" jdbc-type="VARCHAR"/>
- </field>
- <field name="URI">
- <column name="URI" length="4000" jdbc-type="VARCHAR"/>
- </field>
- <field name="action">
- <column name="ACTION" length="40" jdbc-type="VARCHAR"/>
- </field>
- <field name = "createTime">
- <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
- </field>
- <field name="grantOption">
- <column name="WITH_GRANT_OPTION" length="1" jdbc-type="CHAR"/>
- </field>
- <field name="roles" mapped-by="privileges">
- <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
- </field>
- </class>
-
- <class name="MSentryGMPrivilege" identity-type="datastore" table="SENTRY_GM_PRIVILEGE" detachable="true">
- <datastore-identity>
- <column name="GM_PRIVILEGE_ID"/>
- </datastore-identity>
- <index name="GM_PRIVILEGE_INDEX" unique="true">
- <field name="componentName"/>
- <field name="serviceName"/>
- <field name="resourceName0"/>
- <field name="resourceType0"/>
- <field name="resourceName1"/>
- <field name="resourceType1"/>
- <field name="resourceName2"/>
- <field name="resourceType2"/>
- <field name="resourceName3"/>
- <field name="resourceType3"/>
- <field name="action"/>
- <field name="grantOption"/>
- </index>
- <field name="componentName">
- <column name="COMPONENT_NAME" length="100" jdbc-type="VARCHAR"/>
- </field>
- <field name="serviceName">
- <column name="SERVICE_NAME" length="100" jdbc-type="VARCHAR"/>
- </field>
- <field name="resourceName0">
- <column name="RESOURCE_NAME_0" length="100" jdbc-type="VARCHAR"/>
- </field>
- <field name="resourceType0">
- <column name="RESOURCE_TYPE_0" length="100" jdbc-type="VARCHAR"/>
- </field>
- <field name="resourceName1">
- <column name="RESOURCE_NAME_1" length="100" jdbc-type="VARCHAR"/>
- </field>
- <field name="resourceType1">
- <column name="RESOURCE_TYPE_1" length="100" jdbc-type="VARCHAR"/>
- </field>
- <field name="resourceName2">
- <column name="RESOURCE_NAME_2" length="100" jdbc-type="VARCHAR"/>
- </field>
- <field name="resourceType2">
- <column name="RESOURCE_TYPE_2" length="100" jdbc-type="VARCHAR"/>
- </field>
- <field name="resourceName3">
- <column name="RESOURCE_NAME_3" length="100" jdbc-type="VARCHAR"/>
- </field>
- <field name="resourceType3">
- <column name="RESOURCE_TYPE_3" length="100" jdbc-type="VARCHAR"/>
- </field>
- <field name="action">
- <column name="ACTION" length="100" jdbc-type="VARCHAR"/>
- </field>
- <field name="scope">
- <column name="SCOPE" length="100" jdbc-type="VARCHAR"/>
- </field>
- <field name = "createTime">
- <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
- </field>
- <field name="grantOption">
- <column name="WITH_GRANT_OPTION" length="1" jdbc-type="CHAR"/>
- </field>
- <field name="roles" mapped-by="gmPrivileges">
- <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
- </field>
- </class>
-
- <class name="MSentryVersion" table="SENTRY_VERSION" identity-type="datastore" detachable="true">
- <datastore-identity>
- <column name="VER_ID"/>
- </datastore-identity>
- <field name ="schemaVersion">
- <column name="SCHEMA_VERSION" length="127" jdbc-type="VARCHAR" allows-null="false"/>
- </field>
- <field name ="versionComment">
- <column name="VERSION_COMMENT" length="255" jdbc-type="VARCHAR" allows-null="false"/>
- </field>
- </class>
-
- </package>
-</jdo>
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/CommitContext.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/CommitContext.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/CommitContext.java
deleted file mode 100644
index c74dbf3..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/CommitContext.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.persistent;
-
-import java.util.UUID;
-
-/**
- * Stores the UUID associated with the server who processed
- * a commit and a commit order sequence id.
- */
-public class CommitContext {
-
- private final String serverUUID;
- private final long sequenceId;
-
- public CommitContext(UUID serverUUID, long sequenceId) {
- this.serverUUID = serverUUID.toString();
- this.sequenceId = sequenceId;
- }
- public String getServerUUID() {
- return serverUUID;
- }
- public long getSequenceId() {
- return sequenceId;
- }
-}
\ No newline at end of file
[07/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
new file mode 100644
index 0000000..600e118
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
@@ -0,0 +1,2090 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import java.io.File;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.alias.CredentialProvider;
+import org.apache.hadoop.security.alias.CredentialProviderFactory;
+import org.apache.hadoop.security.alias.UserProvider;
+import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
+import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+import org.apache.sentry.provider.db.service.thrift.TSentryActiveRoleSet;
+import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.core.common.utils.PolicyFile;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+
+import com.google.common.collect.Iterables;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSentryStore extends org.junit.Assert {
+
+ private static File dataDir;
+ private static SentryStore sentryStore;
+ private static String[] adminGroups = { "adminGroup1" };
+ private static PolicyFile policyFile;
+ private static File policyFilePath;
+ final long NUM_PRIVS = 60; // > SentryStore.PrivCleaner.NOTIFY_THRESHOLD
+ private static Configuration conf = null;
+ private static char[] passwd = new char[] { '1', '2', '3'};
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ conf = new Configuration(false);
+ final String ourUrl = UserProvider.SCHEME_NAME + ":///";
+ conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
+ CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);
+ provider.createCredentialEntry(ServerConfig.
+ SENTRY_STORE_JDBC_PASS, passwd);
+ provider.flush();
+
+ dataDir = new File(Files.createTempDir(), "sentry_policy_db");
+ conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
+ "jdbc:derby:;databaseName=" + dataDir.getPath() + ";create=true");
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
+ conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups);
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
+ ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
+ policyFilePath = new File(dataDir, "local_policy_file.ini");
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
+ policyFilePath.getPath());
+ sentryStore = new SentryStore(conf);
+ }
+
+ @Before
+ public void before() throws Exception {
+ policyFile = new PolicyFile();
+ String adminUser = "g1";
+ addGroupsToUser(adminUser, adminGroups);
+ writePolicyFile();
+ }
+
+ @After
+ public void after() {
+ sentryStore.clearAllTables();
+ }
+
+ @AfterClass
+ public static void teardown() {
+ if (sentryStore != null) {
+ sentryStore.stop();
+ }
+ if (dataDir != null) {
+ FileUtils.deleteQuietly(dataDir);
+ }
+ }
+
+ @Test
+ public void testCredentialProvider() throws Exception {
+ assertArrayEquals(passwd, conf.getPassword(ServerConfig.
+ SENTRY_STORE_JDBC_PASS));
+ }
+
+ @Test
+ public void testCaseInsensitiveRole() throws Exception {
+ String roleName = "newRole";
+ String grantor = "g1";
+ Set<TSentryGroup> groups = Sets.newHashSet();
+ TSentryGroup group = new TSentryGroup();
+ group.setGroupName("test-groups-g1");
+ groups.add(group);
+
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope("TABLE");
+ privilege.setServerName("server1");
+ privilege.setDbName("default");
+ privilege.setTableName("table1");
+ privilege.setAction(AccessConstants.ALL);
+ privilege.setCreateTime(System.currentTimeMillis());
+
+ Set<String> users = Sets.newHashSet("user1");
+
+ long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
+ assertEquals(seqId + 1, sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups).getSequenceId());
+ assertEquals(seqId + 2, sentryStore.alterSentryRoleDeleteGroups(roleName, groups).getSequenceId());
+ assertEquals(seqId + 3, sentryStore.alterSentryRoleAddUsers(roleName, users).getSequenceId());
+ assertEquals(seqId + 4, sentryStore.alterSentryRoleDeleteUsers(roleName, users).getSequenceId());
+ assertEquals(seqId + 5, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ assertEquals(seqId + 6, sentryStore
+ .alterSentryRoleRevokePrivilege(grantor, roleName, privilege).getSequenceId());
+ }
+
+ @Test
+ public void testURI() throws Exception {
+ String roleName = "test-dup-role";
+ String grantor = "g1";
+ String uri = "file:///var/folders/dt/9zm44z9s6bjfxbrm4v36lzdc0000gp/T/1401860678102-0/data/kv1.dat";
+ sentryStore.createSentryRole(roleName);
+ TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("URI", "server1", "ALL");
+ tSentryPrivilege.setURI(uri);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, tSentryPrivilege);
+
+ TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+ tSentryAuthorizable.setUri(uri);
+ tSentryAuthorizable.setServer("server1");
+
+ Set<TSentryPrivilege> privileges =
+ sentryStore.getTSentryPrivileges(new HashSet<String>(Arrays.asList(roleName)), tSentryAuthorizable);
+
+ assertTrue(privileges.size() == 1);
+
+ Set<TSentryGroup> tSentryGroups = new HashSet<TSentryGroup>();
+ tSentryGroups.add(new TSentryGroup("group1"));
+ sentryStore.alterSentryRoleAddGroups(grantor, roleName, tSentryGroups);
+ sentryStore.alterSentryRoleAddUsers(roleName, Sets.newHashSet("user1"));
+
+ TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(true, new HashSet<String>(Arrays.asList(roleName)));
+
+ // list privilege for group only
+ Set<String> privs = sentryStore.listSentryPrivilegesForProvider(
+ new HashSet<String>(Arrays.asList("group1")), Sets.newHashSet(""), thriftRoleSet,
+ tSentryAuthorizable);
+
+ assertTrue(privs.size()==1);
+ assertTrue(privs.contains("server=server1->uri=" + uri + "->action=all"));
+
+ // list privilege for user only
+ privs = sentryStore.listSentryPrivilegesForProvider(new HashSet<String>(Arrays.asList("")),
+ Sets.newHashSet("user1"), thriftRoleSet, tSentryAuthorizable);
+ assertTrue(privs.size() == 1);
+ assertTrue(privs.contains("server=server1->uri=" + uri + "->action=all"));
+
+ // list privilege for both user and group
+ privs = sentryStore.listSentryPrivilegesForProvider(
+ new HashSet<String>(Arrays.asList("group1")), Sets.newHashSet("user1"), thriftRoleSet,
+ tSentryAuthorizable);
+ assertTrue(privs.size() == 1);
+ assertTrue(privs.contains("server=server1->uri=" + uri + "->action=all"));
+ }
+
+ @Test
+ public void testCreateDuplicateRole() throws Exception {
+ String roleName = "test-dup-role";
+ sentryStore.createSentryRole(roleName);
+ try {
+ sentryStore.createSentryRole(roleName);
+ fail("Expected SentryAlreadyExistsException");
+ } catch(SentryAlreadyExistsException e) {
+ // expected
+ }
+ }
+
+ @Test
+ public void testCaseSensitiveScope() throws Exception {
+ String roleName = "role1";
+ String grantor = "g1";
+ long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
+ TSentryPrivilege sentryPrivilege = new TSentryPrivilege("Database", "server1", "all");
+ sentryPrivilege.setDbName("db1");
+ assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, sentryPrivilege).getSequenceId());
+ }
+
+ @Test
+ public void testCreateDropRole() throws Exception {
+ String roleName = "test-drop-role";
+ long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
+ assertEquals(seqId + 1, sentryStore.dropSentryRole(roleName).getSequenceId());
+ }
+
+ @Test
+ public void testAddDeleteGroupsNonExistantRole()
+ throws Exception {
+ String roleName = "non-existant-role";
+ String grantor = "g1";
+ Set<TSentryGroup> groups = Sets.newHashSet();
+ Set<String> users = Sets.newHashSet(grantor);
+ try {
+ sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups);
+ fail("Expected SentryNoSuchObjectException exception");
+ } catch (SentryNoSuchObjectException e) {
+ // excepted exception
+ }
+ try {
+ sentryStore.alterSentryRoleAddUsers(roleName, users);
+ fail("Expected SentryNoSuchObjectException exception");
+ } catch (SentryNoSuchObjectException e) {
+ // excepted exception
+ }
+ }
+
+ @Test
+ public void testAddDeleteGroups() throws Exception {
+ String roleName = "test-groups";
+ String grantor = "g1";
+ long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
+ Set<TSentryGroup> groups = Sets.newHashSet();
+ TSentryGroup group = new TSentryGroup();
+ group.setGroupName("test-groups-g1");
+ groups.add(group);
+ group = new TSentryGroup();
+ group.setGroupName("test-groups-g2");
+ groups.add(group);
+ assertEquals(seqId + 1, sentryStore.alterSentryRoleAddGroups(grantor,
+ roleName, groups).getSequenceId());
+ assertEquals(seqId + 2, sentryStore.alterSentryRoleDeleteGroups(roleName, groups)
+ .getSequenceId());
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ assertEquals(Collections.emptySet(), role.getGroups());
+ }
+
+ @Test
+ public void testAddDeleteUsers() throws Exception {
+ String roleName = "test-users";
+ long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
+ Set<String> users = Sets.newHashSet("test-user-u1", "test-user-u2");
+ assertEquals(seqId + 1, sentryStore.alterSentryRoleAddUsers(roleName, users).getSequenceId());
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ assertEquals(2, role.getUsers().size());
+ assertEquals(seqId + 2, sentryStore.alterSentryRoleDeleteUsers(roleName, users).getSequenceId());
+ role = sentryStore.getMSentryRoleByName(roleName);
+ assertEquals(0, role.getUsers().size());
+ }
+
+ @Test
+ public void testGetTSentryRolesForUser() throws Exception {
+ // Test the method GetTSentryRolesForUser according to the following test data:
+ // user1->group1
+ // user2->group1
+ // user3->group1, group2
+ // user4->group2, group3
+ // group1->r1
+ // group2->r2
+ // group3->r2
+ // user2->r3
+ // user4->r3
+ String roleName1 = "r1";
+ String roleName2 = "r2";
+ String roleName3 = "r3";
+ String user1 = "u1";
+ String user2 = "u2";
+ String user3 = "u3";
+ String user4 = "u4";
+ String group1 = "group1";
+ String group2 = "group2";
+ String group3 = "group3";
+ Map<String, Set<String>> userToGroups = Maps.newHashMap();
+ userToGroups.put(user1, Sets.newHashSet(group1));
+ userToGroups.put(user2, Sets.newHashSet(group1));
+ userToGroups.put(user3, Sets.newHashSet(group1, group2));
+ userToGroups.put(user4, Sets.newHashSet(group2, group3));
+
+ sentryStore.createSentryRole(roleName1);
+ sentryStore.createSentryRole(roleName2);
+ sentryStore.createSentryRole(roleName3);
+ sentryStore.alterSentryRoleAddUsers(roleName1, Sets.newHashSet(user1));
+ sentryStore.alterSentryRoleAddUsers(roleName2, Sets.newHashSet(user2));
+ sentryStore.alterSentryRoleAddUsers(roleName2, Sets.newHashSet(user3));
+ sentryStore.alterSentryRoleAddUsers(roleName3, Sets.newHashSet(user2, user4));
+
+ Set<TSentryRole> roles = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(user1));
+ assertEquals(1, roles.size());
+ for (TSentryRole role : roles) {
+ assertTrue(roleName1.equals(role.getRoleName()));
+ }
+
+ roles = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(user2));
+ assertEquals(2, roles.size());
+ for (TSentryRole role : roles) {
+ assertTrue(roleName2.equals(role.getRoleName()) || roleName3.equals(role.getRoleName()));
+ }
+
+ roles = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(user3));
+ assertEquals(1, roles.size());
+ for (TSentryRole role : roles) {
+ assertTrue(roleName2.equals(role.getRoleName()));
+ }
+
+ roles = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(user4));
+ assertEquals(1, roles.size());
+ for (TSentryRole role : roles) {
+ assertTrue(roleName3.equals(role.getRoleName()));
+ }
+ }
+
+ @Test
+ public void testGrantRevokePrivilege() throws Exception {
+ String roleName = "test-privilege";
+ String grantor = "g1";
+ String server = "server1";
+ String db = "db1";
+ String table = "tbl1";
+ long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope("TABLE");
+ privilege.setServerName(server);
+ privilege.setDbName(db);
+ privilege.setTableName(table);
+ privilege.setAction(AccessConstants.ALL);
+ privilege.setCreateTime(System.currentTimeMillis());
+ assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 1, privileges.size());
+ privilege.setAction(AccessConstants.SELECT);
+ assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ // after having ALL and revoking SELECT, we should have INSERT
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 1, privileges.size());
+ MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
+ assertEquals(server, mPrivilege.getServerName());
+ assertEquals(db, mPrivilege.getDbName());
+ assertEquals(table, mPrivilege.getTableName());
+ assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
+ assertFalse(mPrivilege.getGrantOption());
+ }
+
+ private void verifyOrphanCleanup() throws Exception {
+ boolean success = false;
+ int iterations = 30;
+ while (!success && iterations > 0) {
+ Thread.sleep(1000);
+ long numDBPrivs = sentryStore.countMSentryPrivileges();
+ if (numDBPrivs < NUM_PRIVS) {
+ assertEquals(0, numDBPrivs);
+ success = true;
+ }
+ iterations--;
+ }
+ assertTrue("Failed to cleanup orphaned privileges", success);
+ }
+
+ /**
+ * Create several privileges in the database, then delete the role that
+ * created them. This makes them all orphans. Wait a bit to ensure the
+ * cleanup thread runs, and expect them all to be gone from the database.
+ * @throws Exception
+ */
+ @Ignore("Disabled with SENTRY-545 following SENTRY-140 problems")
+ @Test
+ public void testPrivilegeCleanup() throws Exception {
+ final String roleName = "test-priv-cleanup";
+ final String grantor = "g1";
+ final String server = "server";
+ final String dBase = "db";
+ final String table = "table-";
+
+ sentryStore.createSentryRole(roleName);
+
+ // Create NUM_PRIVS unique privilege objects in the database
+ for (int i = 0; i < NUM_PRIVS; i++) {
+ TSentryPrivilege priv = new TSentryPrivilege();
+ priv.setPrivilegeScope("TABLE");
+ priv.setServerName(server);
+ priv.setAction(AccessConstants.ALL);
+ priv.setCreateTime(System.currentTimeMillis());
+ priv.setTableName(table + i);
+ priv.setDbName(dBase);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, priv);
+ }
+
+ // Make sure we really have the expected number of privs in the database
+ assertEquals(sentryStore.countMSentryPrivileges(), NUM_PRIVS);
+
+ // Now to make a bunch of orphans, we just remove the role that
+ // created them.
+ sentryStore.dropSentryRole(roleName);
+
+ // Now wait and see if the orphans get cleaned up
+ verifyOrphanCleanup();
+ }
+
+ /**
+ * Much like testPrivilegeCleanup, make a lot of privileges and make sure
+ * they get cleaned up. The difference here is that the privileges are
+ * created by granting ALL and then removing SELECT - thus leaving INSERT.
+ * This test exists because the revocation plays havoc with the orphan
+ * cleanup thread.
+ * @throws Exception
+ */
+ @Ignore("Disabled with SENTRY-545 following SENTRY-140 problems")
+ @Test
+ public void testPrivilegeCleanup2() throws Exception {
+ final String roleName = "test-priv-cleanup";
+ final String grantor = "g1";
+ final String server = "server";
+ final String dBase = "db";
+ final String table = "table-";
+
+ sentryStore.createSentryRole(roleName);
+
+ // Create NUM_PRIVS unique privilege objects in the database once more,
+ // this time granting ALL and revoking SELECT to make INSERT.
+ for (int i=0 ; i < NUM_PRIVS; i++) {
+ TSentryPrivilege priv = new TSentryPrivilege();
+ priv.setPrivilegeScope("DATABASE");
+ priv.setServerName(server);
+ priv.setAction(AccessConstants.ALL);
+ priv.setCreateTime(System.currentTimeMillis());
+ priv.setTableName(table + i);
+ priv.setDbName(dBase);
+ priv.setGrantOption(TSentryGrantOption.TRUE);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, priv);
+
+ priv.setAction(AccessConstants.SELECT);
+ priv.setGrantOption(TSentryGrantOption.UNSET);
+ sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, priv);
+ // after having ALL and revoking SELECT, we should have INSERT
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), i+1, privileges.size());
+ MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
+ assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
+ }
+
+ // Drop the role and clean up as before
+ sentryStore.dropSentryRole(roleName);
+ verifyOrphanCleanup();
+ }
+
+ @Test
+ public void testGrantRevokeMultiPrivileges() throws Exception {
+ String roleName = "test-privilege";
+ String grantor = "g1";
+ String server = "server1";
+ String db = "db1";
+ String table = "tbl1";
+ String[] columns = {"c1","c2","c3","c4"};
+ long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
+ Set<TSentryPrivilege> tPrivileges = Sets.newHashSet();
+ for (String column : columns) {
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope("Column");
+ privilege.setServerName(server);
+ privilege.setDbName(db);
+ privilege.setTableName(table);
+ privilege.setColumnName(column);
+ privilege.setAction(AccessConstants.SELECT);
+ privilege.setCreateTime(System.currentTimeMillis());
+ tPrivileges.add(privilege);
+ }
+ assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivileges(grantor, roleName, tPrivileges)
+ .getSequenceId());
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 4, privileges.size());
+
+ tPrivileges = Sets.newHashSet();
+ for (int i = 0; i < 2; i++) {
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope("Column");
+ privilege.setServerName(server);
+ privilege.setDbName(db);
+ privilege.setTableName(table);
+ privilege.setColumnName(columns[i]);
+ privilege.setAction(AccessConstants.SELECT);
+ privilege.setCreateTime(System.currentTimeMillis());
+ tPrivileges.add(privilege);
+ }
+ assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivileges(grantor, roleName, tPrivileges)
+ .getSequenceId());
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 2, privileges.size());
+
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope("Table");
+ privilege.setServerName(server);
+ privilege.setDbName(db);
+ privilege.setTableName(table);
+ privilege.setAction(AccessConstants.SELECT);
+ privilege.setCreateTime(System.currentTimeMillis());
+ assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ // After revoking table scope, we will have 0 privileges
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 0, privileges.size());
+ }
+
+ /**
+ * Regression test for SENTRY-74 and SENTRY-552
+ */
+ @Test
+ public void testGrantRevokePrivilegeWithColumn() throws Exception {
+ String roleName = "test-col-privilege";
+ String grantor = "g1";
+ String server = "server1";
+ String db = "db1";
+ String table = "tbl1";
+ String column1 = "c1";
+ String column2 = "c2";
+ long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope("COLUMN");
+ privilege.setServerName(server);
+ privilege.setDbName(db);
+ privilege.setTableName(table);
+ privilege.setColumnName(column1);
+ privilege.setAction(AccessConstants.ALL);
+ privilege.setCreateTime(System.currentTimeMillis());
+
+ // Grant ALL on c1 and c2
+ assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ privilege.setColumnName(column2);
+ assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 2, privileges.size());
+
+ // Revoke SELECT on c2
+ privilege.setAction(AccessConstants.SELECT);
+ assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+
+ // At this point c1 has ALL privileges and c2 should have INSERT after revoking SELECT
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 2, privileges.size());
+ for (MSentryPrivilege mPrivilege: privileges) {
+ assertEquals(server, mPrivilege.getServerName());
+ assertEquals(db, mPrivilege.getDbName());
+ assertEquals(table, mPrivilege.getTableName());
+ assertFalse(mPrivilege.getGrantOption());
+ if (mPrivilege.getColumnName().equals(column1)) {
+ assertEquals(AccessConstants.ALL, mPrivilege.getAction());
+ } else if (mPrivilege.getColumnName().equals(column2)) {
+ assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
+ } else {
+ fail("Unexpected column name: " + mPrivilege.getColumnName());
+ }
+ }
+
+ // after revoking INSERT table level privilege will remove privileges from column2
+ // and downgrade column1 to SELECT privileges.
+ privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope("TABLE");
+ privilege.setServerName(server);
+ privilege.setDbName(db);
+ privilege.setTableName(table);
+ privilege.setAction(AccessConstants.INSERT);
+ privilege.setCreateTime(System.currentTimeMillis());
+ assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 1, privileges.size());
+ assertEquals(column1, Iterables.get(privileges, 0).getColumnName());
+ assertEquals(AccessConstants.SELECT, Iterables.get(privileges, 0).getAction());
+
+ // Revoke ALL from the table should now remove all the column privileges.
+ privilege.setAction(AccessConstants.ALL);
+ privilege.setCreateTime(System.currentTimeMillis());
+ assertEquals(seqId + 5, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 0, privileges.size());
+ }
+
+ /**
+ * Regression test for SENTRY-552
+ */
+ @Test
+ public void testGrantRevokeTablePrivilegeDowngradeByDb() throws Exception {
+ String roleName = "test-table-db-downgrade-privilege";
+ String grantor = "g1";
+ String server = "server1";
+ String db = "db1";
+ String table1 = "tbl1";
+ String table2 = "tbl2";
+ long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
+ TSentryPrivilege privilegeTable1 = new TSentryPrivilege();
+ privilegeTable1.setPrivilegeScope("TABLE");
+ privilegeTable1.setServerName(server);
+ privilegeTable1.setDbName(db);
+ privilegeTable1.setTableName(table1);
+ privilegeTable1.setAction(AccessConstants.ALL);
+ privilegeTable1.setCreateTime(System.currentTimeMillis());
+ TSentryPrivilege privilegeTable2 = privilegeTable1.deepCopy();
+ privilegeTable2.setTableName(table2);
+
+ // Grant ALL on table1 and table2
+ assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilegeTable1)
+ .getSequenceId());
+ assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilegeTable2)
+ .getSequenceId());
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 2, privileges.size());
+
+ // Revoke SELECT on table2
+ privilegeTable2.setAction(AccessConstants.SELECT);
+ assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeTable2)
+ .getSequenceId());
+ // after having ALL and revoking SELECT, we should have INSERT
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 2, privileges.size());
+
+ // At this point table1 has ALL privileges and table2 should have INSERT after revoking SELECT
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 2, privileges.size());
+ for (MSentryPrivilege mPrivilege: privileges) {
+ assertEquals(server, mPrivilege.getServerName());
+ assertEquals(db, mPrivilege.getDbName());
+ assertFalse(mPrivilege.getGrantOption());
+ if (mPrivilege.getTableName().equals(table1)) {
+ assertEquals(AccessConstants.ALL, mPrivilege.getAction());
+ } else if (mPrivilege.getTableName().equals(table2)) {
+ assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
+ } else {
+ fail("Unexpected table name: " + mPrivilege.getTableName());
+ }
+ }
+
+ // Revoke INSERT on Database
+ privilegeTable2.setAction(AccessConstants.INSERT);
+ privilegeTable2.setPrivilegeScope("DATABASE");
+ privilegeTable2.unsetTableName();
+ assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeTable2)
+ .getSequenceId());
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+
+ // after revoking INSERT database level privilege will remove privileges from table2
+ // and downgrade table1 to SELECT privileges.
+ assertEquals(privileges.toString(), 1, privileges.size());
+ MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
+ assertEquals(server, mPrivilege.getServerName());
+ assertEquals(db, mPrivilege.getDbName());
+ assertEquals(table1, mPrivilege.getTableName());
+ assertEquals(AccessConstants.SELECT, mPrivilege.getAction());
+ assertFalse(mPrivilege.getGrantOption());
+ }
+
+ /**
+ * Regression test for SENTRY-552
+ */
+ @Test
+ public void testGrantRevokeColumnPrivilegeDowngradeByDb() throws Exception {
+ String roleName = "test-column-db-downgrade-privilege";
+ String grantor = "g1";
+ String server = "server1";
+ String db = "db1";
+ String table = "tbl1";
+ String column1 = "c1";
+ String column2 = "c2";
+ long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
+ TSentryPrivilege privilegeCol1 = new TSentryPrivilege();
+ privilegeCol1.setPrivilegeScope("COLUMN");
+ privilegeCol1.setServerName(server);
+ privilegeCol1.setDbName(db);
+ privilegeCol1.setTableName(table);
+ privilegeCol1.setColumnName(column1);
+ privilegeCol1.setAction(AccessConstants.ALL);
+ privilegeCol1.setCreateTime(System.currentTimeMillis());
+ TSentryPrivilege privilegeCol2 = privilegeCol1.deepCopy();
+ privilegeCol2.setColumnName(column2);
+
+ // Grant ALL on column1 and column2
+ assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilegeCol1)
+ .getSequenceId());
+ assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilegeCol2)
+ .getSequenceId());
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 2, privileges.size());
+
+ // Revoke SELECT on column2
+ privilegeCol2.setAction(AccessConstants.SELECT);
+ assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeCol2)
+ .getSequenceId());
+ // after having ALL and revoking SELECT, we should have INSERT
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 2, privileges.size());
+
+ // At this point column1 has ALL privileges and column2 should have INSERT after revoking SELECT
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 2, privileges.size());
+ for (MSentryPrivilege mPrivilege: privileges) {
+ assertEquals(server, mPrivilege.getServerName());
+ assertEquals(db, mPrivilege.getDbName());
+ assertEquals(table, mPrivilege.getTableName());
+ assertFalse(mPrivilege.getGrantOption());
+ if (mPrivilege.getColumnName().equals(column1)) {
+ assertEquals(AccessConstants.ALL, mPrivilege.getAction());
+ } else if (mPrivilege.getColumnName().equals(column2)) {
+ assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
+ } else {
+ fail("Unexpected column name: " + mPrivilege.getColumnName());
+ }
+ }
+
+ // Revoke INSERT on Database
+ privilegeCol2.setAction(AccessConstants.INSERT);
+ privilegeCol2.setPrivilegeScope("DATABASE");
+ privilegeCol2.unsetTableName();
+ privilegeCol2.unsetColumnName();
+ assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeCol2)
+ .getSequenceId());
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+
+ // after revoking INSERT database level privilege will remove privileges from column2
+ // and downgrade column1 to SELECT privileges.
+ assertEquals(privileges.toString(), 1, privileges.size());
+ MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
+ assertEquals(server, mPrivilege.getServerName());
+ assertEquals(db, mPrivilege.getDbName());
+ assertEquals(table, mPrivilege.getTableName());
+ assertEquals(column1, mPrivilege.getColumnName());
+ assertEquals(AccessConstants.SELECT, mPrivilege.getAction());
+ assertFalse(mPrivilege.getGrantOption());
+ }
+
+ @Test
+ public void testGrantRevokePrivilegeWithGrantOption() throws Exception {
+ String roleName = "test-grantOption-table";
+ String grantor = "g1";
+ String server = "server1";
+ String db = "db1";
+ String table = "tbl1";
+ TSentryGrantOption grantOption = TSentryGrantOption.TRUE;
+ long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
+
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope("TABLE");
+ privilege.setServerName(server);
+ privilege.setDbName(db);
+ privilege.setTableName(table);
+ privilege.setAction(AccessConstants.ALL);
+ privilege.setCreateTime(System.currentTimeMillis());
+ privilege.setGrantOption(grantOption);
+ assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 1, privileges.size());
+ assertEquals(Boolean.valueOf(privilege.getGrantOption().toString()), Iterables.get(privileges, 0).getGrantOption());
+ assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(0, privileges.size());
+
+ roleName = "test-grantOption-db";
+ sentryStore.createSentryRole(roleName);
+ privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope("DATABASE");
+ privilege.setServerName(server);
+ privilege.setDbName(db);
+ privilege.setAction(AccessConstants.ALL);
+ privilege.setGrantOption(TSentryGrantOption.TRUE);
+ privilege.setCreateTime(System.currentTimeMillis());
+ privilege.setGrantOption(grantOption);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege);
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 1, privileges.size());
+
+ privilege.setAction(AccessConstants.SELECT);
+ privilege.setGrantOption(TSentryGrantOption.UNSET);
+ sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege);
+ // after having ALL and revoking SELECT, we should have INSERT
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 1, privileges.size());
+ MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
+ assertEquals(server, mPrivilege.getServerName());
+ assertEquals(db, mPrivilege.getDbName());
+ assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
+ }
+
+ @Test
+ public void testGrantCheckWithGroupAndUser() throws Exception {
+ // 1. set local group mapping and group-role, user-role mapping
+ // user0_0->group0
+ // user0_1->group0
+ // user1_0->group1
+ // user1_1->group1
+ // group0->roleG0
+ // group1->roleG1
+ // user0_0->roleU00
+ // user0_1->roleU01
+ // user1_0->roleU10
+ // user1_1->roleU11
+ String grantor = "g1";
+ String[][] users = { { "user0_0", "user0_1" }, { "user1_0", "user1_1" } };
+ String[] groups = { "group0", "group1" };
+ String[] rolesForGroup = { "roleG0", "roleG1" };
+ String[] rolesForUser = { "roleU0", "roleU1", "roleU2", "roleU3" };
+ for (int i = 0; i < groups.length; i++) {
+ for (int j = 0; j < users[i].length; j++) {
+ addGroupsToUser(users[i][j], groups[i]);
+ sentryStore.createSentryRole(rolesForUser[i * 2 + j]);
+ sentryStore.alterSentryRoleAddUsers(rolesForUser[i * 2 + j], Sets.newHashSet(users[i][j]));
+ }
+ sentryStore.createSentryRole(rolesForGroup[i]);
+ Set<TSentryGroup> tGroups = Sets.newHashSet();
+ TSentryGroup tGroup = new TSentryGroup(groups[i]);
+ tGroups.add(tGroup);
+ sentryStore.alterSentryRoleAddGroups(grantor, rolesForGroup[i], tGroups);
+ }
+ writePolicyFile();
+
+ // 2. g1 grant all on database db1 to roleG0, roleU0 without grant option
+ String server = "server1";
+ String db = "db1";
+ grantor = "g1";
+ TSentryPrivilege privilege1 = new TSentryPrivilege();
+ privilege1.setPrivilegeScope("DATABASE");
+ privilege1.setServerName(server);
+ privilege1.setDbName(db);
+ privilege1.setAction(AccessConstants.ALL);
+ privilege1.setCreateTime(System.currentTimeMillis());
+ privilege1.setGrantOption(TSentryGrantOption.FALSE);
+ // user0_0 has the privilege without grant option
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, "roleG0", privilege1);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, "roleU0", privilege1);
+ try {
+ sentryStore.alterSentryRoleGrantPrivilege("user0_0", "roleG1", privilege1);
+ fail("Expected SentryGrantDeniedException exception");
+ } catch (SentryGrantDeniedException e) {
+ // excepted exception
+ }
+ try {
+ sentryStore.alterSentryRoleRevokePrivilege("user0_0", "roleG1", privilege1);
+ fail("Expected SentryGrantDeniedException exception");
+ } catch (SentryGrantDeniedException e) {
+ // excepted exception
+ }
+
+ // 3. g1 grant all on database db1 to roleG0 with grant option
+ TSentryPrivilege privilege2 = new TSentryPrivilege();
+ privilege2.setPrivilegeScope("DATABASE");
+ privilege2.setServerName(server);
+ privilege2.setDbName(db);
+ privilege2.setAction(AccessConstants.ALL);
+ privilege2.setCreateTime(System.currentTimeMillis());
+ privilege2.setGrantOption(TSentryGrantOption.TRUE);
+ // user0_0, user0_1 can grant the same privilege to other roles
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, "roleG0", privilege2);
+ sentryStore.alterSentryRoleGrantPrivilege("user0_0", "roleG1", privilege2);
+ validatePrivilegeByRoleName("roleG1", privilege2);
+ sentryStore.alterSentryRoleRevokePrivilege("user0_0", "roleG1", privilege2);
+ validateEmptyPrivilegeByRoleName("roleG1");
+ sentryStore.alterSentryRoleGrantPrivilege("user0_1", "roleG1", privilege2);
+ validatePrivilegeByRoleName("roleG1", privilege2);
+ sentryStore.alterSentryRoleRevokePrivilege("user0_1", "roleG1", privilege2);
+ validateEmptyPrivilegeByRoleName("roleG1");
+ // clear privilege for roleG0
+ sentryStore.alterSentryRoleRevokePrivilege(grantor, "roleG0", privilege2);
+
+ // 4. g1 grant all on database db1 to roleU0 with grant option
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, "roleU0", privilege2);
+ sentryStore.alterSentryRoleGrantPrivilege("user0_0", "roleG1", privilege2);
+ validatePrivilegeByRoleName("roleG1", privilege2);
+ sentryStore.alterSentryRoleRevokePrivilege("user0_0", "roleG1", privilege2);
+ validateEmptyPrivilegeByRoleName("roleG1");
+ try {
+ sentryStore.alterSentryRoleGrantPrivilege("user0_1", "roleG1", privilege2);
+ fail("Expected SentryGrantDeniedException exception");
+ } catch (SentryGrantDeniedException e) {
+ // excepted exception
+ }
+ try {
+ sentryStore.alterSentryRoleRevokePrivilege("user0_1", "roleG1", privilege2);
+ fail("Expected SentryGrantDeniedException exception");
+ } catch (SentryGrantDeniedException e) {
+ // excepted exception
+ }
+ // clear privilege for roleG0
+ sentryStore.alterSentryRoleRevokePrivilege(grantor, "roleU0", privilege2);
+
+ // 5. g1 grant all on database db1 to roleU2, roleG0 with grant option
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, "roleU2", privilege2);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, "roleG0", privilege2);
+ sentryStore.alterSentryRoleGrantPrivilege("user0_0", "roleG1", privilege2);
+ validatePrivilegeByRoleName("roleG1", privilege2);
+ sentryStore.alterSentryRoleRevokePrivilege("user0_0", "roleG1", privilege2);
+ validateEmptyPrivilegeByRoleName("roleG1");
+ sentryStore.alterSentryRoleGrantPrivilege("user0_1", "roleG1", privilege2);
+ validatePrivilegeByRoleName("roleG1", privilege2);
+ sentryStore.alterSentryRoleRevokePrivilege("user0_1", "roleG1", privilege2);
+ validateEmptyPrivilegeByRoleName("roleG1");
+
+ sentryStore.alterSentryRoleGrantPrivilege("user1_0", "roleG1", privilege2);
+ validatePrivilegeByRoleName("roleG1", privilege2);
+ sentryStore.alterSentryRoleRevokePrivilege("user1_0", "roleG1", privilege2);
+ validateEmptyPrivilegeByRoleName("roleG1");
+ try {
+ sentryStore.alterSentryRoleGrantPrivilege("user1_1", "roleG1", privilege2);
+ fail("Expected SentryGrantDeniedException exception");
+ } catch (SentryGrantDeniedException e) {
+ // excepted exception
+ }
+ try {
+ sentryStore.alterSentryRoleRevokePrivilege("user1_1", "roleG1", privilege2);
+ fail("Expected SentryGrantDeniedException exception");
+ } catch (SentryGrantDeniedException e) {
+ // excepted exception
+ }
+ // clear privilege for roleG0
+ sentryStore.alterSentryRoleRevokePrivilege(grantor, "roleG0", privilege2);
+ sentryStore.alterSentryRoleRevokePrivilege(grantor, "roleU2", privilege2);
+ }
+
+ private void validatePrivilegeByRoleName(String roleName, TSentryPrivilege exceptedTPrivelege)
+ throws Exception {
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 1, privileges.size());
+ MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
+ assertEquals(exceptedTPrivelege.getServerName(), mPrivilege.getServerName());
+ assertEquals(exceptedTPrivelege.getDbName(), mPrivilege.getDbName());
+ assertEquals(AccessConstants.ALL, mPrivilege.getAction());
+ }
+
+ private void validateEmptyPrivilegeByRoleName(String roleName) throws Exception {
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 0, privileges.size());
+ }
+
+ @Test
+ public void testGrantCheckWithGrantOption() throws Exception {
+ // 1. set local group mapping
+ // user0->group0->role0
+ // user1->group1->role1
+ // user2->group2->role2
+ // user3->group3->role3
+ // user4->group4->role4
+ String grantor = "g1";
+ String[] users = {"user0","user1","user2","user3","user4"};
+ String[] groups = { "group0", "group1", "group2", "group3", "group4" };
+ String[] roles = {"role0","role1","role2","role3","role4"};
+ for (int i = 0; i < users.length; i++) {
+ addGroupsToUser(users[i], groups[i]);
+ sentryStore.createSentryRole(roles[i]);
+ Set<TSentryGroup> tGroups = Sets.newHashSet();
+ TSentryGroup tGroup = new TSentryGroup(groups[i]);
+ tGroups.add(tGroup);
+ sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups);
+ }
+ writePolicyFile();
+
+ // 2. g1 grant all on database db1 to role0 with grant option
+ String server = "server1";
+ String db = "db1";
+ String table = "tbl1";
+ String roleName = roles[0];
+ grantor = "g1";
+ TSentryPrivilege privilege1 = new TSentryPrivilege();
+ privilege1.setPrivilegeScope("DATABASE");
+ privilege1.setServerName(server);
+ privilege1.setDbName(db);
+ privilege1.setAction(AccessConstants.ALL);
+ privilege1.setCreateTime(System.currentTimeMillis());
+ privilege1.setGrantOption(TSentryGrantOption.TRUE);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege1);
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 1, privileges.size());
+
+ // 3. user0 grant select on database db1 to role1, with grant option
+ roleName = roles[1];
+ grantor = users[0];
+ TSentryPrivilege privilege2 = new TSentryPrivilege();
+ privilege2.setPrivilegeScope("DATABASE");
+ privilege2.setServerName(server);
+ privilege2.setDbName(db);
+ privilege2.setAction(AccessConstants.SELECT);
+ privilege2.setCreateTime(System.currentTimeMillis());
+ privilege2.setGrantOption(TSentryGrantOption.TRUE);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege2);
+
+ // 4. user0 grant all on table tb1 to role2, no grant option
+ roleName = roles[2];
+ grantor = users[0];
+ TSentryPrivilege privilege3 = new TSentryPrivilege();
+ privilege3.setPrivilegeScope("TABLE");
+ privilege3.setServerName(server);
+ privilege3.setDbName(db);
+ privilege3.setTableName(table);
+ privilege3.setAction(AccessConstants.ALL);
+ privilege3.setCreateTime(System.currentTimeMillis());
+ privilege3.setGrantOption(TSentryGrantOption.FALSE);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege3);
+
+ // 5. user1 has role1, no insert privilege,
+ // grant insert to role3, will throw no grant exception
+ roleName = roles[3];
+ grantor = users[1];
+ TSentryPrivilege privilege4 = new TSentryPrivilege();
+ privilege4.setPrivilegeScope("DATABASE");
+ privilege4.setServerName(server);
+ privilege4.setDbName(db);
+ privilege4.setAction(AccessConstants.INSERT);
+ privilege4.setCreateTime(System.currentTimeMillis());
+ privilege4.setGrantOption(TSentryGrantOption.FALSE);
+ try {
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege4);
+ fail("Expected SentryGrantDeniedException exception");
+ } catch (SentryGrantDeniedException e) {
+ // excepted exception
+ }
+
+ // 6. user2 has role2, no grant option,
+ // grant insert to role4, will throw no grant exception
+ roleName = roles[4];
+ grantor = users[2];
+ TSentryPrivilege privilege5 = new TSentryPrivilege();
+ privilege5.setPrivilegeScope("TABLE");
+ privilege5.setServerName(server);
+ privilege5.setDbName(db);
+ privilege5.setTableName(table);
+ privilege5.setAction(AccessConstants.INSERT);
+ privilege5.setCreateTime(System.currentTimeMillis());
+ privilege5.setGrantOption(TSentryGrantOption.FALSE);
+ try {
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege5);
+ fail("Expected SentryGrantDeniedException exception");
+ } catch (SentryGrantDeniedException e) {
+ // excepted exception
+ }
+ }
+
+ @Test
+ public void testRevokeCheckWithGrantOption() throws Exception {
+ // 1. set local group mapping
+ // user0->group0->role0
+ // user1->group1->role1
+ // user2->group2->role2
+ String grantor = "g1";
+ String[] users = {"user0","user1","user2"};
+ String[] roles = {"role0","role1","role2"};
+ String[] groups = {"group0","group1","group2"};
+ for (int i = 0; i < users.length; i++) {
+ addGroupsToUser(users[i], groups[i]);
+ sentryStore.createSentryRole(roles[i]);
+ Set<TSentryGroup> tGroups = Sets.newHashSet();
+ TSentryGroup tGroup = new TSentryGroup(groups[i]);
+ tGroups.add(tGroup);
+ sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups);
+ sentryStore.alterSentryRoleAddUsers(roles[i], Sets.newHashSet(users[i]));
+ }
+ writePolicyFile();
+
+ // 2. g1 grant select on database db1 to role0, with grant option
+ String server = "server1";
+ String db = "db1";
+ String table = "tbl1";
+ String roleName = roles[0];
+ grantor = "g1";
+ TSentryPrivilege privilege1 = new TSentryPrivilege();
+ privilege1.setPrivilegeScope("DATABASE");
+ privilege1.setServerName(server);
+ privilege1.setDbName(db);
+ privilege1.setAction(AccessConstants.SELECT);
+ privilege1.setCreateTime(System.currentTimeMillis());
+ privilege1.setGrantOption(TSentryGrantOption.TRUE);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege1);
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 1, privileges.size());
+
+ // 3. g1 grant all on table tb1 to role1, no grant option
+ roleName = roles[1];
+ grantor = "g1";
+ TSentryPrivilege privilege2 = new TSentryPrivilege();
+ privilege2.setPrivilegeScope("TABLE");
+ privilege2.setServerName(server);
+ privilege2.setDbName(db);
+ privilege2.setTableName(table);
+ privilege2.setAction(AccessConstants.ALL);
+ privilege2.setCreateTime(System.currentTimeMillis());
+ privilege2.setGrantOption(TSentryGrantOption.FALSE);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege2);
+
+ // 4. g1 grant select on table tb1 to role2, no grant option
+ roleName = roles[2];
+ grantor = "g1";
+ TSentryPrivilege privilege3 = new TSentryPrivilege();
+ privilege3.setPrivilegeScope("TABLE");
+ privilege3.setServerName(server);
+ privilege3.setDbName(db);
+ privilege3.setTableName(table);
+ privilege3.setAction(AccessConstants.SELECT);
+ privilege3.setCreateTime(System.currentTimeMillis());
+ privilege3.setGrantOption(TSentryGrantOption.FALSE);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege3);
+
+ // 5. user1 has role1, no grant option,
+ // revoke from role2 will throw no grant exception
+ roleName = roles[2];
+ grantor = users[1];
+ try {
+ sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege3);
+ fail("Expected SentryGrantDeniedException exception");
+ } catch (SentryGrantDeniedException e) {
+ // excepted exception
+ }
+
+ // 6. user0 has role0, only have select,
+ // revoke all from role1 will throw no grant exception
+ roleName = roles[1];
+ grantor = users[0];
+ try {
+ sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege2);
+ fail("Expected SentryGrantDeniedException exception");
+ } catch (SentryGrantDeniedException e) {
+ // excepted exception
+ }
+
+ // 7. user0 has role0, has select and grant option,
+ // revoke select from role2
+ roleName = roles[2];
+ grantor = users[0];
+ sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege3);
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(0, privileges.size());
+ }
+
+ @Test
+ public void testRevokeAllGrantOption() throws Exception {
+ // 1. set local group mapping
+ // user0->group0->role0
+ String grantor = "g1";
+ String[] users = {"user0"};
+ String[] roles = {"role0"};
+ String[] groups = {"group0"};
+ for (int i = 0; i < users.length; i++) {
+ addGroupsToUser(users[i], groups[i]);
+ sentryStore.createSentryRole(roles[i]);
+ Set<TSentryGroup> tGroups = Sets.newHashSet();
+ TSentryGroup tGroup = new TSentryGroup(groups[i]);
+ tGroups.add(tGroup);
+ sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups);
+ }
+ writePolicyFile();
+
+ // 2. g1 grant select on table tb1 to role0, with grant option
+ String server = "server1";
+ String db = "db1";
+ String table = "tbl1";
+ String roleName = roles[0];
+ grantor = "g1";
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope("TABLE");
+ privilege.setServerName(server);
+ privilege.setDbName(db);
+ privilege.setTableName(table);
+ privilege.setAction(AccessConstants.SELECT);
+ privilege.setCreateTime(System.currentTimeMillis());
+ privilege.setGrantOption(TSentryGrantOption.TRUE);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege);
+
+ // 3. g1 grant select on table tb1 to role0, no grant option
+ roleName = roles[0];
+ grantor = "g1";
+ privilege.setGrantOption(TSentryGrantOption.FALSE);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege);
+
+ // 4. g1 revoke all privilege from role0
+ roleName = roles[0];
+ grantor = "g1";
+ privilege.setGrantOption(TSentryGrantOption.UNSET);
+ sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege);
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 0, privileges.size());
+ }
+
+ @Test
+ public void testGrantCheckWithColumn() throws Exception {
+ // 1. set local group mapping
+ // user0->group0->role0
+ // user1->group1->role1
+ String grantor = "g1";
+ String[] users = {"user0","user1"};
+ String[] roles = {"role0","role1"};
+ String[] groups = {"group0","group1"};
+ for (int i = 0; i < users.length; i++) {
+ addGroupsToUser(users[i], groups[i]);
+ sentryStore.createSentryRole(roles[i]);
+ Set<TSentryGroup> tGroups = Sets.newHashSet();
+ TSentryGroup tGroup = new TSentryGroup(groups[i]);
+ tGroups.add(tGroup);
+ sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups);
+ }
+ writePolicyFile();
+
+ // 2. g1 grant select on table tb1 to role0, with grant option
+ String server = "server1";
+ String db = "db1";
+ String table = "tbl1";
+ String roleName = roles[0];
+ grantor = "g1";
+ TSentryPrivilege privilege1 = new TSentryPrivilege();
+ privilege1.setPrivilegeScope("TABLE");
+ privilege1.setServerName(server);
+ privilege1.setDbName(db);
+ privilege1.setTableName(table);
+ privilege1.setAction(AccessConstants.SELECT);
+ privilege1.setCreateTime(System.currentTimeMillis());
+ privilege1.setGrantOption(TSentryGrantOption.TRUE);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege1);
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 1, privileges.size());
+
+ // 3. user0 grant select on column tb1.c1 to role1, with grant option
+ roleName = roles[1];
+ grantor = users[0];
+ String column = "c1";
+ TSentryPrivilege privilege2 = new TSentryPrivilege();
+ privilege2.setPrivilegeScope("COLUMN");
+ privilege2.setServerName(server);
+ privilege2.setDbName(db);
+ privilege2.setTableName(table);
+ privilege2.setColumnName(column);
+ privilege2.setAction(AccessConstants.SELECT);
+ privilege2.setCreateTime(System.currentTimeMillis());
+ privilege2.setGrantOption(TSentryGrantOption.TRUE);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege2);
+
+ // 4. user1 revoke table level privilege from user0, will throw grant denied exception
+ roleName = roles[0];
+ grantor = users[1];
+ try {
+ sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege1);
+ fail("Expected SentryGrantDeniedException exception");
+ } catch (SentryGrantDeniedException e) {
+ // excepted exception
+ }
+
+ // 5. user0 revoke column level privilege from user1
+ roleName = roles[1];
+ grantor = users[0];
+ sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege2);
+ role = sentryStore.getMSentryRoleByName(roleName);
+ privileges = role.getPrivileges();
+ assertEquals(0, privileges.size());
+ }
+
+ @Test
+ public void testGrantDuplicatePrivilege() throws Exception {
+ String roleName = "test-privilege";
+ String grantor = "g1";
+ String server = "server1";
+ String db = "db1";
+ String table = "tbl1";
+ long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope("TABLE");
+ privilege.setServerName(server);
+ privilege.setDbName(db);
+ privilege.setTableName(table);
+ privilege.setAction(AccessConstants.ALL);
+ privilege.setCreateTime(System.currentTimeMillis());
+ assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ privilege.setServerName("Server1");
+ privilege.setDbName("DB1");
+ privilege.setTableName("TBL1");
+ assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
+ .getSequenceId());
+ MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
+ Set<MSentryPrivilege> privileges = role.getPrivileges();
+ assertEquals(privileges.toString(), 1, privileges.size());
+ }
+
+ @Test
+ public void testListSentryPrivilegesForProvider() throws Exception {
+ String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2";
+ String groupName1 = "list-privs-g1", groupName2 = "list-privs-g2";
+ String userName1 = "list-privs-u1", userName2 = "list-privs-u2";
+ String userWithoutRole = "user-no-privs";
+ Set<String> noRoleUsers = Sets.newHashSet(userWithoutRole);
+ String grantor = "g1";
+ long seqId = sentryStore.createSentryRole(roleName1).getSequenceId();
+ assertEquals(seqId + 1, sentryStore.createSentryRole(roleName2).getSequenceId());
+ TSentryPrivilege privilege1 = new TSentryPrivilege();
+ privilege1.setPrivilegeScope("TABLE");
+ privilege1.setServerName("server1");
+ privilege1.setDbName("db1");
+ privilege1.setTableName("tbl1");
+ privilege1.setAction("SELECT");
+ privilege1.setCreateTime(System.currentTimeMillis());
+ assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege1)
+ .getSequenceId());
+ assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege1)
+ .getSequenceId());
+ TSentryPrivilege privilege2 = new TSentryPrivilege();
+ privilege2.setPrivilegeScope("SERVER");
+ privilege2.setServerName("server1");
+ privilege2.setCreateTime(System.currentTimeMillis());
+ assertEquals(seqId + 4, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege2)
+ .getSequenceId());
+ Set<TSentryGroup> groups = Sets.newHashSet();
+ Set<String> users = Sets.newHashSet();
+ TSentryGroup group = new TSentryGroup();
+ group.setGroupName(groupName1);
+ groups.add(group);
+ users.add(userName1);
+ assertEquals(seqId + 5, sentryStore.alterSentryRoleAddGroups(grantor,
+ roleName1, groups).getSequenceId());
+ assertEquals(seqId + 6, sentryStore.alterSentryRoleAddUsers(roleName1, users).getSequenceId());
+ groups.clear();
+ users.clear();
+ group = new TSentryGroup();
+ group.setGroupName(groupName2);
+ groups.add(group);
+ users.add(userName2);
+ // group 2 and user2 has both roles 1 and 2
+ assertEquals(seqId + 7, sentryStore.alterSentryRoleAddGroups(grantor, roleName1, groups)
+ .getSequenceId());
+ assertEquals(seqId + 8, sentryStore.alterSentryRoleAddGroups(grantor, roleName2, groups)
+ .getSequenceId());
+ assertEquals(seqId + 9, sentryStore.alterSentryRoleAddUsers(roleName1, users).getSequenceId());
+ assertEquals(seqId + 10, sentryStore.alterSentryRoleAddUsers(roleName2, users).getSequenceId());
+ // group1 all roles
+ assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets
+ .newHashSet(groupName1), noRoleUsers, new TSentryActiveRoleSet(true,
+ new HashSet<String>()))));
+ // user1 all roles
+ assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets
+ .newHashSet(""), Sets.newHashSet(userName1), new TSentryActiveRoleSet(true,
+ new HashSet<String>()))));
+ // group1 and user1 all roles
+ assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets
+ .newHashSet(groupName1), Sets.newHashSet(userName1), new TSentryActiveRoleSet(true,
+ new HashSet<String>()))));
+ // one active role
+ assertEquals(
+ Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
+ Sets.newHashSet(groupName1), noRoleUsers,
+ new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
+ // unknown active role
+ assertEquals(
+ Sets.newHashSet(),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
+ Sets.newHashSet(groupName1), noRoleUsers,
+ new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
+ // no active roles
+ assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore
+ .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), noRoleUsers,
+ new TSentryActiveRoleSet(false, new HashSet<String>()))));
+
+ // group2 all roles
+ assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
+ "server=server1"), SentryStore.toTrimedLower(sentryStore
+ .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), Sets.newHashSet(""),
+ new TSentryActiveRoleSet(true, new HashSet<String>()))));
+ // user2 all roles
+ assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
+ "server=server1"), SentryStore.toTrimedLower(sentryStore
+ .listAllSentryPrivilegesForProvider(Sets.newHashSet(""), Sets.newHashSet(userName2),
+ new TSentryActiveRoleSet(true, new HashSet<String>()))));
+ // user2 and group2 all roles
+ assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
+ "server=server1"), SentryStore.toTrimedLower(sentryStore
+ .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
+ Sets.newHashSet(userName2), new TSentryActiveRoleSet(true, new HashSet<String>()))));
+
+ // one active role
+ assertEquals(
+ Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
+ Sets.newHashSet(groupName2), noRoleUsers,
+ new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
+ assertEquals(
+ Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
+ Sets.newHashSet(groupName2), noRoleUsers,
+ new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2)))));
+ // unknown active role
+ assertEquals(
+ Sets.newHashSet(),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
+ Sets.newHashSet(groupName2), noRoleUsers,
+ new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
+ // no active roles
+ assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore
+ .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), noRoleUsers,
+ new TSentryActiveRoleSet(false, new HashSet<String>()))));
+
+ // both groups, all active roles
+ assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
+ "server=server1"), SentryStore.toTrimedLower(sentryStore
+ .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), noRoleUsers,
+ new TSentryActiveRoleSet(true, new HashSet<String>()))));
+ // both users and groups, all active roles
+ assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
+ "server=server1"), SentryStore.toTrimedLower(sentryStore
+ .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), Sets
+ .newHashSet(userName1, userName2),
+ new TSentryActiveRoleSet(true, new HashSet<String>()))));
+ // one active role
+ assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(
+ groupName1, groupName2), noRoleUsers,
+ new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
+ assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
+ "server=server1"), SentryStore.toTrimedLower(sentryStore
+ .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), noRoleUsers,
+ new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2)))));
+ // unknown active role
+ assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore
+ .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), noRoleUsers,
+ new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
+ // no active roles
+ assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore
+ .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), noRoleUsers,
+ new TSentryActiveRoleSet(false, new HashSet<String>()))));
+ }
+
+ @Test
+ public void testListRole() throws Exception {
+ String roleName1 = "role1", roleName2 = "role2", roleName3 = "role3";
+ String group1 = "group1", group2 = "group2";
+ String grantor = "g1";
+
+ sentryStore.createSentryRole(roleName1);
+ sentryStore.createSentryRole(roleName2);
+ sentryStore.createSentryRole(roleName3);
+
+ sentryStore.alterSentryRoleAddGroups(grantor, roleName1, Sets.newHashSet(new TSentryGroup(group1)));
+ sentryStore.alterSentryRoleAddGroups(grantor, roleName2, Sets.newHashSet(new TSentryGroup(group2)));
+ sentryStore.alterSentryRoleAddGroups(grantor, roleName3,
+ Sets.newHashSet(new TSentryGroup(group1), new TSentryGroup(group2)));
+
+ assertEquals(2, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group1), false).size());
+ assertEquals(2, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group2), false).size());
+ assertEquals(3, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group1,group2), false).size());
+ assertEquals(0,
+ sentryStore.getTSentryRolesByGroupName(Sets.newHashSet("foo"), true)
+ .size());
+ }
+
+ /**
+ * Assign multiple table and SERVER privileges to roles
+ * drop privilege for the object verify that it's removed correctl
+ * @throws Exception
+ */
+ @Test
+ public void testDropDbObject() throws Exception {
+ String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2", roleName3 = "list-privs-r3";
+ String grantor = "g1";
+ sentryStore.createSentryRole(roleName1);
+ sentryStore.createSentryRole(roleName2);
+ sentryStore.createSentryRole(roleName3);
+
+ TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
+ privilege_tbl1.setPrivilegeScope("TABLE");
+ privilege_tbl1.setServerName("server1");
+ privilege_tbl1.setDbName("db1");
+ privilege_tbl1.setTableName("tbl1");
+ privilege_tbl1.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege1 = new TSentryPrivilege(privilege_tbl1);
+ privilege1.setAction("SELECT");
+
+ TSentryPrivilege privilege2_1 = new TSentryPrivilege(privilege_tbl1);
+ privilege2_1.setAction("INSERT");
+ TSentryPrivilege privilege3_1 = new TSentryPrivilege(privilege_tbl1);
+ privilege3_1.setAction("*");
+
+ TSentryPrivilege privilege_server = new TSentryPrivilege();
+ privilege_server.setPrivilegeScope("SERVER");
+ privilege_server.setServerName("server1");
+ privilege_server.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege_tbl2 = new TSentryPrivilege();
+ privilege_tbl2.setPrivilegeScope("TABLE");
+ privilege_tbl2.setServerName("server1");
+ privilege_tbl2.setDbName("db1");
+ privilege_tbl2.setTableName("tbl2");
+ privilege_tbl2.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege2_3 = new TSentryPrivilege(privilege_tbl2);
+ privilege2_3.setAction("SELECT");
+
+ TSentryPrivilege privilege3_2 = new TSentryPrivilege(privilege_tbl2);
+ privilege3_2.setAction("INSERT");
+
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege1);
+
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege2_1);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_server);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege2_3);
+
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName3, privilege3_1);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName3, privilege3_2);
+
+ sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1));
+ assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
+ .size());
+ assertEquals(2, sentryStore.getAllTSentryPrivilegesByRoleName(roleName2)
+ .size());
+ assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName3)
+ .size());
+
+ sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl2));
+ assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
+ .size());
+ assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName2)
+ .size());
+ assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName3)
+ .size());
+ }
+
+ /**
+ * Regression test for SENTRY-547 and SENTRY-548
+ * Use case:
+ * GRANT INSERT on TABLE tbl1 to ROLE role1
+ * GRANT SELECT on TABLE tbl1 to ROLE role1
+ * GRANT ALTER on TABLE tbl1 to ROLE role1
+ * GRANT DROP on TABLE tbl1 to ROLE role1
+ * DROP TABLE tbl1
+ *
+ * After drop tbl1, role1 should have 0 privileges
+ */
+ @Test
+ public void testDropTableWithMultiAction() throws Exception {
+ String roleName1 = "role1";
+ String grantor = "g1";
+ sentryStore.createSentryRole(roleName1);
+
+ TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
+ privilege_tbl1.setPrivilegeScope("TABLE");
+ privilege_tbl1.setServerName("server1");
+ privilege_tbl1.setDbName("db1");
+ privilege_tbl1.setTableName("tbl1");
+ privilege_tbl1.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege(
+ privilege_tbl1);
+ privilege_tbl1_insert.setAction(AccessConstants.INSERT);
+
+ TSentryPrivilege privilege_tbl1_select = new TSentryPrivilege(
+ privilege_tbl1);
+ privilege_tbl1_select.setAction(AccessConstants.SELECT);
+
+ TSentryPrivilege privilege_tbl1_alter = new TSentryPrivilege(
+ privilege_tbl1);
+ privilege_tbl1_alter.setAction(AccessConstants.ALTER);
+
+ TSentryPrivilege privilege_tbl1_drop = new TSentryPrivilege(
+ privilege_tbl1);
+ privilege_tbl1_drop.setAction(AccessConstants.DROP);
+
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_insert);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_select);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_alter);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_drop);
+
+ assertEquals(4, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1).size());
+
+ // after drop privilege_tbl1, role1 should have 0 privileges
+ sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1));
+ assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1).size());
+ }
+
+ @Test
+ public void testDropTableWithColumn() throws Exception {
+ String roleName1 = "role1", roleName2 = "role2";
+ String grantor = "g1";
+ String table1 = "tbl1";
+
+ sentryStore.createSentryRole(roleName1);
+ sentryStore.createSentryRole(roleName2);
+
+ TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
+ privilege_tbl1.setPrivilegeScope("TABLE");
+ privilege_tbl1.setServerName("server1");
+ privilege_tbl1.setDbName("db1");
+ privilege_tbl1.setTableName(table1);
+ privilege_tbl1.setAction(AccessConstants.SELECT);
+ privilege_tbl1.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege_tbl1_c1 = new TSentryPrivilege(privilege_tbl1);
+ privilege_tbl1_c1.setPrivilegeScope("COLUMN");
+ privilege_tbl1_c1.setColumnName("c1");
+ privilege_tbl1_c1.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege_tbl1_c2 = new TSentryPrivilege(privilege_tbl1);
+ privilege_tbl1_c2.setPrivilegeScope("COLUMN");
+ privilege_tbl1_c2.setColumnName("c2");
+ privilege_tbl1_c2.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege_tbl1_c3 = new TSentryPrivilege(privilege_tbl1);
+ privilege_tbl1_c3.setPrivilegeScope("COLUMN");
+ privilege_tbl1_c3.setColumnName("c3");
+ privilege_tbl1_c3.setCreateTime(System.currentTimeMillis());
+
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c1);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c2);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_tbl1_c3);
+
+ Set<TSentryPrivilege> privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
+ assertEquals(2, privilegeSet.size());
+ privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2);
+ assertEquals(1, privilegeSet.size());
+
+ TSentryAuthorizable tableAuthorizable = toTSentryAuthorizable(privilege_tbl1);
+ sentryStore.dropPrivilege(tableAuthorizable);
+
+ privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
+ assertEquals(0, privilegeSet.size());
+ privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2);
+ assertEquals(0, privilegeSet.size());
+ }
+
+ @Test
+ public void testDropOverlappedPrivileges() throws Exception {
+ String roleName1 = "list-privs-r1";
+ String grantor = "g1";
+ sentryStore.createSentryRole(roleName1);
+
+ TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
+ privilege_tbl1.setPrivilegeScope("TABLE");
+ privilege_tbl1.setServerName("server1");
+ privilege_tbl1.setDbName("db1");
+ privilege_tbl1.setTableName("tbl1");
+ privilege_tbl1.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege(
+ privilege_tbl1);
+ privilege_tbl1_insert.setAction("INSERT");
+
+ TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1);
+ privilege_tbl1_all.setAction("*");
+
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_insert);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_all);
+
+ sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1));
+ assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
+ .size());
+ }
+
+ private TSentryAuthorizable toTSentryAuthorizable(
+ TSentryPrivilege tSentryPrivilege) {
+ TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+ tSentryAuthorizable.setServer(tSentryPrivilege.getServerName());
+ tSentryAuthorizable.setDb(tSentryPrivilege.getDbName());
+ tSentryAuthorizable.setTable(tSentryPrivilege.getTableName());
+ tSentryAuthorizable.setUri(tSentryPrivilege.getURI());
+ return tSentryAuthorizable;
+ }
+
+ /***
+ * Create roles and assign privileges for same table rename the privileges for
+ * the table and verify the new privileges
+ * @throws Exception
+ */
+ @Test
+ public void testRenameTable() throws Exception {
+ String roleName1 = "role1", roleName2 = "role2", roleName3 = "role3";
+ String grantor = "g1";
+ String table1 = "tbl1", table2 = "tbl2";
+
+ sentryStore.createSentryRole(roleName1);
+ sentryStore.createSentryRole(roleName2);
+ sentryStore.createSentryRole(roleName3);
+
+ TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
+ privilege_tbl1.setPrivilegeScope("TABLE");
+ privilege_tbl1.setServerName("server1");
+ privilege_tbl1.setDbName("db1");
+ privilege_tbl1.setTableName(table1);
+ privilege_tbl1.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege(
+ privilege_tbl1);
+ privilege_tbl1_insert.setAction(AccessConstants.INSERT);
+
+ TSentryPrivilege privilege_tbl1_select = new TSentryPrivilege(
+ privilege_tbl1);
+ privilege_tbl1_select.setAction(AccessConstants.SELECT);
+
+ TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1);
+ privilege_tbl1_all.setAction(AccessConstants.ALL);
+
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_insert);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_tbl1_select);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName3, privilege_tbl1_all);
+
+ TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);
+ TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1);
+ newTable.setTable(table2);
+ sentryStore.renamePrivilege(oldTable, newTable);
+
+ for (String roleName : Sets.newHashSet(roleName1, roleName2, roleName3)) {
+ Set<TSentryPrivilege> privilegeSet = sentryStore
+ .getAllTSentryPrivilegesByRoleName(roleName);
+ assertEquals(1, privilegeSet.size());
+ for (TSentryPrivilege privilege : privilegeSet) {
+ assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
+ }
+ }
+ }
+
+ /**
+ * Regression test for SENTRY-550
+ * Use case:
+ * GRANT INSERT on TABLE tbl1 to ROLE role1
+ * GRANT SELECT on TABLE tbl1 to ROLE role1
+ * GRANT ALTER on TABLE tbl1 to ROLE role1
+ * GRANT DROP on TABLE tbl1 to ROLE role1
+ * RENAME TABLE tbl1 to tbl2
+ *
+ * After rename tbl1 to tbl2, table name of all role1's privileges should be "tbl2"
+ */
+ @Test
+ public void testRenameTableWithMultiAction() throws Exception {
+ String roleName1 = "role1";
+ String grantor = "g1";
+ String table1 = "tbl1", table2 = "tbl2";
+ sentryStore.createSentryRole(roleName1);
+
+ TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
+ privilege_tbl1.setPrivilegeScope("TABLE");
+ privilege_tbl1.setServerName("server1");
+ privilege_tbl1.setDbName("db1");
+ privilege_tbl1.setTableName(table1);
+ privilege_tbl1.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege(
+ privilege_tbl1);
+ privilege_tbl1_insert.setAction(AccessConstants.INSERT);
+
+ TSentryPrivilege privilege_tbl1_select = new TSentryPrivilege(
+ privilege_tbl1);
+ privilege_tbl1_select.setAction(AccessConstants.SELECT);
+
+ TSentryPrivilege privilege_tbl1_alter = new TSentryPrivilege(
+ privilege_tbl1);
+ privilege_tbl1_alter.setAction(AccessConstants.ALTER);
+
+ TSentryPrivilege privilege_tbl1_drop = new TSentryPrivilege(
+ privilege_tbl1);
+ privilege_tbl1_drop.setAction(AccessConstants.DROP);
+
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_insert);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_select);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_alter);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_drop);
+
+ TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);
+ TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1);
+ newTable.setTable(table2);
+ sentryStore.renamePrivilege(oldTable, newTable);
+
+ // after rename tbl1 to tbl2, all table name of role's privilege will be tbl2
+ Set<TSentryPrivilege> privilegeSet = sentryStore
+ .getAllTSentryPrivilegesByRoleName(roleName1);
+ assertEquals(4, privilegeSet.size());
+ for (TSentryPrivilege privilege : privilegeSet) {
+ assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
+ }
+ }
+
+ @Test
+ public void testSentryRoleSize() throws Exception {
+ for( long i = 0; i< 5; i++ ) {
+ assertEquals((Long)i, sentryStore.getRoleCountGauge().getValue());
+ sentryStore.createSentryRole("role" + i);
+ }
+ }
+ @Test
+ public void testSentryPrivilegeSize() throws Exception {
+ String role1 = "role1";
+ String role2 = "role2";
+
+ sentryStore.createSentryRole(role1);
+ sentryStore.createSentryRole(role2);
+
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope("TABLE");
+ privilege.setServerName("server1");
+ privilege.setDbName("db1");
+ privilege.setTableName("tb1");
+ privilege.setCreateTime(System.currentTimeMillis());
+
+ String grantor = "g1";
+
+ assertEquals(Long.valueOf(0), sentryStore.getPrivilegeCountGauge().getValue());
+
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, role1, privilege);
+ assertEquals(Long.valueOf(1), sentryStore.getPrivilegeCountGauge().getValue());
+
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, role2, privilege);
+ assertEquals(Long.valueOf(1), sentryStore.getPrivilegeCountGauge().getValue());
+
+ privilege.setTableName("tb2");
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, role2, privilege);
+ assertEquals(Long.valueOf(2), sentryStore.getPrivilegeCountGauge().getValue());
+ }
+
+ @Test
+ public void testSentryGroupsSize() throws Exception {
+ String role1 = "role1";
+ String role2 = "role2";
+
+ sentryStore.createSentryRole(role1);
+ sentryStore.createSentryRole(role2);
+
+ Set<TSentryGroup> groups = Sets.newHashSet();
+ TSentryGroup group = new TSentryGroup();
+ group.setGroupName("group1");
+ groups.add(group);
+
+ String grantor = "g1";
+
+ sentryStore.alterSentryRoleAddGroups(grantor, role1, groups);
+ assertEquals(Long.valueOf(1), sentryStore.getGroupCountGauge().getValue());
+
+ sentryStore.alterSentryRoleAddGroups(grantor, role2, groups);
+ assertEquals(Long.valueOf(1), sentryStore.getGroupCountGauge().getValue());
+
+ groups.add(new TSentryGroup("group2"));
+ sentryStore.alterSentryRoleAddGroups(grantor, role2, groups);
+ assertEquals(Long.valueOf(2), sentryStore.getGroupCountGauge().getValue());
+
+ }
+
+ @Test
+ public void testSentryUsersSize() throws Exception {
+ String role1 = "role1";
+ String role2 = "role2";
+
+ sentryStore.createSentryRole(role1);
+ sentryStore.createSentryRole(role2);
+
+ Set<String> users = Sets.newHashSet("user1");
+
+ sentryStore.alterSentryRoleAddUsers(role1, users);
+ assertEquals(Long.valueOf(1), sentryStore.getUserCountGauge().getValue());
+
+ sentryStore.alterSentryRoleAddUsers(role2, users);
+ assertEquals(Long.valueOf(1), sentryStore.getUserCountGauge().getValue());
+
+ users.add("user2");
+ sentryStore.alterSentryRoleAddUsers(role2, users);
+ assertEquals(Long.valueOf(2), sentryStore.getUserCountGauge().getValue());
+
+ }
+
+ @Test
+ public void testRenameTableWithColumn() throws Exception {
+ String roleName1 = "role1", roleName2 = "role2";
+ String grantor = "g1";
+ String table1 = "tbl1", table2 = "tbl2";
+
+ sentryStore.createSentryRole(roleName1);
+ sentryStore.createSentryRole(roleName2);
+
+ TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
+ privilege_tbl1.setPrivilegeScope("TABLE");
+ privilege_tbl1.setServerName("server1");
+ privilege_tbl1.setDbName("db1");
+ privilege_tbl1.setTableName(table1);
+ privilege_tbl1.setAction(AccessConstants.SELECT);
+ privilege_tbl1.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege_tbl1_c1 = new TSentryPrivilege(privilege_tbl1);
+ privilege_tbl1_c1.setPrivilegeScope("COLUMN");
+ privilege_tbl1_c1.setColumnName("c1");
+ privilege_tbl1_c1.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege_tbl1_c2 = new TSentryPrivilege(privilege_tbl1);
+ privilege_tbl1_c2.setPrivilegeScope("COLUMN");
+ privilege_tbl1_c2.setColumnName("c2");
+ privilege_tbl1_c2.setCreateTime(System.currentTimeMillis());
+
+ TSentryPrivilege privilege_tbl1_c3 = new TSentryPrivilege(privilege_tbl1);
+ privilege_tbl1_c3.setPrivilegeScope("COLUMN");
+ privilege_tbl1_c3.setColumnName("c3");
+ privilege_tbl1_c3.setCreateTime(System.currentTimeMillis());
+
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c1);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c2);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_tbl1_c3);
+
+ Set<TSentryPrivilege> privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
+ assertEquals(2, privilegeSet.size());
+ privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2);
+ assertEquals(1, privilegeSet.size());
+
+ TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);
+ TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1);
+ newTable.setTable(table2);
+ sentryStore.renamePrivilege(oldTable, newTable);
+
+ privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
+ assertEquals(2, privilegeSet.size());
+ for (TSentryPrivilege privilege : privilegeSet) {
+ assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
+ }
+ privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2);
+ assertEquals(1, privilegeSet.size());
+ }
+
+ @Test
+ public void testSentryTablePrivilegeSome() throws Exception {
+ String roleName = "test-table-privilege-some";
+ String grantor = "g1";
+ String dbName = "db1";
+ String table = "tb1";
+ sentryStore.createSentryRole(roleName);
+ TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("TABLE", "server1", "ALL");
+ tSentryPrivilege.setDbName(dbName);
+ tSentryPrivilege.setTableName(table);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, tSentryPrivilege);
+
+ TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+ tSentryAuthorizable.setDb(dbName);
+ tSentryAuthorizable.setTable(AccessConstants.SOME);
+ tSentryAuthorizable.setServer("server1");
+
+ Set<TSentryPrivilege> privileges =
+ sentryStore.getTSentryPrivileges(new HashSet<String>(Arrays.asList(roleName)), tSentryAuthorizable);
+
+ assertTrue(privileges.size() == 1);
+
+ Set<TSentryGroup> tSentryGroups = new HashSet<TSentryGroup>();
+ tSentryGroups.add(new TSentry
<TRUNCATED>
[02/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
new file mode 100644
index 0000000..81059c5
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
@@ -0,0 +1,608 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.tools;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.PrintStream;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSentryShellHive extends SentryServiceIntegrationBase {
+
+ private File confDir;
+ private File confPath;
+ private static String TEST_ROLE_NAME_1 = "testRole1";
+ private static String TEST_ROLE_NAME_2 = "testRole2";
+ private String requestorName = "";
+
+ @Before
+ public void prepareForTest() throws Exception {
+ confDir = Files.createTempDir();
+ confPath = new File(confDir, "sentry-site.xml");
+ if (confPath.createNewFile()) {
+ FileOutputStream to = new FileOutputStream(confPath);
+ conf.writeXml(to);
+ to.close();
+ }
+ requestorName = clientUgi.getShortUserName();
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorName, requestorUserGroupNames);
+ // add ADMIN_USER for the after() in SentryServiceIntegrationBase
+ setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
+ writePolicyFile();
+ }
+
+ @After
+ public void clearTestData() throws Exception {
+ FileUtils.deleteQuietly(confDir);
+ }
+
+ @Test
+ public void testCreateDropRole() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // test: create role with -cr
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ // test: create role with --create_role
+ args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+
+ // validate the result, list roles with -lr
+ args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
+ SentryShellHive sentryShell = new SentryShellHive();
+ Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
+
+ // validate the result, list roles with --list_role
+ args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
+
+ // test: drop role with -dr
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ // test: drop role with --drop_role
+ args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+
+ // validate the result
+ Set<TSentryRole> roles = client.listRoles(requestorName);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ }
+ });
+ }
+
+ @Test
+ public void testAddDeleteRoleForGroup() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // create the role for test
+ client.createRole(requestorName, TEST_ROLE_NAME_1);
+ client.createRole(requestorName, TEST_ROLE_NAME_2);
+ // test: add role to group with -arg
+ String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup1", "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ // test: add role to multiple groups
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup2,testGroup3",
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ // test: add role to group with --add_role_group
+ args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1",
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+
+ // validate the result list roles with -lr and -g
+ args = new String[] { "-lr", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
+ SentryShellHive sentryShell = new SentryShellHive();
+ Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
+
+
+ // list roles with --list_role and -g
+ args = new String[] { "--list_role", "-g", "testGroup2", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1);
+
+ args = new String[] { "--list_role", "-g", "testGroup3", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1);
+
+ // test: delete role from group with -drg
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup1", "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ // test: delete role to multiple groups
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup2,testGroup3",
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ // test: delete role from group with --delete_role_group
+ args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1",
+ "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+
+ // validate the result
+ Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, "testGroup1");
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ roles = client.listRolesByGroupName(requestorName, "testGroup2");
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ roles = client.listRolesByGroupName(requestorName, "testGroup3");
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1);
+ client.dropRole(requestorName, TEST_ROLE_NAME_2);
+ }
+ });
+ }
+
+ @Test
+ public void testGrantRevokePrivilegeWithShortOption() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // create the role for test
+ client.createRole(requestorName, TEST_ROLE_NAME_1);
+ client.createRole(requestorName, TEST_ROLE_NAME_2);
+
+ // test: grant privilege to role with -gpr
+ String[] args = { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->action=*",
+ "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->table=tbl1->action=insert", "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
+ "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ // for the uri privilege, the action will be awalys *
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+
+ // test the list privilege with -lp
+ args = new String[] { "-lp", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellHive sentryShell = new SentryShellHive();
+ Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
+ // validate the result for -lp
+ assertEquals("Incorrect number of privileges", 6, privilegeStrs.size());
+ assertTrue(privilegeStrs.contains("server=server1->action=*"));
+ assertTrue(privilegeStrs.contains("server=server1->db=db1->action=select"));
+ assertTrue(privilegeStrs.contains("server=server1->db=db1->table=tbl1->action=insert"));
+ assertTrue(privilegeStrs
+ .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert"));
+ assertTrue(privilegeStrs
+ .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true"));
+ // for the uri privilege, the action will be awalys *
+ assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*"));
+
+ // test: revoke privilege from role with -rpr
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
+ TEST_ROLE_NAME_1);
+ assertEquals("Incorrect number of privileges", 5, privileges.size());
+
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
+ "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+ assertEquals("Incorrect number of privileges", 4, privileges.size());
+
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+ assertEquals("Incorrect number of privileges", 3, privileges.size());
+
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->table=tbl1->action=insert", "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+ assertEquals("Incorrect number of privileges", 2, privileges.size());
+
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+ assertEquals("Incorrect number of privileges", 1, privileges.size());
+
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p", "server=server1->action=*",
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+ assertEquals("Incorrect number of privileges", 0, privileges.size());
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1);
+ client.dropRole(requestorName, TEST_ROLE_NAME_2);
+ }
+ });
+ }
+
+ @Test
+ public void testGrantRevokePrivilegeWithLongOption() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // create the role for test
+ client.createRole(requestorName, TEST_ROLE_NAME_1);
+ client.createRole(requestorName, TEST_ROLE_NAME_2);
+
+ // test: grant privilege to role with -gpr
+ String[] args = { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->action=*", "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->table=tbl1->action=insert", "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
+ "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ // for the uri privilege, the action will be awalys *
+ args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+
+ // test the list privilege with -lp
+ args = new String[] { "--list_privilege", "-r", TEST_ROLE_NAME_1, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive sentryShell = new SentryShellHive();
+ Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
+ // validate the result for -lp
+ assertEquals("Incorrect number of privileges", 6, privilegeStrs.size());
+ assertTrue(privilegeStrs.contains("server=server1->action=*"));
+ assertTrue(privilegeStrs.contains("server=server1->db=db1->action=select"));
+ assertTrue(privilegeStrs.contains("server=server1->db=db1->table=tbl1->action=insert"));
+ assertTrue(privilegeStrs
+ .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert"));
+ assertTrue(privilegeStrs
+ .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true"));
+ // for the uri privilege, the action will be awalys *
+ assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*"));
+
+ // test: revoke privilege from role with -rpr
+ args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
+ TEST_ROLE_NAME_1);
+ assertEquals("Incorrect number of privileges", 5, privileges.size());
+
+ args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
+ "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+ assertEquals("Incorrect number of privileges", 4, privileges.size());
+
+ args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+ assertEquals("Incorrect number of privileges", 3, privileges.size());
+
+ args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->table=tbl1->action=insert", "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+ assertEquals("Incorrect number of privileges", 2, privileges.size());
+
+ args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+ assertEquals("Incorrect number of privileges", 1, privileges.size());
+
+ args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->action=*", "-conf", confPath.getAbsolutePath() };
+ SentryShellHive.main(args);
+ privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+ assertEquals("Incorrect number of privileges", 0, privileges.size());
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1);
+ client.dropRole(requestorName, TEST_ROLE_NAME_2);
+ }
+ });
+ }
+
+ @Test
+ public void testNegativeCaseWithInvalidArgument() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ client.createRole(requestorName, TEST_ROLE_NAME_1);
+ // test: create duplicate role with -cr
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellHive sentryShell = new SentryShellHive();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for creating duplicate role");
+ } catch (SentryUserException e) {
+ // excepted exception
+ }
+
+ // test: drop non-exist role with -dr
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for dropping non-exist role");
+ } catch (SentryUserException e) {
+ // excepted exception
+ }
+
+ // test: add non-exist role to group with -arg
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for granting non-exist role to group");
+ } catch (SentryUserException e) {
+ // excepted exception
+ }
+
+ // test: drop group from non-exist role with -drg
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for drop group from non-exist role");
+ } catch (SentryUserException e) {
+ // excepted exception
+ }
+
+ // test: grant privilege to role with the error privilege format
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=*",
+ "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for the error privilege format, invalid key value.");
+ } catch (IllegalArgumentException e) {
+ // excepted exception
+ }
+
+ // test: grant privilege to role with the error privilege hierarchy
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->table=tbl1->column=col2->action=insert", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for the error privilege format, invalid key value.");
+ } catch (IllegalArgumentException e) {
+ // excepted exception
+ }
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1);
+ }
+ });
+ }
+
+ @Test
+ public void testNegativeCaseWithoutRequiredArgument() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String strOptionConf = "conf";
+ client.createRole(requestorName, TEST_ROLE_NAME_1);
+ // test: the conf is required argument
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
+ SentryShellHive sentryShell = new SentryShellHive();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
+
+ // test: -r is required when create role
+ args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -r is required when drop role
+ args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -r is required when add role to group
+ args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -g is required when add role to group
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
+
+ // test: -r is required when delete role from group
+ args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -g is required when delete role from group
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
+
+ // test: -r is required when grant privilege to role
+ args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -p is required when grant privilege to role
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
+
+ // test: -r is required when revoke privilege from role
+ args = new String[] { "-rpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -p is required when revoke privilege from role
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
+
+ // test: command option is required for shell
+ args = new String[] {"-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellHive();
+ validateMissingParameterMsgsContains(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[",
+ "-arg Add role to group",
+ "-cr Create role",
+ "-rpr Revoke privilege from role",
+ "-drg Delete role from group",
+ "-lr List role",
+ "-lp List privilege",
+ "-gpr Grant privilege to role",
+ "-dr Drop role");
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1);
+ }
+ });
+ }
+
+ // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
+ private Set<String> getShellResultWithOSRedirect(SentryShellHive sentryShell,
+ String[] args, boolean exceptedExecuteResult) throws Exception {
+ PrintStream oldOut = System.out;
+ ByteArrayOutputStream outContent = new ByteArrayOutputStream();
+ System.setOut(new PrintStream(outContent));
+ assertEquals(exceptedExecuteResult, sentryShell.executeShell(args));
+ Set<String> resultSet = Sets.newHashSet(outContent.toString().split("\n"));
+ System.setOut(oldOut);
+ return resultSet;
+ }
+
+ private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) {
+ if (expectedRoleNames != null && expectedRoleNames.length > 0) {
+ assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length,
+ expectedRoleNames.length, roleNames.size());
+ Set<String> lowerCaseRoles = new HashSet<String>();
+ for (String role : roleNames) {
+ lowerCaseRoles.add(role.toLowerCase());
+ }
+
+ for (String expectedRole : expectedRoleNames) {
+ assertTrue("Expected role: " + expectedRole,
+ lowerCaseRoles.contains(expectedRole.toLowerCase()));
+ }
+ }
+ }
+
+ private void validateMissingParameterMsg(SentryShellHive sentryShell, String[] args,
+ String exceptedErrorMsg) throws Exception {
+ Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
+ assertTrue(errorMsgs.contains(exceptedErrorMsg));
+ }
+
+ private void validateMissingParameterMsgsContains(SentryShellHive sentryShell, String[] args,
+ String ... expectedErrorMsgsContains) throws Exception {
+ Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
+ boolean foundAllMessages = false;
+ Iterator<String> it = errorMsgs.iterator();
+ while (it.hasNext()) {
+ String errorMessage = it.next();
+ boolean missingExpected = false;
+ for (String expectedContains : expectedErrorMsgsContains) {
+ if (!errorMessage.contains(expectedContains)) {
+ missingExpected = true;
+ break;
+ }
+ }
+ if (!missingExpected) {
+ foundAllMessages = true;
+ break;
+ }
+ }
+ assertTrue(foundAllMessages);
+ }
+}
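Review bot: `getShellResultWithOSRedirect` restores `System.out` only on the happy path, so the first failing `assertEquals` or any exception out of `executeShell` leaves stdout redirected into a discarded buffer for the rest of the JVM, hiding the output and assertion messages of every test that follows; the restore belongs in a `finally`. The same pattern appears in `prepareForTest`, where the `FileOutputStream` for `sentry-site.xml` is not closed if `conf.writeXml` throws — a try-with-resources would cover it. Note also that the full service configuration is written to a directory from Guava's `Files.createTempDir()`, which does not restrict directory permissions the way `java.nio.file.Files.createTempDirectory` does; if that conf carries keytab paths or other credentials in the Kerberos variants of this base class (not visible here), they are briefly world-readable on the build host.
```java
  private Set<String> getShellResultWithOSRedirect(SentryShellHive sentryShell,
      String[] args, boolean exceptedExecuteResult) throws Exception {
    PrintStream oldOut = System.out;
    ByteArrayOutputStream outContent = new ByteArrayOutputStream();
    System.setOut(new PrintStream(outContent));
    try {
      assertEquals(exceptedExecuteResult, sentryShell.executeShell(args));
    } finally {
      // always put stdout back, otherwise one failure silences every later test
      System.setOut(oldOut);
    }
    return Sets.newHashSet(outContent.toString().split("\n"));
  }
```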
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
new file mode 100644
index 0000000..9dfe6a8
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -0,0 +1,355 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.service.thrift;
+import java.io.File;
+import java.security.PrivilegedExceptionAction;
+import java.util.Properties;
+import java.util.Set;
+import java.util.concurrent.TimeoutException;
+
+
+import com.google.common.io.Resources;
+import org.apache.commons.io.FileUtils;
+import org.apache.curator.test.TestingServer;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.hadoop.net.NetUtils;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.core.common.utils.PolicyFile;
+import org.apache.sentry.provider.db.service.persistent.HAContext;
+import org.apache.sentry.provider.db.service.thrift.SentryMiniKdcTestcase;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.zookeeper.server.ZooKeeperSaslServer;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Strings;
+import com.google.common.io.Files;
+
+public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase {
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryServiceIntegrationBase.class);
+
+ protected static final String SERVER_HOST = NetUtils.createSocketAddr("localhost:80").getAddress().getCanonicalHostName();
+ protected static final String REALM = "EXAMPLE.COM";
+ protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST;
+ protected static String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM;
+ protected static final String HTTP_PRINCIPAL = "HTTP/" + SERVER_HOST;
+ protected static final String CLIENT_PRINCIPAL = "hive/" + SERVER_HOST;
+ protected static final String CLIENT_KERBEROS_SHORT_NAME = "hive";
+ protected static final String CLIENT_KERBEROS_NAME = CLIENT_KERBEROS_SHORT_NAME
+ + "/" + SERVER_HOST + "@" + REALM;
+ protected static final String ADMIN_USER = "admin_user";
+ protected static final String ADMIN_GROUP = "admin_group";
+
+ protected static SentryService server;
+ protected SentryPolicyServiceClient client;
+ protected static MiniKdc kdc;
+ protected static File kdcWorkDir;
+ protected static File dbDir;
+ protected static File serverKeytab;
+ protected static File httpKeytab;
+ protected static File clientKeytab;
+ protected static UserGroupInformation clientUgi;
+ protected static boolean kerberos;
+ protected final static Configuration conf = new Configuration(false);
+ protected PolicyFile policyFile;
+ protected File policyFilePath;
+ protected static Properties kdcConfOverlay = new Properties();
+
+ protected static boolean haEnabled = false;
+ protected static final String ZK_SERVER_PRINCIPAL = "zookeeper/" + SERVER_HOST;
+ protected static TestingServer zkServer;
+
+ private static File ZKKeytabFile;
+
+ protected static boolean webServerEnabled = false;
+ protected static int webServerPort = ServerConfig.SENTRY_WEB_PORT_DEFAULT;
+ protected static boolean webSecurity = false;
+
+ protected static boolean pooled = false;
+
+ protected static boolean useSSL = false;
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ kerberos = true;
+ pooled = true;
+ beforeSetup();
+ setupConf();
+ startSentryService();
+ afterSetup();
+ }
+
+ private static void setupKdc() throws Exception {
+ startMiniKdc(kdcConfOverlay);
+ }
+
+ public static void startSentryService() throws Exception {
+ server.start();
+ final long start = System.currentTimeMillis();
+ while(!server.isRunning()) {
+ Thread.sleep(1000);
+ if(System.currentTimeMillis() - start > 60000L) {
+ throw new TimeoutException("Server did not start after 60 seconds");
+ }
+ }
+ }
+
+ public void stopSentryService() throws Exception {
+ server.stop();
+ Thread.sleep(30000);
+ }
+
+ public static void setupConf() throws Exception {
+ if (kerberos) {
+ setupKdc();
+ kdc = getKdc();
+ kdcWorkDir = getWorkDir();
+ serverKeytab = new File(kdcWorkDir, "server.keytab");
+ clientKeytab = new File(kdcWorkDir, "client.keytab");
+ kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL);
+ kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
+ conf.set(ServerConfig.PRINCIPAL, getServerKerberosName());
+ conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath());
+ conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_SHORT_NAME);
+ conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL,
+ getServerKerberosName());
+ conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB,
+ serverKeytab.getPath());
+
+ conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
+ conf.set("hadoop.security.authentication", "kerberos");
+ UserGroupInformation.setConfiguration(conf);
+ UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, clientKeytab.getPath());
+ clientUgi = UserGroupInformation.getLoginUser();
+ } else {
+ LOGGER.info("Stopped KDC");
+ conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
+ }
+ if (haEnabled) {
+ zkServer = getZKServer();
+ conf.set(ServerConfig.SENTRY_HA_ENABLED, "true");
+ conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_QUORUM, zkServer.getConnectString());
+ conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE, "sentry-test-case");
+ if (kerberos) {
+ conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY, "true");
+ }
+ }
+ if (webServerEnabled) {
+ conf.set(ServerConfig.SENTRY_WEB_ENABLE, "true");
+ conf.set(ServerConfig.SENTRY_WEB_PORT, String.valueOf(webServerPort));
+ if (webSecurity) {
+ httpKeytab = new File(kdcWorkDir, "http.keytab");
+ kdc.createPrincipal(httpKeytab, HTTP_PRINCIPAL);
+ conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE,
+ ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS);
+ conf.set(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL, HTTP_PRINCIPAL);
+ conf.set(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB, httpKeytab.getPath());
+ } else {
+ conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE,
+ ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE);
+ }
+ } else {
+ conf.set(ServerConfig.SENTRY_WEB_ENABLE, "false");
+ }
+ if (pooled) {
+ conf.set(ClientConfig.SENTRY_POOL_ENABLED, "true");
+ }
+ if (useSSL) {
+ conf.set(ServerConfig.SENTRY_WEB_USE_SSL, "true");
+ conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH,
+ Resources.getResource("keystore.jks").getPath());
+ conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, "password");
+ }
+ conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
+ conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP);
+ conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST);
+ conf.set(ServerConfig.RPC_PORT, String.valueOf(0));
+ dbDir = new File(Files.createTempDir(), "sentry_policy_db");
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
+ "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
+ server = new SentryServiceFactory().create(conf);
+ conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName());
+ conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort()));
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
+ ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
+ }
+
+ @Before
+ public void before() throws Exception {
+ policyFilePath = new File(dbDir, "local_policy_file.ini");
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
+ policyFilePath.getPath());
+ policyFile = new PolicyFile();
+ connectToSentryService();
+ }
+
+ @After
+ public void after() {
+ try {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ if (client != null) {
+ Set<TSentryRole> tRoles = client.listRoles(ADMIN_USER);
+ if (tRoles != null) {
+ for (TSentryRole tRole : tRoles) {
+ client.dropRole(ADMIN_USER, tRole.getRoleName());
+ }
+ }
+ client.close();
+ }
+ }
+ });
+ } catch (Exception e) {
+ LOGGER.error(e.getMessage(), e);
+ } finally {
+ policyFilePath.delete();
+ }
+ }
+
+ public void connectToSentryService() throws Exception {
+ if (kerberos) {
+ client = clientUgi.doAs(new PrivilegedExceptionAction<SentryPolicyServiceClient>() {
+ @Override
+ public SentryPolicyServiceClient run() throws Exception {
+ return SentryServiceClientFactory.create(conf);
+ }
+ });
+ } else {
+ client = SentryServiceClientFactory.create(conf);
+ }
+ }
+
+ @AfterClass
+ public static void tearDown() throws Exception {
+ beforeTeardown();
+
+ if(server != null) {
+ server.stop();
+ }
+ if (dbDir != null) {
+ FileUtils.deleteQuietly(dbDir);
+ }
+ stopMiniKdc();
+ afterTeardown();
+ }
+
+ public static String getServerKerberosName() {
+ return SERVER_KERBEROS_NAME;
+ }
+
+ public static void beforeSetup() throws Exception {
+
+ }
+ public static void afterSetup() throws Exception {
+
+ }
+ public static void beforeTeardown() throws Exception {
+
+ }
+ public static void afterTeardown() throws Exception {
+
+ }
+ protected static void assertOK(TSentryResponseStatus resp) {
+ assertStatus(Status.OK, resp);
+ }
+
+ protected static void assertStatus(Status status, TSentryResponseStatus resp) {
+ if (resp.getValue() != status.getCode()) {
+ String message = "Expected: " + status + ", Response: " + Status.fromCode(resp.getValue())
+ + ", Code: " + resp.getValue() + ", Message: " + resp.getMessage();
+ String stackTrace = Strings.nullToEmpty(resp.getStack()).trim();
+ if (!stackTrace.isEmpty()) {
+ message += ", StackTrace: " + stackTrace;
+ }
+ Assert.fail(message);
+ }
+ }
+
+ protected void setLocalGroupMapping(String user, Set<String> groupSet) {
+ for (String group : groupSet) {
+ policyFile.addGroupsToUser(user, group);
+ }
+ }
+
+ protected void writePolicyFile() throws Exception {
+ policyFile.write(policyFilePath);
+ }
+
+ protected static TestingServer getZKServer() throws Exception {
+ if (!kerberos) {
+ LOGGER.info("Creating a non-security ZooKeeper Server.");
+ return new TestingServer();
+ } else {
+ LOGGER.info("Creating a security ZooKeeper Server.");
+ // Not entirely sure exactly what "javax.security.auth.useSubjectCredsOnly=false" does, but it has something to do with
+ // re-authenticating in cases where it otherwise wouldn't. One of the sections on this page briefly mentions it:
+ // http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html
+ System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
+
+ // Setup KDC and principal
+ kdc = getKdc();
+ ZKKeytabFile = new File(kdcWorkDir, "test.keytab");
+ kdc.createPrincipal(ZKKeytabFile, ZK_SERVER_PRINCIPAL);
+
+ System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
+ System.setProperty("zookeeper.kerberos.removeHostFromPrincipal", "true");
+ System.setProperty("zookeeper.kerberos.removeRealmFromPrincipal", "true");
+
+ JaasConfiguration.addEntryForKeytab("Server", ZK_SERVER_PRINCIPAL, ZKKeytabFile.getAbsolutePath());
+ // Here's where we add the "Client" to the jaas configuration, even though we'd like not to
+ JaasConfiguration.addEntryForKeytab(HAContext.SENTRY_ZK_JAAS_NAME,
+ SERVER_KERBEROS_NAME, serverKeytab.getAbsolutePath());
+ javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
+
+ System.setProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, "Server");
+
+ return new TestingServer();
+ }
+
+ }
+
+ protected void runTestAsSubject(final TestOperation test) throws Exception {
+ /*if (false) {
+ clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ test.runTestAsSubject();
+ return null;
+ }});
+ } else {
+ */ test.runTestAsSubject();
+ //}
+ }
+
+ protected interface TestOperation {
+ void runTestAsSubject() throws Exception;
+ }
+
+}
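Review bot: In `after()` the `client.close()` call is the last statement of the cleanup operation, so any exception from `listRoles` or `dropRole` skips it and the client (presumably a pooled connection, since `setup()` forces `pooled = true`) is leaked, because the catch only logs and the `finally` only deletes the policy file. Move the close into the `finally` next to `policyFilePath.delete()`, guarded by `if (client != null)` (and wrapped in its own try/catch if `close()` declares a checked exception), so every test releases its client whether or not role cleanup succeeded. `runTestAsSubject` still carries the commented-out `if (false)` branch and never calls `clientUgi.doAs`, so its name promises a subject switch it does not perform; delete the dead code and document it, e.g. `// Runs on the caller's thread with no doAs; the Kerberos identity is fixed when connectToSentryService() creates the client under clientUgi.`, or restore the doAs path. In `getZKServer` the JVM-wide state it sets — `javax.security.auth.useSubjectCredsOnly=false`, the `zookeeper.*` system properties and the global JAAS `Configuration` — is never undone in `tearDown`, so it bleeds into other test classes run in the same JVM; the comment admitting the property is not understood should be replaced by something like `// false lets JGSS acquire Kerberos credentials from the JAAS login config instead of only the current Subject, which is what allows the ZK server/client SASL login here without an explicit doAs`, and the properties should be cleared on teardown. The SSL branch also hard-codes the keystore password `"password"` and loads a keystore from test resources, which is acceptable for a fixture but deserves a `// test-only self-signed keystore, never reuse outside tests` comment so it is not copied into a real configuration.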
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/resources/cacerts.jks
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/resources/cacerts.jks b/sentry-service/sentry-service-server/src/test/resources/cacerts.jks
new file mode 100644
index 0000000..6ac6495
Binary files /dev/null and b/sentry-service/sentry-service-server/src/test/resources/cacerts.jks differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/resources/keystore.jks
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/resources/keystore.jks b/sentry-service/sentry-service-server/src/test/resources/keystore.jks
new file mode 100644
index 0000000..a6beece
Binary files /dev/null and b/sentry-service/sentry-service-server/src/test/resources/keystore.jks differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/resources/log4j.properties b/sentry-service/sentry-service-server/src/test/resources/log4j.properties
new file mode 100644
index 0000000..9766758
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/resources/log4j.properties
@@ -0,0 +1,34 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Define some default values that can be overridden by system properties.
+#
+# For testing, it may also be convenient to specify
+
+log4j.rootLogger=DEBUG,console
+
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.target=System.err
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=%d (%t) [%p - %l] %m%n
+
+log4j.logger.org.apache.hadoop.conf.Configuration=INFO
+log4j.logger.org.apache.hadoop.metrics2=INFO
+log4j.logger.org.apache.directory=INFO
+log4j.logger.org.apache.directory.api.ldap.model.entry.AbstractValue=WARN
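Review bot: The header comment breaks off mid-sentence at `# For testing, it may also be convenient to specify` and currently tells the reader nothing, so either complete it with the property or override that was intended or drop the line. The root logger is also set to DEBUG with the console appender on System.err, which with MiniKdc, Derby and an in-process ZooKeeper will produce very large surefire output and can echo security-relevant internals (principal names, ticket handling) into CI logs; if DEBUG is only wanted for Sentry itself, consider `log4j.rootLogger=INFO,console` plus `log4j.logger.org.apache.sentry=DEBUG`.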
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/resources/solr_case.ini
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/resources/solr_case.ini b/sentry-service/sentry-service-server/src/test/resources/solr_case.ini
new file mode 100644
index 0000000..fbbebfc
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/resources/solr_case.ini
@@ -0,0 +1,26 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[groups]
+groupa = RoLe1
+groupb = rOlE1
+groupc = ROLE2
+
+[roles]
+RoLe1 = collection=*
+rOlE1 = collection=*
+ROLE2 = collection=*
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/resources/solr_config_import_tool.ini
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/resources/solr_config_import_tool.ini b/sentry-service/sentry-service-server/src/test/resources/solr_config_import_tool.ini
new file mode 100644
index 0000000..da7df4c
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/resources/solr_config_import_tool.ini
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[groups]
+corporal = corporal_role
+sergeant = corporal_role, sergeant_role
+general = corporal_role, sergeant_role, general_role
+commander_in_chief = corporal_role, sergeant_role, general_role, commander_in_chief_role
+
+[roles]
+corporal_role = collection=info->action=query, \
+ collection=info->action=update
+sergeant_role = collection=info->action=update
+general_role = collection=info->action=*
+commander_in_chief_role = collection=*
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/resources/solr_invalid.ini
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/resources/solr_invalid.ini b/sentry-service/sentry-service-server/src/test/resources/solr_invalid.ini
new file mode 100644
index 0000000..03083a7
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/resources/solr_invalid.ini
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[groups]
+
+[roles]
+
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/pom.xml b/sentry-tests/sentry-tests-hive/pom.xml
index 02bfa49..2979b45 100644
--- a/sentry-tests/sentry-tests-hive/pom.xml
+++ b/sentry-tests/sentry-tests-hive/pom.xml
@@ -220,7 +220,7 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-db</artifactId>
+ <artifactId>sentry-service-server</artifactId>
<scope>test</scope>
</dependency>
<dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/AbstractTestWithDbProvider.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/AbstractTestWithDbProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/AbstractTestWithDbProvider.java
index a315843..e7cccbf 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/AbstractTestWithDbProvider.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/AbstractTestWithDbProvider.java
@@ -31,7 +31,7 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl;
import org.apache.sentry.provider.db.SimpleDBProviderBackend;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.service.thrift.SentryService;
import org.apache.sentry.service.thrift.SentryServiceFactory;
import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestConcurrentClients.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestConcurrentClients.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestConcurrentClients.java
index 13b6e62..224691e 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestConcurrentClients.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestConcurrentClients.java
@@ -21,7 +21,7 @@ import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbComplexView.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbComplexView.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbComplexView.java
index 35f41c6..baba166 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbComplexView.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbComplexView.java
@@ -28,7 +28,7 @@ import java.util.List;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.assertFalse;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
import org.junit.Before;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbConnections.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbConnections.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbConnections.java
index f3bca9c..24bbf6f 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbConnections.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbConnections.java
@@ -24,7 +24,7 @@ import java.sql.Statement;
import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
import static org.junit.Assume.assumeThat;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
index a0450af..a0a5afe 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
@@ -27,7 +27,7 @@ import java.sql.ResultSet;
import java.sql.Statement;
import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
import org.junit.Before;
import org.junit.BeforeClass;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/ha/TestHaEnd2End.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/ha/TestHaEnd2End.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/ha/TestHaEnd2End.java
index 07d74b5..36f0471 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/ha/TestHaEnd2End.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/ha/TestHaEnd2End.java
@@ -24,7 +24,7 @@ import java.sql.ResultSet;
import java.sql.Statement;
import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.service.thrift.HAClientInvocationHandler;
import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
import org.junit.Before;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java
index 1606b6d..52e6fe4 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java
@@ -71,7 +71,7 @@ import org.apache.sentry.hdfs.SentryAuthorizationProvider;
import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
import org.apache.sentry.provider.db.SimpleDBProviderBackend;
import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
import org.apache.sentry.tests.e2e.hive.fs.MiniDFS;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
index ced9d1c..fede2a8 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
@@ -64,7 +64,7 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.DBModelAuthorizables;
import org.apache.sentry.provider.db.SimpleDBProviderBackend;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.service.thrift.KerberosConfiguration;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;
import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java
index 6531560..e4c9b27 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java
@@ -32,7 +32,7 @@ import org.apache.sentry.binding.hive.authz.SentryConfigTool;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.core.common.exception.SentryConfigurationException;
import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestCrossDbOps.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestCrossDbOps.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestCrossDbOps.java
index b123dcd..95ef8f0 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestCrossDbOps.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestCrossDbOps.java
@@ -17,7 +17,7 @@
package org.apache.sentry.tests.e2e.hive;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestCustomSerdePrivileges.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestCustomSerdePrivileges.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestCustomSerdePrivileges.java
index 2723815..d74c183 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestCustomSerdePrivileges.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestCustomSerdePrivileges.java
@@ -19,7 +19,7 @@ package org.apache.sentry.tests.e2e.hive;
import com.google.common.collect.Maps;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestEndToEnd.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestEndToEnd.java
index 23577c2..c5560a6 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestEndToEnd.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestEndToEnd.java
@@ -22,7 +22,7 @@ import java.io.FileOutputStream;
import java.sql.Connection;
import java.sql.Statement;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestExportImportPrivileges.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestExportImportPrivileges.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestExportImportPrivileges.java
index 5242bb1..b38eaaf 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestExportImportPrivileges.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestExportImportPrivileges.java
@@ -16,7 +16,7 @@
*/
package org.apache.sentry.tests.e2e.hive;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import static org.junit.Assert.assertTrue;
import java.io.File;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestJDBCInterface.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestJDBCInterface.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestJDBCInterface.java
index bc5c08b..41ea86f 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestJDBCInterface.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestJDBCInterface.java
@@ -27,7 +27,7 @@ import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestLockPrivileges.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestLockPrivileges.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestLockPrivileges.java
index 0e403d8..d9415c5 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestLockPrivileges.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestLockPrivileges.java
@@ -27,7 +27,7 @@ import java.sql.Statement;
import java.util.HashMap;
import java.util.Map;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMetadataObjectRetrieval.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMetadataObjectRetrieval.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMetadataObjectRetrieval.java
index fb0ef19..51267c3 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMetadataObjectRetrieval.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMetadataObjectRetrieval.java
@@ -17,7 +17,7 @@
package org.apache.sentry.tests.e2e.hive;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMetadataPermissions.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMetadataPermissions.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMetadataPermissions.java
index 05420d1..524fa1c 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMetadataPermissions.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMetadataPermissions.java
@@ -21,7 +21,7 @@ import java.sql.Statement;
import org.junit.Assert;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMovingToProduction.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMovingToProduction.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMovingToProduction.java
index a6edf03..b8907de 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMovingToProduction.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestMovingToProduction.java
@@ -17,7 +17,7 @@
package org.apache.sentry.tests.e2e.hive;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
index a13aef5..39f136d 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
@@ -26,7 +26,7 @@ import java.sql.Statement;
import java.util.HashMap;
import java.util.Map;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
index 8eb2851..3f9a631 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
@@ -27,7 +27,7 @@ import java.util.HashMap;
import java.util.Map;
import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import static org.junit.Assert.assertTrue;
import org.junit.Before;
import org.junit.Ignore;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDBConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDBConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDBConfiguration.java
index d1a34a8..3b62cea 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDBConfiguration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDBConfiguration.java
@@ -27,7 +27,7 @@ import java.sql.SQLException;
import java.sql.Statement;
import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.After;
import org.junit.Before;
import org.junit.BeforeClass;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDatabasePolicyFile.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDatabasePolicyFile.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDatabasePolicyFile.java
index c8712e7..0e82660 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDatabasePolicyFile.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDatabasePolicyFile.java
@@ -18,7 +18,7 @@
package org.apache.sentry.tests.e2e.hive;
import com.google.common.io.Resources;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java
index 310610e..0304256 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegeAtTransform.java
@@ -24,7 +24,7 @@ import java.io.FileOutputStream;
import java.sql.Connection;
import java.sql.Statement;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtColumnScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtColumnScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtColumnScope.java
index c2fee2a..793dc4a 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtColumnScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtColumnScope.java
@@ -25,7 +25,7 @@ import java.sql.Statement;
import org.junit.Assert;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
index b28b6f4..5df4627 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
@@ -17,7 +17,7 @@
package org.apache.sentry.tests.e2e.hive;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
index ef7a86c..cb3922a 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
@@ -29,7 +29,7 @@ import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScopePart1.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScopePart1.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScopePart1.java
index 5e8ed79..7e6e111 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScopePart1.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScopePart1.java
@@ -29,7 +29,7 @@ import java.sql.Statement;
import org.junit.Assert;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScopePart2.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScopePart2.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScopePart2.java
index 0cd272e..8eb0bd6 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScopePart2.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScopePart2.java
@@ -26,7 +26,7 @@ import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
index 6d4e8d3..bd9a70b 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
@@ -21,7 +21,7 @@ package org.apache.sentry.tests.e2e.hive;
import java.sql.Connection;
import java.sql.Statement;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
index efb588e..de74f5d 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
@@ -26,7 +26,7 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java
index da3b90f..79f1792 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSandboxOps.java
@@ -27,7 +27,7 @@ import java.sql.ResultSet;
import java.sql.Statement;
import org.apache.hadoop.fs.Path;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.provider.file.PolicyFiles;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java
index 4a64072..ecd199f 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java
@@ -31,7 +31,7 @@ import java.util.Map;
import org.junit.Assert;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
import org.junit.After;
import org.junit.Before;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
index 56e0e00..b566ee8 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
@@ -33,7 +33,7 @@ import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
import org.junit.After;
import org.junit.Assert;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUriPermissions.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUriPermissions.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUriPermissions.java
index a1b89ae..a2850b9 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUriPermissions.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUriPermissions.java
@@ -25,7 +25,7 @@ import java.sql.Statement;
import com.google.common.io.Resources;
import org.junit.Assert;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
import org.junit.Before;
import org.junit.BeforeClass;
[36/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.oracle.sql b/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.oracle.sql
deleted file mode 100644
index 412bc45..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.oracle.sql
+++ /dev/null
@@ -1,55 +0,0 @@
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE "SENTRY_GM_PRIVILEGE" (
- "GM_PRIVILEGE_ID" NUMBER NOT NULL,
- "COMPONENT_NAME" VARCHAR2(32) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL,
- "RESOURCE_NAME_0" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_1" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_2" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_3" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_0" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_1" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_2" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_3" VARCHAR2(64) DEFAULT '__NULL__',
- "ACTION" VARCHAR2(32) NOT NULL,
- "SCOPE" VARCHAR2(128) NOT NULL,
- "SERVICE_NAME" VARCHAR2(64) NOT NULL
-);
-
-ALTER TABLE "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
- "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" ("COMPONENT_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" ("SERVICE_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "GM_PRIVILEGE_ID" NUMBER NOT NULL
-);
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") INITIALLY DEFERRED;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.postgres.sql b/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.postgres.sql
deleted file mode 100644
index e9e1655..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.postgres.sql
+++ /dev/null
@@ -1,54 +0,0 @@
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE "SENTRY_GM_PRIVILEGE" (
- "GM_PRIVILEGE_ID" BIGINT NOT NULL,
- "COMPONENT_NAME" character varying(32) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) NOT NULL DEFAULT 'N',
- "RESOURCE_NAME_0" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_1" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_2" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_3" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_0" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_1" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_2" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_3" character varying(64) DEFAULT '__NULL__',
- "ACTION" character varying(32) NOT NULL,
- "SCOPE" character varying(128) NOT NULL,
- "SERVICE_NAME" character varying(64) NOT NULL
-);
-ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
- "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("COMPONENT_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("SERVICE_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "GM_PRIVILEGE_ID" BIGINT NOT NULL
-);
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GM_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") DEFERRABLE;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.derby.sql b/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.derby.sql
deleted file mode 100644
index 807a62b..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.derby.sql
+++ /dev/null
@@ -1,27 +0,0 @@
-CREATE TABLE SENTRY_USER
-(
- USER_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- USER_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_USER ADD CONSTRAINT SENTRY_USER_PK PRIMARY KEY (USER_ID);
-
-CREATE UNIQUE INDEX SENTRYUSERNAME ON SENTRY_USER (USER_NAME);
-
-CREATE TABLE SENTRY_ROLE_USER_MAP
-(
- USER_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_PK PRIMARY KEY (USER_ID,ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_USER_MAP_N49 ON SENTRY_ROLE_USER_MAP (USER_ID);
-
-CREATE INDEX SENTRY_ROLE_USER_MAP_N50 ON SENTRY_ROLE_USER_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK1 FOREIGN KEY (USER_ID) REFERENCES SENTRY_USER (USER_ID) ;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.mysql.sql b/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.mysql.sql
deleted file mode 100644
index b3a9828..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.mysql.sql
+++ /dev/null
@@ -1,28 +0,0 @@
-CREATE TABLE `SENTRY_USER` (
- `USER_ID` BIGINT NOT NULL,
- `USER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_USER`
- ADD CONSTRAINT `SENTRY_USER_PK` PRIMARY KEY (`USER_ID`);
-
-ALTER TABLE `SENTRY_USER`
- ADD CONSTRAINT `SENTRY_USER_USER_NAME_UNIQUE` UNIQUE (`USER_NAME`);
-
-CREATE TABLE `SENTRY_ROLE_USER_MAP` (
- `ROLE_ID` BIGINT NOT NULL,
- `USER_ID` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_ROLE_USER_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_USER_MAP_PK` PRIMARY KEY (`ROLE_ID`,`USER_ID`);
-
-ALTER TABLE `SENTRY_ROLE_USER_MAP`
- ADD CONSTRAINT `SEN_ROLE_USER_MAP_SEN_ROLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_USER_MAP`
- ADD CONSTRAINT `SEN_ROLE_USER_MAP_SEN_USER_FK`
- FOREIGN KEY (`USER_ID`) REFERENCES `SENTRY_USER`(`USER_ID`);
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.oracle.sql b/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.oracle.sql
deleted file mode 100644
index 76ae0d5..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.oracle.sql
+++ /dev/null
@@ -1,28 +0,0 @@
-CREATE TABLE "SENTRY_USER" (
- "USER_ID" NUMBER NOT NULL,
- "USER_NAME" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL
-);
-
-ALTER TABLE "SENTRY_USER"
- ADD CONSTRAINT "SENTRY_USER_PK" PRIMARY KEY ("USER_ID");
-
-ALTER TABLE "SENTRY_USER"
- ADD CONSTRAINT "SENTRY_USER_USER_NAME_UNIQUE" UNIQUE ("USER_NAME");
-
-CREATE TABLE "SENTRY_ROLE_USER_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "USER_ID" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR2(128)
-);
-
-ALTER TABLE "SENTRY_ROLE_USER_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_USER_MAP_PK" PRIMARY KEY ("ROLE_ID","USER_ID");
-
-ALTER TABLE "SENTRY_ROLE_USER_MAP"
- ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_USER_MAP"
- ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_USER_FK"
- FOREIGN KEY ("USER_ID") REFERENCES "SENTRY_USER"("USER_ID") INITIALLY DEFERRED;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.postgres.sql b/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.postgres.sql
deleted file mode 100644
index 37e8abc..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/006-SENTRY-711.postgres.sql
+++ /dev/null
@@ -1,28 +0,0 @@
-CREATE TABLE "SENTRY_USER" (
- "USER_ID" BIGINT NOT NULL,
- "USER_NAME" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL
-);
-
-ALTER TABLE ONLY "SENTRY_USER"
- ADD CONSTRAINT "SENTRY_USER_PK" PRIMARY KEY ("USER_ID");
-
-ALTER TABLE ONLY "SENTRY_USER"
- ADD CONSTRAINT "SENTRY_USER_USER_NAME_UNIQUE" UNIQUE ("USER_NAME");
-
-CREATE TABLE "SENTRY_ROLE_USER_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "USER_ID" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" character varying(128)
-);
-
-ALTER TABLE "SENTRY_ROLE_USER_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_USER_MAP_PK" PRIMARY KEY ("ROLE_ID","USER_ID");
-
-ALTER TABLE ONLY "SENTRY_ROLE_USER_MAP"
- ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_USER_MAP"
- ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_USER_FK"
- FOREIGN KEY ("USER_ID") REFERENCES "SENTRY_USER"("USER_ID") DEFERRABLE;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.4.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.4.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.4.0.sql
deleted file mode 100644
index f2a62d2..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.4.0.sql
+++ /dev/null
@@ -1,112 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
--- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE TABLE SENTRY_DB_PRIVILEGE
-(
- DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
- URI VARCHAR(4000),
- "ACTION" VARCHAR(40),
- CREATE_TIME BIGINT NOT NULL,
- DB_NAME VARCHAR(4000),
- GRANTOR_PRINCIPAL VARCHAR(4000),
- PRIVILEGE_NAME VARCHAR(4000),
- PRIVILEGE_SCOPE VARCHAR(40),
- "SERVER_NAME" VARCHAR(4000),
- "TABLE_NAME" VARCHAR(4000)
-);
-
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
-
--- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE TABLE SENTRY_ROLE
-(
- ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(4000),
- ROLE_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
-
--- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE TABLE SENTRY_GROUP
-(
- GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(4000),
- GROUP_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
-
--- Table SENTRY_ROLE_GROUP_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GROUP_MAP
-(
- GROUP_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL
-);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
-
--- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- DB_PRIVILEGE_ID BIGINT NOT NULL
-);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
-
-CREATE TABLE "SENTRY_VERSION" (
- VER_ID BIGINT NOT NULL,
- SCHEMA_VERSION VARCHAR(127),
- VERSION_COMMENT VARCHAR(255)
-);
-
-ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
-
--- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE (PRIVILEGE_NAME);
-
-
--- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
-
-
--- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
-
-
--- Constraints for table SENTRY_ROLE_GROUP_MAP
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
-
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
-
-
--- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.4.0', 'Sentry release version 1.4.0');
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql
deleted file mode 100644
index 53b163a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql
+++ /dev/null
@@ -1,155 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
--- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE TABLE SENTRY_DB_PRIVILEGE
-(
- DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
- URI VARCHAR(4000),
- "ACTION" VARCHAR(40),
- CREATE_TIME BIGINT NOT NULL,
- DB_NAME VARCHAR(4000),
- PRIVILEGE_SCOPE VARCHAR(40),
- "SERVER_NAME" VARCHAR(4000),
- "TABLE_NAME" VARCHAR(4000),
- "COLUMN_NAME" VARCHAR(4000),
- WITH_GRANT_OPTION CHAR(1) NOT NULL
-);
-
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
-
--- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE TABLE SENTRY_ROLE
-(
- ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- ROLE_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
-
--- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE TABLE SENTRY_GROUP
-(
- GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- GROUP_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
-
--- Table SENTRY_ROLE_GROUP_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GROUP_MAP
-(
- GROUP_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
-
--- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- DB_PRIVILEGE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
-
-CREATE TABLE "SENTRY_VERSION" (
- VER_ID BIGINT NOT NULL,
- SCHEMA_VERSION VARCHAR(127),
- VERSION_COMMENT VARCHAR(255)
-);
-
-ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
-
--- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
-
-
--- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
-
-
--- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
-
-
--- Constraints for table SENTRY_ROLE_GROUP_MAP
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
-
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
-
-
--- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.5.0', 'Sentry release version 1.5.0');
-
--- Generic model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE SENTRY_GM_PRIVILEGE
-(
- GM_PRIVILEGE_ID BIGINT NOT NULL,
- "ACTION" VARCHAR(40),
- COMPONENT_NAME VARCHAR(400),
- CREATE_TIME BIGINT NOT NULL,
- WITH_GRANT_OPTION CHAR(1),
- RESOURCE_NAME_0 VARCHAR(400),
- RESOURCE_NAME_1 VARCHAR(400),
- RESOURCE_NAME_2 VARCHAR(400),
- RESOURCE_NAME_3 VARCHAR(400),
- RESOURCE_TYPE_0 VARCHAR(400),
- RESOURCE_TYPE_1 VARCHAR(400),
- RESOURCE_TYPE_2 VARCHAR(400),
- RESOURCE_TYPE_3 VARCHAR(400),
- "SCOPE" VARCHAR(40),
- SERVICE_NAME VARCHAR(400)
-);
--- Primary key(GM_PRIVILEGE_ID)
-ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- GM_PRIVILEGE_ID BIGINT NOT NULL
-);
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.6.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.6.0.sql
deleted file mode 100644
index 0f8f0af..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.6.0.sql
+++ /dev/null
@@ -1,155 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
--- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE TABLE SENTRY_DB_PRIVILEGE
-(
- DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
- URI VARCHAR(4000),
- "ACTION" VARCHAR(40),
- CREATE_TIME BIGINT NOT NULL,
- DB_NAME VARCHAR(4000),
- PRIVILEGE_SCOPE VARCHAR(40),
- "SERVER_NAME" VARCHAR(4000),
- "TABLE_NAME" VARCHAR(4000),
- "COLUMN_NAME" VARCHAR(4000),
- WITH_GRANT_OPTION CHAR(1) NOT NULL
-);
-
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
-
--- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE TABLE SENTRY_ROLE
-(
- ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- ROLE_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
-
--- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE TABLE SENTRY_GROUP
-(
- GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- GROUP_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
-
--- Table SENTRY_ROLE_GROUP_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GROUP_MAP
-(
- GROUP_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
-
--- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- DB_PRIVILEGE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
-
-CREATE TABLE "SENTRY_VERSION" (
- VER_ID BIGINT NOT NULL,
- SCHEMA_VERSION VARCHAR(127),
- VERSION_COMMENT VARCHAR(255)
-);
-
-ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
-
--- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
-
-
--- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
-
-
--- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
-
-
--- Constraints for table SENTRY_ROLE_GROUP_MAP
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
-
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
-
-
--- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.6.0', 'Sentry release version 1.6.0');
-
--- Generic model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE SENTRY_GM_PRIVILEGE
-(
- GM_PRIVILEGE_ID BIGINT NOT NULL,
- "ACTION" VARCHAR(40),
- COMPONENT_NAME VARCHAR(400),
- CREATE_TIME BIGINT NOT NULL,
- WITH_GRANT_OPTION CHAR(1),
- RESOURCE_NAME_0 VARCHAR(400),
- RESOURCE_NAME_1 VARCHAR(400),
- RESOURCE_NAME_2 VARCHAR(400),
- RESOURCE_NAME_3 VARCHAR(400),
- RESOURCE_TYPE_0 VARCHAR(400),
- RESOURCE_TYPE_1 VARCHAR(400),
- RESOURCE_TYPE_2 VARCHAR(400),
- RESOURCE_TYPE_3 VARCHAR(400),
- "SCOPE" VARCHAR(40),
- SERVICE_NAME VARCHAR(400)
-);
--- Primary key(GM_PRIVILEGE_ID)
-ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- GM_PRIVILEGE_ID BIGINT NOT NULL
-);
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.7.0.sql
deleted file mode 100644
index b1e8649..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.7.0.sql
+++ /dev/null
@@ -1,155 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
--- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE TABLE SENTRY_DB_PRIVILEGE
-(
- DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
- URI VARCHAR(4000),
- "ACTION" VARCHAR(40),
- CREATE_TIME BIGINT NOT NULL,
- DB_NAME VARCHAR(4000),
- PRIVILEGE_SCOPE VARCHAR(40),
- "SERVER_NAME" VARCHAR(4000),
- "TABLE_NAME" VARCHAR(4000),
- "COLUMN_NAME" VARCHAR(4000),
- WITH_GRANT_OPTION CHAR(1) NOT NULL
-);
-
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
-
--- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE TABLE SENTRY_ROLE
-(
- ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- ROLE_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
-
--- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE TABLE SENTRY_GROUP
-(
- GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- GROUP_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
-
--- Table SENTRY_ROLE_GROUP_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GROUP_MAP
-(
- GROUP_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
-
--- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- DB_PRIVILEGE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
-
-CREATE TABLE "SENTRY_VERSION" (
- VER_ID BIGINT NOT NULL,
- SCHEMA_VERSION VARCHAR(127),
- VERSION_COMMENT VARCHAR(255)
-);
-
-ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
-
--- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
-
-
--- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
-
-
--- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
-
-
--- Constraints for table SENTRY_ROLE_GROUP_MAP
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
-
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
-
-
--- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
-
--- Generic model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE SENTRY_GM_PRIVILEGE
-(
- GM_PRIVILEGE_ID BIGINT NOT NULL,
- "ACTION" VARCHAR(40),
- COMPONENT_NAME VARCHAR(400),
- CREATE_TIME BIGINT NOT NULL,
- WITH_GRANT_OPTION CHAR(1),
- RESOURCE_NAME_0 VARCHAR(400),
- RESOURCE_NAME_1 VARCHAR(400),
- RESOURCE_NAME_2 VARCHAR(400),
- RESOURCE_NAME_3 VARCHAR(400),
- RESOURCE_TYPE_0 VARCHAR(400),
- RESOURCE_TYPE_1 VARCHAR(400),
- RESOURCE_TYPE_2 VARCHAR(400),
- RESOURCE_TYPE_3 VARCHAR(400),
- "SCOPE" VARCHAR(40),
- SERVICE_NAME VARCHAR(400)
-);
--- Primary key(GM_PRIVILEGE_ID)
-ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- GM_PRIVILEGE_ID BIGINT NOT NULL
-);
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.8.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.8.0.sql
deleted file mode 100644
index 6d08b5c..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.8.0.sql
+++ /dev/null
@@ -1,183 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
--- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE TABLE SENTRY_DB_PRIVILEGE
-(
- DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
- URI VARCHAR(4000),
- "ACTION" VARCHAR(40),
- CREATE_TIME BIGINT NOT NULL,
- DB_NAME VARCHAR(4000),
- PRIVILEGE_SCOPE VARCHAR(40),
- "SERVER_NAME" VARCHAR(4000),
- "TABLE_NAME" VARCHAR(4000),
- "COLUMN_NAME" VARCHAR(4000),
- WITH_GRANT_OPTION CHAR(1) NOT NULL
-);
-
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
-
--- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE TABLE SENTRY_ROLE
-(
- ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- ROLE_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
-
--- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE TABLE SENTRY_GROUP
-(
- GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- GROUP_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
-
--- Table SENTRY_ROLE_GROUP_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GROUP_MAP
-(
- GROUP_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
-
--- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- DB_PRIVILEGE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
-
-CREATE TABLE "SENTRY_VERSION" (
- VER_ID BIGINT NOT NULL,
- SCHEMA_VERSION VARCHAR(127),
- VERSION_COMMENT VARCHAR(255)
-);
-
-ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
-
--- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
-
-
--- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
-
-
--- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
-
-
--- Constraints for table SENTRY_ROLE_GROUP_MAP
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
-
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
-
-
--- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.8.0', 'Sentry release version 1.8.0');
-
--- Generic model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE SENTRY_GM_PRIVILEGE
-(
- GM_PRIVILEGE_ID BIGINT NOT NULL,
- "ACTION" VARCHAR(40),
- COMPONENT_NAME VARCHAR(400),
- CREATE_TIME BIGINT NOT NULL,
- WITH_GRANT_OPTION CHAR(1),
- RESOURCE_NAME_0 VARCHAR(400),
- RESOURCE_NAME_1 VARCHAR(400),
- RESOURCE_NAME_2 VARCHAR(400),
- RESOURCE_NAME_3 VARCHAR(400),
- RESOURCE_TYPE_0 VARCHAR(400),
- RESOURCE_TYPE_1 VARCHAR(400),
- RESOURCE_TYPE_2 VARCHAR(400),
- RESOURCE_TYPE_3 VARCHAR(400),
- "SCOPE" VARCHAR(40),
- SERVICE_NAME VARCHAR(400)
-);
--- Primary key(GM_PRIVILEGE_ID)
-ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- GM_PRIVILEGE_ID BIGINT NOT NULL
-);
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
-
-CREATE TABLE SENTRY_USER
-(
- USER_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- USER_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_USER ADD CONSTRAINT SENTRY_USER_PK PRIMARY KEY (USER_ID);
-
-CREATE UNIQUE INDEX SENTRYUSERNAME ON SENTRY_USER (USER_NAME);
-
-CREATE TABLE SENTRY_ROLE_USER_MAP
-(
- USER_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_PK PRIMARY KEY (USER_ID,ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_USER_MAP_N49 ON SENTRY_ROLE_USER_MAP (USER_ID);
-
-CREATE INDEX SENTRY_ROLE_USER_MAP_N50 ON SENTRY_ROLE_USER_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK1 FOREIGN KEY (USER_ID) REFERENCES SENTRY_USER (USER_ID) ;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.4.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.4.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.4.0.sql
deleted file mode 100644
index f2a62d2..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.4.0.sql
+++ /dev/null
@@ -1,112 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
--- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE TABLE SENTRY_DB_PRIVILEGE
-(
- DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
- URI VARCHAR(4000),
- "ACTION" VARCHAR(40),
- CREATE_TIME BIGINT NOT NULL,
- DB_NAME VARCHAR(4000),
- GRANTOR_PRINCIPAL VARCHAR(4000),
- PRIVILEGE_NAME VARCHAR(4000),
- PRIVILEGE_SCOPE VARCHAR(40),
- "SERVER_NAME" VARCHAR(4000),
- "TABLE_NAME" VARCHAR(4000)
-);
-
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
-
--- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE TABLE SENTRY_ROLE
-(
- ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(4000),
- ROLE_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
-
--- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE TABLE SENTRY_GROUP
-(
- GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(4000),
- GROUP_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
-
--- Table SENTRY_ROLE_GROUP_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GROUP_MAP
-(
- GROUP_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL
-);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
-
--- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- DB_PRIVILEGE_ID BIGINT NOT NULL
-);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
-
-CREATE TABLE "SENTRY_VERSION" (
- VER_ID BIGINT NOT NULL,
- SCHEMA_VERSION VARCHAR(127),
- VERSION_COMMENT VARCHAR(255)
-);
-
-ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
-
--- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE (PRIVILEGE_NAME);
-
-
--- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
-
-
--- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
-
-
--- Constraints for table SENTRY_ROLE_GROUP_MAP
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
-
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
-
-
--- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.4.0', 'Sentry release version 1.4.0');
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql
deleted file mode 100644
index 89d73bb..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql
+++ /dev/null
@@ -1,155 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
--- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE TABLE SENTRY_DB_PRIVILEGE
-(
- DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
- URI VARCHAR(4000) DEFAULT '__NULL__',
- "ACTION" VARCHAR(40),
- CREATE_TIME BIGINT NOT NULL,
- DB_NAME VARCHAR(4000) DEFAULT '__NULL__',
- PRIVILEGE_SCOPE VARCHAR(40),
- "SERVER_NAME" VARCHAR(4000),
- "TABLE_NAME" VARCHAR(4000) DEFAULT '__NULL__',
- "COLUMN_NAME" VARCHAR(4000) DEFAULT '__NULL__',
- WITH_GRANT_OPTION CHAR(1) NOT NULL
-);
-
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
-
--- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE TABLE SENTRY_ROLE
-(
- ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- ROLE_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
-
--- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE TABLE SENTRY_GROUP
-(
- GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- GROUP_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
-
--- Table SENTRY_ROLE_GROUP_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GROUP_MAP
-(
- GROUP_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
-
--- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- DB_PRIVILEGE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
-
-CREATE TABLE "SENTRY_VERSION" (
- VER_ID BIGINT NOT NULL,
- SCHEMA_VERSION VARCHAR(127),
- VERSION_COMMENT VARCHAR(255)
-);
-
-ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
-
--- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
-
-
--- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
-
-
--- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
-
-
--- Constraints for table SENTRY_ROLE_GROUP_MAP
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
-
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
-
-
--- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.5.0', 'Sentry release version 1.5.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE SENTRY_GM_PRIVILEGE
-(
- GM_PRIVILEGE_ID BIGINT NOT NULL,
- "ACTION" VARCHAR(40),
- COMPONENT_NAME VARCHAR(400),
- CREATE_TIME BIGINT NOT NULL,
- WITH_GRANT_OPTION CHAR(1),
- RESOURCE_NAME_0 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_1 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_2 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_3 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_0 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_1 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_2 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_3 VARCHAR(400) DEFAULT '__NULL__',
- "SCOPE" VARCHAR(40),
- SERVICE_NAME VARCHAR(400)
-);
--- Primary key(GM_PRIVILEGE_ID)
-ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- GM_PRIVILEGE_ID BIGINT NOT NULL
-);
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.6.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.6.0.sql
deleted file mode 100644
index 9ceb4c5..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.6.0.sql
+++ /dev/null
@@ -1,155 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
--- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE TABLE SENTRY_DB_PRIVILEGE
-(
- DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
- URI VARCHAR(4000) DEFAULT '__NULL__',
- "ACTION" VARCHAR(40),
- CREATE_TIME BIGINT NOT NULL,
- DB_NAME VARCHAR(4000) DEFAULT '__NULL__',
- PRIVILEGE_SCOPE VARCHAR(40),
- "SERVER_NAME" VARCHAR(4000),
- "TABLE_NAME" VARCHAR(4000) DEFAULT '__NULL__',
- "COLUMN_NAME" VARCHAR(4000) DEFAULT '__NULL__',
- WITH_GRANT_OPTION CHAR(1) NOT NULL
-);
-
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
-
--- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE TABLE SENTRY_ROLE
-(
- ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- ROLE_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
-
--- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE TABLE SENTRY_GROUP
-(
- GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- GROUP_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
-
--- Table SENTRY_ROLE_GROUP_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GROUP_MAP
-(
- GROUP_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
-
--- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- DB_PRIVILEGE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
-
-CREATE TABLE "SENTRY_VERSION" (
- VER_ID BIGINT NOT NULL,
- SCHEMA_VERSION VARCHAR(127),
- VERSION_COMMENT VARCHAR(255)
-);
-
-ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
-
--- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
-
-
--- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
-
-
--- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
-
-
--- Constraints for table SENTRY_ROLE_GROUP_MAP
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
-
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
-
-
--- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.6.0', 'Sentry release version 1.6.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE SENTRY_GM_PRIVILEGE
-(
- GM_PRIVILEGE_ID BIGINT NOT NULL,
- "ACTION" VARCHAR(40),
- COMPONENT_NAME VARCHAR(400),
- CREATE_TIME BIGINT NOT NULL,
- WITH_GRANT_OPTION CHAR(1),
- RESOURCE_NAME_0 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_1 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_2 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_3 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_0 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_1 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_2 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_3 VARCHAR(400) DEFAULT '__NULL__',
- "SCOPE" VARCHAR(40),
- SERVICE_NAME VARCHAR(400)
-);
--- Primary key(GM_PRIVILEGE_ID)
-ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- GM_PRIVILEGE_ID BIGINT NOT NULL
-);
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.7.0.sql
deleted file mode 100644
index b06fc4a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.7.0.sql
+++ /dev/null
@@ -1,155 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
--- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE TABLE SENTRY_DB_PRIVILEGE
-(
- DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
- URI VARCHAR(4000) DEFAULT '__NULL__',
- "ACTION" VARCHAR(40),
- CREATE_TIME BIGINT NOT NULL,
- DB_NAME VARCHAR(4000) DEFAULT '__NULL__',
- PRIVILEGE_SCOPE VARCHAR(40),
- "SERVER_NAME" VARCHAR(4000),
- "TABLE_NAME" VARCHAR(4000) DEFAULT '__NULL__',
- "COLUMN_NAME" VARCHAR(4000) DEFAULT '__NULL__',
- WITH_GRANT_OPTION CHAR(1) NOT NULL
-);
-
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
-
--- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE TABLE SENTRY_ROLE
-(
- ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- ROLE_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
-
--- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE TABLE SENTRY_GROUP
-(
- GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- GROUP_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
-
--- Table SENTRY_ROLE_GROUP_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GROUP_MAP
-(
- GROUP_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
-
--- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- DB_PRIVILEGE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
-
-CREATE TABLE "SENTRY_VERSION" (
- VER_ID BIGINT NOT NULL,
- SCHEMA_VERSION VARCHAR(127),
- VERSION_COMMENT VARCHAR(255)
-);
-
-ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
-
--- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
-
-
--- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
-
-
--- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
-
-
--- Constraints for table SENTRY_ROLE_GROUP_MAP
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
-
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
-
-
--- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE SENTRY_GM_PRIVILEGE
-(
- GM_PRIVILEGE_ID BIGINT NOT NULL,
- "ACTION" VARCHAR(40),
- COMPONENT_NAME VARCHAR(400),
- CREATE_TIME BIGINT NOT NULL,
- WITH_GRANT_OPTION CHAR(1),
- RESOURCE_NAME_0 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_1 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_2 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_3 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_0 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_1 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_2 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_3 VARCHAR(400) DEFAULT '__NULL__',
- "SCOPE" VARCHAR(40),
- SERVICE_NAME VARCHAR(400)
-);
--- Primary key(GM_PRIVILEGE_ID)
-ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- GM_PRIVILEGE_ID BIGINT NOT NULL
-);
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.8.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.8.0.sql
deleted file mode 100644
index d522026..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.8.0.sql
+++ /dev/null
@@ -1,184 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
--- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE TABLE SENTRY_DB_PRIVILEGE
-(
- DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
- URI VARCHAR(4000) DEFAULT '__NULL__',
- "ACTION" VARCHAR(40),
- CREATE_TIME BIGINT NOT NULL,
- DB_NAME VARCHAR(4000) DEFAULT '__NULL__',
- PRIVILEGE_SCOPE VARCHAR(40),
- "SERVER_NAME" VARCHAR(4000),
- "TABLE_NAME" VARCHAR(4000) DEFAULT '__NULL__',
- "COLUMN_NAME" VARCHAR(4000) DEFAULT '__NULL__',
- WITH_GRANT_OPTION CHAR(1) NOT NULL
-);
-
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
-
--- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE TABLE SENTRY_ROLE
-(
- ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- ROLE_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
-
--- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE TABLE SENTRY_GROUP
-(
- GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- GROUP_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
-
--- Table SENTRY_ROLE_GROUP_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GROUP_MAP
-(
- GROUP_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
-
--- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- DB_PRIVILEGE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
-
-CREATE TABLE "SENTRY_VERSION" (
- VER_ID BIGINT NOT NULL,
- SCHEMA_VERSION VARCHAR(127),
- VERSION_COMMENT VARCHAR(255)
-);
-
-ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
-
--- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
-
-
--- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
-CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
-
-
--- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
-CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
-
-
--- Constraints for table SENTRY_ROLE_GROUP_MAP
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
-
-CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
-
-
--- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.8.0', 'Sentry release version 1.8.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE SENTRY_GM_PRIVILEGE
-(
- GM_PRIVILEGE_ID BIGINT NOT NULL,
- "ACTION" VARCHAR(40),
- COMPONENT_NAME VARCHAR(400),
- CREATE_TIME BIGINT NOT NULL,
- WITH_GRANT_OPTION CHAR(1),
- RESOURCE_NAME_0 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_1 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_2 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_3 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_0 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_1 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_2 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_3 VARCHAR(400) DEFAULT '__NULL__',
- "SCOPE" VARCHAR(40),
- SERVICE_NAME VARCHAR(400)
-);
--- Primary key(GM_PRIVILEGE_ID)
-ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- GM_PRIVILEGE_ID BIGINT NOT NULL
-);
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
-
-CREATE TABLE SENTRY_USER
-(
- USER_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- USER_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_USER ADD CONSTRAINT SENTRY_USER_PK PRIMARY KEY (USER_ID);
-
-CREATE UNIQUE INDEX SENTRYUSERNAME ON SENTRY_USER (USER_NAME);
-
-CREATE TABLE SENTRY_ROLE_USER_MAP
-(
- USER_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_PK PRIMARY KEY (USER_ID,ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_USER_MAP_N49 ON SENTRY_ROLE_USER_MAP (USER_ID);
-
-CREATE INDEX SENTRY_ROLE_USER_MAP_N50 ON SENTRY_ROLE_USER_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK1 FOREIGN KEY (USER_ID) REFERENCES SENTRY_USER (USER_ID) ;
-
[40/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
deleted file mode 100644
index b7ef0e9..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ /dev/null
@@ -1,2672 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.persistent;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Set;
-import java.util.UUID;
-import java.util.concurrent.locks.Condition;
-import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReentrantLock;
-
-import javax.jdo.FetchGroup;
-import javax.jdo.JDODataStoreException;
-import javax.jdo.JDOHelper;
-import javax.jdo.PersistenceManager;
-import javax.jdo.PersistenceManagerFactory;
-import javax.jdo.Query;
-import javax.jdo.Transaction;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
-import org.apache.sentry.core.common.exception.SentryInvalidInputException;
-import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
-import org.apache.sentry.provider.db.service.model.MSentryGroup;
-import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
-import org.apache.sentry.provider.db.service.model.MSentryRole;
-import org.apache.sentry.provider.db.service.model.MSentryUser;
-import org.apache.sentry.provider.db.service.model.MSentryVersion;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor;
-import org.apache.sentry.provider.db.service.thrift.TSentryActiveRoleSet;
-import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
-import org.apache.sentry.provider.db.service.thrift.TSentryMappingData;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilegeMap;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.datanucleus.store.rdbms.exceptions.MissingTableException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.codahale.metrics.Gauge;
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Function;
-import com.google.common.base.Joiner;
-import com.google.common.base.Preconditions;
-import com.google.common.base.Strings;
-import com.google.common.collect.Collections2;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-
-/**
- * SentryStore is the data access object for Sentry data. Strings
- * such as role and group names will be normalized to lowercase
- * in addition to starting and ending whitespace.
- */
-public class SentryStore {
- private static final UUID SERVER_UUID = UUID.randomUUID();
- private static final Logger LOGGER = LoggerFactory
- .getLogger(SentryStore.class);
-
- public static final String NULL_COL = "__NULL__";
- public static int INDEX_GROUP_ROLES_MAP = 0;
- public static int INDEX_USER_ROLES_MAP = 1;
- static final String DEFAULT_DATA_DIR = "sentry_policy_db";
-
- private static final Set<String> ALL_ACTIONS = Sets.newHashSet(AccessConstants.ALL,
- AccessConstants.SELECT, AccessConstants.INSERT, AccessConstants.ALTER,
- AccessConstants.CREATE, AccessConstants.DROP, AccessConstants.INDEX,
- AccessConstants.LOCK);
-
- // Now partial revoke just support action with SELECT,INSERT and ALL.
- // e.g. If we REVOKE SELECT from a privilege with action ALL, it will leads to INSERT
- // Otherwise, if we revoke other privilege(e.g. ALTER,DROP...), we will remove it from a role directly.
- private static final Set<String> PARTIAL_REVOKE_ACTIONS = Sets.newHashSet(AccessConstants.ALL,
- AccessConstants.ACTION_ALL.toLowerCase(), AccessConstants.SELECT, AccessConstants.INSERT);
-
- /**
- * Commit order sequence id. This is used by notification handlers
- * to know the order in which events where committed to the database.
- * This instance variable is incremented in incrementGetSequenceId
- * and read in commitUpdateTransaction. Synchronization on this
- * is required to read commitSequenceId.
- */
- private long commitSequenceId;
- private final PersistenceManagerFactory pmf;
- private Configuration conf;
- private PrivCleaner privCleaner = null;
- private Thread privCleanerThread = null;
-
- public SentryStore(Configuration conf) throws SentryNoSuchObjectException,
- SentryAccessDeniedException, SentrySiteConfigurationException, IOException {
- commitSequenceId = 0;
- this.conf = conf;
- Properties prop = new Properties();
- prop.putAll(ServerConfig.SENTRY_STORE_DEFAULTS);
- String jdbcUrl = conf.get(ServerConfig.SENTRY_STORE_JDBC_URL, "").trim();
- Preconditions.checkArgument(!jdbcUrl.isEmpty(), "Required parameter " +
- ServerConfig.SENTRY_STORE_JDBC_URL + " is missed");
- String user = conf.get(ServerConfig.SENTRY_STORE_JDBC_USER, ServerConfig.
- SENTRY_STORE_JDBC_USER_DEFAULT).trim();
- //Password will be read from Credential provider specified using property
- // CREDENTIAL_PROVIDER_PATH("hadoop.security.credential.provider.path" in sentry-site.xml
- // it falls back to reading directly from sentry-site.xml
- char[] passTmp = conf.getPassword(ServerConfig.SENTRY_STORE_JDBC_PASS);
- String pass = null;
- if(passTmp != null) {
- pass = new String(passTmp);
- } else {
- throw new SentrySiteConfigurationException("Error reading " + ServerConfig.SENTRY_STORE_JDBC_PASS);
- }
-
- String driverName = conf.get(ServerConfig.SENTRY_STORE_JDBC_DRIVER,
- ServerConfig.SENTRY_STORE_JDBC_DRIVER_DEFAULT);
- prop.setProperty(ServerConfig.JAVAX_JDO_URL, jdbcUrl);
- prop.setProperty(ServerConfig.JAVAX_JDO_USER, user);
- prop.setProperty(ServerConfig.JAVAX_JDO_PASS, pass);
- prop.setProperty(ServerConfig.JAVAX_JDO_DRIVER_NAME, driverName);
- for (Map.Entry<String, String> entry : conf) {
- String key = entry.getKey();
- if (key.startsWith(ServerConfig.SENTRY_JAVAX_JDO_PROPERTY_PREFIX) ||
- key.startsWith(ServerConfig.SENTRY_DATANUCLEUS_PROPERTY_PREFIX)) {
- key = StringUtils.removeStart(key, ServerConfig.SENTRY_DB_PROPERTY_PREFIX);
- prop.setProperty(key, entry.getValue());
- }
- }
-
-
- boolean checkSchemaVersion = conf.get(
- ServerConfig.SENTRY_VERIFY_SCHEM_VERSION,
- ServerConfig.SENTRY_VERIFY_SCHEM_VERSION_DEFAULT).equalsIgnoreCase(
- "true");
- if (!checkSchemaVersion) {
- prop.setProperty("datanucleus.schema.autoCreateAll", "true");
- prop.setProperty("datanucleus.autoCreateSchema", "true");
- prop.setProperty("datanucleus.fixedDatastore", "false");
- }
-
- // Disallow operations outside of transactions
- prop.setProperty("datanucleus.NontransactionalRead", "false");
- prop.setProperty("datanucleus.NontransactionalWrite", "false");
-
- pmf = JDOHelper.getPersistenceManagerFactory(prop);
- verifySentryStoreSchema(checkSchemaVersion);
-
- // Kick off the thread that cleans orphaned privileges (unless told not to)
- privCleaner = this.new PrivCleaner();
- if (conf.get(ServerConfig.SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL,
- ServerConfig.SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL_DEFAULT)
- .equalsIgnoreCase("true")) {
- privCleanerThread = new Thread(privCleaner);
- privCleanerThread.start();
- }
- }
-
- // ensure that the backend DB schema is set
- public void verifySentryStoreSchema(boolean checkVersion)
- throws SentryNoSuchObjectException, SentryAccessDeniedException {
- if (!checkVersion) {
- setSentryVersion(SentryStoreSchemaInfo.getSentryVersion(),
- "Schema version set implicitly");
- } else {
- String currentVersion = getSentryVersion();
- if (!SentryStoreSchemaInfo.getSentryVersion().equals(currentVersion)) {
- throw new SentryAccessDeniedException(
- "The Sentry store schema version " + currentVersion
- + " is different from distribution version "
- + SentryStoreSchemaInfo.getSentryVersion());
- }
- }
- }
-
- public synchronized void stop() {
- if (privCleanerThread != null) {
- privCleaner.exit();
- try {
- privCleanerThread.join();
- } catch (InterruptedException e) {
- // Ignore...
- }
- }
- if (pmf != null) {
- pmf.close();
- }
- }
-
- /**
- * PersistenceManager object and Transaction object have a one to one
- * correspondence. Each PersistenceManager object is associated with a
- * transaction object and vice versa. Hence we create a persistence manager
- * instance when we create a new transaction. We create a new transaction
- * for every store API since we want that unit of work to behave as a
- * transaction.
- *
- * Note that there's only one instance of PersistenceManagerFactory object
- * for the service.
- *
- * Synchronized because we obtain persistence manager
- */
- public synchronized PersistenceManager openTransaction() {
- PersistenceManager pm = pmf.getPersistenceManager();
- Transaction currentTransaction = pm.currentTransaction();
- currentTransaction.begin();
- return pm;
- }
-
- /**
- * Synchronized due to sequence id generation
- */
- public synchronized CommitContext commitUpdateTransaction(PersistenceManager pm) {
- commitTransaction(pm);
- return new CommitContext(SERVER_UUID, incrementGetSequenceId());
- }
-
- /**
- * Increments commitSequenceId which should not be modified outside
- * this method.
- *
- * @return sequence id
- */
- private synchronized long incrementGetSequenceId() {
- return ++commitSequenceId;
- }
-
- public void commitTransaction(PersistenceManager pm) {
- Transaction currentTransaction = pm.currentTransaction();
- try {
- Preconditions.checkState(currentTransaction.isActive(), "Transaction is not active");
- currentTransaction.commit();
- } finally {
- pm.close();
- }
- }
-
- public void rollbackTransaction(PersistenceManager pm) {
- if (pm == null || pm.isClosed()) {
- return;
- }
- Transaction currentTransaction = pm.currentTransaction();
- if (currentTransaction.isActive()) {
- try {
- currentTransaction.rollback();
- } finally {
- pm.close();
- }
- }
- }
- /**
- Get the MSentry object from roleName
- Note: Should be called inside a transaction
- */
- public MSentryRole getMSentryRole(PersistenceManager pm, String roleName) {
- Query query = pm.newQuery(MSentryRole.class);
- query.setFilter("this.roleName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- return (MSentryRole) query.execute(roleName);
- }
-
- /**
- * Normalize the string values
- */
- private String trimAndLower(String input) {
- return input.trim().toLowerCase();
- }
- /**
- * Create a sentry role and persist it.
- * @param roleName: Name of the role being persisted
- * @returns commit context used for notification handlers
- * @throws SentryAlreadyExistsException
- */
- public CommitContext createSentryRole(String roleName)
- throws SentryAlreadyExistsException {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- createSentryRoleCore(pm, roleName);
- CommitContext commit = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commit;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- private void createSentryRoleCore(PersistenceManager pm, String roleName)
- throws SentryAlreadyExistsException {
- String trimmedRoleName = trimAndLower(roleName);
- MSentryRole mSentryRole = getMSentryRole(pm, trimmedRoleName);
- if (mSentryRole == null) {
- MSentryRole mRole = new MSentryRole(trimmedRoleName, System.currentTimeMillis());
- pm.makePersistent(mRole);
- } else {
- throw new SentryAlreadyExistsException("Role: " + trimmedRoleName);
- }
- }
-
- private <T> Long getCount(Class<T> tClass) {
- PersistenceManager pm = null;
- Long size = Long.valueOf(-1);
- try {
- pm = openTransaction();
- Query query = pm.newQuery();
- query.setClass(tClass);
- query.setResult("count(this)");
- size = (Long)query.execute();
-
- } finally {
- if (pm != null) {
- commitTransaction(pm);
- }
- }
- return size;
- }
- public Gauge<Long> getRoleCountGauge() {
- return new Gauge< Long >() {
- @Override
- public Long getValue() {
- return getCount(MSentryRole.class);
- }
- };
- }
-
- public Gauge<Long> getPrivilegeCountGauge() {
- return new Gauge< Long >() {
- @Override
- public Long getValue() {
- return getCount(MSentryPrivilege.class);
- }
- };
- }
-
- public Gauge<Long> getGroupCountGauge() {
- return new Gauge< Long >() {
- @Override
- public Long getValue() {
- return getCount(MSentryGroup.class);
- }
- };
- }
-
- public Gauge<Long> getUserCountGauge() {
- return new Gauge<Long>() {
- @Override
- public Long getValue() {
- return getCount(MSentryUser.class);
- }
- };
- }
-
- /**
- * Lets the test code know how many privs are in the db, so that we know
- * if they are in fact being cleaned up when not being referenced any more.
- * @return The number of rows in the db priv table.
- */
- @VisibleForTesting
- long countMSentryPrivileges() {
- return getCount(MSentryPrivilege.class);
- }
-
- @VisibleForTesting
- void clearAllTables() {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- pm.newQuery(MSentryRole.class).deletePersistentAll();
- pm.newQuery(MSentryGroup.class).deletePersistentAll();
- pm.newQuery(MSentryUser.class).deletePersistentAll();
- pm.newQuery(MSentryPrivilege.class).deletePersistentAll();
- commitUpdateTransaction(pm);
- rollbackTransaction = false;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- public CommitContext alterSentryRoleGrantPrivilege(String grantorPrincipal,
- String roleName, TSentryPrivilege privilege)
- throws SentryUserException {
- return alterSentryRoleGrantPrivileges(grantorPrincipal,
- roleName, Sets.newHashSet(privilege));
- }
-
- public CommitContext alterSentryRoleGrantPrivileges(String grantorPrincipal,
- String roleName, Set<TSentryPrivilege> privileges)
- throws SentryUserException {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- String trimmedRoleName = trimAndLower(roleName);
- try {
- pm = openTransaction();
- for (TSentryPrivilege privilege : privileges) {
- // first do grant check
- grantOptionCheck(pm, grantorPrincipal, privilege);
-
- MSentryPrivilege mPrivilege = alterSentryRoleGrantPrivilegeCore(pm, trimmedRoleName, privilege);
-
- if (mPrivilege != null) {
- convertToTSentryPrivilege(mPrivilege, privilege);
- }
- }
- CommitContext commit = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commit;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- private MSentryPrivilege alterSentryRoleGrantPrivilegeCore(PersistenceManager pm,
- String roleName, TSentryPrivilege privilege)
- throws SentryNoSuchObjectException, SentryInvalidInputException {
- MSentryPrivilege mPrivilege = null;
- MSentryRole mRole = getMSentryRole(pm, roleName);
- if (mRole == null) {
- throw new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist");
- } else {
-
- if (!isNULL(privilege.getColumnName()) || !isNULL(privilege.getTableName())
- || !isNULL(privilege.getDbName())) {
- // If Grant is for ALL and Either INSERT/SELECT already exists..
- // need to remove it and GRANT ALL..
- if (AccessConstants.ALL.equalsIgnoreCase(privilege.getAction())
- || AccessConstants.ACTION_ALL.equalsIgnoreCase(privilege.getAction())) {
- TSentryPrivilege tNotAll = new TSentryPrivilege(privilege);
- tNotAll.setAction(AccessConstants.SELECT);
- MSentryPrivilege mSelect = getMSentryPrivilege(tNotAll, pm);
- tNotAll.setAction(AccessConstants.INSERT);
- MSentryPrivilege mInsert = getMSentryPrivilege(tNotAll, pm);
- if (mSelect != null && mRole.getPrivileges().contains(mSelect)) {
- mSelect.removeRole(mRole);
- privCleaner.incPrivRemoval();
- pm.makePersistent(mSelect);
- }
- if (mInsert != null && mRole.getPrivileges().contains(mInsert)) {
- mInsert.removeRole(mRole);
- privCleaner.incPrivRemoval();
- pm.makePersistent(mInsert);
- }
- } else {
- // If Grant is for Either INSERT/SELECT and ALL already exists..
- // do nothing..
- TSentryPrivilege tAll = new TSentryPrivilege(privilege);
- tAll.setAction(AccessConstants.ALL);
- MSentryPrivilege mAll1 = getMSentryPrivilege(tAll, pm);
- tAll.setAction(AccessConstants.ACTION_ALL);
- MSentryPrivilege mAll2 = getMSentryPrivilege(tAll, pm);
- if (mAll1 != null && mRole.getPrivileges().contains(mAll1)) {
- return null;
- }
- if (mAll2 != null && mRole.getPrivileges().contains(mAll2)) {
- return null;
- }
- }
- }
-
- mPrivilege = getMSentryPrivilege(privilege, pm);
- if (mPrivilege == null) {
- mPrivilege = convertToMSentryPrivilege(privilege);
- }
- mPrivilege.appendRole(mRole);
- pm.makePersistent(mRole);
- pm.makePersistent(mPrivilege);
- }
- return mPrivilege;
- }
-
- public CommitContext alterSentryRoleRevokePrivilege(String grantorPrincipal,
- String roleName, TSentryPrivilege tPrivilege) throws SentryUserException {
- return alterSentryRoleRevokePrivileges(grantorPrincipal,
- roleName, Sets.newHashSet(tPrivilege));
- }
-
- public CommitContext alterSentryRoleRevokePrivileges(String grantorPrincipal,
- String roleName, Set<TSentryPrivilege> tPrivileges) throws SentryUserException {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- String trimmedRoleName = safeTrimLower(roleName);
- try {
- pm = openTransaction();
- for (TSentryPrivilege tPrivilege : tPrivileges) {
- // first do revoke check
- grantOptionCheck(pm, grantorPrincipal, tPrivilege);
-
- alterSentryRoleRevokePrivilegeCore(pm, trimmedRoleName, tPrivilege);
- }
-
- CommitContext commit = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commit;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- private void alterSentryRoleRevokePrivilegeCore(PersistenceManager pm,
- String roleName, TSentryPrivilege tPrivilege)
- throws SentryNoSuchObjectException, SentryInvalidInputException {
- Query query = pm.newQuery(MSentryRole.class);
- query.setFilter("this.roleName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- MSentryRole mRole = (MSentryRole) query.execute(roleName);
- if (mRole == null) {
- throw new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist");
- } else {
- query = pm.newQuery(MSentryPrivilege.class);
- MSentryPrivilege mPrivilege = getMSentryPrivilege(tPrivilege, pm);
- if (mPrivilege == null) {
- mPrivilege = convertToMSentryPrivilege(tPrivilege);
- } else {
- mPrivilege = (MSentryPrivilege) pm.detachCopy(mPrivilege);
- }
-
- Set<MSentryPrivilege> privilegeGraph = Sets.newHashSet();
- if (mPrivilege.getGrantOption() != null) {
- privilegeGraph.add(mPrivilege);
- } else {
- MSentryPrivilege mTure = new MSentryPrivilege(mPrivilege);
- mTure.setGrantOption(true);
- privilegeGraph.add(mTure);
- MSentryPrivilege mFalse = new MSentryPrivilege(mPrivilege);
- mFalse.setGrantOption(false);
- privilegeGraph.add(mFalse);
- }
- // Get the privilege graph
- populateChildren(pm, Sets.newHashSet(roleName), mPrivilege, privilegeGraph);
- for (MSentryPrivilege childPriv : privilegeGraph) {
- revokePrivilegeFromRole(pm, tPrivilege, mRole, childPriv);
- }
- pm.makePersistent(mRole);
- }
- }
-
- /**
- * Roles can be granted ALL, SELECT, and INSERT on tables. When
- * a role has ALL and SELECT or INSERT are revoked, we need to remove the ALL
- * privilege and add SELECT (INSERT was revoked) or INSERT (SELECT was revoked).
- */
- private void revokePartial(PersistenceManager pm,
- TSentryPrivilege requestedPrivToRevoke, MSentryRole mRole,
- MSentryPrivilege currentPrivilege) throws SentryInvalidInputException {
- MSentryPrivilege persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm);
- if (persistedPriv == null) {
- persistedPriv = convertToMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege));
- }
-
- if (requestedPrivToRevoke.getAction().equalsIgnoreCase("ALL") || requestedPrivToRevoke.getAction().equalsIgnoreCase("*")) {
- persistedPriv.removeRole(mRole);
- privCleaner.incPrivRemoval();
- pm.makePersistent(persistedPriv);
- } else if (requestedPrivToRevoke.getAction().equalsIgnoreCase(AccessConstants.SELECT)
- && !currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.INSERT)) {
- revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, AccessConstants.INSERT);
- } else if (requestedPrivToRevoke.getAction().equalsIgnoreCase(AccessConstants.INSERT)
- && !currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.SELECT)) {
- revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, AccessConstants.SELECT);
- }
- }
-
- private void revokeRolePartial(PersistenceManager pm, MSentryRole mRole,
- MSentryPrivilege currentPrivilege, MSentryPrivilege persistedPriv, String addAction)
- throws SentryInvalidInputException {
- // If table / URI, remove ALL
- persistedPriv.removeRole(mRole);
- privCleaner.incPrivRemoval();
- pm.makePersistent(persistedPriv);
-
- currentPrivilege.setAction(AccessConstants.ALL);
- persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm);
- if (persistedPriv != null && mRole.getPrivileges().contains(persistedPriv)) {
- persistedPriv.removeRole(mRole);
- privCleaner.incPrivRemoval();
- pm.makePersistent(persistedPriv);
-
- currentPrivilege.setAction(addAction);
- persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm);
- if (persistedPriv == null) {
- persistedPriv = convertToMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege));
- mRole.appendPrivilege(persistedPriv);
- }
- persistedPriv.appendRole(mRole);
- pm.makePersistent(persistedPriv);
- }
- }
-
- /**
- * Revoke privilege from role
- */
- private void revokePrivilegeFromRole(PersistenceManager pm, TSentryPrivilege tPrivilege,
- MSentryRole mRole, MSentryPrivilege mPrivilege) throws SentryInvalidInputException {
- if (PARTIAL_REVOKE_ACTIONS.contains(mPrivilege.getAction())) {
- // if this privilege is in {ALL,SELECT,INSERT}
- // we will do partial revoke
- revokePartial(pm, tPrivilege, mRole, mPrivilege);
- } else {
- // if this privilege is not ALL, SELECT nor INSERT,
- // we will revoke it from role directly
- MSentryPrivilege persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(mPrivilege), pm);
- if (persistedPriv != null) {
- mPrivilege.removeRole(mRole);
- privCleaner.incPrivRemoval();
- pm.makePersistent(mPrivilege);
- }
- }
- }
-
- /**
- * Explore Privilege graph and collect child privileges.
- * The responsibility to commit/rollback the transaction should be handled by the caller.
- */
- private void populateChildren(PersistenceManager pm, Set<String> roleNames, MSentryPrivilege priv,
- Set<MSentryPrivilege> children) throws SentryInvalidInputException {
- Preconditions.checkNotNull(pm);
- if (!isNULL(priv.getServerName()) || !isNULL(priv.getDbName())
- || !isNULL(priv.getTableName())) {
- // Get all TableLevel Privs
- Set<MSentryPrivilege> childPrivs = getChildPrivileges(pm, roleNames, priv);
- for (MSentryPrivilege childPriv : childPrivs) {
- // Only recurse for table level privs..
- if (!isNULL(childPriv.getDbName()) && !isNULL(childPriv.getTableName())
- && !isNULL(childPriv.getColumnName())) {
- populateChildren(pm, roleNames, childPriv, children);
- }
- // The method getChildPrivileges() didn't do filter on "action",
- // if the action is not "All", it should judge the action of children privilege.
- // For example: a user has a privilege \u201cAll on Col1\u201d,
- // if the operation is \u201cREVOKE INSERT on table\u201d
- // the privilege should be the child of table level privilege.
- // but the privilege may still have other meaning, likes "SELECT on Col1".
- // and the privileges like "SELECT on Col1" should not be revoke.
- if (!priv.isActionALL()) {
- if (childPriv.isActionALL()) {
- // If the child privilege is All, we should convert it to the same
- // privilege with parent
- childPriv.setAction(priv.getAction());
- }
- // Only include privilege that imply the parent privilege.
- if (!priv.implies(childPriv)) {
- continue;
- }
- }
- children.add(childPriv);
- }
- }
- }
-
- private Set<MSentryPrivilege> getChildPrivileges(PersistenceManager pm, Set<String> roleNames,
- MSentryPrivilege parent) throws SentryInvalidInputException {
- // Column and URI do not have children
- if (!isNULL(parent.getColumnName()) || !isNULL(parent.getURI())) {
- return new HashSet<MSentryPrivilege>();
- }
-
- Query query = pm.newQuery(MSentryPrivilege.class);
- query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
- List<String> rolesFiler = new LinkedList<String>();
- for (String rName : roleNames) {
- rolesFiler.add("role.roleName == \"" + trimAndLower(rName) + "\"");
- }
- StringBuilder filters = new StringBuilder("roles.contains(role) "
- + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
- filters.append(" && serverName == \"" + parent.getServerName() + "\"");
- if (!isNULL(parent.getDbName())) {
- filters.append(" && dbName == \"" + parent.getDbName() + "\"");
- if (!isNULL(parent.getTableName())) {
- filters.append(" && tableName == \"" + parent.getTableName() + "\"");
- filters.append(" && columnName != \"__NULL__\"");
- } else {
- filters.append(" && tableName != \"__NULL__\"");
- }
- } else {
- filters.append(" && (dbName != \"__NULL__\" || URI != \"__NULL__\")");
- }
-
- query.setFilter(filters.toString());
- query.setResult("privilegeScope, serverName, dbName, tableName, columnName," +
- " URI, action, grantOption");
- Set<MSentryPrivilege> privileges = new HashSet<MSentryPrivilege>();
- for (Object[] privObj : (List<Object[]>) query.execute()) {
- MSentryPrivilege priv = new MSentryPrivilege();
- priv.setPrivilegeScope((String) privObj[0]);
- priv.setServerName((String) privObj[1]);
- priv.setDbName((String) privObj[2]);
- priv.setTableName((String) privObj[3]);
- priv.setColumnName((String) privObj[4]);
- priv.setURI((String) privObj[5]);
- priv.setAction((String) privObj[6]);
- priv.setGrantOption((Boolean) privObj[7]);
- privileges.add(priv);
- }
- return privileges;
- }
-
- private List<MSentryPrivilege> getMSentryPrivileges(TSentryPrivilege tPriv, PersistenceManager pm) {
- Query query = pm.newQuery(MSentryPrivilege.class);
- StringBuilder filters = new StringBuilder("this.serverName == \""
- + toNULLCol(safeTrimLower(tPriv.getServerName())) + "\" ");
- if (!isNULL(tPriv.getDbName())) {
- filters.append("&& this.dbName == \"" + toNULLCol(safeTrimLower(tPriv.getDbName())) + "\" ");
- if (!isNULL(tPriv.getTableName())) {
- filters.append("&& this.tableName == \"" + toNULLCol(safeTrimLower(tPriv.getTableName())) + "\" ");
- if (!isNULL(tPriv.getColumnName())) {
- filters.append("&& this.columnName == \"" + toNULLCol(safeTrimLower(tPriv.getColumnName())) + "\" ");
- }
- }
- }
- // if db is null, uri is not null
- else if (!isNULL(tPriv.getURI())){
- filters.append("&& this.URI == \"" + toNULLCol(safeTrim(tPriv.getURI())) + "\" ");
- }
- filters.append("&& this.action == \"" + toNULLCol(safeTrimLower(tPriv.getAction())) + "\"");
-
- query.setFilter(filters.toString());
- return (List<MSentryPrivilege>) query.execute();
- }
-
- private MSentryPrivilege getMSentryPrivilege(TSentryPrivilege tPriv, PersistenceManager pm) {
- Query query = pm.newQuery(MSentryPrivilege.class);
- query.setFilter("this.serverName == \"" + toNULLCol(safeTrimLower(tPriv.getServerName())) + "\" "
- + "&& this.dbName == \"" + toNULLCol(safeTrimLower(tPriv.getDbName())) + "\" "
- + "&& this.tableName == \"" + toNULLCol(safeTrimLower(tPriv.getTableName())) + "\" "
- + "&& this.columnName == \"" + toNULLCol(safeTrimLower(tPriv.getColumnName())) + "\" "
- + "&& this.URI == \"" + toNULLCol(safeTrim(tPriv.getURI())) + "\" "
- + "&& this.grantOption == grantOption "
- + "&& this.action == \"" + toNULLCol(safeTrimLower(tPriv.getAction())) + "\"");
- query.declareParameters("Boolean grantOption");
- query.setUnique(true);
- Boolean grantOption = null;
- if (tPriv.getGrantOption().equals(TSentryGrantOption.TRUE)) {
- grantOption = true;
- } else if (tPriv.getGrantOption().equals(TSentryGrantOption.FALSE)) {
- grantOption = false;
- }
- Object obj = query.execute(grantOption);
- if (obj != null) {
- return (MSentryPrivilege) obj;
- }
- return null;
- }
-
- public CommitContext dropSentryRole(String roleName)
- throws SentryNoSuchObjectException {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- dropSentryRoleCore(pm, roleName);
- CommitContext commit = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commit;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- private void dropSentryRoleCore(PersistenceManager pm, String roleName)
- throws SentryNoSuchObjectException {
- String lRoleName = trimAndLower(roleName);
- Query query = pm.newQuery(MSentryRole.class);
- query.setFilter("this.roleName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- MSentryRole sentryRole = (MSentryRole) query.execute(lRoleName);
- if (sentryRole == null) {
- throw new SentryNoSuchObjectException("Role: " + lRoleName + " doesn't exist");
- } else {
- pm.retrieve(sentryRole);
- int numPrivs = sentryRole.getPrivileges().size();
- sentryRole.removePrivileges();
- // with SENTRY-398 generic model
- sentryRole.removeGMPrivileges();
- privCleaner.incPrivRemoval(numPrivs);
- pm.deletePersistent(sentryRole);
- }
- }
-
- public CommitContext alterSentryRoleAddGroups(String grantorPrincipal, String roleName,
- Set<TSentryGroup> groupNames)
- throws SentryNoSuchObjectException {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- alterSentryRoleAddGroupsCore(pm, roleName, groupNames);
- CommitContext commit = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commit;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- private void alterSentryRoleAddGroupsCore(PersistenceManager pm, String roleName,
- Set<TSentryGroup> groupNames) throws SentryNoSuchObjectException {
- String lRoleName = trimAndLower(roleName);
- Query query = pm.newQuery(MSentryRole.class);
- query.setFilter("this.roleName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- MSentryRole role = (MSentryRole) query.execute(lRoleName);
- if (role == null) {
- throw new SentryNoSuchObjectException("Role: " + lRoleName + " doesn't exist");
- } else {
- query = pm.newQuery(MSentryGroup.class);
- query.setFilter("this.groupName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- List<MSentryGroup> groups = Lists.newArrayList();
- for (TSentryGroup tGroup : groupNames) {
- String groupName = tGroup.getGroupName().trim();
- MSentryGroup group = (MSentryGroup) query.execute(groupName);
- if (group == null) {
- group = new MSentryGroup(groupName, System.currentTimeMillis(), Sets.newHashSet(role));
- }
- group.appendRole(role);
- groups.add(group);
- }
- pm.makePersistentAll(groups);
- }
- }
-
- public CommitContext alterSentryRoleAddUsers(String roleName,
- Set<String> userNames) throws SentryNoSuchObjectException {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- alterSentryRoleAddUsersCore(pm, roleName, userNames);
- CommitContext commit = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commit;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- private void alterSentryRoleAddUsersCore(PersistenceManager pm, String roleName,
- Set<String> userNames) throws SentryNoSuchObjectException {
- String trimmedRoleName = trimAndLower(roleName);
- MSentryRole role = getMSentryRole(pm, trimmedRoleName);
- if (role == null) {
- throw new SentryNoSuchObjectException("Role: " + trimmedRoleName);
- } else {
- Query query = pm.newQuery(MSentryUser.class);
- query.setFilter("this.userName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- List<MSentryUser> users = Lists.newArrayList();
- for (String userName : userNames) {
- userName = userName.trim();
- MSentryUser user = (MSentryUser) query.execute(userName);
- if (user == null) {
- user = new MSentryUser(userName, System.currentTimeMillis(), Sets.newHashSet(role));
- }
- user.appendRole(role);
- users.add(user);
- }
- pm.makePersistentAll(users);
- }
- }
-
- public CommitContext alterSentryRoleDeleteUsers(String roleName, Set<String> userNames)
- throws SentryNoSuchObjectException {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- String trimmedRoleName = trimAndLower(roleName);
- try {
- pm = openTransaction();
- MSentryRole role = getMSentryRole(pm, trimmedRoleName);
- if (role == null) {
- throw new SentryNoSuchObjectException("Role: " + trimmedRoleName);
- } else {
- Query query = pm.newQuery(MSentryUser.class);
- query.setFilter("this.userName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- List<MSentryUser> users = Lists.newArrayList();
- for (String userName : userNames) {
- userName = userName.trim();
- MSentryUser user = (MSentryUser) query.execute(userName);
- if (user != null) {
- user.removeRole(role);
- users.add(user);
- }
- }
- pm.makePersistentAll(users);
- CommitContext commit = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commit;
- }
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- public CommitContext alterSentryRoleDeleteGroups(String roleName,
- Set<TSentryGroup> groupNames)
- throws SentryNoSuchObjectException {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- String trimmedRoleName = trimAndLower(roleName);
- try {
- pm = openTransaction();
- Query query = pm.newQuery(MSentryRole.class);
- query.setFilter("this.roleName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- MSentryRole role = (MSentryRole) query.execute(trimmedRoleName);
- if (role == null) {
- throw new SentryNoSuchObjectException("Role: " + trimmedRoleName + " doesn't exist");
- } else {
- query = pm.newQuery(MSentryGroup.class);
- query.setFilter("this.groupName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- List<MSentryGroup> groups = Lists.newArrayList();
- for (TSentryGroup tGroup : groupNames) {
- String groupName = tGroup.getGroupName().trim();
- MSentryGroup group = (MSentryGroup) query.execute(groupName);
- if (group != null) {
- group.removeRole(role);
- groups.add(group);
- }
- }
- pm.makePersistentAll(groups);
- CommitContext commit = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commit;
- }
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- @VisibleForTesting
- MSentryRole getMSentryRoleByName(String roleName)
- throws SentryNoSuchObjectException {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- String trimmedRoleName = trimAndLower(roleName);
- try {
- pm = openTransaction();
- Query query = pm.newQuery(MSentryRole.class);
- query.setFilter("this.roleName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- MSentryRole sentryRole = (MSentryRole) query.execute(trimmedRoleName);
- if (sentryRole == null) {
- throw new SentryNoSuchObjectException("Role: " + trimmedRoleName + " doesn't exist");
- } else {
- pm.retrieve(sentryRole);
- }
- rollbackTransaction = false;
- commitTransaction(pm);
- return sentryRole;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- private boolean hasAnyServerPrivileges(Set<String> roleNames, String serverName) {
- if (roleNames == null || roleNames.isEmpty()) {
- return false;
- }
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- Query query = pm.newQuery(MSentryPrivilege.class);
- query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
- List<String> rolesFiler = new LinkedList<String>();
- for (String rName : roleNames) {
- rolesFiler.add("role.roleName == \"" + trimAndLower(rName) + "\"");
- }
- StringBuilder filters = new StringBuilder("roles.contains(role) "
- + "&& (" + Joiner.on(" || ").join(rolesFiler) + ") ");
- filters.append("&& serverName == \"" + trimAndLower(serverName) + "\"");
- query.setFilter(filters.toString());
- query.setResult("count(this)");
-
- Long numPrivs = (Long) query.execute();
- rollbackTransaction = false;
- commitTransaction(pm);
- return numPrivs > 0;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- List<MSentryPrivilege> getMSentryPrivileges(Set<String> roleNames, TSentryAuthorizable authHierarchy) {
- if (roleNames == null || roleNames.isEmpty()) {
- return new ArrayList<MSentryPrivilege>();
- }
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- Query query = pm.newQuery(MSentryPrivilege.class);
- query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
- List<String> rolesFiler = new LinkedList<String>();
- for (String rName : roleNames) {
- rolesFiler.add("role.roleName == \"" + trimAndLower(rName) + "\"");
- }
- StringBuilder filters = new StringBuilder("roles.contains(role) "
- + "&& (" + Joiner.on(" || ").join(rolesFiler) + ") ");
- if (authHierarchy != null && authHierarchy.getServer() != null) {
- filters.append("&& serverName == \"" + authHierarchy.getServer().toLowerCase() + "\"");
- if (authHierarchy.getDb() != null) {
- filters.append(" && ((dbName == \"" + authHierarchy.getDb().toLowerCase() + "\") || (dbName == \"__NULL__\")) && (URI == \"__NULL__\")");
- if (authHierarchy.getTable() != null
- && !AccessConstants.ALL.equalsIgnoreCase(authHierarchy.getTable())) {
- if (!AccessConstants.SOME.equalsIgnoreCase(authHierarchy.getTable())) {
- filters.append(" && ((tableName == \"" + authHierarchy.getTable().toLowerCase() + "\") || (tableName == \"__NULL__\")) && (URI == \"__NULL__\")");
- }
- if (authHierarchy.getColumn() != null
- && !AccessConstants.ALL.equalsIgnoreCase(authHierarchy.getColumn())
- && !AccessConstants.SOME.equalsIgnoreCase(authHierarchy.getColumn())) {
- filters.append(" && ((columnName == \"" + authHierarchy.getColumn().toLowerCase() + "\") || (columnName == \"__NULL__\")) && (URI == \"__NULL__\")");
- }
- }
- }
- if (authHierarchy.getUri() != null) {
- filters.append(" && ((URI != \"__NULL__\") && (\"" + authHierarchy.getUri() + "\".startsWith(URI)) || (URI == \"__NULL__\")) && (dbName == \"__NULL__\")");
- }
- }
- query.setFilter(filters.toString());
- List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query.execute();
- rollbackTransaction = false;
- commitTransaction(pm);
- return privileges;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- List<MSentryPrivilege> getMSentryPrivilegesByAuth(Set<String> roleNames, TSentryAuthorizable authHierarchy) {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- Query query = pm.newQuery(MSentryPrivilege.class);
- StringBuilder filters = new StringBuilder();
- if (roleNames == null || roleNames.isEmpty()) {
- filters.append(" !roles.isEmpty() ");
- } else {
- query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
- List<String> rolesFiler = new LinkedList<String>();
- for (String rName : roleNames) {
- rolesFiler.add("role.roleName == \"" + trimAndLower(rName) + "\"");
- }
- filters.append("roles.contains(role) "
- + "&& (" + Joiner.on(" || ").join(rolesFiler) + ") ");
- }
- if (authHierarchy.getServer() != null) {
- filters.append("&& serverName == \"" +
- authHierarchy.getServer().toLowerCase() + "\"");
- if (authHierarchy.getDb() != null) {
- filters.append(" && (dbName == \"" +
- authHierarchy.getDb().toLowerCase() + "\") && (URI == \"__NULL__\")");
- if (authHierarchy.getTable() != null) {
- filters.append(" && (tableName == \"" +
- authHierarchy.getTable().toLowerCase() + "\")");
- } else {
- filters.append(" && (tableName == \"__NULL__\")");
- }
- } else if (authHierarchy.getUri() != null) {
- filters.append(" && (URI != \"__NULL__\") && (\"" + authHierarchy.getUri() +
- "\".startsWith(URI)) && (dbName == \"__NULL__\")");
- } else {
- filters.append(" && (dbName == \"__NULL__\") && (URI == \"__NULL__\")");
- }
- } else {
- // if no server, then return empty resultset
- return new ArrayList<MSentryPrivilege>();
- }
- FetchGroup grp = pm.getFetchGroup(MSentryPrivilege.class, "fetchRole");
- grp.addMember("roles");
- pm.getFetchPlan().addGroup("fetchRole");
- query.setFilter(filters.toString());
- List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query.execute();
- rollbackTransaction = false;
- commitTransaction(pm);
- return privileges;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- public TSentryPrivilegeMap listSentryPrivilegesByAuthorizable(Set<String> groups,
- TSentryActiveRoleSet activeRoles,
- TSentryAuthorizable authHierarchy, boolean isAdmin)
- throws SentryInvalidInputException {
- Map<String, Set<TSentryPrivilege>> resultPrivilegeMap = Maps.newTreeMap();
- Set<String> roles = getRolesToQuery(groups, null, new TSentryActiveRoleSet(true, null));
-
- if (activeRoles != null && !activeRoles.isAll()) {
- // need to check/convert to lowercase here since this is from user input
- for (String aRole : activeRoles.getRoles()) {
- roles.add(aRole.toLowerCase());
- }
- }
-
- // An empty 'roles' is a treated as a wildcard (in case of admin role)..
- // so if not admin, don't return anything if 'roles' is empty..
- if (isAdmin || !roles.isEmpty()) {
- List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivilegesByAuth(roles,
- authHierarchy);
- for (MSentryPrivilege priv : mSentryPrivileges) {
- for (MSentryRole role : priv.getRoles()) {
- TSentryPrivilege tPriv = convertToTSentryPrivilege(priv);
- if (resultPrivilegeMap.containsKey(role.getRoleName())) {
- resultPrivilegeMap.get(role.getRoleName()).add(tPriv);
- } else {
- Set<TSentryPrivilege> tPrivSet = Sets.newTreeSet();
- tPrivSet.add(tPriv);
- resultPrivilegeMap.put(role.getRoleName(), tPrivSet);
- }
- }
- }
- }
- return new TSentryPrivilegeMap(resultPrivilegeMap);
- }
-
- private Set<MSentryPrivilege> getMSentryPrivilegesByRoleName(String roleName)
- throws SentryNoSuchObjectException {
- MSentryRole mSentryRole = getMSentryRoleByName(roleName);
- return mSentryRole.getPrivileges();
- }
-
- /**
- * Gets sentry privilege objects for a given roleName from the persistence layer
- * @param roleName : roleName to look up
- * @return : Set of thrift sentry privilege objects
- * @throws SentryNoSuchObjectException
- */
-
- public Set<TSentryPrivilege> getAllTSentryPrivilegesByRoleName(String roleName)
- throws SentryNoSuchObjectException {
- return convertToTSentryPrivileges(getMSentryPrivilegesByRoleName(roleName));
- }
-
-
- /**
- * Gets sentry privilege objects for criteria from the persistence layer
- * @param roleNames : roleNames to look up (required)
- * @param authHierarchy : filter push down based on auth hierarchy (optional)
- * @return : Set of thrift sentry privilege objects
- * @throws SentryNoSuchObjectException
- */
-
- public Set<TSentryPrivilege> getTSentryPrivileges(Set<String> roleNames, TSentryAuthorizable authHierarchy) throws SentryInvalidInputException {
- if (authHierarchy.getServer() == null) {
- throw new SentryInvalidInputException("serverName cannot be null !!");
- }
- if (authHierarchy.getTable() != null && authHierarchy.getDb() == null) {
- throw new SentryInvalidInputException("dbName cannot be null when tableName is present !!");
- }
- if (authHierarchy.getColumn() != null && authHierarchy.getTable() == null) {
- throw new SentryInvalidInputException("tableName cannot be null when columnName is present !!");
- }
- if (authHierarchy.getUri() == null && authHierarchy.getDb() == null) {
- throw new SentryInvalidInputException("One of uri or dbName must not be null !!");
- }
- return convertToTSentryPrivileges(getMSentryPrivileges(roleNames, authHierarchy));
- }
-
-
- private Set<MSentryRole> getMSentryRolesByGroupName(String groupName)
- throws SentryNoSuchObjectException {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- Set<MSentryRole> roles;
- pm = openTransaction();
-
- //If no group name was specified, return all roles
- if (groupName == null) {
- Query query = pm.newQuery(MSentryRole.class);
- roles = new HashSet<MSentryRole>((List<MSentryRole>)query.execute());
- } else {
- Query query = pm.newQuery(MSentryGroup.class);
- MSentryGroup sentryGroup;
- String trimmedGroupName = groupName.trim();
- query.setFilter("this.groupName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- sentryGroup = (MSentryGroup) query.execute(trimmedGroupName);
- if (sentryGroup == null) {
- throw new SentryNoSuchObjectException("Group: " + trimmedGroupName + " doesn't exist");
- } else {
- pm.retrieve(sentryGroup);
- }
- roles = sentryGroup.getRoles();
- }
- for ( MSentryRole role: roles) {
- pm.retrieve(role);
- }
- commitTransaction(pm);
- rollbackTransaction = false;
- return roles;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- /**
- * Gets sentry role objects for a given groupName from the persistence layer
- * @param groupName : groupName to look up ( if null returns all roles for all groups)
- * @return : Set of thrift sentry role objects
- * @throws SentryNoSuchObjectException
- */
- public Set<TSentryRole> getTSentryRolesByGroupName(Set<String> groupNames,
- boolean checkAllGroups) throws SentryNoSuchObjectException {
- Set<MSentryRole> roleSet = Sets.newHashSet();
- for (String groupName : groupNames) {
- try {
- roleSet.addAll(getMSentryRolesByGroupName(groupName));
- } catch (SentryNoSuchObjectException e) {
- // if we are checking for all the given groups, then continue searching
- if (!checkAllGroups) {
- throw e;
- }
- }
- }
- return convertToTSentryRoles(roleSet);
- }
-
- public Set<String> getRoleNamesForGroups(Set<String> groups) {
- if (groups == null || groups.isEmpty()) {
- return ImmutableSet.of();
- }
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- Set<String> result = getRoleNamesForGroupsCore(pm, groups);
- rollbackTransaction = false;
- commitTransaction(pm);
- return result;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- private Set<String> getRoleNamesForGroupsCore(PersistenceManager pm, Set<String> groups) {
- return convertToRoleNameSet(getRolesForGroups(pm, groups));
- }
-
- public Set<String> getRoleNamesForUsers(Set<String> users) {
- if (users == null || users.isEmpty()) {
- return ImmutableSet.of();
- }
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- Set<String> result = getRoleNamesForUsersCore(pm,users);
- rollbackTransaction = false;
- commitTransaction(pm);
- return result;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- private Set<String> getRoleNamesForUsersCore(PersistenceManager pm, Set<String> users) {
- return convertToRoleNameSet(getRolesForUsers(pm, users));
- }
-
- public Set<TSentryRole> getTSentryRolesByUserNames(Set<String> users) {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- Set<MSentryRole> mSentryRoles = getRolesForUsers(pm, users);
- // Since {@link MSentryRole#getGroups()} is lazy-loading, the converting should be call
- // before transaction committed.
- Set<TSentryRole> result = convertToTSentryRoles(mSentryRoles);
- rollbackTransaction = false;
- commitTransaction(pm);
- return result;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- public Set<MSentryRole> getRolesForGroups(PersistenceManager pm, Set<String> groups) {
- Set<MSentryRole> result = Sets.newHashSet();
- if (groups != null) {
- Query query = pm.newQuery(MSentryGroup.class);
- query.setFilter("this.groupName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- for (String group : groups) {
- MSentryGroup sentryGroup = (MSentryGroup) query.execute(group.trim());
- if (sentryGroup != null) {
- result.addAll(sentryGroup.getRoles());
- }
- }
- }
- return result;
- }
-
- public Set<MSentryRole> getRolesForUsers(PersistenceManager pm, Set<String> users) {
- Set<MSentryRole> result = Sets.newHashSet();
- if (users != null) {
- Query query = pm.newQuery(MSentryUser.class);
- query.setFilter("this.userName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- for (String user : users) {
- MSentryUser sentryUser = (MSentryUser) query.execute(user.trim());
- if (sentryUser != null) {
- result.addAll(sentryUser.getRoles());
- }
- }
- }
- return result;
- }
-
- public Set<String> listAllSentryPrivilegesForProvider(Set<String> groups, Set<String> users,
- TSentryActiveRoleSet roleSet) throws SentryInvalidInputException {
- return listSentryPrivilegesForProvider(groups, users, roleSet, null);
- }
-
-
- public Set<String> listSentryPrivilegesForProvider(Set<String> groups, Set<String> users,
- TSentryActiveRoleSet roleSet, TSentryAuthorizable authHierarchy) throws SentryInvalidInputException {
- Set<String> result = Sets.newHashSet();
- Set<String> rolesToQuery = getRolesToQuery(groups, users, roleSet);
- List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivileges(rolesToQuery, authHierarchy);
- for (MSentryPrivilege priv : mSentryPrivileges) {
- result.add(toAuthorizable(priv));
- }
-
- return result;
- }
-
- public boolean hasAnyServerPrivileges(Set<String> groups, Set<String> users,
- TSentryActiveRoleSet roleSet, String server) {
- Set<String> rolesToQuery = getRolesToQuery(groups, users, roleSet);
- return hasAnyServerPrivileges(rolesToQuery, server);
- }
-
- private Set<String> getRolesToQuery(Set<String> groups, Set<String> users,
- TSentryActiveRoleSet roleSet) {
- Set<String> activeRoleNames = toTrimedLower(roleSet.getRoles());
-
- Set<String> roleNames = Sets.newHashSet();
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- roleNames.addAll(toTrimedLower(getRoleNamesForGroupsCore(pm, groups)));
- roleNames.addAll(toTrimedLower(getRoleNamesForUsersCore(pm, users)));
- rollbackTransaction = false;
- commitTransaction(pm);
- return roleSet.isAll() ? roleNames : Sets.intersection(activeRoleNames,
- roleNames);
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- @VisibleForTesting
- static String toAuthorizable(MSentryPrivilege privilege) {
- List<String> authorizable = new ArrayList<String>(4);
- authorizable.add(KV_JOINER.join(AuthorizableType.Server.name().toLowerCase(),
- privilege.getServerName()));
- if (isNULL(privilege.getURI())) {
- if (!isNULL(privilege.getDbName())) {
- authorizable.add(KV_JOINER.join(AuthorizableType.Db.name().toLowerCase(),
- privilege.getDbName()));
- if (!isNULL(privilege.getTableName())) {
- authorizable.add(KV_JOINER.join(AuthorizableType.Table.name().toLowerCase(),
- privilege.getTableName()));
- if (!isNULL(privilege.getColumnName())) {
- authorizable.add(KV_JOINER.join(AuthorizableType.Column.name().toLowerCase(),
- privilege.getColumnName()));
- }
- }
- }
- } else {
- authorizable.add(KV_JOINER.join(AuthorizableType.URI.name().toLowerCase(),
- privilege.getURI()));
- }
- if (!isNULL(privilege.getAction())
- && !privilege.getAction().equalsIgnoreCase(AccessConstants.ALL)) {
- authorizable
- .add(KV_JOINER.join(SentryConstants.PRIVILEGE_NAME.toLowerCase(),
- privilege.getAction()));
- }
- return AUTHORIZABLE_JOINER.join(authorizable);
- }
-
- @VisibleForTesting
- static Set<String> toTrimedLower(Set<String> s) {
- if (null == s) {
- return new HashSet<String>();
- }
- Set<String> result = Sets.newHashSet();
- for (String v : s) {
- result.add(v.trim().toLowerCase());
- }
- return result;
- }
-
-
- /**
- * Converts model object(s) to thrift object(s).
- * Additionally does normalization
- * such as trimming whitespace and setting appropriate case. Also sets the create
- * time.
- */
-
- private Set<TSentryPrivilege> convertToTSentryPrivileges(Collection<MSentryPrivilege> mSentryPrivileges) {
- Set<TSentryPrivilege> privileges = new HashSet<TSentryPrivilege>();
- for(MSentryPrivilege mSentryPrivilege:mSentryPrivileges) {
- privileges.add(convertToTSentryPrivilege(mSentryPrivilege));
- }
- return privileges;
- }
-
- private Set<TSentryRole> convertToTSentryRoles(Set<MSentryRole> mSentryRoles) {
- Set<TSentryRole> roles = new HashSet<TSentryRole>();
- for(MSentryRole mSentryRole:mSentryRoles) {
- roles.add(convertToTSentryRole(mSentryRole));
- }
- return roles;
- }
-
- private Set<String> convertToRoleNameSet(Set<MSentryRole> mSentryRoles) {
- Set<String> roleNameSet = Sets.newHashSet();
- for (MSentryRole role : mSentryRoles) {
- roleNameSet.add(role.getRoleName());
- }
- return roleNameSet;
- }
-
- private TSentryRole convertToTSentryRole(MSentryRole mSentryRole) {
- TSentryRole role = new TSentryRole();
- role.setRoleName(mSentryRole.getRoleName());
- role.setGrantorPrincipal("--");
- Set<TSentryGroup> sentryGroups = new HashSet<TSentryGroup>();
- for(MSentryGroup mSentryGroup:mSentryRole.getGroups()) {
- TSentryGroup group = convertToTSentryGroup(mSentryGroup);
- sentryGroups.add(group);
- }
-
- role.setGroups(sentryGroups);
- return role;
- }
-
- private TSentryGroup convertToTSentryGroup(MSentryGroup mSentryGroup) {
- TSentryGroup group = new TSentryGroup();
- group.setGroupName(mSentryGroup.getGroupName());
- return group;
- }
-
- protected TSentryPrivilege convertToTSentryPrivilege(MSentryPrivilege mSentryPrivilege) {
- TSentryPrivilege privilege = new TSentryPrivilege();
- convertToTSentryPrivilege(mSentryPrivilege, privilege);
- return privilege;
- }
-
- private void convertToTSentryPrivilege(MSentryPrivilege mSentryPrivilege,
- TSentryPrivilege privilege) {
- privilege.setCreateTime(mSentryPrivilege.getCreateTime());
- privilege.setAction(fromNULLCol(mSentryPrivilege.getAction()));
- privilege.setPrivilegeScope(mSentryPrivilege.getPrivilegeScope());
- privilege.setServerName(fromNULLCol(mSentryPrivilege.getServerName()));
- privilege.setDbName(fromNULLCol(mSentryPrivilege.getDbName()));
- privilege.setTableName(fromNULLCol(mSentryPrivilege.getTableName()));
- privilege.setColumnName(fromNULLCol(mSentryPrivilege.getColumnName()));
- privilege.setURI(fromNULLCol(mSentryPrivilege.getURI()));
- if (mSentryPrivilege.getGrantOption() != null) {
- privilege.setGrantOption(TSentryGrantOption.valueOf(mSentryPrivilege.getGrantOption().toString().toUpperCase()));
- } else {
- privilege.setGrantOption(TSentryGrantOption.UNSET);
- }
- }
-
- /**
- * Converts thrift object to model object. Additionally does normalization
- * such as trimming whitespace and setting appropriate case.
- * @throws SentryInvalidInputException
- */
- private MSentryPrivilege convertToMSentryPrivilege(TSentryPrivilege privilege)
- throws SentryInvalidInputException {
- MSentryPrivilege mSentryPrivilege = new MSentryPrivilege();
- mSentryPrivilege.setServerName(toNULLCol(safeTrimLower(privilege.getServerName())));
- mSentryPrivilege.setDbName(toNULLCol(safeTrimLower(privilege.getDbName())));
- mSentryPrivilege.setTableName(toNULLCol(safeTrimLower(privilege.getTableName())));
- mSentryPrivilege.setColumnName(toNULLCol(safeTrimLower(privilege.getColumnName())));
- mSentryPrivilege.setPrivilegeScope(safeTrim(privilege.getPrivilegeScope()));
- mSentryPrivilege.setAction(toNULLCol(safeTrimLower(privilege.getAction())));
- mSentryPrivilege.setCreateTime(System.currentTimeMillis());
- mSentryPrivilege.setURI(toNULLCol(safeTrim(privilege.getURI())));
- if ( !privilege.getGrantOption().equals(TSentryGrantOption.UNSET) ) {
- mSentryPrivilege.setGrantOption(Boolean.valueOf(privilege.getGrantOption().toString()));
- } else {
- mSentryPrivilege.setGrantOption(null);
- }
- return mSentryPrivilege;
- }
- private static String safeTrim(String s) {
- if (s == null) {
- return null;
- }
- return s.trim();
- }
- private static String safeTrimLower(String s) {
- if (s == null) {
- return null;
- }
- return s.trim().toLowerCase();
- }
-
- public String getSentryVersion() throws SentryNoSuchObjectException,
- SentryAccessDeniedException {
- MSentryVersion mVersion = getMSentryVersion();
- return mVersion.getSchemaVersion();
- }
-
- public void setSentryVersion(String newVersion, String verComment)
- throws SentryNoSuchObjectException, SentryAccessDeniedException {
- MSentryVersion mVersion;
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
-
- try {
- mVersion = getMSentryVersion();
- if (newVersion.equals(mVersion.getSchemaVersion())) {
- // specified version already in there
- return;
- }
- } catch (SentryNoSuchObjectException e) {
- // if the version doesn't exist, then create it
- mVersion = new MSentryVersion();
- }
- mVersion.setSchemaVersion(newVersion);
- mVersion.setVersionComment(verComment);
- try {
- pm = openTransaction();
- pm.makePersistent(mVersion);
- rollbackTransaction = false;
- commitTransaction(pm);
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- @SuppressWarnings("unchecked")
- private MSentryVersion getMSentryVersion()
- throws SentryNoSuchObjectException, SentryAccessDeniedException {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- Query query = pm.newQuery(MSentryVersion.class);
- List<MSentryVersion> mSentryVersions = (List<MSentryVersion>) query
- .execute();
- pm.retrieveAll(mSentryVersions);
- rollbackTransaction = false;
- commitTransaction(pm);
- if (mSentryVersions.isEmpty()) {
- throw new SentryNoSuchObjectException("No matching version found");
- }
- if (mSentryVersions.size() > 1) {
- throw new SentryAccessDeniedException(
- "Metastore contains multiple versions");
- }
- return mSentryVersions.get(0);
- } catch (JDODataStoreException e) {
- if (e.getCause() instanceof MissingTableException) {
- throw new SentryAccessDeniedException("Version table not found. "
- + "The sentry store is not set or corrupt ");
- } else {
- throw e;
- }
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- /**
- * Drop given privilege from all roles
- */
- public void dropPrivilege(TSentryAuthorizable tAuthorizable)
- throws SentryNoSuchObjectException, SentryInvalidInputException {
- PersistenceManager pm = null;
- boolean rollbackTransaction = true;
-
- TSentryPrivilege tPrivilege = toSentryPrivilege(tAuthorizable);
- try {
- pm = openTransaction();
-
- if (isMultiActionsSupported(tPrivilege)) {
- for (String privilegeAction : ALL_ACTIONS) {
- tPrivilege.setAction(privilegeAction);
- dropPrivilegeForAllRoles(pm, new TSentryPrivilege(tPrivilege));
- }
- } else {
- dropPrivilegeForAllRoles(pm, new TSentryPrivilege(tPrivilege));
- }
- rollbackTransaction = false;
- commitTransaction(pm);
- } catch (JDODataStoreException e) {
- throw new SentryInvalidInputException("Failed to get privileges: "
- + e.getMessage());
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- /**
- * Rename given privilege from all roles drop the old privilege and create the new one
- * @param tAuthorizable
- * @param newTAuthorizable
- * @throws SentryNoSuchObjectException
- * @throws SentryInvalidInputException
- */
- public void renamePrivilege(TSentryAuthorizable tAuthorizable,
- TSentryAuthorizable newTAuthorizable)
- throws SentryNoSuchObjectException, SentryInvalidInputException {
- PersistenceManager pm = null;
- boolean rollbackTransaction = true;
-
- TSentryPrivilege tPrivilege = toSentryPrivilege(tAuthorizable);
- TSentryPrivilege newPrivilege = toSentryPrivilege(newTAuthorizable);
-
- try {
- pm = openTransaction();
- // In case of tables or DBs, check all actions
- if (isMultiActionsSupported(tPrivilege)) {
- for (String privilegeAction : ALL_ACTIONS) {
- tPrivilege.setAction(privilegeAction);
- newPrivilege.setAction(privilegeAction);
- renamePrivilegeForAllRoles(pm, tPrivilege, newPrivilege);
- }
- } else {
- renamePrivilegeForAllRoles(pm, tPrivilege, newPrivilege);
- }
- rollbackTransaction = false;
- commitTransaction(pm);
- } catch (JDODataStoreException e) {
- throw new SentryInvalidInputException("Failed to get privileges: "
- + e.getMessage());
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- // Currently INSERT/SELECT/ALL are supported for Table and DB level privileges
- private boolean isMultiActionsSupported(TSentryPrivilege tPrivilege) {
- return tPrivilege.getDbName() != null;
-
- }
- // wrapper for dropOrRename
- private void renamePrivilegeForAllRoles(PersistenceManager pm,
- TSentryPrivilege tPrivilege,
- TSentryPrivilege newPrivilege) throws SentryNoSuchObjectException,
- SentryInvalidInputException {
- dropOrRenamePrivilegeForAllRoles(pm, tPrivilege, newPrivilege);
- }
-
- /**
- * Drop given privilege from all roles
- * @param tPrivilege
- * @throws SentryNoSuchObjectException
- * @throws SentryInvalidInputException
- */
- private void dropPrivilegeForAllRoles(PersistenceManager pm,
- TSentryPrivilege tPrivilege)
- throws SentryNoSuchObjectException, SentryInvalidInputException {
- dropOrRenamePrivilegeForAllRoles(pm, tPrivilege, null);
- }
-
- /**
- * Drop given privilege from all roles Create the new privilege if asked
- * @param tPrivilege
- * @param pm
- * @throws SentryNoSuchObjectException
- * @throws SentryInvalidInputException
- */
- private void dropOrRenamePrivilegeForAllRoles(PersistenceManager pm,
- TSentryPrivilege tPrivilege,
- TSentryPrivilege newTPrivilege) throws SentryNoSuchObjectException,
- SentryInvalidInputException {
- HashSet<MSentryRole> roleSet = Sets.newHashSet();
-
- List<MSentryPrivilege> mPrivileges = getMSentryPrivileges(tPrivilege, pm);
- if (mPrivileges != null && !mPrivileges.isEmpty()) {
- for (MSentryPrivilege mPrivilege : mPrivileges) {
- roleSet.addAll(ImmutableSet.copyOf(mPrivilege.getRoles()));
- }
- }
-
- MSentryPrivilege parent = getMSentryPrivilege(tPrivilege, pm);
- for (MSentryRole role : roleSet) {
- // 1. get privilege and child privileges
- Set<MSentryPrivilege> privilegeGraph = Sets.newHashSet();
- if (parent != null) {
- privilegeGraph.add(parent);
- populateChildren(pm, Sets.newHashSet(role.getRoleName()), parent, privilegeGraph);
- } else {
- populateChildren(pm, Sets.newHashSet(role.getRoleName()), convertToMSentryPrivilege(tPrivilege),
- privilegeGraph);
- }
- // 2. revoke privilege and child privileges
- alterSentryRoleRevokePrivilegeCore(pm, role.getRoleName(), tPrivilege);
- // 3. add new privilege and child privileges with new tableName
- if (newTPrivilege != null) {
- for (MSentryPrivilege m : privilegeGraph) {
- TSentryPrivilege t = convertToTSentryPrivilege(m);
- if (newTPrivilege.getPrivilegeScope().equals(PrivilegeScope.DATABASE.name())) {
- t.setDbName(newTPrivilege.getDbName());
- } else if (newTPrivilege.getPrivilegeScope().equals(PrivilegeScope.TABLE.name())) {
- t.setTableName(newTPrivilege.getTableName());
- }
- alterSentryRoleGrantPrivilegeCore(pm, role.getRoleName(), t);
- }
- }
- }
- }
-
- private TSentryPrivilege toSentryPrivilege(TSentryAuthorizable tAuthorizable)
- throws SentryInvalidInputException {
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- tSentryPrivilege.setDbName(fromNULLCol(tAuthorizable.getDb()));
- tSentryPrivilege.setServerName(fromNULLCol(tAuthorizable.getServer()));
- tSentryPrivilege.setTableName(fromNULLCol(tAuthorizable.getTable()));
- tSentryPrivilege.setColumnName(fromNULLCol(tAuthorizable.getColumn()));
- tSentryPrivilege.setURI(fromNULLCol(tAuthorizable.getUri()));
- PrivilegeScope scope;
- if (!isNULL(tSentryPrivilege.getColumnName())) {
- scope = PrivilegeScope.COLUMN;
- } else if (!isNULL(tSentryPrivilege.getTableName())) {
- scope = PrivilegeScope.TABLE;
- } else if (!isNULL(tSentryPrivilege.getDbName())) {
- scope = PrivilegeScope.DATABASE;
- } else if (!isNULL(tSentryPrivilege.getURI())) {
- scope = PrivilegeScope.URI;
- } else {
- scope = PrivilegeScope.SERVER;
- }
- tSentryPrivilege.setPrivilegeScope(scope.name());
- tSentryPrivilege.setAction(AccessConstants.ALL);
- return tSentryPrivilege;
- }
-
- public static String toNULLCol(String s) {
- return Strings.isNullOrEmpty(s) ? NULL_COL : s;
- }
-
- public static String fromNULLCol(String s) {
- return isNULL(s) ? "" : s;
- }
-
- public static boolean isNULL(String s) {
- return Strings.isNullOrEmpty(s) || s.equals(NULL_COL);
- }
-
- /**
- * Grant option check
- * @param pm
- * @param privilege
- * @throws SentryUserException
- */
- private void grantOptionCheck(PersistenceManager pm, String grantorPrincipal, TSentryPrivilege privilege)
- throws SentryUserException {
- MSentryPrivilege mPrivilege = convertToMSentryPrivilege(privilege);
- if (grantorPrincipal == null) {
- throw new SentryInvalidInputException("grantorPrincipal should not be null");
- }
-
- Set<String> groups = SentryPolicyStoreProcessor.getGroupsFromUserName(conf, grantorPrincipal);
-
- // if grantor is in adminGroup, don't need to do check
- Set<String> admins = getAdminGroups();
- boolean isAdminGroup = false;
- if (groups != null && admins != null && !admins.isEmpty()) {
- for (String g : groups) {
- if (admins.contains(g)) {
- isAdminGroup = true;
- break;
- }
- }
- }
-
- if (!isAdminGroup) {
- boolean hasGrant = false;
- // get all privileges for group and user
- Set<MSentryRole> roles = getRolesForGroups(pm, groups);
- roles.addAll(getRolesForUsers(pm, Sets.newHashSet(grantorPrincipal)));
- if (roles != null && !roles.isEmpty()) {
- for (MSentryRole role : roles) {
- Set<MSentryPrivilege> privilegeSet = role.getPrivileges();
- if (privilegeSet != null && !privilegeSet.isEmpty()) {
- // if role has a privilege p with grant option
- // and mPrivilege is a child privilege of p
- for (MSentryPrivilege p : privilegeSet) {
- if (p.getGrantOption() && p.implies(mPrivilege)) {
- hasGrant = true;
- break;
- }
- }
- }
- }
- }
-
- if (!hasGrant) {
- throw new SentryGrantDeniedException(grantorPrincipal
- + " has no grant!");
- }
- }
- }
-
- // get adminGroups from conf
- private Set<String> getAdminGroups() {
- return Sets.newHashSet(conf.getStrings(
- ServerConfig.ADMIN_GROUPS, new String[]{}));
- }
-
- /**
- * This returns a Mapping of AuthZObj(db/table) -> (Role -> permission)
- */
- public Map<String, HashMap<String, String>> retrieveFullPrivilegeImage() {
- Map<String, HashMap<String, String>> retVal = new HashMap<String, HashMap<String,String>>();
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- Query query = pm.newQuery(MSentryPrivilege.class);
- String filters = "(serverName != \"__NULL__\") "
- + "&& (dbName != \"__NULL__\") " + "&& (URI == \"__NULL__\")";
- query.setFilter(filters.toString());
- query
- .setOrdering("serverName ascending, dbName ascending, tableName ascending");
- List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query
- .execute();
- rollbackTransaction = false;
- for (MSentryPrivilege mPriv : privileges) {
- String authzObj = mPriv.getDbName();
- if (!isNULL(mPriv.getTableName())) {
- authzObj = authzObj + "." + mPriv.getTableName();
- }
- HashMap<String, String> pUpdate = retVal.get(authzObj);
- if (pUpdate == null) {
- pUpdate = new HashMap<String, String>();
- retVal.put(authzObj, pUpdate);
- }
- for (MSentryRole mRole : mPriv.getRoles()) {
- String existingPriv = pUpdate.get(mRole.getRoleName());
- if (existingPriv == null) {
- pUpdate.put(mRole.getRoleName(), mPriv.getAction().toUpperCase());
- } else {
- pUpdate.put(mRole.getRoleName(), existingPriv + ","
- + mPriv.getAction().toUpperCase());
- }
- }
- }
- commitTransaction(pm);
- return retVal;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- /**
- * This returns a Mapping of Role -> [Groups]
- */
- public Map<String, LinkedList<String>> retrieveFullRoleImage() {
- Map<String, LinkedList<String>> retVal = new HashMap<String, LinkedList<String>>();
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- Query query = pm.newQuery(MSentryGroup.class);
- List<MSentryGroup> groups = (List<MSentryGroup>) query.execute();
- for (MSentryGroup mGroup : groups) {
- for (MSentryRole role : mGroup.getRoles()) {
- LinkedList<String> rUpdate = retVal.get(role.getRoleName());
- if (rUpdate == null) {
- rUpdate = new LinkedList<String>();
- retVal.put(role.getRoleName(), rUpdate);
- }
- rUpdate.add(mGroup.getGroupName());
- }
- }
- commitTransaction(pm);
- return retVal;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- /**
- * This thread exists to clean up "orphaned" privilege rows in the database.
- * These rows aren't removed automatically due to the fact that there is
- * a many-to-many mapping between the roles and privileges, and the
- * detection and removal of orphaned privileges is a wee bit involved.
- * This thread hangs out until notified by the parent (the outer class)
- * and then runs a custom SQL statement that detects and removes orphans.
- */
- private class PrivCleaner implements Runnable {
- // Kick off priv orphan removal after this many notifies
- private static final int NOTIFY_THRESHOLD = 50;
-
- // How many times we've been notified; reset to zero after orphan removal
- private int currentNotifies = 0;
-
- // Internal state for threads
- private boolean exitRequired = false;
-
- // This lock and condition are needed to implement a way to drop the
- // lock inside a while loop, and not hold the lock across the orphan
- // removal.
- private final Lock lock = new ReentrantLock();
- private final Condition cond = lock.newCondition();
-
- /**
- * Waits in a loop, running the orphan removal function when notified.
- * Will exit after exitRequired is set to true by exit(). We are careful
- * to not hold our lock while removing orphans; that operation might
- * take a long time. There's also the matter of lock ordering. Other
- * threads start a transaction first, and then grab our lock; this thread
- * grabs the lock and then starts a transaction. Handling this correctly
- * requires explicit locking/unlocking through the loop.
- */
- public void run() {
- while (true) {
- lock.lock();
- try {
- // Check here in case this was set during removeOrphanedPrivileges()
- if (exitRequired) {
- return;
- }
- while (currentNotifies <= NOTIFY_THRESHOLD) {
- try {
- cond.await();
- } catch (InterruptedException e) {
- // Interrupted
- }
- // Check here in case this was set while waiting
- if (exitRequired) {
- return;
- }
- }
- currentNotifies = 0;
- } finally {
- lock.unlock();
- }
- try {
- removeOrphanedPrivileges();
- } catch (Exception e) {
- LOGGER.warn("Privilege cleaning thread encountered an error: " +
- e.getMessage());
- }
- }
- }
-
- /**
- * This is called when a privilege is removed from a role. This may
- * or may not mean that the privilege needs to be removed from the
- * database; there may be more references to it from other roles.
- * As a result, we'll lazily run the orphan cleaner every
- * NOTIFY_THRESHOLD times this routine is called.
- * @param numDeletions The number of potentially orphaned privileges
- */
- public void incPrivRemoval(int numDeletions) {
- if (privCleanerThread != null) {
- try {
- lock.lock();
- currentNotifies += numDeletions;
- if (currentNotifies > NOTIFY_THRESHOLD) {
- cond.signal();
- }
- } finally {
- lock.unlock();
- }
- }
- }
-
- /**
- * Simple form of incPrivRemoval when only one privilege is deleted.
- */
- public void incPrivRemoval() {
- incPrivRemoval(1);
- }
-
- /**
- * Tell this thread to exit. Safe to call multiple times, as it just
- * notifies the run() loop to finish up.
- */
- public void exit() {
- if (privCleanerThread != null) {
- lock.lock();
- try {
- exitRequired = true;
- cond.signal();
- } finally {
- lock.unlock();
- }
- }
- }
-
- /**
- * Run a SQL query to detect orphaned privileges, and then delete
- * each one. This is complicated by the fact that datanucleus does
- * not seem to play well with the mix between a direct SQL query
- * and operations on the database. The solution that seems to work
- * is to split the operation into two transactions: the first is
- * just a read for privileges that look like they're orphans, the
- * second transaction will go and get each of those privilege objects,
- * verify that there are no roles attached, and then delete them.
- */
- private void removeOrphanedPrivileges() {
- final String privDB = "SENTRY_DB_PRIVILEGE";
- final String privId = "DB_PRIVILEGE_ID";
- final String mapDB = "SENTRY_ROLE_DB_PRIVILEGE_MAP";
- final String privFilter =
- "select " + privId +
- " from " + privDB + " p" +
- " where not exists (" +
- " select 1 from " + mapDB + " d" +
- " where p." + privId + " != d." + privId +
- " )";
- boolean rollback = true;
- int orphansRemoved = 0;
- ArrayList<Object> idList = new ArrayList<Object>();
- PersistenceManager pm = pmf.getPersistenceManager();
-
- // Transaction 1: Perform a SQL query to get things that look like orphans
- try {
- Transaction transaction = pm.currentTransaction();
- transaction.begin();
- transaction.setRollbackOnly(); // Makes the tx read-only
- Query query = pm.newQuery("javax.jdo.query.SQL", privFilter);
- query.setClass(MSentryPrivilege.class);
- List<MSentryPrivilege> results = (List<MSentryPrivilege>) query.execute();
- for (MSentryPrivilege orphan : results) {
- idList.add(pm.getObjectId(orphan));
- }
- transaction.rollback();
- rollback = false;
- } finally {
- if (rollback && pm.currentTransaction().isActive()) {
- pm.currentTransaction().rollback();
- } else {
- LOGGER.debug("Found {} potential orphans", idList.size());
- }
- }
-
- if (idList.isEmpty()) {
- pm.close();
- return;
- }
-
- Preconditions.checkState(!rollback);
-
- // Transaction 2: For each potential orphan, verify it's really an
- // orphan and delete it if so
- rollback = true;
- try {
- Transaction transaction = pm.currentTransaction();
- transaction.begin();
- pm.refreshAll(); // Try to ensure we really have correct objects
- for (Object id : idList) {
- MSentryPrivilege priv = (MSentryPrivilege) pm.getObjectById(id);
- if (priv.getRoles().isEmpty()) {
- pm.deletePersistent(priv);
- orphansRemoved++;
- }
- }
- transaction.commit();
- pm.close();
- rollback = false;
- } finally {
- if (rollback) {
- rollbackTransaction(pm);
- } else {
- LOGGER.debug("Cleaned up {} orphaned privileges", orphansRemoved);
- }
- }
- }
- }
-
- // get mapping datas for [group,role], [user,role] with the specific roles
- public List<Map<String, Set<String>>> getGroupUserRoleMapList(Set<String> roleNames) {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- Query query = pm.newQuery(MSentryRole.class);
-
- List<String> rolesFiler = new LinkedList<String>();
- if (roleNames != null) {
- for (String rName : roleNames) {
- rolesFiler.add("(roleName == \"" + rName.trim().toLowerCase() + "\")");
- }
- }
- if (rolesFiler.size() > 0) {
- query.setFilter(Joiner.on(" || ").join(rolesFiler));
- }
-
- List<MSentryRole> mSentryRoles = (List<MSentryRole>) query.execute();
- Map<String, Set<String>> groupRolesMap = getGroupRolesMap(mSentryRoles);
- Map<String, Set<String>> userRolesMap = getUserRolesMap(mSentryRoles);
- List<Map<String, Set<String>>> mapsList = new ArrayList<>();
- mapsList.add(INDEX_GROUP_ROLES_MAP, groupRolesMap);
- mapsList.add(INDEX_USER_ROLES_MAP, userRolesMap);
- commitTransaction(pm);
- rollbackTransaction = false;
- return mapsList;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- private Map<String, Set<String>> getGroupRolesMap(List<MSentryRole> mSentryRoles) {
- Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
- if (mSentryRoles == null) {
- return groupRolesMap;
- }
- // change the List<MSentryRole> -> Map<groupName, Set<roleName>>
- for (MSentryRole mSentryRole : mSentryRoles) {
- Set<MSentryGroup> groups = mSentryRole.getGroups();
- for (MSentryGroup group : groups) {
- String groupName = group.getGroupName();
- Set<String> rNames = groupRolesMap.get(groupName);
- if (rNames == null) {
- rNames = new HashSet<String>();
- }
- rNames.add(mSentryRole.getRoleName());
- groupRolesMap.put(groupName, rNames);
- }
- }
- return groupRolesMap;
- }
-
- private Map<String, Set<String>> getUserRolesMap(List<MSentryRole> mSentryRoles) {
- Map<String, Set<String>> userRolesMap = Maps.newHashMap();
- if (mSentryRoles == null) {
- return userRolesMap;
- }
- // change the List<MSentryRole> -> Map<userName, Set<roleName>>
- for (MSentryRole mSentryRole : mSentryRoles) {
- Set<MSentryUser> users = mSentryRole.getUsers();
- for (MSentryUser user : users) {
- String userName = user.getUserName();
- Set<String> rNames = userRolesMap.get(userName);
- if (rNames == null) {
- rNames = new HashSet<String>();
- }
- rNames.add(mSentryRole.getRoleName());
- userRolesMap.put(userName, rNames);
- }
- }
- return userRolesMap;
- }
-
- // get all mapping data for [role,privilege]
- public Map<String, Set<TSentryPrivilege>> getRoleNameTPrivilegesMap() throws Exception {
- return getRoleNameTPrivilegesMap(null, null);
- }
-
- // get mapping data for [role,privilege] with the specific auth object
- public Map<String, Set<TSentryPrivilege>> getRoleNameTPrivilegesMap(String dbName,
- String tableName) throws Exception {
- boolean rollbackTransaction = true;
- PersistenceManage
<TRUNCATED>
[08/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module (Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
new file mode 100644
index 0000000..74e9dd8
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
@@ -0,0 +1,416 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.util;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.junit.Assert;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestCommandUtil extends Assert {
+
+ @Test
+ public void testCreateCmdForCreateOrDropRole() {
+ String roleName = "testRole";
+
+ String createRoleCmdResult = CommandUtil.createCmdForCreateOrDropRole(
+ roleName, true);
+ String dropRoleCmdResult = CommandUtil.createCmdForCreateOrDropRole(
+ roleName, false);
+ String createRoleCmdExcepted = "CREATE ROLE testRole";
+ String dropRoleCmdExcepted = "DROP ROLE testRole";
+
+ Assert.assertEquals(createRoleCmdExcepted, createRoleCmdResult);
+ Assert.assertEquals(dropRoleCmdResult, dropRoleCmdExcepted);
+ }
+
+ @Test
+ public void testCreateCmdForRoleAddOrDeleteGroup1() {
+
+ String createRoleAddGroupCmdResult = CommandUtil.createCmdForRoleAddGroup("testRole",
+ getGroupStr(1));
+ String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO GROUP testGroup1";
+ String createRoleDeleteGroupCmdResult = CommandUtil.createCmdForRoleDeleteGroup("testRole",
+ getGroupStr(1));
+ String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM GROUP testGroup1";
+
+ Assert.assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
+ Assert.assertEquals(createRoleDeleteGroupCmdExcepted,
+ createRoleDeleteGroupCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForRoleAddOrDeleteGroup2() {
+ String createRoleAddGroupCmdResult = CommandUtil.createCmdForRoleAddGroup("testRole",
+ getGroupStr(3));
+ String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO GROUP testGroup1, testGroup2, testGroup3";
+ String createRoleDeleteGroupCmdResult = CommandUtil.createCmdForRoleDeleteGroup("testRole",
+ getGroupStr(3));
+ String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM GROUP testGroup1, testGroup2, testGroup3";
+
+ Assert.assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
+ Assert.assertEquals(createRoleDeleteGroupCmdExcepted,
+ createRoleDeleteGroupCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForRoleAddOrDeleteUser1() {
+ String createRoleAddGroupCmdResult =
+ CommandUtil.createCmdForRoleAddUser("testRole", getUserStr(1));
+ String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO USER testUser1";
+ String createRoleDeleteGroupCmdResult =
+ CommandUtil.createCmdForRoleDeleteUser("testRole", getUserStr(1));
+ String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM USER testUser1";
+
+ Assert.assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
+ Assert.assertEquals(createRoleDeleteGroupCmdExcepted, createRoleDeleteGroupCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForRoleAddOrDeleteUser2() {
+ String createRoleAddGroupCmdResult =
+ CommandUtil.createCmdForRoleAddUser("testRole", getUserStr(3));
+ String createRoleAddGroupCmdExcepted =
+ "GRANT ROLE testRole TO USER testUser1, testUser2, testUser3";
+ String createRoleDeleteGroupCmdResult =
+ CommandUtil.createCmdForRoleDeleteUser("testRole", getUserStr(3));
+ String createRoleDeleteGroupCmdExcepted =
+ "REVOKE ROLE testRole FROM USER testUser1, testUser2, testUser3";
+
+ Assert.assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
+ Assert.assertEquals(createRoleDeleteGroupCmdExcepted, createRoleDeleteGroupCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege1() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
+ PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ Set<TSentryPrivilege> privileges = Sets.newHashSet();
+ privileges.add(privilege);
+ grantRequest.setPrivileges(privileges);
+ revokeRequest.setPrivileges(privileges);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT ALL ON DATABASE dbTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE ALL ON DATABASE dbTest FROM ROLE testRole";
+
+ Assert.assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ Assert.assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege2() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.INSERT,
+ PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ Set<TSentryPrivilege> privileges = Sets.newHashSet();
+ privileges.add(privilege);
+ grantRequest.setPrivileges(privileges);
+ revokeRequest.setPrivileges(privileges);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT INSERT ON DATABASE dbTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE INSERT ON DATABASE dbTest FROM ROLE testRole";
+
+ Assert.assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ Assert.assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege3() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+ PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ Set<TSentryPrivilege> privileges = Sets.newHashSet();
+ privileges.add(privilege);
+ grantRequest.setPrivileges(privileges);
+ revokeRequest.setPrivileges(privileges);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON DATABASE dbTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON DATABASE dbTest FROM ROLE testRole";
+
+ Assert.assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ Assert.assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege4() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(null,
+ PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ Set<TSentryPrivilege> privileges = Sets.newHashSet();
+ privileges.add(privilege);
+ grantRequest.setPrivileges(privileges);
+ revokeRequest.setPrivileges(privileges);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT null ON DATABASE dbTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE null ON DATABASE dbTest FROM ROLE testRole";
+
+ Assert.assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ Assert.assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege5() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+ PrivilegeScope.TABLE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ Set<TSentryPrivilege> privileges = Sets.newHashSet();
+ privileges.add(privilege);
+ grantRequest.setPrivileges(privileges);
+ revokeRequest.setPrivileges(privileges);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON TABLE tableTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON TABLE tableTest FROM ROLE testRole";
+
+ Assert.assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ Assert.assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege6() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+ PrivilegeScope.SERVER.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ Set<TSentryPrivilege> privileges = Sets.newHashSet();
+ privileges.add(privilege);
+ grantRequest.setPrivileges(privileges);
+ revokeRequest.setPrivileges(privileges);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON SERVER serverTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON SERVER serverTest FROM ROLE testRole";
+
+ Assert.assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ Assert.assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege7() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+ PrivilegeScope.URI.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ Set<TSentryPrivilege> privileges = Sets.newHashSet();
+ privileges.add(privilege);
+ grantRequest.setPrivileges(privileges);
+ revokeRequest.setPrivileges(privileges);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON URI hdfs://namenode:port/path/to/dir TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON URI hdfs://namenode:port/path/to/dir FROM ROLE testRole";
+
+ Assert.assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ Assert.assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege8() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT, PrivilegeScope.SERVER.name(),
+ "dbTest", "tableTest", "serverTest", "hdfs://namenode:port/path/to/dir");
+ privilege.setGrantOption(TSentryGrantOption.TRUE);
+ Set<TSentryPrivilege> privileges = Sets.newHashSet();
+ privileges.add(privilege);
+ grantRequest.setPrivileges(privileges);
+ revokeRequest.setPrivileges(privileges);
+
+ String createGrantPrivilegeCmdResult = CommandUtil.createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON SERVER serverTest TO ROLE testRole WITH GRANT OPTION";
+ String createRevokePrivilegeCmdResult = CommandUtil.createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON SERVER serverTest FROM ROLE testRole WITH GRANT OPTION";
+
+ Assert.assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ Assert.assertEquals(createRevokePrivilegeCmdExcepted, createRevokePrivilegeCmdResult);
+ }
+
+ // generate the command without grant option
+ @Test
+ public void testCreateCmdForGrantOrRevokeGMPrivilege1() {
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantGMPrivilegeRequest();
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokeGMPrivilegeRequest();
+ org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege = getGMPrivilege();
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil.createCmdForGrantGMPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokeGMPrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 FROM ROLE testRole";
+
+ Assert.assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ Assert.assertEquals(createRevokePrivilegeCmdExcepted, createRevokePrivilegeCmdResult);
+ }
+
+ // generate the command with grant option
+ @Test
+ public void testCreateCmdForGrantOrRevokeGMPrivilege2() {
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantGMPrivilegeRequest();
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokeGMPrivilegeRequest();
+ org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege = getGMPrivilege();
+ privilege
+ .setGrantOption(org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption.TRUE);
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil.createCmdForGrantGMPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 TO ROLE testRole WITH GRANT OPTION";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokeGMPrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 FROM ROLE testRole WITH GRANT OPTION";
+
+ Assert.assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ Assert.assertEquals(createRevokePrivilegeCmdExcepted, createRevokePrivilegeCmdResult);
+ }
+
+ private String getGroupStr(int num) {
+ StringBuilder sb = new StringBuilder();
+ for (int i = 0; i < num; i++) {
+ if (i > 0) {
+ sb.append(", ");
+ }
+ sb.append("testGroup" + (i + 1));
+ }
+ return sb.toString();
+ }
+
+ private String getUserStr(int num) {
+ StringBuilder sb = new StringBuilder();
+ for (int i = 0; i < num; i++) {
+ if (i > 0) {
+ sb.append(", ");
+ }
+ sb.append("testUser" + (i + 1));
+ }
+ return sb.toString();
+ }
+
+ private TAlterSentryRoleGrantPrivilegeRequest getGrantPrivilegeRequest() {
+ TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private TAlterSentryRoleRevokePrivilegeRequest getRevokePrivilegeRequest() {
+ TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest getGrantGMPrivilegeRequest() {
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest request = new org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest getRevokeGMPrivilegeRequest() {
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest request = new org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private TSentryPrivilege getPrivilege(String action, String privilegeScope,
+ String dbName, String tableName, String serverName, String URI) {
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setAction(action);
+ privilege.setPrivilegeScope(privilegeScope);
+ privilege.setDbName(dbName);
+ privilege.setTableName(tableName);
+ privilege.setServerName(serverName);
+ privilege.setURI(URI);
+ return privilege;
+ }
+
+ private org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege getGMPrivilege() {
+ org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege = new org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege();
+ privilege.setAction("ACTION");
+ privilege.setComponent("COMPONENT");
+ List<TAuthorizable> authorizables = new ArrayList<TAuthorizable>();
+ authorizables.add(new TAuthorizable("resourceType1", "resourceName1"));
+ authorizables.add(new TAuthorizable("resourceType2", "resourceName2"));
+ privilege.setAuthorizables(authorizables);
+ return privilege;
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
new file mode 100644
index 0000000..c31233b
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
@@ -0,0 +1,245 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
+import org.junit.Test;
+
+public class TestSentryPrivilege {
+ @Test
+ public void testImpliesPrivilegePositive() throws Exception {
+ // 1.test server+database+table+action
+ MSentryPrivilege my = new MSentryPrivilege();
+ MSentryPrivilege your = new MSentryPrivilege();
+ my.setServerName("server1");
+ my.setDbName("db1");
+ my.setTableName("tb1");
+ my.setAction(AccessConstants.SELECT);
+ your.setServerName("server1");
+ your.setDbName("db1");
+ your.setTableName("tb1");
+ your.setAction(AccessConstants.SELECT);
+ assertTrue(my.implies(your));
+
+ my.setAction(AccessConstants.ALL);
+ assertTrue(my.implies(your));
+
+ my.setTableName("");
+ assertTrue(my.implies(your));
+
+ my.setDbName("");
+ assertTrue(my.implies(your));
+
+ my.setAction(AccessConstants.ACTION_ALL);
+ assertTrue(my.implies(your));
+
+ my.setTableName("");
+ assertTrue(my.implies(your));
+
+ my.setDbName("");
+ assertTrue(my.implies(your));
+
+ // 2.test server+URI+action using all combinations of * and ALL for action
+ String[][] actionMap = new String[][] {
+ { AccessConstants.ALL, AccessConstants.ALL },
+ { AccessConstants.ALL, AccessConstants.ACTION_ALL },
+ { AccessConstants.ACTION_ALL, AccessConstants.ALL },
+ { AccessConstants.ACTION_ALL, AccessConstants.ACTION_ALL } };
+
+ for (int actions = 0; actions < actionMap.length; actions++) {
+ my = new MSentryPrivilege();
+ your = new MSentryPrivilege();
+ my.setServerName("server1");
+ my.setAction(actionMap[actions][0]);
+ your.setServerName("server1");
+ your.setAction(actionMap[actions][1]);
+ my.setURI("hdfs://namenode:9000/path");
+ your.setURI("hdfs://namenode:9000/path");
+ assertTrue(my.implies(your));
+
+ my.setURI("hdfs://namenode:9000/path");
+ your.setURI("hdfs://namenode:9000/path/to/some/dir");
+ assertTrue(my.implies(your));
+
+ my.setURI("file:///path");
+ your.setURI("file:///path");
+ assertTrue(my.implies(your));
+
+ my.setURI("file:///path");
+ your.setURI("file:///path/to/some/dir");
+ assertTrue(my.implies(your));
+
+ // my is SERVER level privilege, your is URI level privilege
+ my.setURI("");
+ your.setURI("file:///path");
+ assertTrue(my.implies(your));
+ }
+ }
+
+ @Test
+ public void testImpliesPrivilegeNegative() throws Exception {
+ // 1.test server+database+table+action
+ MSentryPrivilege my = new MSentryPrivilege();
+ MSentryPrivilege your = new MSentryPrivilege();
+ // bad action
+ my.setServerName("server1");
+ my.setDbName("db1");
+ my.setTableName("tb1");
+ my.setAction(AccessConstants.SELECT);
+ your.setServerName("server1");
+ your.setDbName("db1");
+ your.setTableName("tb1");
+ your.setAction(AccessConstants.INSERT);
+ assertFalse(my.implies(your));
+
+ // bad action
+ your.setAction(AccessConstants.ALL);
+ assertFalse(my.implies(your));
+
+
+ // bad table
+ your.setTableName("tb2");
+ assertFalse(my.implies(your));
+
+ // bad database
+ your.setTableName("tb1");
+ your.setDbName("db2");
+ assertFalse(my.implies(your));
+
+ // bad server
+ your.setTableName("tb1");
+ your.setDbName("db1");
+ your.setServerName("server2");
+ assertFalse(my.implies(your));
+
+ // 2.test server+URI+action
+ my = new MSentryPrivilege();
+ your = new MSentryPrivilege();
+ my.setServerName("server1");
+ my.setAction(AccessConstants.ALL);
+ your.setServerName("server2");
+ your.setAction(AccessConstants.ALL);
+
+ // relative path
+ my.setURI("hdfs://namenode:9000/path");
+ your.setURI("hdfs://namenode:9000/path/to/../../other");
+ assertFalse(my.implies(your));
+ my.setURI("file:///path");
+ your.setURI("file:///path/to/../../other");
+ assertFalse(my.implies(your));
+
+ // bad uri
+ my.setURI("blah");
+ your.setURI("hdfs://namenode:9000/path/to/some/dir");
+ assertFalse(my.implies(your));
+ my.setURI("hdfs://namenode:9000/path/to/some/dir");
+ your.setURI("blah");
+ assertFalse(my.implies(your));
+
+ // bad scheme
+ my.setURI("hdfs://namenode:9000/path");
+ your.setURI("file:///path/to/some/dir");
+ assertFalse(my.implies(your));
+ my.setURI("hdfs://namenode:9000/path");
+ your.setURI("file://namenode:9000/path/to/some/dir");
+ assertFalse(my.implies(your));
+
+ // bad hostname
+ my.setURI("hdfs://namenode1:9000/path");
+ your.setURI("hdfs://namenode2:9000/path");
+ assertFalse(my.implies(your));
+
+ // bad port
+ my.setURI("hdfs://namenode:9000/path");
+ your.setURI("hdfs://namenode:9001/path");
+ assertFalse(my.implies(your));
+
+ // bad path
+ my.setURI("hdfs://namenode:9000/path1");
+ your.setURI("hdfs://namenode:9000/path2");
+ assertFalse(my.implies(your));
+ my.setURI("file:///path1");
+ your.setURI("file:///path2");
+ assertFalse(my.implies(your));
+
+ // bad server
+ your.setServerName("server2");
+ my.setURI("hdfs://namenode:9000/path1");
+ your.setURI("hdfs://namenode:9000/path1");
+ assertFalse(my.implies(your));
+
+ // bad implies
+ my.setServerName("server1");
+ my.setURI("hdfs://namenode:9000/path1");
+ your.setServerName("server1");
+ your.setURI("");
+ assertFalse(my.implies(your));
+ }
+
+ @Test
+ public void testImpliesPrivilegePositiveWithColumn() throws Exception {
+ // 1.test server+database+table+column+action
+ MSentryPrivilege my = new MSentryPrivilege();
+ MSentryPrivilege your = new MSentryPrivilege();
+ my.setServerName("server1");
+ my.setAction(AccessConstants.SELECT);
+ your.setServerName("server1");
+ your.setDbName("db1");
+ your.setTableName("tb1");
+ your.setColumnName("c1");
+ your.setAction(AccessConstants.SELECT);
+ assertTrue(my.implies(your));
+
+ my.setDbName("db1");
+ assertTrue(my.implies(your));
+
+ my.setTableName("tb1");
+ assertTrue(my.implies(your));
+
+ my.setColumnName("c1");
+ assertTrue(my.implies(your));
+ }
+
+ @Test
+ public void testImpliesPrivilegeNegativeWithColumn() throws Exception {
+ // 1.test server+database+table+column+action
+ MSentryPrivilege my = new MSentryPrivilege();
+ MSentryPrivilege your = new MSentryPrivilege();
+ // bad column
+ my.setServerName("server1");
+ my.setDbName("db1");
+ my.setTableName("tb1");
+ my.setColumnName("c1");
+ my.setAction(AccessConstants.SELECT);
+ your.setServerName("server1");
+ your.setDbName("db1");
+ your.setTableName("tb1");
+ your.setColumnName("c2");
+ your.setAction(AccessConstants.SELECT);
+ assertFalse(my.implies(your));
+
+ // bad scope
+ your.setColumnName("");
+ assertFalse(my.implies(your));
+ }
+}
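Review bot: The URI cases in testImpliesPrivilegeNegative (the "relative path", "bad uri", "bad scheme", "bad hostname", "bad port" and "bad path" blocks) never exercise the URI comparison, because `your.setServerName("server2")` at the top of section 2 already makes every `implies` call fail on the server name, so each assertFalse would pass even if `..` traversal, a foreign scheme or a different port were accepted. Change that line to `your.setServerName("server1");` so that only the later "bad server" block flips the server and the "bad implies" block keeps resetting it. In testImpliesPrivilegePositive the second `my.setTableName("")` / `my.setDbName("")` pair repeats assertions made a few lines above on values that are already empty; dropping it, or moving the ACTION_ALL check before the scope is widened, would make what each assertion covers clearer.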
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryServiceDiscovery.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryServiceDiscovery.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryServiceDiscovery.java
new file mode 100644
index 0000000..7cbcc11
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryServiceDiscovery.java
@@ -0,0 +1,123 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.hadoop.conf.Configuration;
+
+import org.apache.curator.test.TestingServer;
+import org.apache.curator.x.discovery.ServiceInstance;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import static org.junit.Assert.assertEquals;
+
+public class TestSentryServiceDiscovery {
+
+ private HAContext haContext;
+ private TestingServer server;
+
+ @Before
+ public void setup() throws Exception {
+ server = new TestingServer();
+ // HA conf
+ Configuration conf = new Configuration(false);
+ conf.set(ServerConfig.SENTRY_HA_ENABLED, "true");
+ conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE, "sentry-test");
+ conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_QUORUM, server.getConnectString());
+ haContext = HAContext.getHAContext(conf);
+ }
+
+ @After
+ public void teardown() {
+ HAContext.clearServerContext();
+ if (server != null) {
+ try {
+ server.stop();
+ } catch (IOException e) {
+ }
+ }
+ }
+
+ @Test
+ public void testRegisterOneService() throws Exception {
+ final String hostname = "localhost1";
+ final Integer port = 123;
+ ServiceRegister register = new ServiceRegister(haContext);
+ register.regService(hostname, port);
+ ServiceManager manager = new ServiceManager(haContext);
+ ServiceInstance<Void> instance = manager.getServiceInstance();
+ assertEquals("'hostname' doesn't match.", hostname, instance.getAddress());
+ assertEquals("'port' doesn't match.", port, instance.getPort());
+ }
+
+ @Test
+ public void testRegisterMultiService() throws Exception {
+
+ final String hostname1 = "localhost1";
+ final Integer port1 = 123;
+ final String hostname2 = "localhost2";
+ final Integer port2 = 456;
+ final String hostname3 = "localhost3";
+ final Integer port3 = 789;
+
+ Map<String, Integer> servicesMap = new HashMap<String, Integer>();
+ servicesMap.put(hostname1, port1);
+ servicesMap.put(hostname2, port2);
+ servicesMap.put(hostname3, port3);
+
+ ServiceRegister register1 = new ServiceRegister(haContext);
+ register1.regService(hostname1, port1);
+ ServiceRegister register2 = new ServiceRegister(haContext);
+ register2.regService(hostname2, port2);
+ ServiceRegister register3 = new ServiceRegister(haContext);
+ register3.regService(hostname3, port3);
+
+ ServiceManager manager = new ServiceManager(haContext);
+ ServiceInstance<Void> instance = manager.getServiceInstance();
+ assertEquals("'instance' doesn't match.", instance.getPort(), servicesMap.get(instance.getAddress()));
+ instance = manager.getServiceInstance();
+ assertEquals("'instance' doesn't match.", instance.getPort(), servicesMap.get(instance.getAddress()));
+ instance = manager.getServiceInstance();
+ assertEquals("'instance' doesn't match.", instance.getPort(), servicesMap.get(instance.getAddress()));
+ }
+
+ @Test
+ public void testReportError() throws Exception {
+ final String hostname1 = "localhost1";
+ final Integer port1 = 123;
+
+ ServiceRegister register1 = new ServiceRegister(haContext);
+ register1.regService(hostname1, port1);
+
+ ServiceManager manager = new ServiceManager(haContext);
+ ServiceInstance<Void> instance = manager.getServiceInstance();
+ manager.reportError(instance);
+ // report twice, manager will not return temporarily
+ instance = manager.getServiceInstance();
+ manager.reportError(instance);
+ instance = manager.getServiceInstance();
+ assertEquals("'instance' should be null.", null, instance);
+ }
+
+}
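Review bot: The empty `catch (IOException e)` in teardown hides a failed ZooKeeper shutdown, so a TestingServer that did not stop (and its port) would only surface as a confusing failure in a later test. Either let it propagate with `public void teardown() throws IOException`, or, if best-effort cleanup is intended, rename the variable to `ignored` and add a comment such as `// best effort: the embedded server is discarded with the test`. In testRegisterMultiService the three `assertEquals` calls pass the map lookup as the actual value and the instance port as the expected one; `assertEquals("'instance' doesn't match.", servicesMap.get(instance.getAddress()), instance.getPort())` gives a readable message on failure. If getServiceInstance is meant to rotate through registered instances, collecting the three returned addresses and asserting they are distinct would verify that all registrations are discoverable, which the current repeated lookups do not.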
[38/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
deleted file mode 100644
index 5fafec8..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ /dev/null
@@ -1,1113 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import java.lang.reflect.Constructor;
-import java.lang.reflect.InvocationTargetException;
-import java.util.HashSet;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.regex.Pattern;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.common.service.GroupMappingService;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryInvalidInputException;
-import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
-import org.apache.sentry.provider.db.SentryPolicyStorePlugin;
-import org.apache.sentry.provider.db.SentryPolicyStorePlugin.SentryPluginException;
-import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
-import org.apache.sentry.provider.db.log.entity.JsonLogEntity;
-import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory;
-import org.apache.sentry.provider.db.log.util.Constants;
-import org.apache.sentry.provider.db.service.persistent.CommitContext;
-import org.apache.sentry.provider.db.service.persistent.HAContext;
-import org.apache.sentry.provider.db.service.persistent.SentryStore;
-import org.apache.sentry.provider.db.service.persistent.ServiceRegister;
-import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
-import org.apache.sentry.service.thrift.SentryServiceUtil;
-import org.apache.sentry.service.thrift.ServiceConstants;
-import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
-import org.apache.sentry.service.thrift.Status;
-import org.apache.sentry.service.thrift.TSentryResponseStatus;
-import org.apache.thrift.TException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.codahale.metrics.Timer;
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Preconditions;
-import com.google.common.base.Splitter;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-
-@SuppressWarnings("unused")
-public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryPolicyStoreProcessor.class);
- private static final Logger AUDIT_LOGGER = LoggerFactory.getLogger(Constants.AUDIT_LOGGER_NAME);
-
- public static final String SENTRY_POLICY_SERVICE_NAME = "SentryPolicyService";
-
- public static volatile SentryPolicyStoreProcessor instance;
-
- private final String name;
- private final Configuration conf;
- private final SentryStore sentryStore;
- private final NotificationHandlerInvoker notificationHandlerInvoker;
- private final ImmutableSet<String> adminGroups;
- private boolean isReady;
- SentryMetrics sentryMetrics;
- private HAContext haContext;
-
- private List<SentryPolicyStorePlugin> sentryPlugins = new LinkedList<SentryPolicyStorePlugin>();
-
- public SentryPolicyStoreProcessor(String name, Configuration conf) throws Exception {
- super();
- this.name = name;
- this.conf = conf;
- this.notificationHandlerInvoker = new NotificationHandlerInvoker(conf,
- createHandlers(conf));
- isReady = false;
- if (conf.getBoolean(ServerConfig.SENTRY_HA_ENABLED,
- ServerConfig.SENTRY_HA_ENABLED_DEFAULT)) {
- haContext = HAContext.getHAServerContext(conf);
- sentryStore = new SentryStore(conf);
- ServiceRegister reg = new ServiceRegister(haContext);
- reg.regService(conf.get(ServerConfig.RPC_ADDRESS),
- conf.getInt(ServerConfig.RPC_PORT,ServerConfig.RPC_PORT_DEFAULT));
- } else {
- sentryStore = new SentryStore(conf);
- }
- isReady = true;
- adminGroups = ImmutableSet.copyOf(toTrimedLower(Sets.newHashSet(conf.getStrings(
- ServerConfig.ADMIN_GROUPS, new String[]{}))));
- Iterable<String> pluginClasses = ConfUtilties.CLASS_SPLITTER
- .split(conf.get(ServerConfig.SENTRY_POLICY_STORE_PLUGINS,
- ServerConfig.SENTRY_POLICY_STORE_PLUGINS_DEFAULT).trim());
- for (String pluginClassStr : pluginClasses) {
- Class<?> clazz = conf.getClassByName(pluginClassStr);
- if (!SentryPolicyStorePlugin.class.isAssignableFrom(clazz)) {
- throw new IllegalArgumentException("Sentry Plugin ["
- + pluginClassStr + "] is not a "
- + SentryPolicyStorePlugin.class.getName());
- }
- SentryPolicyStorePlugin plugin = (SentryPolicyStorePlugin)clazz.newInstance();
- plugin.initialize(conf, sentryStore);
- sentryPlugins.add(plugin);
- }
- if (instance == null) {
- instance = this;
- }
- initMetrics();
- }
-
- private void initMetrics() {
- sentryMetrics = SentryMetrics.getInstance();
- sentryMetrics.addSentryStoreGauges(sentryStore);
-
- String sentryReporting = conf.get(ServerConfig.SENTRY_REPORTER);
- if (sentryReporting != null) {
- SentryMetrics.Reporting reporting;
- try {
- reporting = SentryMetrics.Reporting.valueOf(sentryReporting.toUpperCase());
- sentryMetrics.initReporting(reporting);
-
- } catch (IllegalArgumentException e) {
- LOGGER.warn("Metrics reporting not configured correctly, please set " + ServerConfig.SENTRY_REPORTER +
- " to: " + SentryMetrics.Reporting.CONSOLE.name() + "/" + SentryMetrics.Reporting.JMX.name());
- }
- }
- }
-
- public void stop() {
- if (isReady) {
- sentryStore.stop();
- }
- if (haContext != null) {
- try {
- haContext.getCuratorFramework().close();
- } catch (Exception e) {
- LOGGER.warn("Error in stopping processor", e);
- }
- }
- }
-
- public void registerPlugin(SentryPolicyStorePlugin plugin) throws SentryPluginException {
- plugin.initialize(conf, sentryStore);
- sentryPlugins.add(plugin);
- }
-
- @VisibleForTesting
- static List<NotificationHandler> createHandlers(Configuration conf)
- throws SentrySiteConfigurationException {
- List<NotificationHandler> handlers = Lists.newArrayList();
- Iterable<String> notificationHandlers = Splitter.onPattern("[\\s,]").trimResults()
- .omitEmptyStrings().split(conf.get(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, ""));
- for (String notificationHandler : notificationHandlers) {
- Class<?> clazz = null;
- try {
- clazz = Class.forName(notificationHandler);
- if (!NotificationHandler.class.isAssignableFrom(clazz)) {
- throw new SentrySiteConfigurationException("Class " + notificationHandler + " is not a " +
- NotificationHandler.class.getName());
- }
- } catch (ClassNotFoundException e) {
- throw new SentrySiteConfigurationException("Value " + notificationHandler +
- " is not a class", e);
- }
- Preconditions.checkNotNull(clazz, "Error class cannot be null");
- try {
- Constructor<?> constructor = clazz.getConstructor(Configuration.class);
- handlers.add((NotificationHandler)constructor.newInstance(conf));
- } catch (Exception e) {
- throw new SentrySiteConfigurationException("Error attempting to create " + notificationHandler, e);
- }
- }
- return handlers;
- }
-
- @VisibleForTesting
- public Configuration getSentryStoreConf() {
- return conf;
- }
-
- private static Set<String> toTrimedLower(Set<String> s) {
- Set<String> result = Sets.newHashSet();
- for (String v : s) {
- result.add(v.trim().toLowerCase());
- }
- return result;
- }
-
- private boolean inAdminGroups(Set<String> requestorGroups) {
- Set<String> trimmedRequestorGroups = toTrimedLower(requestorGroups);
- return !Sets.intersection(adminGroups, trimmedRequestorGroups).isEmpty();
- }
-
- private void authorize(String requestorUser, Set<String> requestorGroups)
- throws SentryAccessDeniedException {
- if (!inAdminGroups(requestorGroups)) {
- String msg = "User: " + requestorUser + " is part of " + requestorGroups +
- " which does not, intersect admin groups " + adminGroups;
- LOGGER.warn(msg);
- throw new SentryAccessDeniedException("Access denied to " + requestorUser);
- }
- }
-
- @Override
- public TCreateSentryRoleResponse create_sentry_role(
- TCreateSentryRoleRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.createRoleTimer.time();
- TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
- try {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(),
- getRequestorGroups(request.getRequestorUserName()));
- CommitContext commitContext = sentryStore.createSentryRole(request.getRoleName());
- response.setStatus(Status.OK());
- notificationHandlerInvoker.create_sentry_role(commitContext,
- request, response);
- } catch (SentryAlreadyExistsException e) {
- String msg = "Role: " + request + " already exists.";
- LOGGER.error(msg, e);
- response.setStatus(Status.AlreadyExists(msg, e));
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
-
- try {
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf).toJsonFormatLog());
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error creating audit log for create role: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return response;
- }
-
- @Override
- public TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege
- (TAlterSentryRoleGrantPrivilegeRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.grantTimer.time();
-
- TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
- try {
- validateClientVersion(request.getProtocol_version());
- // There should only one field be set
- if ( !(request.isSetPrivileges()^request.isSetPrivilege()) ) {
- throw new SentryUserException("SENTRY API version is not right!");
- }
- // Maintain compatibility for old API: Set privilege field to privileges field
- if (request.isSetPrivilege()) {
- request.setPrivileges(Sets.newHashSet(request.getPrivilege()));
- }
- CommitContext commitContext = sentryStore.alterSentryRoleGrantPrivileges(request.getRequestorUserName(),
- request.getRoleName(), request.getPrivileges());
- response.setStatus(Status.OK());
- response.setPrivileges(request.getPrivileges());
- // Maintain compatibility for old API: Set privilege field to response
- if (response.isSetPrivileges() && response.getPrivileges().size() == 1) {
- response.setPrivilege(response.getPrivileges().iterator().next());
- }
- notificationHandlerInvoker.alter_sentry_role_grant_privilege(commitContext,
- request, response);
- for (SentryPolicyStorePlugin plugin : sentryPlugins) {
- plugin.onAlterSentryRoleGrantPrivilege(request);
- }
- } catch (SentryNoSuchObjectException e) {
- String msg = "Role: " + request.getRoleName() + " doesn't exist";
- LOGGER.error(msg, e);
- response.setStatus(Status.NoSuchObject(msg, e));
- } catch (SentryInvalidInputException e) {
- String msg = "Invalid input privilege object";
- LOGGER.error(msg, e);
- response.setStatus(Status.InvalidInput(msg, e));
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
-
- try {
- Set<JsonLogEntity> jsonLogEntitys = JsonLogEntityFactory.getInstance().createJsonLogEntitys(
- request, response, conf);
- for (JsonLogEntity jsonLogEntity : jsonLogEntitys) {
- AUDIT_LOGGER.info(jsonLogEntity.toJsonFormatLog());
- }
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error creating audit log for grant privilege to role: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return response;
- }
-
- @Override
- public TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege
- (TAlterSentryRoleRevokePrivilegeRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.revokeTimer.time();
- TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse();
- try {
- validateClientVersion(request.getProtocol_version());
- // There should only one field be set
- if ( !(request.isSetPrivileges()^request.isSetPrivilege()) ) {
- throw new SentryUserException("SENTRY API version is not right!");
- }
- // Maintain compatibility for old API: Set privilege field to privileges field
- if (request.isSetPrivilege()) {
- request.setPrivileges(Sets.newHashSet(request.getPrivilege()));
- }
- CommitContext commitContext = sentryStore.alterSentryRoleRevokePrivileges(request.getRequestorUserName(),
- request.getRoleName(), request.getPrivileges());
- response.setStatus(Status.OK());
- notificationHandlerInvoker.alter_sentry_role_revoke_privilege(commitContext,
- request, response);
- for (SentryPolicyStorePlugin plugin : sentryPlugins) {
- plugin.onAlterSentryRoleRevokePrivilege(request);
- }
- } catch (SentryNoSuchObjectException e) {
- StringBuilder msg = new StringBuilder();
- if (request.getPrivileges().size() > 0) {
- for (TSentryPrivilege privilege : request.getPrivileges()) {
- msg.append("Privilege: [server=");
- msg.append(privilege.getServerName());
- msg.append(",db=");
- msg.append(privilege.getDbName());
- msg.append(",table=");
- msg.append(privilege.getTableName());
- msg.append(",URI=");
- msg.append(privilege.getURI());
- msg.append(",action=");
- msg.append(privilege.getAction());
- msg.append("] ");
- }
- msg.append("doesn't exist.");
- }
- LOGGER.error(msg.toString(), e);
- response.setStatus(Status.NoSuchObject(msg.toString(), e));
- } catch (SentryInvalidInputException e) {
- String msg = "Invalid input privilege object";
- LOGGER.error(msg, e);
- response.setStatus(Status.InvalidInput(msg, e));
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
-
- try {
- Set<JsonLogEntity> jsonLogEntitys = JsonLogEntityFactory.getInstance().createJsonLogEntitys(
- request, response, conf);
- for (JsonLogEntity jsonLogEntity : jsonLogEntitys) {
- AUDIT_LOGGER.info(jsonLogEntity.toJsonFormatLog());
- }
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error creating audit log for revoke privilege from role: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return response;
- }
-
- @Override
- public TDropSentryRoleResponse drop_sentry_role(
- TDropSentryRoleRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.dropRoleTimer.time();
- TDropSentryRoleResponse response = new TDropSentryRoleResponse();
- TSentryResponseStatus status;
- try {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(),
- getRequestorGroups(request.getRequestorUserName()));
- CommitContext commitContext = sentryStore.dropSentryRole(request.getRoleName());
- response.setStatus(Status.OK());
- notificationHandlerInvoker.drop_sentry_role(commitContext,
- request, response);
- for (SentryPolicyStorePlugin plugin : sentryPlugins) {
- plugin.onDropSentryRole(request);
- }
- } catch (SentryNoSuchObjectException e) {
- String msg = "Role :" + request + " doesn't exist";
- LOGGER.error(msg, e);
- response.setStatus(Status.NoSuchObject(msg, e));
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
-
- try {
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf).toJsonFormatLog());
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error creating audit log for drop role: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return response;
- }
-
- @Override
- public TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(
- TAlterSentryRoleAddGroupsRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.grantRoleTimer.time();
- TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
- try {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(),
- getRequestorGroups(request.getRequestorUserName()));
- CommitContext commitContext = sentryStore.alterSentryRoleAddGroups(
- request.getRequestorUserName(), request.getRoleName(),
- request.getGroups());
- response.setStatus(Status.OK());
- notificationHandlerInvoker.alter_sentry_role_add_groups(commitContext,
- request, response);
- for (SentryPolicyStorePlugin plugin : sentryPlugins) {
- plugin.onAlterSentryRoleAddGroups(request);
- }
- } catch (SentryNoSuchObjectException e) {
- String msg = "Role: " + request + " doesn't exist";
- LOGGER.error(msg, e);
- response.setStatus(Status.NoSuchObject(msg, e));
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
-
- try {
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf).toJsonFormatLog());
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error creating audit log for add role to group: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return response;
- }
-
- @Override
- public TAlterSentryRoleAddUsersResponse alter_sentry_role_add_users(
- TAlterSentryRoleAddUsersRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.grantRoleTimer.time();
- TAlterSentryRoleAddUsersResponse response = new TAlterSentryRoleAddUsersResponse();
- try {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName()));
- CommitContext commitContext = sentryStore.alterSentryRoleAddUsers(request.getRoleName(),
- request.getUsers());
- response.setStatus(Status.OK());
- notificationHandlerInvoker.alter_sentry_role_add_users(commitContext, request, response);
- } catch (SentryNoSuchObjectException e) {
- String msg = "Role: " + request + " does not exist.";
- LOGGER.error(msg, e);
- response.setStatus(Status.NoSuchObject(msg, e));
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
-
- try {
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf).toJsonFormatLog());
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error creating audit log for add role to user: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return response;
- }
-
- @Override
- public TAlterSentryRoleDeleteUsersResponse alter_sentry_role_delete_users(
- TAlterSentryRoleDeleteUsersRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.grantRoleTimer.time();
- TAlterSentryRoleDeleteUsersResponse response = new TAlterSentryRoleDeleteUsersResponse();
- try {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName()));
- CommitContext commitContext = sentryStore.alterSentryRoleDeleteUsers(request.getRoleName(),
- request.getUsers());
- response.setStatus(Status.OK());
- notificationHandlerInvoker.alter_sentry_role_delete_users(commitContext, request, response);
- } catch (SentryNoSuchObjectException e) {
- String msg = "Role: " + request + " does not exist.";
- LOGGER.error(msg, e);
- response.setStatus(Status.NoSuchObject(msg, e));
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
-
- try {
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf).toJsonFormatLog());
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error creating audit log for delete role from user: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return response;
- }
-
- @Override
- public TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(
- TAlterSentryRoleDeleteGroupsRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.revokeRoleTimer.time();
- TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
- try {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(),
- getRequestorGroups(request.getRequestorUserName()));
- CommitContext commitContext = sentryStore.alterSentryRoleDeleteGroups(request.getRoleName(),
- request.getGroups());
- response.setStatus(Status.OK());
- notificationHandlerInvoker.alter_sentry_role_delete_groups(commitContext,
- request, response);
- for (SentryPolicyStorePlugin plugin : sentryPlugins) {
- plugin.onAlterSentryRoleDeleteGroups(request);
- }
- } catch (SentryNoSuchObjectException e) {
- String msg = "Role: " + request + " does not exist.";
- LOGGER.error(msg, e);
- response.setStatus(Status.NoSuchObject(msg, e));
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error adding groups to role: " + request;
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
-
- try {
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, response, conf).toJsonFormatLog());
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error creating audit log for delete role from group: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return response;
- }
-
- @Override
- public TListSentryRolesResponse list_sentry_roles_by_group(
- TListSentryRolesRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.listRolesByGroupTimer.time();
- TListSentryRolesResponse response = new TListSentryRolesResponse();
- TSentryResponseStatus status;
- Set<TSentryRole> roleSet = new HashSet<TSentryRole>();
- String subject = request.getRequestorUserName();
- boolean checkAllGroups = false;
- try {
- validateClientVersion(request.getProtocol_version());
- Set<String> groups = getRequestorGroups(subject);
- // Don't check admin permissions for listing requestor's own roles
- if (AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
- checkAllGroups = true;
- } else {
- boolean admin = inAdminGroups(groups);
- //Only admin users can list all roles in the system ( groupname = null)
- //Non admin users are only allowed to list only groups which they belong to
- if(!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) {
- throw new SentryAccessDeniedException("Access denied to " + subject);
- }else {
- groups.clear();
- groups.add(request.getGroupName());
- }
- }
- roleSet = sentryStore.getTSentryRolesByGroupName(groups, checkAllGroups);
- response.setRoles(roleSet);
- response.setStatus(Status.OK());
- } catch (SentryNoSuchObjectException e) {
- response.setRoles(roleSet);
- String msg = "Request: " + request + " couldn't be completed, message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.NoSuchObject(msg, e));
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
- return response;
- }
-
- public TListSentryRolesResponse list_sentry_roles_by_user(TListSentryRolesForUserRequest request)
- throws TException {
- final Timer.Context timerContext = sentryMetrics.listRolesByGroupTimer.time();
- TListSentryRolesResponse response = new TListSentryRolesResponse();
- TSentryResponseStatus status;
- Set<TSentryRole> roleSet = new HashSet<TSentryRole>();
- String requestor = request.getRequestorUserName();
- String userName = request.getUserName();
- boolean checkAllGroups = false;
- try {
- validateClientVersion(request.getProtocol_version());
- // userName can't be empty
- if (StringUtils.isEmpty(userName)) {
- throw new SentryAccessDeniedException("The user name can't be empty.");
- }
-
- Set<String> requestorGroups = getRequestorGroups(requestor);
- Set<String> userGroups = getRequestorGroups(userName);
- boolean isAdmin = inAdminGroups(requestorGroups);
-
- // Only admin users can list other user's roles in the system
- // Non admin users are only allowed to list only their own roles related user and group
- if (!isAdmin && !userName.equals(requestor)) {
- throw new SentryAccessDeniedException("Access denied to list the roles for " + userName);
- }
- roleSet = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(userName));
- response.setRoles(roleSet);
- response.setStatus(Status.OK());
- } catch (SentryGroupNotFoundException e) {
- LOGGER.error(e.getMessage(), e);
- String msg = "Group couldn't be retrieved for " + requestor + " or " + userName + ".";
- response.setStatus(Status.AccessDenied(msg, e));
- } catch (SentryNoSuchObjectException e) {
- response.setRoles(roleSet);
- String msg = "Role: " + request + " couldn't be retrieved.";
- LOGGER.error(msg, e);
- response.setStatus(Status.NoSuchObject(msg, e));
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
- return response;
- }
-
- @Override
- public TListSentryPrivilegesResponse list_sentry_privileges_by_role(
- TListSentryPrivilegesRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.listPrivilegesByRoleTimer.time();
- TListSentryPrivilegesResponse response = new TListSentryPrivilegesResponse();
- TSentryResponseStatus status;
- Set<TSentryPrivilege> privilegeSet = new HashSet<TSentryPrivilege>();
- String subject = request.getRequestorUserName();
- try {
- validateClientVersion(request.getProtocol_version());
- Set<String> groups = getRequestorGroups(subject);
- Boolean admin = inAdminGroups(groups);
- if(!admin) {
- Set<String> roleNamesForGroups = toTrimedLower(sentryStore.getRoleNamesForGroups(groups));
- if(!roleNamesForGroups.contains(request.getRoleName().trim().toLowerCase())) {
- throw new SentryAccessDeniedException("Access denied to " + subject);
- }
- }
- if (request.isSetAuthorizableHierarchy()) {
- TSentryAuthorizable authorizableHierarchy = request.getAuthorizableHierarchy();
- privilegeSet = sentryStore.getTSentryPrivileges(Sets.newHashSet(request.getRoleName()), authorizableHierarchy);
- } else {
- privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(request.getRoleName());
- }
- response.setPrivileges(privilegeSet);
- response.setStatus(Status.OK());
- } catch (SentryNoSuchObjectException e) {
- response.setPrivileges(privilegeSet);
- String msg = "Privilege: " + request + " couldn't be retrieved.";
- LOGGER.error(msg, e);
- response.setStatus(Status.NoSuchObject(msg, e));
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
- return response;
- }
-
- /**
- * This method was created specifically for ProviderBackend.getPrivileges() and is not meant
- * to be used for general privilege retrieval. More details in the .thrift file.
- */
- @Override
- public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(
- TListSentryPrivilegesForProviderRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.listPrivilegesForProviderTimer.time();
- TListSentryPrivilegesForProviderResponse response = new TListSentryPrivilegesForProviderResponse();
- response.setPrivileges(new HashSet<String>());
- try {
- validateClientVersion(request.getProtocol_version());
- Set<String> privilegesForProvider =
- sentryStore.listSentryPrivilegesForProvider(request.getGroups(), request.getUsers(),
- request.getRoleSet(), request.getAuthorizableHierarchy());
- response.setPrivileges(privilegesForProvider);
- if (privilegesForProvider == null
- || privilegesForProvider.size() == 0
- && request.getAuthorizableHierarchy() != null
- && sentryStore.hasAnyServerPrivileges(request.getGroups(), request.getUsers(),
- request.getRoleSet(), request.getAuthorizableHierarchy().getServer())) {
-
- // REQUIRED for ensuring 'default' Db is accessible by any user
- // with privileges to atleast 1 object with the specific server as root
-
- // Need some way to specify that even though user has no privilege
- // For the specific AuthorizableHierarchy.. he has privilege on
- // atleast 1 object in the server hierarchy
- HashSet<String> serverPriv = Sets.newHashSet("server=+");
- response.setPrivileges(serverPriv);
- }
- response.setStatus(Status.OK());
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
- return response;
- }
-
- // retrieve the group mapping for the given user name
- private Set<String> getRequestorGroups(String userName)
- throws SentryUserException {
- return getGroupsFromUserName(this.conf, userName);
- }
-
- public static Set<String> getGroupsFromUserName(Configuration conf,
- String userName) throws SentryUserException {
- String groupMapping = conf.get(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
- ServerConfig.SENTRY_STORE_GROUP_MAPPING_DEFAULT);
- String authResoruce = conf
- .get(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE);
-
- // load the group mapping provider class
- GroupMappingService groupMappingService;
- try {
- Constructor<?> constrctor = Class.forName(groupMapping)
- .getDeclaredConstructor(Configuration.class, String.class);
- constrctor.setAccessible(true);
- groupMappingService = (GroupMappingService) constrctor
- .newInstance(new Object[] { conf, authResoruce });
- } catch (NoSuchMethodException e) {
- throw new SentryUserException("Unable to instantiate group mapping", e);
- } catch (SecurityException e) {
- throw new SentryUserException("Unable to instantiate group mapping", e);
- } catch (ClassNotFoundException e) {
- throw new SentryUserException("Unable to instantiate group mapping", e);
- } catch (InstantiationException e) {
- throw new SentryUserException("Unable to instantiate group mapping", e);
- } catch (IllegalAccessException e) {
- throw new SentryUserException("Unable to instantiate group mapping", e);
- } catch (IllegalArgumentException e) {
- throw new SentryUserException("Unable to instantiate group mapping", e);
- } catch (InvocationTargetException e) {
- throw new SentryUserException("Unable to instantiate group mapping", e);
- }
- return groupMappingService.getGroups(userName);
- }
-
- @Override
- public TDropPrivilegesResponse drop_sentry_privilege(
- TDropPrivilegesRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.dropPrivilegeTimer.time();
- TDropPrivilegesResponse response = new TDropPrivilegesResponse();
- try {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(), adminGroups);
- sentryStore.dropPrivilege(request.getAuthorizable());
- for (SentryPolicyStorePlugin plugin : sentryPlugins) {
- plugin.onDropSentryPrivilege(request);
- }
- response.setStatus(Status.OK());
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: "
- + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
- return response;
- }
-
- @Override
- public TRenamePrivilegesResponse rename_sentry_privilege(
- TRenamePrivilegesRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.renamePrivilegeTimer.time();
- TRenamePrivilegesResponse response = new TRenamePrivilegesResponse();
- try {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(), adminGroups);
- sentryStore.renamePrivilege(request.getOldAuthorizable(),
- request.getNewAuthorizable());
- for (SentryPolicyStorePlugin plugin : sentryPlugins) {
- plugin.onRenameSentryPrivilege(request);
- }
- response.setStatus(Status.OK());
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: "
- + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.close();
- }
- return response;
- }
-
- @Override
- public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(
- TListSentryPrivilegesByAuthRequest request) throws TException {
- final Timer.Context timerContext = sentryMetrics.listPrivilegesByAuthorizableTimer.time();
- TListSentryPrivilegesByAuthResponse response = new TListSentryPrivilegesByAuthResponse();
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authRoleMap = Maps.newHashMap();
- String subject = request.getRequestorUserName();
- Set<String> requestedGroups = request.getGroups();
- TSentryActiveRoleSet requestedRoleSet = request.getRoleSet();
- try {
- validateClientVersion(request.getProtocol_version());
- Set<String> memberGroups = getRequestorGroups(subject);
- if(!inAdminGroups(memberGroups)) {
- // disallow non-admin to lookup groups that they are not part of
- if (requestedGroups != null && !requestedGroups.isEmpty()) {
- for (String requestedGroup : requestedGroups) {
- if (!memberGroups.contains(requestedGroup)) {
- // if user doesn't belong to one of the requested group then raise error
- throw new SentryAccessDeniedException("Access denied to " + subject);
- }
- }
- } else {
- // non-admin's search is limited to it's own groups
- requestedGroups = memberGroups;
- }
-
- // disallow non-admin to lookup roles that they are not part of
- if (requestedRoleSet != null && !requestedRoleSet.isAll()) {
- Set<String> roles = toTrimedLower(sentryStore
- .getRoleNamesForGroups(memberGroups));
- for (String role : toTrimedLower(requestedRoleSet.getRoles())) {
- if (!roles.contains(role)) {
- throw new SentryAccessDeniedException("Access denied to "
- + subject);
- }
- }
- }
- }
-
- // If user is not part of any group.. return empty response
- for (TSentryAuthorizable authorizable : request.getAuthorizableSet()) {
- authRoleMap.put(authorizable, sentryStore
- .listSentryPrivilegesByAuthorizable(requestedGroups,
- request.getRoleSet(), authorizable, inAdminGroups(memberGroups)));
- }
- response.setPrivilegesMapByAuth(authRoleMap);
- response.setStatus(Status.OK());
- // TODO : Sentry - HDFS : Have to handle this
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: "
- + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- } finally {
- timerContext.stop();
- }
- return response;
- }
-
- /**
- * Respond to a request for a config value in the sentry server. The client
- * can request any config value that starts with "sentry." and doesn't contain
- * "keytab".
- * @param request Contains config parameter sought and default if not found
- * @return The response, containing the value and status
- * @throws TException
- */
- @Override
- public TSentryConfigValueResponse get_sentry_config_value(
- TSentryConfigValueRequest request) throws TException {
-
- final String requirePattern = "^sentry\\..*";
- final String excludePattern = ".*keytab.*|.*\\.jdbc\\..*|.*password.*";
-
- TSentryConfigValueResponse response = new TSentryConfigValueResponse();
- String attr = request.getPropertyName();
-
- try {
- validateClientVersion(request.getProtocol_version());
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- }
- // Only allow config parameters like...
- if (!Pattern.matches(requirePattern, attr) ||
- Pattern.matches(excludePattern, attr)) {
- String msg = "Attempted access of the configuration property " + attr +
- " was denied";
- LOGGER.error(msg);
- response.setStatus(Status.AccessDenied(msg,
- new SentryAccessDeniedException(msg)));
- return response;
- }
-
- response.setValue(conf.get(attr,request.getDefaultValue()));
- response.setStatus(Status.OK());
- return response;
- }
-
- @VisibleForTesting
- static void validateClientVersion(int protocolVersion) throws SentryThriftAPIMismatchException {
- if (ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT != protocolVersion) {
- String msg = "Sentry thrift API protocol version mismatch: Client thrift version " +
- "is: " + protocolVersion + " , server thrift verion " +
- "is " + ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT;
- throw new SentryThriftAPIMismatchException(msg);
- }
- }
-
- // get the sentry mapping data and return the data with map structure
- @Override
- public TSentryExportMappingDataResponse export_sentry_mapping_data(
- TSentryExportMappingDataRequest request) throws TException {
- TSentryExportMappingDataResponse response = new TSentryExportMappingDataResponse();
- try {
- String requestor = request.getRequestorUserName();
- Set<String> memberGroups = getRequestorGroups(requestor);
- String objectPath = request.getObjectPath();
- String databaseName = null;
- String tableName = null;
-
- Map<String, String> objectMap =
- SentryServiceUtil.parseObjectPath(objectPath);
- databaseName = objectMap.get(PolicyFileConstants.PRIVILEGE_DATABASE_NAME);
- tableName = objectMap.get(PolicyFileConstants.PRIVILEGE_TABLE_NAME);
-
- if (!inAdminGroups(memberGroups)) {
- // disallow non-admin to import the metadata of sentry
- throw new SentryAccessDeniedException("Access denied to " + requestor
- + " for export the metadata of sentry.");
- }
- TSentryMappingData tSentryMappingData = new TSentryMappingData();
- Map<String, Set<TSentryPrivilege>> rolePrivileges =
- sentryStore.getRoleNameTPrivilegesMap(databaseName, tableName);
- tSentryMappingData.setRolePrivilegesMap(rolePrivileges);
- Set<String> roleNames = rolePrivileges.keySet();
- // roleNames should be null if databaseName == null and tableName == null
- if (databaseName == null && tableName == null) {
- roleNames = null;
- }
- List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(
- roleNames);
- tSentryMappingData.setGroupRolesMap(mapList.get(
- SentryStore.INDEX_GROUP_ROLES_MAP));
- tSentryMappingData.setUserRolesMap(mapList.get(SentryStore.INDEX_USER_ROLES_MAP));
-
- response.setMappingData(tSentryMappingData);
- response.setStatus(Status.OK());
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setMappingData(new TSentryMappingData());
- response.setStatus(Status.RuntimeError(msg, e));
- }
- return response;
- }
-
- // import the sentry mapping data
- @Override
- public TSentryImportMappingDataResponse import_sentry_mapping_data(
- TSentryImportMappingDataRequest request) throws TException {
- TSentryImportMappingDataResponse response = new TSentryImportMappingDataResponse();
- try {
- String requestor = request.getRequestorUserName();
- Set<String> memberGroups = getRequestorGroups(requestor);
- if (!inAdminGroups(memberGroups)) {
- // disallow non-admin to import the metadata of sentry
- throw new SentryAccessDeniedException("Access denied to " + requestor
- + " for import the metadata of sentry.");
- }
- sentryStore.importSentryMetaData(request.getMappingData(), request.isOverwriteRole());
- response.setStatus(Status.OK());
- } catch (SentryInvalidInputException e) {
- String msg = "Invalid input privilege object";
- LOGGER.error(msg, e);
- response.setStatus(Status.InvalidInput(msg, e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- }
- return response;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
deleted file mode 100644
index 691c1fb..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.service.thrift.ProcessorFactory;
-import org.apache.thrift.TMultiplexedProcessor;
-import org.apache.thrift.TProcessor;
-
-public class SentryPolicyStoreProcessorFactory extends ProcessorFactory {
- public SentryPolicyStoreProcessorFactory(Configuration conf) {
- super(conf);
- }
-
- public boolean register(TMultiplexedProcessor multiplexedProcessor) throws Exception {
- SentryPolicyStoreProcessor sentryServiceHandler =
- new SentryPolicyStoreProcessor(SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME,
- conf);
- TProcessor processor =
- new SentryProcessorWrapper<SentryPolicyService.Iface>(sentryServiceHandler);
- multiplexedProcessor.registerProcessor(SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME, processor);
- return true;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
deleted file mode 100644
index a5f11a9..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.apache.thrift.TException;
-import org.apache.thrift.protocol.TProtocol;
-
-public class SentryProcessorWrapper<I extends SentryPolicyService.Iface> extends
- SentryPolicyService.Processor<SentryPolicyService.Iface> {
-
- public SentryProcessorWrapper(I iface) {
- super(iface);
- }
-
- @Override
- public boolean process(TProtocol in, TProtocol out) throws TException {
- ThriftUtil.setIpAddress(in);
- ThriftUtil.setImpersonator(in);
- return super.process(in, out);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
deleted file mode 100644
index a42f395..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
+++ /dev/null
@@ -1,184 +0,0 @@
-package org.apache.sentry.provider.db.service.thrift;
-
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-import com.codahale.metrics.servlets.AdminServlet;
-import com.google.common.base.Preconditions;
-
-import java.io.IOException;
-import java.util.EnumSet;
-import java.net.URL;
-import java.util.EventListener;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import com.google.common.base.Splitter;
-import com.google.common.base.Strings;
-import com.google.common.collect.Sets;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.eclipse.jetty.server.DispatcherType;
-import org.eclipse.jetty.server.Handler;
-import org.eclipse.jetty.server.handler.ContextHandler;
-import org.eclipse.jetty.server.handler.ContextHandlerCollection;
-import org.eclipse.jetty.server.handler.ResourceHandler;
-import org.eclipse.jetty.server.nio.SelectChannelConnector;
-import org.eclipse.jetty.server.Server;
-import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
-import org.eclipse.jetty.servlet.FilterHolder;
-import org.eclipse.jetty.servlet.ServletContextHandler;
-import org.eclipse.jetty.servlet.ServletHolder;
-import org.eclipse.jetty.util.resource.Resource;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class SentryWebServer {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryWebServer.class);
- private static final String RESOURCE_DIR = "/webapp";
- private static final String WELCOME_PAGE = "SentryService.html";
-
- private Server server;
-
- public SentryWebServer(List<EventListener> listeners, int port, Configuration conf) {
- server = new Server();
-
- // Create a channel connector for "http/https" requests
- SelectChannelConnector connector = new SelectChannelConnector();
- if (conf.getBoolean(ServerConfig.SENTRY_WEB_USE_SSL, false)) {
- SslContextFactory sslContextFactory = new SslContextFactory();
- sslContextFactory.setKeyStorePath(conf.get(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH, ""));
- sslContextFactory.setKeyStorePassword(
- conf.get(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, ""));
- // Exclude SSL blacklist protocols
- sslContextFactory.setExcludeProtocols(ServerConfig.SENTRY_SSL_PROTOCOL_BLACKLIST_DEFAULT);
- Set<String> moreExcludedSSLProtocols =
- Sets.newHashSet(Splitter.on(",").trimResults().omitEmptyStrings()
- .split(Strings.nullToEmpty(conf.get(ServerConfig.SENTRY_SSL_PROTOCOL_BLACKLIST))));
- sslContextFactory.addExcludeProtocols(moreExcludedSSLProtocols.toArray(
- new String[moreExcludedSSLProtocols.size()]));
- connector = new SslSelectChannelConnector(sslContextFactory);
- LOGGER.info("Now using SSL mode.");
- }
-
- connector.setPort(port);
- server.addConnector(connector);
-
- ServletContextHandler servletContextHandler = new ServletContextHandler();
- ServletHolder servletHolder = new ServletHolder(AdminServlet.class);
- servletContextHandler.addServlet(servletHolder, "/*");
-
- for(EventListener listener:listeners) {
- servletContextHandler.addEventListener(listener);
- }
-
- ServletHolder confServletHolder = new ServletHolder(ConfServlet.class);
- servletContextHandler.addServlet(confServletHolder, "/conf");
- servletContextHandler.getServletContext()
- .setAttribute(ConfServlet.CONF_CONTEXT_ATTRIBUTE, conf);
-
- ResourceHandler resourceHandler = new ResourceHandler();
- resourceHandler.setDirectoriesListed(true);
- URL url = this.getClass().getResource(RESOURCE_DIR);
- try {
- resourceHandler.setBaseResource(Resource.newResource(url.toString()));
- } catch (IOException e) {
- LOGGER.error("Got exception while setBaseResource for Sentry Service web UI", e);
- }
- resourceHandler.setWelcomeFiles(new String[]{WELCOME_PAGE});
- ContextHandler contextHandler= new ContextHandler();
- contextHandler.setHandler(resourceHandler);
-
- ContextHandlerCollection contextHandlerCollection = new ContextHandlerCollection();
- contextHandlerCollection.setHandlers(new Handler[]{contextHandler, servletContextHandler});
-
- String authMethod = conf.get(ServerConfig.SENTRY_WEB_SECURITY_TYPE);
- if (!ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE.equals(authMethod)) {
- /**
- * SentryAuthFilter is a subclass of AuthenticationFilter and
- * AuthenticationFilter tagged as private and unstable interface:
- * While there are not guarantees that this interface will not change,
- * it is fairly stable and used by other projects (ie - Oozie)
- */
- FilterHolder filterHolder = servletContextHandler.addFilter(SentryAuthFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));
- filterHolder.setInitParameters(loadWebAuthenticationConf(conf));
- }
-
- server.setHandler(contextHandlerCollection);
- }
-
- public void start() throws Exception{
- server.start();
- }
- public void stop() throws Exception{
- server.stop();
- }
- public boolean isAlive() {
- return server != null && server.isStarted();
- }
- private static Map<String, String> loadWebAuthenticationConf(Configuration conf) {
- Map<String,String> prop = new HashMap<String, String>();
- prop.put(AuthenticationFilter.CONFIG_PREFIX, ServerConfig.SENTRY_WEB_SECURITY_PREFIX);
- String allowUsers = conf.get(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS);
- if (allowUsers == null || allowUsers.equals("")) {
- allowUsers = conf.get(ServerConfig.ALLOW_CONNECT);
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS, allowUsers);
- }
- validateConf(conf);
- for (Map.Entry<String, String> entry : conf) {
- String name = entry.getKey();
- if (name.startsWith(ServerConfig.SENTRY_WEB_SECURITY_PREFIX)) {
- String value = conf.get(name);
- prop.put(name, value);
- }
- }
- return prop;
- }
-
- private static void validateConf(Configuration conf) {
- String authHandlerName = conf.get(ServerConfig.SENTRY_WEB_SECURITY_TYPE);
- Preconditions.checkNotNull(authHandlerName, "Web authHandler should not be null.");
- String allowUsers = conf.get(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS);
- Preconditions.checkNotNull(allowUsers, "Allow connect user(s) should not be null.");
- if (ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS.equalsIgnoreCase(authHandlerName)) {
- String principal = conf.get(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL);
- Preconditions.checkNotNull(principal, "Kerberos principal should not be null.");
- Preconditions.checkArgument(principal.length() != 0, "Kerberos principal is not right.");
- String keytabFile = conf.get(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB);
- Preconditions.checkNotNull(keytabFile, "Keytab File should not be null.");
- Preconditions.checkArgument(keytabFile.length() != 0, "Keytab File is not right.");
- try {
- UserGroupInformation.setConfiguration(conf);
- String hostPrincipal = SecurityUtil.getServerPrincipal(principal, ServerConfig.RPC_ADDRESS_DEFAULT);
- UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytabFile);
- } catch (IOException ex) {
- throw new IllegalArgumentException("Can't use Kerberos authentication, principal ["
- + principal + "] keytab [" + keytabFile + "]", ex);
- }
- LOGGER.info("Using Kerberos authentication, principal ["
- + principal + "] keytab [" + keytabFile + "]");
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java
deleted file mode 100644
index 3a96d0b..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java
+++ /dev/null
@@ -1,112 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.apache.thrift.protocol.TProtocol;
-import org.apache.thrift.transport.TSaslClientTransport;
-import org.apache.thrift.transport.TSaslServerTransport;
-import org.apache.thrift.transport.TSocket;
-import org.apache.thrift.transport.TTransport;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Preconditions;
-
-public final class ThriftUtil {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(ThriftUtil.class);
-
- public static void setImpersonator(final TProtocol in) {
- try {
- TTransport transport = in.getTransport();
- if (transport instanceof TSaslServerTransport) {
- String impersonator = ((TSaslServerTransport) transport).getSaslServer()
- .getAuthorizationID();
- setImpersonator(impersonator);
- }
- } catch (Exception e) {
- // If there has exception when get impersonator info, log the error information.
- LOGGER.warn("There is an error when get the impersonator:" + e.getMessage());
- }
- }
-
- public static void setIpAddress(final TProtocol in) {
- try {
- TTransport transport = in.getTransport();
- TSocket tSocket = getUnderlyingSocketFromTransport(transport);
- if (tSocket != null) {
- setIpAddress(tSocket.getSocket().getInetAddress().toString());
- } else {
- LOGGER.warn("Unknown Transport, cannot determine ipAddress");
- }
- } catch (Exception e) {
- // If there has exception when get impersonator info, log the error information.
- LOGGER.warn("There is an error when get the client's ip address:" + e.getMessage());
- }
- }
-
- /**
- * Returns the underlying TSocket from the transport, or null of the transport type is unknown.
- */
- private static TSocket getUnderlyingSocketFromTransport(TTransport transport) {
- Preconditions.checkNotNull(transport);
- if (transport instanceof TSaslServerTransport) {
- return (TSocket) ((TSaslServerTransport) transport).getUnderlyingTransport();
- } else if (transport instanceof TSaslClientTransport) {
- return (TSocket) ((TSaslClientTransport) transport).getUnderlyingTransport();
- } else if (transport instanceof TSocket) {
- return (TSocket) transport;
- }
- return null;
- }
-
- private static ThreadLocal<String> threadLocalIpAddress = new ThreadLocal<String>() {
- @Override
- protected synchronized String initialValue() {
- return "";
- }
- };
-
- public static void setIpAddress(String ipAddress) {
- threadLocalIpAddress.set(ipAddress);
- }
-
- public static String getIpAddress() {
- return threadLocalIpAddress.get();
- }
-
- private static ThreadLocal<String> threadLocalImpersonator = new ThreadLocal<String>() {
- @Override
- protected synchronized String initialValue() {
- return "";
- }
- };
-
- public static void setImpersonator(String impersonator) {
- threadLocalImpersonator.set(impersonator);
- }
-
- public static String getImpersonator() {
- return threadLocalImpersonator.get();
- }
-
- private ThriftUtil() {
- // Make constructor private to avoid instantiation
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaHelper.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaHelper.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaHelper.java
deleted file mode 100644
index cf1c725..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaHelper.java
+++ /dev/null
@@ -1,315 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools;
-
-import java.util.IllegalFormatException;
-
-public final class SentrySchemaHelper {
- public static final String DB_DERBY = "derby";
- public static final String DB_MYSQL = "mysql";
- public static final String DB_POSTGRACE = "postgres";
- public static final String DB_ORACLE = "oracle";
- public static final String DB_DB2 = "db2";
-
- public interface NestedScriptParser {
-
- public enum CommandType {
- PARTIAL_STATEMENT,
- TERMINATED_STATEMENT,
- COMMENT
- }
-
- String DEFAUTL_DELIMITER = ";";
- /***
- * Find the type of given command
- * @param dbCommand
- * @return
- */
- boolean isPartialCommand(String dbCommand) throws IllegalArgumentException;
-
- /** Parse the DB specific nesting format and extract the inner script name if any
- * @param dbCommand command from parent script
- * @return
- * @throws IllegalFormatException
- */
- String getScriptName(String dbCommand) throws IllegalArgumentException;
-
- /***
- * Find if the given command is a nested script execution
- * @param dbCommand
- * @return
- */
- boolean isNestedScript(String dbCommand);
-
- /***
- * Find if the given command is should be passed to DB
- * @param dbCommand
- * @return
- */
- boolean isNonExecCommand(String dbCommand);
-
- /***
- * Get the SQL statement delimiter
- * @return
- */
- String getDelimiter();
-
- /***
- * Clear any client specific tags
- * @return
- */
- String cleanseCommand(String dbCommand);
-
- /***
- * Does the DB required table/column names quoted
- * @return
- */
- boolean needsQuotedIdentifier();
-
- /***
- * Set DB specific options if any
- * @param dbOps
- */
- void setDbOpts(String dbOps);
- }
-
-
- /***
- * Base implemenation of NestedScriptParser
- * abstractCommandParser.
- *
- */
- private static abstract class AbstractCommandParser implements NestedScriptParser {
- private String dbOpts = null;
-
- @Override
- public boolean isPartialCommand(String dbCommand) throws IllegalArgumentException{
- if (dbCommand == null || dbCommand.isEmpty()) {
- throw new IllegalArgumentException("invalid command line " + dbCommand);
- }
- String trimmedDbCommand = dbCommand.trim();
- return !(trimmedDbCommand.endsWith(getDelimiter()) || isNonExecCommand(trimmedDbCommand));
- }
-
- @Override
- public boolean isNonExecCommand(String dbCommand) {
- return dbCommand.startsWith("--") || dbCommand.startsWith("#");
- }
-
- @Override
- public String getDelimiter() {
- return DEFAUTL_DELIMITER;
- }
-
- @Override
- public String cleanseCommand(String dbCommand) {
- // strip off the delimiter
- if (dbCommand.endsWith(getDelimiter())) {
- dbCommand = dbCommand.substring(0,
- dbCommand.length() - getDelimiter().length());
- }
- return dbCommand;
- }
-
- @Override
- public boolean needsQuotedIdentifier() {
- return false;
- }
-
- @Override
- public void setDbOpts(String dbOpts) {
- this.dbOpts = dbOpts;
- }
-
- protected String getDbOpts() {
- return dbOpts;
- }
- }
-
-
- // Derby commandline parser
- public static class DerbyCommandParser extends AbstractCommandParser {
- private static final String DERBY_NESTING_TOKEN = "RUN";
-
- @Override
- public String getScriptName(String dbCommand) throws IllegalArgumentException {
-
- if (!isNestedScript(dbCommand)) {
- throw new IllegalArgumentException("Not a script format " + dbCommand);
- }
- String[] tokens = dbCommand.split(" ");
- if (tokens.length != 2) {
- throw new IllegalArgumentException("Couldn't parse line " + dbCommand);
- }
- return tokens[1].replace(";", "").replaceAll("'", "");
- }
-
- @Override
- public boolean isNestedScript(String dbCommand) {
- // Derby script format is RUN '<file>'
- return dbCommand.startsWith(DERBY_NESTING_TOKEN);
- }
- }
-
-
- // MySQL parser
- public static class MySqlCommandParser extends AbstractCommandParser {
- private static final String MYSQL_NESTING_TOKEN = "SOURCE";
- private static final String DELIMITER_TOKEN = "DELIMITER";
- private String delimiter = DEFAUTL_DELIMITER;
-
- @Override
- public boolean isPartialCommand(String dbCommand) throws IllegalArgumentException{
- boolean isPartial = super.isPartialCommand(dbCommand);
- // if this is a delimiter directive, reset our delimiter
- if (dbCommand.startsWith(DELIMITER_TOKEN)) {
- String[] tokens = dbCommand.split(" ");
- if (tokens.length != 2) {
- throw new IllegalArgumentException("Couldn't parse line " + dbCommand);
- }
- delimiter = tokens[1];
- }
- return isPartial;
- }
-
- @Override
- public String getScriptName(String dbCommand) throws IllegalArgumentException {
- String[] tokens = dbCommand.split(" ");
- if (tokens.length != 2) {
- throw new IllegalArgumentException("Couldn't parse line " + dbCommand);
- }
- // remove ending ';'
- return tokens[1].replace(";", "");
- }
-
- @Override
- public boolean isNestedScript(String dbCommand) {
- return dbCommand.startsWith(MYSQL_NESTING_TOKEN);
- }
-
- @Override
- public String getDelimiter() {
- return delimiter;
- }
-
- @Override
- public boolean isNonExecCommand(String dbCommand) {
- return super.isNonExecCommand(dbCommand) ||
- dbCommand.startsWith("/*") && dbCommand.endsWith("*/") ||
- dbCommand.startsWith(DELIMITER_TOKEN);
- }
-
- @Override
- public String cleanseCommand(String dbCommand) {
- return super.cleanseCommand(dbCommand).replaceAll("/\\*.*?\\*/[^;]", "");
- }
-
- }
-
- // Postgres specific parser
- public static class PostgresCommandParser extends AbstractCommandParser {
- public static final String POSTGRES_STRING_COMMAND_FILTER = "SET standard_conforming_strings";
- public static final String POSTGRES_STRING_CLIENT_ENCODING = "SET client_encoding";
- public static final String POSTGRES_SKIP_STANDARD_STRING = "postgres.filter.81";
- private static final String POSTGRES_NESTING_TOKEN = "\\i";
-
- @Override
- public String getScriptName(String dbCommand) throws IllegalArgumentException {
- String[] tokens = dbCommand.split(" ");
- if (tokens.length != 2) {
- throw new IllegalArgumentException("Couldn't parse line " + dbCommand);
- }
- // remove ending ';'
- return tokens[1].replace(";", "");
- }
-
- @Override
- public boolean isNestedScript(String dbCommand) {
- return dbCommand.startsWith(POSTGRES_NESTING_TOKEN);
- }
-
- @Override
- public boolean needsQuotedIdentifier() {
- return true;
- }
-
- @Override
- public boolean isNonExecCommand(String dbCommand) {
- // Skip "standard_conforming_strings" command which is not supported in older postgres
- if (POSTGRES_SKIP_STANDARD_STRING.equalsIgnoreCase(getDbOpts())
- && (dbCommand.startsWith(POSTGRES_STRING_COMMAND_FILTER) || dbCommand.startsWith(POSTGRES_STRING_CLIENT_ENCODING))) {
- return true;
- }
- return super.isNonExecCommand(dbCommand);
- }
- }
-
- //Oracle specific parser
- public static class OracleCommandParser extends AbstractCommandParser {
- private static final String ORACLE_NESTING_TOKEN = "@";
- @Override
- public String getScriptName(String dbCommand) throws IllegalArgumentException {
- if (!isNestedScript(dbCommand)) {
- throw new IllegalArgumentException("Not a nested script format " + dbCommand);
- }
- // remove ending ';' and starting '@'
- return dbCommand.replace(";", "").replace(ORACLE_NESTING_TOKEN, "");
- }
-
- @Override
- public boolean isNestedScript(String dbCommand) {
- return dbCommand.startsWith(ORACLE_NESTING_TOKEN);
- }
- }
-
- // DB2 commandline parser
- public static class DB2CommandParser extends AbstractCommandParser {
-
- @Override
- public String getScriptName(String dbCommand) throws IllegalArgumentException {
- //DB2 does not support nesting script
- throw new IllegalArgumentException("DB2 does not support nesting script " + dbCommand);
- }
-
- @Override
- public boolean isNestedScript(String dbCommand) {
- //DB2 does not support nesting script
- return false;
- }
- }
-
- public static NestedScriptParser getDbCommandParser(String dbName) {
- if (dbName.equalsIgnoreCase(DB_DERBY)) {
- return new DerbyCommandParser();
- } else if (dbName.equalsIgnoreCase(DB_MYSQL)) {
- return new MySqlCommandParser();
- } else if (dbName.equalsIgnoreCase(DB_POSTGRACE)) {
- return new PostgresCommandParser();
- } else if (dbName.equalsIgnoreCase(DB_ORACLE)) {
- return new OracleCommandParser();
- } else if (dbName.equalsIgnoreCase(DB_DB2)) {
- return new DB2CommandParser();
- } else {
- throw new IllegalArgumentException("Unknown dbType " + dbName);
- }
- }
-
- private SentrySchemaHelper() {
- // Make constructor private to avoid instantiation
- }
-}
[14/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.5.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.5.0.sql
new file mode 100644
index 0000000..d5d2e0a
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.5.0.sql
@@ -0,0 +1,192 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+CREATE TABLE `SENTRY_DB_PRIVILEGE` (
+ `DB_PRIVILEGE_ID` BIGINT NOT NULL,
+ `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `COLUMN_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `WITH_GRANT_OPTION` CHAR(1) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_GROUP` (
+ `GROUP_ID` BIGINT NOT NULL,
+ `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `DB_PRIVILEGE_ID` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `GROUP_ID` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
+ `VER_ID` BIGINT NOT NULL,
+ `SCHEMA_VERSION` VARCHAR(127) NOT NULL,
+ `VERSION_COMMENT` VARCHAR(255) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD CONSTRAINT `SENTRY_DB_PRIV_PK` PRIMARY KEY (`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE`
+ ADD CONSTRAINT `SENTRY_ROLE_PK` PRIMARY KEY (`ROLE_ID`);
+
+ALTER TABLE `SENTRY_GROUP`
+ ADD CONSTRAINT `SENTRY_GROUP_PK` PRIMARY KEY (`GROUP_ID`);
+
+ALTER TABLE `SENTRY_VERSION`
+ ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_COL_IDX` (`COLUMN_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_URI_IDX` (`URI`);
+
+ALTER TABLE `SENTRY_ROLE`
+ ADD CONSTRAINT `SENTRY_ROLE_ROLE_NAME_UNIQUE` UNIQUE (`ROLE_NAME`);
+
+ALTER TABLE `SENTRY_GROUP`
+ ADD CONSTRAINT `SENTRY_GRP_GRP_NAME_UNIQUE` UNIQUE (`GROUP_NAME`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_GROUP_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GROUP_ID`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK`
+ FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK`
+ FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`);
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.5.0', 'Sentry release version 1.5.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE `SENTRY_GM_PRIVILEGE`
+(
+ `GM_PRIVILEGE_ID` BIGINT NOT NULL,
+ `ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `WITH_GRANT_OPTION` CHAR(1) NOT NULL,
+ `RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD CONSTRAINT `SENTRY_GM_PRIVILEGE_PK` PRIMARY KEY (`GM_PRIVILEGE_ID`);
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE UNIQUE INDEX `GM_PRIVILEGE_INDEX` ON `SENTRY_GM_PRIVILEGE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+(
+ `ROLE_ID` BIGINT NOT NULL,
+ `GM_PRIVILEGE_ID` BIGINT NOT NULL
+) ENGINE=INNODB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GM_PRIVILEGE_ID`);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK`
+ FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`);
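Review bot: The session flags saved in the `/*!40014 ... */` and `/*!40101 ... */` lines at the top of the file are never restored: the script switches `UNIQUE_CHECKS=0`, `FOREIGN_KEY_CHECKS=0` and `SQL_MODE='NO_AUTO_VALUE_ON_ZERO'` into the session and then ends after the last `ADD CONSTRAINT` with no matching `SET ...=@OLD_...` block. Because these tables are the authorization store (role/group/privilege maps protected by `UNIQUE` and `FOREIGN KEY` constraints), anything executed later in the same connection — an upgrade script chained after this one, or an operator's manual fixup — would run with InnoDB not enforcing uniqueness on secondary indexes or referential integrity, so duplicate `ROLE_NAME`/`GROUP_NAME` rows or dangling map rows could be inserted silently. I cannot see from this diff how the schema tool drives the file, so whether the connection is reused is an inference, but the saved `@OLD_*` variables only make sense if they are restored. Append the standard restore block after the last constraint so the session leaves the script in the state it entered.
```sql
-- … unchanged: table, index and constraint definitions …
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
```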
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.6.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.6.0.sql
new file mode 100644
index 0000000..1c1bb94
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.6.0.sql
@@ -0,0 +1,193 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+CREATE TABLE `SENTRY_DB_PRIVILEGE` (
+ `DB_PRIVILEGE_ID` BIGINT NOT NULL,
+ `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `COLUMN_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `WITH_GRANT_OPTION` CHAR(1) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_GROUP` (
+ `GROUP_ID` BIGINT NOT NULL,
+ `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `DB_PRIVILEGE_ID` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `GROUP_ID` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
+ `VER_ID` BIGINT NOT NULL,
+ `SCHEMA_VERSION` VARCHAR(127) NOT NULL,
+ `VERSION_COMMENT` VARCHAR(255) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD CONSTRAINT `SENTRY_DB_PRIV_PK` PRIMARY KEY (`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE`
+ ADD CONSTRAINT `SENTRY_ROLE_PK` PRIMARY KEY (`ROLE_ID`);
+
+ALTER TABLE `SENTRY_GROUP`
+ ADD CONSTRAINT `SENTRY_GROUP_PK` PRIMARY KEY (`GROUP_ID`);
+
+ALTER TABLE `SENTRY_VERSION`
+ ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_COL_IDX` (`COLUMN_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_URI_IDX` (`URI`);
+
+ALTER TABLE `SENTRY_ROLE`
+ ADD CONSTRAINT `SENTRY_ROLE_ROLE_NAME_UNIQUE` UNIQUE (`ROLE_NAME`);
+
+ALTER TABLE `SENTRY_GROUP`
+ ADD CONSTRAINT `SENTRY_GRP_GRP_NAME_UNIQUE` UNIQUE (`GROUP_NAME`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_GROUP_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GROUP_ID`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK`
+ FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK`
+ FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`);
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.6.0', 'Sentry release version 1.6.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE `SENTRY_GM_PRIVILEGE`
+(
+ `GM_PRIVILEGE_ID` BIGINT NOT NULL,
+ `ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `WITH_GRANT_OPTION` CHAR(1) NOT NULL,
+ `RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD CONSTRAINT `SENTRY_GM_PRIVILEGE_PK` PRIMARY KEY (`GM_PRIVILEGE_ID`);
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD UNIQUE `GM_PRIVILEGE_UNIQUE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+(
+ `ROLE_ID` BIGINT NOT NULL,
+ `GM_PRIVILEGE_ID` BIGINT NOT NULL
+) ENGINE=INNODB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GM_PRIVILEGE_ID`);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK`
+ FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`);
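Review bot: The uniqueness rule for URI privileges is narrower than the column allows and this is undocumented: `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` is declared over `` `URI`(250) `` while `URI` is `VARCHAR(4000)`, so InnoDB enforces uniqueness on only the first 250 characters (presumably chosen to stay under the 767-byte key limit with 3-byte utf8). Two grants whose URIs share a 250-character prefix but differ after it therefore cannot coexist; the second `GRANT` fails with a duplicate-key error rather than being stored as a distinct privilege, which is a surprising failure mode for a policy store and is easy to hit with long HDFS paths. The same prefix is repeated in the 1.5.0 script; at minimum add a comment above the `ADD UNIQUE` line, e.g. `-- NOTE: uniqueness is checked on the first 250 characters of URI only (InnoDB key-length limit); grants whose URIs differ beyond that collide and the second one is rejected.` Whether callers already truncate or reject long URIs before reaching the store is not visible in this diff.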
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.7.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.7.0.sql
new file mode 100644
index 0000000..faff348
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.7.0.sql
@@ -0,0 +1,193 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+CREATE TABLE `SENTRY_DB_PRIVILEGE` (
+ `DB_PRIVILEGE_ID` BIGINT NOT NULL,
+ `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `COLUMN_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `WITH_GRANT_OPTION` CHAR(1) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_GROUP` (
+ `GROUP_ID` BIGINT NOT NULL,
+ `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `DB_PRIVILEGE_ID` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `GROUP_ID` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
+ `VER_ID` BIGINT NOT NULL,
+ `SCHEMA_VERSION` VARCHAR(127) NOT NULL,
+ `VERSION_COMMENT` VARCHAR(255) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD CONSTRAINT `SENTRY_DB_PRIV_PK` PRIMARY KEY (`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE`
+ ADD CONSTRAINT `SENTRY_ROLE_PK` PRIMARY KEY (`ROLE_ID`);
+
+ALTER TABLE `SENTRY_GROUP`
+ ADD CONSTRAINT `SENTRY_GROUP_PK` PRIMARY KEY (`GROUP_ID`);
+
+ALTER TABLE `SENTRY_VERSION`
+ ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_COL_IDX` (`COLUMN_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_URI_IDX` (`URI`);
+
+ALTER TABLE `SENTRY_ROLE`
+ ADD CONSTRAINT `SENTRY_ROLE_ROLE_NAME_UNIQUE` UNIQUE (`ROLE_NAME`);
+
+ALTER TABLE `SENTRY_GROUP`
+ ADD CONSTRAINT `SENTRY_GRP_GRP_NAME_UNIQUE` UNIQUE (`GROUP_NAME`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_GROUP_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GROUP_ID`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK`
+ FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK`
+ FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`);
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE `SENTRY_GM_PRIVILEGE`
+(
+ `GM_PRIVILEGE_ID` BIGINT NOT NULL,
+ `ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `WITH_GRANT_OPTION` CHAR(1) NOT NULL,
+ `RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD CONSTRAINT `SENTRY_GM_PRIVILEGE_PK` PRIMARY KEY (`GM_PRIVILEGE_ID`);
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD UNIQUE `GM_PRIVILEGE_UNIQUE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+(
+ `ROLE_ID` BIGINT NOT NULL,
+ `GM_PRIVILEGE_ID` BIGINT NOT NULL
+) ENGINE=INNODB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GM_PRIVILEGE_ID`);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK`
+ FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`);
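Review bot: The preamble saves and disables `UNIQUE_CHECKS` and `FOREIGN_KEY_CHECKS` in the `/*!40014 ... */` lines but the file never restores them, so a connection that runs this script and then keeps issuing statements continues with referential checks off — on an authorization store that means role-to-privilege map rows pointing at missing roles or privileges are accepted silently. The file should end with the matching restore lines, `/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;` and `/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;`, and likewise restore `SQL_MODE`, `SQL_NOTES`, `TIME_ZONE` and the character-set variables the preamble saved. The same preamble without a footer appears in the sentry-mysql-1.8.0.sql hunk. Separately, `SENTRY_PRIV_URI_IDX` indexes the full `URI` VARCHAR(4000) utf8 column while the unique key on the same table limits it to `URI`(250); whether the plain index is accepted, silently truncated or rejected depends on the InnoDB prefix limit and strict mode of the target server, so giving it the same explicit prefix would make the DDL portable.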
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.8.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.8.0.sql
new file mode 100644
index 0000000..d27d7b9
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.8.0.sql
@@ -0,0 +1,223 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+CREATE TABLE `SENTRY_DB_PRIVILEGE` (
+ `DB_PRIVILEGE_ID` BIGINT NOT NULL,
+ `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `COLUMN_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `WITH_GRANT_OPTION` CHAR(1) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_GROUP` (
+ `GROUP_ID` BIGINT NOT NULL,
+ `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `DB_PRIVILEGE_ID` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `GROUP_ID` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
+ `VER_ID` BIGINT NOT NULL,
+ `SCHEMA_VERSION` VARCHAR(127) NOT NULL,
+ `VERSION_COMMENT` VARCHAR(255) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD CONSTRAINT `SENTRY_DB_PRIV_PK` PRIMARY KEY (`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE`
+ ADD CONSTRAINT `SENTRY_ROLE_PK` PRIMARY KEY (`ROLE_ID`);
+
+ALTER TABLE `SENTRY_GROUP`
+ ADD CONSTRAINT `SENTRY_GROUP_PK` PRIMARY KEY (`GROUP_ID`);
+
+ALTER TABLE `SENTRY_VERSION`
+ ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_COL_IDX` (`COLUMN_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_URI_IDX` (`URI`);
+
+ALTER TABLE `SENTRY_ROLE`
+ ADD CONSTRAINT `SENTRY_ROLE_ROLE_NAME_UNIQUE` UNIQUE (`ROLE_NAME`);
+
+ALTER TABLE `SENTRY_GROUP`
+ ADD CONSTRAINT `SENTRY_GRP_GRP_NAME_UNIQUE` UNIQUE (`GROUP_NAME`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_GROUP_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GROUP_ID`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK`
+ FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK`
+ FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`);
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.8.0', 'Sentry release version 1.8.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE `SENTRY_GM_PRIVILEGE`
+(
+ `GM_PRIVILEGE_ID` BIGINT NOT NULL,
+ `ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `WITH_GRANT_OPTION` CHAR(1) NOT NULL,
+ `RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD CONSTRAINT `SENTRY_GM_PRIVILEGE_PK` PRIMARY KEY (`GM_PRIVILEGE_ID`);
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD UNIQUE `GM_PRIVILEGE_UNIQUE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+(
+ `ROLE_ID` BIGINT NOT NULL,
+ `GM_PRIVILEGE_ID` BIGINT NOT NULL
+) ENGINE=INNODB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GM_PRIVILEGE_ID`);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK`
+ FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`);
+
+CREATE TABLE `SENTRY_USER` (
+ `USER_ID` BIGINT NOT NULL,
+ `USER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_USER`
+ ADD CONSTRAINT `SENTRY_USER_PK` PRIMARY KEY (`USER_ID`);
+
+ALTER TABLE `SENTRY_USER`
+ ADD CONSTRAINT `SENTRY_USER_USER_NAME_UNIQUE` UNIQUE (`USER_NAME`);
+
+CREATE TABLE `SENTRY_ROLE_USER_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `USER_ID` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_ROLE_USER_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_USER_MAP_PK` PRIMARY KEY (`ROLE_ID`,`USER_ID`);
+
+ALTER TABLE `SENTRY_ROLE_USER_MAP`
+ ADD CONSTRAINT `SEN_ROLE_USER_MAP_SEN_ROLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_USER_MAP`
+ ADD CONSTRAINT `SEN_ROLE_USER_MAP_SEN_USER_FK`
+ FOREIGN KEY (`USER_ID`) REFERENCES `SENTRY_USER`(`USER_ID`);
+
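Review bot: The new `SENTRY_USER` table compares `USER_NAME` with `utf8_bin` and enforces `SENTRY_USER_USER_NAME_UNIQUE` on it, so `alice` and `Alice` are stored and matched as two different principals, and nothing in the schema records whether the server normalizes names before they reach this table. A one-line comment above the `CREATE TABLE` would save the next maintainer a trip through the code, e.g. `-- USER_NAME is case-sensitive (utf8_bin); store it exactly as the authenticator reports it`. `ROLE_NAME` and `GROUP_NAME` earlier in the file use the same collation, so a single note near the top of the file covering all three names would do.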
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.4.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.4.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.4.0.sql
new file mode 100644
index 0000000..363590e
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.4.0.sql
@@ -0,0 +1,110 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+CREATE TABLE "SENTRY_DB_PRIVILEGE" (
+ "DB_PRIVILEGE_ID" NUMBER NOT NULL,
+ "PRIVILEGE_NAME" VARCHAR2(4000) NOT NULL,
+ "PRIVILEGE_SCOPE" VARCHAR2(32) NOT NULL,
+ "SERVER_NAME" VARCHAR2(128) NOT NULL,
+ "DB_NAME" VARCHAR2(128) NULL,
+ "TABLE_NAME" VARCHAR2(128) NULL,
+ "URI" VARCHAR2(4000) NULL,
+ "ACTION" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR(128) NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "ROLE_NAME" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR2(128) NOT NULL
+);
+
+CREATE TABLE "SENTRY_GROUP" (
+ "GROUP_ID" NUMBER NOT NULL,
+ "GROUP_NAME" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR2(128) NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "DB_PRIVILEGE_ID" NUMBER NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "GROUP_ID" NUMBER NOT NULL
+);
+
+CREATE TABLE "SENTRY_VERSION" (
+ "VER_ID" NUMBER NOT NULL,
+ "SCHEMA_VERSION" VARCHAR(127) NOT NULL,
+ "VERSION_COMMENT" VARCHAR(255) NOT NULL
+);
+
+ALTER TABLE "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
+
+ALTER TABLE "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
+
+ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
+
+ALTER TABLE "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("PRIVILEGE_NAME");
+
+CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME");
+
+CREATE INDEX "SENTRY_DB_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("DB_NAME");
+
+CREATE INDEX "SENTRY_TBL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("TABLE_NAME");
+
+CREATE INDEX "SENTRY_URI_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("URI");
+
+ALTER TABLE "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
+
+ALTER TABLE "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
+ FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") INITIALLY DEFERRED;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.4.0', 'Sentry release version 1.4.0');
+
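Review bot: `GRANTOR_PRINCIPAL` on `SENTRY_DB_PRIVILEGE` is declared `VARCHAR(128)` whereas every other string column in this file uses `VARCHAR2`; Oracle currently treats the two as synonyms but documents `VARCHAR` as reserved for a possible change of semantics, so `"GRANTOR_PRINCIPAL" VARCHAR(128) NOT NULL` should read `"GRANTOR_PRINCIPAL" VARCHAR2(128) NOT NULL`. The `SENTRY_VERSION` columns use `VARCHAR` as well, here and in the 1.5.0 and 1.6.0 hunks. If this 1.4.0 script is deliberately kept byte-for-byte for upgrade-path compatibility, a comment saying so at the top would explain why it is left untouched.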
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.5.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.5.0.sql
new file mode 100644
index 0000000..fe8e93c
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.5.0.sql
@@ -0,0 +1,168 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+CREATE TABLE "SENTRY_DB_PRIVILEGE" (
+ "DB_PRIVILEGE_ID" NUMBER NOT NULL,
+ "PRIVILEGE_SCOPE" VARCHAR2(32) NOT NULL,
+ "SERVER_NAME" VARCHAR2(128) NOT NULL,
+ "DB_NAME" VARCHAR2(128) DEFAULT '__NULL__',
+ "TABLE_NAME" VARCHAR2(128) DEFAULT '__NULL__',
+ "COLUMN_NAME" VARCHAR2(128) DEFAULT '__NULL__',
+ "URI" VARCHAR2(4000) DEFAULT '__NULL__',
+ "ACTION" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "ROLE_NAME" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL
+);
+
+CREATE TABLE "SENTRY_GROUP" (
+ "GROUP_ID" NUMBER NOT NULL,
+ "GROUP_NAME" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "DB_PRIVILEGE_ID" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR2(128)
+);
+
+CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "GROUP_ID" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR2(128)
+);
+
+CREATE TABLE "SENTRY_VERSION" (
+ "VER_ID" NUMBER NOT NULL,
+ "SCHEMA_VERSION" VARCHAR(127) NOT NULL,
+ "VERSION_COMMENT" VARCHAR(255) NOT NULL
+);
+
+ALTER TABLE "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
+
+ALTER TABLE "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
+
+ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
+
+ALTER TABLE "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME");
+
+CREATE INDEX "SENTRY_DB_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("DB_NAME");
+
+CREATE INDEX "SENTRY_TBL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("TABLE_NAME");
+
+CREATE INDEX "SENTRY_COL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("COLUMN_NAME");
+
+CREATE INDEX "SENTRY_URI_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("URI");
+
+ALTER TABLE "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
+
+ALTER TABLE "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
+ FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") INITIALLY DEFERRED;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.5.0', 'Sentry release version 1.5.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE "SENTRY_GM_PRIVILEGE" (
+ "GM_PRIVILEGE_ID" NUMBER NOT NULL,
+ "COMPONENT_NAME" VARCHAR2(32) NOT NULL,
+ "SERVICE_NAME" VARCHAR2(64) NOT NULL,
+ "RESOURCE_NAME_0" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_1" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_2" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_3" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_0" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_1" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_2" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_3" VARCHAR2(64) DEFAULT '__NULL__',
+ "ACTION" VARCHAR2(32) NOT NULL,
+ "SCOPE" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
+);
+
+ALTER TABLE "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
+ "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" ("COMPONENT_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" ("SERVICE_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "GM_PRIVILEGE_ID" NUMBER NOT NULL
+);
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") INITIALLY DEFERRED;
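Review bot: `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` spans seven columns including `URI VARCHAR2(4000)`, about 4.6 KB of declared key width under byte semantics; with `NLS_LENGTH_SEMANTICS=CHAR` on a multibyte database the four 128-character columns grow to 512 bytes each and the key can exceed Oracle's index limit (roughly 75% of the block size, about 6.4 KB on 8 KB blocks), failing with ORA-01450. The MySQL counterpart bounds the same key with `URI`(250), which Oracle cannot express directly, so the safest fix is to pin the width explicitly, e.g. `"URI" VARCHAR2(4000 BYTE) DEFAULT '__NULL__'`, or at least to state the byte-semantics assumption in a comment above the constraint. The 1.6.0 file presumably carries the same constraint, but its hunk runs past the end of this view.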
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.6.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.6.0.sql
new file mode 100644
index 0000000..3a22335
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.6.0.sql
@@ -0,0 +1,168 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+CREATE TABLE "SENTRY_DB_PRIVILEGE" (
+ "DB_PRIVILEGE_ID" NUMBER NOT NULL,
+ "PRIVILEGE_SCOPE" VARCHAR2(32) NOT NULL,
+ "SERVER_NAME" VARCHAR2(128) NOT NULL,
+ "DB_NAME" VARCHAR2(128) DEFAULT '__NULL__',
+ "TABLE_NAME" VARCHAR2(128) DEFAULT '__NULL__',
+ "COLUMN_NAME" VARCHAR2(128) DEFAULT '__NULL__',
+ "URI" VARCHAR2(4000) DEFAULT '__NULL__',
+ "ACTION" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "ROLE_NAME" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL
+);
+
+CREATE TABLE "SENTRY_GROUP" (
+ "GROUP_ID" NUMBER NOT NULL,
+ "GROUP_NAME" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "DB_PRIVILEGE_ID" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR2(128)
+);
+
+CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "GROUP_ID" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR2(128)
+);
+
+CREATE TABLE "SENTRY_VERSION" (
+ "VER_ID" NUMBER NOT NULL,
+ "SCHEMA_VERSION" VARCHAR(127) NOT NULL,
+ "VERSION_COMMENT" VARCHAR(255) NOT NULL
+);
+
+ALTER TABLE "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
+
+ALTER TABLE "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
+
+ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
+
+ALTER TABLE "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME");
+
+CREATE INDEX "SENTRY_DB_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("DB_NAME");
+
+CREATE INDEX "SENTRY_TBL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("TABLE_NAME");
+
+CREATE INDEX "SENTRY_COL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("COLUMN_NAME");
+
+CREATE INDEX "SENTRY_URI_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("URI");
+
+ALTER TABLE "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
+
+ALTER TABLE "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
+ FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") INITIALLY DEFERRED;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.6.0', 'Sentry release version 1.6.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE "SENTRY_GM_PRIVILEGE" (
+ "GM_PRIVILEGE_ID" NUMBER NOT NULL,
+ "COMPONENT_NAME" VARCHAR2(32) NOT NULL,
+ "SERVICE_NAME" VARCHAR2(64) NOT NULL,
+ "RESOURCE_NAME_0" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_1" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_2" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_3" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_0" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_1" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_2" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_3" VARCHAR2(64) DEFAULT '__NULL__',
+ "ACTION" VARCHAR2(32) NOT NULL,
+ "SCOPE" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
+);
+
+ALTER TABLE "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
+ "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" ("COMPONENT_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" ("SERVICE_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "GM_PRIVILEGE_ID" NUMBER NOT NULL
+);
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") INITIALLY DEFERRED;
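Review bot: `GRANTOR_PRINCIPAL` on `SENTRY_ROLE_DB_PRIVILEGE_MAP` and `SENTRY_ROLE_GROUP_MAP` is declared nullable (`"GRANTOR_PRINCIPAL" VARCHAR2(128)`), so the record of which principal granted a role or privilege can be absent while the grant itself stays in force; if the server always fills it in, `"GRANTOR_PRINCIPAL" VARCHAR2(128) NOT NULL` would enforce that accountability at the schema level — confirm against the store code before tightening, since an upgrade path with pre-existing rows may be the reason it is optional. The same declaration appears in the 1.7.0 and 1.8.0 Oracle scripts, where 1.8.0's new `SENTRY_ROLE_USER_MAP` repeats it. A smaller style point: `SENTRY_VERSION` uses `VARCHAR(127)`/`VARCHAR(255)` while every other string column in the file uses `VARCHAR2`, and the closing `INSERT INTO SENTRY_VERSION` is the only statement with unquoted identifiers; both work because the names are uppercase, but one convention per file is easier to audit.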
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.7.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.7.0.sql
new file mode 100644
index 0000000..ae9cd06
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.7.0.sql
@@ -0,0 +1,168 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+CREATE TABLE "SENTRY_DB_PRIVILEGE" (
+ "DB_PRIVILEGE_ID" NUMBER NOT NULL,
+ "PRIVILEGE_SCOPE" VARCHAR2(32) NOT NULL,
+ "SERVER_NAME" VARCHAR2(128) NOT NULL,
+ "DB_NAME" VARCHAR2(128) DEFAULT '__NULL__',
+ "TABLE_NAME" VARCHAR2(128) DEFAULT '__NULL__',
+ "COLUMN_NAME" VARCHAR2(128) DEFAULT '__NULL__',
+ "URI" VARCHAR2(4000) DEFAULT '__NULL__',
+ "ACTION" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "ROLE_NAME" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL
+);
+
+CREATE TABLE "SENTRY_GROUP" (
+ "GROUP_ID" NUMBER NOT NULL,
+ "GROUP_NAME" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "DB_PRIVILEGE_ID" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR2(128)
+);
+
+CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "GROUP_ID" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR2(128)
+);
+
+CREATE TABLE "SENTRY_VERSION" (
+ "VER_ID" NUMBER NOT NULL,
+ "SCHEMA_VERSION" VARCHAR(127) NOT NULL,
+ "VERSION_COMMENT" VARCHAR(255) NOT NULL
+);
+
+ALTER TABLE "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
+
+ALTER TABLE "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
+
+ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
+
+ALTER TABLE "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME");
+
+CREATE INDEX "SENTRY_DB_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("DB_NAME");
+
+CREATE INDEX "SENTRY_TBL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("TABLE_NAME");
+
+CREATE INDEX "SENTRY_COL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("COLUMN_NAME");
+
+CREATE INDEX "SENTRY_URI_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("URI");
+
+ALTER TABLE "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
+
+ALTER TABLE "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
+ FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") INITIALLY DEFERRED;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE "SENTRY_GM_PRIVILEGE" (
+ "GM_PRIVILEGE_ID" NUMBER NOT NULL,
+ "COMPONENT_NAME" VARCHAR2(32) NOT NULL,
+ "SERVICE_NAME" VARCHAR2(64) NOT NULL,
+ "RESOURCE_NAME_0" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_1" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_2" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_3" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_0" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_1" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_2" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_3" VARCHAR2(64) DEFAULT '__NULL__',
+ "ACTION" VARCHAR2(32) NOT NULL,
+ "SCOPE" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
+);
+
+ALTER TABLE "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
+ "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" ("COMPONENT_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" ("SERVICE_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "GM_PRIVILEGE_ID" NUMBER NOT NULL
+);
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") INITIALLY DEFERRED;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.8.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.8.0.sql
new file mode 100644
index 0000000..ced5c31
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-oracle-1.8.0.sql
@@ -0,0 +1,197 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+CREATE TABLE "SENTRY_DB_PRIVILEGE" (
+ "DB_PRIVILEGE_ID" NUMBER NOT NULL,
+ "PRIVILEGE_SCOPE" VARCHAR2(32) NOT NULL,
+ "SERVER_NAME" VARCHAR2(128) NOT NULL,
+ "DB_NAME" VARCHAR2(128) DEFAULT '__NULL__',
+ "TABLE_NAME" VARCHAR2(128) DEFAULT '__NULL__',
+ "COLUMN_NAME" VARCHAR2(128) DEFAULT '__NULL__',
+ "URI" VARCHAR2(4000) DEFAULT '__NULL__',
+ "ACTION" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "ROLE_NAME" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL
+);
+
+CREATE TABLE "SENTRY_GROUP" (
+ "GROUP_ID" NUMBER NOT NULL,
+ "GROUP_NAME" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "DB_PRIVILEGE_ID" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR2(128)
+);
+
+CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "GROUP_ID" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR2(128)
+);
+
+CREATE TABLE "SENTRY_VERSION" (
+ "VER_ID" NUMBER NOT NULL,
+ "SCHEMA_VERSION" VARCHAR(127) NOT NULL,
+ "VERSION_COMMENT" VARCHAR(255) NOT NULL
+);
+
+ALTER TABLE "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
+
+ALTER TABLE "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
+
+ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
+
+ALTER TABLE "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME");
+
+CREATE INDEX "SENTRY_DB_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("DB_NAME");
+
+CREATE INDEX "SENTRY_TBL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("TABLE_NAME");
+
+CREATE INDEX "SENTRY_COL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("COLUMN_NAME");
+
+CREATE INDEX "SENTRY_URI_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("URI");
+
+ALTER TABLE "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
+
+ALTER TABLE "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
+ FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") INITIALLY DEFERRED;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.8.0', 'Sentry release version 1.8.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE "SENTRY_GM_PRIVILEGE" (
+ "GM_PRIVILEGE_ID" NUMBER NOT NULL,
+ "COMPONENT_NAME" VARCHAR2(32) NOT NULL,
+ "SERVICE_NAME" VARCHAR2(64) NOT NULL,
+ "RESOURCE_NAME_0" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_1" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_2" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_3" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_0" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_1" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_2" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_3" VARCHAR2(64) DEFAULT '__NULL__',
+ "ACTION" VARCHAR2(32) NOT NULL,
+ "SCOPE" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
+);
+
+ALTER TABLE "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
+ "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" ("COMPONENT_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" ("SERVICE_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "GM_PRIVILEGE_ID" NUMBER NOT NULL
+);
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") INITIALLY DEFERRED;
+
+CREATE TABLE "SENTRY_USER" (
+ "USER_ID" NUMBER NOT NULL,
+ "USER_NAME" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL
+);
+
+ALTER TABLE "SENTRY_USER"
+ ADD CONSTRAINT "SENTRY_USER_PK" PRIMARY KEY ("USER_ID");
+
+ALTER TABLE "SENTRY_USER"
+ ADD CONSTRAINT "SENTRY_USER_USER_NAME_UNIQUE" UNIQUE ("USER_NAME");
+
+CREATE TABLE "SENTRY_ROLE_USER_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "USER_ID" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR2(128)
+);
+
+ALTER TABLE "SENTRY_ROLE_USER_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_USER_MAP_PK" PRIMARY KEY ("ROLE_ID","USER_ID");
+
+ALTER TABLE "SENTRY_ROLE_USER_MAP"
+ ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_USER_MAP"
+ ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_USER_FK"
+ FOREIGN KEY ("USER_ID") REFERENCES "SENTRY_USER"("USER_ID") INITIALLY DEFERRED;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.4.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.4.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.4.0.sql
new file mode 100644
index 0000000..5dfae03
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.4.0.sql
@@ -0,0 +1,124 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+START TRANSACTION;
+
+SET statement_timeout = 0;
+SET client_encoding = 'UTF8';
+SET standard_conforming_strings = off;
+SET check_function_bodies = false;
+SET client_min_messages = warning;
+SET escape_string_warning = off;
+SET search_path = public, pg_catalog;
+SET default_tablespace = '';
+SET default_with_oids = false;
+
+CREATE TABLE "SENTRY_DB_PRIVILEGE" (
+ "DB_PRIVILEGE_ID" BIGINT NOT NULL,
+ "PRIVILEGE_NAME" character varying(4000) NOT NULL,
+ "PRIVILEGE_SCOPE" character varying(32) NOT NULL,
+ "SERVER_NAME" character varying(128) NOT NULL,
+ "DB_NAME" character varying(128) DEFAULT NULL::character varying,
+ "TABLE_NAME" character varying(128) DEFAULT NULL::character varying,
+ "URI" character varying(4000) DEFAULT NULL::character varying,
+ "ACTION" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR(128) NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "ROLE_NAME" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" character varying(128) NOT NULL
+);
+
+CREATE TABLE "SENTRY_GROUP" (
+ "GROUP_ID" BIGINT NOT NULL,
+ "GROUP_NAME" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" character varying(128) NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "DB_PRIVILEGE_ID" BIGINT NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "GROUP_ID" BIGINT NOT NULL
+);
+
+CREATE TABLE "SENTRY_VERSION" (
+ "VER_ID" bigint,
+ "SCHEMA_VERSION" character varying(127) NOT NULL,
+ "VERSION_COMMENT" character varying(255) NOT NULL
+);
+
+
+ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
+
+ALTER TABLE ONLY "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
+
+ALTER TABLE ONLY "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
+
+ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
+
+ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("PRIVILEGE_NAME");
+
+CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME");
+
+CREATE INDEX "SENTRY_PRIV_DB_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("DB_NAME");
+
+CREATE INDEX "SENTRY_PRIV_TBL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("TABLE_NAME");
+
+CREATE INDEX "SENTRY_PRIV_URI_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("URI");
+
+ALTER TABLE ONLY "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
+
+ALTER TABLE ONLY "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_DB_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
+
+ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
+ FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") DEFERRABLE;
+
+INSERT INTO "SENTRY_VERSION" ("VER_ID", "SCHEMA_VERSION", "VERSION_COMMENT") VALUES (1, '1.4.0', 'Sentry release version 1.4.0');
+
+COMMIT;
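Review bot: `SET standard_conforming_strings = off;` and `SET escape_string_warning = off;` change how backslashes inside string literals are parsed, and nothing in this script needs that — none of its literals contain a backslash, so the two lines look like pg_dump environment boilerplate rather than a requirement. A plain `SET` outlives the `COMMIT` on the same connection, so a migration runner that reuses the connection afterwards would execute later statements under the non-standard escaping rule, which is the classic source of quote-escaping mismatches. Dropping those two lines, or switching the prelude to `SET LOCAL` so it ends with the transaction, keeps the script's behaviour and limits its reach; the same prelude is visible at the start of the 1.5.0 Postgres script, whose hunk continues past this chunk.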
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.5.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.5.0.sql
new file mode 100644
index 0000000..fb26770
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-postgres-1.5.0.sql
@@ -0,0 +1,182 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+START TRANSACTION;
+
+SET statement_timeout = 0;
+SET client_encoding = 'UTF8';
+SET standard_conforming_strings = off;
+SET check_function_bodies = false;
+SET client_min_messages = warning;
+SET escape_string_warning = off;
+SET search_path = public, pg_catalog;
+SET default_tablespace = '';
+SET default_with_oids = false;
+
+CREATE TABLE "SENTRY_DB_PRIVILEGE" (
+ "DB_PRIVILEGE_ID" BIGINT NOT NULL,
+ "PRIVILEGE_SCOPE" character varying(32) NOT NULL,
+ "SERVER_NAME" character varying(128) NOT NULL,
+ "DB_NAME" character varying(128) DEFAULT '__NULL__',
+ "TABLE_NAME" character varying(128) DEFAULT '__NULL__',
+ "COLUMN_NAME" character varying(128) DEFAULT '__NULL__',
+ "URI" character varying(4000) DEFAULT '__NULL__',
+ "ACTION" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "ROLE_NAME" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL
+);
+
+CREATE TABLE "SENTRY_GROUP" (
+ "GROUP_ID" BIGINT NOT NULL,
+ "GROUP_NAME" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL
+);
+
+CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "DB_PRIVILEGE_ID" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" character varying(128)
+);
+
+CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "GROUP_ID" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" character varying(128)
+);
+
+CREATE TABLE "SENTRY_VERSION" (
+ "VER_ID" bigint,
+ "SCHEMA_VERSION" character varying(127) NOT NULL,
+ "VERSION_COMMENT" character varying(255) NOT NULL
+);
+
+
+ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
+
+ALTER TABLE ONLY "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
+
+ALTER TABLE ONLY "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
+
+ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
+
+ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME");
+
+CREATE INDEX "SENTRY_PRIV_DB_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("DB_NAME");
+
+CREATE INDEX "SENTRY_PRIV_TBL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("TABLE_NAME");
+
+CREATE INDEX "SENTRY_PRIV_COL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("COLUMN_NAME");
+
+CREATE INDEX "SENTRY_PRIV_URI_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("URI");
+
+ALTER TABLE ONLY "SENTRY_ROLE"
+ ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
+
+ALTER TABLE ONLY "SENTRY_GROUP"
+ ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_DB_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
+
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
+
+ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
+ ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
+ FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") DEFERRABLE;
+
+INSERT INTO "SENTRY_VERSION" ("VER_ID", "SCHEMA_VERSION", "VERSION_COMMENT") VALUES (1, '1.5.0', 'Sentry release version 1.5.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE "SENTRY_GM_PRIVILEGE" (
+ "GM_PRIVILEGE_ID" BIGINT NOT NULL,
+ "COMPONENT_NAME" character varying(32) NOT NULL,
+ "SERVICE_NAME" character varying(64) NOT NULL,
+ "RESOURCE_NAME_0" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_1" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_2" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_3" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_0" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_1" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_2" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_3" character varying(64) DEFAULT '__NULL__',
+ "ACTION" character varying(32) NOT NULL,
+ "SCOPE" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) NOT NULL
+);
+ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
+ "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("COMPONENT_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("SERVICE_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "GM_PRIVILEGE_ID" BIGINT NOT NULL
+);
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GM_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") DEFERRABLE;
+
+COMMIT;
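Review bot: The constraint name `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK` on SENTRY_ROLE_GM_PRIVILEGE_MAP points at SENTRY_GM_PRIVILEGE yet reads `DB_PRV`, which looks copied from `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK` two blocks earlier; the convention the other constraints follow would give `SEN_RL_GM_PRV_MAP_SN_GM_PRV_FK`. Because this file appears to be carried over from the existing provider module as part of the split, the name may already be relied on by deployed schemas or upgrade scripts, in which case a comment on that constraint noting the mismatch is the safer change. Separately, the `'__NULL__'` defaults on the DB_NAME/TABLE_NAME/COLUMN_NAME/URI and RESOURCE_* columns are load-bearing for the UNIQUE constraints, since SQL NULLs never compare equal and would let duplicate privilege rows through; a one-line comment above SENTRY_DB_PRIVILEGE would save the next maintainer from "cleaning them up": `-- '__NULL__' stands in for SQL NULL so the UNIQUE constraints below can match rows with an absent db/table/column/uri`. Note also that SENTRY_GM_PRIV_PRIV_NAME_UNIQ omits "SCOPE"; if scope is derived from the resource columns that is fine, but it is worth stating in a comment so the omission is not mistaken for an oversight.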
[31/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
deleted file mode 100644
index 6c7d22d..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
+++ /dev/null
@@ -1,296 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import static org.hamcrest.core.Is.is;
-import static org.junit.Assert.assertThat;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.security.PrivilegedExceptionAction;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.log4j.Level;
-import org.apache.log4j.Logger;
-import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
-import org.apache.sentry.provider.db.log.util.CommandUtil;
-import org.apache.sentry.provider.db.log.util.Constants;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.codehaus.jettison.json.JSONObject;
-import org.junit.After;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-
-public class TestAuditLogForSentryGenericService extends SentryServiceIntegrationBase {
-
- private SentryGenericServiceClient client;
- private static final String COMPONENT = "SQOOP";
- private static final org.slf4j.Logger LOGGER = LoggerFactory
- .getLogger(TestAuditLogForSentryGenericService.class);
-
- @BeforeClass
- public static void setup() throws Exception {
- SentryServiceIntegrationBase.setup();
- Logger logger = Logger.getLogger("sentry.generic.authorization.ddl.logger");
- AuditLoggerTestAppender testAppender = new AuditLoggerTestAppender();
- logger.addAppender(testAppender);
- logger.setLevel(Level.INFO);
- }
-
- @Override
- @After
- public void after() {
- try {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Set<TSentryRole> tRoles = client.listAllRoles(ADMIN_USER, COMPONENT);
- for (TSentryRole tRole : tRoles) {
- client.dropRole(ADMIN_USER, tRole.getRoleName(), COMPONENT);
- }
- if (client != null) {
- client.close();
- }
- }
- });
- } catch (Exception e) {
- // log the exception
- LOGGER.warn("Exception happened after test case.", e);
- } finally {
- policyFilePath.delete();
- }
- }
-
- /**
- * use the generic client to connect sentry service
- */
- @Override
- public void connectToSentryService() throws Exception {
- if (kerberos) {
- this.client = clientUgi.doAs(new PrivilegedExceptionAction<SentryGenericServiceClient>() {
- @Override
- public SentryGenericServiceClient run() throws Exception {
- return SentryGenericServiceClientFactory.create(conf);
- }
- });
- } else {
- this.client = SentryGenericServiceClientFactory.create(conf);
- }
- }
-
- @Test
- public void testAuditLogForGenericModel() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r";
- String testGroupName = "g1";
- String action = "all";
- String service = "sentryService";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- // test the audit log for create role, success
- client.createRole(requestorUserName, roleName, COMPONENT);
- Map<String, String> fieldValueMap = new HashMap<String, String>();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
-
- // test the audit log for create role, failed
- try {
- client.createRole(requestorUserName, roleName, COMPONENT);
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
-
- // test the audit log for add role to group, success
- client.addRoleToGroups(requestorUserName, roleName, COMPONENT,
- Sets.newHashSet(testGroupName));
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + roleName
- + " TO GROUP " + testGroupName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
-
- // test the audit log for add role to group, failed
- try {
- client.addRoleToGroups(requestorUserName, "invalidRole", COMPONENT,
- Sets.newHashSet(testGroupName));
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE invalidRole TO GROUP "
- + testGroupName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
-
- // test the audit log for grant privilege, success
- TSentryPrivilege privilege = new TSentryPrivilege(COMPONENT, service, Lists.newArrayList(
- new TAuthorizable("resourceType1", "resourceName1"), new TAuthorizable("resourceType2",
- "resourceName2")), action);
- client.grantPrivilege(requestorUserName, roleName, COMPONENT, privilege);
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
- "GRANT ALL ON resourceType1 resourceName1 resourceType2 resourceName2 TO ROLE "
- + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
-
- // for error audit log
- TSentryPrivilege invalidPrivilege = new TSentryPrivilege(COMPONENT, service,
- Lists.newArrayList(new TAuthorizable("resourceType1", "resourceName1")),
- "invalidAction");
- // test the audit log for grant privilege, failed
- try {
- client.grantPrivilege(requestorUserName, roleName, COMPONENT, invalidPrivilege);
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
- "GRANT INVALIDACTION ON resourceType1 resourceName1 TO ROLE " + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
-
- // test the audit log for revoke privilege, success
- client.revokePrivilege(requestorUserName, roleName, COMPONENT, privilege);
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
- "REVOKE ALL ON resourceType1 resourceName1 resourceType2 resourceName2 FROM ROLE "
- + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
-
- // test the audit log for revoke privilege, failed
- try {
- client.revokePrivilege(requestorUserName, "invalidRole", COMPONENT, invalidPrivilege);
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
- "REVOKE INVALIDACTION ON resourceType1 resourceName1 FROM ROLE invalidRole");
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
-
- // test the audit log for delete role from group, success
- client.deleteRoleToGroups(requestorUserName, roleName, COMPONENT,
- Sets.newHashSet(testGroupName));
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + roleName
- + " FROM GROUP " + testGroupName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- // test the audit log for delete role from group, failed
- try {
- client.deleteRoleToGroups(requestorUserName, "invalidRole", COMPONENT,
- Sets.newHashSet(testGroupName));
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
- "REVOKE ROLE invalidRole FROM GROUP " + testGroupName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
- // test the audit log for drop role, success
- client.dropRole(requestorUserName, roleName, COMPONENT);
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- // test the audit log for drop role, failed
- try {
- client.dropRole(requestorUserName, roleName, COMPONENT);
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
- }
- });
- }
-
- private void assertAuditLog(Map<String, String> fieldValueMap) throws Exception {
- assertThat(AuditLoggerTestAppender.getLastLogLevel(), is(Level.INFO));
- JSONObject jsonObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent());
- if (fieldValueMap != null) {
- for (Map.Entry<String, String> entry : fieldValueMap.entrySet()) {
- String entryKey = entry.getKey();
- if (Constants.LOG_FIELD_IP_ADDRESS.equals(entryKey)) {
- assertTrue(CommandUtil.assertIPInAuditLog(jsonObject.get(entryKey).toString()));
- } else {
- assertTrue(entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString()));
- }
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java
deleted file mode 100644
index d1fd94e..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java
+++ /dev/null
@@ -1,353 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import static org.mockito.Matchers.any;
-import static org.mockito.Matchers.anyListOf;
-import static org.mockito.Matchers.anySetOf;
-import static org.mockito.Matchers.anyString;
-
-import java.util.*;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.Field;
-import org.apache.sentry.core.model.search.SearchConstants;
-import org.apache.sentry.core.common.service.GroupMappingService;
-import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
-import org.apache.sentry.core.common.exception.SentryInvalidInputException;
-import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
-import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject;
-import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer;
-import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
-import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
-import org.apache.sentry.provider.db.service.model.MSentryRole;
-import org.apache.sentry.provider.db.service.persistent.CommitContext;
-import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.sentry.service.thrift.Status;
-import org.apache.sentry.service.thrift.TSentryResponseStatus;
-import org.junit.Before;
-import org.junit.Test;
-import org.mockito.Mockito;
-
-import com.google.common.collect.Sets;
-
-public class TestSentryGenericPolicyProcessor extends org.junit.Assert {
- private static final String ADMIN_GROUP = "admin_group";
- private static final String ADMIN_USER = "admin_user";
- private static final UUID SERVER_UUID = UUID.randomUUID();
- private static final long SEQ_ID = 10000;
-
- private SentryStoreLayer mockStore = Mockito.mock(SentryStoreLayer.class);
- private SentryGenericPolicyProcessor processor;
-
- @Before
- public void setup() throws Exception {
- Configuration conf = new Configuration();
- conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP);
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, MockGroupMapping.class.getName());
- processor = new SentryGenericPolicyProcessor(conf, mockStore);
- }
-
- @Test
- public void testNotAdminOperation() throws Exception {
- String requestUser = "not_" + ADMIN_USER;
- Status validateStatus = Status.ACCESS_DENIED;
- testOperation(requestUser, validateStatus);
- }
-
- private void testOperation(String requestUser, Status validateStatus) throws Exception {
- TCreateSentryRoleRequest createrequest = new TCreateSentryRoleRequest();
- createrequest.setRequestorUserName(requestUser);
- createrequest.setRoleName("r1");
- assertEquals(validateStatus, fromTSentryStatus(processor.create_sentry_role(createrequest).getStatus()));
-
- TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest();
- dropRequest.setRequestorUserName(requestUser);
- dropRequest.setRoleName("r1");
- assertEquals(validateStatus, fromTSentryStatus(processor.drop_sentry_role(dropRequest).getStatus()));
-
- TAlterSentryRoleAddGroupsRequest addRequest = new TAlterSentryRoleAddGroupsRequest();
- addRequest.setRequestorUserName(requestUser);
- addRequest.setRoleName("r1");
- addRequest.setGroups(Sets.newHashSet("g1"));
- assertEquals(validateStatus, fromTSentryStatus(processor.alter_sentry_role_add_groups(addRequest).getStatus()));
-
- TAlterSentryRoleDeleteGroupsRequest delRequest = new TAlterSentryRoleDeleteGroupsRequest();
- delRequest.setRequestorUserName(requestUser);
- delRequest.setRoleName("r1");
- delRequest.setGroups(Sets.newHashSet("g1"));
- assertEquals(validateStatus, fromTSentryStatus(processor.alter_sentry_role_delete_groups(delRequest).getStatus()));
-
- TDropPrivilegesRequest dropPrivRequest = new TDropPrivilegesRequest();
- dropPrivRequest.setRequestorUserName(requestUser);
- dropPrivRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test"));
- assertEquals(validateStatus, fromTSentryStatus(processor.drop_sentry_privilege(dropPrivRequest).getStatus()));
-
- TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest();
- renameRequest.setRequestorUserName(requestUser);
- assertEquals(validateStatus, fromTSentryStatus(processor.rename_sentry_privilege(renameRequest).getStatus()));
- }
-
- private Status fromTSentryStatus(TSentryResponseStatus status) {
- return Status.fromCode(status.getValue());
- }
-
- @Test
- public void testAdminOperation() throws Exception {
- Mockito.when(mockStore.createRole(anyString(), anyString(), anyString()))
- .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID));
-
- Mockito.when(mockStore.dropRole(anyString(), anyString(), anyString()))
- .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 1));
-
- Mockito.when(mockStore.alterRoleAddGroups(anyString(), anyString(), anySetOf(String.class),anyString()))
- .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 2));
-
- Mockito.when(mockStore.alterRoleDeleteGroups(anyString(), anyString(),anySetOf(String.class), anyString()))
- .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 3));
-
- Mockito.when(mockStore.dropPrivilege(anyString(), any(PrivilegeObject.class), anyString()))
- .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 4));
-
- Mockito.when(mockStore.renamePrivilege(anyString(), anyString(), anyListOf(Authorizable.class),
- anyListOf(Authorizable.class), anyString()))
- .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 5));
- testOperation(ADMIN_USER, Status.OK);
- }
-
- @Test
- public void testGrantAndRevokePrivilege() throws Exception {
- Mockito.when(mockStore.alterRoleGrantPrivilege(anyString(), anyString(), any(PrivilegeObject.class), anyString()))
- .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 6));
-
- Mockito.when(mockStore.alterRoleRevokePrivilege(anyString(), anyString(),any(PrivilegeObject.class), anyString()))
- .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 7));
- setup();
-
- TSentryPrivilege tprivilege = new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test");
- tprivilege.setGrantOption(TSentryGrantOption.UNSET);
-
- TAlterSentryRoleGrantPrivilegeRequest grantRequest = new TAlterSentryRoleGrantPrivilegeRequest();
- grantRequest.setRequestorUserName(ADMIN_USER);
- grantRequest.setRoleName("r1");
- grantRequest.setPrivilege(tprivilege);
- assertEquals(Status.OK, fromTSentryStatus(processor.alter_sentry_role_grant_privilege(grantRequest).getStatus()));
-
- TAlterSentryRoleRevokePrivilegeRequest revokeRequest = new TAlterSentryRoleRevokePrivilegeRequest();
- revokeRequest.setRequestorUserName(ADMIN_USER);
- revokeRequest.setRoleName("r1");
- revokeRequest.setPrivilege(tprivilege);
- assertEquals(Status.OK, fromTSentryStatus(processor.alter_sentry_role_revoke_privilege(revokeRequest).getStatus()));
- }
-
- @Test
- public void testOperationWithException() throws Exception {
- String roleName = anyString();
- Mockito.when(mockStore.createRole(anyString(), roleName, anyString()))
- .thenThrow(new SentryAlreadyExistsException("Role: " + roleName + " already exists"));
-
- roleName = anyString();
- Mockito.when(mockStore.dropRole(anyString(), roleName, anyString()))
- .thenThrow(new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist"));
-
- roleName = anyString();
- Mockito.when(mockStore.alterRoleAddGroups(anyString(), roleName, anySetOf(String.class),anyString()))
- .thenThrow(new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist"));
-
- roleName = anyString();
- Mockito.when(mockStore.alterRoleDeleteGroups(anyString(), roleName, anySetOf(String.class), anyString()))
- .thenThrow(new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist"));
-
- roleName = anyString();
- Mockito.when(mockStore.alterRoleGrantPrivilege(anyString(), roleName, any(PrivilegeObject.class), anyString()))
- .thenThrow(new SentryGrantDeniedException("Role: " + roleName + " is not allowed to do grant"));
-
- roleName = anyString();
- Mockito.when(mockStore.alterRoleRevokePrivilege(anyString(), roleName, any(PrivilegeObject.class), anyString()))
- .thenThrow(new SentryGrantDeniedException("Role: " + roleName + " is not allowed to do grant"));
-
- Mockito.when(mockStore.dropPrivilege(anyString(), any(PrivilegeObject.class), anyString()))
- .thenThrow(new SentryInvalidInputException("Invalid input privilege object"));
-
- Mockito.when(mockStore.renamePrivilege(anyString(), anyString(), anyListOf(Authorizable.class),
- anyListOf(Authorizable.class), anyString()))
- .thenThrow(new RuntimeException("Unknown error"));
-
- setup();
-
- TCreateSentryRoleRequest createrequest = new TCreateSentryRoleRequest();
- createrequest.setRequestorUserName(ADMIN_USER);
- createrequest.setRoleName("r1");
- assertEquals(Status.ALREADY_EXISTS, fromTSentryStatus(processor.create_sentry_role(createrequest).getStatus()));
-
- TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest();
- dropRequest.setRequestorUserName(ADMIN_USER);
- dropRequest.setRoleName("r1");
- assertEquals(Status.NO_SUCH_OBJECT, fromTSentryStatus(processor.drop_sentry_role(dropRequest).getStatus()));
-
- TAlterSentryRoleAddGroupsRequest addRequest = new TAlterSentryRoleAddGroupsRequest();
- addRequest.setRequestorUserName(ADMIN_USER);
- addRequest.setRoleName("r1");
- addRequest.setGroups(Sets.newHashSet("g1"));
- assertEquals(Status.NO_SUCH_OBJECT, fromTSentryStatus(processor.alter_sentry_role_add_groups(addRequest).getStatus()));
-
- TAlterSentryRoleDeleteGroupsRequest delRequest = new TAlterSentryRoleDeleteGroupsRequest();
- delRequest.setRequestorUserName(ADMIN_USER);
- delRequest.setRoleName("r1");
- delRequest.setGroups(Sets.newHashSet("g1"));
- assertEquals(Status.NO_SUCH_OBJECT, fromTSentryStatus(processor.alter_sentry_role_delete_groups(delRequest).getStatus()));
-
- TDropPrivilegesRequest dropPrivRequest = new TDropPrivilegesRequest();
- dropPrivRequest.setRequestorUserName(ADMIN_USER);
- dropPrivRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test"));
- assertEquals(Status.INVALID_INPUT, fromTSentryStatus(processor.drop_sentry_privilege(dropPrivRequest).getStatus()));
-
- TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest();
- renameRequest.setRequestorUserName(ADMIN_USER);
- assertEquals(Status.RUNTIME_ERROR, fromTSentryStatus(processor.rename_sentry_privilege(renameRequest).getStatus()));
-
- TSentryPrivilege tprivilege = new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test");
- tprivilege.setGrantOption(TSentryGrantOption.UNSET);
-
- TAlterSentryRoleGrantPrivilegeRequest grantRequest = new TAlterSentryRoleGrantPrivilegeRequest();
- grantRequest.setRequestorUserName(ADMIN_USER);
- grantRequest.setRoleName("r1");
- grantRequest.setPrivilege(tprivilege);
- assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_grant_privilege(grantRequest).getStatus()));
-
- TAlterSentryRoleRevokePrivilegeRequest revokeRequest = new TAlterSentryRoleRevokePrivilegeRequest();
- revokeRequest.setRequestorUserName(ADMIN_USER);
- revokeRequest.setRoleName("r1");
- revokeRequest.setPrivilege(tprivilege);
- assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_revoke_privilege(revokeRequest).getStatus()));
- }
-
- @Test
- public void testGetRolesAndPrivileges() throws Exception {
- String roleName = "r1";
- String groupName = "g1";
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent("SOLR")
- .setAction(SearchConstants.QUERY)
- .setService("service1")
- .setAuthorizables(Arrays.asList(new Collection("c1"), new Field("f1")))
- .build();
- PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
- .setAction(SearchConstants.UPDATE)
- .build();
-
- MSentryGMPrivilege mSentryGMPrivilege = new MSentryGMPrivilege("SOLR", "service1",
- Arrays.asList(new Collection("c1"), new Field("f1")),
- SearchConstants.QUERY, true);
-
- MSentryRole role = new MSentryRole("r1", 290);
- mSentryGMPrivilege.setRoles(Sets.newHashSet(role));
-
- Mockito.when(mockStore.getRolesByGroups(anyString(), anySetOf(String.class)))
- .thenReturn(Sets.newHashSet(roleName));
-
- Mockito.when(mockStore.getPrivilegesByProvider(anyString(), anyString(), anySetOf(String.class),
- anySetOf(String.class), anyListOf(Authorizable.class)))
- .thenReturn(Sets.newHashSet(queryPrivilege, updatePrivilege));
-
- Mockito.when(mockStore.getGroupsByRoles(anyString(), anySetOf(String.class)))
- .thenReturn(Sets.newHashSet(groupName));
-
- Mockito.when(mockStore.getPrivilegesByAuthorizable(anyString(), anyString(), anySetOf(String.class), anyListOf(Authorizable.class)))
- .thenReturn(Sets.newHashSet(mSentryGMPrivilege));
-
- Mockito.when(mockStore.getAllRoleNames())
- .thenReturn(Sets.newHashSet(roleName));
-
- TListSentryPrivilegesRequest request1 = new TListSentryPrivilegesRequest();
- request1.setRoleName(roleName);
- request1.setRequestorUserName(ADMIN_USER);
- TListSentryPrivilegesResponse response1 = processor.list_sentry_privileges_by_role(request1);
- assertEquals(Status.OK, fromTSentryStatus(response1.getStatus()));
- assertEquals(2, response1.getPrivileges().size());
-
- TListSentryRolesRequest request2 = new TListSentryRolesRequest();
- request2.setRequestorUserName(ADMIN_USER);
- request2.setGroupName(groupName);
- TListSentryRolesResponse response2 = processor.list_sentry_roles_by_group(request2);
- assertEquals(Status.OK, fromTSentryStatus(response2.getStatus()));
- assertEquals(1, response2.getRoles().size());
-
- TListSentryPrivilegesForProviderRequest request3 = new TListSentryPrivilegesForProviderRequest();
- request3.setGroups(Sets.newHashSet(groupName));
- request3.setRoleSet(new TSentryActiveRoleSet(true, null));
- TListSentryPrivilegesForProviderResponse response3 = processor.list_sentry_privileges_for_provider(request3);
- assertEquals(Status.OK, fromTSentryStatus(response3.getStatus()));
- assertEquals(2, response3.getPrivileges().size());
-
- // Optional parameters activeRoleSet and requested group name are both provided.
- TListSentryPrivilegesByAuthRequest request4 = new TListSentryPrivilegesByAuthRequest();
- request4.setGroups(Sets.newHashSet(groupName));
- request4.setRoleSet(new TSentryActiveRoleSet(true, null));
- request4.setRequestorUserName(ADMIN_USER);
- Set<String> authorizablesSet = Sets.newHashSet("Collection=c1->Field=f1");
- request4.setAuthorizablesSet(authorizablesSet);
-
- TListSentryPrivilegesByAuthResponse response4 = processor.list_sentry_privileges_by_authorizable(request4);
- assertEquals(Status.OK, fromTSentryStatus(response4.getStatus()));
- assertEquals(1, response4.getPrivilegesMapByAuth().size());
-
- // Optional parameters activeRoleSet and requested group name are both not provided.
- TListSentryPrivilegesByAuthRequest request5 = new TListSentryPrivilegesByAuthRequest();
- request5.setRequestorUserName("not_" + ADMIN_USER);
- authorizablesSet = Sets.newHashSet("Collection=c1->Field=f2");
- request5.setAuthorizablesSet(authorizablesSet);
-
- TListSentryPrivilegesByAuthResponse response5 = processor.list_sentry_privileges_by_authorizable(request5);
- assertEquals(Status.OK, fromTSentryStatus(response5.getStatus()));
- assertEquals(1, response5.getPrivilegesMapByAuth().size());
- }
-
- @Test(expected=SentrySiteConfigurationException.class)
- public void testConfigCannotCreateNotificationHandler() throws Exception {
- Configuration conf = new Configuration();
- conf.set(PolicyStoreConstants.SENTRY_GENERIC_POLICY_NOTIFICATION,"junk");
- SentryGenericPolicyProcessor.createHandlers(conf);
- }
-
- @Test(expected=SentrySiteConfigurationException.class)
- public void testConfigCannotCreateSentryStore() throws Exception {
- Configuration conf = new Configuration();
- conf.set(PolicyStoreConstants.SENTRY_GENERIC_POLICY_STORE,"junk");
- SentryGenericPolicyProcessor.createStore(conf);
- }
-
- public static class MockGroupMapping implements GroupMappingService {
- public MockGroupMapping(Configuration conf, String resource) { //NOPMD
- }
- @Override
- public Set<String> getGroups(String user) {
- if (user.equalsIgnoreCase(ADMIN_USER)) {
- return Sets.newHashSet(ADMIN_GROUP);
- } else {
- return Sets.newHashSet("not" + ADMIN_GROUP);
- }
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java
deleted file mode 100644
index b59d172..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java
+++ /dev/null
@@ -1,503 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.Field;
-import org.apache.sentry.core.model.search.SearchConstants;
-import org.junit.Test;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-
-public class TestSentryGenericServiceIntegration extends SentryGenericServiceIntegrationBase {
-
- @Test
- public void testCreateDropShowRole() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName, SOLR);
-
- client.createRole(requestorUserName, roleName, SOLR);
-
- client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(requestorUserGroupNames));
-
- Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR);
- assertEquals("Incorrect number of roles", 1, roles.size());
- for (TSentryRole role:roles) {
- assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
- }
- client.dropRole(requestorUserName, roleName, SOLR);
- }});
- }
-
- @Test
- public void testAddDeleteRoleToGroup() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String testGroupName = "g1";
- String roleName = "admin_r";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- setLocalGroupMapping(requestorUserName, Sets.newHashSet(testGroupName));
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName, SOLR);
-
- client.createRole(requestorUserName, roleName, SOLR);
-
- client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName));
-
- Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR);
- assertEquals("Incorrect number of roles", 1, roles.size());
- for (TSentryRole role:roles) {
- assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
- assertTrue(role.getGroups().size() == 1);
- for (String group :role.getGroups()) {
- assertEquals(testGroupName, group);
- }
- }
-
- client.deleteRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName));
- roles = client.listUserRoles(requestorUserName,SOLR);
- assertEquals("Incorrect number of roles", 0, roles.size());
-
- client.dropRole(requestorUserName, roleName, SOLR);
- }});
- }
-
- @Test
- public void testGranRevokePrivilege() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1, SOLR);
- client.createRole(requestorUserName, roleName1, SOLR);
-
- client.dropRoleIfExists(requestorUserName, roleName2, SOLR);
- client.createRole(requestorUserName, roleName2, SOLR);
-
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
-
- TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.UPDATE);
-
- client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
- client.grantPrivilege(requestorUserName, roleName2, SOLR, updatePrivilege);
-
- client.revokePrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
- client.revokePrivilege(requestorUserName, roleName2, SOLR, updatePrivilege);
- }});
- }
-
- @Test
- public void testMultipleRolesSamePrivilege() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1, SOLR);
- client.createRole(requestorUserName, roleName1, SOLR);
-
- client.dropRoleIfExists(requestorUserName, roleName2, SOLR);
- client.createRole(requestorUserName, roleName2, SOLR);
-
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
-
- client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1, SOLR, "service1");
- assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
-
- client.grantPrivilege(requestorUserName, roleName2, SOLR, queryPrivilege);
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, SOLR, "service1");
- assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
- }});
- }
-
- @Test
- public void testShowRoleGrant() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r1";
- String groupName = "group1";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- setLocalGroupMapping(requestorUserName, Sets.newHashSet(groupName));
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName, SOLR);
- client.createRole(requestorUserName, roleName, SOLR);
- client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(groupName));
-
- Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName,SOLR);
- assertTrue(groupRoles.size() == 1);
- for (TSentryRole role:groupRoles) {
- assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
- assertTrue(role.getGroups().size() == 1);
- for (String group :role.getGroups()) {
- assertEquals(groupName, group);
- }
- }
-
- client.dropRole(requestorUserName, roleName, SOLR);
- }});
- }
-
- @Test
- public void testShowGrant() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r1";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName, SOLR);
- client.createRole(requestorUserName, roleName, SOLR);
-
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
-
- TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.UPDATE);
-
- client.grantPrivilege(requestorUserName, roleName, SOLR, updatePrivilege);
- client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
- Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1");
- assertTrue(privileges.size() == 2);
-
- client.revokePrivilege(requestorUserName, roleName, SOLR, updatePrivilege);
- privileges = client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1");
- assertTrue(privileges.size() == 1);
- }});
- }
-
- @Test
- public void testSameGrantTwice() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
-
- client.createRole(requestorUserName, roleName, SOLR);
-
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
-
- client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
- assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1").size());
- }});
- }
-
- @Test
- public void testGrantRevokeWithGrantOption() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String adminUser = ADMIN_USER;
- Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
- String grantOptionUser = "user1";
- Set<String> grantOptionGroup = Sets.newHashSet("group1");
- String noGrantOptionUser = "user2";
- Set<String> noGrantOptionGroup = Sets.newHashSet("group2");
-
- setLocalGroupMapping(adminUser, adminGroup);
- setLocalGroupMapping(grantOptionUser, grantOptionGroup);
- setLocalGroupMapping(noGrantOptionUser, noGrantOptionGroup);
- writePolicyFile();
-
- String grantRole = "grant_r";
- String noGrantRole = "no_grant_r";
- String testRole = "test_role";
-
- client.createRole(adminUser, grantRole, SOLR);
- client.createRole(adminUser, noGrantRole, SOLR);
- client.createRole(adminUser, testRole, SOLR);
-
- TSentryPrivilege grantPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"))),
- SearchConstants.QUERY);
- grantPrivilege.setGrantOption(TSentryGrantOption.TRUE);
-
- TSentryPrivilege noGrantPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"))),
- SearchConstants.QUERY);
- noGrantPrivilege.setGrantOption(TSentryGrantOption.FALSE);
-
- TSentryPrivilege testPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
- testPrivilege.setGrantOption(TSentryGrantOption.FALSE);
-
- client.grantPrivilege(adminUser, grantRole, SOLR, grantPrivilege);
- client.grantPrivilege(adminUser, noGrantRole, SOLR, noGrantPrivilege);
-
- client.addRoleToGroups(adminUser, grantRole, SOLR, grantOptionGroup);
- client.addRoleToGroups(adminUser, noGrantRole, SOLR, noGrantOptionGroup);
-
- try {
- client.grantPrivilege(grantOptionUser,testRole,SOLR, testPrivilege);
- } catch (SentryUserException e) {
- fail("grantOptionUser failed grant privilege to user");
- }
-
- try {
- client.grantPrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege);
- fail("noGrantOptionUser can't grant privilege to user");
- } catch (SentryUserException e) {
- }
-
- try {
- client.revokePrivilege(grantOptionUser, testRole, SOLR, testPrivilege);
- } catch(SentryUserException e) {
- fail("grantOptionUser failed revoke privilege to user");
- }
-
- try {
- client.revokePrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege);
- fail("noGrantOptionUser can't revoke privilege to user");
- } catch (SentryUserException e) {
- }
- }});
- }
-
- @Test
- public void testGetPrivilegeByHierarchy() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String adminUser = ADMIN_USER;
- Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
- String testRole = "role1";
- Set<String> testGroup = Sets.newHashSet("group1");
- String testUser = "user1";
- setLocalGroupMapping(adminUser, adminGroup);
- setLocalGroupMapping(testUser, testGroup);
- writePolicyFile();
-
-
- client.createRole(adminUser, testRole, SOLR);
- client.addRoleToGroups(adminUser, testRole, SOLR, testGroup);
-
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
-
- TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))),
- SearchConstants.UPDATE);
-
- client.grantPrivilege(adminUser, testRole, SOLR, queryPrivilege);
- client.grantPrivilege(adminUser, testRole, SOLR, updatePrivilege);
-
- assertEquals(2, client.listPrivilegesByRoleName(testUser, testRole, SOLR, "service1").size());
-
- assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
- SOLR, "service1", Arrays.asList(new Collection("c1"))).size());
-
- assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
- SOLR, "service1", Arrays.asList(new Collection("c2"))).size());
-
- assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
- SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
-
- assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
- SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
-
- //test listPrivilegesForProvider by group(testGroup)
- ActiveRoleSet roleSet = ActiveRoleSet.ALL;
-
- assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
- testGroup, Arrays.asList(new Collection("c1"))).size());
-
- assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
- testGroup, Arrays.asList(new Collection("c2"))).size());
-
- assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
- testGroup, Arrays.asList(new Collection("c1"), new Field("f1"))).size());
-
- assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
- testGroup, Arrays.asList(new Collection("c2"), new Field("f2"))).size());
- }});
- }
-
- @Test
- public void testGetPrivilegeByAuthorizable() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String adminUser = ADMIN_USER;
- Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
- String testRole = "role1";
- Set<String> testGroup = Sets.newHashSet("group1");
- String testUser = "user1";
- setLocalGroupMapping(adminUser, adminGroup);
- setLocalGroupMapping(testUser, testGroup);
- writePolicyFile();
-
- client.createRole(adminUser, testRole, SOLR);
- client.addRoleToGroups(adminUser, testRole, SOLR, adminGroup);
-
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
-
- TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f2"))),
- SearchConstants.UPDATE);
-
- client.grantPrivilege(adminUser, testRole, SOLR, queryPrivilege);
- client.grantPrivilege(adminUser, testRole, SOLR, updatePrivilege);
-
- //test listPrivilegsbyAuthorizable without requested group and active role set.
- assertEquals(1, client.listPrivilegsbyAuthorizable(SOLR, "service1", adminUser,
- Sets.newHashSet(new String("Collection=c1->Field=f1")), null, null).size());
-
- //test listPrivilegsbyAuthorizable with requested group (testGroup)
- Map<String, TSentryPrivilegeMap> privilegeMap = client.listPrivilegsbyAuthorizable(SOLR,
- "service1", adminUser, Sets.newHashSet(new String("Collection=c1->Field=f1")), testGroup, null);
- TSentryPrivilegeMap actualMap = privilegeMap.get(new String("Collection=c1->Field=f1"));
- assertEquals(0, actualMap.getPrivilegeMap().size());
-
- //test listPrivilegsbyAuthorizable with active role set.
- ActiveRoleSet roleSet = ActiveRoleSet.ALL;
- assertEquals(1, client.listPrivilegsbyAuthorizable(SOLR, "service1", adminUser,
- Sets.newHashSet(new String("Collection=c1->Field=f1")), null, roleSet).size());
- privilegeMap = client.listPrivilegsbyAuthorizable(SOLR,
- "service1", adminUser, Sets.newHashSet(new String("Collection=c1->Field=f1")), null, roleSet);
- actualMap = privilegeMap.get(new String("Collection=c1->Field=f1"));
- assertEquals(1, actualMap.getPrivilegeMap().size());
-
- privilegeMap = client.listPrivilegsbyAuthorizable(SOLR,
- "service1", testUser, Sets.newHashSet(new String("Collection=c1->Field=f1")), null, roleSet);
- actualMap = privilegeMap.get(new String("Collection=c1->Field=f1"));
- assertEquals(0, actualMap.getPrivilegeMap().size());
-
- // grant tesRole to testGroup.
- client.addRoleToGroups(adminUser, testRole, SOLR, testGroup);
-
- privilegeMap = client.listPrivilegsbyAuthorizable(SOLR,
- "service1", testUser, Sets.newHashSet(new String("Collection=c1")), null, roleSet);
- actualMap = privilegeMap.get(new String("Collection=c1"));
- assertEquals(1, actualMap.getPrivilegeMap().size());
- assertEquals(2, actualMap.getPrivilegeMap().get(testRole).size());
- }});
- }
-
- @Test
- public void testDropAndRenamePrivilege() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
-
- client.createRole(requestorUserName, roleName, SOLR);
-
- TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
- SearchConstants.QUERY);
- client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
-
- assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName,
- SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
-
- assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
- SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
-
- client.renamePrivilege(requestorUserName, SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
- Arrays.asList(new Collection("c2"), new Field("f2")));
-
- assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
- SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
-
- assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName,
- SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
-
- TSentryPrivilege dropPrivilege = new TSentryPrivilege(SOLR, "service1",
- fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))),
- SearchConstants.QUERY);
-
- client.dropPrivilege(requestorUserName, SOLR, dropPrivilege);
-
- assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
- SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
- }});
- }
-
- private List<TAuthorizable> fromAuthorizable(List<? extends Authorizable> authorizables) {
- List<TAuthorizable> tAuthorizables = Lists.newArrayList();
- for (Authorizable authorizable : authorizables) {
- tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
- }
- return tAuthorizables;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
deleted file mode 100644
index d199d20..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
+++ /dev/null
@@ -1,261 +0,0 @@
- /**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.io.Files;
-import com.google.common.collect.Sets;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-public class TestSentryConfigToolSolr extends SentryGenericServiceIntegrationBase {
- private static String RESOURCES_DIR = "target" + File.separator + "test-classes" + File.separator;
- private static String VALID_POLICY_INI = RESOURCES_DIR + "solr_config_import_tool.ini";
- private static String INVALID_POLICY_INI = RESOURCES_DIR + "solr_invalid.ini";
- private static String CASE_POLICY_INI = RESOURCES_DIR + "solr_case.ini";
- private File confDir;
- private File confPath;
- private String requestorName = "";
- private String service = "service1";
-
- @Before
- public void prepareForTest() throws Exception {
- confDir = Files.createTempDir();
- confPath = new File(confDir, "sentry-site.xml");
- if (confPath.createNewFile()) {
- FileOutputStream to = new FileOutputStream(confPath);
- conf.writeXml(to);
- to.close();
- }
- requestorName = clientUgi.getShortUserName();//System.getProperty("user.name", "");
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorName, requestorUserGroupNames);
- // add ADMIN_USER for the after() in SentryServiceIntegrationBase
- setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
- writePolicyFile();
- }
-
- @After
- public void clearTestData() throws Exception {
- FileUtils.deleteQuietly(confDir);
-
- // clear roles and privileges
- Set<TSentryRole> tRoles = client.listAllRoles(requestorName, SOLR);
- for (TSentryRole tRole : tRoles) {
- String role = tRole.getRoleName();
- Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(
- requestorName, role, SOLR, service);
- for (TSentryPrivilege privilege : privileges) {
- client.revokePrivilege(requestorName, role, SOLR, privilege);
- }
- client.dropRole(requestorName, role, SOLR);
- }
- }
-
- @Test
- public void testConvertIni() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String[] args = { "-p", VALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i"};
- SentryConfigToolSolr sentryTool = new SentryConfigToolSolr();
- sentryTool.executeConfigTool(args);
-
- Map<String, Set<String>> groupMapping = new HashMap<String, Set<String>>();
- groupMapping.put("corporal_role", Sets.newHashSet("corporal", "sergeant", "general", "commander_in_chief"));
- groupMapping.put("sergeant_role", Sets.newHashSet("sergeant", "general", "commander_in_chief"));
- groupMapping.put("general_role", Sets.newHashSet("general", "commander_in_chief"));
- groupMapping.put("commander_in_chief_role", Sets.newHashSet("commander_in_chief"));
-
- Map<String, Set<String>> privilegeMapping = new HashMap<String, Set<String>>();
- privilegeMapping.put("corporal_role",
- Sets.newHashSet("Collection=info->action=query", "Collection=info->action=update"));
- privilegeMapping.put("sergeant_role",
- Sets.newHashSet("Collection=info->action=update"));
- privilegeMapping.put("general_role",
- Sets.newHashSet("Collection=info->action=*"));
- privilegeMapping.put("commander_in_chief_role",
- Sets.newHashSet("Collection=*->action=*"));
-
- // check roles
- Set<TSentryRole> tRoles = client.listAllRoles(requestorName, SOLR);
- assertEquals("Unexpected number of roles", groupMapping.keySet().size(), tRoles.size());
- Set<String> roles = new HashSet<String>();
- for (TSentryRole tRole : tRoles) {
- roles.add(tRole.getRoleName());
- }
-
- for (String expectedRole : groupMapping.keySet()) {
- assertTrue("Didn't find expected role: " + expectedRole, roles.contains(expectedRole));
- }
-
- // check groups
- for (TSentryRole tRole : tRoles) {
- Set<String> expectedGroups = groupMapping.get(tRole.getRoleName());
- assertEquals("Group size doesn't match for role: " + tRole.getRoleName(),
- expectedGroups.size(), tRole.getGroups().size());
- assertTrue("Group does not contain all expected members for role: " + tRole.getRoleName(),
- tRole.getGroups().containsAll(expectedGroups));
- }
-
- // check privileges
- SolrTSentryPrivilegeConverter convert = new SolrTSentryPrivilegeConverter(SOLR, service);
- for (String role : roles) {
- Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(
- requestorName, role, SOLR, service);
- Set<String> expectedPrivileges = privilegeMapping.get(role);
- assertEquals("Privilege set size doesn't match for role: " + role,
- expectedPrivileges.size(), privileges.size());
-
- Set<String> privilegeStrs = new HashSet<String>();
- for (TSentryPrivilege privilege : privileges) {
- privilegeStrs.add(convert.toString(privilege));
- }
-
- for (String expectedPrivilege : expectedPrivileges) {
- assertTrue("Did not find expected privilege: " + expectedPrivilege,
- privilegeStrs.contains(expectedPrivilege));
- }
- }
- }
- });
- }
-
- @Test
- public void testNoPolicyFile() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String[] args = { "-p", INVALID_POLICY_INI + "Foobar", "-conf", confPath.getAbsolutePath(), "-v", "-i"};
- SentryConfigToolSolr sentryTool = new SentryConfigToolSolr();
- try {
- sentryTool.executeConfigTool(args);
- fail("Exception should be thrown for nonexistant ini");
- } catch (SentryConfigurationException e) {
- // expected exception
- }
- }
- });
- }
-
- @Test
- public void testNoValidateNorImport() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String[] args = { "-p", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath()};
- SentryConfigToolSolr sentryTool = new SentryConfigToolSolr();
- try {
- sentryTool.executeConfigTool(args);
- fail("Exception should be thrown for validating invalid ini");
- } catch (IllegalArgumentException e) {
- // expected exception
- }
- }
- });
- }
-
- @Test
- public void testConvertInvalidIni() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // test: validate an invalid ini
- String[] args = { "-p", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i"};
- SentryConfigToolSolr sentryTool = new SentryConfigToolSolr();
- try {
- sentryTool.executeConfigTool(args);
- fail("Exception should be thrown for validating invalid ini");
- } catch (SentryConfigurationException e) {
- // expected exception
- }
-
- // test without validating, should not error
- args = new String[] { "-p", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-i"};
- sentryTool = new SentryConfigToolSolr();
- sentryTool.executeConfigTool(args);
- }
- });
- }
-
- @Test
- public void testCompatCheck() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // test: validate an invalid ini
- String[] args = { "-p", CASE_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i", "-c"};
- SentryConfigToolSolr sentryTool = new SentryConfigToolSolr();
- try {
- sentryTool.executeConfigTool(args);
- fail("Exception should be thrown for validating invalid ini");
- } catch (SentryConfigurationException e) {
- assertEquals("Expected error", 1, e.getConfigErrors().size());
- String error = e.getConfigErrors().get(0);
- assertCasedRoleNamesInMessage(error, "RoLe1", "rOlE1");
- String warning = e.getConfigWarnings().get(0);
- assertCasedRoleNamesInMessage(warning, "ROLE2", "RoLe1", "rOlE1");
- assertEquals("Expected warning", 1, e.getConfigWarnings().size());
- }
-
- // test without compat checking
- args = new String[] { "-p", CASE_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-i", "-v"};
- sentryTool = new SentryConfigToolSolr();
- sentryTool.executeConfigTool(args);
- }
- });
- }
-
- // Test that a valid compat check doesn't throw an exception
- @Test
- public void testCompatCheckValid() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String[] args = { "-p", VALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i", "-c"};
- SentryConfigToolSolr sentryTool = new SentryConfigToolSolr();
- sentryTool.executeConfigTool(args);
- }
- });
- }
-
- private void assertCasedRoleNamesInMessage(String message, String ... casedRoleNames) {
- for (String casedRoleName : casedRoleNames) {
- assertTrue("Expected cased role name: " + casedRoleName, message.contains(casedRoleName));
- }
- }
-}
[19/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
new file mode 100644
index 0000000..3adf273
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -0,0 +1,2672 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.UUID;
+import java.util.concurrent.locks.Condition;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.jdo.FetchGroup;
+import javax.jdo.JDODataStoreException;
+import javax.jdo.JDOHelper;
+import javax.jdo.PersistenceManager;
+import javax.jdo.PersistenceManagerFactory;
+import javax.jdo.Query;
+import javax.jdo.Transaction;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
+import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
+import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
+import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
+import org.apache.sentry.core.common.exception.SentryInvalidInputException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.provider.db.service.model.MSentryGroup;
+import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryUser;
+import org.apache.sentry.provider.db.service.model.MSentryVersion;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor;
+import org.apache.sentry.provider.db.service.thrift.TSentryActiveRoleSet;
+import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
+import org.apache.sentry.provider.db.service.thrift.TSentryMappingData;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilegeMap;
+import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.datanucleus.store.rdbms.exceptions.MissingTableException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.codahale.metrics.Gauge;
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Function;
+import com.google.common.base.Joiner;
+import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
+import com.google.common.collect.Collections2;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+
+/**
+ * SentryStore is the data access object for Sentry data. Strings
+ * such as role and group names will be normalized to lowercase
+ * in addition to starting and ending whitespace.
+ */
+public class SentryStore {
+ private static final UUID SERVER_UUID = UUID.randomUUID();
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(SentryStore.class);
+
+ public static final String NULL_COL = "__NULL__";
+ public static int INDEX_GROUP_ROLES_MAP = 0;
+ public static int INDEX_USER_ROLES_MAP = 1;
+ static final String DEFAULT_DATA_DIR = "sentry_policy_db";
+
+ private static final Set<String> ALL_ACTIONS = Sets.newHashSet(AccessConstants.ALL,
+ AccessConstants.SELECT, AccessConstants.INSERT, AccessConstants.ALTER,
+ AccessConstants.CREATE, AccessConstants.DROP, AccessConstants.INDEX,
+ AccessConstants.LOCK);
+
+ // Now partial revoke just support action with SELECT,INSERT and ALL.
+ // e.g. If we REVOKE SELECT from a privilege with action ALL, it will leads to INSERT
+ // Otherwise, if we revoke other privilege(e.g. ALTER,DROP...), we will remove it from a role directly.
+ private static final Set<String> PARTIAL_REVOKE_ACTIONS = Sets.newHashSet(AccessConstants.ALL,
+ AccessConstants.ACTION_ALL.toLowerCase(), AccessConstants.SELECT, AccessConstants.INSERT);
+
+ /**
+ * Commit order sequence id. This is used by notification handlers
+ * to know the order in which events where committed to the database.
+ * This instance variable is incremented in incrementGetSequenceId
+ * and read in commitUpdateTransaction. Synchronization on this
+ * is required to read commitSequenceId.
+ */
+ private long commitSequenceId;
+ private final PersistenceManagerFactory pmf;
+ private Configuration conf;
+ private PrivCleaner privCleaner = null;
+ private Thread privCleanerThread = null;
+
+ public SentryStore(Configuration conf) throws SentryNoSuchObjectException,
+ SentryAccessDeniedException, SentrySiteConfigurationException, IOException {
+ commitSequenceId = 0;
+ this.conf = conf;
+ Properties prop = new Properties();
+ prop.putAll(ServerConfig.SENTRY_STORE_DEFAULTS);
+ String jdbcUrl = conf.get(ServerConfig.SENTRY_STORE_JDBC_URL, "").trim();
+ Preconditions.checkArgument(!jdbcUrl.isEmpty(), "Required parameter " +
+ ServerConfig.SENTRY_STORE_JDBC_URL + " is missed");
+ String user = conf.get(ServerConfig.SENTRY_STORE_JDBC_USER, ServerConfig.
+ SENTRY_STORE_JDBC_USER_DEFAULT).trim();
+ //Password will be read from Credential provider specified using property
+ // CREDENTIAL_PROVIDER_PATH("hadoop.security.credential.provider.path" in sentry-site.xml
+ // it falls back to reading directly from sentry-site.xml
+ char[] passTmp = conf.getPassword(ServerConfig.SENTRY_STORE_JDBC_PASS);
+ String pass = null;
+ if(passTmp != null) {
+ pass = new String(passTmp);
+ } else {
+ throw new SentrySiteConfigurationException("Error reading " + ServerConfig.SENTRY_STORE_JDBC_PASS);
+ }
+
+ String driverName = conf.get(ServerConfig.SENTRY_STORE_JDBC_DRIVER,
+ ServerConfig.SENTRY_STORE_JDBC_DRIVER_DEFAULT);
+ prop.setProperty(ServerConfig.JAVAX_JDO_URL, jdbcUrl);
+ prop.setProperty(ServerConfig.JAVAX_JDO_USER, user);
+ prop.setProperty(ServerConfig.JAVAX_JDO_PASS, pass);
+ prop.setProperty(ServerConfig.JAVAX_JDO_DRIVER_NAME, driverName);
+ for (Map.Entry<String, String> entry : conf) {
+ String key = entry.getKey();
+ if (key.startsWith(ServerConfig.SENTRY_JAVAX_JDO_PROPERTY_PREFIX) ||
+ key.startsWith(ServerConfig.SENTRY_DATANUCLEUS_PROPERTY_PREFIX)) {
+ key = StringUtils.removeStart(key, ServerConfig.SENTRY_DB_PROPERTY_PREFIX);
+ prop.setProperty(key, entry.getValue());
+ }
+ }
+
+
+ boolean checkSchemaVersion = conf.get(
+ ServerConfig.SENTRY_VERIFY_SCHEM_VERSION,
+ ServerConfig.SENTRY_VERIFY_SCHEM_VERSION_DEFAULT).equalsIgnoreCase(
+ "true");
+ if (!checkSchemaVersion) {
+ prop.setProperty("datanucleus.schema.autoCreateAll", "true");
+ prop.setProperty("datanucleus.autoCreateSchema", "true");
+ prop.setProperty("datanucleus.fixedDatastore", "false");
+ }
+
+ // Disallow operations outside of transactions
+ prop.setProperty("datanucleus.NontransactionalRead", "false");
+ prop.setProperty("datanucleus.NontransactionalWrite", "false");
+
+ pmf = JDOHelper.getPersistenceManagerFactory(prop);
+ verifySentryStoreSchema(checkSchemaVersion);
+
+ // Kick off the thread that cleans orphaned privileges (unless told not to)
+ privCleaner = this.new PrivCleaner();
+ if (conf.get(ServerConfig.SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL,
+ ServerConfig.SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL_DEFAULT)
+ .equalsIgnoreCase("true")) {
+ privCleanerThread = new Thread(privCleaner);
+ privCleanerThread.start();
+ }
+ }
+
+ // ensure that the backend DB schema is set
+ public void verifySentryStoreSchema(boolean checkVersion)
+ throws SentryNoSuchObjectException, SentryAccessDeniedException {
+ if (!checkVersion) {
+ setSentryVersion(SentryStoreSchemaInfo.getSentryVersion(),
+ "Schema version set implicitly");
+ } else {
+ String currentVersion = getSentryVersion();
+ if (!SentryStoreSchemaInfo.getSentryVersion().equals(currentVersion)) {
+ throw new SentryAccessDeniedException(
+ "The Sentry store schema version " + currentVersion
+ + " is different from distribution version "
+ + SentryStoreSchemaInfo.getSentryVersion());
+ }
+ }
+ }
+
+ public synchronized void stop() {
+ if (privCleanerThread != null) {
+ privCleaner.exit();
+ try {
+ privCleanerThread.join();
+ } catch (InterruptedException e) {
+ // Ignore...
+ }
+ }
+ if (pmf != null) {
+ pmf.close();
+ }
+ }
+
+ /**
+ * PersistenceManager object and Transaction object have a one to one
+ * correspondence. Each PersistenceManager object is associated with a
+ * transaction object and vice versa. Hence we create a persistence manager
+ * instance when we create a new transaction. We create a new transaction
+ * for every store API since we want that unit of work to behave as a
+ * transaction.
+ *
+ * Note that there's only one instance of PersistenceManagerFactory object
+ * for the service.
+ *
+ * Synchronized because we obtain persistence manager
+ */
+ public synchronized PersistenceManager openTransaction() {
+ PersistenceManager pm = pmf.getPersistenceManager();
+ Transaction currentTransaction = pm.currentTransaction();
+ currentTransaction.begin();
+ return pm;
+ }
+
+ /**
+ * Synchronized due to sequence id generation
+ */
+ public synchronized CommitContext commitUpdateTransaction(PersistenceManager pm) {
+ commitTransaction(pm);
+ return new CommitContext(SERVER_UUID, incrementGetSequenceId());
+ }
+
+ /**
+ * Increments commitSequenceId which should not be modified outside
+ * this method.
+ *
+ * @return sequence id
+ */
+ private synchronized long incrementGetSequenceId() {
+ return ++commitSequenceId;
+ }
+
+ public void commitTransaction(PersistenceManager pm) {
+ Transaction currentTransaction = pm.currentTransaction();
+ try {
+ Preconditions.checkState(currentTransaction.isActive(), "Transaction is not active");
+ currentTransaction.commit();
+ } finally {
+ pm.close();
+ }
+ }
+
+ public void rollbackTransaction(PersistenceManager pm) {
+ if (pm == null || pm.isClosed()) {
+ return;
+ }
+ Transaction currentTransaction = pm.currentTransaction();
+ if (currentTransaction.isActive()) {
+ try {
+ currentTransaction.rollback();
+ } finally {
+ pm.close();
+ }
+ }
+ }
+ /**
+ Get the MSentry object from roleName
+ Note: Should be called inside a transaction
+ */
+ public MSentryRole getMSentryRole(PersistenceManager pm, String roleName) {
+ Query query = pm.newQuery(MSentryRole.class);
+ query.setFilter("this.roleName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ return (MSentryRole) query.execute(roleName);
+ }
+
+ /**
+ * Normalize the string values
+ */
+ private String trimAndLower(String input) {
+ return input.trim().toLowerCase();
+ }
+ /**
+ * Create a sentry role and persist it.
+ * @param roleName: Name of the role being persisted
+ * @returns commit context used for notification handlers
+ * @throws SentryAlreadyExistsException
+ */
+ public CommitContext createSentryRole(String roleName)
+ throws SentryAlreadyExistsException {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ createSentryRoleCore(pm, roleName);
+ CommitContext commit = commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commit;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ private void createSentryRoleCore(PersistenceManager pm, String roleName)
+ throws SentryAlreadyExistsException {
+ String trimmedRoleName = trimAndLower(roleName);
+ MSentryRole mSentryRole = getMSentryRole(pm, trimmedRoleName);
+ if (mSentryRole == null) {
+ MSentryRole mRole = new MSentryRole(trimmedRoleName, System.currentTimeMillis());
+ pm.makePersistent(mRole);
+ } else {
+ throw new SentryAlreadyExistsException("Role: " + trimmedRoleName);
+ }
+ }
+
+ private <T> Long getCount(Class<T> tClass) {
+ PersistenceManager pm = null;
+ Long size = Long.valueOf(-1);
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery();
+ query.setClass(tClass);
+ query.setResult("count(this)");
+ size = (Long)query.execute();
+
+ } finally {
+ if (pm != null) {
+ commitTransaction(pm);
+ }
+ }
+ return size;
+ }
+ public Gauge<Long> getRoleCountGauge() {
+ return new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return getCount(MSentryRole.class);
+ }
+ };
+ }
+
+ public Gauge<Long> getPrivilegeCountGauge() {
+ return new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return getCount(MSentryPrivilege.class);
+ }
+ };
+ }
+
+ public Gauge<Long> getGroupCountGauge() {
+ return new Gauge< Long >() {
+ @Override
+ public Long getValue() {
+ return getCount(MSentryGroup.class);
+ }
+ };
+ }
+
+ public Gauge<Long> getUserCountGauge() {
+ return new Gauge<Long>() {
+ @Override
+ public Long getValue() {
+ return getCount(MSentryUser.class);
+ }
+ };
+ }
+
+ /**
+ * Lets the test code know how many privs are in the db, so that we know
+ * if they are in fact being cleaned up when not being referenced any more.
+ * @return The number of rows in the db priv table.
+ */
+ @VisibleForTesting
+ long countMSentryPrivileges() {
+ return getCount(MSentryPrivilege.class);
+ }
+
+ @VisibleForTesting
+ void clearAllTables() {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ pm.newQuery(MSentryRole.class).deletePersistentAll();
+ pm.newQuery(MSentryGroup.class).deletePersistentAll();
+ pm.newQuery(MSentryUser.class).deletePersistentAll();
+ pm.newQuery(MSentryPrivilege.class).deletePersistentAll();
+ commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ public CommitContext alterSentryRoleGrantPrivilege(String grantorPrincipal,
+ String roleName, TSentryPrivilege privilege)
+ throws SentryUserException {
+ return alterSentryRoleGrantPrivileges(grantorPrincipal,
+ roleName, Sets.newHashSet(privilege));
+ }
+
+ public CommitContext alterSentryRoleGrantPrivileges(String grantorPrincipal,
+ String roleName, Set<TSentryPrivilege> privileges)
+ throws SentryUserException {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ String trimmedRoleName = trimAndLower(roleName);
+ try {
+ pm = openTransaction();
+ for (TSentryPrivilege privilege : privileges) {
+ // first do grant check
+ grantOptionCheck(pm, grantorPrincipal, privilege);
+
+ MSentryPrivilege mPrivilege = alterSentryRoleGrantPrivilegeCore(pm, trimmedRoleName, privilege);
+
+ if (mPrivilege != null) {
+ convertToTSentryPrivilege(mPrivilege, privilege);
+ }
+ }
+ CommitContext commit = commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commit;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ private MSentryPrivilege alterSentryRoleGrantPrivilegeCore(PersistenceManager pm,
+ String roleName, TSentryPrivilege privilege)
+ throws SentryNoSuchObjectException, SentryInvalidInputException {
+ MSentryPrivilege mPrivilege = null;
+ MSentryRole mRole = getMSentryRole(pm, roleName);
+ if (mRole == null) {
+ throw new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist");
+ } else {
+
+ if (!isNULL(privilege.getColumnName()) || !isNULL(privilege.getTableName())
+ || !isNULL(privilege.getDbName())) {
+ // If Grant is for ALL and Either INSERT/SELECT already exists..
+ // need to remove it and GRANT ALL..
+ if (AccessConstants.ALL.equalsIgnoreCase(privilege.getAction())
+ || AccessConstants.ACTION_ALL.equalsIgnoreCase(privilege.getAction())) {
+ TSentryPrivilege tNotAll = new TSentryPrivilege(privilege);
+ tNotAll.setAction(AccessConstants.SELECT);
+ MSentryPrivilege mSelect = getMSentryPrivilege(tNotAll, pm);
+ tNotAll.setAction(AccessConstants.INSERT);
+ MSentryPrivilege mInsert = getMSentryPrivilege(tNotAll, pm);
+ if (mSelect != null && mRole.getPrivileges().contains(mSelect)) {
+ mSelect.removeRole(mRole);
+ privCleaner.incPrivRemoval();
+ pm.makePersistent(mSelect);
+ }
+ if (mInsert != null && mRole.getPrivileges().contains(mInsert)) {
+ mInsert.removeRole(mRole);
+ privCleaner.incPrivRemoval();
+ pm.makePersistent(mInsert);
+ }
+ } else {
+ // If Grant is for Either INSERT/SELECT and ALL already exists..
+ // do nothing..
+ TSentryPrivilege tAll = new TSentryPrivilege(privilege);
+ tAll.setAction(AccessConstants.ALL);
+ MSentryPrivilege mAll1 = getMSentryPrivilege(tAll, pm);
+ tAll.setAction(AccessConstants.ACTION_ALL);
+ MSentryPrivilege mAll2 = getMSentryPrivilege(tAll, pm);
+ if (mAll1 != null && mRole.getPrivileges().contains(mAll1)) {
+ return null;
+ }
+ if (mAll2 != null && mRole.getPrivileges().contains(mAll2)) {
+ return null;
+ }
+ }
+ }
+
+ mPrivilege = getMSentryPrivilege(privilege, pm);
+ if (mPrivilege == null) {
+ mPrivilege = convertToMSentryPrivilege(privilege);
+ }
+ mPrivilege.appendRole(mRole);
+ pm.makePersistent(mRole);
+ pm.makePersistent(mPrivilege);
+ }
+ return mPrivilege;
+ }
+
+ public CommitContext alterSentryRoleRevokePrivilege(String grantorPrincipal,
+ String roleName, TSentryPrivilege tPrivilege) throws SentryUserException {
+ return alterSentryRoleRevokePrivileges(grantorPrincipal,
+ roleName, Sets.newHashSet(tPrivilege));
+ }
+
+ public CommitContext alterSentryRoleRevokePrivileges(String grantorPrincipal,
+ String roleName, Set<TSentryPrivilege> tPrivileges) throws SentryUserException {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ String trimmedRoleName = safeTrimLower(roleName);
+ try {
+ pm = openTransaction();
+ for (TSentryPrivilege tPrivilege : tPrivileges) {
+ // first do revoke check
+ grantOptionCheck(pm, grantorPrincipal, tPrivilege);
+
+ alterSentryRoleRevokePrivilegeCore(pm, trimmedRoleName, tPrivilege);
+ }
+
+ CommitContext commit = commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commit;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ private void alterSentryRoleRevokePrivilegeCore(PersistenceManager pm,
+ String roleName, TSentryPrivilege tPrivilege)
+ throws SentryNoSuchObjectException, SentryInvalidInputException {
+ Query query = pm.newQuery(MSentryRole.class);
+ query.setFilter("this.roleName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ MSentryRole mRole = (MSentryRole) query.execute(roleName);
+ if (mRole == null) {
+ throw new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist");
+ } else {
+ query = pm.newQuery(MSentryPrivilege.class);
+ MSentryPrivilege mPrivilege = getMSentryPrivilege(tPrivilege, pm);
+ if (mPrivilege == null) {
+ mPrivilege = convertToMSentryPrivilege(tPrivilege);
+ } else {
+ mPrivilege = (MSentryPrivilege) pm.detachCopy(mPrivilege);
+ }
+
+ Set<MSentryPrivilege> privilegeGraph = Sets.newHashSet();
+ if (mPrivilege.getGrantOption() != null) {
+ privilegeGraph.add(mPrivilege);
+ } else {
+ MSentryPrivilege mTure = new MSentryPrivilege(mPrivilege);
+ mTure.setGrantOption(true);
+ privilegeGraph.add(mTure);
+ MSentryPrivilege mFalse = new MSentryPrivilege(mPrivilege);
+ mFalse.setGrantOption(false);
+ privilegeGraph.add(mFalse);
+ }
+ // Get the privilege graph
+ populateChildren(pm, Sets.newHashSet(roleName), mPrivilege, privilegeGraph);
+ for (MSentryPrivilege childPriv : privilegeGraph) {
+ revokePrivilegeFromRole(pm, tPrivilege, mRole, childPriv);
+ }
+ pm.makePersistent(mRole);
+ }
+ }
+
+ /**
+ * Roles can be granted ALL, SELECT, and INSERT on tables. When
+ * a role has ALL and SELECT or INSERT are revoked, we need to remove the ALL
+ * privilege and add SELECT (INSERT was revoked) or INSERT (SELECT was revoked).
+ */
+ private void revokePartial(PersistenceManager pm,
+ TSentryPrivilege requestedPrivToRevoke, MSentryRole mRole,
+ MSentryPrivilege currentPrivilege) throws SentryInvalidInputException {
+ MSentryPrivilege persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm);
+ if (persistedPriv == null) {
+ persistedPriv = convertToMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege));
+ }
+
+ if (requestedPrivToRevoke.getAction().equalsIgnoreCase("ALL") || requestedPrivToRevoke.getAction().equalsIgnoreCase("*")) {
+ persistedPriv.removeRole(mRole);
+ privCleaner.incPrivRemoval();
+ pm.makePersistent(persistedPriv);
+ } else if (requestedPrivToRevoke.getAction().equalsIgnoreCase(AccessConstants.SELECT)
+ && !currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.INSERT)) {
+ revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, AccessConstants.INSERT);
+ } else if (requestedPrivToRevoke.getAction().equalsIgnoreCase(AccessConstants.INSERT)
+ && !currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.SELECT)) {
+ revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, AccessConstants.SELECT);
+ }
+ }
+
+ private void revokeRolePartial(PersistenceManager pm, MSentryRole mRole,
+ MSentryPrivilege currentPrivilege, MSentryPrivilege persistedPriv, String addAction)
+ throws SentryInvalidInputException {
+ // If table / URI, remove ALL
+ persistedPriv.removeRole(mRole);
+ privCleaner.incPrivRemoval();
+ pm.makePersistent(persistedPriv);
+
+ currentPrivilege.setAction(AccessConstants.ALL);
+ persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm);
+ if (persistedPriv != null && mRole.getPrivileges().contains(persistedPriv)) {
+ persistedPriv.removeRole(mRole);
+ privCleaner.incPrivRemoval();
+ pm.makePersistent(persistedPriv);
+
+ currentPrivilege.setAction(addAction);
+ persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm);
+ if (persistedPriv == null) {
+ persistedPriv = convertToMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege));
+ mRole.appendPrivilege(persistedPriv);
+ }
+ persistedPriv.appendRole(mRole);
+ pm.makePersistent(persistedPriv);
+ }
+ }
+
+ /**
+ * Revoke privilege from role
+ */
+ private void revokePrivilegeFromRole(PersistenceManager pm, TSentryPrivilege tPrivilege,
+ MSentryRole mRole, MSentryPrivilege mPrivilege) throws SentryInvalidInputException {
+ if (PARTIAL_REVOKE_ACTIONS.contains(mPrivilege.getAction())) {
+ // if this privilege is in {ALL,SELECT,INSERT}
+ // we will do partial revoke
+ revokePartial(pm, tPrivilege, mRole, mPrivilege);
+ } else {
+ // if this privilege is not ALL, SELECT nor INSERT,
+ // we will revoke it from role directly
+ MSentryPrivilege persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(mPrivilege), pm);
+ if (persistedPriv != null) {
+ mPrivilege.removeRole(mRole);
+ privCleaner.incPrivRemoval();
+ pm.makePersistent(mPrivilege);
+ }
+ }
+ }
+
+ /**
+ * Explore Privilege graph and collect child privileges.
+ * The responsibility to commit/rollback the transaction should be handled by the caller.
+ */
+ private void populateChildren(PersistenceManager pm, Set<String> roleNames, MSentryPrivilege priv,
+ Set<MSentryPrivilege> children) throws SentryInvalidInputException {
+ Preconditions.checkNotNull(pm);
+ if (!isNULL(priv.getServerName()) || !isNULL(priv.getDbName())
+ || !isNULL(priv.getTableName())) {
+ // Get all TableLevel Privs
+ Set<MSentryPrivilege> childPrivs = getChildPrivileges(pm, roleNames, priv);
+ for (MSentryPrivilege childPriv : childPrivs) {
+ // Only recurse for table level privs..
+ if (!isNULL(childPriv.getDbName()) && !isNULL(childPriv.getTableName())
+ && !isNULL(childPriv.getColumnName())) {
+ populateChildren(pm, roleNames, childPriv, children);
+ }
+ // The method getChildPrivileges() didn't do filter on "action",
+ // if the action is not "All", it should judge the action of children privilege.
+ // For example: a user has a privilege \u201cAll on Col1\u201d,
+ // if the operation is \u201cREVOKE INSERT on table\u201d
+ // the privilege should be the child of table level privilege.
+ // but the privilege may still have other meaning, likes "SELECT on Col1".
+ // and the privileges like "SELECT on Col1" should not be revoke.
+ if (!priv.isActionALL()) {
+ if (childPriv.isActionALL()) {
+ // If the child privilege is All, we should convert it to the same
+ // privilege with parent
+ childPriv.setAction(priv.getAction());
+ }
+ // Only include privilege that imply the parent privilege.
+ if (!priv.implies(childPriv)) {
+ continue;
+ }
+ }
+ children.add(childPriv);
+ }
+ }
+ }
+
+ private Set<MSentryPrivilege> getChildPrivileges(PersistenceManager pm, Set<String> roleNames,
+ MSentryPrivilege parent) throws SentryInvalidInputException {
+ // Column and URI do not have children
+ if (!isNULL(parent.getColumnName()) || !isNULL(parent.getURI())) {
+ return new HashSet<MSentryPrivilege>();
+ }
+
+ Query query = pm.newQuery(MSentryPrivilege.class);
+ query.declareVariables("MSentryRole role");
+ List<String> rolesFiler = new LinkedList<String>();
+ for (String rName : roleNames) {
+ rolesFiler.add("role.roleName == \"" + trimAndLower(rName) + "\"");
+ }
+ StringBuilder filters = new StringBuilder("roles.contains(role) "
+ + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
+ filters.append(" && serverName == \"" + parent.getServerName() + "\"");
+ if (!isNULL(parent.getDbName())) {
+ filters.append(" && dbName == \"" + parent.getDbName() + "\"");
+ if (!isNULL(parent.getTableName())) {
+ filters.append(" && tableName == \"" + parent.getTableName() + "\"");
+ filters.append(" && columnName != \"__NULL__\"");
+ } else {
+ filters.append(" && tableName != \"__NULL__\"");
+ }
+ } else {
+ filters.append(" && (dbName != \"__NULL__\" || URI != \"__NULL__\")");
+ }
+
+ query.setFilter(filters.toString());
+ query.setResult("privilegeScope, serverName, dbName, tableName, columnName," +
+ " URI, action, grantOption");
+ Set<MSentryPrivilege> privileges = new HashSet<MSentryPrivilege>();
+ for (Object[] privObj : (List<Object[]>) query.execute()) {
+ MSentryPrivilege priv = new MSentryPrivilege();
+ priv.setPrivilegeScope((String) privObj[0]);
+ priv.setServerName((String) privObj[1]);
+ priv.setDbName((String) privObj[2]);
+ priv.setTableName((String) privObj[3]);
+ priv.setColumnName((String) privObj[4]);
+ priv.setURI((String) privObj[5]);
+ priv.setAction((String) privObj[6]);
+ priv.setGrantOption((Boolean) privObj[7]);
+ privileges.add(priv);
+ }
+ return privileges;
+ }
+
+ private List<MSentryPrivilege> getMSentryPrivileges(TSentryPrivilege tPriv, PersistenceManager pm) {
+ Query query = pm.newQuery(MSentryPrivilege.class);
+ StringBuilder filters = new StringBuilder("this.serverName == \""
+ + toNULLCol(safeTrimLower(tPriv.getServerName())) + "\" ");
+ if (!isNULL(tPriv.getDbName())) {
+ filters.append("&& this.dbName == \"" + toNULLCol(safeTrimLower(tPriv.getDbName())) + "\" ");
+ if (!isNULL(tPriv.getTableName())) {
+ filters.append("&& this.tableName == \"" + toNULLCol(safeTrimLower(tPriv.getTableName())) + "\" ");
+ if (!isNULL(tPriv.getColumnName())) {
+ filters.append("&& this.columnName == \"" + toNULLCol(safeTrimLower(tPriv.getColumnName())) + "\" ");
+ }
+ }
+ }
+ // if db is null, uri is not null
+ else if (!isNULL(tPriv.getURI())){
+ filters.append("&& this.URI == \"" + toNULLCol(safeTrim(tPriv.getURI())) + "\" ");
+ }
+ filters.append("&& this.action == \"" + toNULLCol(safeTrimLower(tPriv.getAction())) + "\"");
+
+ query.setFilter(filters.toString());
+ return (List<MSentryPrivilege>) query.execute();
+ }
+
+ private MSentryPrivilege getMSentryPrivilege(TSentryPrivilege tPriv, PersistenceManager pm) {
+ Query query = pm.newQuery(MSentryPrivilege.class);
+ query.setFilter("this.serverName == \"" + toNULLCol(safeTrimLower(tPriv.getServerName())) + "\" "
+ + "&& this.dbName == \"" + toNULLCol(safeTrimLower(tPriv.getDbName())) + "\" "
+ + "&& this.tableName == \"" + toNULLCol(safeTrimLower(tPriv.getTableName())) + "\" "
+ + "&& this.columnName == \"" + toNULLCol(safeTrimLower(tPriv.getColumnName())) + "\" "
+ + "&& this.URI == \"" + toNULLCol(safeTrim(tPriv.getURI())) + "\" "
+ + "&& this.grantOption == grantOption "
+ + "&& this.action == \"" + toNULLCol(safeTrimLower(tPriv.getAction())) + "\"");
+ query.declareParameters("Boolean grantOption");
+ query.setUnique(true);
+ Boolean grantOption = null;
+ if (tPriv.getGrantOption().equals(TSentryGrantOption.TRUE)) {
+ grantOption = true;
+ } else if (tPriv.getGrantOption().equals(TSentryGrantOption.FALSE)) {
+ grantOption = false;
+ }
+ Object obj = query.execute(grantOption);
+ if (obj != null) {
+ return (MSentryPrivilege) obj;
+ }
+ return null;
+ }
+
+ public CommitContext dropSentryRole(String roleName)
+ throws SentryNoSuchObjectException {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ dropSentryRoleCore(pm, roleName);
+ CommitContext commit = commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commit;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ private void dropSentryRoleCore(PersistenceManager pm, String roleName)
+ throws SentryNoSuchObjectException {
+ String lRoleName = trimAndLower(roleName);
+ Query query = pm.newQuery(MSentryRole.class);
+ query.setFilter("this.roleName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ MSentryRole sentryRole = (MSentryRole) query.execute(lRoleName);
+ if (sentryRole == null) {
+ throw new SentryNoSuchObjectException("Role: " + lRoleName + " doesn't exist");
+ } else {
+ pm.retrieve(sentryRole);
+ int numPrivs = sentryRole.getPrivileges().size();
+ sentryRole.removePrivileges();
+ // with SENTRY-398 generic model
+ sentryRole.removeGMPrivileges();
+ privCleaner.incPrivRemoval(numPrivs);
+ pm.deletePersistent(sentryRole);
+ }
+ }
+
+ public CommitContext alterSentryRoleAddGroups(String grantorPrincipal, String roleName,
+ Set<TSentryGroup> groupNames)
+ throws SentryNoSuchObjectException {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ alterSentryRoleAddGroupsCore(pm, roleName, groupNames);
+ CommitContext commit = commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commit;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ private void alterSentryRoleAddGroupsCore(PersistenceManager pm, String roleName,
+ Set<TSentryGroup> groupNames) throws SentryNoSuchObjectException {
+ String lRoleName = trimAndLower(roleName);
+ Query query = pm.newQuery(MSentryRole.class);
+ query.setFilter("this.roleName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ MSentryRole role = (MSentryRole) query.execute(lRoleName);
+ if (role == null) {
+ throw new SentryNoSuchObjectException("Role: " + lRoleName + " doesn't exist");
+ } else {
+ query = pm.newQuery(MSentryGroup.class);
+ query.setFilter("this.groupName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ List<MSentryGroup> groups = Lists.newArrayList();
+ for (TSentryGroup tGroup : groupNames) {
+ String groupName = tGroup.getGroupName().trim();
+ MSentryGroup group = (MSentryGroup) query.execute(groupName);
+ if (group == null) {
+ group = new MSentryGroup(groupName, System.currentTimeMillis(), Sets.newHashSet(role));
+ }
+ group.appendRole(role);
+ groups.add(group);
+ }
+ pm.makePersistentAll(groups);
+ }
+ }
+
+ public CommitContext alterSentryRoleAddUsers(String roleName,
+ Set<String> userNames) throws SentryNoSuchObjectException {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ alterSentryRoleAddUsersCore(pm, roleName, userNames);
+ CommitContext commit = commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commit;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ private void alterSentryRoleAddUsersCore(PersistenceManager pm, String roleName,
+ Set<String> userNames) throws SentryNoSuchObjectException {
+ String trimmedRoleName = trimAndLower(roleName);
+ MSentryRole role = getMSentryRole(pm, trimmedRoleName);
+ if (role == null) {
+ throw new SentryNoSuchObjectException("Role: " + trimmedRoleName);
+ } else {
+ Query query = pm.newQuery(MSentryUser.class);
+ query.setFilter("this.userName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ List<MSentryUser> users = Lists.newArrayList();
+ for (String userName : userNames) {
+ userName = userName.trim();
+ MSentryUser user = (MSentryUser) query.execute(userName);
+ if (user == null) {
+ user = new MSentryUser(userName, System.currentTimeMillis(), Sets.newHashSet(role));
+ }
+ user.appendRole(role);
+ users.add(user);
+ }
+ pm.makePersistentAll(users);
+ }
+ }
+
+ public CommitContext alterSentryRoleDeleteUsers(String roleName, Set<String> userNames)
+ throws SentryNoSuchObjectException {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ String trimmedRoleName = trimAndLower(roleName);
+ try {
+ pm = openTransaction();
+ MSentryRole role = getMSentryRole(pm, trimmedRoleName);
+ if (role == null) {
+ throw new SentryNoSuchObjectException("Role: " + trimmedRoleName);
+ } else {
+ Query query = pm.newQuery(MSentryUser.class);
+ query.setFilter("this.userName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ List<MSentryUser> users = Lists.newArrayList();
+ for (String userName : userNames) {
+ userName = userName.trim();
+ MSentryUser user = (MSentryUser) query.execute(userName);
+ if (user != null) {
+ user.removeRole(role);
+ users.add(user);
+ }
+ }
+ pm.makePersistentAll(users);
+ CommitContext commit = commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commit;
+ }
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ public CommitContext alterSentryRoleDeleteGroups(String roleName,
+ Set<TSentryGroup> groupNames)
+ throws SentryNoSuchObjectException {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ String trimmedRoleName = trimAndLower(roleName);
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryRole.class);
+ query.setFilter("this.roleName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ MSentryRole role = (MSentryRole) query.execute(trimmedRoleName);
+ if (role == null) {
+ throw new SentryNoSuchObjectException("Role: " + trimmedRoleName + " doesn't exist");
+ } else {
+ query = pm.newQuery(MSentryGroup.class);
+ query.setFilter("this.groupName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ List<MSentryGroup> groups = Lists.newArrayList();
+ for (TSentryGroup tGroup : groupNames) {
+ String groupName = tGroup.getGroupName().trim();
+ MSentryGroup group = (MSentryGroup) query.execute(groupName);
+ if (group != null) {
+ group.removeRole(role);
+ groups.add(group);
+ }
+ }
+ pm.makePersistentAll(groups);
+ CommitContext commit = commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commit;
+ }
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ @VisibleForTesting
+ MSentryRole getMSentryRoleByName(String roleName)
+ throws SentryNoSuchObjectException {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ String trimmedRoleName = trimAndLower(roleName);
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryRole.class);
+ query.setFilter("this.roleName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ MSentryRole sentryRole = (MSentryRole) query.execute(trimmedRoleName);
+ if (sentryRole == null) {
+ throw new SentryNoSuchObjectException("Role: " + trimmedRoleName + " doesn't exist");
+ } else {
+ pm.retrieve(sentryRole);
+ }
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ return sentryRole;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ private boolean hasAnyServerPrivileges(Set<String> roleNames, String serverName) {
+ if (roleNames == null || roleNames.isEmpty()) {
+ return false;
+ }
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryPrivilege.class);
+ query.declareVariables("MSentryRole role");
+ List<String> rolesFiler = new LinkedList<String>();
+ for (String rName : roleNames) {
+ rolesFiler.add("role.roleName == \"" + trimAndLower(rName) + "\"");
+ }
+ StringBuilder filters = new StringBuilder("roles.contains(role) "
+ + "&& (" + Joiner.on(" || ").join(rolesFiler) + ") ");
+ filters.append("&& serverName == \"" + trimAndLower(serverName) + "\"");
+ query.setFilter(filters.toString());
+ query.setResult("count(this)");
+
+ Long numPrivs = (Long) query.execute();
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ return numPrivs > 0;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ List<MSentryPrivilege> getMSentryPrivileges(Set<String> roleNames, TSentryAuthorizable authHierarchy) {
+ if (roleNames == null || roleNames.isEmpty()) {
+ return new ArrayList<MSentryPrivilege>();
+ }
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryPrivilege.class);
+ query.declareVariables("MSentryRole role");
+ List<String> rolesFiler = new LinkedList<String>();
+ for (String rName : roleNames) {
+ rolesFiler.add("role.roleName == \"" + trimAndLower(rName) + "\"");
+ }
+ StringBuilder filters = new StringBuilder("roles.contains(role) "
+ + "&& (" + Joiner.on(" || ").join(rolesFiler) + ") ");
+ if (authHierarchy != null && authHierarchy.getServer() != null) {
+ filters.append("&& serverName == \"" + authHierarchy.getServer().toLowerCase() + "\"");
+ if (authHierarchy.getDb() != null) {
+ filters.append(" && ((dbName == \"" + authHierarchy.getDb().toLowerCase() + "\") || (dbName == \"__NULL__\")) && (URI == \"__NULL__\")");
+ if (authHierarchy.getTable() != null
+ && !AccessConstants.ALL.equalsIgnoreCase(authHierarchy.getTable())) {
+ if (!AccessConstants.SOME.equalsIgnoreCase(authHierarchy.getTable())) {
+ filters.append(" && ((tableName == \"" + authHierarchy.getTable().toLowerCase() + "\") || (tableName == \"__NULL__\")) && (URI == \"__NULL__\")");
+ }
+ if (authHierarchy.getColumn() != null
+ && !AccessConstants.ALL.equalsIgnoreCase(authHierarchy.getColumn())
+ && !AccessConstants.SOME.equalsIgnoreCase(authHierarchy.getColumn())) {
+ filters.append(" && ((columnName == \"" + authHierarchy.getColumn().toLowerCase() + "\") || (columnName == \"__NULL__\")) && (URI == \"__NULL__\")");
+ }
+ }
+ }
+ if (authHierarchy.getUri() != null) {
+ filters.append(" && ((URI != \"__NULL__\") && (\"" + authHierarchy.getUri() + "\".startsWith(URI)) || (URI == \"__NULL__\")) && (dbName == \"__NULL__\")");
+ }
+ }
+ query.setFilter(filters.toString());
+ List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query.execute();
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ return privileges;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ List<MSentryPrivilege> getMSentryPrivilegesByAuth(Set<String> roleNames, TSentryAuthorizable authHierarchy) {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryPrivilege.class);
+ StringBuilder filters = new StringBuilder();
+ if (roleNames == null || roleNames.isEmpty()) {
+ filters.append(" !roles.isEmpty() ");
+ } else {
+ query.declareVariables("MSentryRole role");
+ List<String> rolesFiler = new LinkedList<String>();
+ for (String rName : roleNames) {
+ rolesFiler.add("role.roleName == \"" + trimAndLower(rName) + "\"");
+ }
+ filters.append("roles.contains(role) "
+ + "&& (" + Joiner.on(" || ").join(rolesFiler) + ") ");
+ }
+ if (authHierarchy.getServer() != null) {
+ filters.append("&& serverName == \"" +
+ authHierarchy.getServer().toLowerCase() + "\"");
+ if (authHierarchy.getDb() != null) {
+ filters.append(" && (dbName == \"" +
+ authHierarchy.getDb().toLowerCase() + "\") && (URI == \"__NULL__\")");
+ if (authHierarchy.getTable() != null) {
+ filters.append(" && (tableName == \"" +
+ authHierarchy.getTable().toLowerCase() + "\")");
+ } else {
+ filters.append(" && (tableName == \"__NULL__\")");
+ }
+ } else if (authHierarchy.getUri() != null) {
+ filters.append(" && (URI != \"__NULL__\") && (\"" + authHierarchy.getUri() +
+ "\".startsWith(URI)) && (dbName == \"__NULL__\")");
+ } else {
+ filters.append(" && (dbName == \"__NULL__\") && (URI == \"__NULL__\")");
+ }
+ } else {
+ // if no server, then return empty resultset
+ return new ArrayList<MSentryPrivilege>();
+ }
+ FetchGroup grp = pm.getFetchGroup(MSentryPrivilege.class, "fetchRole");
+ grp.addMember("roles");
+ pm.getFetchPlan().addGroup("fetchRole");
+ query.setFilter(filters.toString());
+ List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query.execute();
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ return privileges;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ public TSentryPrivilegeMap listSentryPrivilegesByAuthorizable(Set<String> groups,
+ TSentryActiveRoleSet activeRoles,
+ TSentryAuthorizable authHierarchy, boolean isAdmin)
+ throws SentryInvalidInputException {
+ Map<String, Set<TSentryPrivilege>> resultPrivilegeMap = Maps.newTreeMap();
+ Set<String> roles = getRolesToQuery(groups, null, new TSentryActiveRoleSet(true, null));
+
+ if (activeRoles != null && !activeRoles.isAll()) {
+ // need to check/convert to lowercase here since this is from user input
+ for (String aRole : activeRoles.getRoles()) {
+ roles.add(aRole.toLowerCase());
+ }
+ }
+
+ // An empty 'roles' is a treated as a wildcard (in case of admin role)..
+ // so if not admin, don't return anything if 'roles' is empty..
+ if (isAdmin || !roles.isEmpty()) {
+ List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivilegesByAuth(roles,
+ authHierarchy);
+ for (MSentryPrivilege priv : mSentryPrivileges) {
+ for (MSentryRole role : priv.getRoles()) {
+ TSentryPrivilege tPriv = convertToTSentryPrivilege(priv);
+ if (resultPrivilegeMap.containsKey(role.getRoleName())) {
+ resultPrivilegeMap.get(role.getRoleName()).add(tPriv);
+ } else {
+ Set<TSentryPrivilege> tPrivSet = Sets.newTreeSet();
+ tPrivSet.add(tPriv);
+ resultPrivilegeMap.put(role.getRoleName(), tPrivSet);
+ }
+ }
+ }
+ }
+ return new TSentryPrivilegeMap(resultPrivilegeMap);
+ }
+
+ private Set<MSentryPrivilege> getMSentryPrivilegesByRoleName(String roleName)
+ throws SentryNoSuchObjectException {
+ MSentryRole mSentryRole = getMSentryRoleByName(roleName);
+ return mSentryRole.getPrivileges();
+ }
+
+ /**
+ * Gets sentry privilege objects for a given roleName from the persistence layer
+ * @param roleName : roleName to look up
+ * @return : Set of thrift sentry privilege objects
+ * @throws SentryNoSuchObjectException
+ */
+
+ public Set<TSentryPrivilege> getAllTSentryPrivilegesByRoleName(String roleName)
+ throws SentryNoSuchObjectException {
+ return convertToTSentryPrivileges(getMSentryPrivilegesByRoleName(roleName));
+ }
+
+
+ /**
+ * Gets sentry privilege objects for criteria from the persistence layer
+ * @param roleNames : roleNames to look up (required)
+ * @param authHierarchy : filter push down based on auth hierarchy (optional)
+ * @return : Set of thrift sentry privilege objects
+ * @throws SentryNoSuchObjectException
+ */
+
+ public Set<TSentryPrivilege> getTSentryPrivileges(Set<String> roleNames, TSentryAuthorizable authHierarchy) throws SentryInvalidInputException {
+ if (authHierarchy.getServer() == null) {
+ throw new SentryInvalidInputException("serverName cannot be null !!");
+ }
+ if (authHierarchy.getTable() != null && authHierarchy.getDb() == null) {
+ throw new SentryInvalidInputException("dbName cannot be null when tableName is present !!");
+ }
+ if (authHierarchy.getColumn() != null && authHierarchy.getTable() == null) {
+ throw new SentryInvalidInputException("tableName cannot be null when columnName is present !!");
+ }
+ if (authHierarchy.getUri() == null && authHierarchy.getDb() == null) {
+ throw new SentryInvalidInputException("One of uri or dbName must not be null !!");
+ }
+ return convertToTSentryPrivileges(getMSentryPrivileges(roleNames, authHierarchy));
+ }
+
+
+ private Set<MSentryRole> getMSentryRolesByGroupName(String groupName)
+ throws SentryNoSuchObjectException {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ Set<MSentryRole> roles;
+ pm = openTransaction();
+
+ //If no group name was specified, return all roles
+ if (groupName == null) {
+ Query query = pm.newQuery(MSentryRole.class);
+ roles = new HashSet<MSentryRole>((List<MSentryRole>)query.execute());
+ } else {
+ Query query = pm.newQuery(MSentryGroup.class);
+ MSentryGroup sentryGroup;
+ String trimmedGroupName = groupName.trim();
+ query.setFilter("this.groupName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ sentryGroup = (MSentryGroup) query.execute(trimmedGroupName);
+ if (sentryGroup == null) {
+ throw new SentryNoSuchObjectException("Group: " + trimmedGroupName + " doesn't exist");
+ } else {
+ pm.retrieve(sentryGroup);
+ }
+ roles = sentryGroup.getRoles();
+ }
+ for ( MSentryRole role: roles) {
+ pm.retrieve(role);
+ }
+ commitTransaction(pm);
+ rollbackTransaction = false;
+ return roles;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ /**
+ * Gets sentry role objects for a given groupName from the persistence layer
+ * @param groupName : groupName to look up ( if null returns all roles for all groups)
+ * @return : Set of thrift sentry role objects
+ * @throws SentryNoSuchObjectException
+ */
+ public Set<TSentryRole> getTSentryRolesByGroupName(Set<String> groupNames,
+ boolean checkAllGroups) throws SentryNoSuchObjectException {
+ Set<MSentryRole> roleSet = Sets.newHashSet();
+ for (String groupName : groupNames) {
+ try {
+ roleSet.addAll(getMSentryRolesByGroupName(groupName));
+ } catch (SentryNoSuchObjectException e) {
+ // if we are checking for all the given groups, then continue searching
+ if (!checkAllGroups) {
+ throw e;
+ }
+ }
+ }
+ return convertToTSentryRoles(roleSet);
+ }
+
+ public Set<String> getRoleNamesForGroups(Set<String> groups) {
+ if (groups == null || groups.isEmpty()) {
+ return ImmutableSet.of();
+ }
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Set<String> result = getRoleNamesForGroupsCore(pm, groups);
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ return result;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ private Set<String> getRoleNamesForGroupsCore(PersistenceManager pm, Set<String> groups) {
+ return convertToRoleNameSet(getRolesForGroups(pm, groups));
+ }
+
+ public Set<String> getRoleNamesForUsers(Set<String> users) {
+ if (users == null || users.isEmpty()) {
+ return ImmutableSet.of();
+ }
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Set<String> result = getRoleNamesForUsersCore(pm,users);
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ return result;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ private Set<String> getRoleNamesForUsersCore(PersistenceManager pm, Set<String> users) {
+ return convertToRoleNameSet(getRolesForUsers(pm, users));
+ }
+
+ public Set<TSentryRole> getTSentryRolesByUserNames(Set<String> users) {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Set<MSentryRole> mSentryRoles = getRolesForUsers(pm, users);
+ // Since {@link MSentryRole#getGroups()} is lazy-loading, the converting should be call
+ // before transaction committed.
+ Set<TSentryRole> result = convertToTSentryRoles(mSentryRoles);
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ return result;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ public Set<MSentryRole> getRolesForGroups(PersistenceManager pm, Set<String> groups) {
+ Set<MSentryRole> result = Sets.newHashSet();
+ if (groups != null) {
+ Query query = pm.newQuery(MSentryGroup.class);
+ query.setFilter("this.groupName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ for (String group : groups) {
+ MSentryGroup sentryGroup = (MSentryGroup) query.execute(group.trim());
+ if (sentryGroup != null) {
+ result.addAll(sentryGroup.getRoles());
+ }
+ }
+ }
+ return result;
+ }
+
+ public Set<MSentryRole> getRolesForUsers(PersistenceManager pm, Set<String> users) {
+ Set<MSentryRole> result = Sets.newHashSet();
+ if (users != null) {
+ Query query = pm.newQuery(MSentryUser.class);
+ query.setFilter("this.userName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ for (String user : users) {
+ MSentryUser sentryUser = (MSentryUser) query.execute(user.trim());
+ if (sentryUser != null) {
+ result.addAll(sentryUser.getRoles());
+ }
+ }
+ }
+ return result;
+ }
+
+ public Set<String> listAllSentryPrivilegesForProvider(Set<String> groups, Set<String> users,
+ TSentryActiveRoleSet roleSet) throws SentryInvalidInputException {
+ return listSentryPrivilegesForProvider(groups, users, roleSet, null);
+ }
+
+
+ public Set<String> listSentryPrivilegesForProvider(Set<String> groups, Set<String> users,
+ TSentryActiveRoleSet roleSet, TSentryAuthorizable authHierarchy) throws SentryInvalidInputException {
+ Set<String> result = Sets.newHashSet();
+ Set<String> rolesToQuery = getRolesToQuery(groups, users, roleSet);
+ List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivileges(rolesToQuery, authHierarchy);
+ for (MSentryPrivilege priv : mSentryPrivileges) {
+ result.add(toAuthorizable(priv));
+ }
+
+ return result;
+ }
+
+ public boolean hasAnyServerPrivileges(Set<String> groups, Set<String> users,
+ TSentryActiveRoleSet roleSet, String server) {
+ Set<String> rolesToQuery = getRolesToQuery(groups, users, roleSet);
+ return hasAnyServerPrivileges(rolesToQuery, server);
+ }
+
+ private Set<String> getRolesToQuery(Set<String> groups, Set<String> users,
+ TSentryActiveRoleSet roleSet) {
+ Set<String> activeRoleNames = toTrimedLower(roleSet.getRoles());
+
+ Set<String> roleNames = Sets.newHashSet();
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ roleNames.addAll(toTrimedLower(getRoleNamesForGroupsCore(pm, groups)));
+ roleNames.addAll(toTrimedLower(getRoleNamesForUsersCore(pm, users)));
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ return roleSet.isAll() ? roleNames : Sets.intersection(activeRoleNames,
+ roleNames);
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ @VisibleForTesting
+ static String toAuthorizable(MSentryPrivilege privilege) {
+ List<String> authorizable = new ArrayList<String>(4);
+ authorizable.add(KV_JOINER.join(AuthorizableType.Server.name().toLowerCase(),
+ privilege.getServerName()));
+ if (isNULL(privilege.getURI())) {
+ if (!isNULL(privilege.getDbName())) {
+ authorizable.add(KV_JOINER.join(AuthorizableType.Db.name().toLowerCase(),
+ privilege.getDbName()));
+ if (!isNULL(privilege.getTableName())) {
+ authorizable.add(KV_JOINER.join(AuthorizableType.Table.name().toLowerCase(),
+ privilege.getTableName()));
+ if (!isNULL(privilege.getColumnName())) {
+ authorizable.add(KV_JOINER.join(AuthorizableType.Column.name().toLowerCase(),
+ privilege.getColumnName()));
+ }
+ }
+ }
+ } else {
+ authorizable.add(KV_JOINER.join(AuthorizableType.URI.name().toLowerCase(),
+ privilege.getURI()));
+ }
+ if (!isNULL(privilege.getAction())
+ && !privilege.getAction().equalsIgnoreCase(AccessConstants.ALL)) {
+ authorizable
+ .add(KV_JOINER.join(SentryConstants.PRIVILEGE_NAME.toLowerCase(),
+ privilege.getAction()));
+ }
+ return AUTHORIZABLE_JOINER.join(authorizable);
+ }
+
+ @VisibleForTesting
+ static Set<String> toTrimedLower(Set<String> s) {
+ if (null == s) {
+ return new HashSet<String>();
+ }
+ Set<String> result = Sets.newHashSet();
+ for (String v : s) {
+ result.add(v.trim().toLowerCase());
+ }
+ return result;
+ }
+
+
+ /**
+ * Converts model object(s) to thrift object(s).
+ * Additionally does normalization
+ * such as trimming whitespace and setting appropriate case. Also sets the create
+ * time.
+ */
+
+ private Set<TSentryPrivilege> convertToTSentryPrivileges(Collection<MSentryPrivilege> mSentryPrivileges) {
+ Set<TSentryPrivilege> privileges = new HashSet<TSentryPrivilege>();
+ for(MSentryPrivilege mSentryPrivilege:mSentryPrivileges) {
+ privileges.add(convertToTSentryPrivilege(mSentryPrivilege));
+ }
+ return privileges;
+ }
+
+ private Set<TSentryRole> convertToTSentryRoles(Set<MSentryRole> mSentryRoles) {
+ Set<TSentryRole> roles = new HashSet<TSentryRole>();
+ for(MSentryRole mSentryRole:mSentryRoles) {
+ roles.add(convertToTSentryRole(mSentryRole));
+ }
+ return roles;
+ }
+
+ private Set<String> convertToRoleNameSet(Set<MSentryRole> mSentryRoles) {
+ Set<String> roleNameSet = Sets.newHashSet();
+ for (MSentryRole role : mSentryRoles) {
+ roleNameSet.add(role.getRoleName());
+ }
+ return roleNameSet;
+ }
+
+ private TSentryRole convertToTSentryRole(MSentryRole mSentryRole) {
+ TSentryRole role = new TSentryRole();
+ role.setRoleName(mSentryRole.getRoleName());
+ role.setGrantorPrincipal("--");
+ Set<TSentryGroup> sentryGroups = new HashSet<TSentryGroup>();
+ for(MSentryGroup mSentryGroup:mSentryRole.getGroups()) {
+ TSentryGroup group = convertToTSentryGroup(mSentryGroup);
+ sentryGroups.add(group);
+ }
+
+ role.setGroups(sentryGroups);
+ return role;
+ }
+
+ private TSentryGroup convertToTSentryGroup(MSentryGroup mSentryGroup) {
+ TSentryGroup group = new TSentryGroup();
+ group.setGroupName(mSentryGroup.getGroupName());
+ return group;
+ }
+
+ protected TSentryPrivilege convertToTSentryPrivilege(MSentryPrivilege mSentryPrivilege) {
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ convertToTSentryPrivilege(mSentryPrivilege, privilege);
+ return privilege;
+ }
+
+ private void convertToTSentryPrivilege(MSentryPrivilege mSentryPrivilege,
+ TSentryPrivilege privilege) {
+ privilege.setCreateTime(mSentryPrivilege.getCreateTime());
+ privilege.setAction(fromNULLCol(mSentryPrivilege.getAction()));
+ privilege.setPrivilegeScope(mSentryPrivilege.getPrivilegeScope());
+ privilege.setServerName(fromNULLCol(mSentryPrivilege.getServerName()));
+ privilege.setDbName(fromNULLCol(mSentryPrivilege.getDbName()));
+ privilege.setTableName(fromNULLCol(mSentryPrivilege.getTableName()));
+ privilege.setColumnName(fromNULLCol(mSentryPrivilege.getColumnName()));
+ privilege.setURI(fromNULLCol(mSentryPrivilege.getURI()));
+ if (mSentryPrivilege.getGrantOption() != null) {
+ privilege.setGrantOption(TSentryGrantOption.valueOf(mSentryPrivilege.getGrantOption().toString().toUpperCase()));
+ } else {
+ privilege.setGrantOption(TSentryGrantOption.UNSET);
+ }
+ }
+
+ /**
+ * Converts thrift object to model object. Additionally does normalization
+ * such as trimming whitespace and setting appropriate case.
+ * @throws SentryInvalidInputException
+ */
+ private MSentryPrivilege convertToMSentryPrivilege(TSentryPrivilege privilege)
+ throws SentryInvalidInputException {
+ MSentryPrivilege mSentryPrivilege = new MSentryPrivilege();
+ mSentryPrivilege.setServerName(toNULLCol(safeTrimLower(privilege.getServerName())));
+ mSentryPrivilege.setDbName(toNULLCol(safeTrimLower(privilege.getDbName())));
+ mSentryPrivilege.setTableName(toNULLCol(safeTrimLower(privilege.getTableName())));
+ mSentryPrivilege.setColumnName(toNULLCol(safeTrimLower(privilege.getColumnName())));
+ mSentryPrivilege.setPrivilegeScope(safeTrim(privilege.getPrivilegeScope()));
+ mSentryPrivilege.setAction(toNULLCol(safeTrimLower(privilege.getAction())));
+ mSentryPrivilege.setCreateTime(System.currentTimeMillis());
+ mSentryPrivilege.setURI(toNULLCol(safeTrim(privilege.getURI())));
+ if ( !privilege.getGrantOption().equals(TSentryGrantOption.UNSET) ) {
+ mSentryPrivilege.setGrantOption(Boolean.valueOf(privilege.getGrantOption().toString()));
+ } else {
+ mSentryPrivilege.setGrantOption(null);
+ }
+ return mSentryPrivilege;
+ }
+ private static String safeTrim(String s) {
+ if (s == null) {
+ return null;
+ }
+ return s.trim();
+ }
+ private static String safeTrimLower(String s) {
+ if (s == null) {
+ return null;
+ }
+ return s.trim().toLowerCase();
+ }
+
+ public String getSentryVersion() throws SentryNoSuchObjectException,
+ SentryAccessDeniedException {
+ MSentryVersion mVersion = getMSentryVersion();
+ return mVersion.getSchemaVersion();
+ }
+
+ public void setSentryVersion(String newVersion, String verComment)
+ throws SentryNoSuchObjectException, SentryAccessDeniedException {
+ MSentryVersion mVersion;
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+
+ try {
+ mVersion = getMSentryVersion();
+ if (newVersion.equals(mVersion.getSchemaVersion())) {
+ // specified version already in there
+ return;
+ }
+ } catch (SentryNoSuchObjectException e) {
+ // if the version doesn't exist, then create it
+ mVersion = new MSentryVersion();
+ }
+ mVersion.setSchemaVersion(newVersion);
+ mVersion.setVersionComment(verComment);
+ try {
+ pm = openTransaction();
+ pm.makePersistent(mVersion);
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ @SuppressWarnings("unchecked")
+ private MSentryVersion getMSentryVersion()
+ throws SentryNoSuchObjectException, SentryAccessDeniedException {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryVersion.class);
+ List<MSentryVersion> mSentryVersions = (List<MSentryVersion>) query
+ .execute();
+ pm.retrieveAll(mSentryVersions);
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ if (mSentryVersions.isEmpty()) {
+ throw new SentryNoSuchObjectException("No matching version found");
+ }
+ if (mSentryVersions.size() > 1) {
+ throw new SentryAccessDeniedException(
+ "Metastore contains multiple versions");
+ }
+ return mSentryVersions.get(0);
+ } catch (JDODataStoreException e) {
+ if (e.getCause() instanceof MissingTableException) {
+ throw new SentryAccessDeniedException("Version table not found. "
+ + "The sentry store is not set or corrupt ");
+ } else {
+ throw e;
+ }
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ /**
+ * Drop given privilege from all roles
+ */
+ public void dropPrivilege(TSentryAuthorizable tAuthorizable)
+ throws SentryNoSuchObjectException, SentryInvalidInputException {
+ PersistenceManager pm = null;
+ boolean rollbackTransaction = true;
+
+ TSentryPrivilege tPrivilege = toSentryPrivilege(tAuthorizable);
+ try {
+ pm = openTransaction();
+
+ if (isMultiActionsSupported(tPrivilege)) {
+ for (String privilegeAction : ALL_ACTIONS) {
+ tPrivilege.setAction(privilegeAction);
+ dropPrivilegeForAllRoles(pm, new TSentryPrivilege(tPrivilege));
+ }
+ } else {
+ dropPrivilegeForAllRoles(pm, new TSentryPrivilege(tPrivilege));
+ }
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ } catch (JDODataStoreException e) {
+ throw new SentryInvalidInputException("Failed to get privileges: "
+ + e.getMessage());
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ /**
+ * Rename given privilege from all roles drop the old privilege and create the new one
+ * @param tAuthorizable
+ * @param newTAuthorizable
+ * @throws SentryNoSuchObjectException
+ * @throws SentryInvalidInputException
+ */
+ public void renamePrivilege(TSentryAuthorizable tAuthorizable,
+ TSentryAuthorizable newTAuthorizable)
+ throws SentryNoSuchObjectException, SentryInvalidInputException {
+ PersistenceManager pm = null;
+ boolean rollbackTransaction = true;
+
+ TSentryPrivilege tPrivilege = toSentryPrivilege(tAuthorizable);
+ TSentryPrivilege newPrivilege = toSentryPrivilege(newTAuthorizable);
+
+ try {
+ pm = openTransaction();
+ // In case of tables or DBs, check all actions
+ if (isMultiActionsSupported(tPrivilege)) {
+ for (String privilegeAction : ALL_ACTIONS) {
+ tPrivilege.setAction(privilegeAction);
+ newPrivilege.setAction(privilegeAction);
+ renamePrivilegeForAllRoles(pm, tPrivilege, newPrivilege);
+ }
+ } else {
+ renamePrivilegeForAllRoles(pm, tPrivilege, newPrivilege);
+ }
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ } catch (JDODataStoreException e) {
+ throw new SentryInvalidInputException("Failed to get privileges: "
+ + e.getMessage());
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ // Currently INSERT/SELECT/ALL are supported for Table and DB level privileges
+ private boolean isMultiActionsSupported(TSentryPrivilege tPrivilege) {
+ return tPrivilege.getDbName() != null;
+
+ }
+ // wrapper for dropOrRename
+ private void renamePrivilegeForAllRoles(PersistenceManager pm,
+ TSentryPrivilege tPrivilege,
+ TSentryPrivilege newPrivilege) throws SentryNoSuchObjectException,
+ SentryInvalidInputException {
+ dropOrRenamePrivilegeForAllRoles(pm, tPrivilege, newPrivilege);
+ }
+
+ /**
+ * Drop given privilege from all roles
+ * @param tPrivilege
+ * @throws SentryNoSuchObjectException
+ * @throws SentryInvalidInputException
+ */
+ private void dropPrivilegeForAllRoles(PersistenceManager pm,
+ TSentryPrivilege tPrivilege)
+ throws SentryNoSuchObjectException, SentryInvalidInputException {
+ dropOrRenamePrivilegeForAllRoles(pm, tPrivilege, null);
+ }
+
+ /**
+ * Drop given privilege from all roles Create the new privilege if asked
+ * @param tPrivilege
+ * @param pm
+ * @throws SentryNoSuchObjectException
+ * @throws SentryInvalidInputException
+ */
+ private void dropOrRenamePrivilegeForAllRoles(PersistenceManager pm,
+ TSentryPrivilege tPrivilege,
+ TSentryPrivilege newTPrivilege) throws SentryNoSuchObjectException,
+ SentryInvalidInputException {
+ HashSet<MSentryRole> roleSet = Sets.newHashSet();
+
+ List<MSentryPrivilege> mPrivileges = getMSentryPrivileges(tPrivilege, pm);
+ if (mPrivileges != null && !mPrivileges.isEmpty()) {
+ for (MSentryPrivilege mPrivilege : mPrivileges) {
+ roleSet.addAll(ImmutableSet.copyOf(mPrivilege.getRoles()));
+ }
+ }
+
+ MSentryPrivilege parent = getMSentryPrivilege(tPrivilege, pm);
+ for (MSentryRole role : roleSet) {
+ // 1. get privilege and child privileges
+ Set<MSentryPrivilege> privilegeGraph = Sets.newHashSet();
+ if (parent != null) {
+ privilegeGraph.add(parent);
+ populateChildren(pm, Sets.newHashSet(role.getRoleName()), parent, privilegeGraph);
+ } else {
+ populateChildren(pm, Sets.newHashSet(role.getRoleName()), convertToMSentryPrivilege(tPrivilege),
+ privilegeGraph);
+ }
+ // 2. revoke privilege and child privileges
+ alterSentryRoleRevokePrivilegeCore(pm, role.getRoleName(), tPrivilege);
+ // 3. add new privilege and child privileges with new tableName
+ if (newTPrivilege != null) {
+ for (MSentryPrivilege m : privilegeGraph) {
+ TSentryPrivilege t = convertToTSentryPrivilege(m);
+ if (newTPrivilege.getPrivilegeScope().equals(PrivilegeScope.DATABASE.name())) {
+ t.setDbName(newTPrivilege.getDbName());
+ } else if (newTPrivilege.getPrivilegeScope().equals(PrivilegeScope.TABLE.name())) {
+ t.setTableName(newTPrivilege.getTableName());
+ }
+ alterSentryRoleGrantPrivilegeCore(pm, role.getRoleName(), t);
+ }
+ }
+ }
+ }
+
+ private TSentryPrivilege toSentryPrivilege(TSentryAuthorizable tAuthorizable)
+ throws SentryInvalidInputException {
+ TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
+ tSentryPrivilege.setDbName(fromNULLCol(tAuthorizable.getDb()));
+ tSentryPrivilege.setServerName(fromNULLCol(tAuthorizable.getServer()));
+ tSentryPrivilege.setTableName(fromNULLCol(tAuthorizable.getTable()));
+ tSentryPrivilege.setColumnName(fromNULLCol(tAuthorizable.getColumn()));
+ tSentryPrivilege.setURI(fromNULLCol(tAuthorizable.getUri()));
+ PrivilegeScope scope;
+ if (!isNULL(tSentryPrivilege.getColumnName())) {
+ scope = PrivilegeScope.COLUMN;
+ } else if (!isNULL(tSentryPrivilege.getTableName())) {
+ scope = PrivilegeScope.TABLE;
+ } else if (!isNULL(tSentryPrivilege.getDbName())) {
+ scope = PrivilegeScope.DATABASE;
+ } else if (!isNULL(tSentryPrivilege.getURI())) {
+ scope = PrivilegeScope.URI;
+ } else {
+ scope = PrivilegeScope.SERVER;
+ }
+ tSentryPrivilege.setPrivilegeScope(scope.name());
+ tSentryPrivilege.setAction(AccessConstants.ALL);
+ return tSentryPrivilege;
+ }
+
+ public static String toNULLCol(String s) {
+ return Strings.isNullOrEmpty(s) ? NULL_COL : s;
+ }
+
+ public static String fromNULLCol(String s) {
+ return isNULL(s) ? "" : s;
+ }
+
+ public static boolean isNULL(String s) {
+ return Strings.isNullOrEmpty(s) || s.equals(NULL_COL);
+ }
+
+ /**
+ * Grant option check
+ * @param pm
+ * @param privilege
+ * @throws SentryUserException
+ */
+ private void grantOptionCheck(PersistenceManager pm, String grantorPrincipal, TSentryPrivilege privilege)
+ throws SentryUserException {
+ MSentryPrivilege mPrivilege = convertToMSentryPrivilege(privilege);
+ if (grantorPrincipal == null) {
+ throw new SentryInvalidInputException("grantorPrincipal should not be null");
+ }
+
+ Set<String> groups = SentryPolicyStoreProcessor.getGroupsFromUserName(conf, grantorPrincipal);
+
+ // if grantor is in adminGroup, don't need to do check
+ Set<String> admins = getAdminGroups();
+ boolean isAdminGroup = false;
+ if (groups != null && admins != null && !admins.isEmpty()) {
+ for (String g : groups) {
+ if (admins.contains(g)) {
+ isAdminGroup = true;
+ break;
+ }
+ }
+ }
+
+ if (!isAdminGroup) {
+ boolean hasGrant = false;
+ // get all privileges for group and user
+ Set<MSentryRole> roles = getRolesForGroups(pm, groups);
+ roles.addAll(getRolesForUsers(pm, Sets.newHashSet(grantorPrincipal)));
+ if (roles != null && !roles.isEmpty()) {
+ for (MSentryRole role : roles) {
+ Set<MSentryPrivilege> privilegeSet = role.getPrivileges();
+ if (privilegeSet != null && !privilegeSet.isEmpty()) {
+ // if role has a privilege p with grant option
+ // and mPrivilege is a child privilege of p
+ for (MSentryPrivilege p : privilegeSet) {
+ if (p.getGrantOption() && p.implies(mPrivilege)) {
+ hasGrant = true;
+ break;
+ }
+ }
+ }
+ }
+ }
+
+ if (!hasGrant) {
+ throw new SentryGrantDeniedException(grantorPrincipal
+ + " has no grant!");
+ }
+ }
+ }
+
+ // get adminGroups from conf
+ private Set<String> getAdminGroups() {
+ return Sets.newHashSet(conf.getStrings(
+ ServerConfig.ADMIN_GROUPS, new String[]{}));
+ }
+
+ /**
+ * This returns a Mapping of AuthZObj(db/table) -> (Role -> permission)
+ */
+ public Map<String, HashMap<String, String>> retrieveFullPrivilegeImage() {
+ Map<String, HashMap<String, String>> retVal = new HashMap<String, HashMap<String,String>>();
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryPrivilege.class);
+ String filters = "(serverName != \"__NULL__\") "
+ + "&& (dbName != \"__NULL__\") " + "&& (URI == \"__NULL__\")";
+ query.setFilter(filters.toString());
+ query
+ .setOrdering("serverName ascending, dbName ascending, tableName ascending");
+ List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query
+ .execute();
+ rollbackTransaction = false;
+ for (MSentryPrivilege mPriv : privileges) {
+ String authzObj = mPriv.getDbName();
+ if (!isNULL(mPriv.getTableName())) {
+ authzObj = authzObj + "." + mPriv.getTableName();
+ }
+ HashMap<String, String> pUpdate = retVal.get(authzObj);
+ if (pUpdate == null) {
+ pUpdate = new HashMap<String, String>();
+ retVal.put(authzObj, pUpdate);
+ }
+ for (MSentryRole mRole : mPriv.getRoles()) {
+ String existingPriv = pUpdate.get(mRole.getRoleName());
+ if (existingPriv == null) {
+ pUpdate.put(mRole.getRoleName(), mPriv.getAction().toUpperCase());
+ } else {
+ pUpdate.put(mRole.getRoleName(), existingPriv + ","
+ + mPriv.getAction().toUpperCase());
+ }
+ }
+ }
+ commitTransaction(pm);
+ return retVal;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ /**
+ * This returns a Mapping of Role -> [Groups]
+ */
+ public Map<String, LinkedList<String>> retrieveFullRoleImage() {
+ Map<String, LinkedList<String>> retVal = new HashMap<String, LinkedList<String>>();
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryGroup.class);
+ List<MSentryGroup> groups = (List<MSentryGroup>) query.execute();
+ for (MSentryGroup mGroup : groups) {
+ for (MSentryRole role : mGroup.getRoles()) {
+ LinkedList<String> rUpdate = retVal.get(role.getRoleName());
+ if (rUpdate == null) {
+ rUpdate = new LinkedList<String>();
+ retVal.put(role.getRoleName(), rUpdate);
+ }
+ rUpdate.add(mGroup.getGroupName());
+ }
+ }
+ commitTransaction(pm);
+ return retVal;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ /**
+ * This thread exists to clean up "orphaned" privilege rows in the database.
+ * These rows aren't removed automatically due to the fact that there is
+ * a many-to-many mapping between the roles and privileges, and the
+ * detection and removal of orphaned privileges is a wee bit involved.
+ * This thread hangs out until notified by the parent (the outer class)
+ * and then runs a custom SQL statement that detects and removes orphans.
+ */
+ private class PrivCleaner implements Runnable {
+ // Kick off priv orphan removal after this many notifies
+ private static final int NOTIFY_THRESHOLD = 50;
+
+ // How many times we've been notified; reset to zero after orphan removal
+ private int currentNotifies = 0;
+
+ // Internal state for threads
+ private boolean exitRequired = false;
+
+ // This lock and condition are needed to implement a way to drop the
+ // lock inside a while loop, and not hold the lock across the orphan
+ // removal.
+ private final Lock lock = new ReentrantLock();
+ private final Condition cond = lock.newCondition();
+
+ /**
+ * Waits in a loop, running the orphan removal function when notified.
+ * Will exit after exitRequired is set to true by exit(). We are careful
+ * to not hold our lock while removing orphans; that operation might
+ * take a long time. There's also the matter of lock ordering. Other
+ * threads start a transaction first, and then grab our lock; this thread
+ * grabs the lock and then starts a transaction. Handling this correctly
+ * requires explicit locking/unlocking through the loop.
+ */
+ public void run() {
+ while (true) {
+ lock.lock();
+ try {
+ // Check here in case this was set during removeOrphanedPrivileges()
+ if (exitRequired) {
+ return;
+ }
+ while (currentNotifies <= NOTIFY_THRESHOLD) {
+ try {
+ cond.await();
+ } catch (InterruptedException e) {
+ // Interrupted
+ }
+ // Check here in case this was set while waiting
+ if (exitRequired) {
+ return;
+ }
+ }
+ currentNotifies = 0;
+ } finally {
+ lock.unlock();
+ }
+ try {
+ removeOrphanedPrivileges();
+ } catch (Exception e) {
+ LOGGER.warn("Privilege cleaning thread encountered an error: " +
+ e.getMessage());
+ }
+ }
+ }
+
+ /**
+ * This is called when a privilege is removed from a role. This may
+ * or may not mean that the privilege needs to be removed from the
+ * database; there may be more references to it from other roles.
+ * As a result, we'll lazily run the orphan cleaner every
+ * NOTIFY_THRESHOLD times this routine is called.
+ * @param numDeletions The number of potentially orphaned privileges
+ */
+ public void incPrivRemoval(int numDeletions) {
+ if (privCleanerThread != null) {
+ try {
+ lock.lock();
+ currentNotifies += numDeletions;
+ if (currentNotifies > NOTIFY_THRESHOLD) {
+ cond.signal();
+ }
+ } finally {
+ lock.unlock();
+ }
+ }
+ }
+
+ /**
+ * Simple form of incPrivRemoval when only one privilege is deleted.
+ */
+ public void incPrivRemoval() {
+ incPrivRemoval(1);
+ }
+
+ /**
+ * Tell this thread to exit. Safe to call multiple times, as it just
+ * notifies the run() loop to finish up.
+ */
+ public void exit() {
+ if (privCleanerThread != null) {
+ lock.lock();
+ try {
+ exitRequired = true;
+ cond.signal();
+ } finally {
+ lock.unlock();
+ }
+ }
+ }
+
+ /**
+ * Run a SQL query to detect orphaned privileges, and then delete
+ * each one. This is complicated by the fact that datanucleus does
+ * not seem to play well with the mix between a direct SQL query
+ * and operations on the database. The solution that seems to work
+ * is to split the operation into two transactions: the first is
+ * just a read for privileges that look like they're orphans, the
+ * second transaction will go and get each of those privilege objects,
+ * verify that there are no roles attached, and then delete them.
+ */
+ private void removeOrphanedPrivileges() {
+ final String privDB = "SENTRY_DB_PRIVILEGE";
+ final String privId = "DB_PRIVILEGE_ID";
+ final String mapDB = "SENTRY_ROLE_DB_PRIVILEGE_MAP";
+ final String privFilter =
+ "select " + privId +
+ " from " + privDB + " p" +
+ " where not exists (" +
+ " select 1 from " + mapDB + " d" +
+ " where p." + privId + " != d." + privId +
+ " )";
+ boolean rollback = true;
+ int orphansRemoved = 0;
+ ArrayList<Object> idList = new ArrayList<Object>();
+ PersistenceManager pm = pmf.getPersistenceManager();
+
+ // Transaction 1: Perform a SQL query to get things that look like orphans
+ try {
+ Transaction transaction = pm.currentTransaction();
+ transaction.begin();
+ transaction.setRollbackOnly(); // Makes the tx read-only
+ Query query = pm.newQuery("javax.jdo.query.SQL", privFilter);
+ query.setClass(MSentryPrivilege.class);
+ List<MSentryPrivilege> results = (List<MSentryPrivilege>) query.execute();
+ for (MSentryPrivilege orphan : results) {
+ idList.add(pm.getObjectId(orphan));
+ }
+ transaction.rollback();
+ rollback = false;
+ } finally {
+ if (rollback && pm.currentTransaction().isActive()) {
+ pm.currentTransaction().rollback();
+ } else {
+ LOGGER.debug("Found {} potential orphans", idList.size());
+ }
+ }
+
+ if (idList.isEmpty()) {
+ pm.close();
+ return;
+ }
+
+ Preconditions.checkState(!rollback);
+
+ // Transaction 2: For each potential orphan, verify it's really an
+ // orphan and delete it if so
+ rollback = true;
+ try {
+ Transaction transaction = pm.currentTransaction();
+ transaction.begin();
+ pm.refreshAll(); // Try to ensure we really have correct objects
+ for (Object id : idList) {
+ MSentryPrivilege priv = (MSentryPrivilege) pm.getObjectById(id);
+ if (priv.getRoles().isEmpty()) {
+ pm.deletePersistent(priv);
+ orphansRemoved++;
+ }
+ }
+ transaction.commit();
+ pm.close();
+ rollback = false;
+ } finally {
+ if (rollback) {
+ rollbackTransaction(pm);
+ } else {
+ LOGGER.debug("Cleaned up {} orphaned privileges", orphansRemoved);
+ }
+ }
+ }
+ }
+
+ // get mapping datas for [group,role], [user,role] with the specific roles
+ public List<Map<String, Set<String>>> getGroupUserRoleMapList(Set<String> roleNames) {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryRole.class);
+
+ List<String> rolesFiler = new LinkedList<String>();
+ if (roleNames != null) {
+ for (String rName : roleNames) {
+ rolesFiler.add("(roleName == \"" + rName.trim().toLowerCase() + "\")");
+ }
+ }
+ if (rolesFiler.size() > 0) {
+ query.setFilter(Joiner.on(" || ").join(rolesFiler));
+ }
+
+ List<MSentryRole> mSentryRoles = (List<MSentryRole>) query.execute();
+ Map<String, Set<String>> groupRolesMap = getGroupRolesMap(mSentryRoles);
+ Map<String, Set<String>> userRolesMap = getUserRolesMap(mSentryRoles);
+ List<Map<String, Set<String>>> mapsList = new ArrayList<>();
+ mapsList.add(INDEX_GROUP_ROLES_MAP, groupRolesMap);
+ mapsList.add(INDEX_USER_ROLES_MAP, userRolesMap);
+ commitTransaction(pm);
+ rollbackTransaction = false;
+ return mapsList;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ private Map<String, Set<String>> getGroupRolesMap(List<MSentryRole> mSentryRoles) {
+ Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+ if (mSentryRoles == null) {
+ return groupRolesMap;
+ }
+ // change the List<MSentryRole> -> Map<groupName, Set<roleName>>
+ for (MSentryRole mSentryRole : mSentryRoles) {
+ Set<MSentryGroup> groups = mSentryRole.getGroups();
+ for (MSentryGroup group : groups) {
+ String groupName = group.getGroupName();
+ Set<String> rNames = groupRolesMap.get(groupName);
+ if (rNames == null) {
+ rNames = new HashSet<String>();
+ }
+ rNames.add(mSentryRole.getRoleName());
+ groupRolesMap.put(groupName, rNames);
+ }
+ }
+ return groupRolesMap;
+ }
+
+ private Map<String, Set<String>> getUserRolesMap(List<MSentryRole> mSentryRoles) {
+ Map<String, Set<String>> userRolesMap = Maps.newHashMap();
+ if (mSentryRoles == null) {
+ return userRolesMap;
+ }
+ // change the List<MSentryRole> -> Map<userName, Set<roleName>>
+ for (MSentryRole mSentryRole : mSentryRoles) {
+ Set<MSentryUser> users = mSentryRole.getUsers();
+ for (MSentryUser user : users) {
+ String userName = user.getUserName();
+ Set<String> rNames = userRolesMap.get(userName);
+ if (rNames == null) {
+ rNames = new HashSet<String>();
+ }
+ rNames.add(mSentryRole.getRoleName());
+ userRolesMap.put(userName, rNames);
+ }
+ }
+ return userRolesMap;
+ }
+
+ // get all mapping data for [role,privilege]
+ public Map<String, Set<TSentryPrivilege>> getRoleNameTPrivilegesMap() throws Exception {
+ return getRoleNameTPrivilegesMap(null, null);
+ }
+
+ // get mapping data for [role,privilege] with the specific auth object
+ public Map<String, Set<TSentryPrivilege>> getRoleNameTPrivilegesMap(String dbName,
+ String tableName) throws Exception {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryPrivilege.class);
+
+ List<String> privilegeFiler = new LinkedList<Strin
<TRUNCATED>
[29/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
deleted file mode 100644
index 8cf0e70..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
+++ /dev/null
@@ -1,416 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.util;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
-import org.junit.Assert;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-
-public class TestCommandUtil extends Assert {
-
- @Test
- public void testCreateCmdForCreateOrDropRole() {
- String roleName = "testRole";
-
- String createRoleCmdResult = CommandUtil.createCmdForCreateOrDropRole(
- roleName, true);
- String dropRoleCmdResult = CommandUtil.createCmdForCreateOrDropRole(
- roleName, false);
- String createRoleCmdExcepted = "CREATE ROLE testRole";
- String dropRoleCmdExcepted = "DROP ROLE testRole";
-
- assertEquals(createRoleCmdExcepted, createRoleCmdResult);
- assertEquals(dropRoleCmdResult, dropRoleCmdExcepted);
- }
-
- @Test
- public void testCreateCmdForRoleAddOrDeleteGroup1() {
-
- String createRoleAddGroupCmdResult = CommandUtil.createCmdForRoleAddGroup("testRole",
- getGroupStr(1));
- String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO GROUP testGroup1";
- String createRoleDeleteGroupCmdResult = CommandUtil.createCmdForRoleDeleteGroup("testRole",
- getGroupStr(1));
- String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM GROUP testGroup1";
-
- assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
- assertEquals(createRoleDeleteGroupCmdExcepted,
- createRoleDeleteGroupCmdResult);
- }
-
- @Test
- public void testCreateCmdForRoleAddOrDeleteGroup2() {
- String createRoleAddGroupCmdResult = CommandUtil.createCmdForRoleAddGroup("testRole",
- getGroupStr(3));
- String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO GROUP testGroup1, testGroup2, testGroup3";
- String createRoleDeleteGroupCmdResult = CommandUtil.createCmdForRoleDeleteGroup("testRole",
- getGroupStr(3));
- String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM GROUP testGroup1, testGroup2, testGroup3";
-
- assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
- assertEquals(createRoleDeleteGroupCmdExcepted,
- createRoleDeleteGroupCmdResult);
- }
-
- @Test
- public void testCreateCmdForRoleAddOrDeleteUser1() {
- String createRoleAddGroupCmdResult =
- CommandUtil.createCmdForRoleAddUser("testRole", getUserStr(1));
- String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO USER testUser1";
- String createRoleDeleteGroupCmdResult =
- CommandUtil.createCmdForRoleDeleteUser("testRole", getUserStr(1));
- String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM USER testUser1";
-
- assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
- assertEquals(createRoleDeleteGroupCmdExcepted, createRoleDeleteGroupCmdResult);
- }
-
- @Test
- public void testCreateCmdForRoleAddOrDeleteUser2() {
- String createRoleAddGroupCmdResult =
- CommandUtil.createCmdForRoleAddUser("testRole", getUserStr(3));
- String createRoleAddGroupCmdExcepted =
- "GRANT ROLE testRole TO USER testUser1, testUser2, testUser3";
- String createRoleDeleteGroupCmdResult =
- CommandUtil.createCmdForRoleDeleteUser("testRole", getUserStr(3));
- String createRoleDeleteGroupCmdExcepted =
- "REVOKE ROLE testRole FROM USER testUser1, testUser2, testUser3";
-
- assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
- assertEquals(createRoleDeleteGroupCmdExcepted, createRoleDeleteGroupCmdResult);
- }
-
- @Test
- public void testCreateCmdForGrantOrRevokePrivilege1() {
- TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
- TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
-
- TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
- PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
- "hdfs://namenode:port/path/to/dir");
- Set<TSentryPrivilege> privileges = Sets.newHashSet();
- privileges.add(privilege);
- grantRequest.setPrivileges(privileges);
- revokeRequest.setPrivileges(privileges);
-
- String createGrantPrivilegeCmdResult = CommandUtil
- .createCmdForGrantPrivilege(grantRequest);
- String createGrantPrivilegeCmdExcepted = "GRANT ALL ON DATABASE dbTest TO ROLE testRole";
- String createRevokePrivilegeCmdResult = CommandUtil
- .createCmdForRevokePrivilege(revokeRequest);
- String createRevokePrivilegeCmdExcepted = "REVOKE ALL ON DATABASE dbTest FROM ROLE testRole";
-
- assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
- assertEquals(createRevokePrivilegeCmdExcepted,
- createRevokePrivilegeCmdResult);
- }
-
- @Test
- public void testCreateCmdForGrantOrRevokePrivilege2() {
- TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
- TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
-
- TSentryPrivilege privilege = getPrivilege(AccessConstants.INSERT,
- PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
- "hdfs://namenode:port/path/to/dir");
- Set<TSentryPrivilege> privileges = Sets.newHashSet();
- privileges.add(privilege);
- grantRequest.setPrivileges(privileges);
- revokeRequest.setPrivileges(privileges);
-
- String createGrantPrivilegeCmdResult = CommandUtil
- .createCmdForGrantPrivilege(grantRequest);
- String createGrantPrivilegeCmdExcepted = "GRANT INSERT ON DATABASE dbTest TO ROLE testRole";
- String createRevokePrivilegeCmdResult = CommandUtil
- .createCmdForRevokePrivilege(revokeRequest);
- String createRevokePrivilegeCmdExcepted = "REVOKE INSERT ON DATABASE dbTest FROM ROLE testRole";
-
- assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
- assertEquals(createRevokePrivilegeCmdExcepted,
- createRevokePrivilegeCmdResult);
- }
-
- @Test
- public void testCreateCmdForGrantOrRevokePrivilege3() {
- TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
- TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
-
- TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
- PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
- "hdfs://namenode:port/path/to/dir");
- Set<TSentryPrivilege> privileges = Sets.newHashSet();
- privileges.add(privilege);
- grantRequest.setPrivileges(privileges);
- revokeRequest.setPrivileges(privileges);
-
- String createGrantPrivilegeCmdResult = CommandUtil
- .createCmdForGrantPrivilege(grantRequest);
- String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON DATABASE dbTest TO ROLE testRole";
- String createRevokePrivilegeCmdResult = CommandUtil
- .createCmdForRevokePrivilege(revokeRequest);
- String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON DATABASE dbTest FROM ROLE testRole";
-
- assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
- assertEquals(createRevokePrivilegeCmdExcepted,
- createRevokePrivilegeCmdResult);
- }
-
- @Test
- public void testCreateCmdForGrantOrRevokePrivilege4() {
- TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
- TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
-
- TSentryPrivilege privilege = getPrivilege(null,
- PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
- "hdfs://namenode:port/path/to/dir");
- Set<TSentryPrivilege> privileges = Sets.newHashSet();
- privileges.add(privilege);
- grantRequest.setPrivileges(privileges);
- revokeRequest.setPrivileges(privileges);
-
- String createGrantPrivilegeCmdResult = CommandUtil
- .createCmdForGrantPrivilege(grantRequest);
- String createGrantPrivilegeCmdExcepted = "GRANT null ON DATABASE dbTest TO ROLE testRole";
- String createRevokePrivilegeCmdResult = CommandUtil
- .createCmdForRevokePrivilege(revokeRequest);
- String createRevokePrivilegeCmdExcepted = "REVOKE null ON DATABASE dbTest FROM ROLE testRole";
-
- assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
- assertEquals(createRevokePrivilegeCmdExcepted,
- createRevokePrivilegeCmdResult);
- }
-
- @Test
- public void testCreateCmdForGrantOrRevokePrivilege5() {
- TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
- TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
-
- TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
- PrivilegeScope.TABLE.name(), "dbTest", "tableTest", "serverTest",
- "hdfs://namenode:port/path/to/dir");
- Set<TSentryPrivilege> privileges = Sets.newHashSet();
- privileges.add(privilege);
- grantRequest.setPrivileges(privileges);
- revokeRequest.setPrivileges(privileges);
-
- String createGrantPrivilegeCmdResult = CommandUtil
- .createCmdForGrantPrivilege(grantRequest);
- String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON TABLE tableTest TO ROLE testRole";
- String createRevokePrivilegeCmdResult = CommandUtil
- .createCmdForRevokePrivilege(revokeRequest);
- String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON TABLE tableTest FROM ROLE testRole";
-
- assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
- assertEquals(createRevokePrivilegeCmdExcepted,
- createRevokePrivilegeCmdResult);
- }
-
- @Test
- public void testCreateCmdForGrantOrRevokePrivilege6() {
- TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
- TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
-
- TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
- PrivilegeScope.SERVER.name(), "dbTest", "tableTest", "serverTest",
- "hdfs://namenode:port/path/to/dir");
- Set<TSentryPrivilege> privileges = Sets.newHashSet();
- privileges.add(privilege);
- grantRequest.setPrivileges(privileges);
- revokeRequest.setPrivileges(privileges);
-
- String createGrantPrivilegeCmdResult = CommandUtil
- .createCmdForGrantPrivilege(grantRequest);
- String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON SERVER serverTest TO ROLE testRole";
- String createRevokePrivilegeCmdResult = CommandUtil
- .createCmdForRevokePrivilege(revokeRequest);
- String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON SERVER serverTest FROM ROLE testRole";
-
- assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
- assertEquals(createRevokePrivilegeCmdExcepted,
- createRevokePrivilegeCmdResult);
- }
-
- @Test
- public void testCreateCmdForGrantOrRevokePrivilege7() {
- TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
- TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
-
- TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
- PrivilegeScope.URI.name(), "dbTest", "tableTest", "serverTest",
- "hdfs://namenode:port/path/to/dir");
- Set<TSentryPrivilege> privileges = Sets.newHashSet();
- privileges.add(privilege);
- grantRequest.setPrivileges(privileges);
- revokeRequest.setPrivileges(privileges);
-
- String createGrantPrivilegeCmdResult = CommandUtil
- .createCmdForGrantPrivilege(grantRequest);
- String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON URI hdfs://namenode:port/path/to/dir TO ROLE testRole";
- String createRevokePrivilegeCmdResult = CommandUtil
- .createCmdForRevokePrivilege(revokeRequest);
- String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON URI hdfs://namenode:port/path/to/dir FROM ROLE testRole";
-
- assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
- assertEquals(createRevokePrivilegeCmdExcepted,
- createRevokePrivilegeCmdResult);
- }
-
- @Test
- public void testCreateCmdForGrantOrRevokePrivilege8() {
- TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
- TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
-
- TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT, PrivilegeScope.SERVER.name(),
- "dbTest", "tableTest", "serverTest", "hdfs://namenode:port/path/to/dir");
- privilege.setGrantOption(TSentryGrantOption.TRUE);
- Set<TSentryPrivilege> privileges = Sets.newHashSet();
- privileges.add(privilege);
- grantRequest.setPrivileges(privileges);
- revokeRequest.setPrivileges(privileges);
-
- String createGrantPrivilegeCmdResult = CommandUtil.createCmdForGrantPrivilege(grantRequest);
- String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON SERVER serverTest TO ROLE testRole WITH GRANT OPTION";
- String createRevokePrivilegeCmdResult = CommandUtil.createCmdForRevokePrivilege(revokeRequest);
- String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON SERVER serverTest FROM ROLE testRole WITH GRANT OPTION";
-
- assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
- assertEquals(createRevokePrivilegeCmdExcepted, createRevokePrivilegeCmdResult);
- }
-
- // generate the command without grant option
- @Test
- public void testCreateCmdForGrantOrRevokeGMPrivilege1() {
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantGMPrivilegeRequest();
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokeGMPrivilegeRequest();
- org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege = getGMPrivilege();
- grantRequest.setPrivilege(privilege);
- revokeRequest.setPrivilege(privilege);
-
- String createGrantPrivilegeCmdResult = CommandUtil.createCmdForGrantGMPrivilege(grantRequest);
- String createGrantPrivilegeCmdExcepted = "GRANT ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 TO ROLE testRole";
- String createRevokePrivilegeCmdResult = CommandUtil
- .createCmdForRevokeGMPrivilege(revokeRequest);
- String createRevokePrivilegeCmdExcepted = "REVOKE ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 FROM ROLE testRole";
-
- assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
- assertEquals(createRevokePrivilegeCmdExcepted, createRevokePrivilegeCmdResult);
- }
-
- // generate the command with grant option
- @Test
- public void testCreateCmdForGrantOrRevokeGMPrivilege2() {
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantGMPrivilegeRequest();
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokeGMPrivilegeRequest();
- org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege = getGMPrivilege();
- privilege
- .setGrantOption(org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption.TRUE);
- grantRequest.setPrivilege(privilege);
- revokeRequest.setPrivilege(privilege);
-
- String createGrantPrivilegeCmdResult = CommandUtil.createCmdForGrantGMPrivilege(grantRequest);
- String createGrantPrivilegeCmdExcepted = "GRANT ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 TO ROLE testRole WITH GRANT OPTION";
- String createRevokePrivilegeCmdResult = CommandUtil
- .createCmdForRevokeGMPrivilege(revokeRequest);
- String createRevokePrivilegeCmdExcepted = "REVOKE ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 FROM ROLE testRole WITH GRANT OPTION";
-
- assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
- assertEquals(createRevokePrivilegeCmdExcepted, createRevokePrivilegeCmdResult);
- }
-
- private String getGroupStr(int num) {
- StringBuilder sb = new StringBuilder();
- for (int i = 0; i < num; i++) {
- if (i > 0) {
- sb.append(", ");
- }
- sb.append("testGroup" + (i + 1));
- }
- return sb.toString();
- }
-
- private String getUserStr(int num) {
- StringBuilder sb = new StringBuilder();
- for (int i = 0; i < num; i++) {
- if (i > 0) {
- sb.append(", ");
- }
- sb.append("testUser" + (i + 1));
- }
- return sb.toString();
- }
-
- private TAlterSentryRoleGrantPrivilegeRequest getGrantPrivilegeRequest() {
- TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
- request.setRoleName("testRole");
- return request;
- }
-
- private TAlterSentryRoleRevokePrivilegeRequest getRevokePrivilegeRequest() {
- TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
- request.setRoleName("testRole");
- return request;
- }
-
- private org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest getGrantGMPrivilegeRequest() {
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest request = new org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest();
- request.setRoleName("testRole");
- return request;
- }
-
- private org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest getRevokeGMPrivilegeRequest() {
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest request = new org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest();
- request.setRoleName("testRole");
- return request;
- }
-
- private TSentryPrivilege getPrivilege(String action, String privilegeScope,
- String dbName, String tableName, String serverName, String URI) {
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setAction(action);
- privilege.setPrivilegeScope(privilegeScope);
- privilege.setDbName(dbName);
- privilege.setTableName(tableName);
- privilege.setServerName(serverName);
- privilege.setURI(URI);
- return privilege;
- }
-
- private org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege getGMPrivilege() {
- org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege = new org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege();
- privilege.setAction("ACTION");
- privilege.setComponent("COMPONENT");
- List<TAuthorizable> authorizables = new ArrayList<TAuthorizable>();
- authorizables.add(new TAuthorizable("resourceType1", "resourceName1"));
- authorizables.add(new TAuthorizable("resourceType2", "resourceName2"));
- privilege.setAuthorizables(authorizables);
- return privilege;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
deleted file mode 100644
index c31233b..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
+++ /dev/null
@@ -1,245 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.persistent;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
-import org.junit.Test;
-
-public class TestSentryPrivilege {
- @Test
- public void testImpliesPrivilegePositive() throws Exception {
- // 1.test server+database+table+action
- MSentryPrivilege my = new MSentryPrivilege();
- MSentryPrivilege your = new MSentryPrivilege();
- my.setServerName("server1");
- my.setDbName("db1");
- my.setTableName("tb1");
- my.setAction(AccessConstants.SELECT);
- your.setServerName("server1");
- your.setDbName("db1");
- your.setTableName("tb1");
- your.setAction(AccessConstants.SELECT);
- assertTrue(my.implies(your));
-
- my.setAction(AccessConstants.ALL);
- assertTrue(my.implies(your));
-
- my.setTableName("");
- assertTrue(my.implies(your));
-
- my.setDbName("");
- assertTrue(my.implies(your));
-
- my.setAction(AccessConstants.ACTION_ALL);
- assertTrue(my.implies(your));
-
- my.setTableName("");
- assertTrue(my.implies(your));
-
- my.setDbName("");
- assertTrue(my.implies(your));
-
- // 2.test server+URI+action using all combinations of * and ALL for action
- String[][] actionMap = new String[][] {
- { AccessConstants.ALL, AccessConstants.ALL },
- { AccessConstants.ALL, AccessConstants.ACTION_ALL },
- { AccessConstants.ACTION_ALL, AccessConstants.ALL },
- { AccessConstants.ACTION_ALL, AccessConstants.ACTION_ALL } };
-
- for (int actions = 0; actions < actionMap.length; actions++) {
- my = new MSentryPrivilege();
- your = new MSentryPrivilege();
- my.setServerName("server1");
- my.setAction(actionMap[actions][0]);
- your.setServerName("server1");
- your.setAction(actionMap[actions][1]);
- my.setURI("hdfs://namenode:9000/path");
- your.setURI("hdfs://namenode:9000/path");
- assertTrue(my.implies(your));
-
- my.setURI("hdfs://namenode:9000/path");
- your.setURI("hdfs://namenode:9000/path/to/some/dir");
- assertTrue(my.implies(your));
-
- my.setURI("file:///path");
- your.setURI("file:///path");
- assertTrue(my.implies(your));
-
- my.setURI("file:///path");
- your.setURI("file:///path/to/some/dir");
- assertTrue(my.implies(your));
-
- // my is SERVER level privilege, your is URI level privilege
- my.setURI("");
- your.setURI("file:///path");
- assertTrue(my.implies(your));
- }
- }
-
- @Test
- public void testImpliesPrivilegeNegative() throws Exception {
- // 1.test server+database+table+action
- MSentryPrivilege my = new MSentryPrivilege();
- MSentryPrivilege your = new MSentryPrivilege();
- // bad action
- my.setServerName("server1");
- my.setDbName("db1");
- my.setTableName("tb1");
- my.setAction(AccessConstants.SELECT);
- your.setServerName("server1");
- your.setDbName("db1");
- your.setTableName("tb1");
- your.setAction(AccessConstants.INSERT);
- assertFalse(my.implies(your));
-
- // bad action
- your.setAction(AccessConstants.ALL);
- assertFalse(my.implies(your));
-
-
- // bad table
- your.setTableName("tb2");
- assertFalse(my.implies(your));
-
- // bad database
- your.setTableName("tb1");
- your.setDbName("db2");
- assertFalse(my.implies(your));
-
- // bad server
- your.setTableName("tb1");
- your.setDbName("db1");
- your.setServerName("server2");
- assertFalse(my.implies(your));
-
- // 2.test server+URI+action
- my = new MSentryPrivilege();
- your = new MSentryPrivilege();
- my.setServerName("server1");
- my.setAction(AccessConstants.ALL);
- your.setServerName("server2");
- your.setAction(AccessConstants.ALL);
-
- // relative path
- my.setURI("hdfs://namenode:9000/path");
- your.setURI("hdfs://namenode:9000/path/to/../../other");
- assertFalse(my.implies(your));
- my.setURI("file:///path");
- your.setURI("file:///path/to/../../other");
- assertFalse(my.implies(your));
-
- // bad uri
- my.setURI("blah");
- your.setURI("hdfs://namenode:9000/path/to/some/dir");
- assertFalse(my.implies(your));
- my.setURI("hdfs://namenode:9000/path/to/some/dir");
- your.setURI("blah");
- assertFalse(my.implies(your));
-
- // bad scheme
- my.setURI("hdfs://namenode:9000/path");
- your.setURI("file:///path/to/some/dir");
- assertFalse(my.implies(your));
- my.setURI("hdfs://namenode:9000/path");
- your.setURI("file://namenode:9000/path/to/some/dir");
- assertFalse(my.implies(your));
-
- // bad hostname
- my.setURI("hdfs://namenode1:9000/path");
- your.setURI("hdfs://namenode2:9000/path");
- assertFalse(my.implies(your));
-
- // bad port
- my.setURI("hdfs://namenode:9000/path");
- your.setURI("hdfs://namenode:9001/path");
- assertFalse(my.implies(your));
-
- // bad path
- my.setURI("hdfs://namenode:9000/path1");
- your.setURI("hdfs://namenode:9000/path2");
- assertFalse(my.implies(your));
- my.setURI("file:///path1");
- your.setURI("file:///path2");
- assertFalse(my.implies(your));
-
- // bad server
- your.setServerName("server2");
- my.setURI("hdfs://namenode:9000/path1");
- your.setURI("hdfs://namenode:9000/path1");
- assertFalse(my.implies(your));
-
- // bad implies
- my.setServerName("server1");
- my.setURI("hdfs://namenode:9000/path1");
- your.setServerName("server1");
- your.setURI("");
- assertFalse(my.implies(your));
- }
-
- @Test
- public void testImpliesPrivilegePositiveWithColumn() throws Exception {
- // 1.test server+database+table+column+action
- MSentryPrivilege my = new MSentryPrivilege();
- MSentryPrivilege your = new MSentryPrivilege();
- my.setServerName("server1");
- my.setAction(AccessConstants.SELECT);
- your.setServerName("server1");
- your.setDbName("db1");
- your.setTableName("tb1");
- your.setColumnName("c1");
- your.setAction(AccessConstants.SELECT);
- assertTrue(my.implies(your));
-
- my.setDbName("db1");
- assertTrue(my.implies(your));
-
- my.setTableName("tb1");
- assertTrue(my.implies(your));
-
- my.setColumnName("c1");
- assertTrue(my.implies(your));
- }
-
- @Test
- public void testImpliesPrivilegeNegativeWithColumn() throws Exception {
- // 1.test server+database+table+column+action
- MSentryPrivilege my = new MSentryPrivilege();
- MSentryPrivilege your = new MSentryPrivilege();
- // bad column
- my.setServerName("server1");
- my.setDbName("db1");
- my.setTableName("tb1");
- my.setColumnName("c1");
- my.setAction(AccessConstants.SELECT);
- your.setServerName("server1");
- your.setDbName("db1");
- your.setTableName("tb1");
- your.setColumnName("c2");
- your.setAction(AccessConstants.SELECT);
- assertFalse(my.implies(your));
-
- // bad scope
- your.setColumnName("");
- assertFalse(my.implies(your));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryServiceDiscovery.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryServiceDiscovery.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryServiceDiscovery.java
deleted file mode 100644
index 7cbcc11..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryServiceDiscovery.java
+++ /dev/null
@@ -1,123 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.persistent;
-
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
-
-import org.apache.hadoop.conf.Configuration;
-
-import org.apache.curator.test.TestingServer;
-import org.apache.curator.x.discovery.ServiceInstance;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import static org.junit.Assert.assertEquals;
-
-public class TestSentryServiceDiscovery {
-
- private HAContext haContext;
- private TestingServer server;
-
- @Before
- public void setup() throws Exception {
- server = new TestingServer();
- // HA conf
- Configuration conf = new Configuration(false);
- conf.set(ServerConfig.SENTRY_HA_ENABLED, "true");
- conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE, "sentry-test");
- conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_QUORUM, server.getConnectString());
- haContext = HAContext.getHAContext(conf);
- }
-
- @After
- public void teardown() {
- HAContext.clearServerContext();
- if (server != null) {
- try {
- server.stop();
- } catch (IOException e) {
- }
- }
- }
-
- @Test
- public void testRegisterOneService() throws Exception {
- final String hostname = "localhost1";
- final Integer port = 123;
- ServiceRegister register = new ServiceRegister(haContext);
- register.regService(hostname, port);
- ServiceManager manager = new ServiceManager(haContext);
- ServiceInstance<Void> instance = manager.getServiceInstance();
- assertEquals("'hostname' doesn't match.", hostname, instance.getAddress());
- assertEquals("'port' doesn't match.", port, instance.getPort());
- }
-
- @Test
- public void testRegisterMultiService() throws Exception {
-
- final String hostname1 = "localhost1";
- final Integer port1 = 123;
- final String hostname2 = "localhost2";
- final Integer port2 = 456;
- final String hostname3 = "localhost3";
- final Integer port3 = 789;
-
- Map<String, Integer> servicesMap = new HashMap<String, Integer>();
- servicesMap.put(hostname1, port1);
- servicesMap.put(hostname2, port2);
- servicesMap.put(hostname3, port3);
-
- ServiceRegister register1 = new ServiceRegister(haContext);
- register1.regService(hostname1, port1);
- ServiceRegister register2 = new ServiceRegister(haContext);
- register2.regService(hostname2, port2);
- ServiceRegister register3 = new ServiceRegister(haContext);
- register3.regService(hostname3, port3);
-
- ServiceManager manager = new ServiceManager(haContext);
- ServiceInstance<Void> instance = manager.getServiceInstance();
- assertEquals("'instance' doesn't match.", instance.getPort(), servicesMap.get(instance.getAddress()));
- instance = manager.getServiceInstance();
- assertEquals("'instance' doesn't match.", instance.getPort(), servicesMap.get(instance.getAddress()));
- instance = manager.getServiceInstance();
- assertEquals("'instance' doesn't match.", instance.getPort(), servicesMap.get(instance.getAddress()));
- }
-
- @Test
- public void testReportError() throws Exception {
- final String hostname1 = "localhost1";
- final Integer port1 = 123;
-
- ServiceRegister register1 = new ServiceRegister(haContext);
- register1.regService(hostname1, port1);
-
- ServiceManager manager = new ServiceManager(haContext);
- ServiceInstance<Void> instance = manager.getServiceInstance();
- manager.reportError(instance);
- // report twice, manager will not return temporarily
- instance = manager.getServiceInstance();
- manager.reportError(instance);
- instance = manager.getServiceInstance();
- assertEquals("'instance' should be null.", null, instance);
- }
-
-}
[24/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
deleted file mode 100644
index a05521f..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ /dev/null
@@ -1,1102 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless createRequired by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.TreeMap;
-
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.Test;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-
-
-public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
-
- @Test
- public void testCreateDropShowRole() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
-
- client.createRole(requestorUserName, roleName);
-
- Set<TSentryRole> roles = client.listRoles(requestorUserName);
- assertEquals("Incorrect number of roles", 1, roles.size());
-
- for (TSentryRole role:roles) {
- assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
- }
- client.dropRole(requestorUserName, roleName);
- }});
- }
-
- @Test
- public void testGranRevokePrivilegeOnTableForRole() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
-
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
-
-
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
-
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertEquals("Privilege not assigned to role1 !!", 4, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertEquals("Privilege not assigned to role2 !!", 4, listPrivilegesByRoleName.size());
-
-
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
-
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
-
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
-
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
- }});
- }
-
- @Test
- public void testAddDeleteRolesForUser() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
-
- // user1->group1
- // user2->group1
- // user3->group1, group2
- // user4->group2, group3
- // group1->r1
- // group2->r2
- // group3->r2
- // user2->r3
- // user4->r3
- String roleName1 = "r1";
- String roleName2 = "r2";
- String roleName3 = "r3";
- String user1 = "u1";
- String user2 = "u2";
- String user3 = "u3";
- String user4 = "u4";
- String group1 = "g1";
- String group2 = "g2";
- String group3 = "g3";
- Map<String, Set<String>> userToGroups = Maps.newHashMap();
- userToGroups.put(user1, Sets.newHashSet(group1));
- userToGroups.put(user2, Sets.newHashSet(group1));
- userToGroups.put(user3, Sets.newHashSet(group1, group2));
- userToGroups.put(user4, Sets.newHashSet(group2, group3));
-
- setLocalGroupMapping(user1, Sets.newHashSet(group1));
- setLocalGroupMapping(user2, Sets.newHashSet(group1));
- setLocalGroupMapping(user3, Sets.newHashSet(group1, group2));
- setLocalGroupMapping(user4, Sets.newHashSet(group2, group3));
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.dropRoleIfExists(requestorUserName, roleName3);
- client.createRole(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName3);
-
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
- client.grantRoleToUser(requestorUserName, user2, roleName2);
- client.grantRoleToUser(requestorUserName, user3, roleName2);
- client.grantRoleToUser(requestorUserName, user2, roleName3);
- client.grantRoleToUsers(requestorUserName, roleName3, Sets.newHashSet(user4));
- // following test cases also test the grantRoleToUser() and grantRoleToUsers() implicity
- // admin always can get the role list
- Set<TSentryRole> roles = client.listRolesByUserName(requestorUserName, user1);
- assertEquals(0, roles.size());
- // the role list includes the role for user and the role for user's group
- roles = client.listRolesByUserName(requestorUserName, user2);
- assertEquals(2, roles.size());
- for (TSentryRole role : roles) {
- assertTrue(roleName2.equals(role.getRoleName()) || roleName3.equals(role.getRoleName()));
- }
- // user has 2 groups whose role list are different
- roles = client.listRolesByUserName(requestorUserName, user3);
- assertEquals(1, roles.size());
- for (TSentryRole role : roles) {
- assertTrue(roleName2.equals(role.getRoleName()));
- }
- // user has 2 groups whose role list are the same
- roles = client.listRolesByUserName(requestorUserName, user4);
- assertEquals(1, roles.size());
- for (TSentryRole role : roles) {
- assertTrue(roleName3.equals(role.getRoleName()));
- }
- // user can get his own role list if he isn't an admin
- roles = client.listRolesByUserName(user3, user3);
- assertEquals(1, roles.size());
- // user can't get other's role list if he isn't an admin
- try {
- client.listRolesByUserName(user3, user2);
- fail("SentryAccessDeniedException should be caught.");
- } catch (SentryAccessDeniedException e) {
- // excepted exception
- }
- // the user's name can't be empty
- try {
- client.listRolesByUserName(user3, "");
- fail("SentryAccessDeniedException should be caught.");
- } catch (SentryAccessDeniedException e) {
- // excepted exception
- }
- client.revokeRoleFromUser(requestorUserName, user2, roleName3);
- client.revokeRoleFromUsers(requestorUserName, roleName3, Sets.newHashSet(user4));
- // test the result of revokeRoleFromUser() and revokeRoleFromUsers()
- roles = client.listRolesByUserName(requestorUserName, user2);
- assertEquals(1, roles.size());
- for (TSentryRole role : roles) {
- assertTrue(roleName2.equals(role.getRoleName()));
- }
- roles = client.listRolesByUserName(requestorUserName, user4);
- assertEquals(0, roles.size());
- }
- });
- }
-
- @Test
- public void testGranRevokePrivilegeForRoleWithUG() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
-
- // user1_1->group1
- // user1_2->group1
- // user2_1->group2
- // user2_2->group2
- // group1->r1
- // group2->r2
- // user1_1->r3
- // user2_1->r4
- String roleName1 = "r1";
- String roleName2 = "r2";
- String roleName3 = "r3";
- String roleName4 = "r4";
- String user1_1 = "u1_1";
- String user1_2 = "u1_2";
- String user2_1 = "u2_1";
- String user2_2 = "u2_2";
- String group1 = "g1";
- String group2 = "g2";
- Map<String, String> userToGroup = Maps.newHashMap();
- userToGroup.put(user1_1, group1);
- userToGroup.put(user1_2, group1);
- userToGroup.put(user2_1, group2);
- userToGroup.put(user2_2, user2_1);
-
- Set<String> groupSet = Sets.newHashSet(group1);
- setLocalGroupMapping(user1_1, groupSet);
- setLocalGroupMapping(user1_2, groupSet);
- groupSet = Sets.newHashSet(group2);
- setLocalGroupMapping(user2_1, groupSet);
- setLocalGroupMapping(user2_2, groupSet);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.dropRoleIfExists(requestorUserName, roleName3);
- client.dropRoleIfExists(requestorUserName, roleName4);
- client.createRole(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName3);
- client.createRole(requestorUserName, roleName4);
-
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
- client.grantRoleToGroup(requestorUserName, group2, roleName2);
- client.grantRoleToUser(requestorUserName, user1_1, roleName3);
- client.grantRoleToUsers(requestorUserName, roleName4, Sets.newHashSet(user2_1));
-
- client
- .grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1_1", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1_2", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2_1", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2_2", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName3, "server", "db1", "table3_1", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName3, "server", "db1", "table3_2", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName4, "server", "db1", "table4_1", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName4, "server", "db1", "table4_2", "ALL");
-
- Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(
- Sets.newHashSet(group1), Sets.newHashSet(""), ActiveRoleSet.ALL, (Authorizable[]) null);
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
- "server=server->db=db1->table=table1_1->action=all",
- "server=server->db=db1->table=table1_2->action=all"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(
- Sets.newHashSet(userToGroup.get(user1_2)),
- Sets.newHashSet(user1_2), ActiveRoleSet.ALL, (Authorizable[]) null);
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
- "server=server->db=db1->table=table1_1->action=all",
- "server=server->db=db1->table=table1_2->action=all"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(
- Sets.newHashSet(userToGroup.get(user1_1)),
- Sets.newHashSet(user1_1), ActiveRoleSet.ALL, (Authorizable[]) null);
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
- "server=server->db=db1->table=table1_1->action=all",
- "server=server->db=db1->table=table1_2->action=all",
- "server=server->db=db1->table=table3_1->action=all",
- "server=server->db=db1->table=table3_2->action=all"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1),
- Sets.newHashSet(user1_1, user1_2), ActiveRoleSet.ALL, (Authorizable[]) null);
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
- "server=server->db=db1->table=table1_1->action=all",
- "server=server->db=db1->table=table1_2->action=all",
- "server=server->db=db1->table=table3_1->action=all",
- "server=server->db=db1->table=table3_2->action=all"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(
- Sets.newHashSet(group1, group2), Sets.newHashSet(user1_1, user1_2, user2_1, user2_2),
- ActiveRoleSet.ALL, (Authorizable[]) null);
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
- "server=server->db=db1->table=table1_1->action=all",
- "server=server->db=db1->table=table1_2->action=all",
- "server=server->db=db1->table=table2_1->action=all",
- "server=server->db=db1->table=table2_2->action=all",
- "server=server->db=db1->table=table3_1->action=all",
- "server=server->db=db1->table=table3_2->action=all",
- "server=server->db=db1->table=table4_1->action=all",
- "server=server->db=db1->table=table4_2->action=all"), listPrivilegesForProvider);
-
- client.revokeRoleFromUser(requestorUserName, user1_1, roleName3);
- client.revokeRoleFromUsers(requestorUserName, roleName4, Sets.newHashSet(user2_1));
- }
- });
- }
-
- @Test
- public void testMultipleRolesSamePrivilege() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
-
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL");
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
-
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
- }});
- }
-
- @Test
- public void testShowRoleGrant() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_testdb";
- String groupName = "group1";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- Set<TSentryRole> roles = client.listRoles(requestorUserName);
- assertEquals("Incorrect number of roles", 1, roles.size());
-
- client.grantRoleToGroup(requestorUserName, groupName, roleName);
- Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName);
- assertTrue(groupRoles.size() == 1);
- for (TSentryRole role:groupRoles) {
- assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
- assertTrue(role.getGroups().size() == 1);
- for (TSentryGroup group :role.getGroups()) {
- assertTrue(group.getGroupName(), group.getGroupName().equalsIgnoreCase(groupName));
- }
- }
-
- client.dropRole(requestorUserName, roleName);
- }});
- }
-
- @Test
- public void testShowGrant() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_testdb";
- String server = "server1";
- String db = "testDB";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- Set<TSentryRole> roles = client.listRoles(requestorUserName);
- assertEquals("Incorrect number of roles", 1, roles.size());
-
- client.grantDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
- Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
- assertTrue(privileges.size() == 1);
-
- client.revokeDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
- client.dropRole(requestorUserName, roleName);
- }});
- }
-
- //See SENTRY-166
- @Test
- public void testUriWithEquals() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_testdb";
- String server = "server1";
- String uri = "file://u/w/h/t/partition=value/";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- // Creating associated role
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- Set<TSentryRole> roles = client.listRoles(requestorUserName);
- assertEquals("Incorrect number of roles", 1, roles.size());
-
- client.grantURIPrivilege(requestorUserName, roleName, server, uri);
- Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
- assertTrue(privileges.size() == 1);
-
- // Revoking the same privilege
- client.revokeURIPrivilege(requestorUserName, roleName, server, uri);
- privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
- assertTrue(privileges.size() == 0);
-
- // Clean up
- client.dropRole(requestorUserName, roleName);
- }});
- }
-
-
- //See SENTRY-181
- @Test
- public void testSameGrantTwice() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
-
- client.createRole(requestorUserName, roleName);
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL");
- assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
- }});
- }
-
- @Test
- public void testGrantRevokeWithGrantOption() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- // Grant a privilege with Grant Option
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
- boolean grantOption = true;
- boolean withoutGrantOption = false;
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
- assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
- // Try to revoke the privilege without grantOption and can't revoke the privilege.
- client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption);
- assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
- // Try to revoke the privilege with grantOption, the privilege will be revoked.
- client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
- assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
- }});
- }
-
- @Test
- public void testGrantTwoPrivilegeDiffInGrantOption() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- // Grant a privilege with 'Grant Option'.
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
- boolean grantOption = true;
- boolean withoutGrantOption = false;
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
- assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
- // Grant a privilege without 'Grant Option'.
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption);
- assertEquals(2, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
- // Use 'grantOption = null', the two privileges will be revoked.
- client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", null);
- assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
- }});
- }
-
- @Test
- public void testGranRevokePrivilegeOnColumnForRole() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
-
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col2", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col2", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL");
-
-
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col2", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL");
-
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertEquals("Privilege not assigned to role1 !!", 6, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertEquals("Privilege not assigned to role2 !!", 6, listPrivilegesByRoleName.size());
-
-
- client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 6);
-
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
-
- client.revokeDatabasePrivilege(requestorUserName, roleName1, "server", "db1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 2);
- client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL");
- client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
-
- client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL");
- client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL");
- client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL");
- client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
- }});
- }
-
- @Test
- public void testListByAuthDB() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName1 = "role1";
- String roleName2 = "role2";
- Set<String> testRoleSet = Sets.newHashSet(roleName1, roleName2);
- String group1 = "group1";
- String group2 = "group2";
- Set<String> testGroupSet = Sets.newHashSet(group1, group2);
- String server = "server1";
- String db = "testDB";
- String db2 = "testDB2";
- String tab = "testTab";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- String group1user = "group1user";
- setLocalGroupMapping(group1user, Sets.newHashSet(group1));
- String group2user = "group2user";
- setLocalGroupMapping(group2user, Sets.newHashSet(group2));
- setLocalGroupMapping("random", Sets.newHashSet("foo"));
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- TSentryPrivilege role1db1 = client.grantDatabasePrivilege(
- requestorUserName, roleName1, server, db, AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
- AccessConstants.ALL);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab,
- AccessConstants.SELECT);
- client.grantURIPrivilege(requestorUserName, roleName1, server, "hdfs:///fooUri");
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
-
- TSentryPrivilege role2db1 = client.grantDatabasePrivilege(
- requestorUserName, roleName2, server, db,
- AccessConstants.ALL);
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
- AccessConstants.ALL);
- client.grantRoleToGroup(requestorUserName, group2, roleName2);
-
- // build expected output
- TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
- new TreeMap<String, Set<TSentryPrivilege>>());
- db1RoleToPrivMap.getPrivilegeMap()
- .put(roleName1, Sets.newHashSet(role1db1));
- db1RoleToPrivMap.getPrivilegeMap()
- .put(roleName2, Sets.newHashSet(role2db1));
- Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
- .newTreeMap();
- List<? extends Authorizable> db1Authrizable = Lists.newArrayList(
- new Server(server), new Database(db));
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable),
- db1RoleToPrivMap);
-
- Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
- authorizableSet.add(db1Authrizable);
-
- // verify for null group and null roleset
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
- .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
- assertEquals(expectedResults, authPrivMap);
-
- // verify for null group and specific roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
- null, new ActiveRoleSet(testRoleSet));
- assertEquals(expectedResults, authPrivMap);
-
- // verify for null group and specific roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null,
- ActiveRoleSet.ALL);
- assertEquals(expectedResults, authPrivMap);
-
- // verify for specific group and null roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
- testGroupSet, null);
- assertEquals(expectedResults, authPrivMap);
-
- // verify for specific group and specific roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
- testGroupSet, new ActiveRoleSet(testRoleSet));
- assertEquals(expectedResults, authPrivMap);
-
- // verify for specific group and ALL roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
- testGroupSet, ActiveRoleSet.ALL);
- assertEquals(expectedResults, authPrivMap);
-
- // verify users not belonging to any group are not shown anything
- authPrivMap = client
- .listPrivilegsbyAuthorizable("random", authorizableSet,
- new HashSet<String>(), ActiveRoleSet.ALL);
- expectedResults.clear();
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable),
- new TSentryPrivilegeMap(new HashMap<String, Set<TSentryPrivilege>>()));
- assertEquals(expectedResults, authPrivMap);
- }});
- }
-
- @Test
- public void testListByAuthTab() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName1 = "role1";
- String roleName2 = "role2";
- String server = "server1";
- String db = "testDB";
- String db2 = "testDB2";
- String tab = "testTab";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantDatabasePrivilege(
- requestorUserName, roleName1, server, db, AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
- AccessConstants.ALL);
- TSentryPrivilege role1db2tab = client.grantTablePrivilege(
- requestorUserName, roleName1, server, db2, tab,
- AccessConstants.SELECT);
-
- client.grantDatabasePrivilege(
- requestorUserName, roleName2, server, db,
- AccessConstants.ALL);
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
- AccessConstants.SELECT);
- TSentryPrivilege role2db2tab = client.grantTablePrivilege(
- requestorUserName, roleName2, server, db2, tab,
- AccessConstants.ALL);
- client.grantURIPrivilege(requestorUserName, roleName1, server,
- "hdfs:///fooUri");
-
- // build expected output
- TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
- new TreeMap<String, Set<TSentryPrivilege>>());
- db1RoleToPrivMap.getPrivilegeMap().put(roleName1,
- Sets.newHashSet(role1db2tab));
- db1RoleToPrivMap.getPrivilegeMap().put(roleName2,
- Sets.newHashSet(role2db2tab));
- Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
- .newTreeMap();
- List<? extends Authorizable> db2TabAuthrizable = Lists.newArrayList(
- new Server(server), new Database(db2), new Table(tab));
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthrizable),
- db1RoleToPrivMap);
-
- Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
- authorizableSet.add(db2TabAuthrizable);
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
- .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
-
- assertEquals(expectedResults, authPrivMap);
- }});
- }
-
- @Test
- public void testListByAuthUri() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName1 = "role1";
- String roleName2 = "role2";
- String server = "server1";
- String db = "testDB";
- String db2 = "testDB2";
- String tab = "testTab";
- String uri1 = "hdfs:///fooUri";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantDatabasePrivilege(requestorUserName, roleName1, server, db,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
- AccessConstants.ALL);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab,
- AccessConstants.SELECT);
- TSentryPrivilege role1uri1 = client.grantURIPrivilege(requestorUserName,
- roleName1, server, uri1);
-
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db,
- AccessConstants.ALL);
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
- AccessConstants.ALL);
- TSentryPrivilege role2uri2 = client.grantURIPrivilege(requestorUserName,
- roleName2, server, uri1);
-
- // build expected output
- TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
- new TreeMap<String, Set<TSentryPrivilege>>());
- db1RoleToPrivMap.getPrivilegeMap().put(roleName1,
- Sets.newHashSet(role1uri1));
- db1RoleToPrivMap.getPrivilegeMap().put(roleName2,
- Sets.newHashSet(role2uri2));
- Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
- .newTreeMap();
- List<? extends Authorizable> uri1Authrizable = Lists.newArrayList(
- new Server(server), new AccessURI(uri1));
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(uri1Authrizable),
- db1RoleToPrivMap);
-
- Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
- authorizableSet.add(uri1Authrizable);
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
- .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
-
- assertEquals(expectedResults, authPrivMap);
- }});
- }
-
- /**
- * List privileges by authorizables executed by non-admin user
- * Test various positive and negative cases for non-admin user
- * @throws Exception
- */
- @Test
- public void testListByAuthTabForNonAdmin() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- String user1 = "user1";
- String group1 = "group1";
- String group2 = "group2";
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- Set<String> userGroupNames1 = Sets.newHashSet(group1);
- Set<String> userGroupNames2 = Sets.newHashSet(group2);
- String roleName1 = "role1";
- String roleName2 = "role2";
- String server = "server1";
- String db = "testDB";
- String db2 = "testDB2";
- String tab = "testTab";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- setLocalGroupMapping(user1, userGroupNames1);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantDatabasePrivilege(requestorUserName, roleName1, server, db,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
- AccessConstants.ALL);
- TSentryPrivilege role1db2tab = client.grantTablePrivilege(
- requestorUserName, roleName1, server, db2, tab, AccessConstants.SELECT);
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
-
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db,
- AccessConstants.ALL);
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
- AccessConstants.ALL);
- client.grantURIPrivilege(requestorUserName, roleName1, server,
- "hdfs:///fooUri");
-
- // build expected output. user1 should see privileges on tab1 from role1
- TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
- new TreeMap<String, Set<TSentryPrivilege>>());
- db1RoleToPrivMap.getPrivilegeMap().put(roleName1, Sets.newHashSet(role1db2tab));
- Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps.newTreeMap();
- List<? extends Authorizable> db2TabAuthorizable = Lists.newArrayList(
- new Server(server), new Database(db2), new Table(tab));
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthorizable),
- db1RoleToPrivMap);
-
- Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
- authorizableSet.add(db2TabAuthorizable);
-
- // list privileges with null group and roles
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
- .listPrivilegsbyAuthorizable(user1, authorizableSet, null, null);
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with empty group set and null roles
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- new HashSet<String>(), null);
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with null group set and ALL roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- null, new ActiveRoleSet(true));
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with user1's group set and null roles
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- userGroupNames1, null);
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with user1's group set and ALL roles
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- userGroupNames1, new ActiveRoleSet(true));
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with null group and user's specific roles with uppercase name
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- null, new ActiveRoleSet(Sets.newHashSet(roleName1.toUpperCase())));
- assertEquals(expectedResults, authPrivMap);
-
- // verify that user1 can't query group2
- try {
- client.listPrivilegsbyAuthorizable(user1, authorizableSet, userGroupNames2, null);
- fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + group2);
- } catch (SentryAccessDeniedException e) {
- // expected
- }
-
- // verify that user1 can't query role2
- ActiveRoleSet roleSet2 = new ActiveRoleSet(Sets.newHashSet(roleName2));
- try {
- client.listPrivilegsbyAuthorizable(user1, authorizableSet, null, roleSet2);
- fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + roleName2);
- } catch (SentryAccessDeniedException e) {
- // expected
- }
- }});
- }
-
- /**
- * Attempt to access a configuration value that is forbidden in getConfigVal
- * @param configVal The banned value
- * @param defaultVal A default to pass to getConfigValue
- * @throws Exception
- */
- private void checkBannedConfigVal(final String configVal, final String defaultVal)
- throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- try {
- client.getConfigValue(configVal, defaultVal);
- fail("Attempt to access " + configVal + " succeeded");
- } catch (SentryAccessDeniedException e) {
- assertTrue(e.toString().contains("was denied"));
- assertTrue(e.toString().contains(configVal));
- }
- }});
- }
-
- @Test
- public void testGetConfigVal() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- String val;
-
- // Basic success case
- val = client.getConfigValue("sentry.service.admin.group", "xxx");
- assertEquals(val, "admin_group");
-
- // Undefined value gets the default back
- val = client.getConfigValue("sentry.this.is.not.defined", "hello");
- assertEquals(val, "hello");
-
- // Undefined value and null default gets null back
- val = client.getConfigValue("sentry.this.is.not.defined", null);
- assertEquals(val, null);
-
- // Known config value with null default works as expected
- val = client.getConfigValue("sentry.service.admin.group", null);
- assertEquals(val, "admin_group");
-
- // Value that is forbidden (anything not starting with "sentry") dies
- checkBannedConfigVal("notsentry", "xxx");
-
- // Ditto with a null default
- checkBannedConfigVal("notsentry", null);
-
- // Values with .jdbc. are forbidden
- checkBannedConfigVal("sentry.xxx.jdbc.xxx", null);
-
- // Values with password are forbidden
- checkBannedConfigVal("sentry.xxx.password", null);
-
- // Attempt to get the location of the keytab also fails
- checkBannedConfigVal("sentry.service.server.keytab", null);
-
- }});
- }
-
- /* SENTRY-841 */
- @Test
- public void testGranRevokePrivilegeOnServerForRole() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- String roleName1 = "admin_r1";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
-
- client.grantServerPrivilege(requestorUserName, roleName1, "server", false);
-
- Set<TSentryPrivilege> listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege should be all:",listPrivs.iterator().next().getAction().equals("*"));
-
- client.revokeServerPrivilege(requestorUserName, roleName1, "server", false);
- listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivs.size() == 0);
-
- }});
- }
-
- @Test
- public void testGranRevokePrivilegeWithoutAction() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- String roleName1 = "admin_r1";
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.grantServerPrivilege(requestorUserName, roleName1, "server1", false);
-
- Set<TSentryPrivilege> listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege should be all:", listPrivs.iterator().next().getAction().equals("*"));
-
- client.revokeServerPrivilege(requestorUserName, roleName1, "server1", "ALL", false);
- listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivs.size() == 0);
-
- }});
- }
-}
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithInvalidMsgSize.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithInvalidMsgSize.java
deleted file mode 100644
index 15eab15..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithInvalidMsgSize.java
+++ /dev/null
@@ -1,119 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import com.google.common.collect.Sets;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.service.thrift.SentryServiceClientFactory;
-import org.apache.sentry.service.thrift.SentryServiceFactory;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.apache.sentry.service.thrift.ServiceConstants;
-import org.junit.Assert;
-import org.junit.Test;
-
-import java.util.Set;
-
-/**
- * Test sentry service with a larger message size than the server's or client's thrift max message size.
- */
-public class TestSentryServiceWithInvalidMsgSize extends SentryServiceIntegrationBase {
- private final Set<String> REQUESTER_USER_GROUP_NAMES = Sets.newHashSet(ADMIN_GROUP);
- private final String ROLE_NAME = "admin_r";
-
- /**
- * Test the case when the message size is larger than the client's thrift max message size.
- */
- @Test
- public void testClientWithSmallMaxMsgSize() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Configuration confWithSmallMaxMsgSize = new Configuration(conf);
- confWithSmallMaxMsgSize.setLong(ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE, 20);
- // create a client with a small thrift max message size
- SentryPolicyServiceClient clientWithSmallMaxMsgSize = SentryServiceClientFactory.create(confWithSmallMaxMsgSize);
-
- setLocalGroupMapping(ADMIN_USER, REQUESTER_USER_GROUP_NAMES);
- writePolicyFile();
-
- boolean exceptionThrown = false;
- try {
- // client throws exception when message size is larger than the client's thrift max message size.
- clientWithSmallMaxMsgSize.listRoles(ADMIN_USER);
- } catch (SentryUserException e) {
- exceptionThrown = true;
- Assert.assertTrue(e.getMessage().contains("Thrift exception occurred"));
- Assert.assertTrue(e.getCause().getMessage().contains("Length exceeded max allowed"));
- } finally {
- Assert.assertEquals(true, exceptionThrown);
- clientWithSmallMaxMsgSize.close();
- }
-
- // client can still talk with sentry server when message size is smaller.
- client.dropRoleIfExists(ADMIN_USER, ROLE_NAME);
- client.listRoles(ADMIN_USER);
- client.createRole(ADMIN_USER, ROLE_NAME);
- client.listRoles(ADMIN_USER);
- }
- });
- }
-
- /**
- * Test the case when the message size is larger than the server's thrift max message size.
- */
- @Test
- public void testServerWithSmallMaxMsgSize() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Configuration confWithSmallMaxMsgSize = new Configuration(conf);
- confWithSmallMaxMsgSize.setLong(ServiceConstants.ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE,
- 50);
- stopSentryService();
-
- // create a server with a small max thrift message size
- server = new SentryServiceFactory().create(confWithSmallMaxMsgSize);
- startSentryService();
-
- setLocalGroupMapping(ADMIN_USER, REQUESTER_USER_GROUP_NAMES);
- writePolicyFile();
-
- // client can talk with server when message size is smaller.
- client.listRoles(ADMIN_USER);
- client.createRole(ADMIN_USER, ROLE_NAME);
-
- boolean exceptionThrown = false;
- try {
- // client throws exception when message size is larger than the server's thrift max message size.
- client.grantServerPrivilege(ADMIN_USER, ROLE_NAME, "server", false);
- } catch (SentryUserException e) {
- exceptionThrown = true;
- Assert.assertTrue(e.getMessage().contains("org.apache.thrift.transport.TTransportException"));
- } finally {
- Assert.assertEquals(true, exceptionThrown);
- }
-
- // client can still talk with sentry server when message size is smaller.
- Set<TSentryRole> roles = client.listRoles(ADMIN_USER);
- Assert.assertTrue(roles.size() == 1);
- Assert.assertEquals(ROLE_NAME, roles.iterator().next().getRoleName());
- }
- });
- }
-}
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
deleted file mode 100644
index ff73382..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-/**
- * Test various kerberos related stuff on the SentryService side
- */
-public class TestSentryServiceWithKerberos extends SentryServiceIntegrationBase {
-
- @BeforeClass
- public static void setup() throws Exception {
- SERVER_KERBEROS_NAME = "sentry/_HOST@" + REALM;
- SentryServiceIntegrationBase.setup();
- }
-
- @Override
- @Before
- public void before() throws Exception {
- }
-
- @Override
- @After
- public void after() {
- }
-
- /**
- * Test that we are correctly substituting "_HOST" if/when needed.
- *
- * @throws Exception
- */
- @Test
- public void testHostSubstitution() throws Exception {
- // We just need to ensure that we are able to correct connect to the server
- connectToSentryService();
- }
-
-}
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
deleted file mode 100644
index ece2ee8..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
+++ /dev/null
@@ -1,136 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import static org.junit.Assert.fail;
-
-import java.io.File;
-import java.net.HttpURLConnection;
-import java.net.URL;
-import java.security.PrivilegedExceptionAction;
-import java.util.HashSet;
-
-import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.login.LoginContext;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
-import org.apache.hadoop.security.authentication.client.AuthenticationException;
-import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
-import org.apache.sentry.service.thrift.KerberosConfiguration;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.After;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.Sets;
-
-public class TestSentryWebServerWithKerberos extends SentryServiceIntegrationBase {
-
- private static Logger LOG = LoggerFactory.getLogger(TestSentryWebServerWithKerberos.class);
-
- @BeforeClass
- public static void setup() throws Exception {
- webServerEnabled = true;
- webSecurity = true;
- SentryServiceIntegrationBase.setup();
- }
-
- @Override
- @Before
- public void before() throws Exception {
- }
-
- @Override
- @After
- public void after() {
- }
-
- @Test
- public void testPing() throws Exception {
- clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
- HttpURLConnection conn = new AuthenticatedURL(new KerberosAuthenticator()).
- openConnection(url, new AuthenticatedURL.Token());
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- String response = IOUtils.toString(conn.getInputStream());
- Assert.assertEquals("pong\n", response);
- return null;
- }} );
- }
-
- @Test
- public void testPingWithoutSubject() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
- try {
- new AuthenticatedURL(new KerberosAuthenticator()).openConnection(url, new AuthenticatedURL.Token());
- fail("Here should fail.");
- } catch (Exception e) {
- boolean isExpectError = e.getMessage().contains("No valid credentials provided");
- Assert.assertTrue("Here should fail by 'No valid credentials provided'," +
- " but the exception is:" + e, isExpectError);
- }
- }
-
- @Test
- public void testPingUsingHttpURLConnection() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
- HttpURLConnection conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
- String errorMessage = IOUtils.toString(conn.getErrorStream());
- Assert.assertTrue(errorMessage.contains("Authentication required"));
- }
-
- @Test
- public void testPingWithUnauthorizedUser() throws Exception {
- // create an unauthorized User with Kerberos
- String userPrinciple = "user/" + SERVER_HOST;
- String userKerberosName = userPrinciple + "@" + REALM;
- Subject userSubject = new Subject(false, Sets.newHashSet(
- new KerberosPrincipal(userKerberosName)), new HashSet<Object>(),new HashSet<Object>());
- File userKeytab = new File(kdcWorkDir, "user.keytab");
- kdc.createPrincipal(userKeytab, userPrinciple);
- LoginContext userLoginContext = new LoginContext("", userSubject, null,
- KerberosConfiguration.createClientConfig(userKerberosName, userKeytab));
- userLoginContext.login();
- Subject.doAs(userLoginContext.getSubject(), new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
- try {
- new AuthenticatedURL(new KerberosAuthenticator()).openConnection(url, new AuthenticatedURL.Token());
- fail("Here should fail.");
- } catch (AuthenticationException e) {
- String expectedError = "status code: 403";
- if (!e.getMessage().contains(expectedError)) {
- LOG.error("UnexpectedError: " + e.getMessage(), e);
- fail("UnexpectedError: " + e.getMessage());
- }
- }
- return null;
- }
- });
- }
-}
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
deleted file mode 100644
index d1d0b4b..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import com.google.common.io.Resources;
-import org.apache.commons.io.IOUtils;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.*;
-
-import javax.net.ssl.HttpsURLConnection;
-import java.net.URL;
-import java.util.Properties;
-
-/**
- * Test sentry web server when ssl is enabled.
- */
-public class TestSentryWebServerWithSSL extends SentryServiceIntegrationBase {
- @BeforeClass
- public static void setup() throws Exception {
- webServerEnabled = true;
- webSecurity = false;
- useSSL = true;
- SentryServiceIntegrationBase.setup();
- }
-
- @Test
- public void testPing() throws Exception {
- final URL url = new URL("https://"+ SERVER_HOST + ":" + webServerPort + "/ping");
- Properties systemProps = System.getProperties();
- systemProps.put( "javax.net.ssl.trustStore", Resources.getResource("cacerts.jks").getPath());
- System.setProperties(systemProps);
- HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
- Assert.assertEquals(HttpsURLConnection.HTTP_OK, conn.getResponseCode());
- String response = IOUtils.toString(conn.getInputStream());
- Assert.assertEquals("pong\n", response);
- }
-}
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
deleted file mode 100644
index 4a913e5..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import java.net.HttpURLConnection;
-import java.net.URL;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.After;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-public class TestSentryWebServerWithoutSecurity extends SentryServiceIntegrationBase {
-
- @BeforeClass
- public static void setup() throws Exception {
- webServerEnabled = true;
- webSecurity = false;
- SentryServiceIntegrationBase.setup();
- }
-
- @Override
- @Before
- public void before() throws Exception {
- }
-
- @Override
- @After
- public void after() {
- }
-
- @Test
- public void testPing() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
- HttpURLConnection conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- String response = IOUtils.toString(conn.getInputStream());
- Assert.assertEquals("pong\n", response);
- }
-
- @Test
- public void testConf() throws Exception {
- // test bad format
- final URL url = new URL("http://" + SERVER_HOST + ":" + webServerPort + "/conf?"
- + ConfServlet.FORMAT_PARAM + "=badformat");
- HttpURLConnection conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_BAD_REQUEST, conn.getResponseCode());
-
- // test json format
- final URL url1 = new URL("http://" + SERVER_HOST + ":" + webServerPort + "/conf?"
- + ConfServlet.FORMAT_PARAM +"=" + ConfServlet.FORMAT_JSON);
- conn = (HttpURLConnection) url1.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
-
- // test xml format
- final URL url2 = new URL("http://" + SERVER_HOST + ":" + webServerPort + "/conf?"
- + ConfServlet.FORMAT_PARAM +"=" + ConfServlet.FORMAT_XML);
- conn = (HttpURLConnection) url2.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- String xmlResponse = IOUtils.toString(conn.getInputStream());
-
- // test default is xml format
- final URL url3 = new URL("http://" + SERVER_HOST + ":" + webServerPort + "/conf");
- conn = (HttpURLConnection) url3.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- String defaultResponse = IOUtils.toString(conn.getInputStream());
- Assert.assertEquals(xmlResponse, defaultResponse);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentrySchemaTool.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentrySchemaTool.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentrySchemaTool.java
deleted file mode 100644
index 68abf27..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentrySchemaTool.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.tools;
-
-import java.io.File;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.service.persistent.SentryStoreSchemaInfo;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.io.Files;
-
-public class TestSentrySchemaTool {
- private Configuration sentryConf;
- private SentrySchemaTool schemaTool;
-
- private static final String OLDEST_INIT_VERSION = "1.4.0";
-
- @Before
- public void defaultSetup() throws Exception {
- sentryConf = new Configuration();
- File dbDir = new File(Files.createTempDir(), "sentry_policy_db");
- sentryConf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
- "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
- sentryConf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
- schemaTool = new SentrySchemaTool("./src/main/resources", sentryConf,
- "derby");
- }
-
- private void nonDefaultsetup() throws Exception {
- sentryConf = new Configuration();
- File dbDir = new File(Files.createTempDir(), "sentry_policy_db");
- sentryConf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
- "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
- sentryConf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
- schemaTool = new SentrySchemaTool("./src/main/resources", sentryConf,
- "derby");
- }
-
- @Test
- public void testInitNonDefault() throws Exception {
- nonDefaultsetup();
- schemaTool.doInit();
- schemaTool.verifySchemaVersion();
- }
-
- @Test
- public void testInit() throws Exception {
- schemaTool.doInit();
- schemaTool.verifySchemaVersion();
- }
-
- @Test
- public void testInitTo() throws Exception {
- schemaTool.doInit(SentryStoreSchemaInfo.getSentryVersion());
- schemaTool.verifySchemaVersion();
- }
-
- @Test(expected = SentryUserException.class)
- public void testDryRun() throws Exception {
- schemaTool.setDryRun(true);
- schemaTool.doInit();
- schemaTool.setDryRun(false);
- // verification should fail since dryRun didn't create the actual schema
- schemaTool.verifySchemaVersion();
- }
-
- @Test
- public void testUpgrade() throws Exception {
- schemaTool.doInit(OLDEST_INIT_VERSION);
- schemaTool.doUpgrade();
- schemaTool.verifySchemaVersion();
- }
-
-}
[33/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/webapp/css/bootstrap.min.css
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/webapp/css/bootstrap.min.css b/sentry-provider/sentry-provider-db/src/main/webapp/css/bootstrap.min.css
deleted file mode 100644
index a553c4f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/webapp/css/bootstrap.min.css
+++ /dev/null
@@ -1,9 +0,0 @@
-/*!
- * Bootstrap v3.0.0
- *
- * Copyright 2013 Twitter, Inc
- * Licensed under the Apache License v2.0
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Designed and built with all the love in the world by @mdo and @fat.
- *//*! normalize.css v2.1.0 | MIT License | git.io/normalize */article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,video{display:inline-block}audio:not([controls]){display:none;height:0}[hidden]{display:none}html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}a:focus{outline:thin dotted}a:active,a:hover{outline:0}h1{margin:.67em 0;font-size:2em}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}hr{height:0;-moz-box-sizing:content-box;box-sizing:content-box}mark{color:#000;background:#ff0}code,kbd,pre,samp{font-family:monospace,serif;font-size:1em}pre{white-space:pre-wrap}q{quotes:"\201C" "\201D" "\2018" "\2019"}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:0}fieldset{padding:.35em .625em .75em;margin:0
2px;border:1px solid #c0c0c0}legend{padding:0;border:0}button,input,select,textarea{margin:0;font-family:inherit;font-size:100%}button,input{line-height:normal}button,select{text-transform:none}button,html input[type="button"],input[type="reset"],input[type="submit"]{cursor:pointer;-webkit-appearance:button}button[disabled],html input[disabled]{cursor:default}input[type="checkbox"],input[type="radio"]{padding:0;box-sizing:border-box}input[type="search"]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}textarea{overflow:auto;vertical-align:top}table{border-collapse:collapse;border-spacing:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;box-shadow:none!important}a,a:visited{text-decorati
on:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}.ir a:after,a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}@page{margin:2cm .5cm}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}*,*:before,*:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:62.5%;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.428571429;color:#333;background-color:#fff}input,button,select
,textarea{font-family:inherit;font-size:inherit;line-height:inherit}button,input,select[multiple],textarea{background-image:none}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}img{vertical-align:middle}.img-responsive{display:block;height:auto;max-width:100%}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;height:auto;max-width:100%;padding:4px;line-height:1.428571429;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0 0 0 0);border:0}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16.099999999999998px;font-weight:200;line-height:1.4}@media(min-w
idth:768px){.lead{font-size:21px}}small{font-size:85%}cite{font-style:normal}.text-muted{color:#999}.text-primary{color:#428bca}.text-warning{color:#c09853}.text-danger{color:#b94a48}.text-success{color:#468847}.text-info{color:#3a87ad}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-weight:500;line-height:1.1}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small{font-weight:normal;line-height:1;color:#999}h1,h2,h3{margin-top:20px;margin-bottom:10px}h4,h5,h6{margin-top:10px;margin-bottom:10px}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}h1 small,.h1 small{font-size:24px}h2 small,.h2 small{font-size:18px}h3 small,.h3 small,h4 small,.h4 small{font-size:14px}.page-header{padding-bottom:9px;margin:40px 0
20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-bottom:20px}dt,dd{line-height:1.428571429}dt{font-weight:bold}dd{margin-left:0}@media(min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}.dl-horizontal dd:before,.dl-horizontal dd:after{display:table;content:" "}.dl-horizontal dd:after{clear:both}.dl-horizontal dd:before,.dl-horizontal dd:after{display:table;content:" "}.dl-horizontal dd:after{clear:both}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #999}abbr.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;border-left:5px solid #eee}blockquote p{font-
size:17.5px;font-weight:300;line-height:1.25}blockquote p:last-child{margin-bottom:0}blockquote small{display:block;line-height:1.428571429;color:#999}blockquote small:before{content:'\2014 \00A0'}blockquote.pull-right{padding-right:15px;padding-left:0;border-right:5px solid #eee;border-left:0}blockquote.pull-right p,blockquote.pull-right small{text-align:right}blockquote.pull-right small:before{content:''}blockquote.pull-right small:after{content:'\00A0 \2014'}q:before,q:after,blockquote:before,blockquote:after{content:""}address{display:block;margin-bottom:20px;font-style:normal;line-height:1.428571429}code,pre{font-family:Monaco,Menlo,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;white-space:nowrap;background-color:#f9f2f4;border-radius:4px}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.428571429;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pr
e.prettyprint{margin-bottom:20px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.container:before,.container:after{display:table;content:" "}.container:after{clear:both}.container:before,.container:after{display:table;content:" "}.container:after{clear:both}.row{margin-right:-15px;margin-left:-15px}.row:before,.row:after{display:table;content:" "}.row:after{clear:both}.row:before,.row:after{display:table;content:" "}.row:after{clear:both}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12,.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12,.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,
.col-md-12,.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11{float:left}.col-xs-1{width:8.333333333333332%}.col-xs-2{width:16.666666666666664%}.col-xs-3{width:25%}.col-xs-4{width:33.33333333333333%}.col-xs-5{width:41.66666666666667%}.col-xs-6{width:50%}.col-xs-7{width:58.333333333333336%}.col-xs-8{width:66.66666666666666%}.col-xs-9{width:75%}.col-xs-10{width:83.33333333333334%}.col-xs-11{width:91.66666666666666%}.col-xs-12{width:100%}@media(min-width:768px){.container{max-width:750px}.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11{float:left}.col-sm-1{width:8.333333333333332%}.col-sm-2{width:16.666666666666664%}.col-sm-3{width:25%}.col-sm-4{width:33.33333333333333%}.col
-sm-5{width:41.66666666666667%}.col-sm-6{width:50%}.col-sm-7{width:58.333333333333336%}.col-sm-8{width:66.66666666666666%}.col-sm-9{width:75%}.col-sm-10{width:83.33333333333334%}.col-sm-11{width:91.66666666666666%}.col-sm-12{width:100%}.col-sm-push-1{left:8.333333333333332%}.col-sm-push-2{left:16.666666666666664%}.col-sm-push-3{left:25%}.col-sm-push-4{left:33.33333333333333%}.col-sm-push-5{left:41.66666666666667%}.col-sm-push-6{left:50%}.col-sm-push-7{left:58.333333333333336%}.col-sm-push-8{left:66.66666666666666%}.col-sm-push-9{left:75%}.col-sm-push-10{left:83.33333333333334%}.col-sm-push-11{left:91.66666666666666%}.col-sm-pull-1{right:8.333333333333332%}.col-sm-pull-2{right:16.666666666666664%}.col-sm-pull-3{right:25%}.col-sm-pull-4{right:33.33333333333333%}.col-sm-pull-5{right:41.66666666666667%}.col-sm-pull-6{right:50%}.col-sm-pull-7{right:58.333333333333336%}.col-sm-pull-8{right:66.66666666666666%}.col-sm-pull-9{right:75%}.col-sm-pull-10{right:83.33333333333334%}.col-sm-pull-11
{right:91.66666666666666%}.col-sm-offset-1{margin-left:8.333333333333332%}.col-sm-offset-2{margin-left:16.666666666666664%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-4{margin-left:33.33333333333333%}.col-sm-offset-5{margin-left:41.66666666666667%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-7{margin-left:58.333333333333336%}.col-sm-offset-8{margin-left:66.66666666666666%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-10{margin-left:83.33333333333334%}.col-sm-offset-11{margin-left:91.66666666666666%}}@media(min-width:992px){.container{max-width:970px}.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11{float:left}.col-md-1{width:8.333333333333332%}.col-md-2{width:16.666666666666664%}.col-md-3{width:25%}.col-md-4{width:33.33333333333333%}.col-md-5{width:41.66666666666667%}.col-md-6{width:50%}.col-md-7{width:58.333333333333336%}.col-md-8{width:66.66666666666666%}.col-md-9{width:75%}.col-md-10{width:83.33333333333334%}.
col-md-11{width:91.66666666666666%}.col-md-12{width:100%}.col-md-push-0{left:auto}.col-md-push-1{left:8.333333333333332%}.col-md-push-2{left:16.666666666666664%}.col-md-push-3{left:25%}.col-md-push-4{left:33.33333333333333%}.col-md-push-5{left:41.66666666666667%}.col-md-push-6{left:50%}.col-md-push-7{left:58.333333333333336%}.col-md-push-8{left:66.66666666666666%}.col-md-push-9{left:75%}.col-md-push-10{left:83.33333333333334%}.col-md-push-11{left:91.66666666666666%}.col-md-pull-0{right:auto}.col-md-pull-1{right:8.333333333333332%}.col-md-pull-2{right:16.666666666666664%}.col-md-pull-3{right:25%}.col-md-pull-4{right:33.33333333333333%}.col-md-pull-5{right:41.66666666666667%}.col-md-pull-6{right:50%}.col-md-pull-7{right:58.333333333333336%}.col-md-pull-8{right:66.66666666666666%}.col-md-pull-9{right:75%}.col-md-pull-10{right:83.33333333333334%}.col-md-pull-11{right:91.66666666666666%}.col-md-offset-0{margin-left:0}.col-md-offset-1{margin-left:8.333333333333332%}.col-md-offset-2{margin
-left:16.666666666666664%}.col-md-offset-3{margin-left:25%}.col-md-offset-4{margin-left:33.33333333333333%}.col-md-offset-5{margin-left:41.66666666666667%}.col-md-offset-6{margin-left:50%}.col-md-offset-7{margin-left:58.333333333333336%}.col-md-offset-8{margin-left:66.66666666666666%}.col-md-offset-9{margin-left:75%}.col-md-offset-10{margin-left:83.33333333333334%}.col-md-offset-11{margin-left:91.66666666666666%}}@media(min-width:1200px){.container{max-width:1170px}.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11{float:left}.col-lg-1{width:8.333333333333332%}.col-lg-2{width:16.666666666666664%}.col-lg-3{width:25%}.col-lg-4{width:33.33333333333333%}.col-lg-5{width:41.66666666666667%}.col-lg-6{width:50%}.col-lg-7{width:58.333333333333336%}.col-lg-8{width:66.66666666666666%}.col-lg-9{width:75%}.col-lg-10{width:83.33333333333334%}.col-lg-11{width:91.66666666666666%}.col-lg-12{width:100%}.col-lg-push-0{left:auto}.col-lg-push-
1{left:8.333333333333332%}.col-lg-push-2{left:16.666666666666664%}.col-lg-push-3{left:25%}.col-lg-push-4{left:33.33333333333333%}.col-lg-push-5{left:41.66666666666667%}.col-lg-push-6{left:50%}.col-lg-push-7{left:58.333333333333336%}.col-lg-push-8{left:66.66666666666666%}.col-lg-push-9{left:75%}.col-lg-push-10{left:83.33333333333334%}.col-lg-push-11{left:91.66666666666666%}.col-lg-pull-0{right:auto}.col-lg-pull-1{right:8.333333333333332%}.col-lg-pull-2{right:16.666666666666664%}.col-lg-pull-3{right:25%}.col-lg-pull-4{right:33.33333333333333%}.col-lg-pull-5{right:41.66666666666667%}.col-lg-pull-6{right:50%}.col-lg-pull-7{right:58.333333333333336%}.col-lg-pull-8{right:66.66666666666666%}.col-lg-pull-9{right:75%}.col-lg-pull-10{right:83.33333333333334%}.col-lg-pull-11{right:91.66666666666666%}.col-lg-offset-0{margin-left:0}.col-lg-offset-1{margin-left:8.333333333333332%}.col-lg-offset-2{margin-left:16.666666666666664%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-4{margin-left:33.3333
3333333333%}.col-lg-offset-5{margin-left:41.66666666666667%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-7{margin-left:58.333333333333336%}.col-lg-offset-8{margin-left:66.66666666666666%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-10{margin-left:83.33333333333334%}.col-lg-offset-11{margin-left:91.66666666666666%}}table{max-width:100%;background-color:transparent}th{text-align:left}.table{width:100%;margin-bottom:20px}.table thead>tr>th,.table tbody>tr>th,.table tfoot>tr>th,.table thead>tr>td,.table tbody>tr>td,.table tfoot>tr>td{padding:8px;line-height:1.428571429;vertical-align:top;border-top:1px solid #ddd}.table thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table caption+thead tr:first-child th,.table colgroup+thead tr:first-child th,.table thead:first-child tr:first-child th,.table caption+thead tr:first-child td,.table colgroup+thead tr:first-child td,.table thead:first-child tr:first-child td{border-top:0}.table tbody+tbody{border-top:2px solid #ddd}.t
able .table{background-color:#fff}.table-condensed thead>tr>th,.table-condensed tbody>tr>th,.table-condensed tfoot>tr>th,.table-condensed thead>tr>td,.table-condensed tbody>tr>td,.table-condensed tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*="col-"]{display:table-column;float:none}table td[class*="col-"],table th[class*="col-"]{display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>t
foot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8;border-color:#d6e9c6}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td{background-color:#d0e9c6;border-color:#c9e2b3}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.tabl
e>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede;border-color:#eed3d7}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td{background-color:#ebcccc;border-color:#e6c1c7}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>tfoot>tr.warning>th{background-color:#fcf8e3;border-color:#fbeed5}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td{background-color:#faf2cc;border-color:#f8e5be}@media(max-width:768px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:scroll;overflow-y:hidden;border:1px solid #ddd}.table-responsive>.table{margin-bottom:0;background-color:#fff}.table-responsive>
.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-respo
nsive>.table-bordered>thead>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>thead>tr:last-child>td,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;margin-bottom:5px;font-weight:bold}input[type="search"]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type="radio"],input[type="checkbox"]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type="file"]{display:block}select[multiple],select[size]{height:auto}select optgroup{font-family:inherit;font-size:inherit;font-style:inherit}input[type="file"]:focus,input[type="radio"]:focus,input[typ
e="checkbox"]:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}input[type="number"]::-webkit-outer-spin-button,input[type="number"]::-webkit-inner-spin-button{height:auto}.form-control:-moz-placeholder{color:#999}.form-control::-moz-placeholder{color:#999}.form-control:-ms-input-placeholder{color:#999}.form-control::-webkit-input-placeholder{color:#999}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.428571429;color:#555;vertical-align:middle;background-color:#fff;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-webkit-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(102,175,233,0.6);box-shadow:inset 0
1px 1px rgba(0,0,0,0.075),0 0 8px rgba(102,175,233,0.6)}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee}textarea.form-control{height:auto}.form-group{margin-bottom:15px}.radio,.checkbox{display:block;min-height:20px;padding-left:20px;margin-top:10px;margin-bottom:10px;vertical-align:middle}.radio label,.checkbox label{display:inline;margin-bottom:0;font-weight:normal;cursor:pointer}.radio input[type="radio"],.radio-inline input[type="radio"],.checkbox input[type="checkbox"],.checkbox-inline input[type="checkbox"]{float:left;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:normal;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type="radio"][disabled],input[type="checkbox"][disabled],.radio[disabled],.radio-inl
ine[disabled],.checkbox[disabled],.checkbox-inline[disabled],fieldset[disabled] input[type="radio"],fieldset[disabled] input[type="checkbox"],fieldset[disabled] .radio,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.input-sm{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm{height:auto}.input-lg{height:45px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:45px;line-height:45px}textarea.input-lg{height:auto}.has-warning .help-block,.has-warning .control-label{color:#c09853}.has-warning .form-control{border-color:#c09853;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-warning .form-control:focus{border-color:#a47e3c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #dbc59e;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0
6px #dbc59e}.has-warning .input-group-addon{color:#c09853;background-color:#fcf8e3;border-color:#c09853}.has-error .help-block,.has-error .control-label{color:#b94a48}.has-error .form-control{border-color:#b94a48;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-error .form-control:focus{border-color:#953b39;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #d59392;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #d59392}.has-error .input-group-addon{color:#b94a48;background-color:#f2dede;border-color:#b94a48}.has-success .help-block,.has-success .control-label{color:#468847}.has-success .form-control{border-color:#468847;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-success .form-control:focus{border-color:#356635;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #7aba7b;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #7aba7b}.has-success .in
put-group-addon{color:#468847;background-color:#dff0d8;border-color:#468847}.form-control-static{padding-top:7px;margin-bottom:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media(min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control{display:inline-block}.form-inline .radio,.form-inline .checkbox{display:inline-block;padding-left:0;margin-top:0;margin-bottom:0}.form-inline .radio input[type="radio"],.form-inline .checkbox input[type="checkbox"]{float:none;margin-left:0}}.form-horizontal .control-label,.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}.form-horizontal .form-group:before,.form-horizontal .form-group:after{display:table;content:" "}.form-horizontal .form-group:after{clear:both}.form-horizontal
.form-group:before,.form-horizontal .form-group:after{display:table;content:" "}.form-horizontal .form-group:after{clear:both}@media(min-width:768px){.form-horizontal .control-label{text-align:right}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:normal;line-height:1.428571429;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;border:1px solid transparent;border-radius:4px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;-o-user-select:none;user-select:none}.btn:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;opacity:.65;filter:alpha(opacity=65);-webkit-box-shadow
:none;box-shadow:none}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open .dropdown-toggle.btn-default{color:#333;background-color:#ebebeb;border-color:#adadad}.btn-default:active,.btn-default.active,.open .dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.
active,.open .dropdown-toggle.btn-primary{color:#fff;background-color:#3276b1;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open .dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] .btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open .dropdown-toggle.btn-warning{color:#fff;background-color:#ed9c28;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open .dropd
own-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open .dropdown-toggle.btn-danger{color:#fff;background-color:#d2322d;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open .dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[di
sabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open .dropdown-toggle.btn-success{color:#fff;background-color:#47a447;border-color:#398439}.btn-success:active,.btn-success.active,.open .dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.d
isabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open .dropdown-toggle.btn-info{color:#fff;background-color:#39b3d7;border-color:#269abc}.btn-info:active,.btn-info.active,.open .dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46
b8da}.btn-link{font-weight:normal;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#999;text-decoration:none}.btn-lg{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-xs{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs{padding:1px 5px}.btn-block{display:block;width:100%;padding-right:0;padding-left:0}.btn-block+.btn-block{margin-top:5px}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .1
5s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;transition:height .35s ease}@font-face{font-family:'Glyphicons Halflings';src:url('../fonts/glyphicons-halflings-regular.eot');src:url('../fonts/glyphicons-halflings-regular.eot?#iefix') format('embedded-opentype'),url('../fonts/glyphicons-halflings-regular.woff') format('woff'),url('../fonts/glyphicons-halflings-regular.ttf') format('truetype'),url('../fonts/glyphicons-halflings-regular.svg#glyphicons-halflingsregular') format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';-webkit-font-smoothing:antialiased;font-style:normal;font-weight:normal;line-height:1}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:befo
re{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-r
oad:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-volume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-print:before{content:"\e045"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.gly
phicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphi
con-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-re
size-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{cont
ent:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{content:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.
glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-sa
ve:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{conte
nt:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}.glyphicon-briefcase:before{content:"\1f4bc"}.glyphicon-calendar:before{content:"\1f4c5"}.glyphicon-pushpin:before{content:"\1f4cc"}.glyphicon-paperclip:before{content:"\1f4ce"}.glyphicon-camera:before{content:"\1f4f7"}.glyphicon-lock:before{content:"\1f512"}.glyphicon-bell:before{content:"\1f514"}.glyphicon-bookmark:before{content:"\1f516"}.glyphicon-fire:before{content:"\1f525"}.glyphicon-wrench:before{content:"\1f527"}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid #000;border-right:4px solid transparent;border-bottom:0 dotted;border-left:4px solid transparent;content:""}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;list-style:none;background-color:#fff;border:1
px solid #ccc;border:1px solid rgba(0,0,0,0.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,0.175);box-shadow:0 6px 12px rgba(0,0,0,0.175);background-clip:padding-box}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu .divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:normal;line-height:1.428571429;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#fff;text-decoration:none;background-color:#428bca}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#999}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTr
ansform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.428571429;color:#999}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{border-top:0 dotted;border-bottom:4px solid #000;content:""}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media(min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}}.btn-default .caret{border-top-color:#333}.btn-primary .caret,.btn-success .caret,.btn-warning .caret,.btn-danger .caret,.btn-info .caret{border-top-color:#fff}.dropup .btn-default .caret{border-bottom-color:#333}.dropup .btn-primary .caret,.dropup .btn-success .caret,.dropup .btn-warning .caret,.dropup .btn-danger .caret,.dropup .btn-info .caret{border-bottom-color:#fff}.btn-group,.btn-
group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar:before,.btn-toolbar:after{display:table;content:" "}.btn-toolbar:after{clear:both}.btn-toolbar:before,.btn-toolbar:after{display:table;content:" "}.btn-toolbar:after{clear:both}.btn-toolbar .btn-group{float:left}.btn-toolbar>.btn+.btn,.btn-toolbar>.btn-group+.btn,.btn-toolbar>.btn+.btn-group,.btn-toolbar>.btn-group+.btn-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-
radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group-xs>.btn{padding:5px 10px;padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-group-lg>.btn{padding:10px 16px;font-size
:18px;line-height:1.33;border-radius:6px}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after{display:table;content:" "}.btn-group-vertical>.btn-group:after{clear:both}.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after{display:table;content:" "}.btn-group-vertical>.btn-group:after{clear:both}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.bt
n,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-right-radius:0;border-bottom-left-radius:4px;border-top-left-radius:0}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child>.btn:last-child,.btn-group-vertical>.btn-group:first-child>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;border-collapse:separate;table-layout:fixed}.btn-group-justified .btn{display:table-cell;float:none;width:1%}[data-toggle="buttons"]>.btn>input[type="radi
o"],[data-toggle="buttons"]>.btn>input[type="checkbox"]{display:none}.input-group{position:relative;display:table;border-collapse:separate}.input-group.col{float:none;padding-right:0;padding-left:0}.input-group .form-control{width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:45px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:45px;line-height:45px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-gr
oup-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:normal;line-height:1;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type="radio"],.input-group-addon input[type="checkbox"]{margin-top:0}.input-group .form-control:first-
child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-4px}.input-group-btn>.btn:hover,.input-group-btn>.btn:active{z-index:2}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav:before,.nav:after{display:table;content:" "}.nav:after{clear:both}.nav:before,.nav:after{display:table;content:" "}.nav:after{clear:both}.nav>li{posit
ion:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#999}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#999;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.428571429;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-botto
m:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{text-align:center}@media(min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}}.nav-tabs.nav-justified>li>a{margin-right:0;border-bottom:1px solid #ddd}.nav-tabs.nav-justified>.active>a{border-bottom-color:#fff}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:5px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{text-align:center}@media(min-width:768px){.nav-justified>li{display:table-cell;width:1%}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-bottom:1px solid #ddd}.nav-tabs-justified>.active>a{border-bottom-color:#fff}.tabbable:before,.tabbable:after{display:table;content:" "}.tabbable:after{clear:both}.t
abbable:before,.tabbable:after{display:table;content:" "}.tabbable:after{clear:both}.tab-content>.tab-pane,.pill-content>.pill-pane{display:none}.tab-content>.active,.pill-content>.active{display:block}.nav .caret{border-top-color:#428bca;border-bottom-color:#428bca}.nav a:hover .caret{border-top-color:#2a6496;border-bottom-color:#2a6496}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;z-index:1000;min-height:50px;margin-bottom:20px;border:1px solid transparent}.navbar:before,.navbar:after{display:table;content:" "}.navbar:after{clear:both}.navbar:before,.navbar:after{display:table;content:" "}.navbar:after{clear:both}@media(min-width:768px){.navbar{border-radius:4px}}.navbar-header:before,.navbar-header:after{display:table;content:" "}.navbar-header:after{clear:both}.navbar-header:before,.navbar-header:after{display:table;content:" "}.navbar-header:after{clear:both}@media(min-width:768px){.navbar-header{float:left
}}.navbar-collapse{max-height:340px;padding-right:15px;padding-left:15px;overflow-x:visible;border-top:1px solid transparent;box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);-webkit-overflow-scrolling:touch}.navbar-collapse:before,.navbar-collapse:after{display:table;content:" "}.navbar-collapse:after{clear:both}.navbar-collapse:before,.navbar-collapse:after{display:table;content:" "}.navbar-collapse:after{clear:both}.navbar-collapse.in{overflow-y:auto}@media(min-width:768px){.navbar-collapse{width:auto;border-top:0;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-collapse .navbar-nav.navbar-left:first-child{margin-left:-15px}.navbar-collapse .navbar-nav.navbar-right:last-child{margin-right:-15px}.navbar-collapse .navbar-text:last-child{margin-right:0}}.container>.navbar-header,.container>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media(min-widt
h:768px){.container>.navbar-header,.container>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{border-width:0 0 1px}@media(min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;border-width:0 0 1px}@media(min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;z-index:1030}.navbar-fixed-bottom{bottom:0;margin-bottom:0}.navbar-brand{float:left;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media(min-width:768px){.navbar>.container .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;border:1px solid transparent;border-radius:4px}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media(min-width:768p
x){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media(max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media(min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}}@media(min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:
inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1)}@media(min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;padding-left:0;margin-top:0;margin-bottom:0}.navbar-form .radio input[type="radio"],.navbar-form .checkbox input[type="checkbox"]{float:none;margin-left:0}}@media(max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media(min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-nav.pull-right>li>.dropdown-menu,.navbar-n
av>li>.dropdown-menu.pull-right{right:0;left:auto}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-text{float:left;margin-top:15px;margin-bottom:15px}@media(min-width:768px){.navbar-text{margin-right:15px;margin-left:15px}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default
.navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#ccc}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e6e6e6}.navbar-default .navbar-nav>.dropdown>a:hover .caret,.navbar-default .navbar-nav>.dropdown>a:focus .caret{border-top-color:#333;border-bottom-color:#333}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.open>a .caret,.navbar-default .navbar-nav>.open>a:hover .caret,.navbar-default .navbar-nav>.open>a:focus .caret{border-top-color:#555;border-bottom-color:#555}.navbar-default .navbar-nav>.dropdown>a .caret{border-top-color:#777;border-bottom-color:#777}@media(max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdow
n-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#999}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#999}.navbar-inverse .navbar-nav>li>a{color:#999}.navbar-inverse .navbar-nav>li>a:hov
er,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.dropdown>a:hover .caret{border-top-color:#fff;border-bottom-color:#fff}.navbar-inverse .navbar-nav>.dropd
own>a .caret{border-top-color:#999;border-bottom-color:#999}.navbar-inverse .navbar-nav>.open>a .caret,.navbar-inverse .navbar-nav>.open>a:hover .caret,.navbar-inverse .navbar-nav>.open>a:focus .caret{border-top-color:#fff;border-bottom-color:#fff}@media(max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#999}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a
:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#999}.navbar-inverse .navbar-link:hover{color:#fff}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#999}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.428571429;text-decoration:none;background-color:#fff;border:1px solid #ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-bottom-left-radius:4px;border-top-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.
pagination>li>span:focus{background-color:#eee}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#999;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-bottom-left-radius:6px;border-top-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:3px;border-top-left-radius:3px
}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager:before,.pager:after{display:table;content:" "}.pager:after{clear:both}.pager:before,.pager:after{display:table;content:" "}.pager:after{clear:both}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager .disabled>a:focus,.pager .disabled>span{color:#999;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:
.25em}.label[href]:hover,.label[href]:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.label-default{background-color:#999}.label-default[href]:hover,.label-default[href]:focus{background-color:#808080}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;back
ground-color:#999;border-radius:10px}.badge:empty{display:none}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}.btn .badge{position:relative;top:-1px}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;font-size:21px;font-weight:200;line-height:2.1428571435;color:inherit;background-color:#eee}.jumbotron h1{line-height:1;color:inherit}.jumbotron p{line-height:1.4}.container .jumbotron{border-radius:6px}@media screen and (min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1{font-size:63px}}.thumbnail{display:inline-block;display:block;height:auto;max-width:100%;padding:4px;line-height:1.428571429;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img{display:bl
ock;height:auto;max-width:100%}a.thumbnail:hover,a.thumbnail:focus{border-color:#428bca}.thumbnail>img{margin-right:auto;margin-left:auto}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable{padding-right:35px}.alert-dismissable .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#468847;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#356635}.alert-info{color:#3a87ad;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#2d6987}.alert-warning{color:#c09853;background-color:#fcf8e3;border-color:#fbeed5}.alert-warning hr{border-top-color:#f8e5be}.alert-warning .alert-link{color:#a47e3c}.alert-dang
er{color:#b94a48;background-color:#f2dede;border-color:#eed3d7}.alert-danger hr{border-top-color:#e6c1c7}.alert-danger .alert-link{color:#953b39}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-moz-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.1);box-shadow:inset 0 1px 2px rgba(0,0,0,0.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);-webkit-transition:width .6s ease;transition:width .6s ease}.progr
ess-striped .progress-bar{background-image:-webkit-gradient(linear,0 100%,100% 0,color-stop(0.25,rgba(255,255,255,0.15)),color-stop(0.25,transparent),color-stop(0.5,transparent),color-stop(0.5,rgba(255,255,255,0.15)),color-stop(0.75,rgba(255,255,255,0.15)),color-stop(0.75,transparent),to(transparent));background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:-moz-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-size:40px 40px}.progress.active .progress-bar{-webkit-animation:progress-bar-stripes 2s linear infinite;-moz-animation:progress
-bar-stripes 2s linear infinite;-ms-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-gradient(linear,0 100%,100% 0,color-stop(0.25,rgba(255,255,255,0.15)),color-stop(0.25,transparent),color-stop(0.5,transparent),color-stop(0.5,rgba(255,255,255,0.15)),color-stop(0.75,rgba(255,255,255,0.15)),color-stop(0.75,transparent),to(transparent));background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:-moz-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,tra
nsparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-gradient(linear,0 100%,100% 0,color-stop(0.25,rgba(255,255,255,0.15)),color-stop(0.25,transparent),color-stop(0.5,transparent),color-stop(0.5,rgba(255,255,255,0.15)),color-stop(0.75,rgba(255,255,255,0.15)),color-stop(0.75,transparent),to(transparent));background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:-moz-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,
transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-gradient(linear,0 100%,100% 0,color-stop(0.25,rgba(255,255,255,0.15)),color-stop(0.25,transparent),color-stop(0.5,transparent),color-stop(0.5,rgba(255,255,255,0.15)),color-stop(0.75,rgba(255,255,255,0.15)),color-stop(0.75,transparent),to(transparent));background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:-moz-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.p
rogress-striped .progress-bar-danger{background-image:-webkit-gradient(linear,0 100%,100% 0,color-stop(0.25,rgba(255,255,255,0.15)),color-stop(0.25,transparent),color-stop(0.5,transparent),color-stop(0.5,rgba(255,255,255,0.15)),color-stop(0.75,rgba(255,255,255,0.15)),color-stop(0.75,transparent),to(transparent));background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:-moz-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{di
splay:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-right-radius:4px;border-top-left-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{text-decoration:none;background-color:#f5f5f5}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-it
em.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,0.05);box-shadow:0 1px 1px rgba(0,0,0,0.05)}.panel-body{padding:15px}.panel-body:before,.panel-body:after{display:table;content:" "}.panel-body:after{clear:both}.panel-body:before,.panel-body:after{display:table;content:" "}.panel-body:after{clear:both}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0}.panel>.list-group .list-group-item:first-child{border-top-right-radius:0;border-top-left-radius:0}.panel>.list-group .list-group-item:
last-child{border-bottom:0}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.panel>.table{margin-bottom:0}.panel>.panel-body+.table{border-top:1px solid #ddd}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-right-radius:3px;border-top-left-radius:3px}.panel-title{margin-top:0;margin-bottom:0;font-size:16px}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-group .panel{margin-bottom:0;overflow:hidden;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse .panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f
5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse .panel-body{border-top-color:#ddd}.panel-default>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse .panel-body{border-top-color:#428bca}.panel-primary>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#468847;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse .panel-body{border-top-color:#d6e9c6}.panel-success>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#d6e9c6}.panel-warning{border-color:#fbeed5}.panel-warning>.panel-heading{color:#c09853;background-color:#fcf8e3;border-color:#fbeed5}.panel-warning>.panel-heading+.panel-collapse .panel-body{border-top-color:#fbeed5}.panel-warning>.panel
-footer+.panel-collapse .panel-body{border-bottom-color:#fbeed5}.panel-danger{border-color:#eed3d7}.panel-danger>.panel-heading{color:#b94a48;background-color:#f2dede;border-color:#eed3d7}.panel-danger>.panel-heading+.panel-collapse .panel-body{border-top-color:#eed3d7}.panel-danger>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#eed3d7}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#3a87ad;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse .panel-body{border-top-color:#bce8f1}.panel-info>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#bce8f1}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.05);box-shadow:inset 0 1px 1px rgba(0,0,0,0.05)}.well blockquote{border-color:#ddd;border-color:rgba(0,0,0,0.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px
}.close{float:right;font-size:21px;font-weight:bold;line-height:1;color:#000;text-shadow:0 1px 0 #fff;opacity:.2;filter:alpha(opacity=20)}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;opacity:.5;filter:alpha(opacity=50)}button.close{padding:0;cursor:pointer;background:transparent;border:0;-webkit-appearance:none}.modal-open{overflow:hidden}body.modal-open,.modal-open .navbar-fixed-top,.modal-open .navbar-fixed-bottom{margin-right:15px}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;display:none;overflow:auto;overflow-y:scroll}.modal.fade .modal-dialog{-webkit-transform:translate(0,-25%);-ms-transform:translate(0,-25%);transform:translate(0,-25%);-webkit-transition:-webkit-transform .3s ease-out;-moz-transition:-moz-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate(0,0);-ms-transform:translate(0,0);transform:translate(0,0)}.modal-dialog{z-inde
x:1050;width:auto;padding:10px;margin-right:auto;margin-left:auto}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid rgba(0,0,0,0.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,0.5);box-shadow:0 3px 9px rgba(0,0,0,0.5);background-clip:padding-box}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1030;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{min-height:16.428571429px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.428571429}.modal-body{position:relative;padding:20px}.modal-footer{padding:19px 20px 20px;margin-top:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer:before,.modal-footer:after{display:table;content:" "}.modal-footer:after{clear:both}.modal-footer:before,.modal-footer:after{display:table;content:" "}.m
odal-footer:after{clear:both}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}@media screen and (min-width:768px){.modal-dialog{right:auto;left:50%;width:600px;padding-top:30px;padding-bottom:30px}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,0.5);box-shadow:0 5px 15px rgba(0,0,0,0.5)}}.tooltip{position:absolute;z-index:1030;display:block;font-size:12px;line-height:1.4;opacity:0;filter:alpha(opacity=0);visibility:visible}.tooltip.in{opacity:.9;filter:alpha(opacity=90)}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:so
lid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-top-color:#000;border-width:5px 5px 0}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-top-color:#000;border-width:5px 5px 0}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-top-color:#000;border-width:5px 5px 0}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-right-color:#000;border-width:5px 5px 5px 0}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-left-color:#000;border-width:5px 0 5px 5px}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-bottom-color:#000;border-width:0 5px 5px}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-bottom-color:#000;border-width:0 5px 5px}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-bottom-color:#000;border-width:0 5px 5px}.popover{position:absolute;top:0;left:0;z-index:1010;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;border
:1px solid #ccc;border:1px solid rgba(0,0,0,0.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,0.2);box-shadow:0 5px 10px rgba(0,0,0,0.2);background-clip:padding-box}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:normal;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover .arrow,.popover .arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover .arrow{border-width:11px}.popover .arrow:after{border-width:10px;content:""}.popover.top .arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,0.25);border-bottom-width:0}.popover.top .arrow:after{bottom:1px;margin-left:-10px;border-top-color:#fff;border-bottom-width:0;content:" "}.popover.right .ar
row{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,0.25);border-left-width:0}.popover.right .arrow:after{bottom:-10px;left:1px;border-right-color:#fff;border-left-width:0;content:" "}.popover.bottom .arrow{top:-11px;left:50%;margin-left:-11px;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,0.25);border-top-width:0}.popover.bottom .arrow:after{top:1px;margin-left:-10px;border-bottom-color:#fff;border-top-width:0;content:" "}.popover.left .arrow{top:50%;right:-11px;margin-top:-11px;border-left-color:#999;border-left-color:rgba(0,0,0,0.25);border-right-width:0}.popover.left .arrow:after{right:1px;bottom:-10px;border-left-color:#fff;border-right-width:0;content:" "}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:
block;height:auto;max-width:100%;line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,0.6);opacity:.5;filter:alpha(opacity=50)}.carousel-control.left{background-image:-webkit-gradient(linear,0 top,100% top,from(rgba(0,0,0,0.5)),to(rgba(0,0,0,0.0001)));background-image:-webkit-linear-gradient(left,color-stop(rgba(0,0,0,0.5) 0),color-stop(rgba(0,0,0,0.0001) 100%));background-image:-moz-linear-gradient(left,rgba(0,0,0,0.5) 0,rgba(0,0,0,0.0001) 100%);background-image:linear-gradient(to right
,rgba(0,0,0,0.5) 0,rgba(0,0,0,0.0001) 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000',endColorstr='#00000000',GradientType=1)}.carousel-control.right{right:0;left:auto;background-image:-webkit-gradient(linear,0 top,100% top,from(rgba(0,0,0,0.0001)),to(rgba(0,0,0,0.5)));background-image:-webkit-linear-gradient(left,color-stop(rgba(0,0,0,0.0001) 0),color-stop(rgba(0,0,0,0.5) 100%));background-image:-moz-linear-gradient(left,rgba(0,0,0,0.0001) 0,rgba(0,0,0,0.5) 100%);background-image:linear-gradient(to right,rgba(0,0,0,0.0001) 0,rgba(0,0,0,0.5) 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000',endColorstr='#80000000',GradientType=1)}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;opacity:.9;filter:alpha(opacity=90)}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyp
hicon-chevron-right{position:absolute;top:50%;left:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;margin-left:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,0.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .icon-prev,.c
arou
<TRUNCATED>
[43/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
deleted file mode 100644
index fa9dadf..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
+++ /dev/null
@@ -1,485 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import java.lang.reflect.Constructor;
-import java.util.ArrayList;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import javax.jdo.PersistenceManager;
-import javax.jdo.Query;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.BitFieldAction;
-import org.apache.sentry.core.common.BitFieldActionFactory;
-import org.apache.sentry.core.model.kafka.KafkaActionFactory;
-import org.apache.sentry.core.model.search.SearchActionFactory;
-import org.apache.sentry.core.model.sqoop.SqoopActionFactory;
-import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
-import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
-import org.apache.sentry.provider.db.service.model.MSentryRole;
-
-import com.google.common.base.Joiner;
-import com.google.common.base.Strings;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-import org.apache.sentry.service.thrift.ServiceConstants;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * This class used do some operations related privilege and make the results
- * persistence
- */
-public class PrivilegeOperatePersistence {
- private static final Logger LOGGER = LoggerFactory.getLogger(PrivilegeOperatePersistence.class);
- private static final Map<String, BitFieldActionFactory> actionFactories = Maps.newHashMap();
- static{
- actionFactories.put("solr", new SearchActionFactory());
- actionFactories.put("sqoop", new SqoopActionFactory());
- actionFactories.put("kafka", KafkaActionFactory.getInstance());
- }
-
- private final Configuration conf;
-
- public PrivilegeOperatePersistence(Configuration conf) {
- this.conf = conf;
- }
-
- public boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) {
- MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege);
- boolean hasGrant = false;
- //get persistent privileges by roles
- Query query = pm.newQuery(MSentryGMPrivilege.class);
- StringBuilder filters = new StringBuilder();
- if (roles != null && roles.size() > 0) {
- query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
- List<String> rolesFiler = new LinkedList<String>();
- for (MSentryRole role : roles) {
- rolesFiler.add("role.roleName == \"" + role.getRoleName() + "\" ");
- }
- filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
- }
- query.setFilter(filters.toString());
-
- List<MSentryGMPrivilege> tPrivileges = (List<MSentryGMPrivilege>)query.execute();
- for (MSentryGMPrivilege tPrivilege : tPrivileges) {
- if (tPrivilege.getGrantOption() && tPrivilege.implies(requestPrivilege)) {
- hasGrant = true;
- break;
- }
- }
- return hasGrant;
- }
- public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {
- MSentryGMPrivilege mPrivilege = convertToPrivilege(privilege);
- grantRolePartial(mPrivilege, role, pm);
- }
-
- private void grantRolePartial(MSentryGMPrivilege grantPrivilege,
- MSentryRole role,PersistenceManager pm) {
- /**
- * If Grant is for ALL action and other actions belongs to ALL action already exists..
- * need to remove it and GRANT ALL action
- */
- String component = grantPrivilege.getComponentName();
- BitFieldAction action = getAction(component, grantPrivilege.getAction());
- BitFieldAction allAction = getAction(component, Action.ALL);
-
- if (action.implies(allAction)) {
- /**
- * ALL action is a multi-bit set action that includes some actions such as INSERT,SELECT and CREATE.
- */
- List<? extends BitFieldAction> actions = getActionFactory(component).getActionsByCode(allAction.getActionCode());
- for (BitFieldAction ac : actions) {
- grantPrivilege.setAction(ac.getValue());
- MSentryGMPrivilege existPriv = getPrivilege(grantPrivilege, pm);
- if (existPriv != null && role.getGmPrivileges().contains(existPriv)) {
- /**
- * force to load all roles related this privilege
- * avoid the lazy-loading risk,such as:
- * if the roles field of privilege aren't loaded, then the roles is a empty set
- * privilege.removeRole(role) and pm.makePersistent(privilege)
- * will remove other roles that shouldn't been removed
- */
- pm.retrieve(existPriv);
- existPriv.removeRole(role);
- pm.makePersistent(existPriv);
- }
- }
- } else {
- /**
- * If ALL Action already exists..
- * do nothing.
- */
- grantPrivilege.setAction(allAction.getValue());
- MSentryGMPrivilege allPrivilege = getPrivilege(grantPrivilege, pm);
- if (allPrivilege != null && role.getGmPrivileges().contains(allPrivilege)) {
- return;
- }
- }
-
- /**
- * restore the action
- */
- grantPrivilege.setAction(action.getValue());
- /**
- * check the privilege is exist or not
- */
- MSentryGMPrivilege mPrivilege = getPrivilege(grantPrivilege, pm);
- if (mPrivilege == null) {
- mPrivilege = grantPrivilege;
- }
- mPrivilege.appendRole(role);
- pm.makePersistent(mPrivilege);
- }
-
-
- public void revokePrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {
- MSentryGMPrivilege mPrivilege = getPrivilege(convertToPrivilege(privilege), pm);
- if (mPrivilege == null) {
- mPrivilege = convertToPrivilege(privilege);
- } else {
- mPrivilege = (MSentryGMPrivilege) pm.detachCopy(mPrivilege);
- }
-
- Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
- privilegeGraph.addAll(populateIncludePrivileges(Sets.newHashSet(role), mPrivilege, pm));
-
- /**
- * Get the privilege graph
- * populateIncludePrivileges will get the privileges that needed revoke
- */
- for (MSentryGMPrivilege persistedPriv : privilegeGraph) {
- /**
- * force to load all roles related this privilege
- * avoid the lazy-loading risk,such as:
- * if the roles field of privilege aren't loaded, then the roles is a empty set
- * privilege.removeRole(role) and pm.makePersistent(privilege)
- * will remove other roles that shouldn't been removed
- */
- revokeRolePartial(mPrivilege, persistedPriv, role, pm);
- }
- pm.makePersistent(role);
- }
-
- /**
- * Explore Privilege graph and collect privileges that are belong to the specific privilege
- */
- @SuppressWarnings("unchecked")
- private Set<MSentryGMPrivilege> populateIncludePrivileges(Set<MSentryRole> roles,
- MSentryGMPrivilege parent, PersistenceManager pm) {
- Set<MSentryGMPrivilege> childrens = Sets.newHashSet();
-
- Query query = pm.newQuery(MSentryGMPrivilege.class);
- StringBuilder filters = new StringBuilder();
- //add populateIncludePrivilegesQuery
- filters.append(MSentryGMPrivilege.populateIncludePrivilegesQuery(parent));
- // add filter for role names
- if (roles != null && roles.size() > 0) {
- query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
- List<String> rolesFiler = new LinkedList<String>();
- for (MSentryRole role : roles) {
- rolesFiler.add("role.roleName == \"" + role.getRoleName() + "\" ");
- }
- filters.append("&& roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
- }
- query.setFilter(filters.toString());
-
- List<MSentryGMPrivilege> privileges = (List<MSentryGMPrivilege>)query.execute();
- childrens.addAll(privileges);
- return childrens;
- }
-
- /**
- * Roles can be granted multi-bit set action like ALL action on resource object.
- * Take solr component for example, When a role has been granted ALL action but
- * QUERY or UPDATE or CREATE are revoked, we need to remove the ALL
- * privilege and add left privileges like UPDATE and CREATE(QUERY was revoked) or
- * QUERY and UPDATE(CREATEE was revoked).
- */
- private void revokeRolePartial(MSentryGMPrivilege revokePrivilege,
- MSentryGMPrivilege persistedPriv, MSentryRole role,
- PersistenceManager pm) {
- String component = revokePrivilege.getComponentName();
- BitFieldAction revokeaction = getAction(component, revokePrivilege.getAction());
- BitFieldAction persistedAction = getAction(component, persistedPriv.getAction());
- BitFieldAction allAction = getAction(component, Action.ALL);
-
- if (revokeaction.implies(allAction)) {
- /**
- * if revoke action is ALL, directly revoke its children privileges and itself
- */
- persistedPriv.removeRole(role);
- pm.makePersistent(persistedPriv);
- } else {
- /**
- * if persisted action is ALL, it only revoke the requested action and left partial actions
- * like the requested action is SELECT, the UPDATE and CREATE action are left
- */
- if (persistedAction.implies(allAction)) {
- /**
- * revoke the ALL privilege
- */
- persistedPriv.removeRole(role);
- pm.makePersistent(persistedPriv);
-
- List<? extends BitFieldAction> actions = getActionFactory(component).getActionsByCode(allAction.getActionCode());
- for (BitFieldAction ac: actions) {
- if (ac.getActionCode() != revokeaction.getActionCode()) {
- /**
- * grant the left privileges to role
- */
- MSentryGMPrivilege tmpPriv = new MSentryGMPrivilege(persistedPriv);
- tmpPriv.setAction(ac.getValue());
- MSentryGMPrivilege leftPersistedPriv = getPrivilege(tmpPriv, pm);
- if (leftPersistedPriv == null) {
- //leftPersistedPriv isn't exist
- leftPersistedPriv = tmpPriv;
- role.appendGMPrivilege(leftPersistedPriv);
- }
- leftPersistedPriv.appendRole(role);
- pm.makePersistent(leftPersistedPriv);
- }
- }
- } else if (revokeaction.implies(persistedAction)) {
- /**
- * if the revoke action is equal to the persisted action and they aren't ALL action
- * directly remove the role from privilege
- */
- persistedPriv.removeRole(role);
- pm.makePersistent(persistedPriv);
- }
- /**
- * if the revoke action is not equal to the persisted action,
- * do nothing
- */
- }
- }
-
- /**
- * Drop any role related to the requested privilege and its children privileges
- */
- public void dropPrivilege(PrivilegeObject privilege,PersistenceManager pm) {
- MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege);
-
- if (Strings.isNullOrEmpty(privilege.getAction())) {
- requestPrivilege.setAction(getAction(privilege.getComponent(), Action.ALL).getValue());
- }
- /**
- * Get the privilege graph
- * populateIncludePrivileges will get the privileges that need dropped,
- */
- Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
- privilegeGraph.addAll(populateIncludePrivileges(null, requestPrivilege, pm));
-
- for (MSentryGMPrivilege mPrivilege : privilegeGraph) {
- /**
- * force to load all roles related this privilege
- * avoid the lazy-loading
- */
- pm.retrieve(mPrivilege);
- Set<MSentryRole> roles = mPrivilege.getRoles();
- for (MSentryRole role : roles) {
- revokeRolePartial(requestPrivilege, mPrivilege, role, pm);
- }
- }
- }
-
- private MSentryGMPrivilege convertToPrivilege(PrivilegeObject privilege) {
- return new MSentryGMPrivilege(privilege.getComponent(),
- privilege.getService(), privilege.getAuthorizables(),
- privilege.getAction(), privilege.getGrantOption());
- }
-
- private MSentryGMPrivilege getPrivilege(MSentryGMPrivilege privilege, PersistenceManager pm) {
- Query query = pm.newQuery(MSentryGMPrivilege.class);
- query.setFilter(MSentryGMPrivilege.toQuery(privilege));
- query.setUnique(true);
- return (MSentryGMPrivilege)query.execute();
- }
-
- @SuppressWarnings("unchecked")
- public Set<PrivilegeObject> getPrivilegesByRole(Set<MSentryRole> roles, PersistenceManager pm) {
- Set<PrivilegeObject> privileges = Sets.newHashSet();
- if (roles == null || roles.size() == 0) {
- return privileges;
- }
- Query query = pm.newQuery(MSentryGMPrivilege.class);
- StringBuilder filters = new StringBuilder();
- // add filter for role names
- query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
- List<String> rolesFiler = new LinkedList<String>();
- for (MSentryRole role : roles) {
- rolesFiler.add("role.roleName == \"" + role.getRoleName() + "\" ");
- }
- filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
-
- query.setFilter(filters.toString());
- List<MSentryGMPrivilege> mPrivileges = (List<MSentryGMPrivilege>) query.execute();
- if (mPrivileges == null || mPrivileges.isEmpty()) {
- return privileges;
- }
- for (MSentryGMPrivilege mPrivilege : mPrivileges) {
- privileges.add(new Builder()
- .setComponent(mPrivilege.getComponentName())
- .setService(mPrivilege.getServiceName())
- .setAction(mPrivilege.getAction())
- .setAuthorizables(mPrivilege.getAuthorizables())
- .withGrantOption(mPrivilege.getGrantOption())
- .build());
- }
- return privileges;
- }
-
- public Set<PrivilegeObject> getPrivilegesByProvider(String component,
- String service, Set<MSentryRole> roles,
- List<? extends Authorizable> authorizables, PersistenceManager pm) {
- Set<PrivilegeObject> privileges = Sets.newHashSet();
- if (roles == null || roles.isEmpty()) {
- return privileges;
- }
-
- MSentryGMPrivilege parentPrivilege = new MSentryGMPrivilege(component, service, authorizables, null, null);
- Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
- privilegeGraph.addAll(populateIncludePrivileges(roles, parentPrivilege, pm));
-
- for (MSentryGMPrivilege mPrivilege : privilegeGraph) {
- privileges.add(new Builder()
- .setComponent(mPrivilege.getComponentName())
- .setService(mPrivilege.getServiceName())
- .setAction(mPrivilege.getAction())
- .setAuthorizables(mPrivilege.getAuthorizables())
- .withGrantOption(mPrivilege.getGrantOption())
- .build());
- }
- return privileges;
- }
-
- public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component,
- String service, Set<MSentryRole> roles,
- List<? extends Authorizable> authorizables, PersistenceManager pm) {
-
- Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
-
- if (roles == null || roles.isEmpty()) {
- return privilegeGraph;
- }
-
- MSentryGMPrivilege parentPrivilege = new MSentryGMPrivilege(component, service, authorizables, null, null);
- privilegeGraph.addAll(populateIncludePrivileges(roles, parentPrivilege, pm));
- return privilegeGraph;
- }
-
- public void renamePrivilege(String component, String service,
- List<? extends Authorizable> oldAuthorizables, List<? extends Authorizable> newAuthorizables,
- String grantorPrincipal, PersistenceManager pm)
- throws SentryUserException {
- MSentryGMPrivilege oldPrivilege = new MSentryGMPrivilege(component, service, oldAuthorizables, null, null);
- oldPrivilege.setAction(getAction(component,Action.ALL).getValue());
- /**
- * Get the privilege graph
- * populateIncludePrivileges will get the old privileges that need dropped
- */
- Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
- privilegeGraph.addAll(populateIncludePrivileges(null, oldPrivilege, pm));
-
- for (MSentryGMPrivilege dropPrivilege : privilegeGraph) {
- /**
- * construct the new privilege needed to add
- */
- List<Authorizable> authorizables = new ArrayList<Authorizable>(
- dropPrivilege.getAuthorizables());
- for (int i = 0; i < newAuthorizables.size(); i++) {
- authorizables.set(i, newAuthorizables.get(i));
- }
- MSentryGMPrivilege newPrivilge = new MSentryGMPrivilege(
- component,service, authorizables, dropPrivilege.getAction(),
- dropPrivilege.getGrantOption());
-
- /**
- * force to load all roles related this privilege
- * avoid the lazy-loading
- */
- pm.retrieve(dropPrivilege);
-
- Set<MSentryRole> roles = dropPrivilege.getRoles();
- for (MSentryRole role : roles) {
- revokeRolePartial(oldPrivilege, dropPrivilege, role, pm);
- grantRolePartial(newPrivilge, role, pm);
- }
- }
- }
-
- private BitFieldAction getAction(String component, String name) {
- BitFieldActionFactory actionFactory = getActionFactory(component);
- BitFieldAction action = actionFactory.getActionByName(name);
- if (action == null) {
- throw new RuntimeException("Can not get BitFieldAction for name: " + name);
- }
- return action;
- }
-
- private BitFieldActionFactory getActionFactory(String component) {
- String caseInsensitiveComponent = component.toLowerCase();
- if (actionFactories.containsKey(caseInsensitiveComponent)) {
- return actionFactories.get(caseInsensitiveComponent);
- }
- BitFieldActionFactory actionFactory = createActionFactory(caseInsensitiveComponent);
- actionFactories.put(caseInsensitiveComponent, actionFactory);
- LOGGER.info("Action factory for component {} is not found in cache. Loaded it from configuration as {}.",
- component, actionFactory.getClass().getName());
- return actionFactory;
- }
-
- private BitFieldActionFactory createActionFactory(String component) {
- String actionFactoryClassName =
- conf.get(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, component));
- if (actionFactoryClassName == null) {
- throw new RuntimeException("ActionFactory not defined for component " + component +
- ". Please define the parameter " +
- "sentry." + component + ".action.factory in configuration");
- }
- Class<?> actionFactoryClass;
- try {
- actionFactoryClass = Class.forName(actionFactoryClassName);
- } catch (ClassNotFoundException e) {
- throw new RuntimeException("ActionFactory class " + actionFactoryClassName + " not found.");
- }
- if (!BitFieldActionFactory.class.isAssignableFrom(actionFactoryClass)) {
- throw new RuntimeException("ActionFactory class " + actionFactoryClassName + " must extend "
- + BitFieldActionFactory.class.getName());
- }
- BitFieldActionFactory actionFactory;
- try {
- Constructor<?> actionFactoryConstructor = actionFactoryClass.getDeclaredConstructor();
- actionFactoryConstructor.setAccessible(true);
- actionFactory = (BitFieldActionFactory) actionFactoryClass.newInstance();
- } catch (NoSuchMethodException | InstantiationException | IllegalAccessException e) {
- throw new RuntimeException("Could not instantiate actionFactory " + actionFactoryClassName +
- " for component: " + component, e);
- }
- return actionFactory;
- }
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java
deleted file mode 100644
index c003965..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java
+++ /dev/null
@@ -1,198 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import java.util.List;
-import java.util.Set;
-
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
-import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
-import org.apache.sentry.provider.db.service.persistent.CommitContext;
-
-/**
- * Sentry store for persistent the authorize object to database
- */
-public interface SentryStoreLayer {
- /**
- * Create a role
- * @param component: The request respond to which component
- * @param role: The name of role
- * @param requestor: User on whose behalf the request is launched
- * @returns commit context used for notification handlers
- * @throws SentryAlreadyExistsException
- */
- CommitContext createRole(String component, String role,
- String requestor) throws SentryAlreadyExistsException;
-
- /**
- * Drop a role
- * @param component: The request respond to which component
- * @param role: The name of role
- * @param requestor: user on whose behalf the request is launched
- * @returns commit context used for notification handlers
- * @throws SentryNoSuchObjectException
- */
- CommitContext dropRole(String component, String role,
- String requestor) throws SentryNoSuchObjectException;
-
- /**
- * Add a role to groups.
- * @param component: The request respond to which component
- * @param role: The name of role
- * @param groups: The name of groups
- * @param requestor: User on whose behalf the request is issued
- * @returns commit context used for notification handlers
- * @throws SentryNoSuchObjectException
- */
- CommitContext alterRoleAddGroups(String component, String role,
- Set<String> groups, String requestor) throws SentryNoSuchObjectException;
-
- /**
- * Delete a role from groups.
- * @param component: The request respond to which component
- * @param role: The name of role
- * @param groups: The name of groups
- * @param requestor: User on whose behalf the request is launched
- * @returns commit context used for notification handlers
- * @throws SentryNoSuchObjectException
- */
- CommitContext alterRoleDeleteGroups(String component, String role,
- Set<String> groups, String requestor) throws SentryNoSuchObjectException;
-
- /**
- * Grant a privilege to role.
- * @param component: The request respond to which component
- * @param role: The name of role
- * @param privilege: The privilege object will be granted
- * @param grantorPrincipal: User on whose behalf the request is launched
- * @returns commit context Used for notification handlers
- * @throws SentryUserException
- */
- CommitContext alterRoleGrantPrivilege(String component, String role,
- PrivilegeObject privilege, String grantorPrincipal) throws SentryUserException;
-
- /**
- * Revoke a privilege from role.
- * @param component: The request respond to which component
- * @param role: The name of role
- * @param privilege: The privilege object will revoked
- * @param grantorPrincipal: User on whose behalf the request is launched
- * @returns commit context used for notification handlers
- * @throws SentryUserException
- */
- CommitContext alterRoleRevokePrivilege(String component, String role,
- PrivilegeObject privilege, String grantorPrincipal) throws SentryUserException;
-
- /**
- * Rename privilege
- *
- * @param component: The request respond to which component
- * @param service: The name of service
- * @param oldAuthorizables: The old list of authorize objects
- * @param newAuthorizables: The new list of authorize objects
- * @param requestor: User on whose behalf the request is launched
- * @returns commit context used for notification handlers
- * @throws SentryUserException
- */
- CommitContext renamePrivilege(
- String component, String service, List<? extends Authorizable> oldAuthorizables,
- List<? extends Authorizable> newAuthorizables, String requestor) throws SentryUserException;
-
- /**
- * Drop privilege
- * @param component: The request respond to which component
- * @param privilege: The privilege will be dropped
- * @param requestor: User on whose behalf the request is launched
- * @returns commit context used for notification handlers
- * @throws SentryUserException
- */
- CommitContext dropPrivilege(String component, PrivilegeObject privilege,
- String requestor) throws SentryUserException;
-
- /**
- * Get roles
- * @param component: The request respond to which component
- * @param groups: The name of groups
- * @returns the set of roles
- * @throws SentryUserException
- */
- Set<String> getRolesByGroups(String component, Set<String> groups) throws SentryUserException;
-
- /**
- * Get groups
- * @param component: The request respond to which component
- * @param roles: The name of roles
- * @returns the set of groups
- * @throws SentryUserException
- */
- Set<String> getGroupsByRoles(String component, Set<String> roles) throws SentryUserException;
-
- /**
- * Get privileges
- * @param component: The request respond to which component
- * @param roles: The name of roles
- * @returns the set of privileges
- * @throws SentryUserException
- */
- Set<PrivilegeObject> getPrivilegesByRole(String component, Set<String> roles) throws SentryUserException;
-
- /**
- * get sentry privileges from provider as followings:
- * @param component: The request respond to which component
- * @param service: The name of service
- * @param roles: The name of roles
- * @param groups: The name of groups
- * @param authorizables: The list of authorize objects
- * @returns the set of privileges
- * @throws SentryUserException
- */
-
- Set<PrivilegeObject> getPrivilegesByProvider(String component, String service, Set<String> roles,
- Set<String> groups, List<? extends Authorizable> authorizables)
- throws SentryUserException;
-
- /**
- * Get all roles name.
- *
- * @returns The set of roles name,
- */
- Set<String> getAllRoleNames();
-
- /**
- * Get sentry privileges based on valid active roles and the authorize objects.
- *
- * @param component: The request respond to which component
- * @param service: The name of service
- * @param validActiveRoles: The valid active roles
- * @param authorizables: The list of authorize objects
- * @returns The set of MSentryGMPrivilege
- * @throws SentryUserException
- */
- Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, String service,
- Set<String> validActiveRoles, List<? extends Authorizable> authorizables)
- throws SentryUserException;
-
- /**
- * close sentryStore
- */
- void close();
-
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java
deleted file mode 100644
index e0a5f03..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import org.apache.sentry.provider.db.service.persistent.CommitContext;
-
-public interface NotificationHandler {
-
- void create_sentry_role(CommitContext context,
- TCreateSentryRoleRequest request, TCreateSentryRoleResponse response);
-
- void drop_sentry_role(CommitContext context, TDropSentryRoleRequest request,
- TDropSentryRoleResponse response);
-
- void alter_sentry_role_grant_privilege(CommitContext context, TAlterSentryRoleGrantPrivilegeRequest request,
- TAlterSentryRoleGrantPrivilegeResponse response);
-
- void alter_sentry_role_revoke_privilege(CommitContext context, TAlterSentryRoleRevokePrivilegeRequest request,
- TAlterSentryRoleRevokePrivilegeResponse response);
-
- void alter_sentry_role_add_groups(CommitContext context,TAlterSentryRoleAddGroupsRequest request,
- TAlterSentryRoleAddGroupsResponse response);
-
- void alter_sentry_role_delete_groups(CommitContext context, TAlterSentryRoleDeleteGroupsRequest request,
- TAlterSentryRoleDeleteGroupsResponse response);
-
- void drop_sentry_privilege(CommitContext context, TDropPrivilegesRequest request,
- TDropPrivilegesResponse response);
-
- void rename_sentry_privilege(CommitContext context, TRenamePrivilegesRequest request,
- TRenamePrivilegesResponse response);
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java
deleted file mode 100644
index 1d9c246..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java
+++ /dev/null
@@ -1,164 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import java.util.List;
-
-import org.apache.sentry.provider.db.service.persistent.CommitContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.Lists;
-
-/**
- * Invokes configured instances of NotificationHandler. Importantly
- * NotificationHandler's each receive a copy of the request and
- * response thrift objects from each successful request.
- */
-public class NotificationHandlerInvoker implements NotificationHandler {
- private static final Logger LOGGER = LoggerFactory.getLogger(NotificationHandlerInvoker.class);
- private List<? extends NotificationHandler> handlers = Lists.newArrayList();
-
- public NotificationHandlerInvoker(List<? extends NotificationHandler> handlers) {
- this.handlers = handlers;
- }
- @Override
- public void create_sentry_role(CommitContext context,
- TCreateSentryRoleRequest request, TCreateSentryRoleResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.create_sentry_role(context, new TCreateSentryRoleRequest(request),
- new TCreateSentryRoleResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
-
- @Override
- public void drop_sentry_role(CommitContext context,
- TDropSentryRoleRequest request, TDropSentryRoleResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.drop_sentry_role(context, new TDropSentryRoleRequest(request),
- new TDropSentryRoleResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
-
- @Override
- public void alter_sentry_role_grant_privilege(CommitContext context,
- TAlterSentryRoleGrantPrivilegeRequest request,
- TAlterSentryRoleGrantPrivilegeResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.alter_sentry_role_grant_privilege(context,
- new TAlterSentryRoleGrantPrivilegeRequest(request),
- new TAlterSentryRoleGrantPrivilegeResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
-
- @Override
- public void alter_sentry_role_revoke_privilege(CommitContext context,
- TAlterSentryRoleRevokePrivilegeRequest request,
- TAlterSentryRoleRevokePrivilegeResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.alter_sentry_role_revoke_privilege(context,
- new TAlterSentryRoleRevokePrivilegeRequest(request),
- new TAlterSentryRoleRevokePrivilegeResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
-
- @Override
- public void alter_sentry_role_add_groups(CommitContext context,
- TAlterSentryRoleAddGroupsRequest request,
- TAlterSentryRoleAddGroupsResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.alter_sentry_role_add_groups(context, new TAlterSentryRoleAddGroupsRequest(request),
- new TAlterSentryRoleAddGroupsResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
-
- @Override
- public void alter_sentry_role_delete_groups(CommitContext context,
- TAlterSentryRoleDeleteGroupsRequest request,
- TAlterSentryRoleDeleteGroupsResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.alter_sentry_role_delete_groups(context, new TAlterSentryRoleDeleteGroupsRequest(request),
- new TAlterSentryRoleDeleteGroupsResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
- @Override
- public void drop_sentry_privilege(CommitContext context,
- TDropPrivilegesRequest request, TDropPrivilegesResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.drop_sentry_privilege(context, new TDropPrivilegesRequest(request),
- new TDropPrivilegesResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
- @Override
- public void rename_sentry_privilege(CommitContext context,
- TRenamePrivilegesRequest request, TRenamePrivilegesResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.rename_sentry_privilege(context, new TRenamePrivilegesRequest(request),
- new TRenamePrivilegesResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
-
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
deleted file mode 100644
index dc1152d..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
+++ /dev/null
@@ -1,836 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
-
-import java.lang.reflect.Constructor;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.AuthorizationComponent;
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryInvalidInputException;
-import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
-import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
-import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject;
-import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
-import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer;
-import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory;
-import org.apache.sentry.provider.db.log.util.Constants;
-import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
-import org.apache.sentry.provider.db.service.model.MSentryRole;
-import org.apache.sentry.provider.db.service.persistent.CommitContext;
-import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
-import org.apache.sentry.service.thrift.ServiceConstants;
-import org.apache.sentry.service.thrift.Status;
-import org.apache.sentry.service.thrift.TSentryResponseStatus;
-import org.apache.thrift.TException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Splitter;
-import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-
-public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.Iface {
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryGenericPolicyProcessor.class);
- private static final Logger AUDIT_LOGGER = LoggerFactory
- .getLogger(Constants.AUDIT_LOGGER_NAME_GENERIC);
- private final Configuration conf;
- private final ImmutableSet<String> adminGroups;
- private final SentryStoreLayer store;
- private final NotificationHandlerInvoker handerInvoker;
-
- public static final String SENTRY_GENERIC_SERVICE_NAME = "SentryGenericPolicyService";
- private static final String ACCESS_DENIAL_MESSAGE = "Access denied to ";
-
- public SentryGenericPolicyProcessor(Configuration conf) throws Exception {
- this.store = createStore(conf);
- this.handerInvoker = new NotificationHandlerInvoker(createHandlers(conf));
- this.conf = conf;
- adminGroups = ImmutableSet.copyOf((Sets.newHashSet(conf.getStrings(
- ServerConfig.ADMIN_GROUPS, new String[]{}))));
- }
-
- @VisibleForTesting
- public SentryGenericPolicyProcessor(Configuration conf, SentryStoreLayer store) throws Exception {
- this.store = store;
- this.handerInvoker = new NotificationHandlerInvoker(createHandlers(conf));
- this.conf = conf;
- adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(conf.getStrings(
- ServerConfig.ADMIN_GROUPS, new String[]{}))));
- }
-
- private void authorize(String requestorUser, Set<String> requestorGroups)
- throws SentryAccessDeniedException {
- if (!inAdminGroups(requestorGroups)) {
- String msg = "User: " + requestorUser + " is part of " + requestorGroups +
- " which does not, intersect admin groups " + adminGroups;
- LOGGER.warn(msg);
- throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + requestorUser);
- }
- }
-
- private Set<String> toTrimmedLower(Set<String> s) {
- if (null == s) {
- return new HashSet<String>();
- }
- Set<String> result = Sets.newHashSet();
- for (String v : s) {
- result.add(v.trim().toLowerCase());
- }
- return result;
- }
-
- private Set<String> toTrimmed(Set<String> s) {
- if (null == s) {
- return new HashSet<String>();
- }
- Set<String> result = Sets.newHashSet();
- for (String v : s) {
- result.add(v.trim());
- }
- return result;
- }
-
- private String toTrimmedLower(String s) {
- if (Strings.isNullOrEmpty(s)){
- return "";
- }
- return s.trim().toLowerCase();
- }
-
- public static Set<String> getRequestorGroups(Configuration conf, String userName) throws SentryUserException {
- return SentryPolicyStoreProcessor.getGroupsFromUserName(conf, userName);
- }
-
- private boolean inAdminGroups(Set<String> requestorGroups) {
- if (Sets.intersection(adminGroups, requestorGroups).isEmpty()) {
- return false;
- }
- return true;
- }
-
- public static SentryStoreLayer createStore(Configuration conf) throws SentrySiteConfigurationException {
- SentryStoreLayer storeLayer = null;
- String store = conf.get(PolicyStoreConstants.SENTRY_GENERIC_POLICY_STORE, PolicyStoreConstants.SENTRY_GENERIC_POLICY_STORE_DEFAULT);
-
- if (Strings.isNullOrEmpty(store)) {
- throw new SentrySiteConfigurationException("sentry.generic.policy.store can not be empty");
- }
- try {
- storeLayer = createInstance(store, conf, SentryStoreLayer.class);
- } catch (Exception e) {
- throw new SentrySiteConfigurationException("Create sentryStore error: " + e.getMessage(), e);
- }
- return storeLayer;
- }
-
- public static List<NotificationHandler> createHandlers(Configuration conf) throws SentrySiteConfigurationException {
-
- List<NotificationHandler> handlers = Lists.newArrayList();
- Iterable<String> notificationHandlers = Splitter.onPattern("[\\s,]").trimResults()
- .omitEmptyStrings().split(conf.get(PolicyStoreConstants.SENTRY_GENERIC_POLICY_NOTIFICATION, ""));
- try {
- for (String notificationHandler : notificationHandlers) {
- handlers.add(createInstance(notificationHandler, conf, NotificationHandler.class));
- }
- } catch (Exception e) {
- throw new SentrySiteConfigurationException("Create notificationHandlers error: " + e.getMessage(), e);
- }
- return handlers;
- }
-
- @SuppressWarnings("unchecked")
- public static <T> T createInstance(String className, Configuration conf, Class<T> iface) throws Exception {
- T result;
- try {
- Class<?> clazz = Class.forName(className);
- if (!iface.isAssignableFrom(clazz)) {
- throw new IllegalArgumentException("Class " + clazz + " is not a " +
- iface.getName());
- }
- Constructor<T> meth = (Constructor<T>)clazz.getDeclaredConstructor(Configuration.class);
- meth.setAccessible(true);
- result = meth.newInstance(new Object[]{conf});
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
- return result;
- }
-
- private <T> Response<T> requestHandle(RequestHandler<T> handler) {
- Response<T> response = new Response<T>();
- try {
- response = handler.handle();
- } catch (SentryAccessDeniedException e) {
- String msg = "Sentry access denied: " + e.getMessage();
- LOGGER.error(msg, e);
- response.status = Status.AccessDenied(e.getMessage(), e);
- } catch (SentryAlreadyExistsException e) {
- String msg = "Sentry object already exists: " + e.getMessage();
- LOGGER.error(msg, e);
- response.status = Status.AlreadyExists(e.getMessage(), e);
- } catch (SentryNoSuchObjectException e) {
- String msg = "Sentry object doesn't exist: " + e.getMessage();
- LOGGER.error(msg, e);
- response.status = Status.NoSuchObject(e.getMessage(), e);
- } catch (SentryInvalidInputException e) {
- String msg = "Invalid input privilege object: " + e.getMessage();
- LOGGER.error(msg, e);
- response.status = Status.InvalidInput(msg, e);
- } catch (SentryThriftAPIMismatchException e) {
- String msg = "Sentry thrift API mismatch error: " + e.getMessage();
- LOGGER.error(msg, e);
- response.status = Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e);
- } catch (Exception e) {
- String msg = "Unknown error:" + e.getMessage();
- LOGGER.error(msg, e);
- response.status = Status.RuntimeError(msg, e);
- }
- return response;
- }
-
- private PrivilegeObject toPrivilegeObject(TSentryPrivilege tSentryPrivilege) {
- Boolean grantOption;
- if (tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE)) {
- grantOption = true;
- } else if (tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.FALSE)) {
- grantOption = false;
- } else {
- grantOption = null;
- }
- return new Builder().setComponent(tSentryPrivilege.getComponent())
- .setService(tSentryPrivilege.getServiceName())
- .setAuthorizables(toAuthorizables(tSentryPrivilege.getAuthorizables()))
- .setAction(tSentryPrivilege.getAction())
- .withGrantOption(grantOption)
- .build();
- }
-
- private TSentryPrivilege fromPrivilegeObject(PrivilegeObject privilege) {
-
- TSentryPrivilege tPrivilege = new TSentryPrivilege(privilege.getComponent(), privilege.getService(),
- fromAuthorizable(privilege.getAuthorizables()),
- privilege.getAction());
- if (privilege.getGrantOption() == null) {
- tPrivilege.setGrantOption(TSentryGrantOption.UNSET);
- } else if (privilege.getGrantOption()) {
- tPrivilege.setGrantOption(TSentryGrantOption.TRUE);
- } else {
- tPrivilege.setGrantOption(TSentryGrantOption.FALSE);
- }
- return tPrivilege;
- }
-
- private List<TAuthorizable> fromAuthorizable(List<? extends Authorizable> authorizables) {
- List<TAuthorizable> tAuthorizables = Lists.newArrayList();
- for (Authorizable authorizable : authorizables) {
- tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
- }
- return tAuthorizables;
- }
-
- private String fromAuthorizableToStr(List<? extends Authorizable> authorizables) {
- if (authorizables != null && !authorizables.isEmpty()) {
- List<String> privileges = Lists.newArrayList();
-
- for (Authorizable authorizable : authorizables) {
-
- privileges.add(SentryConstants.KV_JOINER.join(authorizable.getTypeName(),
- authorizable.getName()));
- }
-
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- } else {
- return "";
- }
- }
-
- private List<? extends Authorizable> toAuthorizables(List<TAuthorizable> tAuthorizables) {
- List<Authorizable> authorizables = Lists.newArrayList();
- if (tAuthorizables == null) {
- return authorizables;
- }
- for (final TAuthorizable tAuthorizable : tAuthorizables) {
- authorizables.add(new Authorizable() {
- @Override
- public String getTypeName() {
- return tAuthorizable.getType();
- }
- @Override
- public String getName() {
- return tAuthorizable.getName();
- }
- });
- }
- return authorizables;
- }
-
- private List<? extends Authorizable> toAuthorizables(String privilegeStr) {
- List<Authorizable> authorizables = Lists.newArrayList();
- if (privilegeStr == null) {
- return authorizables;
- }
-
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue tempKV = new KeyValue(authorizable);
- final String key = tempKV.getKey();
- final String value = tempKV.getValue();
-
- authorizables.add(new Authorizable() {
- @Override
- public String getTypeName() {
- return key;
- }
-
- @Override
- public String getName() {
- return value;
- }
- });
- }
-
- return authorizables;
- }
-
- // Construct the role to set of privileges mapping based on the
- // MSentryGMPrivilege information.
- private TSentryPrivilegeMap toTSentryPrivilegeMap(Set<MSentryGMPrivilege> mPrivileges) {
-
- // Mapping of <Role, Set<Privilege>>.
- Map<String, Set<TSentryPrivilege>> tPrivilegeMap = Maps.newTreeMap();
-
- for (MSentryGMPrivilege mPrivilege : mPrivileges) {
- for (MSentryRole role : mPrivilege.getRoles()) {
-
- TSentryPrivilege tPrivilege = toTSentryPrivilege(mPrivilege);
-
- if (tPrivilegeMap.containsKey(role.getRoleName())) {
- tPrivilegeMap.get(role.getRoleName()).add(tPrivilege);
- } else {
- Set<TSentryPrivilege> tPrivilegeSet = Sets.newTreeSet();
- tPrivilegeSet.add(tPrivilege);
- tPrivilegeMap.put(role.getRoleName(), tPrivilegeSet);
- }
- }
- }
-
- return new TSentryPrivilegeMap(tPrivilegeMap);
- }
-
- // Construct TSentryPrivilege based on MSentryGMPrivilege information.
- private TSentryPrivilege toTSentryPrivilege(MSentryGMPrivilege mPrivilege) {
-
- TSentryPrivilege tPrivilege = new TSentryPrivilege(mPrivilege.getComponentName(),
- mPrivilege.getServiceName(), fromAuthorizable(mPrivilege.getAuthorizables()), mPrivilege.getAction());
-
- if (mPrivilege.getGrantOption() == null) {
- tPrivilege.setGrantOption(TSentryGrantOption.UNSET);
- } else if (mPrivilege.getGrantOption()) {
- tPrivilege.setGrantOption(TSentryGrantOption.TRUE);
- } else {
- tPrivilege.setGrantOption(TSentryGrantOption.FALSE);
- }
-
- return tPrivilege;
- }
-
- private Set<String> buildPermissions(Set<PrivilegeObject> privileges) {
- Set<String> permissions = Sets.newHashSet();
- for (PrivilegeObject privilege : privileges) {
- List<String> hierarchy = Lists.newArrayList();
- if (hasComponentServerPrivilege(privilege.getComponent())) {
- hierarchy.add(KV_JOINER.join("server", privilege.getService()));
- }
- for (Authorizable authorizable : privilege.getAuthorizables()) {
- hierarchy.add(KV_JOINER.join(authorizable.getTypeName(),authorizable.getName()));
- }
- hierarchy.add(KV_JOINER.join("action", privilege.getAction()));
- permissions.add(AUTHORIZABLE_JOINER.join(hierarchy));
- }
- return permissions;
- }
-
- private boolean hasComponentServerPrivilege(String component) {
- //judge the component whether has the server privilege, for example: sqoop has the privilege on the server
- return AuthorizationComponent.SQOOP.equalsIgnoreCase(component);
- }
-
- @Override
- public TCreateSentryRoleResponse create_sentry_role(
- final TCreateSentryRoleRequest request) throws TException {
- Response<Void> respose = requestHandle(new RequestHandler<Void>() {
- @Override
- public Response<Void> handle() throws Exception {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(),
- getRequestorGroups(conf, request.getRequestorUserName()));
- CommitContext context = store.createRole(request.getComponent(), request.getRoleName(), request.getRequestorUserName());
- return new Response<Void>(Status.OK(), context);
- }
- });
-
- TCreateSentryRoleResponse tResponse = new TCreateSentryRoleResponse(respose.status);
- if (Status.OK.getCode() == respose.status.getValue()) {
- handerInvoker.create_sentry_role(respose.context, request, tResponse);
- }
-
- try {
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error in creating audit log for create role: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return tResponse;
- }
-
- @Override
- public TDropSentryRoleResponse drop_sentry_role(final TDropSentryRoleRequest request)
- throws TException {
- Response<Void> respose = requestHandle(new RequestHandler<Void>() {
- @Override
- public Response<Void> handle() throws Exception {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(),
- getRequestorGroups(conf, request.getRequestorUserName()));
- CommitContext context = store.dropRole(request.getComponent(), request.getRoleName(), request.getRequestorUserName());
- return new Response<Void>(Status.OK(), context);
- }
- });
-
- TDropSentryRoleResponse tResponse = new TDropSentryRoleResponse(respose.status);
- if (Status.OK.getCode() == respose.status.getValue()) {
- handerInvoker.drop_sentry_role(respose.context, request, tResponse);
- }
-
- try {
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error in creating audit log for drop role: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return tResponse;
- }
-
- @Override
- public TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege(
- final TAlterSentryRoleGrantPrivilegeRequest request) throws TException {
- Response<Void> respose = requestHandle(new RequestHandler<Void>() {
- @Override
- public Response<Void> handle() throws Exception {
- validateClientVersion(request.getProtocol_version());
- CommitContext context = store.alterRoleGrantPrivilege(request.getComponent(), request.getRoleName(), toPrivilegeObject(request.getPrivilege()), request.getRequestorUserName());
- return new Response<Void>(Status.OK(), context);
- }
- });
-
- TAlterSentryRoleGrantPrivilegeResponse tResponse = new TAlterSentryRoleGrantPrivilegeResponse(respose.status);
- if (Status.OK.getCode() == respose.status.getValue()) {
- handerInvoker.alter_sentry_role_grant_privilege(respose.context, request, tResponse);
- }
-
- try {
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error in creating audit log for grant privilege to role: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return tResponse;
- }
-
- @Override
- public TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege(
- final TAlterSentryRoleRevokePrivilegeRequest request) throws TException {
- Response<Void> respose = requestHandle(new RequestHandler<Void>() {
- @Override
- public Response<Void> handle() throws Exception {
- validateClientVersion(request.getProtocol_version());
- CommitContext context = store.alterRoleRevokePrivilege(request.getComponent(), request.getRoleName(), toPrivilegeObject(request.getPrivilege()), request.getRequestorUserName());
- return new Response<Void>(Status.OK(), context);
- }
- });
-
- TAlterSentryRoleRevokePrivilegeResponse tResponse = new TAlterSentryRoleRevokePrivilegeResponse(respose.status);
- if (Status.OK.getCode() == respose.status.getValue()) {
- handerInvoker.alter_sentry_role_revoke_privilege(respose.context, request, tResponse);
- }
-
- try {
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error in creating audit log for revoke privilege from role: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return tResponse;
- }
-
- @Override
- public TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(
- final TAlterSentryRoleAddGroupsRequest request) throws TException {
- Response<Void> respose = requestHandle(new RequestHandler<Void>() {
- @Override
- public Response<Void> handle() throws Exception {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(),
- getRequestorGroups(conf, request.getRequestorUserName()));
- CommitContext context = store.alterRoleAddGroups(request.getComponent(), request.getRoleName(), request.getGroups(), request.getRequestorUserName());
- return new Response<Void>(Status.OK(), context);
- }
- });
-
- TAlterSentryRoleAddGroupsResponse tResponse = new TAlterSentryRoleAddGroupsResponse(respose.status);
- if (Status.OK.getCode() == respose.status.getValue()) {
- handerInvoker.alter_sentry_role_add_groups(respose.context, request, tResponse);
- }
-
- try {
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error in creating audit log for add role to group: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return tResponse;
- }
-
- @Override
- public TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(
- final TAlterSentryRoleDeleteGroupsRequest request) throws TException {
- Response<Void> respose = requestHandle(new RequestHandler<Void>() {
- @Override
- public Response<Void> handle() throws Exception {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(),
- getRequestorGroups(conf, request.getRequestorUserName()));
- CommitContext context = store.alterRoleDeleteGroups(request.getComponent(), request.getRoleName(), request.getGroups(), request.getRequestorUserName());
- return new Response<Void>(Status.OK(), context);
- }
- });
-
- TAlterSentryRoleDeleteGroupsResponse tResponse = new TAlterSentryRoleDeleteGroupsResponse(respose.status);
- if (Status.OK.getCode() == respose.status.getValue()) {
- handerInvoker.alter_sentry_role_delete_groups(respose.context, request, tResponse);
- }
-
- try {
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
- .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
- } catch (Exception e) {
- // if any exception, log the exception.
- String msg = "Error in creating audit log for delete role from group: " + e.getMessage();
- LOGGER.error(msg, e);
- }
- return tResponse;
- }
-
- @Override
- public TListSentryRolesResponse list_sentry_roles_by_group(
- final TListSentryRolesRequest request) throws TException {
- Response<Set<TSentryRole>> respose = requestHandle(new RequestHandler<Set<TSentryRole>>() {
- @Override
- public Response<Set<TSentryRole>> handle() throws Exception {
- validateClientVersion(request.getProtocol_version());
- Set<String> groups = getRequestorGroups(conf, request.getRequestorUserName());
- if (!AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
- boolean admin = inAdminGroups(groups);
- //Only admin users can list all roles in the system ( groupname = null)
- //Non admin users are only allowed to list only groups which they belong to
- if(!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) {
- throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + request.getRequestorUserName());
- }
- groups.clear();
- groups.add(request.getGroupName());
- }
-
- Set<String> roleNames = store.getRolesByGroups(request.getComponent(), groups);
- Set<TSentryRole> tSentryRoles = Sets.newHashSet();
- for (String roleName : roleNames) {
- Set<String> groupsForRoleName = store.getGroupsByRoles(request.getComponent(), Sets.newHashSet(roleName));
- tSentryRoles.add(new TSentryRole(roleName, groupsForRoleName));
- }
- return new Response<Set<TSentryRole>>(Status.OK(), tSentryRoles);
- }
- });
- TListSentryRolesResponse tResponse = new TListSentryRolesResponse();
- tResponse.setStatus(respose.status);
- tResponse.setRoles(respose.content);
- return tResponse;
- }
-
- @Override
- public TListSentryPrivilegesResponse list_sentry_privileges_by_role(
- final TListSentryPrivilegesRequest request) throws TException {
- Response<Set<TSentryPrivilege>> respose = requestHandle(new RequestHandler<Set<TSentryPrivilege>>() {
- @Override
- public Response<Set<TSentryPrivilege>> handle() throws Exception {
- validateClientVersion(request.getProtocol_version());
- Set<String> groups = getRequestorGroups(conf, request.getRequestorUserName());
- if (!inAdminGroups(groups)) {
- Set<String> roleNamesForGroups = toTrimmedLower(store.getRolesByGroups(request.getComponent(), groups));
- if (!roleNamesForGroups.contains(toTrimmedLower(request.getRoleName()))) {
- throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + request.getRequestorUserName());
- }
- }
- Set<PrivilegeObject> privileges = store.getPrivilegesByProvider(request.getComponent(),
- request.getServiceName(),
- Sets.newHashSet(request.getRoleName()),
- null, toAuthorizables(request.getAuthorizables()));
- Set<TSentryPrivilege> tSentryPrivileges = Sets.newHashSet();
- for (PrivilegeObject privilege : privileges) {
- tSentryPrivileges.add(fromPrivilegeObject(privilege));
- }
- return new Response<Set<TSentryPrivilege>>(Status.OK(), tSentryPrivileges);
- }
- });
- TListSentryPrivilegesResponse tResponse = new TListSentryPrivilegesResponse();
- tResponse.setStatus(respose.status);
- tResponse.setPrivileges(respose.content);
- return tResponse;
- }
-
- @Override
- public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(
- final TListSentryPrivilegesForProviderRequest request) throws TException {
- Response<Set<String>> respose = requestHandle(new RequestHandler<Set<String>>() {
- @Override
- public Response<Set<String>> handle() throws Exception {
- validateClientVersion(request.getProtocol_version());
- Set<String> activeRoleNames = toTrimmedLower(request.getRoleSet().getRoles());
- Set<String> roleNamesForGroups = store.getRolesByGroups(request.getComponent(), request.getGroups());
- Set<String> rolesToQuery = request.getRoleSet().isAll() ? roleNamesForGroups : Sets.intersection(activeRoleNames, roleNamesForGroups);
- Set<PrivilegeObject> privileges = store.getPrivilegesByProvider(request.getComponent(),
- request.getServiceName(),
- rolesToQuery, null,
- toAuthorizables(request.getAuthorizables()));
- return new Response<Set<String>>(Status.OK(), buildPermissions(privileges));
- }
- });
- TListSentryPrivilegesForProviderResponse tResponse = new TListSentryPrivilegesForProviderResponse();
- tResponse.setStatus(respose.status);
- tResponse.setPrivileges(respose.content);
- return tResponse;
- }
-
- @Override
- public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(TListSentryPrivilegesByAuthRequest request) throws TException {
-
- TListSentryPrivilegesByAuthResponse response = new TListSentryPrivilegesByAuthResponse();
- Map<String, TSentryPrivilegeMap> authRoleMap = Maps.newHashMap();
-
- // Group names are case sensitive.
- Set<String> requestedGroups = request.getGroups();
- String subject = request.getRequestorUserName();
- TSentryActiveRoleSet activeRoleSet = request.getRoleSet();
- Set<String> validActiveRoles = Sets.newHashSet();
-
- try {
- validateClientVersion(request.getProtocol_version());
- Set<String> memberGroups = getRequestorGroups(conf, subject);
-
- // Disallow non-admin users to lookup groups that
- // they are not part of.
- if(!inAdminGroups(memberGroups)) {
-
- if (requestedGroups != null && !requestedGroups.isEmpty()) {
- for (String requestedGroup : requestedGroups) {
-
- // If user doesn't belong to one of the requested groups,
- // then raise security exception.
- if (!memberGroups.contains(requestedGroup)) {
- throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + subject);
- }
- }
- } else {
- // Non-admin's search is limited to its own groups.
- requestedGroups = memberGroups;
- }
-
- Set<String> grantedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups));
-
- // If activeRoleSet is not null, disallow non-admin to lookup roles that they are not part of.
- if (activeRoleSet != null && !activeRoleSet.isAll()) {
-
- Set<String> activeRoleNames = toTrimmedLower(activeRoleSet.getRoles());
- for (String activeRole : activeRoleNames) {
- if (!grantedRoles.contains(activeRole)) {
- throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE
- + subject);
- }
- }
-
- // For non-admin, valid active roles are intersection of active roles and granted roles.
- validActiveRoles.addAll(activeRoleSet.isAll() ? grantedRoles : Sets.intersection(activeRoleNames, grantedRoles));
- } else {
- // For non-admin, if activeRoleSet is null, valid active roles would be the granted roles.
- validActiveRoles.addAll(grantedRoles);
- }
- } else {
- // For admin, if requestedGroups are empty, requested roles will be all roles.
- Set<String> requestedRoles = toTrimmedLower(store.getAllRoleNames());
- if (requestedGroups != null && !requestedGroups.isEmpty()) {
- requestedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups));
- }
-
- // If activeRoleSet (which is optional) is not null, valid active role will be intersection
- // of active roles and requested roles. Otherwise, valid active roles are the requested roles.
- if (activeRoleSet != null && !activeRoleSet.isAll()) {
- validActiveRoles.addAll(Sets.intersection(toTrimmedLower(activeRoleSet.getRoles()), requestedRoles));
- } else {
- validActiveRoles.addAll(requestedRoles);
- }
- }
-
- // If user is not part of any group.. return empty response
- if (request.getAuthorizablesSet() != null) {
- for (String authorizablesStr : request.getAuthorizablesSet()) {
-
- List<? extends Authorizable> authorizables = toAuthorizables(authorizablesStr);
- Set<MSentryGMPrivilege> sentryPrivileges = store.getPrivilegesByAuthorizable(request.getComponent(), request.getServiceName(), validActiveRoles, authorizables);
- authRoleMap.put(fromAuthorizableToStr(authorizables), toTSentryPrivilegeMap(sentryPrivileges));
- }
- }
-
- response.setPrivilegesMapByAuth(authRoleMap);
- response.setStatus(Status.OK());
- } catch (SentryAccessDeniedException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.AccessDenied(e.getMessage(), e));
- } catch (SentryThriftAPIMismatchException e) {
- LOGGER.error(e.getMessage(), e);
- response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
- } catch (Exception e) {
- String msg = "Unknown error for request: " + request + ", message: "
- + e.getMessage();
- LOGGER.error(msg, e);
- response.setStatus(Status.RuntimeError(msg, e));
- }
-
- return response;
- }
-
- @Override
- public TDropPrivilegesResponse drop_sentry_privilege(
- final TDropPrivilegesRequest request) throws TException {
- Response<Void> respose = requestHandle(new RequestHandler<Void>() {
- @Override
- public Response<Void> handle() throws Exception {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(),
- getRequestorGroups(conf, request.getRequestorUserName()));
- CommitContext context = store.dropPrivilege(request.getComponent(),
- toPrivilegeObject(request.getPrivilege()),
- request.getRequestorUserName());
- return new Response<Void>(Status.OK(), context);
- }
- });
-
- TDropPrivilegesResponse tResponse = new TDropPrivilegesResponse(respose.status);
- if (Status.OK.getCode() == respose.status.getValue()) {
- handerInvoker.drop_sentry_privilege(respose.context, request, tResponse);
- }
- return tResponse;
- }
-
- @Override
- public TRenamePrivilegesResponse rename_sentry_privilege(
- final TRenamePrivilegesRequest request) throws TException {
- Response<Void> respose = requestHandle(new RequestHandler<Void>() {
- @Override
- public Response<Void> handle() throws Exception {
- validateClientVersion(request.getProtocol_version());
- authorize(request.getRequestorUserName(),
- getRequestorGroups(conf, request.getRequestorUserName()));
- CommitContext context = store.renamePrivilege(request.getComponent(), request.getServiceName(),
- toAuthorizables(request.getOldAuthorizables()),
- toAuthorizables(request.getNewAuthorizables()),
- request.getRequestorUserName());
- return new Response<Void>(Status.OK(),context);
- }
- });
-
- TRenamePrivilegesResponse tResponse = new TRenamePrivilegesResponse(respose.status);
- if (Status.OK.getCode() == respose.status.getValue()) {
- handerInvoker.rename_sentry_privilege(respose.context, request, tResponse);
- }
- return tResponse;
- }
-
- private static class Response<T> {
- private TSentryResponseStatus status;
- private CommitContext context;
- private T content;
-
- Response() {
- }
-
- Response(TSentryResponseStatus status, CommitContext context) {
- this(status,context,null);
- }
-
- Response(TSentryResponseStatus status, T content) {
- this(status,null,content);
- }
-
- Response(TSentryResponseStatus status, CommitContext context, T content) {
- this.status = status;
- this.context = context;
- this.content = content;
- }
- }
- private interface RequestHandler <T>{
- Response<T> handle() throws Exception ;
- }
-
- private static void validateClientVersion(int protocolVersion) throws SentryThriftAPIMismatchException {
- if (ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT != protocolVersion) {
- String msg = "Sentry thrift API protocol version mismatch: Client thrift version " +
- "is: " + protocolVersion + " , server thrift version " +
- "is " + ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT;
- throw new SentryThriftAPIMismatchException(msg);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java
deleted file mode 100644
index 1cce1fc..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.service.thrift.ProcessorFactory;
-import org.apache.thrift.TMultiplexedProcessor;
-import org.apache.thrift.TProcessor;
-
-public class SentryGenericPolicyProcessorFactory extends ProcessorFactory {
-
- public SentryGenericPolicyProcessorFactory(Configuration conf) {
- super(conf);
- }
-
- @Override
- public boolean register(TMultiplexedProcessor multiplexedProcessor) throws Exception {
- SentryGenericPolicyProcessor processHandler = new SentryGenericPolicyProcessor(conf);
- TProcessor processor = new SentryGenericPolicyProcessorWrapper<SentryGenericPolicyService.Iface>(
- processHandler);
- multiplexedProcessor.registerProcessor(SentryGenericPolicyProcessor.SENTRY_GENERIC_SERVICE_NAME, processor);
- return true;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java
deleted file mode 100644
index d320d0f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
-import org.apache.thrift.TException;
-import org.apache.thrift.protocol.TProtocol;
-
-public class SentryGenericPolicyProcessorWrapper<I extends SentryGenericPolicyService.Iface>
- extends SentryGenericPolicyService.Processor<SentryGenericPolicyService.Iface> {
-
- public SentryGenericPolicyProcessorWrapper(I iface) {
- super(iface);
- }
-
- @Override
- public boolean process(TProtocol in, TProtocol out) throws TException {
- // set the ip and impersonator for audit log
- ThriftUtil.setIpAddress(in);
- ThriftUtil.setImpersonator(in);
- return super.process(in, out);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
index ee6cdf7..d22cfe2 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
@@ -161,7 +161,7 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi
ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
TMultiplexedProtocol protocol = new TMultiplexedProtocol(
new TBinaryProtocol(transport, maxMessageSize, maxMessageSize, true, true),
- SentryGenericPolicyProcessor.SENTRY_GENERIC_SERVICE_NAME);
+ ServiceConstants.SENTRY_GENERIC_SERVICE_NAME);
client = new SentryGenericPolicyService.Client(protocol);
LOGGER.debug("Successfully created client");
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java
deleted file mode 100644
index 8000ebd..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.appender;
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.log4j.AppenderSkeleton;
-import org.apache.log4j.Level;
-import org.apache.log4j.spi.LoggingEvent;
-
-import com.google.common.annotations.VisibleForTesting;
-
-@VisibleForTesting
-public class AuditLoggerTestAppender extends AppenderSkeleton {
- public static final List<LoggingEvent> events = new ArrayList<LoggingEvent>();
-
- public void close() {
- }
-
- public boolean requiresLayout() {
- return false;
- }
-
- @Override
- protected void append(LoggingEvent event) {
- events.add(event);
- }
-
- public static String getLastLogEvent() {
- return events.get(events.size() - 1).getMessage().toString();
- }
-
- public static Level getLastLogLevel() {
- return events.get(events.size() - 1).getLevel();
- }
-}
[09/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
new file mode 100644
index 0000000..7db5426
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
@@ -0,0 +1,542 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.model.kafka.validator.KafkaPrivilegeValidator;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
+import org.apache.sentry.provider.db.tools.SentryShellCommon;
+import org.apache.shiro.config.ConfigurationException;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.PrintStream;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+import static org.junit.Assert.*;
+
+public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
+ private File confDir;
+ private File confPath;
+ private static String TEST_ROLE_NAME_1 = "testRole1";
+ private static String TEST_ROLE_NAME_2 = "testRole2";
+ private static String KAFKA = "kafka";
+ private String requestorName = "";
+ private String service = "kafka1";
+
+ @Before
+ public void prepareForTest() throws Exception {
+ confDir = Files.createTempDir();
+ confPath = new File(confDir, "sentry-site.xml");
+ if (confPath.createNewFile()) {
+ FileOutputStream to = new FileOutputStream(confPath);
+ conf.writeXml(to);
+ to.close();
+ }
+ requestorName = clientUgi.getShortUserName();//.getProperty("user.name", "");
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorName, requestorUserGroupNames);
+ // add ADMIN_USER for the after() in SentryServiceIntegrationBase
+ setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
+ writePolicyFile();
+ }
+
+ @After
+ public void clearTestData() throws Exception {
+ FileUtils.deleteQuietly(confDir);
+ }
+
+ @Test
+ public void testCreateDropRole() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // test: create role with -cr
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellKafka.main(args);
+ // test: create role with --create_role
+ args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellKafka.main(args);
+
+ // validate the result, list roles with -lr
+ args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
+ SentryShellKafka sentryShell = new SentryShellKafka();
+ Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
+
+ // validate the result, list roles with --list_role
+ args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
+
+ // test: drop role with -dr
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellKafka.main(args);
+ // test: drop role with --drop_role
+ args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellKafka.main(args);
+
+ // validate the result
+ Set<TSentryRole> roles = client.listAllRoles(requestorName, KAFKA);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ }
+ });
+ }
+
+ @Test
+ public void testAddDeleteRoleForGroup() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // Group names are case sensitive - mixed case names should work
+ String TEST_GROUP_1 = "testGroup1";
+ String TEST_GROUP_2 = "testGroup2";
+ String TEST_GROUP_3 = "testGroup3";
+
+ // create the role for test
+ client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
+ client.createRole(requestorName, TEST_ROLE_NAME_2, KAFKA);
+ // test: add role to group with -arg
+ String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellKafka.main(args);
+ // test: add role to multiple groups
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellKafka.main(args);
+ // test: add role to group with --add_role_group
+ args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellKafka.main(args);
+
+ // validate the result list roles with -lr and -g
+ args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellKafka sentryShell = new SentryShellKafka();
+ Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
+
+ // list roles with --list_role and -g
+ args = new String[] { "--list_role", "-g", TEST_GROUP_2, "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1);
+
+ args = new String[] { "--list_role", "-g", TEST_GROUP_3, "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1);
+
+ // test: delete role from group with -drg
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellKafka.main(args);
+ // test: delete role to multiple groups
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellKafka.main(args);
+ // test: delete role from group with --delete_role_group
+ args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
+ "-conf", confPath.getAbsolutePath() };
+ SentryShellKafka.main(args);
+
+ // validate the result
+ Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, TEST_GROUP_1, KAFKA);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ roles = client.listRolesByGroupName(requestorName, TEST_GROUP_2, KAFKA);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ roles = client.listRolesByGroupName(requestorName, TEST_GROUP_3, KAFKA);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
+ client.dropRole(requestorName, TEST_ROLE_NAME_2, KAFKA);
+ }
+ });
+ }
+
+ @Test
+ public void testCaseSensitiveGroupName() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+
+ // create the role for test
+ client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
+ // add role to a group (lower case)
+ String[] args = {"-arg", "-r", TEST_ROLE_NAME_1, "-g", "group1", "-conf",
+ confPath.getAbsolutePath()};
+ SentryShellKafka.main(args);
+
+ // validate the roles when group name is same case as above
+ args = new String[]{"-lr", "-g", "group1", "-conf", confPath.getAbsolutePath()};
+ SentryShellKafka sentryShell = new SentryShellKafka();
+ Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1);
+
+ // roles should be empty when group name is different case than above
+ args = new String[]{"-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath()};
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames);
+ }
+ });
+ }
+
+ public static String grant(boolean shortOption) {
+ return shortOption ? "-gpr" : "--grant_privilege_role";
+ }
+
+ public static String revoke(boolean shortOption) {
+ return shortOption ? "-rpr" : "--revoke_privilege_role";
+ }
+
+ public static String list(boolean shortOption) {
+ return shortOption ? "-lp" : "--list_privilege";
+ }
+
+ private void assertGrantRevokePrivilege(final boolean shortOption) throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // create the role for test
+ client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
+ client.createRole(requestorName, TEST_ROLE_NAME_2, KAFKA);
+
+ String [] privs = {
+ "HOST=*->CLUSTER=kafka-cluster->action=read",
+ "HOST=h1->TOPIC=t1->action=write",
+ "HOST=*->CONSUMERGROUP=cg1->action=read",
+ "CLUSTER=kafka-cluster->action=write",
+ "CONSUMERGROUP=cg2->action=write"
+ };
+ for (int i = 0; i < privs.length; ++i) {
+ // test: grant privilege to role
+ String [] args = new String [] { grant(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
+ privs[ i ],
+ "-conf", confPath.getAbsolutePath() };
+ SentryShellKafka.main(args);
+ }
+
+ // test the list privilege
+ String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellKafka sentryShell = new SentryShellKafka();
+ Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
+
+ assertEquals("Incorrect number of privileges", privs.length, privilegeStrs.size());
+ for (int i = 0; i < privs.length; ++i) {
+ assertTrue("Expected privilege: " + privs[i] + " in " + Arrays.toString(privilegeStrs.toArray()), privilegeStrs.contains(privs[i].startsWith("HOST=") ? privs[i] : "HOST=*->" + privs[i]));
+ }
+
+ for (int i = 0; i < privs.length; ++i) {
+ args = new String[] { revoke(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
+ privs[ i ], "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellKafka.main(args);
+ Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorName,
+ TEST_ROLE_NAME_1, KAFKA, service);
+ assertEquals("Incorrect number of privileges. Received privileges: " + Arrays.toString(privileges.toArray()), privs.length - (i + 1), privileges.size());
+ }
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
+ client.dropRole(requestorName, TEST_ROLE_NAME_2, KAFKA);
+ }
+ });
+ }
+
+
+ @Test
+ public void testGrantRevokePrivilegeWithShortOption() throws Exception {
+ assertGrantRevokePrivilege(true);
+ }
+
+ @Test
+ public void testGrantRevokePrivilegeWithLongOption() throws Exception {
+ assertGrantRevokePrivilege(false);
+ }
+
+
+ @Test
+ public void testNegativeCaseWithInvalidArgument() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
+ // test: create duplicate role with -cr
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellKafka sentryShell = new SentryShellKafka();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for creating duplicate role");
+ } catch (SentryUserException e) {
+ // expected exception
+ } catch (Exception e) {
+ fail ("Unexpected exception received. " + e);
+ }
+
+ // test: drop non-exist role with -dr
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for dropping non-exist role");
+ } catch (SentryUserException e) {
+ // excepted exception
+ } catch (Exception e) {
+ fail ("Unexpected exception received. " + e);
+ }
+
+ // test: add non-exist role to group with -arg
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for granting non-exist role to group");
+ } catch (SentryUserException e) {
+ // excepted exception
+ } catch (Exception e) {
+ fail ("Unexpected exception received. " + e);
+ }
+
+ // test: drop group from non-exist role with -drg
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for drop group from non-exist role");
+ } catch (SentryUserException e) {
+ // excepted exception
+ } catch (Exception e) {
+ fail ("Unexpected exception received. " + e);
+ }
+
+ // test: grant privilege to role with the error privilege format
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=all",
+ "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for the error privilege format, invalid key value.");
+ } catch (IllegalArgumentException e) {
+ // excepted exception
+ } catch (Exception e) {
+ fail ("Unexpected exception received. " + e);
+ }
+
+ // test: grant privilege to role with the error privilege hierarchy
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "consumergroup=cg1->host=h1->action=create", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for the error privilege format, invalid key value.");
+ } catch (ConfigurationException e) {
+ // expected exception
+ } catch (Exception e) {
+ fail ("Unexpected exception received. " + e);
+ }
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
+ }
+ });
+ }
+
+ @Test
+ public void testNegativeCaseWithoutRequiredArgument() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String strOptionConf = "conf";
+ client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
+ // test: the conf is required argument
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
+ SentryShellKafka sentryShell = new SentryShellKafka();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
+
+ // test: -r is required when create role
+ args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -r is required when drop role
+ args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -r is required when add role to group
+ args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -g is required when add role to group
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
+
+ // test: -r is required when delete role from group
+ args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -g is required when delete role from group
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
+
+ // test: -r is required when grant privilege to role
+ args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -p is required when grant privilege to role
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
+
+ // test: action is required in privilege
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "host=*->topic=t1" };
+ sentryShell = new SentryShellKafka();
+ try {
+ getShellResultWithOSRedirect(sentryShell, args, false);
+ fail("Expected IllegalArgumentException");
+ } catch (ConfigurationException e) {
+ assert(("Kafka privilege must end with a valid action.\n" + KafkaPrivilegeValidator.KafkaPrivilegeHelpMsg).equals(e.getMessage()));
+ } catch (Exception e) {
+ fail ("Unexpected exception received. " + e);
+ }
+
+ // test: -r is required when revoke privilege from role
+ args = new String[] { "-rpr", "-p", "host=h1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -p is required when revoke privilege from role
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
+
+ // test: command option is required for shell
+ args = new String[] {"-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellKafka();
+ validateMissingParameterMsgsContains(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[",
+ "-arg Add role to group",
+ "-cr Create role",
+ "-rpr Revoke privilege from role",
+ "-drg Delete role from group",
+ "-lr List role",
+ "-lp List privilege",
+ "-gpr Grant privilege to role",
+ "-dr Drop role");
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
+ }
+ });
+ }
+
+ // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
+ private Set<String> getShellResultWithOSRedirect(SentryShellKafka sentryShell,
+ String[] args, boolean expectedExecuteResult) throws Exception {
+ PrintStream oldOut = System.out;
+ ByteArrayOutputStream outContent = new ByteArrayOutputStream();
+ System.setOut(new PrintStream(outContent));
+ assertEquals(expectedExecuteResult, sentryShell.executeShell(args));
+ Set<String> resultSet = Sets.newHashSet(outContent.toString().split("\n"));
+ System.setOut(oldOut);
+ return resultSet;
+ }
+
+ private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) {
+ if (expectedRoleNames != null && expectedRoleNames.length > 0) {
+ assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length,
+ expectedRoleNames.length, roleNames.size());
+ Set<String> lowerCaseRoles = new HashSet<String>();
+ for (String role : roleNames) {
+ lowerCaseRoles.add(role.toLowerCase());
+ }
+
+ for (String expectedRole : expectedRoleNames) {
+ assertTrue("Expected role: " + expectedRole,
+ lowerCaseRoles.contains(expectedRole.toLowerCase()));
+ }
+ }
+ }
+
+ private void validateMissingParameterMsg(SentryShellKafka sentryShell, String[] args,
+ String expectedErrorMsg) throws Exception {
+ Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
+ assertTrue("Expected error message: " + expectedErrorMsg, errorMsgs.contains(expectedErrorMsg));
+ }
+
+ private void validateMissingParameterMsgsContains(SentryShellKafka sentryShell, String[] args,
+ String ... expectedErrorMsgsContains) throws Exception {
+ Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
+ boolean foundAllMessages = false;
+ Iterator<String> it = errorMsgs.iterator();
+ while (it.hasNext()) {
+ String errorMessage = it.next();
+ boolean missingExpected = false;
+ for (String expectedContains : expectedErrorMsgsContains) {
+ if (!errorMessage.contains(expectedContains)) {
+ missingExpected = true;
+ break;
+ }
+ }
+ if (!missingExpected) {
+ foundAllMessages = true;
+ break;
+ }
+ }
+ assertTrue(foundAllMessages);
+ }
+}
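Review bot: In getShellResultWithOSRedirect, near the end of the hunk, `System.setOut(oldOut)` is only reached on the success path, so when executeShell throws or the assertEquals fails — which testNegativeCaseWithoutRequiredArgument deliberately provokes by expecting a ConfigurationException from the "action is required" case — System.out stays redirected into the discarded buffer for the rest of the JVM and the output of every later test is lost; restore it in a finally. prepareForTest has the same shape: the FileOutputStream is left open if conf.writeXml throws, and that file receives the full configuration in a directory from Guava's createTempDir, which does not tighten permissions, so java.nio.file.Files.createTempDirectory would be the safer choice should conf ever carry credentials. Separately, the check `assert((...).equals(e.getMessage()))` is a Java assert statement, silently skipped unless -ea is enabled — use `assertEquals("Kafka privilege must end with a valid action.\n" + KafkaPrivilegeValidator.KafkaPrivilegeHelpMsg, e.getMessage());` — and its preceding `fail("Expected IllegalArgumentException")` names a different exception than the ConfigurationException the catch expects.

```java
  @Before
  public void prepareForTest() throws Exception {
    confDir = Files.createTempDir();
    confPath = new File(confDir, "sentry-site.xml");
    if (confPath.createNewFile()) {
      try (FileOutputStream to = new FileOutputStream(confPath)) {
        conf.writeXml(to);
      }
    }
    // … unchanged: requestor/group mapping and writePolicyFile() …
  }

  // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
  private Set<String> getShellResultWithOSRedirect(SentryShellKafka sentryShell,
      String[] args, boolean expectedExecuteResult) throws Exception {
    PrintStream oldOut = System.out;
    ByteArrayOutputStream outContent = new ByteArrayOutputStream();
    System.setOut(new PrintStream(outContent));
    try {
      assertEquals(expectedExecuteResult, sentryShell.executeShell(args));
    } finally {
      // always restore stdout, even when executeShell throws or the assertion fails
      System.setOut(oldOut);
    }
    return Sets.newHashSet(outContent.toString().split("\n"));
  }
```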
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
new file mode 100644
index 0000000..d4e26e8
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
@@ -0,0 +1,525 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import com.google.common.io.Files;
+import com.google.common.collect.Sets;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.PrintStream;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.tools.SentryShellCommon;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
+ private File confDir;
+ private File confPath;
+ private static String TEST_ROLE_NAME_1 = "testRole1";
+ private static String TEST_ROLE_NAME_2 = "testRole2";
+ private String requestorName = "";
+ private String service = "service1";
+
+ @Before
+ public void prepareForTest() throws Exception {
+ confDir = Files.createTempDir();
+ confPath = new File(confDir, "sentry-site.xml");
+ if (confPath.createNewFile()) {
+ FileOutputStream to = new FileOutputStream(confPath);
+ conf.writeXml(to);
+ to.close();
+ }
+ requestorName = clientUgi.getShortUserName();//System.getProperty("user.name", "");
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorName, requestorUserGroupNames);
+ // add ADMIN_USER for the after() in SentryServiceIntegrationBase
+ setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
+ writePolicyFile();
+ }
+
+ @After
+ public void clearTestData() throws Exception {
+ FileUtils.deleteQuietly(confDir);
+ }
+
+ @Test
+ public void testCreateDropRole() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // test: create role with -cr
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+ // test: create role with --create_role
+ args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+
+ // validate the result, list roles with -lr
+ args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
+ SentryShellSolr sentryShell = new SentryShellSolr();
+ Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
+
+ // validate the result, list roles with --list_role
+ args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
+
+ // test: drop role with -dr
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+ // test: drop role with --drop_role
+ args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+
+ // validate the result
+ Set<TSentryRole> roles = client.listAllRoles(requestorName, SOLR);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ }
+ });
+ }
+
+ @Test
+ public void testAddDeleteRoleForGroup() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // Group names are case sensitive - mixed case names should work
+ String TEST_GROUP_1 = "testGroup1";
+ String TEST_GROUP_2 = "testGroup2";
+ String TEST_GROUP_3 = "testGroup3";
+
+ // create the role for test
+ client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
+ client.createRole(requestorName, TEST_ROLE_NAME_2, SOLR);
+ // test: add role to group with -arg
+ String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+ // test: add role to multiple groups
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+ // test: add role to group with --add_role_group
+ args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+
+ // validate the result list roles with -lr and -g
+ args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellSolr sentryShell = new SentryShellSolr();
+ Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
+
+ // list roles with --list_role and -g
+ args = new String[] { "--list_role", "-g", TEST_GROUP_2, "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1);
+
+ args = new String[] { "--list_role", "-g", TEST_GROUP_3, "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1);
+
+ // test: delete role from group with -drg
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+ // test: delete role to multiple groups
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+ // test: delete role from group with --delete_role_group
+ args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
+ "-conf", confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+
+ // validate the result
+ Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, TEST_GROUP_1, SOLR);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ roles = client.listRolesByGroupName(requestorName, TEST_GROUP_2, SOLR);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ roles = client.listRolesByGroupName(requestorName, TEST_GROUP_3, SOLR);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1, SOLR);
+ client.dropRole(requestorName, TEST_ROLE_NAME_2, SOLR);
+ }
+ });
+ }
+
+ @Test
+ public void testCaseSensitiveGroupName() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+
+ // create the role for test
+ client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
+ // add role to a group (lower case)
+ String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "group1", "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+
+ // validate the roles when group name is same case as above
+ args = new String[] { "-lr", "-g", "group1", "-conf", confPath.getAbsolutePath() };
+ SentryShellSolr sentryShell = new SentryShellSolr();
+ Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1);
+
+ // roles should be empty when group name is different case than above
+ args = new String[] { "-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath() };
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames);
+ }
+ });
+ }
+
+ public static String grant(boolean shortOption) {
+ return shortOption ? "-gpr" : "--grant_privilege_role";
+ }
+
+ public static String revoke(boolean shortOption) {
+ return shortOption ? "-rpr" : "--revoke_privilege_role";
+ }
+
+ public static String list(boolean shortOption) {
+ return shortOption ? "-lp" : "--list_privilege";
+ }
+
+ private void assertGrantRevokePrivilege(final boolean shortOption) throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // create the role for test
+ client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
+ client.createRole(requestorName, TEST_ROLE_NAME_2, SOLR);
+
+ String [] privs = {
+ "Collection=*->action=*",
+ "Collection=collection2->action=update",
+ "Collection=collection3->action=query",
+ };
+ for (int i = 0; i < privs.length; ++i) {
+ // test: grant privilege to role
+ String [] args = new String [] { grant(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
+ privs[ i ],
+ "-conf", confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+ }
+
+ // test the list privilege
+ String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellSolr sentryShell = new SentryShellSolr();
+ Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
+ assertEquals("Incorrect number of privileges", privs.length, privilegeStrs.size());
+ for (int i = 0; i < privs.length; ++i) {
+ assertTrue("Expected privilege: " + privs[ i ], privilegeStrs.contains(privs[ i ]));
+ }
+
+ for (int i = 0; i < privs.length; ++i) {
+ args = new String[] { revoke(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
+ privs[ i ], "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellSolr.main(args);
+ Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorName,
+ TEST_ROLE_NAME_1, SOLR, service);
+ assertEquals("Incorrect number of privileges", privs.length - (i + 1), privileges.size());
+ }
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1, SOLR);
+ client.dropRole(requestorName, TEST_ROLE_NAME_2, SOLR);
+ }
+ });
+ }
+
+
+ @Test
+ public void testGrantRevokePrivilegeWithShortOption() throws Exception {
+ assertGrantRevokePrivilege(true);
+ }
+
+ @Test
+ public void testGrantRevokePrivilegeWithLongOption() throws Exception {
+ assertGrantRevokePrivilege(false);
+ }
+
+
+ @Test
+ public void testNegativeCaseWithInvalidArgument() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
+ // test: create duplicate role with -cr
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellSolr sentryShell = new SentryShellSolr();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for creating duplicate role");
+ } catch (SentryUserException e) {
+ // expected exception
+ }
+
+ // test: drop non-exist role with -dr
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for dropping non-exist role");
+ } catch (SentryUserException e) {
+ // excepted exception
+ }
+
+ // test: add non-exist role to group with -arg
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for granting non-exist role to group");
+ } catch (SentryUserException e) {
+ // excepted exception
+ }
+
+ // test: drop group from non-exist role with -drg
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for drop group from non-exist role");
+ } catch (SentryUserException e) {
+ // excepted exception
+ }
+
+ // test: grant privilege to role with the error privilege format
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=*",
+ "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for the error privilege format, invalid key value.");
+ } catch (IllegalArgumentException e) {
+ // excepted exception
+ }
+
+ // test: grant privilege to role with the error privilege hierarchy
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->table=tbl1->column=col2->action=insert", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for the error privilege format, invalid key value.");
+ } catch (IllegalArgumentException e) {
+ // expected exception
+ }
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1, SOLR);
+ }
+ });
+ }
+
+ @Test
+ public void testNegativeCaseWithoutRequiredArgument() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String strOptionConf = "conf";
+ client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
+ // test: the conf is required argument
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
+ SentryShellSolr sentryShell = new SentryShellSolr();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
+
+ // test: -r is required when create role
+ args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -r is required when drop role
+ args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -r is required when add role to group
+ args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -g is required when add role to group
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
+
+ // test: -r is required when delete role from group
+ args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -g is required when delete role from group
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
+
+ // test: -r is required when grant privilege to role
+ args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -p is required when grant privilege to role
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
+
+ // test: action is required in privilege
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "collection=collection1" };
+ sentryShell = new SentryShellSolr();
+ try {
+ getShellResultWithOSRedirect(sentryShell, args, false);
+ fail("Expected IllegalArgumentException");
+ } catch (IllegalArgumentException e) {
+ assert("Privilege is invalid: action required but not specified.".equals(e.getMessage()));
+ }
+
+ // test: -r is required when revoke privilege from role
+ args = new String[] { "-rpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -p is required when revoke privilege from role
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
+
+ // test: command option is required for shell
+ args = new String[] {"-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellSolr();
+ validateMissingParameterMsgsContains(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[",
+ "-arg Add role to group",
+ "-cr Create role",
+ "-rpr Revoke privilege from role",
+ "-drg Delete role from group",
+ "-lr List role",
+ "-lp List privilege",
+ "-gpr Grant privilege to role",
+ "-dr Drop role");
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1, SOLR);
+ }
+ });
+ }
+
+ // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
+ private Set<String> getShellResultWithOSRedirect(SentryShellSolr sentryShell,
+ String[] args, boolean expectedExecuteResult) throws Exception {
+ PrintStream oldOut = System.out;
+ ByteArrayOutputStream outContent = new ByteArrayOutputStream();
+ System.setOut(new PrintStream(outContent));
+ assertEquals(expectedExecuteResult, sentryShell.executeShell(args));
+ Set<String> resultSet = Sets.newHashSet(outContent.toString().split("\n"));
+ System.setOut(oldOut);
+ return resultSet;
+ }
+
+ private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) {
+ if (expectedRoleNames != null && expectedRoleNames.length > 0) {
+ assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length,
+ expectedRoleNames.length, roleNames.size());
+ Set<String> lowerCaseRoles = new HashSet<String>();
+ for (String role : roleNames) {
+ lowerCaseRoles.add(role.toLowerCase());
+ }
+
+ for (String expectedRole : expectedRoleNames) {
+ assertTrue("Expected role: " + expectedRole,
+ lowerCaseRoles.contains(expectedRole.toLowerCase()));
+ }
+ }
+ }
+
+ private void validateMissingParameterMsg(SentryShellSolr sentryShell, String[] args,
+ String expectedErrorMsg) throws Exception {
+ Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
+ assertTrue("Expected error message: " + expectedErrorMsg, errorMsgs.contains(expectedErrorMsg));
+ }
+
+ private void validateMissingParameterMsgsContains(SentryShellSolr sentryShell, String[] args,
+ String ... expectedErrorMsgsContains) throws Exception {
+ Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
+ boolean foundAllMessages = false;
+ Iterator<String> it = errorMsgs.iterator();
+ while (it.hasNext()) {
+ String errorMessage = it.next();
+ boolean missingExpected = false;
+ for (String expectedContains : expectedErrorMsgsContains) {
+ if (!errorMessage.contains(expectedContains)) {
+ missingExpected = true;
+ break;
+ }
+ }
+ if (!missingExpected) {
+ foundAllMessages = true;
+ break;
+ }
+ }
+ assertTrue(foundAllMessages);
+ }
+}
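Review bot: `getShellResultWithOSRedirect` (near the end of the hunk) restores `System.out` only on the success path, so when `executeShell` throws — which `testNegativeCaseWithoutRequiredArgument` relies on for the `collection=collection1` case — or when the `assertEquals` on the return value fails, stdout stays redirected into the buffer for every later test in the JVM and their output silently disappears. Wrap the call in try/finally as below; if the Kafka shell test's helper at the top of this file has the same shape, it needs the same change. In that same negative test, `assert("Privilege is invalid: action required but not specified.".equals(e.getMessage()));` is a plain Java `assert`, a no-op unless the JVM runs with `-ea`; use `assertEquals("Privilege is invalid: action required but not specified.", e.getMessage());` so the message is actually checked. `prepareForTest` likewise leaks the `FileOutputStream` if `conf.writeXml` throws; a try-with-resources or finally around `to.close()` fixes it.
```java
  private Set<String> getShellResultWithOSRedirect(SentryShellSolr sentryShell,
      String[] args, boolean expectedExecuteResult) throws Exception {
    PrintStream oldOut = System.out;
    ByteArrayOutputStream outContent = new ByteArrayOutputStream();
    System.setOut(new PrintStream(outContent));
    try {
      assertEquals(expectedExecuteResult, sentryShell.executeShell(args));
    } finally {
      // restore stdout even when executeShell throws, so later tests are not silenced
      System.setOut(oldOut);
    }
    return Sets.newHashSet(outContent.toString().split("\n"));
  }
```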
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java
new file mode 100644
index 0000000..50785fd
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/appender/TestRollingFileWithoutDeleteAppender.java
@@ -0,0 +1,103 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.appender;
+
+import java.io.File;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.log4j.Logger;
+import org.apache.log4j.PatternLayout;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.io.Files;
+
+public class TestRollingFileWithoutDeleteAppender {
+ private Logger sentryLogger = Logger.getRootLogger();
+ private File dataDir;
+
+ @Before
+ public void init() {
+ dataDir = Files.createTempDir();
+ }
+
+ @Test
+ public void testRollOver() throws Throwable {
+ if (dataDir == null) {
+ Assert.fail("Excepted temp folder for audit log is created.");
+ }
+ RollingFileWithoutDeleteAppender appender = new RollingFileWithoutDeleteAppender(
+ new PatternLayout("%m%n"), dataDir.getPath() + "/auditLog.log");
+ appender.setMaximumFileSize(100);
+ sentryLogger.addAppender(appender);
+ // Write exactly 10 bytes with each log
+ for (int i = 0; i < 99; i++) {
+ if (i < 10) {
+ sentryLogger.debug("Hello---" + i);
+ } else if (i < 100) {
+ sentryLogger.debug("Hello--" + i);
+ }
+ }
+
+ if (dataDir != null) {
+ File[] files = dataDir.listFiles();
+ if (files != null) {
+ Assert.assertEquals(files.length, 10);
+ } else {
+ Assert.fail("Excepted 10 log files.");
+ }
+ } else {
+ Assert.fail("Excepted 10 log files.");
+ }
+
+ }
+
+ /***
+ * Generate log enough to cause a single rollover. Verify the file name format
+ * @throws Throwable
+ */
+ @Test
+ public void testFileNamePattern() throws Throwable {
+ if (dataDir == null) {
+ Assert.fail("Excepted temp folder for audit log is created.");
+ }
+ RollingFileWithoutDeleteAppender appender = new RollingFileWithoutDeleteAppender(
+ new PatternLayout("%m%n"), dataDir.getPath() + "/auditLog.log");
+ appender.setMaximumFileSize(10);
+ sentryLogger.addAppender(appender);
+ sentryLogger.debug("123456789012345");
+ File[] files = dataDir.listFiles();
+ if (files != null) {
+ Assert.assertEquals(files.length, 2);
+ Assert.assertTrue(files[0].getName().contains("auditLog.log."));
+ Assert.assertTrue(files[1].getName().contains("auditLog.log."));
+ } else {
+ Assert.fail("Excepted 2 log files.");
+ }
+ }
+
+ @After
+ public void destroy() {
+ if (dataDir != null) {
+ FileUtils.deleteQuietly(dataDir);
+ }
+ }
+}
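Review bot: Both tests attach a fresh `RollingFileWithoutDeleteAppender` to the root logger but nothing ever detaches it, so after `testRollOver` the appender with `setMaximumFileSize(100)` is still on the root logger while `testFileNamePattern` runs (and vice versa), writing into the already-deleted `dataDir` of the previous test and making the asserted file counts depend on execution order. Keep the appender in a field and in `destroy()` call `sentryLogger.removeAppender(appender); appender.close();` before `FileUtils.deleteQuietly(dataDir)`. The assertions also presume the root logger's level admits DEBUG, which the test never sets itself; if the surrounding log4j configuration is at INFO both tests see zero files, so `sentryLogger.setLevel(Level.DEBUG)` in `init()` would make the test self-contained. Minor: `Assert.assertEquals(files.length, 10)` has expected and actual swapped, and the failure messages read "Excepted" where "Expected" is meant.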
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestDbAuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestDbAuditMetadataLogEntity.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestDbAuditMetadataLogEntity.java
new file mode 100644
index 0000000..3d15b4f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestDbAuditMetadataLogEntity.java
@@ -0,0 +1,67 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.codehaus.jackson.JsonNode;
+import org.codehaus.jackson.node.ContainerNode;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestDbAuditMetadataLogEntity {
+
+ @Test
+ public void testToJsonFormatLog() throws Throwable {
+ DBAuditMetadataLogEntity amle = new DBAuditMetadataLogEntity("serviceName", "userName",
+ "impersonator", "ipAddress", "operation", "eventTime", "operationText", "allowed",
+ "objectType", "component", "databaseName", "tableName", "columnName", "resourcePath");
+ String jsonAuditLog = amle.toJsonFormatLog();
+ ContainerNode rootNode = AuditMetadataLogEntity.parse(jsonAuditLog);
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_SERVICE_NAME, "serviceName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_USER_NAME, "userName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_IMPERSONATOR,
+ "impersonator");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_IP_ADDRESS, "ipAddress");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION, "operation");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_EVENT_TIME, "eventTime");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION_TEXT,
+ "operationText");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_ALLOWED, "allowed");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_DATABASE_NAME,
+ "databaseName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_TABLE_NAME, "tableName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_COLUMN_NAME, "columnName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_RESOURCE_PATH,
+ "resourcePath");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OBJECT_TYPE, "objectType");
+ }
+
+ void assertEntryEquals(ContainerNode rootNode, String key, String value) {
+ JsonNode node = assertNodeContains(rootNode, key);
+ Assert.assertEquals(value, node.getTextValue());
+ }
+
+ private JsonNode assertNodeContains(ContainerNode rootNode, String key) {
+ JsonNode node = rootNode.get(key);
+ if (node == null) {
+ Assert.fail("No entry of name \"" + key + "\" found in " + rootNode.toString());
+ }
+ return node;
+ }
+}
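Review bot: The entity is constructed with `"component"` but, unlike the GM test in the next hunk, `Constants.LOG_FIELD_COMPONENT` is never asserted, so a regression that drops the component field from the DB audit record would pass; if `DBAuditMetadataLogEntity` serializes it, add `assertEntryEquals(rootNode, Constants.LOG_FIELD_COMPONENT, "component");`. Every fixture value here is a plain identifier, so the test says nothing about what happens when a field such as `operationText` — presumably taken from the request being audited — holds a double quote or newline; one fixture containing `"` and `\n` would confirm the JSON stays well-formed and an audit line cannot be split into two records. `assertEntryEquals`/`assertNodeContains` are duplicated verbatim in TestGMAuditMetadataLogEntity (next hunk); a shared helper would keep the two in step, and `assertEntryEquals` should be `private` like its sibling.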
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestGMAuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestGMAuditMetadataLogEntity.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestGMAuditMetadataLogEntity.java
new file mode 100644
index 0000000..62b46f6
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestGMAuditMetadataLogEntity.java
@@ -0,0 +1,72 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.codehaus.jackson.JsonNode;
+import org.codehaus.jackson.node.ContainerNode;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class TestGMAuditMetadataLogEntity {
+ @Test
+ public void testToJsonFormatLog() throws Throwable {
+
+ Map<String, String> privilegesMap = new HashMap<String, String>();
+ privilegesMap.put("resourceType1", "resourceName1");
+ privilegesMap.put("resourceType2", "resourceName2");
+ privilegesMap.put("resourceType3", "resourceName3");
+ privilegesMap.put("resourceType4", "resourceName4");
+ GMAuditMetadataLogEntity gmamle = new GMAuditMetadataLogEntity("serviceName", "userName",
+ "impersonator", "ipAddress", "operation", "eventTime", "operationText", "allowed",
+ "objectType", "component", privilegesMap);
+ String jsonAuditLog = gmamle.toJsonFormatLog();
+ ContainerNode rootNode = AuditMetadataLogEntity.parse(jsonAuditLog);
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_SERVICE_NAME, "serviceName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_USER_NAME, "userName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_IMPERSONATOR, "impersonator");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_IP_ADDRESS, "ipAddress");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION, "operation");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_EVENT_TIME, "eventTime");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION_TEXT, "operationText");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_ALLOWED, "allowed");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OBJECT_TYPE, "objectType");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_COMPONENT, "component");
+ assertEntryEquals(rootNode, "resourceType1", "resourceName1");
+ assertEntryEquals(rootNode, "resourceType2", "resourceName2");
+ assertEntryEquals(rootNode, "resourceType3", "resourceName3");
+ assertEntryEquals(rootNode, "resourceType4", "resourceName4");
+ }
+
+ void assertEntryEquals(ContainerNode rootNode, String key, String value) {
+ JsonNode node = assertNodeContains(rootNode, key);
+ Assert.assertEquals(value, node.getTextValue());
+ }
+
+ private JsonNode assertNodeContains(ContainerNode rootNode, String key) {
+ JsonNode node = rootNode.get(key);
+ if (node == null) {
+ Assert.fail("No entry of name \"" + key + "\" found in " + rootNode.toString());
+ }
+ return node;
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
new file mode 100644
index 0000000..bf206ea
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
@@ -0,0 +1,272 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import static org.junit.Assert.assertEquals;
+
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeResponse;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.Status;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestJsonLogEntityFactory {
+
+ private static Configuration conf;
+
+ private static String TEST_IP = "localhost/127.0.0.1";
+ private static String TEST_IMPERSONATOR = "impersonator";
+ private static String TEST_ROLE_NAME = "testRole";
+ private static String TEST_USER_NAME = "requestUser";
+ private static String TEST_DATABASE_NAME = "testDB";
+ private static String TEST_TABLE_NAME = "testTable";
+ private static String TEST_GROUP = "testGroup";
+
+ @BeforeClass
+ public static void init() {
+ conf = new Configuration();
+ conf.set(ServerConfig.SENTRY_SERVICE_NAME,
+ ServerConfig.SENTRY_SERVICE_NAME_DEFAULT);
+ ThriftUtil.setIpAddress(TEST_IP);
+ ThriftUtil.setImpersonator(TEST_IMPERSONATOR);
+ }
+
+ @Test
+ public void testCreateRole() {
+ TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+ TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ response.setStatus(Status.OK());
+ DBAuditMetadataLogEntity amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_CREATE_ROLE,
+ "CREATE ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_CREATE_ROLE,
+ "CREATE ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
+ }
+
+ @Test
+ public void testDropRole() {
+ TDropSentryRoleRequest request = new TDropSentryRoleRequest();
+ TDropSentryRoleResponse response = new TDropSentryRoleResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ response.setStatus(Status.OK());
+ DBAuditMetadataLogEntity amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_DROP_ROLE,
+ "DROP ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_DROP_ROLE,
+ "DROP ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
+ }
+
+ @Test
+ public void testGrantRole() {
+ TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+
+ TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
+ PrivilegeScope.DATABASE.name(), TEST_DATABASE_NAME, null, null, null);
+ Set<TSentryPrivilege> privileges = Sets.newHashSet();
+ privileges.add(privilege);
+ request.setPrivileges(privileges);
+ response.setStatus(Status.OK());
+ DBAuditMetadataLogEntity amle = new DBAuditMetadataLogEntity();
+ Set<JsonLogEntity> amles = JsonLogEntityFactory
+ .getInstance().createJsonLogEntitys(request, response, conf);
+ assertEquals(amles.size(), 1);
+ amle = (DBAuditMetadataLogEntity) amles.iterator().next();
+
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_GRANT_PRIVILEGE,
+ "GRANT ALL ON DATABASE testDB TO ROLE testRole", TEST_DATABASE_NAME,
+ null, null, Constants.OBJECT_TYPE_PRINCIPAL);
+
+ privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(),
+ null, TEST_TABLE_NAME, null, null);
+ privileges = Sets.newHashSet();
+ privileges.add(privilege);
+ request.setPrivileges(privileges);
+ response.setStatus(Status.InvalidInput("", null));
+ amles = JsonLogEntityFactory.getInstance()
+ .createJsonLogEntitys(request, response, conf);
+ assertEquals(amles.size(), 1);
+ amle = (DBAuditMetadataLogEntity) amles.iterator().next();
+
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_GRANT_PRIVILEGE,
+ "GRANT ALL ON TABLE testTable TO ROLE testRole", null, TEST_TABLE_NAME,
+ null, Constants.OBJECT_TYPE_PRINCIPAL);
+ }
+
+ @Test
+ public void testRevokeRole() {
+ TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
+ PrivilegeScope.DATABASE.name(), TEST_DATABASE_NAME, null, null, null);
+ Set<TSentryPrivilege> privileges = Sets.newHashSet();
+ privileges.add(privilege);
+ request.setPrivileges(privileges);
+ response.setStatus(Status.OK());
+ DBAuditMetadataLogEntity amle = new DBAuditMetadataLogEntity();
+ Set<JsonLogEntity> amles = JsonLogEntityFactory
+ .getInstance().createJsonLogEntitys(request, response, conf);
+ assertEquals(amles.size(), 1);
+ amle = (DBAuditMetadataLogEntity) amles.iterator().next();
+
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_REVOKE_PRIVILEGE,
+ "REVOKE ALL ON DATABASE testDB FROM ROLE testRole", TEST_DATABASE_NAME,
+ null, null, Constants.OBJECT_TYPE_PRINCIPAL);
+
+ privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(),
+ null, TEST_TABLE_NAME, null, null);
+ privileges = Sets.newHashSet();
+ privileges.add(privilege);
+ request.setPrivileges(privileges);
+ response.setStatus(Status.InvalidInput("", null));
+ amles = JsonLogEntityFactory.getInstance()
+ .createJsonLogEntitys(request, response, conf);
+ assertEquals(amles.size(), 1);
+ amle = (DBAuditMetadataLogEntity) amles.iterator().next();
+
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_REVOKE_PRIVILEGE,
+ "REVOKE ALL ON TABLE testTable FROM ROLE testRole", null,
+ TEST_TABLE_NAME, null, Constants.OBJECT_TYPE_PRINCIPAL);
+ }
+
+ @Test
+ public void testAddRole() {
+ TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+ TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ request.setGroups(getGroups());
+ response.setStatus(Status.OK());
+ DBAuditMetadataLogEntity amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_ADD_ROLE,
+ "GRANT ROLE testRole TO GROUP testGroup", null, null, null,
+ Constants.OBJECT_TYPE_ROLE);
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_ADD_ROLE,
+ "GRANT ROLE testRole TO GROUP testGroup", null, null, null,
+ Constants.OBJECT_TYPE_ROLE);
+ }
+
+ @Test
+ public void testDeleteRole() {
+ TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+ TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ request.setGroups(getGroups());
+ response.setStatus(Status.OK());
+ DBAuditMetadataLogEntity amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_DELETE_ROLE,
+ "REVOKE ROLE testRole FROM GROUP testGroup", null, null, null,
+ Constants.OBJECT_TYPE_ROLE);
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (DBAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_DELETE_ROLE,
+ "REVOKE ROLE testRole FROM GROUP testGroup", null, null, null,
+ Constants.OBJECT_TYPE_ROLE);
+ }
+
+ private void assertCommon(DBAuditMetadataLogEntity amle,
+ String allowedExcepted, String operationExcepted,
+ String operationTextExcepted, String databaseNameExcepted,
+ String tableNameExcepted, String resourcePathExcepted,
+ String objectTypeExcepted) {
+ assertEquals(ServerConfig.SENTRY_SERVICE_NAME_DEFAULT,
+ amle.getServiceName());
+ assertEquals(TEST_IP, amle.getIpAddress());
+ assertEquals(TEST_USER_NAME, amle.getUserName());
+ assertEquals(TEST_IMPERSONATOR, amle.getImpersonator());
+ assertEquals(allowedExcepted, amle.getAllowed());
+ assertEquals(operationExcepted, amle.getOperation());
+ assertEquals(operationTextExcepted, amle.getOperationText());
+ assertEquals(tableNameExcepted, amle.getTableName());
+ assertEquals(databaseNameExcepted, amle.getDatabaseName());
+ assertEquals(resourcePathExcepted, amle.getResourcePath());
+ assertEquals(objectTypeExcepted, amle.getObjectType());
+ }
+
+ private TSentryPrivilege getPrivilege(String action, String privilegeScope,
+ String dbName, String tableName, String serverName, String URI) {
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setAction(action);
+ privilege.setPrivilegeScope(privilegeScope);
+ privilege.setDbName(dbName);
+ privilege.setTableName(tableName);
+ privilege.setServerName(serverName);
+ privilege.setURI(URI);
+ return privilege;
+ }
+
+ private Set<TSentryGroup> getGroups() {
+ Set<TSentryGroup> groups = new LinkedHashSet<TSentryGroup>();
+ TSentryGroup group = new TSentryGroup();
+ group.setGroupName(TEST_GROUP);
+ groups.add(group);
+ return groups;
+ }
+}
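Review bot: The four `assertEquals(amles.size(), 1)` calls in testGrantRole and testRevokeRole pass the arguments in (actual, expected) order, so a failure reports "expected:<N> but was:<1>", which is backwards; they should read `assertEquals(1, amles.size());`. In the same two methods `DBAuditMetadataLogEntity amle = new DBAuditMetadataLogEntity();` allocates an entity that is immediately overwritten by the cast from `amles.iterator().next()`, so the declaration can be `DBAuditMetadataLogEntity amle;`. The `TEST_*` strings are `private static` but not `final`, and the helper parameters are spelled `...Excepted` where `...Expected` is meant; both are worth fixing since this file is the reference for what an audit record must contain (user, impersonator, IP, allowed flag, operation text). The "not allowed" branches all use `Status.InvalidInput`; if `Status` offers an access-denied status, a case for it would pin the audit path that actually records rejected authorization attempts.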
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactoryGM.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactoryGM.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactoryGM.java
new file mode 100644
index 0000000..dfae5ab
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactoryGM.java
@@ -0,0 +1,259 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import static org.junit.Assert.assertEquals;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsResponse;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsResponse;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeResponse;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeResponse;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
+import org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleResponse;
+import org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest;
+import org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleResponse;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.Status;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestJsonLogEntityFactoryGM {
+
+ private static Configuration conf;
+ private static String TEST_IP = "localhost/127.0.0.1";
+ private static String TEST_IMPERSONATOR = "impersonator";
+ private static String TEST_ROLE_NAME = "testRole";
+ private static String TEST_USER_NAME = "requestUser";
+ private static String TEST_GROUP = "testGroup";
+ private static String TEST_ACTION = "action";
+ private static String TEST_COMPONENT = "component";
+ private static Map<String, String> TEST_PRIVILEGES_MAP = new HashMap<String, String>();
+
+ @BeforeClass
+ public static void init() {
+ conf = new Configuration();
+ conf.set(ServerConfig.SENTRY_SERVICE_NAME, ServerConfig.SENTRY_SERVICE_NAME_DEFAULT);
+ ThriftUtil.setIpAddress(TEST_IP);
+ ThriftUtil.setImpersonator(TEST_IMPERSONATOR);
+ TEST_PRIVILEGES_MAP.put("resourceType1", "resourceName1");
+ TEST_PRIVILEGES_MAP.put("resourceType2", "resourceName2");
+ TEST_PRIVILEGES_MAP.put("resourceType3", "resourceName3");
+ }
+
+ @Test
+ public void testCreateRole() {
+ TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+ TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ response.setStatus(Status.OK());
+ GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_CREATE_ROLE, "CREATE ROLE testRole",
+ Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_CREATE_ROLE, "CREATE ROLE testRole",
+ Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
+ }
+
+ @Test
+ public void testDropRole() {
+ TDropSentryRoleRequest request = new TDropSentryRoleRequest();
+ TDropSentryRoleResponse response = new TDropSentryRoleResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ response.setStatus(Status.OK());
+ GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_DROP_ROLE, "DROP ROLE testRole",
+ Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_DROP_ROLE, "DROP ROLE testRole",
+ Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
+ }
+
+ @Test
+ public void testGrantRole() {
+ TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+
+ TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
+
+ TSentryPrivilege privilege = getPrivilege();
+ request.setPrivilege(privilege);
+ response.setStatus(Status.OK());
+ GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(
+ request, response, conf);
+ assertCommon(
+ amle,
+ Constants.TRUE,
+ Constants.OPERATION_GRANT_PRIVILEGE,
+ "GRANT ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 resourceType3 resourceName3 TO ROLE testRole",
+ Constants.OBJECT_TYPE_PRINCIPAL, TEST_PRIVILEGES_MAP);
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf);
+ assertCommon(
+ amle,
+ Constants.FALSE,
+ Constants.OPERATION_GRANT_PRIVILEGE,
+ "GRANT ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 resourceType3 resourceName3 TO ROLE testRole",
+ Constants.OBJECT_TYPE_PRINCIPAL, TEST_PRIVILEGES_MAP);
+ }
+
+ @Test
+ public void testRevokeRole() {
+ TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+
+ TSentryPrivilege privilege = getPrivilege();
+ request.setPrivilege(privilege);
+ response.setStatus(Status.OK());
+ GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(
+ amle,
+ Constants.TRUE,
+ Constants.OPERATION_REVOKE_PRIVILEGE,
+ "REVOKE ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 resourceType3 resourceName3 FROM ROLE testRole",
+ Constants.OBJECT_TYPE_PRINCIPAL, TEST_PRIVILEGES_MAP);
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf);
+
+ assertCommon(
+ amle,
+ Constants.FALSE,
+ Constants.OPERATION_REVOKE_PRIVILEGE,
+ "REVOKE ACTION ON resourceType1 resourceName1 resourceType2 resourceName2 resourceType3 resourceName3 FROM ROLE testRole",
+ Constants.OBJECT_TYPE_PRINCIPAL, TEST_PRIVILEGES_MAP);
+ }
+
+ @Test
+ public void testAddRole() {
+ TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+ TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ request.setGroups(getGroups());
+ response.setStatus(Status.OK());
+ GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_ADD_ROLE,
+ "GRANT ROLE testRole TO GROUP testGroup", Constants.OBJECT_TYPE_ROLE,
+ new HashMap<String, String>());
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_ADD_ROLE,
+ "GRANT ROLE testRole TO GROUP testGroup", Constants.OBJECT_TYPE_ROLE,
+ new HashMap<String, String>());
+ }
+
+ @Test
+ public void testDeleteRole() {
+ TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+ TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ request.setGroups(getGroups());
+ response.setStatus(Status.OK());
+ GMAuditMetadataLogEntity amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_DELETE_ROLE,
+ "REVOKE ROLE testRole FROM GROUP testGroup", Constants.OBJECT_TYPE_ROLE,
+ new HashMap<String, String>());
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_DELETE_ROLE,
+ "REVOKE ROLE testRole FROM GROUP testGroup", Constants.OBJECT_TYPE_ROLE,
+ new HashMap<String, String>());
+ }
+
+ private void assertCommon(GMAuditMetadataLogEntity amle, String allowedExcepted,
+ String operationExcepted, String operationTextExcepted, String objectTypeExcepted,
+ Map<String, String> privilegesExcepted) {
+ assertEquals(ServerConfig.SENTRY_SERVICE_NAME_DEFAULT, amle.getServiceName());
+ assertEquals(TEST_IP, amle.getIpAddress());
+ assertEquals(TEST_USER_NAME, amle.getUserName());
+ assertEquals(TEST_IMPERSONATOR, amle.getImpersonator());
+ assertEquals(allowedExcepted, amle.getAllowed());
+ assertEquals(operationExcepted, amle.getOperation());
+ assertEquals(operationTextExcepted, amle.getOperationText());
+ assertEquals(objectTypeExcepted, amle.getObjectType());
+ assertPrivilegesMap(privilegesExcepted, amle.getPrivilegesMap());
+ }
+
+ private void assertPrivilegesMap(Map<String, String> privilegesExcepted,
+ Map<String, String> privilegesActual) {
+ assertEquals(privilegesExcepted.size(), privilegesActual.size());
+ for (Map.Entry<String, String> privilege : privilegesExcepted.entrySet()) {
+ assertEquals(privilege.getValue(), privilegesActual.get(privilege.getKey()));
+ }
+ }
+
+ private TSentryPrivilege getPrivilege() {
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setAction(TEST_ACTION);
+ privilege.setComponent(TEST_COMPONENT);
+ List<TAuthorizable> authorizables = new ArrayList<TAuthorizable>();
+ authorizables.add(new TAuthorizable("resourceType1", "resourceName1"));
+ authorizables.add(new TAuthorizable("resourceType2", "resourceName2"));
+ authorizables.add(new TAuthorizable("resourceType3", "resourceName3"));
+ privilege.setAuthorizables(authorizables);
+ return privilege;
+ }
+
+ private Set<String> getGroups() {
+ Set<String> groups = new HashSet<String>();
+ groups.add(TEST_GROUP);
+ return groups;
+ }
+}
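Review bot: `assertPrivilegesMap` hand-rolls what `Map.equals` already provides; replacing the call in assertCommon with `assertEquals(privilegesExcepted, amle.getPrivilegesMap());` and deleting the helper yields a failure message that shows both whole maps instead of the first mismatching entry. `TEST_PRIVILEGES_MAP` is a shared mutable `HashMap` filled in `@BeforeClass` and then handed to every assertion as the expected value; declaring it `private static final` and wrapping it with `Collections.unmodifiableMap` (or building it once) guards against a test accidentally mutating its own oracle. As in TestJsonLogEntityFactory, the other `TEST_*` fields should be `final` and the `...Excepted` parameter names read as a typo for `...Expected`. The expected operation text at L26825 depends on authorizable order, which is deterministic here only because `getPrivilege` uses a `List`; a one-line comment on `getPrivilege` saying the order is significant for the audit text would prevent someone swapping in a `Set`.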
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
new file mode 100644
index 0000000..d1a88b0
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
@@ -0,0 +1,1164 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.service.model.MSentryGroup;
+import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+import org.apache.sentry.provider.db.service.model.MSentryUser;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryMappingData;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.core.common.utils.PolicyFile;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSentryStoreImportExport {
+
+ private static File dataDir;
+ private static SentryStore sentryStore;
+ private static String[] adminGroups = { "adminGroup1" };
+ private static PolicyFile policyFile;
+ private static File policyFilePath;
+ private TSentryPrivilege tSentryPrivilege1;
+ private TSentryPrivilege tSentryPrivilege2;
+ private TSentryPrivilege tSentryPrivilege3;
+ private TSentryPrivilege tSentryPrivilege4;
+ private TSentryPrivilege tSentryPrivilege5;
+ private TSentryPrivilege tSentryPrivilege6;
+ private TSentryPrivilege tSentryPrivilege7;
+ private TSentryPrivilege tSentryPrivilege8;
+ private TSentryPrivilege tSentryPrivilege9;
+
+ @BeforeClass
+ public static void setupEnv() throws Exception {
+ dataDir = new File(Files.createTempDir(), "sentry_policy_db");
+ Configuration conf = new Configuration(false);
+ conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName=" + dataDir.getPath()
+ + ";create=true");
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "sentry");
+ conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups);
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
+ policyFilePath = new File(dataDir, "local_policy_file.ini");
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE, policyFilePath.getPath());
+ policyFile = new PolicyFile();
+ sentryStore = new SentryStore(conf);
+
+ String adminUser = "g1";
+ addGroupsToUser(adminUser, adminGroups);
+ writePolicyFile();
+ }
+
+ @Before
+ public void setupPrivilege() {
+ preparePrivilege();
+ }
+
+ @After
+ public void clearStore() {
+ sentryStore.clearAllTables();
+ }
+
+ // create the privileges instance for test case:
+ // privilege1=[server=server1]
+ // privilege2=[server=server1, action=select, grantOption=false]
+ // privilege3=[server=server1, db=db2, action=insert, grantOption=true]
+ // privilege4=[server=server1, db=db1, table=tbl1, action=insert, grantOption=false]
+ // privilege5=[server=server1, db=db1, table=tbl2, column=col1, action=insert, grantOption=false]
+ // privilege6=[server=server1, db=db1, table=tbl3, column=col1, action=*, grantOption=true]
+ // privilege7=[server=server1, db=db1, table=tbl4, column=col1, action=all, grantOption=true]
+ // privilege8=[server=server1, uri=hdfs://testserver:9999/path1, action=insert, grantOption=false]
+ // privilege9=[server=server1, db=db2, table=tbl1, action=insert, grantOption=false]
+ private void preparePrivilege() {
+ tSentryPrivilege1 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "",
+ "", "", TSentryGrantOption.UNSET);
+ tSentryPrivilege2 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "",
+ "", AccessConstants.SELECT, TSentryGrantOption.FALSE);
+ tSentryPrivilege3 = createTSentryPrivilege(PrivilegeScope.DATABASE.name(), "server1", "db2",
+ "", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE);
+ tSentryPrivilege4 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db1",
+ "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ tSentryPrivilege5 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1",
+ "tbl2", "col1", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ tSentryPrivilege6 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1",
+ "tbl3", "col1", "", AccessConstants.ALL, TSentryGrantOption.TRUE);
+ tSentryPrivilege7 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1",
+ "tbl4", "col1", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE);
+ tSentryPrivilege8 = createTSentryPrivilege(PrivilegeScope.URI.name(), "server1", "", "", "",
+ "hdfs://testserver:9999/path1", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ tSentryPrivilege9 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db2",
+ "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ }
+
+ @AfterClass
+ public static void teardown() {
+ if (sentryStore != null) {
+ sentryStore.stop();
+ }
+ if (dataDir != null) {
+ FileUtils.deleteQuietly(dataDir);
+ }
+ }
+
+ protected static void addGroupsToUser(String user, String... groupNames) {
+ policyFile.addGroupsToUser(user, groupNames);
+ }
+
+ protected static void writePolicyFile() throws Exception {
+ policyFile.write(policyFilePath);
+ }
+
+ // Befor import, database is empty.
+ // The following information is imported:
+ // group1=role1,role2,role3
+ // group2=role1,role2,role3
+ // group3=role1,role2,role3
+ // role1=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
+ // role2=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
+ // role3=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getPrivilegesList are tested.
+ @Test
+ public void testImportExportPolicy1() throws Exception {
+ TSentryMappingData tSentryMappingData = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
+ sentryGroupRolesMap.put("group1", Sets.newHashSet("Role1", "role2", "role3"));
+ sentryGroupRolesMap.put("group2", Sets.newHashSet("Role1", "role2", "role3"));
+ sentryGroupRolesMap.put("group3", Sets.newHashSet("Role1", "role2", "role3"));
+ sentryRolePrivilegesMap.put("Role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ sentryRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ sentryRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap);
+ tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
+ sentryStore.importSentryMetaData(tSentryMappingData, false);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // call import twice, and there has no duplicate data:
+ // The data for 1st import:
+ // group1=role1
+ // role1=privilege1,privilege2,privilege3,privilege4
+ // The data for 2nd import:
+ // group2=role2,role3
+ // group3=role2,role3
+ // role2=privilege5,privilege6,privilege7,privilege8
+ // role3=privilege5,privilege6,privilege7,privilege8
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getPrivilegesList are tested.
+ @Test
+ public void testImportExportPolicy2() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1"));
+ sentryRolePrivilegesMap1
+ .put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, tSentryPrivilege3,
+ tSentryPrivilege4));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ sentryStore.importSentryMetaData(tSentryMappingData1, false);
+
+ TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
+ sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ sentryRolePrivilegesMap2
+ .put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
+ tSentryPrivilege8));
+ sentryRolePrivilegesMap2
+ .put("role3", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
+ tSentryPrivilege8));
+ tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
+ tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
+ sentryStore.importSentryMetaData(tSentryMappingData2, false);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap
+ .put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, tSentryPrivilege3,
+ tSentryPrivilege4));
+ exceptedRolePrivilegesMap
+ .put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
+ tSentryPrivilege8));
+ exceptedRolePrivilegesMap
+ .put("role3", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
+ tSentryPrivilege8));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // call import twice, and there has data overlap:
+ // The data for 1st import:
+ // group1=role1, role2
+ // group2=role1, role2
+ // group3=role1, role2
+ // role1=privilege1,privilege2,privilege3,privilege4,privilege5
+ // role2=privilege1,privilege2,privilege3,privilege4,privilege5
+ // The data for 2nd import:
+ // group1=role2,role3
+ // group2=role2,role3
+ // group3=role2,role3
+ // role2=privilege4,privilege5,privilege6,privilege7,privilege8
+ // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getPrivilegesList are tested.
+ @Test
+ public void testImportExportPolicy3() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
+ sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
+ sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ sentryStore.importSentryMetaData(tSentryMappingData1, false);
+
+ TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
+ sentryGroupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
+ tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
+ sentryStore.importSentryMetaData(tSentryMappingData2, false);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // call import twice, and there has one role without group.
+ // The data for 1st import:
+ // group1=role1, role2
+ // role1=privilege1,privilege2
+ // role2=privilege3,privilege4
+ // The data for 2nd import:
+ // group2=role2
+ // role2=privilege5,privilege6
+ // role3=privilege7,privilege8
+ // role3 is without group, will be imported also
+ @Test
+ public void testImportExportPolicy4() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2));
+ sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege4));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ sentryStore.importSentryMetaData(tSentryMappingData1, false);
+
+ TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
+ sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2"));
+ sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6));
+ sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege7, tSentryPrivilege8));
+ tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
+ tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
+ sentryStore.importSentryMetaData(tSentryMappingData2, false);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2));
+ exceptedRolePrivilegesMap
+ .put("role2", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege7, tSentryPrivilege8));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // test for import mapping data for [group,role] only:
+ // group1=role1, role2
+ @Test
+ public void testImportExportPolicy5() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ sentryStore.importSentryMetaData(tSentryMappingData1, false);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1"));
+
+ // test the result data for the privilege
+ assertTrue(privilegesList.isEmpty());
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ assertTrue(actualRolePrivilegesMap.isEmpty());
+ }
+
+ // test for filter the orphaned group:
+ // group1=role1, role2
+ // group2=role2
+ @Test
+ public void testImportExportPolicy6() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap1.put("group2", Sets.newHashSet("role2"));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ sentryStore.importSentryMetaData(tSentryMappingData1, false);
+
+ // drop the role2, the group2 is orphaned group
+ sentryStore.dropSentryRole("role2");
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2"));
+
+ // test the result data for the privilege
+ assertTrue(privilegesList.isEmpty());
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ assertTrue(actualRolePrivilegesMap.isEmpty());
+ }
+
+ // call import twice, and there has no duplicate data, the import will be with the overwrite mode:
+ // The data for 1st import:
+ // group1=role1
+ // role1=privilege1
+ // The data for 2nd import:
+ // group2=role2,role3
+ // group3=role2,role3
+ // role2=privilege2
+ // role3=privilege2
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getPrivilegesList are tested.
+ @Test
+ public void testImportExportPolicy7() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1"));
+ sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ // the import with overwrite mode
+ sentryStore.importSentryMetaData(tSentryMappingData1, true);
+
+ TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
+ sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege2));
+ sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege2));
+ tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
+ tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
+ // the import with overwrite mode
+ sentryStore.importSentryMetaData(tSentryMappingData2, true);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege2));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege2));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // call import twice, and there has data overlap, the import will be with the overwrite mode:
+ // The data for 1st import:
+ // group1=role1, role2
+ // group2=role1, role2
+ // group3=role1, role2
+ // role1=privilege1,privilege2,privilege3,privilege4,privilege5
+ // role2=privilege1,privilege2,privilege3,privilege4,privilege5
+ // The data for 2nd import:
+ // group1=role2,role3
+ // group2=role2,role3
+ // group3=role2,role3
+ // role2=privilege4,privilege5,privilege6,privilege7,privilege8
+ // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getPrivilegesList are tested.
+ @Test
+ public void testImportExportPolicy8() throws Exception {
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
+ sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
+ sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ // the import with overwrite mode
+ sentryStore.importSentryMetaData(tSentryMappingData1, true);
+
+ TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
+ sentryGroupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
+ tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
+ // the import with overwrite mode
+ sentryStore.importSentryMetaData(tSentryMappingData2, true);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
+ // role2 should be overwrite
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
+ tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // test the import privileges with the action: All, *, select, insert
+ // All and * should replace the select and insert
+ // The data for import:
+ // group1=role1, role2
+ // role1=testPrivilege1,testPrivilege2,testPrivilege3,testPrivilege4
+ // role2=testPrivilege5, testPrivilege6,testPrivilege7,testPrivilege8
+ @Test
+ public void testImportExportPolicy9() throws Exception {
+ TSentryPrivilege testPrivilege1 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl1", "", "", AccessConstants.SELECT, TSentryGrantOption.TRUE);
+ TSentryPrivilege testPrivilege2 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ TSentryPrivilege testPrivilege3 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl1", "", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE);
+ TSentryPrivilege testPrivilege4 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE);
+ TSentryPrivilege testPrivilege5 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl2", "", "", AccessConstants.SELECT, TSentryGrantOption.TRUE);
+ TSentryPrivilege testPrivilege6 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl2", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
+ TSentryPrivilege testPrivilege7 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl2", "", "", AccessConstants.ALL, TSentryGrantOption.TRUE);
+ TSentryPrivilege testPrivilege8 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
+ "server1", "db1", "tbl2", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE);
+
+ TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
+ sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ // after import there should be only testPrivilege2, testPrivilege3
+ sentryRolePrivilegesMap1.put("role1",
+ Sets.newHashSet(testPrivilege1, testPrivilege2, testPrivilege3, testPrivilege4));
+ // after import there should be only testPrivilege6,testPrivilege7
+ sentryRolePrivilegesMap1.put("role2",
+ Sets.newHashSet(testPrivilege5, testPrivilege6, testPrivilege7, testPrivilege8));
+ tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
+ tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
+ // the import with overwrite mode
+ sentryStore.importSentryMetaData(tSentryMappingData1, true);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1"));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(testPrivilege2, testPrivilege3));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(testPrivilege6, testPrivilege7));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ // The following data is imported:
+ // group1=role1
+ // group2=role1,role2
+ // group3=role2,role3
+ // group4=role1,role2,role3
+ // role1=privilege3,privilege4,privilege9
+ // role2=privilege3,privilege4,privilege5,privilege6,privilege7
+ // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+ // Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested.
+ @Test
+ public void testExportPolicyWithSpecificObject() throws Exception {
+ // import the data for test
+ TSentryMappingData tSentryMappingData = new TSentryMappingData();
+ Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
+ sentryGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ sentryGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ sentryGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ sentryGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ sentryRolePrivilegesMap.put("role1", Sets.newHashSet(
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege9));
+ sentryRolePrivilegesMap.put("role2", Sets.newHashSet(
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7));
+ sentryRolePrivilegesMap.put("role3", Sets.newHashSet(
+ tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap);
+ tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
+ sentryStore.importSentryMetaData(tSentryMappingData, false);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap =
+ sentryStore.getRoleNameTPrivilegesMap("db1", "");
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4,
+ tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4,
+ tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(
+ actualRolePrivilegesMap.keySet());
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db2
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db2", "");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege9));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
+ actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl1
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl1");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
+ actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl2
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl2");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege5));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
+ actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for table=tbl1
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", "tbl1");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege9));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
+ actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ // verify the rolePrivilegesMap and groupRolesMap for empty parameter
+ actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", "");
+ exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3,
+ tSentryPrivilege4, tSentryPrivilege9));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3,
+ tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4,
+ tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+
+ mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
+ actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
+ exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+ }
+
+ // Befor import, database is empty.
+ // The following information is imported:
+ // group1=role1,role2,role3
+ // user1=role1,role2
+ // user2=role2,role3
+ // role1=privilege1,privilege2,privilege3,privilege4
+ // role2=privilege5,privilege6,privilege7,privilege8
+ // role3=privilege3,privilege4,privilege5,privilege6
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getUsersMap getPrivilegesList are tested.
+ @Test
+ public void testImportExportWithUser() throws Exception {
+ TSentryMappingData tSentryMappingData = new TSentryMappingData();
+ Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+ Map<String, Set<String>> userRolesMap = Maps.newHashMap();
+ Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
+ groupRolesMap.put("group1", Sets.newHashSet("Role1", "role2", "role3"));
+ userRolesMap.put("user1", Sets.newHashSet("Role1", "role2"));
+ userRolesMap.put("user2", Sets.newHashSet("role2", "role3"));
+ sentryRolePrivilegesMap.put("Role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4));
+ sentryRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ sentryRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege3,
+ tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6));
+ tSentryMappingData.setGroupRolesMap(groupRolesMap);
+ tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
+ tSentryMappingData.setUserRolesMap(userRolesMap);
+ sentryStore.importSentryMetaData(tSentryMappingData, false);
+
+ Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
+ Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
+ Map<String, MSentryUser> usersMap = sentryStore.getUserNameToUserMap();
+ List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
+
+ // test the result data for the role
+ verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
+
+ // test the result data for the group
+ verifyGroups(groupsMap, Sets.newHashSet("group1"));
+
+ // test the result data for the user
+ verifyUsers(usersMap, Sets.newHashSet("user1", "user2"));
+
+ // test the result data for the privilege
+ verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+
+ // test the mapping data for group and role
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
+ Map<String, Set<String>> actualGroupRolesMap = mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP);
+ Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
+ exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+ verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
+
+ Map<String, Set<String>> actualUserRolesMap = mapList.get(
+ SentryStore.INDEX_USER_ROLES_MAP);
+ Map<String, Set<String>> exceptedUserRolesMap = Maps.newHashMap();
+ exceptedUserRolesMap.put("user1", Sets.newHashSet("role1", "role2"));
+ exceptedUserRolesMap.put("user2", Sets.newHashSet("role2", "role3"));
+ verifyUserGroupRolesMap(actualUserRolesMap, exceptedUserRolesMap);
+
+ // test the mapping data for role and privilege
+ Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
+ .getRoleNameTPrivilegesMap();
+ Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
+ exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
+ tSentryPrivilege3, tSentryPrivilege4));
+ exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6,
+ tSentryPrivilege7, tSentryPrivilege8));
+ exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege3,
+ tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6));
+
+ verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
+ }
+
+ private void verifyRoles(Map<String, MSentryRole> actualRoleMap, Set<String> expectedRoleNameSet) {
+ assertEquals(expectedRoleNameSet.size(), actualRoleMap.keySet().size());
+ for (String roleName : actualRoleMap.keySet()) {
+ assertTrue(expectedRoleNameSet.contains(roleName));
+ }
+ }
+
+ private void verifyGroups(Map<String, MSentryGroup> actualGroupsMap,
+ Set<String> expectedGroupNameSet) {
+ assertEquals(expectedGroupNameSet.size(), actualGroupsMap.keySet().size());
+ for (String groupName : actualGroupsMap.keySet()) {
+ assertTrue(expectedGroupNameSet.contains(groupName));
+ }
+ }
+
+ private void verifyUsers(Map<String, MSentryUser> actualUsersMap,
+ Set<String> expectedUserNameSet) {
+ assertEquals(expectedUserNameSet.size(), actualUsersMap.keySet().size());
+ for (String userName : actualUsersMap.keySet()) {
+ assertTrue(expectedUserNameSet.contains(userName));
+ }
+ }
+
+ private void verifyPrivileges(List<MSentryPrivilege> actualPrivileges,
+ Set<TSentryPrivilege> expectedTSentryPrivilegeSet) {
+ assertEquals(expectedTSentryPrivilegeSet.size(), actualPrivileges.size());
+ for (MSentryPrivilege mSentryPrivilege : actualPrivileges) {
+ boolean isFound = false;
+ for (TSentryPrivilege tSentryPrivilege : expectedTSentryPrivilegeSet) {
+ isFound = compareTSentryPrivilege(sentryStore.convertToTSentryPrivilege(mSentryPrivilege),
+ tSentryPrivilege);
+ if (isFound) {
+ break;
+ }
+ }
+ assertTrue(isFound);
+ }
+ }
+
+ private void verifyUserGroupRolesMap(Map<String, Set<String>> actualMap,
+ Map<String, Set<String>> exceptedMap) {
+ assertEquals(exceptedMap.keySet().size(), actualMap.keySet().size());
+ for (String name : actualMap.keySet()) {
+ Set<String> exceptedRoles = exceptedMap.get(name);
+ Set<String> actualRoles = actualMap.get(name);
+ assertEquals(actualRoles.size(), exceptedRoles.size());
+ assertTrue(actualRoles.equals(exceptedRoles));
+ }
+ }
+
+ private void verifyRolePrivilegesMap(Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap,
+ Map<String, Set<TSentryPrivilege>> expectedRolePrivilegesMap) {
+ assertEquals(expectedRolePrivilegesMap.keySet().size(), actualRolePrivilegesMap.keySet().size());
+ for (String roleName : expectedRolePrivilegesMap.keySet()) {
+ Set<TSentryPrivilege> exceptedTSentryPrivileges = expectedRolePrivilegesMap.get(roleName);
+ Set<TSentryPrivilege> actualTSentryPrivileges = actualRolePrivilegesMap.get(roleName);
+ assertEquals(exceptedTSentryPrivileges.size(), actualTSentryPrivileges.size());
+ for (TSentryPrivilege actualPrivilege : actualTSentryPrivileges) {
+ boolean isFound = false;
+ for (TSentryPrivilege expectedPrivilege : exceptedTSentryPrivileges) {
+ isFound = compareTSentryPrivilege(expectedPrivilege, actualPrivilege);
+ if (isFound) {
+ break;
+ }
+ }
+ assertTrue(isFound);
+ }
+ }
+ }
+
+ private TSentryPrivilege createTSentryPrivilege(String scope, String server, String dbName,
+ String tableName, String columnName, String uri, String action, TSentryGrantOption grantOption) {
+ TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
+ tSentryPrivilege.setPrivilegeScope(scope);
+ tSentryPrivilege.setServerName(server);
+ tSentryPrivilege.setDbName(dbName);
+ tSentryPrivilege.setTableName(tableName);
+ tSentryPrivilege.setColumnName(columnName);
+ tSentryPrivilege.setURI(uri);
+ tSentryPrivilege.setAction(action);
+ tSentryPrivilege.setGrantOption(grantOption);
+ return tSentryPrivilege;
+ }
+
+ // compare the TSentryPrivilege without the create time
+ private boolean compareTSentryPrivilege(TSentryPrivilege tSentryPrivilege1,
+ TSentryPrivilege tSentryPrivilege2) {
+ if (tSentryPrivilege1 == null) {
+ if (tSentryPrivilege2 == null) {
+ return true;
+ } else {
+ return false;
+ }
+ } else {
+ if (tSentryPrivilege2 == null) {
+ return false;
+ }
+ }
+
+ boolean this_present_privilegeScope = true && tSentryPrivilege1.isSetPrivilegeScope();
+ boolean that_present_privilegeScope = true && tSentryPrivilege2.isSetPrivilegeScope();
+ if (this_present_privilegeScope || that_present_privilegeScope) {
+ if (!(this_present_privilegeScope && that_present_privilegeScope)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getPrivilegeScope().equalsIgnoreCase(
+ tSentryPrivilege2.getPrivilegeScope())) {
+ return false;
+ }
+ }
+
+ boolean this_present_serverName = true && tSentryPrivilege1.isSetServerName();
+ boolean that_present_serverName = true && tSentryPrivilege2.isSetServerName();
+ if (this_present_serverName || that_present_serverName) {
+ if (!(this_present_serverName && that_present_serverName)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getServerName().equalsIgnoreCase(tSentryPrivilege2.getServerName())) {
+ return false;
+ }
+ }
+
+ boolean this_present_dbName = true && tSentryPrivilege1.isSetDbName();
+ boolean that_present_dbName = true && tSentryPrivilege2.isSetDbName();
+ if (this_present_dbName || that_present_dbName) {
+ if (!(this_present_dbName && that_present_dbName)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getDbName().equalsIgnoreCase(tSentryPrivilege2.getDbName())) {
+ return false;
+ }
+ }
+
+ boolean this_present_tableName = true && tSentryPrivilege1.isSetTableName();
+ boolean that_present_tableName = true && tSentryPrivilege2.isSetTableName();
+ if (this_present_tableName || that_present_tableName) {
+ if (!(this_present_tableName && that_present_tableName)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getTableName().equalsIgnoreCase(tSentryPrivilege2.getTableName())) {
+ return false;
+ }
+ }
+
+ boolean this_present_URI = true && tSentryPrivilege1.isSetURI();
+ boolean that_present_URI = true && tSentryPrivilege2.isSetURI();
+ if (this_present_URI || that_present_URI) {
+ if (!(this_present_URI && that_present_URI)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getURI().equalsIgnoreCase(tSentryPrivilege2.getURI())) {
+ return false;
+ }
+ }
+
+ boolean this_present_action = true && tSentryPrivilege1.isSetAction();
+ boolean that_present_action = true && tSentryPrivilege2.isSetAction();
+ if (this_present_action || that_present_action) {
+ if (!(this_present_action && that_present_action)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getAction().equalsIgnoreCase(tSentryPrivilege2.getAction())) {
+ return false;
+ }
+ }
+
+ boolean this_present_grantOption = true && tSentryPrivilege1.isSetGrantOption();
+ boolean that_present_grantOption = true && tSentryPrivilege2.isSetGrantOption();
+ if (this_present_grantOption || that_present_grantOption) {
+ if (!(this_present_grantOption && that_present_grantOption)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getGrantOption().equals(tSentryPrivilege2.getGrantOption())) {
+ return false;
+ }
+ }
+
+ boolean this_present_columnName = true && tSentryPrivilege1.isSetColumnName();
+ boolean that_present_columnName = true && tSentryPrivilege2.isSetColumnName();
+ if (this_present_columnName || that_present_columnName) {
+ if (!(this_present_columnName && that_present_columnName)) {
+ return false;
+ }
+ if (!tSentryPrivilege1.getColumnName().equalsIgnoreCase(tSentryPrivilege2.getColumnName())) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java
new file mode 100644
index 0000000..25f94fa
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java
@@ -0,0 +1,86 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import static org.junit.Assert.assertEquals;
+
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
+import org.junit.Test;
+
+public class TestSentryStoreToAuthorizable {
+
+ private MSentryPrivilege privilege;
+
+ @Test
+ public void testServer() {
+ privilege = new MSentryPrivilege(null, "server1", null, null, null, null, null);
+ assertEquals("server=server1",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", null, null, null, null,
+ AccessConstants.ALL);
+ assertEquals("server=server1",
+ SentryStore.toAuthorizable(privilege));
+ }
+
+ @Test
+ public void testTable() {
+ privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null, null);
+ assertEquals("server=server1->db=db1->table=tbl1",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null,
+ AccessConstants.INSERT);
+ assertEquals("server=server1->db=db1->table=tbl1->action=insert",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null,
+ AccessConstants.SELECT);
+ assertEquals("server=server1->db=db1->table=tbl1->action=select",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null,
+ AccessConstants.ALL);
+ assertEquals("server=server1->db=db1->table=tbl1",
+ SentryStore.toAuthorizable(privilege));
+ }
+
+ @Test
+ public void testDb() {
+ privilege = new MSentryPrivilege(null, "server1", "db1", null, null, null, null);
+ assertEquals("server=server1->db=db1",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", "db1", null, null, null,
+ AccessConstants.ALL);
+ assertEquals("server=server1->db=db1",
+ SentryStore.toAuthorizable(privilege));
+ }
+
+ @Test
+ public void testUri() {
+ privilege = new MSentryPrivilege(null, "server1", null, null, null, "file:///", null);
+ assertEquals("server=server1->uri=file:///",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", null, null, null, "file:///",
+ AccessConstants.SELECT);
+ assertEquals("server=server1->uri=file:///->action=select",
+ SentryStore.toAuthorizable(privilege));
+ privilege = new MSentryPrivilege(null, "server1", null, null, null, "file:///",
+ AccessConstants.ALL);
+ assertEquals("server=server1->uri=file:///",
+ SentryStore.toAuthorizable(privilege));
+ }
+}
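Review bot: The new tests only exercise `AccessConstants.ALL` as the action that is dropped from the authorizable string (testServer, testTable, testDb, testUri), while the import tests in the preceding hunk treat `AccessConstants.ACTION_ALL` (`*`) as equivalent to `all`; if `SentryStore.toAuthorizable` is meant to fold `*` the same way, that case is untested and a regression would go unnoticed. I would add to testTable `privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null, AccessConstants.ACTION_ALL); assertEquals("server=server1->db=db1->table=tbl1", SentryStore.toAuthorizable(privilege));` and, if `*` is instead expected to be emitted literally, an assertion pinning that instead. The fifth constructor argument, which appears to be the column name, is `null` in every case, so column-scoped privileges are not covered either; a single assertion with a non-null column would document the expected `->column=` rendering. Minor style: the shared `privilege` field could be a local in each test method, since nothing reads it across methods.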
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java
new file mode 100644
index 0000000..103dbb6
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java
@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.File;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.io.Files;
+
+public class TestSentryVersion {
+
+ private File dataDir;
+ private Configuration conf;
+
+ @Before
+ public void setup() throws Exception {
+ dataDir = new File(Files.createTempDir(), "sentry_policy_db");
+ conf = new Configuration(false);
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName="
+ + dataDir.getPath() + ";create=true");
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
+ }
+
+ /**
+ * Create the schema using auto creation Create new sentry store without
+ * implicit schema creation on the same backend db and make sure it starts
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testVerifySentryVersionCheck() throws Exception {
+ conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
+ SentryStore sentryStore = new SentryStore(conf);
+ sentryStore.stop();
+ conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "true");
+ }
+
+ /**
+ * Verify that store is not initialized by default without schema pre-created
+ *
+ * @throws Exception
+ */
+ @Test(expected = SentryNoSuchObjectException.class)
+ public void testNegSentrySchemaDefault() throws Exception {
+ new SentryStore(conf);
+ }
+
+ /**
+ * With schema verification turned off, Sentry Store should autoCreate the
+ * schema
+ * @throws Exception
+ */
+ @Test
+ public void testSentryImplicitVersion() throws Exception {
+ conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
+ SentryStore sentryStore = new SentryStore(conf);
+ assertEquals(SentryStoreSchemaInfo.getSentryVersion(),
+ sentryStore.getSentryVersion());
+ }
+
+}
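Review bot: testVerifySentryVersionCheck never exercises the schema-version check its Javadoc promises: it builds one store with SENTRY_VERIFY_SCHEM_VERSION=false, stops it, flips the flag back to "true" on the last line and returns without constructing the second store "without implicit schema creation", so a regression in the version check would pass this test. Add the second construction after that `conf.set(...)`: `sentryStore = new SentryStore(conf);` followed by `sentryStore.stop();`. The store created in testSentryImplicitVersion is never stopped and the directory from `Files.createTempDir()` is never removed, which leaves an embedded Derby database open per test run; an `@After` that stops any store still open and deletes `dataDir` would keep the tests isolated.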
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java
new file mode 100644
index 0000000..1114194
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import java.io.File;
+import java.util.Properties;
+
+import org.apache.hadoop.minikdc.MiniKdc;
+
+public class SentryMiniKdcTestcase {
+
+ private static File workDir;
+ private static Properties conf;
+ private static MiniKdc kdc;
+
+ public static void startMiniKdc(Properties confOverlay) throws Exception {
+ createTestDir();
+ createMiniKdcConf(confOverlay);
+ kdc = new MiniKdc(conf, workDir);
+ kdc.start();
+ }
+
+ private static void createMiniKdcConf(Properties confOverlay) {
+ conf = MiniKdc.createConf();
+ for ( Object property : confOverlay.keySet()) {
+ conf.put(property, confOverlay.get(property));
+ }
+ }
+
+ private static void createTestDir() {
+ workDir = new File(System.getProperty("test.dir", "target"));
+ }
+
+ public static void stopMiniKdc() {
+ if (kdc != null) {
+ kdc.stop();
+ }
+ }
+
+ public static MiniKdc getKdc() {
+ return kdc;
+ }
+
+ public static File getWorkDir() {
+ return workDir;
+ }
+
+ public Properties getConf() {
+ return conf;
+ }
+
+}
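Review bot: getConf() is the only accessor that is an instance method over an otherwise fully static helper, so callers must instantiate SentryMiniKdcTestcase just to read the KDC properties; declare it `public static Properties getConf()` to match getKdc() and getWorkDir(). stopMiniKdc() leaves the stale reference in place, so getKdc() keeps returning a stopped KDC after teardown; setting `kdc = null;` after `kdc.stop()` makes that state visible to the next setup. The overlay loop in createMiniKdcConf is equivalent to `conf.putAll(confOverlay);`, which also reads as the intent ("overlay") directly.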
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
new file mode 100644
index 0000000..48f25dd
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
@@ -0,0 +1,295 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import static org.hamcrest.core.Is.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.codehaus.jettison.json.JSONObject;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestAuthorizingDDLAuditLogWithKerberos extends SentryServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setupLog4j() throws Exception {
+ Logger logger = Logger.getLogger("sentry.hive.authorization.ddl.logger");
+ AuditLoggerTestAppender testAppender = new AuditLoggerTestAppender();
+ logger.addAppender(testAppender);
+ logger.setLevel(Level.INFO);
+ }
+
+ @Test
+ public void testBasic() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ String roleName = "testRole";
+ String errorRoleName = "errorRole";
+ String serverName = "server1";
+ String groupName = "testGroup";
+ String dbName = "dbTest";
+ String tableName = "tableTest";
+ Map<String, String> fieldValueMap = new HashMap<String, String>();
+
+ // for successful audit log
+ client.createRole(requestorUserName, roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ // for ip address, there is another logic to test the result
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.grantRoleToGroup(requestorUserName, groupName, roleName);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + roleName
+ + " TO GROUP " + groupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.grantDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL");
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName
+ + " TO ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.grantTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName,
+ "SELECT", true);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE " + tableName
+ + " TO ROLE " + roleName + " WITH GRANT OPTION");
+ fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // for error audit log
+ try {
+ client.createRole(requestorUserName, roleName);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client.grantRoleToGroup(requestorUserName, groupName, errorRoleName);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + errorRoleName
+ + " TO GROUP " + groupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client
+ .grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName, "ALL");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName
+ + " TO ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ "INSERT");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT INSERT ON DATABASE "
+ + dbName + " TO ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ "SELECT");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON DATABASE "
+ + dbName + " TO ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ try {
+ client.grantTablePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ tableName, "SELECT");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE "
+ + tableName + " TO ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ client.revokeTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName,
+ "SELECT");
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE " + tableName
+ + " FROM ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.revokeDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL");
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName
+ + " FROM ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.revokeRoleFromGroup(requestorUserName, groupName, roleName);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + roleName
+ + " FROM GROUP " + groupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ client.dropRole(requestorUserName, roleName);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // for error audit log
+ try {
+ client.revokeTablePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ tableName, "SELECT");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE "
+ + tableName + " FROM ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ try {
+ client.revokeDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+ "ALL");
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName
+ + " FROM ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ try {
+ client.revokeRoleFromGroup(requestorUserName, groupName, errorRoleName);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + errorRoleName
+ + " FROM GROUP " + groupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ try {
+ client.dropRole(requestorUserName, errorRoleName);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + errorRoleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ }
+ });
+ }
+
+ private void assertAuditLog(Map<String, String> fieldValueMap) throws Exception {
+ assertThat(AuditLoggerTestAppender.getLastLogLevel(), is(Level.INFO));
+ JSONObject jsonObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent());
+ if (fieldValueMap != null) {
+ for (Map.Entry<String, String> entry : fieldValueMap.entrySet()) {
+ String entryKey = entry.getKey();
+ if (Constants.LOG_FIELD_IP_ADDRESS.equals(entryKey)) {
+ assertTrue(CommandUtil.assertIPInAuditLog(jsonObject.get(entryKey).toString()));
+ } else {
+ assertTrue(entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString()));
+ }
+ }
+ }
+ }
+}
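Review bot: assertAuditLog reports nothing useful when an audit record is wrong: the bare `assertTrue(entry.getValue().equalsIgnoreCase(...))` yields an AssertionError with no field name, expected value or actual value, and for an audit-log test that diagnostic is the whole point. Bind the actual value and give the assertion a message, e.g. `String actual = jsonObject.get(entryKey).toString();` then `assertTrue("audit field " + entryKey + " was '" + actual + "', expected '" + entry.getValue() + "'", entry.getValue().equalsIgnoreCase(actual));`. The error-path blocks in testBasic catch bare `Exception`, so a transport or Thrift failure would also land in the audit assertion; catching the specific Sentry exception the client throws for a duplicate or missing role (whichever type the client surfaces here) would separate "operation correctly refused and audited" from "service broken".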
[26/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
deleted file mode 100644
index 36fa4b5..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.apache.hadoop.minikdc.MiniKdc;
-import org.apache.sentry.service.thrift.ServiceConstants;
-import org.junit.BeforeClass;
-import org.junit.Ignore;
-import org.junit.Test;
-
-@Ignore("SENTRY-515: Not part of automated unit testing, as it takes too long. Fails until we move to a hadoop 2.6.1. See HADOOP-10786")
-public class TestConnectionWithTicketTimeout extends
- org.apache.sentry.service.thrift.SentryServiceIntegrationBase {
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = true;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
- public static void beforeSetup() throws Exception {
- kdcConfOverlay.setProperty(MiniKdc.MAX_TICKET_LIFETIME, "360001");
- //Only UGI based client connections renew their TGT, this is not a problem in the real world
- // as this is not configurable and always true
- conf.set(ServiceConstants.ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
- }
-
- /***
- * Test is run only when sentry.hive.test.ticket.timeout is set to "true"
- * @throws Exception
- */
- @Test
- public void testConnectionAfterTicketTimeout() throws Exception {
- Thread.sleep(400000);
- connectToSentryService();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestNotificationHandlerInvoker.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestNotificationHandlerInvoker.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestNotificationHandlerInvoker.java
deleted file mode 100644
index 6a2f48f..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestNotificationHandlerInvoker.java
+++ /dev/null
@@ -1,112 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import java.util.UUID;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.provider.db.service.persistent.CommitContext;
-import org.junit.Before;
-import org.junit.Test;
-import org.mockito.Mockito;
-
-import com.google.common.collect.Lists;
-
-public class TestNotificationHandlerInvoker {
-
- private Configuration conf;
- private CommitContext commitContext;
- private NotificationHandler handler;
- private NotificationHandlerInvoker invoker;
-
- @Before
- public void setup() throws Exception {
- conf = new Configuration(false);
- commitContext = new CommitContext(UUID.randomUUID(), 1L);
- handler = Mockito.spy(new NotificationHandler(conf) {});
- invoker = new NotificationHandlerInvoker(conf,
- Lists.newArrayList(new ThrowingNotificationHandler(conf), handler));
- }
-
- @Test
- public void testCreateSentryRole() throws Exception {
- TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
- TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
- invoker.create_sentry_role(commitContext, request, response);
- Mockito.verify(handler).create_sentry_role(commitContext,
- request, response);
- }
-
- @Test
- public void testDropSentryRole() throws Exception {
- TDropSentryRoleRequest request = new TDropSentryRoleRequest();
- TDropSentryRoleResponse response = new TDropSentryRoleResponse();
- invoker.drop_sentry_role(commitContext, request, response);
- Mockito.verify(handler).drop_sentry_role(commitContext,
- request, response);
- }
-
-
-
- @Test
- public void testAlterSentryRoleAddGroups() throws Exception {
- TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
- TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
- invoker.alter_sentry_role_add_groups(commitContext, request, response);
- Mockito.verify(handler).alter_sentry_role_add_groups(commitContext,
- request, response);
- }
-
- @Test
- public void testAlterSentryRoleDeleteGroups() throws Exception {
- TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
- TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
- invoker.alter_sentry_role_delete_groups(commitContext, request, response);
- Mockito.verify(handler).alter_sentry_role_delete_groups(commitContext,
- request, response);
- }
-
- public static class ThrowingNotificationHandler extends NotificationHandler {
- public ThrowingNotificationHandler(Configuration config) throws Exception {
- super(config);
- }
- @Override
- public void create_sentry_role(CommitContext args,
- TCreateSentryRoleRequest request, TCreateSentryRoleResponse response) {
- throw new RuntimeException();
- }
- public void drop_sentry_role(CommitContext context,
- TDropSentryRoleRequest request,
- TDropSentryRoleResponse response) {
- throw new RuntimeException();
- }
- @Override
- public void alter_sentry_role_add_groups(CommitContext args,
- TAlterSentryRoleAddGroupsRequest request,
- TAlterSentryRoleAddGroupsResponse response) {
- throw new RuntimeException();
- }
- @Override
- public void alter_sentry_role_delete_groups(
- CommitContext args, TAlterSentryRoleDeleteGroupsRequest request,
- TAlterSentryRoleDeleteGroupsResponse response) {
- throw new RuntimeException();
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java
deleted file mode 100644
index 04d92dd..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
-import org.junit.Assert;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
-import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
-import org.apache.sentry.service.thrift.ServiceConstants;
-import org.junit.Before;
-import org.junit.Test;
-
-public class TestSentryPolicyStoreProcessor {
-
- private Configuration conf;
-
- @Before
- public void setup() {
- conf = new Configuration(false);
- }
- @Test(expected=SentrySiteConfigurationException.class)
- public void testConfigNotNotificationHandler() throws Exception {
- conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, Object.class.getName());
- SentryPolicyStoreProcessor.createHandlers(conf);
- }
- @Test(expected=SentrySiteConfigurationException.class)
- public void testConfigCannotCreateNotificationHandler() throws Exception {
- conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
- ExceptionInConstructorNotificationHandler.class.getName());
- SentryPolicyStoreProcessor.createHandlers(conf);
- }
- @Test(expected=SentrySiteConfigurationException.class)
- public void testConfigNotAClassNotificationHandler() throws Exception {
- conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, "junk");
- SentryPolicyStoreProcessor.createHandlers(conf);
- }
- @Test
- public void testConfigMultipleNotificationHandlers() throws Exception {
- conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
- NoopNotificationHandler.class.getName() + "," +
- NoopNotificationHandler.class.getName() + " " +
- NoopNotificationHandler.class.getName());
- Assert.assertEquals(3, SentryPolicyStoreProcessor.createHandlers(conf).size());
- }
- public static class ExceptionInConstructorNotificationHandler extends NotificationHandler {
- public ExceptionInConstructorNotificationHandler(Configuration config) throws Exception {
- super(config);
- throw new Exception();
- }
- }
- public static class NoopNotificationHandler extends NotificationHandler {
- public NoopNotificationHandler(Configuration config) throws Exception {
- super(config);
- }
- }
- @Test(expected=SentryThriftAPIMismatchException.class)
- public void testSentryThriftAPIMismatch() throws Exception {
- SentryPolicyStoreProcessor.validateClientVersion(ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT -1);
- }
- @Test
- public void testSentryThriftAPIMatchVersion() throws Exception {
- SentryPolicyStoreProcessor.validateClientVersion(ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForHaWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForHaWithoutKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForHaWithoutKerberos.java
deleted file mode 100644
index 6c78942..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForHaWithoutKerberos.java
+++ /dev/null
@@ -1,219 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless createRequired by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-import static org.junit.Assert.assertEquals;
-
-import java.util.HashSet;
-import java.util.Set;
-
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-
-public class TestSentryServerForHaWithoutKerberos extends SentryServiceIntegrationBase {
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = false;
- haEnabled = true;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
- @Test
- public void testCreateRole() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r";
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.dropRole(requestorUserName, roleName);
- }
-
- @Test
- public void testQueryPushDown() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- String group1 = "g1";
- String group2 = "g2";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
-
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
-
-
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
- client.grantRoleToGroup(requestorUserName, group1, roleName2);
- client.grantRoleToGroup(requestorUserName, group2, roleName2);
-
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db3", "table5", "ALL");
-
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1")));
- assertEquals("Privilege not assigned to role2 !!", 2, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db2"), new Table("table1")));
- assertEquals("Privilege not assigned to role2 !!", 0, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"), new Table("table1")));
- assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db3")));
- assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
-
- Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db2"));
- assertEquals("Privilege not correctly assigned to roles !!",
- Sets.newHashSet("server=server->db=db2->table=table4->action=all", "server=server->db=db2->table=table3->action=all"),
- listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db3"));
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=all"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3"));
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=+"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server1"));
- assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider);
- }
-
-
-
- /**
- * Create role, add privileges and grant it to a group drop the role and
- * verify the privileges are no longer visible recreate the role with same
- * name and verify the privileges again.
- * @throws Exception
- */
- @Test
- public void testDropRole() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r";
-
- // create role and add privileges
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName);
- client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
- client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL");
- assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
-
- // drop role and verify privileges
- client.dropRole(requestorUserName, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
-
- // recreate the role
- client.createRole(requestorUserName, roleName);
- client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
-
- // grant different privileges and verify
- client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
- assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
- client.dropRole(requestorUserName, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
- }
-
- @Test
- public void testDropRoleOnUser() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- Set<String> requestorUserNames = Sets.newHashSet(ADMIN_USER);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r";
-
- // create role and add privileges
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.grantRoleToUser(requestorUserName, ADMIN_USER, roleName);
- client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
- client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL");
- assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
-
- // drop role and verify privileges
- client.dropRole(requestorUserName, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
-
- // recreate the role
- client.createRole(requestorUserName, roleName);
- client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
-
- // grant different privileges and verify
- client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
- assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
- client.dropRole(requestorUserName, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
- }
-
- /**
- * Test that we are correctly substituting "_HOST" if/when needed.
- *
- * @throws Exception
- */
- @Test
- public void testHostSubstitution() throws Exception {
- // We just need to ensure that we are able to correct connect to the server
- connectToSentryService();
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolHAWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolHAWithoutKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolHAWithoutKerberos.java
deleted file mode 100644
index 9ba7d23..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolHAWithoutKerberos.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless createRequired by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.junit.BeforeClass;
-
-public class TestSentryServerForPoolHAWithoutKerberos extends TestSentryServerForHaWithoutKerberos {
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = false;
- haEnabled = true;
- pooled = true;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolWithoutKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolWithoutKerberos.java
deleted file mode 100644
index 62fbb2f..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolWithoutKerberos.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless createRequired by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.junit.BeforeClass;
-
-public class TestSentryServerForPoolWithoutKerberos extends TestSentryServerWithoutKerberos {
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = false;
- haEnabled = false;
- pooled = true;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java
deleted file mode 100644
index b37f057..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java
+++ /dev/null
@@ -1,214 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless createRequired by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-import static org.junit.Assert.assertEquals;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.Set;
-
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-
-public class TestSentryServerWithoutKerberos extends SentryServiceIntegrationBase {
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = false;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
- @Test
- public void testCreateRole() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r";
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.dropRole(requestorUserName, roleName);
- }
-
- @Test
- public void testQueryPushDown() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- String group1 = "g1";
- String group2 = "g2";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
-
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
-
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
- client.grantRoleToGroup(requestorUserName, group1, roleName2);
- client.grantRoleToGroup(requestorUserName, group2, roleName2);
-
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db3", "table5", "ALL");
-
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, null);
- assertEquals("Privilege not assigned to role2 !!", 5, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, new ArrayList<Authorizable>());
- assertEquals("Privilege not assigned to role2 !!", 5, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1")));
- assertEquals("Privilege not assigned to role2 !!", 2, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db2"), new Table("table1")));
- assertEquals("Privilege not assigned to role2 !!", 0, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"), new Table("table1")));
- assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db3")));
- assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
-
- Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db2"));
- assertEquals("Privilege not correctly assigned to roles !!",
- Sets.newHashSet("server=server->db=db2->table=table4->action=all", "server=server->db=db2->table=table3->action=all"),
- listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db3"));
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=all"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3"));
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=+"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server1"));
- assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider);
- }
-
-
-
- /**
- * Create role, add privileges and grant it to a group drop the role and
- * verify the privileges are no longer visible recreate the role with same
- * name and verify the privileges again.
- * @throws Exception
- */
- @Test
- public void testDropRole() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r";
-
- // create role and add privileges
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName);
- client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
- client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL");
- assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
-
- // drop role and verify privileges
- client.dropRole(requestorUserName, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
-
- // recreate the role
- client.createRole(requestorUserName, roleName);
- client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
-
- // grant different privileges and verify
- client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
- assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
- client.dropRole(requestorUserName, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
- ActiveRoleSet.ALL).size());
- }
-
- @Test
- public void testDropRoleOnUser() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- Set<String> requestorUserNames = Sets.newHashSet(ADMIN_USER);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r";
-
- // create role and add privileges
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.grantRoleToUser(requestorUserName, ADMIN_USER, roleName);
- client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
- client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL");
- assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
-
- // drop role and verify privileges
- client.dropRole(requestorUserName, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
-
- // recreate the role
- client.createRole(requestorUserName, roleName);
- client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
-
- // grant different privileges and verify
- client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
- assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
- client.dropRole(requestorUserName, roleName);
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
- assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
- ActiveRoleSet.ALL).size());
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
deleted file mode 100644
index fe4164d..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
+++ /dev/null
@@ -1,111 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import static org.junit.Assert.assertTrue;
-
-import java.security.PrivilegedExceptionAction;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.concurrent.Callable;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-import java.util.concurrent.FutureTask;
-
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.service.thrift.SentryServiceFactory;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-
-public class TestSentryServiceClientPool extends SentryServiceIntegrationBase {
-
- @Test
- public void testConnectionWhenReconnect() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.listRoles(requestorUserName);
- stopSentryService();
- server = new SentryServiceFactory().create(conf);
- startSentryService();
- client.listRoles(requestorUserName);
- client.dropRole(requestorUserName, roleName);
- }
- });
- }
-
- @Test
- public void testConnectionWithMultipleRetries() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- List<Future<Boolean>> tasks = new ArrayList<Future<Boolean>>();
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- ExecutorService executorService = Executors.newFixedThreadPool(20);
-
- Callable<Boolean> func = new Callable<Boolean>() {
- public Boolean call() throws Exception {
- return clientUgi.doAs(new PrivilegedExceptionAction<Boolean>() {
- @Override
- public Boolean run() throws Exception {
- try {
- client.listRoles(ADMIN_USER);
- return true;
- } catch (SentryUserException sue) {
- return false;
- }
- }
- });
- }
- };
-
- for (int i = 0; i < 30; i++) {
- FutureTask<Boolean> task = new FutureTask<Boolean>(func);
- tasks.add(task);
- executorService.submit(task);
- }
-
- for (Future<Boolean> task : tasks) {
- Boolean result = task.get();
- assertTrue("Some tasks are failed.", result);
- }
- }
- });
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
deleted file mode 100644
index 51bba31..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
+++ /dev/null
@@ -1,74 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.junit.After;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Strings;
-
-public class TestSentryServiceFailureCase extends SentryServiceIntegrationBase {
- private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryServiceFailureCase.class);
- private static final String PEER_CALLBACK_FAILURE = "Peer indicated failure: Problem with callback handler";
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = true;
- beforeSetup();
- setupConf();
- conf.set(ServerConfig.ALLOW_CONNECT, "");
- startSentryService();
- afterSetup();
- }
-
- @Override
- @Before
- public void before() throws Exception {
- }
-
- @Override
- @After
- public void after() {
- }
-
- @Test
- public void testClientServerConnectionFailure() throws Exception {
- try {
- connectToSentryService();
- Assert.fail("Failed to receive Exception");
- } catch(Exception e) {
- LOGGER.info("Excepted exception", e);
- Throwable cause = e.getCause();
- if (cause == null) {
- throw e;
- }
- String msg = "Exception message: " + cause.getMessage() + " to contain " +
- PEER_CALLBACK_FAILURE;
- Assert.assertTrue(msg, Strings.nullToEmpty(cause.getMessage())
- .contains(PEER_CALLBACK_FAILURE));
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForHAWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForHAWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForHAWithKerberos.java
deleted file mode 100644
index 813b30b..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForHAWithKerberos.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-
-import java.io.File;
-import java.util.Set;
-
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-
-/**
- * Test various kerberos related stuff on the SentryService side
- */
-public class TestSentryServiceForHAWithKerberos extends SentryServiceIntegrationBase {
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = true;
- haEnabled = true;
- SERVER_KERBEROS_NAME = "sentry/_HOST@" + REALM;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
- @Override
- @Before
- public void before() throws Exception {
- policyFilePath = new File(dbDir, "local_policy_file.ini");
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
- policyFilePath.getPath());
- policyFile = new PolicyFile();
- connectToSentryService();
- }
-
- @Test
- public void testCreateRole() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r";
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- client.dropRole(requestorUserName, roleName);
- }
- });
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolHAWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolHAWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolHAWithKerberos.java
deleted file mode 100644
index acb906f..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolHAWithKerberos.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless createRequired by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.junit.BeforeClass;
-
-public class TestSentryServiceForPoolHAWithKerberos extends TestSentryServiceWithKerberos {
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = true;
- haEnabled = true;
- pooled = true;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolWithKerberos.java
deleted file mode 100644
index bd3c1cc..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolWithKerberos.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless createRequired by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.junit.BeforeClass;
-
-public class TestSentryServiceForPoolWithKerberos extends TestSentryServiceWithKerberos {
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = true;
- haEnabled = false;
- pooled = true;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
-}
\ No newline at end of file
[05/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
new file mode 100644
index 0000000..c6177d4
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestConnectionWithTicketTimeout.java
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+
+@Ignore("SENTRY-515: Not part of automated unit testing, as it takes too long. Fails until we move to a hadoop 2.6.1. See HADOOP-10786")
+public class TestConnectionWithTicketTimeout extends SentryServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.kerberos = true;
+ beforeSetup();
+ SentryServiceIntegrationBase.setupConf();
+ SentryServiceIntegrationBase.startSentryService();
+ SentryServiceIntegrationBase.afterSetup();
+ }
+
+ public static void beforeSetup() throws Exception {
+ SentryServiceIntegrationBase.kdcConfOverlay.setProperty(MiniKdc.MAX_TICKET_LIFETIME, "360001");
+ //Only UGI based client connections renew their TGT, this is not a problem in the real world
+ // as this is not configurable and always true
+ SentryServiceIntegrationBase.conf.set(ServiceConstants.ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
+ }
+
+ /***
+ * Test is run only when sentry.hive.test.ticket.timeout is set to "true"
+ * @throws Exception
+ */
+ @Test
+ public void testConnectionAfterTicketTimeout() throws Exception {
+ Thread.sleep(400000);
+ connectToSentryService();
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestNotificationHandlerInvoker.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestNotificationHandlerInvoker.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestNotificationHandlerInvoker.java
new file mode 100644
index 0000000..6a2f48f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestNotificationHandlerInvoker.java
@@ -0,0 +1,112 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import java.util.UUID;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import com.google.common.collect.Lists;
+
+public class TestNotificationHandlerInvoker {
+
+ private Configuration conf;
+ private CommitContext commitContext;
+ private NotificationHandler handler;
+ private NotificationHandlerInvoker invoker;
+
+ @Before
+ public void setup() throws Exception {
+ conf = new Configuration(false);
+ commitContext = new CommitContext(UUID.randomUUID(), 1L);
+ handler = Mockito.spy(new NotificationHandler(conf) {});
+ invoker = new NotificationHandlerInvoker(conf,
+ Lists.newArrayList(new ThrowingNotificationHandler(conf), handler));
+ }
+
+ @Test
+ public void testCreateSentryRole() throws Exception {
+ TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+ TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
+ invoker.create_sentry_role(commitContext, request, response);
+ Mockito.verify(handler).create_sentry_role(commitContext,
+ request, response);
+ }
+
+ @Test
+ public void testDropSentryRole() throws Exception {
+ TDropSentryRoleRequest request = new TDropSentryRoleRequest();
+ TDropSentryRoleResponse response = new TDropSentryRoleResponse();
+ invoker.drop_sentry_role(commitContext, request, response);
+ Mockito.verify(handler).drop_sentry_role(commitContext,
+ request, response);
+ }
+
+
+
+ @Test
+ public void testAlterSentryRoleAddGroups() throws Exception {
+ TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+ TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
+ invoker.alter_sentry_role_add_groups(commitContext, request, response);
+ Mockito.verify(handler).alter_sentry_role_add_groups(commitContext,
+ request, response);
+ }
+
+ @Test
+ public void testAlterSentryRoleDeleteGroups() throws Exception {
+ TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+ TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
+ invoker.alter_sentry_role_delete_groups(commitContext, request, response);
+ Mockito.verify(handler).alter_sentry_role_delete_groups(commitContext,
+ request, response);
+ }
+
+ public static class ThrowingNotificationHandler extends NotificationHandler {
+ public ThrowingNotificationHandler(Configuration config) throws Exception {
+ super(config);
+ }
+ @Override
+ public void create_sentry_role(CommitContext args,
+ TCreateSentryRoleRequest request, TCreateSentryRoleResponse response) {
+ throw new RuntimeException();
+ }
+ public void drop_sentry_role(CommitContext context,
+ TDropSentryRoleRequest request,
+ TDropSentryRoleResponse response) {
+ throw new RuntimeException();
+ }
+ @Override
+ public void alter_sentry_role_add_groups(CommitContext args,
+ TAlterSentryRoleAddGroupsRequest request,
+ TAlterSentryRoleAddGroupsResponse response) {
+ throw new RuntimeException();
+ }
+ @Override
+ public void alter_sentry_role_delete_groups(
+ CommitContext args, TAlterSentryRoleDeleteGroupsRequest request,
+ TAlterSentryRoleDeleteGroupsResponse response) {
+ throw new RuntimeException();
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java
new file mode 100644
index 0000000..04d92dd
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.junit.Assert;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
+import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.junit.Before;
+import org.junit.Test;
+
+public class TestSentryPolicyStoreProcessor {
+
+ private Configuration conf;
+
+ @Before
+ public void setup() {
+ conf = new Configuration(false);
+ }
+ @Test(expected=SentrySiteConfigurationException.class)
+ public void testConfigNotNotificationHandler() throws Exception {
+ conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, Object.class.getName());
+ SentryPolicyStoreProcessor.createHandlers(conf);
+ }
+ @Test(expected=SentrySiteConfigurationException.class)
+ public void testConfigCannotCreateNotificationHandler() throws Exception {
+ conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
+ ExceptionInConstructorNotificationHandler.class.getName());
+ SentryPolicyStoreProcessor.createHandlers(conf);
+ }
+ @Test(expected=SentrySiteConfigurationException.class)
+ public void testConfigNotAClassNotificationHandler() throws Exception {
+ conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, "junk");
+ SentryPolicyStoreProcessor.createHandlers(conf);
+ }
+ @Test
+ public void testConfigMultipleNotificationHandlers() throws Exception {
+ conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
+ NoopNotificationHandler.class.getName() + "," +
+ NoopNotificationHandler.class.getName() + " " +
+ NoopNotificationHandler.class.getName());
+ Assert.assertEquals(3, SentryPolicyStoreProcessor.createHandlers(conf).size());
+ }
+ public static class ExceptionInConstructorNotificationHandler extends NotificationHandler {
+ public ExceptionInConstructorNotificationHandler(Configuration config) throws Exception {
+ super(config);
+ throw new Exception();
+ }
+ }
+ public static class NoopNotificationHandler extends NotificationHandler {
+ public NoopNotificationHandler(Configuration config) throws Exception {
+ super(config);
+ }
+ }
+ @Test(expected=SentryThriftAPIMismatchException.class)
+ public void testSentryThriftAPIMismatch() throws Exception {
+ SentryPolicyStoreProcessor.validateClientVersion(ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT -1);
+ }
+ @Test
+ public void testSentryThriftAPIMatchVersion() throws Exception {
+ SentryPolicyStoreProcessor.validateClientVersion(ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForHaWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForHaWithoutKerberos.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForHaWithoutKerberos.java
new file mode 100644
index 0000000..d5cc1b9
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForHaWithoutKerberos.java
@@ -0,0 +1,219 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+import static org.junit.Assert.assertEquals;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.core.model.db.Table;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+
+public class TestSentryServerForHaWithoutKerberos extends SentryServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.kerberos = false;
+ SentryServiceIntegrationBase.haEnabled = true;
+ SentryServiceIntegrationBase.beforeSetup();
+ SentryServiceIntegrationBase.setupConf();
+ SentryServiceIntegrationBase.startSentryService();
+ SentryServiceIntegrationBase.afterSetup();
+ }
+
+ @Test
+ public void testCreateRole() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r";
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+ client.dropRole(requestorUserName, roleName);
+ }
+
+ @Test
+ public void testQueryPushDown() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ String group1 = "g1";
+ String group2 = "g2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+ client.grantRoleToGroup(requestorUserName, group1, roleName1);
+
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
+
+
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+ client.grantRoleToGroup(requestorUserName, group1, roleName2);
+ client.grantRoleToGroup(requestorUserName, group2, roleName2);
+
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db3", "table5", "ALL");
+
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1")));
+ assertEquals("Privilege not assigned to role2 !!", 2, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db2"), new Table("table1")));
+ assertEquals("Privilege not assigned to role2 !!", 0, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"), new Table("table1")));
+ assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db3")));
+ assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
+
+ Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db2"));
+ assertEquals("Privilege not correctly assigned to roles !!",
+ Sets.newHashSet("server=server->db=db2->table=table4->action=all", "server=server->db=db2->table=table3->action=all"),
+ listPrivilegesForProvider);
+
+ listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db3"));
+ assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=all"), listPrivilegesForProvider);
+
+ listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3"));
+ assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=+"), listPrivilegesForProvider);
+
+ listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server1"));
+ assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider);
+ }
+
+
+
+ /**
+ * Create role, add privileges and grant it to a group drop the role and
+ * verify the privileges are no longer visible recreate the role with same
+ * name and verify the privileges again.
+ * @throws Exception
+ */
+ @Test
+ public void testDropRole() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r";
+
+ // create role and add privileges
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+ client.grantRoleToGroup(requestorUserName, SentryServiceIntegrationBase.ADMIN_GROUP, roleName);
+ client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
+ client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL");
+ assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+ ActiveRoleSet.ALL).size());
+
+ // drop role and verify privileges
+ client.dropRole(requestorUserName, roleName);
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+ ActiveRoleSet.ALL).size());
+
+ // recreate the role
+ client.createRole(requestorUserName, roleName);
+ client.grantRoleToGroup(requestorUserName, SentryServiceIntegrationBase.ADMIN_GROUP, roleName);
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+ ActiveRoleSet.ALL).size());
+
+ // grant different privileges and verify
+ client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
+ assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+ ActiveRoleSet.ALL).size());
+ client.dropRole(requestorUserName, roleName);
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+ ActiveRoleSet.ALL).size());
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+ ActiveRoleSet.ALL).size());
+ }
+
+ @Test
+ public void testDropRoleOnUser() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ Set<String> requestorUserNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_USER);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r";
+
+ // create role and add privileges
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+ client.grantRoleToUser(requestorUserName, SentryServiceIntegrationBase.ADMIN_USER, roleName);
+ client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
+ client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL");
+ assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+ ActiveRoleSet.ALL).size());
+
+ // drop role and verify privileges
+ client.dropRole(requestorUserName, roleName);
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+ ActiveRoleSet.ALL).size());
+
+ // recreate the role
+ client.createRole(requestorUserName, roleName);
+ client.grantRoleToGroup(requestorUserName, SentryServiceIntegrationBase.ADMIN_GROUP, roleName);
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+ ActiveRoleSet.ALL).size());
+
+ // grant different privileges and verify
+ client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
+ assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+ ActiveRoleSet.ALL).size());
+ client.dropRole(requestorUserName, roleName);
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+ ActiveRoleSet.ALL).size());
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+ ActiveRoleSet.ALL).size());
+ }
+
+ /**
+ * Test that we are correctly substituting "_HOST" if/when needed.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testHostSubstitution() throws Exception {
+ // We just need to ensure that we are able to correct connect to the server
+ connectToSentryService();
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolHAWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolHAWithoutKerberos.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolHAWithoutKerberos.java
new file mode 100644
index 0000000..9ba7d23
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolHAWithoutKerberos.java
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.junit.BeforeClass;
+
+public class TestSentryServerForPoolHAWithoutKerberos extends TestSentryServerForHaWithoutKerberos {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ kerberos = false;
+ haEnabled = true;
+ pooled = true;
+ beforeSetup();
+ setupConf();
+ startSentryService();
+ afterSetup();
+ }
+
+}
\ No newline at end of file
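Review bot: The license header of this new file reads `Unless createRequired by applicable law`, a corrupted copy of the canonical ASF text (`Unless required by applicable law`), and the same corruption appears in the headers of TestSentryServerForPoolWithoutKerberos, TestSentryServerWithoutKerberos, TestSentryServiceForPoolHAWithKerberos and TestSentryServiceForPoolWithKerberos in this commit. It looks like a stray search-and-replace; the header should be restored verbatim so the licence check and the other files in the module stay consistent. Separately, `setup()` here writes `kerberos`, `haEnabled` and `pooled` unqualified while the sibling pool classes write `SentryServiceIntegrationBase.kerberos` etc.; either compiles, but qualifying them makes it visible that these are shared static flags on the base class rather than fields of this test.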
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolWithoutKerberos.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolWithoutKerberos.java
new file mode 100644
index 0000000..121fc4d
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerForPoolWithoutKerberos.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.BeforeClass;
+
+public class TestSentryServerForPoolWithoutKerberos extends TestSentryServerWithoutKerberos {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.kerberos = false;
+ SentryServiceIntegrationBase.haEnabled = false;
+ SentryServiceIntegrationBase.pooled = true;
+ SentryServiceIntegrationBase.beforeSetup();
+ SentryServiceIntegrationBase.setupConf();
+ SentryServiceIntegrationBase.startSentryService();
+ SentryServiceIntegrationBase.afterSetup();
+ }
+
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java
new file mode 100644
index 0000000..86cf9da
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java
@@ -0,0 +1,214 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+import static org.junit.Assert.assertEquals;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.core.model.db.Table;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+
+public class TestSentryServerWithoutKerberos extends SentryServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.kerberos = false;
+ SentryServiceIntegrationBase.beforeSetup();
+ SentryServiceIntegrationBase.setupConf();
+ SentryServiceIntegrationBase.startSentryService();
+ SentryServiceIntegrationBase.afterSetup();
+ }
+
+ @Test
+ public void testCreateRole() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r";
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+ client.dropRole(requestorUserName, roleName);
+ }
+
+ @Test
+ public void testQueryPushDown() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ String group1 = "g1";
+ String group2 = "g2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+ client.grantRoleToGroup(requestorUserName, group1, roleName1);
+
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
+
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+ client.grantRoleToGroup(requestorUserName, group1, roleName2);
+ client.grantRoleToGroup(requestorUserName, group2, roleName2);
+
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db3", "table5", "ALL");
+
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, null);
+ assertEquals("Privilege not assigned to role2 !!", 5, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, new ArrayList<Authorizable>());
+ assertEquals("Privilege not assigned to role2 !!", 5, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1")));
+ assertEquals("Privilege not assigned to role2 !!", 2, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db2"), new Table("table1")));
+ assertEquals("Privilege not assigned to role2 !!", 0, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"), new Table("table1")));
+ assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db3")));
+ assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
+
+ Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db2"));
+ assertEquals("Privilege not correctly assigned to roles !!",
+ Sets.newHashSet("server=server->db=db2->table=table4->action=all", "server=server->db=db2->table=table3->action=all"),
+ listPrivilegesForProvider);
+
+ listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db3"));
+ assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=all"), listPrivilegesForProvider);
+
+ listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3"));
+ assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=+"), listPrivilegesForProvider);
+
+ listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server1"));
+ assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider);
+ }
+
+
+
+ /**
+ * Create role, add privileges and grant it to a group drop the role and
+ * verify the privileges are no longer visible recreate the role with same
+ * name and verify the privileges again.
+ * @throws Exception
+ */
+ @Test
+ public void testDropRole() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r";
+
+ // create role and add privileges
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+ client.grantRoleToGroup(requestorUserName, SentryServiceIntegrationBase.ADMIN_GROUP, roleName);
+ client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
+ client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL");
+ assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+ ActiveRoleSet.ALL).size());
+
+ // drop role and verify privileges
+ client.dropRole(requestorUserName, roleName);
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+ ActiveRoleSet.ALL).size());
+
+ // recreate the role
+ client.createRole(requestorUserName, roleName);
+ client.grantRoleToGroup(requestorUserName, SentryServiceIntegrationBase.ADMIN_GROUP, roleName);
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+ ActiveRoleSet.ALL).size());
+
+ // grant different privileges and verify
+ client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
+ assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+ ActiveRoleSet.ALL).size());
+ client.dropRole(requestorUserName, roleName);
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+ ActiveRoleSet.ALL).size());
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+ ActiveRoleSet.ALL).size());
+ }
+
+ @Test
+ public void testDropRoleOnUser() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ Set<String> requestorUserNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_USER);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r";
+
+ // create role and add privileges
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+ client.grantRoleToUser(requestorUserName, SentryServiceIntegrationBase.ADMIN_USER, roleName);
+ client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
+ client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL");
+ assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+ ActiveRoleSet.ALL).size());
+
+ // drop role and verify privileges
+ client.dropRole(requestorUserName, roleName);
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+ ActiveRoleSet.ALL).size());
+
+ // recreate the role
+ client.createRole(requestorUserName, roleName);
+ client.grantRoleToGroup(requestorUserName, SentryServiceIntegrationBase.ADMIN_GROUP, roleName);
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+ ActiveRoleSet.ALL).size());
+
+ // grant different privileges and verify
+ client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
+ assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+ ActiveRoleSet.ALL).size());
+ client.dropRole(requestorUserName, roleName);
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+ ActiveRoleSet.ALL).size());
+ assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+ ActiveRoleSet.ALL).size());
+ }
+}
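Review bot: The last two assertions of `testDropRole` (and likewise of `testDropRoleOnUser`) are byte-identical calls to `listPrivilegesForProvider(...).size()` with nothing happening in between, so the second one can never fail if the first passed; drop the duplicate or, if a second check was intended after some further action, add that action. `testQueryPushDown` also never drops `admin_r1`/`admin_r2` at the end, so their grants survive into later tests unless the base class resets the store between tests (not visible here); a final `client.dropRole(...)` for both roles, or a `dropRoleIfExists` in a `@Before`, would keep the tests independent. The expected `Sets.newHashSet("server=+")` for the `db3` query restricted to `roleName1` is non-obvious and deserves a one-line comment explaining why an active role with no matching privilege yields that entry.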
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
new file mode 100644
index 0000000..87eb41b
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceClientPool.java
@@ -0,0 +1,111 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import static org.junit.Assert.assertTrue;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.FutureTask;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.service.thrift.SentryServiceFactory;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestSentryServiceClientPool extends SentryServiceIntegrationBase {
+
+ @Test
+ public void testConnectionWhenReconnect() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ String roleName = "admin_r";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+ client.listRoles(requestorUserName);
+ stopSentryService();
+ SentryServiceIntegrationBase.server = new SentryServiceFactory().create(SentryServiceIntegrationBase.conf);
+ SentryServiceIntegrationBase.startSentryService();
+ client.listRoles(requestorUserName);
+ client.dropRole(requestorUserName, roleName);
+ }
+ });
+ }
+
+ @Test
+ public void testConnectionWithMultipleRetries() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ List<Future<Boolean>> tasks = new ArrayList<Future<Boolean>>();
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ String roleName = "admin_r";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+
+ ExecutorService executorService = Executors.newFixedThreadPool(20);
+
+ Callable<Boolean> func = new Callable<Boolean>() {
+ public Boolean call() throws Exception {
+ return SentryServiceIntegrationBase.clientUgi.doAs(new PrivilegedExceptionAction<Boolean>() {
+ @Override
+ public Boolean run() throws Exception {
+ try {
+ client.listRoles(SentryServiceIntegrationBase.ADMIN_USER);
+ return true;
+ } catch (SentryUserException sue) {
+ return false;
+ }
+ }
+ });
+ }
+ };
+
+ for (int i = 0; i < 30; i++) {
+ FutureTask<Boolean> task = new FutureTask<Boolean>(func);
+ tasks.add(task);
+ executorService.submit(task);
+ }
+
+ for (Future<Boolean> task : tasks) {
+ Boolean result = task.get();
+ assertTrue("Some tasks are failed.", result);
+ }
+ }
+ });
+ }
+}
\ No newline at end of file
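Review bot: In `testConnectionWithMultipleRetries` the `Executors.newFixedThreadPool(20)` created before the `Callable` is never shut down, so its non-daemon worker threads outlive the test; wrap everything from the executor creation through the result loop in `try { … } finally { executorService.shutdownNow(); }`. The `catch (SentryUserException sue) { return false; }` inside `run()` also discards the only information about why a task failed, leaving `assertTrue("Some tasks are failed.", result)` with no cause to report; letting the exception propagate makes `task.get()` throw an `ExecutionException` whose cause is the real failure, which is far more useful when this flakes under concurrency. Minor: `testConnectionWhenReconnect` calls `stopSentryService()` unqualified but `SentryServiceIntegrationBase.startSentryService()` qualified two lines later.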
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
new file mode 100644
index 0000000..e44c7ca
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceFailureCase.java
@@ -0,0 +1,74 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Strings;
+
+public class TestSentryServiceFailureCase extends SentryServiceIntegrationBase {
+ private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryServiceFailureCase.class);
+ private static final String PEER_CALLBACK_FAILURE = "Peer indicated failure: Problem with callback handler";
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.kerberos = true;
+ SentryServiceIntegrationBase.beforeSetup();
+ SentryServiceIntegrationBase.setupConf();
+ SentryServiceIntegrationBase.conf.set(ServerConfig.ALLOW_CONNECT, "");
+ SentryServiceIntegrationBase.startSentryService();
+ SentryServiceIntegrationBase.afterSetup();
+ }
+
+ @Override
+ @Before
+ public void before() throws Exception {
+ }
+
+ @Override
+ @After
+ public void after() {
+ }
+
+ @Test
+ public void testClientServerConnectionFailure() throws Exception {
+ try {
+ connectToSentryService();
+ Assert.fail("Failed to receive Exception");
+ } catch(Exception e) {
+ LOGGER.info("Excepted exception", e);
+ Throwable cause = e.getCause();
+ if (cause == null) {
+ throw e;
+ }
+ String msg = "Exception message: " + cause.getMessage() + " to contain " +
+ PEER_CALLBACK_FAILURE;
+ Assert.assertTrue(msg, Strings.nullToEmpty(cause.getMessage())
+ .contains(PEER_CALLBACK_FAILURE));
+ }
+ }
+}
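Review bot: The log message `LOGGER.info("Excepted exception", e)` in `testClientServerConnectionFailure` is a typo for `"Expected exception"`, and since the log line is what someone reads when the assertion that follows fails, it is worth fixing. The empty `before()`/`after()` overrides carry no comment; presumably they suppress the base class's per-test connect (which is exactly what this test expects to fail), so a one-liner such as `// base before() would connect and fail; this test connects explicitly` would stop a future maintainer from removing them. Likewise `conf.set(ServerConfig.ALLOW_CONNECT, "")` in `setup()` is the whole point of the test and should say so, e.g. `// empty allow-list: the server's callback handler must reject this client`.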
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForHAWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForHAWithKerberos.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForHAWithKerberos.java
new file mode 100644
index 0000000..f6cd8a0
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForHAWithKerberos.java
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+
+import java.io.File;
+import java.util.Set;
+
+import org.apache.sentry.core.common.utils.PolicyFile;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+/**
+ * Test various kerberos related stuff on the SentryService side
+ */
+public class TestSentryServiceForHAWithKerberos extends SentryServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.kerberos = true;
+ SentryServiceIntegrationBase.haEnabled = true;
+ SentryServiceIntegrationBase.SERVER_KERBEROS_NAME = "sentry/_HOST@" + SentryServiceIntegrationBase.REALM;
+ SentryServiceIntegrationBase.beforeSetup();
+ SentryServiceIntegrationBase.setupConf();
+ SentryServiceIntegrationBase.startSentryService();
+ SentryServiceIntegrationBase.afterSetup();
+ }
+
+ @Override
+ @Before
+ public void before() throws Exception {
+ policyFilePath = new File(SentryServiceIntegrationBase.dbDir, "local_policy_file.ini");
+ SentryServiceIntegrationBase.conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
+ policyFilePath.getPath());
+ policyFile = new PolicyFile();
+ connectToSentryService();
+ }
+
+ @Test
+ public void testCreateRole() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r";
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+ client.dropRole(requestorUserName, roleName);
+ }
+ });
+ }
+}
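Review bot: The class Javadoc `Test various kerberos related stuff on the SentryService side` does not mention the two things that distinguish this class from the non-HA Kerberos test, namely `haEnabled = true` and the `sentry/_HOST@REALM` principal; suggest `/** Kerberos tests against the SentryService with HA enabled and a _HOST-substituted server principal. */`. Also, `before()` sets `SENTRY_STORE_GROUP_MAPPING_RESOURCE` on `conf` after `startSentryService()` has already run in `@BeforeClass`; whether the running server re-reads that setting is not visible here, so if the intent is for the server to use the per-test policy file it would be safer to set it in `setup()` before the service starts, or to note why the late set is sufficient.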
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolHAWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolHAWithKerberos.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolHAWithKerberos.java
new file mode 100644
index 0000000..d453e92
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolHAWithKerberos.java
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.BeforeClass;
+
+public class
+
+ TestSentryServiceForPoolHAWithKerberos extends TestSentryServiceWithKerberos {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.kerberos = true;
+ SentryServiceIntegrationBase.haEnabled = true;
+ SentryServiceIntegrationBase.pooled = true;
+ SentryServiceIntegrationBase.beforeSetup();
+ SentryServiceIntegrationBase.setupConf();
+ SentryServiceIntegrationBase.startSentryService();
+ SentryServiceIntegrationBase.afterSetup();
+ }
+
+}
\ No newline at end of file
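Review bot: The class declaration is split across three lines with a blank line in the middle (`public class` / blank / `TestSentryServiceForPoolHAWithKerberos extends TestSentryServiceWithKerberos {`); it compiles, but it reads as an editing accident and defeats a grep for the class name, so join it into `public class TestSentryServiceForPoolHAWithKerberos extends TestSentryServiceWithKerberos {`. The licence header here has the same `createRequired` corruption already noted for the sibling pool test files.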
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolWithKerberos.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolWithKerberos.java
new file mode 100644
index 0000000..f3eb648
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceForPoolWithKerberos.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.BeforeClass;
+
+public class TestSentryServiceForPoolWithKerberos extends TestSentryServiceWithKerberos {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.kerberos = true;
+ SentryServiceIntegrationBase.haEnabled = false;
+ SentryServiceIntegrationBase.pooled = true;
+ SentryServiceIntegrationBase.beforeSetup();
+ SentryServiceIntegrationBase.setupConf();
+ SentryServiceIntegrationBase.startSentryService();
+ SentryServiceIntegrationBase.afterSetup();
+ }
+
+}
\ No newline at end of file
[18/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java
new file mode 100644
index 0000000..223cc87
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java
@@ -0,0 +1,143 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+
+public class SentryStoreSchemaInfo {
+ private static final String SQL_FILE_EXTENSION = ".sql";
+ private static final String UPGRADE_FILE_PREFIX = "upgrade-";
+ private static final String INIT_FILE_PREFIX = "sentry-";
+ private static final String VERSION_UPGRADE_LIST = "upgrade.order";
+ private final String dbType;
+ private final String sentrySchemaVersions[];
+ private final String sentryScriptDir;
+
+ private static final String SENTRY_VERSION = "1.8.0";
+
+ public SentryStoreSchemaInfo(String sentryScriptDir, String dbType)
+ throws SentryUserException {
+ this.sentryScriptDir = sentryScriptDir;
+ this.dbType = dbType;
+ // load upgrade order for the given dbType
+ List<String> upgradeOrderList = new ArrayList<String>();
+ String upgradeListFile = getSentryStoreScriptDir() + File.separator
+ + VERSION_UPGRADE_LIST + "." + dbType;
+ try (BufferedReader bfReader = new BufferedReader(new FileReader(upgradeListFile))) {
+ String currSchemaVersion;
+ while ((currSchemaVersion = bfReader.readLine()) != null) {
+ upgradeOrderList.add(currSchemaVersion.trim());
+ }
+ } catch (FileNotFoundException e) {
+ throw new SentryUserException("File " + upgradeListFile + " not found ", e);
+ } catch (IOException e) {
+ throw new SentryUserException("Error reading " + upgradeListFile, e);
+ }
+ sentrySchemaVersions = upgradeOrderList.toArray(new String[0]);
+ }
+
+ public String getSentrySchemaVersion() {
+ return SENTRY_VERSION;
+ }
+
+ public List<String> getUpgradeScripts(String fromSchemaVer)
+ throws SentryUserException {
+ List<String> upgradeScriptList = new ArrayList<String>();
+
+ // check if we are already at current schema level
+ if (getSentryVersion().equals(fromSchemaVer)) {
+ return upgradeScriptList;
+ }
+
+ // Find the list of scripts to execute for this upgrade
+ int firstScript = sentrySchemaVersions.length;
+ for (int i = 0; i < sentrySchemaVersions.length; i++) {
+ String fromVersion = sentrySchemaVersions[i].split("-to-")[0];
+ if (fromVersion.equals(fromSchemaVer)) {
+ firstScript = i;
+ break;
+ }
+ }
+ if (firstScript == sentrySchemaVersions.length) {
+ throw new SentryUserException("Unknown version specified for upgrade "
+ + fromSchemaVer + " Metastore schema may be too old or newer");
+ }
+
+ for (int i = firstScript; i < sentrySchemaVersions.length; i++) {
+ String scriptFile = generateUpgradeFileName(sentrySchemaVersions[i]);
+ upgradeScriptList.add(scriptFile);
+ }
+ return upgradeScriptList;
+ }
+
+ /***
+ * Get the name of the script to initialize the schema for given version
+ *
+ * @param toVersion
+ * Target version. If it's null, then the current server version is
+ * used
+ * @return
+ * @throws SentryUserException
+ */
+ public String generateInitFileName(String toVersion)
+ throws SentryUserException {
+ String version = toVersion;
+ if (version == null) {
+ version = getSentryVersion();
+ }
+ String initScriptName = INIT_FILE_PREFIX + dbType + "-" + version
+ + SQL_FILE_EXTENSION;
+ // check if the file exists
+ if (!(new File(getSentryStoreScriptDir() + File.separatorChar
+ + initScriptName).exists())) {
+ throw new SentryUserException(
+ "Unknown version specified for initialization: " + version);
+ }
+ return initScriptName;
+ }
+
+ /**
+ * Find the directory of sentry store scripts
+ *
+ * @return
+ */
+ public String getSentryStoreScriptDir() {
+ return sentryScriptDir;
+ }
+
+ // format the upgrade script name eg upgrade-x-y-dbType.sql
+ private String generateUpgradeFileName(String fileVersion) {
+ return INIT_FILE_PREFIX + UPGRADE_FILE_PREFIX + dbType + "-"
+ + fileVersion + SQL_FILE_EXTENSION;
+ }
+
+ // Current hive version, in majorVersion.minorVersion.changeVersion format
+ // TODO: store the version using the build script
+ public static String getSentryVersion() {
+ return SENTRY_VERSION;
+ }
+}
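Review bot: `getUpgradeScripts` (L31158–L31186) returns script names built from `upgrade.order.<dbType>` entries without checking that the file exists, while `generateInitFileName` does check at L31206–L31210, so a typo in the order file, or a stray blank line (the loop at L31143–L31145 keeps empty lines as `""` entries), only fails later when the caller tries to open the script. Skip blank lines while reading, `if (currSchemaVersion.trim().isEmpty()) continue;`, and mirror the existence check of `generateInitFileName` inside `generateUpgradeFileName` so a bad entry is rejected with a `SentryUserException` naming the file. The reader at L31141 uses `FileReader`, which decodes with the platform default charset; `Files.newBufferedReader(Paths.get(upgradeListFile), StandardCharsets.UTF_8)` makes the parse independent of the server's locale. The comment at L31229 still says "Current hive version"; it should read "Current Sentry schema version".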
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceRegister.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceRegister.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceRegister.java
new file mode 100644
index 0000000..79dfe48
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceRegister.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import org.apache.curator.x.discovery.ServiceDiscoveryBuilder;
+import org.apache.curator.x.discovery.ServiceInstance;
+import org.apache.curator.x.discovery.details.InstanceSerializer;
+
+public class ServiceRegister {
+
+ private HAContext haContext;
+
+ public ServiceRegister(HAContext haContext) {
+ this.haContext = haContext;
+ }
+
+ public void regService(String host, int port) throws Exception {
+
+ haContext.startCuratorFramework();
+ ServiceInstance<Void> serviceInstance = ServiceInstance.<Void>builder()
+ .address(host)
+ .port(port)
+ .name(HAContext.SENTRY_SERVICE_REGISTER_NAMESPACE)
+ .build();
+
+ InstanceSerializer<Void> instanceSerializer = new FixedJsonInstanceSerializer<Void>(Void.class);
+ ServiceDiscoveryBuilder.builder(Void.class)
+ .basePath(HAContext.SENTRY_SERVICE_REGISTER_NAMESPACE)
+ .client(haContext.getCuratorFramework())
+ .serializer(instanceSerializer)
+ .thisInstance(serviceInstance)
+ .build()
+ .start();
+ }
+
+}
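Review bot: The `ServiceDiscovery` built and started at L31285–L31291 is discarded as soon as `regService` returns, so nothing can `close()` it to deregister this instance when the service shuts down; the ZooKeeper entry then presumably lingers until the Curator session expires, and peers that read the registry may keep routing to a server that is gone. Keep the handle in a field, `private ServiceDiscovery<Void> serviceDiscovery;`, assign it from the builder, and add a `close()` method that calls `serviceDiscovery.close()` for the shutdown path to invoke. `regService` also declares `throws Exception`, which tells callers nothing about which failures (connection, registration, serialization) they can handle; at minimum the Javadoc should say what can fail and that the method must be called once per process.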
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
new file mode 100644
index 0000000..9e7fca8
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
@@ -0,0 +1,69 @@
+package org.apache.sentry.provider.db.service.thrift;
+
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import java.io.IOException;
+import java.io.Writer;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.conf.Configuration;
+
+/**
+ * Servlet to print out all sentry configuration.
+ */
+public class ConfServlet extends HttpServlet {
+ public static final String CONF_CONTEXT_ATTRIBUTE = "sentry.conf";
+ public static final String FORMAT_JSON = "json";
+ public static final String FORMAT_XML = "xml";
+ public static final String FORMAT_PARAM = "format";
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public void doGet(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ String format = request.getParameter(FORMAT_PARAM);
+ if (format == null) {
+ format = FORMAT_XML;
+ }
+
+ if (FORMAT_XML.equals(format)) {
+ response.setContentType("text/xml; charset=utf-8");
+ } else if (FORMAT_JSON.equals(format)) {
+ response.setContentType("application/json; charset=utf-8");
+ }
+
+ Configuration conf = (Configuration)getServletContext().getAttribute(
+ CONF_CONTEXT_ATTRIBUTE);
+ assert conf != null;
+
+ Writer out = response.getWriter();
+ if (FORMAT_JSON.equals(format)) {
+ Configuration.dumpConfiguration(conf, out);
+ } else if (FORMAT_XML.equals(format)) {
+ conf.writeXml(out);
+ } else {
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad format: " + format);
+ }
+ out.close();
+ }
+}
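Review bot: `doGet` writes the whole server `Configuration` to the caller at L31363/L31365 without redacting anything, so if the deployment keeps credentials in this Configuration (a backend-store or keystore password, for instance) they are served in clear to every user the auth filter admits, and to anyone at all if the web UI runs without authentication. Copy the configuration and mask credential-looking keys before dumping it; a key-name heuristic is crude, but far better than an unredacted dump. The `assert conf != null` at L31359 is a no-op unless the JVM runs with `-ea`, so a missing context attribute surfaces as a NullPointerException/500 instead of a clear error; replace it with an explicit check. The rewrite below needs `java.util.Map` and `java.util.Locale` in the import block.

```java
    Configuration conf = (Configuration) getServletContext().getAttribute(
        CONF_CONTEXT_ATTRIBUTE);
    if (conf == null) {
      response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
          "Sentry configuration is not available");
      return;
    }
    // Never serve credentials: mask any property whose name looks like a secret.
    Configuration redacted = new Configuration(conf);
    for (Map.Entry<String, String> entry : conf) {
      String key = entry.getKey().toLowerCase(Locale.ROOT);
      if (key.contains("password") || key.contains("secret") || key.contains("credential")) {
        redacted.set(entry.getKey(), "*****");
      }
    }
    // … unchanged: JSON/XML branches, writing `redacted` instead of `conf` …
```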
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandler.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandler.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandler.java
new file mode 100644
index 0000000..b1a4b7f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandler.java
@@ -0,0 +1,79 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+
+/**
+ * Users wishing to be notified when a metadata changing event occurs
+ * should extend this abstract class. All methods which modify the underlying
+ * metadata in SentryPolicyStoreProcessor will have a corresponding method
+ * on this class. Each method will contain a copy of the request and response
+ * object. Therefore any change to the request or response object will be ignored.
+ * Additionally each method will be passed a CommitContext.
+ *
+ * Sub-classes should be thread-safe.
+ */
+public abstract class NotificationHandler {
+
+ private final Configuration config;
+
+ public NotificationHandler(Configuration config) throws Exception {
+ this.config = config;
+ }
+
+ protected Configuration getConf() {
+ return config;
+ }
+
+ public void create_sentry_role(CommitContext context,
+ TCreateSentryRoleRequest request, TCreateSentryRoleResponse response) {
+ }
+
+ public void drop_sentry_role(CommitContext context, TDropSentryRoleRequest request,
+ TDropSentryRoleResponse response) {
+ }
+
+ public void alter_sentry_role_grant_privilege(CommitContext context, TAlterSentryRoleGrantPrivilegeRequest request,
+ TAlterSentryRoleGrantPrivilegeResponse response) {
+ }
+
+ public void alter_sentry_role_revoke_privilege(CommitContext context, TAlterSentryRoleRevokePrivilegeRequest request,
+ TAlterSentryRoleRevokePrivilegeResponse response) {
+ }
+
+ public void alter_sentry_role_add_groups(CommitContext context,
+ TAlterSentryRoleAddGroupsRequest request,
+ TAlterSentryRoleAddGroupsResponse response) {
+ }
+
+ public void alter_sentry_role_delete_groups(
+ CommitContext context, TAlterSentryRoleDeleteGroupsRequest request,
+ TAlterSentryRoleDeleteGroupsResponse response) {
+ }
+
+ public void alter_sentry_role_add_users(CommitContext context,
+ TAlterSentryRoleAddUsersRequest request, TAlterSentryRoleAddUsersResponse response) {
+ }
+
+ public void alter_sentry_role_delete_users(CommitContext context,
+ TAlterSentryRoleDeleteUsersRequest request, TAlterSentryRoleDeleteUsersResponse response) {
+ }
+}
\ No newline at end of file
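Review bot: The constructor at L31417 declares `throws Exception` although it only stores the field, which forces every subclass constructor and every instantiation site to handle a checked `Exception` for no reason; drop the clause, `public NotificationHandler(Configuration config) {`. A subclass that genuinely can fail at construction can still declare its own, narrower, exception. The class Javadoc should also state whether a handler can influence the outcome of the change it is notified about; judging from the `CommitContext` parameter and the "successful request" wording in the invoker's Javadoc it cannot, but that is inferred rather than visible here and is worth spelling out for people writing audit or replication handlers.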
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandlerInvoker.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandlerInvoker.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandlerInvoker.java
new file mode 100644
index 0000000..856ef9a
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandlerInvoker.java
@@ -0,0 +1,176 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import java.util.List;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.ImmutableList;
+
+/**
+ * Invokes configured instances of NotificationHandler. Importantly
+ * NotificationHandler's each receive a copy of the request and
+ * response thrift objects from each successful request.
+ */
+public class NotificationHandlerInvoker extends NotificationHandler {
+ private static final Logger LOGGER = LoggerFactory.getLogger(NotificationHandlerInvoker.class);
+
+ private final ImmutableList<NotificationHandler> handlers;
+
+ public NotificationHandlerInvoker(Configuration conf, NotificationHandler handler)
+ throws Exception {
+ this(conf, ImmutableList.of(handler));
+ }
+
+ public NotificationHandlerInvoker(Configuration conf, List<NotificationHandler> handlers)
+ throws Exception {
+ super(conf);
+ this.handlers = ImmutableList.copyOf(handlers);
+ }
+
+ @Override
+ public void create_sentry_role(CommitContext context,
+ TCreateSentryRoleRequest request, TCreateSentryRoleResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.create_sentry_role(context, new TCreateSentryRoleRequest(request),
+ new TCreateSentryRoleResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+
+ @Override
+ public void drop_sentry_role(CommitContext context, TDropSentryRoleRequest request,
+ TDropSentryRoleResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.drop_sentry_role(context, new TDropSentryRoleRequest(request),
+ new TDropSentryRoleResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+
+ @Override
+ public void alter_sentry_role_grant_privilege(CommitContext context,
+ TAlterSentryRoleGrantPrivilegeRequest request,
+ TAlterSentryRoleGrantPrivilegeResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.alter_sentry_role_grant_privilege(context,
+ new TAlterSentryRoleGrantPrivilegeRequest(request),
+ new TAlterSentryRoleGrantPrivilegeResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+
+ @Override
+ public void alter_sentry_role_revoke_privilege(CommitContext context,
+ TAlterSentryRoleRevokePrivilegeRequest request,
+ TAlterSentryRoleRevokePrivilegeResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.alter_sentry_role_revoke_privilege(context,
+ new TAlterSentryRoleRevokePrivilegeRequest(request),
+ new TAlterSentryRoleRevokePrivilegeResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+
+ @Override
+ public void alter_sentry_role_add_groups(CommitContext context,
+ TAlterSentryRoleAddGroupsRequest request,
+ TAlterSentryRoleAddGroupsResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.alter_sentry_role_add_groups(context, new TAlterSentryRoleAddGroupsRequest(request),
+ new TAlterSentryRoleAddGroupsResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+
+ @Override
+ public void alter_sentry_role_delete_groups(
+ CommitContext context, TAlterSentryRoleDeleteGroupsRequest request,
+ TAlterSentryRoleDeleteGroupsResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.alter_sentry_role_delete_groups(context, new TAlterSentryRoleDeleteGroupsRequest(request),
+ new TAlterSentryRoleDeleteGroupsResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+
+ @Override
+ public void alter_sentry_role_add_users(CommitContext context,
+ TAlterSentryRoleAddUsersRequest request, TAlterSentryRoleAddUsersResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.alter_sentry_role_add_users(context, new TAlterSentryRoleAddUsersRequest(request),
+ new TAlterSentryRoleAddUsersResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: " + request + ", Response: "
+ + response, ex);
+ }
+ }
+ }
+
+ @Override
+ public void alter_sentry_role_delete_users(CommitContext context,
+ TAlterSentryRoleDeleteUsersRequest request, TAlterSentryRoleDeleteUsersResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.alter_sentry_role_delete_users(context, new TAlterSentryRoleDeleteUsersRequest(
+ request), new TAlterSentryRoleDeleteUsersResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: " + request + ", Response: "
+ + response, ex);
+ }
+ }
+ }
+}
\ No newline at end of file
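Review bot: Each callback catches `Exception` per handler and only logs at ERROR (e.g. L31526–L31529), so a failing handler never affects the policy change or the other handlers; that is a sensible isolation choice, but it is undocumented, and an operator wiring an audit or replication handler would not know its failures are silent apart from the log. Add to the class Javadoc: `Exceptions thrown by a handler are logged and swallowed; a handler cannot veto or roll back the change, and the remaining handlers are still invoked.` The `LOGGER.debug("Calling " + handler)` lines build the message even when debug is off; the SLF4J form `LOGGER.debug("Calling {}", handler);` avoids that. The eight methods are copies of one template differing only in the thrift types and copy constructors; a private generic helper would shrink the class considerably if the module's Java level allows lambdas.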
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/PolicyStoreConstants.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/PolicyStoreConstants.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/PolicyStoreConstants.java
new file mode 100644
index 0000000..8cf1c1a
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/PolicyStoreConstants.java
@@ -0,0 +1,32 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+public final class PolicyStoreConstants {
+ public static final String SENTRY_GENERIC_POLICY_NOTIFICATION = "sentry.generic.policy.notification";
+ public static final String SENTRY_GENERIC_POLICY_STORE = "sentry.generic.policy.store";
+ public static final String SENTRY_GENERIC_POLICY_STORE_DEFAULT =
+ "org.apache.sentry.provider.db.generic.service.persistent.DelegateSentryStore";
+ public static class PolicyStoreServerConfig {
+ public static final String NOTIFICATION_HANDLERS = "sentry.policy.store.notification.handlers";
+ }
+
+ private PolicyStoreConstants() {
+ // Make constructor private to avoid instantiation
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
new file mode 100644
index 0000000..c1cfc1b
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.Properties;
+import java.util.Set;
+
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.hadoop.util.StringUtils;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.Sets;
+
+/**
+ * SentryAuthFilter is a subclass of AuthenticationFilter,
+ * add authorization: Only allowed users could connect the web server.
+ */
+public class SentryAuthFilter extends AuthenticationFilter {
+
+ private static final Logger LOG = LoggerFactory.getLogger(SentryAuthFilter.class);
+
+ public static final String ALLOW_WEB_CONNECT_USERS = ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS;
+
+ private Set<String> allowUsers;
+
+ @Override
+ protected void doFilter(FilterChain filterChain, HttpServletRequest request,
+ HttpServletResponse response) throws IOException, ServletException {
+ String userName = request.getRemoteUser();
+ LOG.debug("Authenticating user: " + userName + " from request.");
+ if (!allowUsers.contains(userName)) {
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,
+ "Unauthorized user status code: " + HttpServletResponse.SC_FORBIDDEN);
+ throw new ServletException(userName + " is unauthorized. status code: " + HttpServletResponse.SC_FORBIDDEN);
+ }
+ super.doFilter(filterChain, request, response);
+ }
+
+ /**
+ * Override <code>getConfiguration<code> to get <code>ALLOW_WEB_CONNECT_USERS<code>.
+ */
+ @Override
+ protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) throws ServletException {
+ Properties props = new Properties();
+ Enumeration<?> names = filterConfig.getInitParameterNames();
+ while (names.hasMoreElements()) {
+ String name = (String) names.nextElement();
+ if (name.startsWith(configPrefix)) {
+ String value = filterConfig.getInitParameter(name);
+ if (ALLOW_WEB_CONNECT_USERS.equals(name)) {
+ allowUsers = parseConnectUsersFromConf(value);
+ } else {
+ props.put(name.substring(configPrefix.length()), value);
+ }
+ }
+ }
+ return props;
+ }
+
+ private static Set<String> parseConnectUsersFromConf(String value) {
+ String lcValue = value;
+ if (lcValue != null) {
+ lcValue = lcValue.toLowerCase();
+ }
+ return Sets.newHashSet(StringUtils.getStrings(lcValue));
+ }
+}
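Review bot: The allow-list is lowercased when parsed at L31780, but the authenticated name from `request.getRemoteUser()` is compared verbatim at L31748, so a principal whose name contains upper-case characters is rejected even when it is configured; normalise both sides the same way, `if (userName == null || !allowUsers.contains(userName.toLowerCase())) {`, or drop the lowercasing at L31780 and compare exactly. The null guard also covers a request on which the parent filter did not set a remote user. If the `ALLOW_WEB_CONNECT_USERS` init parameter is absent, `allowUsers` stays null and L31748 throws a NullPointerException on every request, so initialise the field to an empty set so the filter fails closed with a clean 403. After `sendError` at L31749 the method additionally throws `ServletException`; the response is already committed, so the throw only adds a container stack trace per rejected request, and a plain `return` is enough. The debug message at L31747 says "Authenticating" but this filter performs authorization; wording it as such keeps the log honest.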
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryHealthCheckServletContextListener.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryHealthCheckServletContextListener.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryHealthCheckServletContextListener.java
new file mode 100644
index 0000000..8822c2e
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryHealthCheckServletContextListener.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import com.codahale.metrics.health.HealthCheckRegistry;
+import com.codahale.metrics.servlets.HealthCheckServlet;
+
+/**
+ * Use this class's registry to register health checks: Can be some tests which make sure Sentry service is healthy
+ */
+public class SentryHealthCheckServletContextListener extends HealthCheckServlet.ContextListener {
+
+ //This is just a place holder for health check registry, with out this AdminServlet throws out an error
+ public static final HealthCheckRegistry HEALTH_CHECK_REGISTRY = new HealthCheckRegistry();
+
+ @Override
+ protected HealthCheckRegistry getHealthCheckRegistry() {
+ return HEALTH_CHECK_REGISTRY;
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetrics.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetrics.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetrics.java
new file mode 100644
index 0000000..c6d4d02
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetrics.java
@@ -0,0 +1,162 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import com.codahale.metrics.ConsoleReporter;
+import com.codahale.metrics.Counter;
+import com.codahale.metrics.Gauge;
+import com.codahale.metrics.Histogram;
+import com.codahale.metrics.JmxReporter;
+import com.codahale.metrics.Metric;
+import com.codahale.metrics.MetricRegistry;
+import com.codahale.metrics.MetricSet;
+import com.codahale.metrics.Timer;
+import com.codahale.metrics.jvm.BufferPoolMetricSet;
+import com.codahale.metrics.jvm.GarbageCollectorMetricSet;
+import com.codahale.metrics.jvm.MemoryUsageGaugeSet;
+import com.codahale.metrics.jvm.ThreadStatesGaugeSet;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
+
+import java.lang.management.ManagementFactory;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * A singleton class which holds metrics related utility functions as well as the list of metrics
+ */
+public final class SentryMetrics {
+ private static SentryMetrics sentryMetrics = null;
+ private boolean reportingInitialized = false;
+ private boolean gaugesAdded = false;
+
+ public final Timer createRoleTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
+ MetricRegistry.name(SentryPolicyStoreProcessor.class, "create-role"));
+ public final Timer dropRoleTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
+ MetricRegistry.name(SentryPolicyStoreProcessor.class, "drop-role"));
+ public final Timer grantRoleTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
+ MetricRegistry.name(SentryPolicyStoreProcessor.class, "grant-role"));
+ public final Timer revokeRoleTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
+ MetricRegistry.name(SentryPolicyStoreProcessor.class, "revoke-role"));
+ public final Timer grantTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
+ MetricRegistry.name(SentryPolicyStoreProcessor.class, "grant-privilege"));
+ public final Timer revokeTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
+ MetricRegistry.name(SentryPolicyStoreProcessor.class, "revoke-privilege"));
+
+ public final Timer dropPrivilegeTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
+ MetricRegistry.name(SentryPolicyStoreProcessor.class, "drop-privilege"));
+ public final Timer renamePrivilegeTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
+ MetricRegistry.name(SentryPolicyStoreProcessor.class, "rename-privilege"));
+
+ public final Timer listRolesByGroupTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
+ MetricRegistry.name(SentryPolicyStoreProcessor.class, "list-roles-by-group"));
+ public final Timer listPrivilegesByRoleTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
+ MetricRegistry.name(SentryPolicyStoreProcessor.class, "list-privileges-by-role"));
+ public final Timer listPrivilegesForProviderTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
+ MetricRegistry.name(SentryPolicyStoreProcessor.class, "list-privileges-for-provider"));
+ public final Timer listPrivilegesByAuthorizableTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
+ MetricRegistry.name(SentryPolicyStoreProcessor.class, "list-privileges-by-authorizable"));
+
+ /**
+ * Return a Timer with name.
+ */
+ public Timer getTimer(String name) {
+ return SentryMetricsServletContextListener.METRIC_REGISTRY.timer(name);
+ }
+
+ /**
+ * Return a Histogram with name.
+ */
+ public Histogram getHistogram(String name) {
+ return SentryMetricsServletContextListener.METRIC_REGISTRY.histogram(name);
+ }
+
+ /**
+ * Return a Counter with name.
+ */
+ public Counter getCounter(String name) {
+ return SentryMetricsServletContextListener.METRIC_REGISTRY.counter(name);
+ }
+
+ private SentryMetrics() {
+ registerMetricSet("gc", new GarbageCollectorMetricSet(), SentryMetricsServletContextListener.METRIC_REGISTRY);
+ registerMetricSet("buffers", new BufferPoolMetricSet(ManagementFactory.getPlatformMBeanServer()),
+ SentryMetricsServletContextListener.METRIC_REGISTRY);
+ registerMetricSet("memory", new MemoryUsageGaugeSet(), SentryMetricsServletContextListener.METRIC_REGISTRY);
+ registerMetricSet("threads", new ThreadStatesGaugeSet(), SentryMetricsServletContextListener.METRIC_REGISTRY);
+ }
+
+ public static synchronized SentryMetrics getInstance() {
+ if (sentryMetrics == null) {
+ sentryMetrics = new SentryMetrics();
+ }
+ return sentryMetrics;
+ }
+
+ public void addSentryStoreGauges(SentryStore sentryStore) {
+ if(!gaugesAdded) {
+ addGauge(SentryStore.class, "role_count", sentryStore.getRoleCountGauge());
+ addGauge(SentryStore.class, "privilege_count", sentryStore.getPrivilegeCountGauge());
+ addGauge(SentryStore.class, "group_count", sentryStore.getGroupCountGauge());
+ gaugesAdded = true;
+ }
+ }
+
+
+ /* Should be only called once to initialize the reporters
+ */
+ public synchronized void initReporting(Reporting reporting) {
+ if(!reportingInitialized) {
+ switch(reporting) {
+ case CONSOLE:
+ final ConsoleReporter consoleReporter = ConsoleReporter.forRegistry(SentryMetricsServletContextListener.METRIC_REGISTRY)
+ .convertRatesTo(TimeUnit.SECONDS)
+ .convertDurationsTo(TimeUnit.MILLISECONDS)
+ .build();
+ consoleReporter.start(1, TimeUnit.SECONDS);
+ break;
+ case JMX:
+ final JmxReporter jmxReporter = JmxReporter.forRegistry(SentryMetricsServletContextListener.METRIC_REGISTRY)
+ .convertRatesTo(TimeUnit.SECONDS)
+ .convertDurationsTo(TimeUnit.MILLISECONDS)
+ .build();
+ jmxReporter.start();
+ break;
+ }
+ }
+ }
+
+ private <T, V> void addGauge(Class<T> tClass, String gaugeName, Gauge<V> gauge) {
+ SentryMetricsServletContextListener.METRIC_REGISTRY.register(
+ MetricRegistry.name(tClass, gaugeName), gauge);
+ }
+
+ private void registerMetricSet(String prefix, MetricSet metricSet, MetricRegistry registry) {
+ for (Map.Entry<String, Metric> entry : metricSet.getMetrics().entrySet()) {
+ if (entry.getValue() instanceof MetricSet) {
+ registerMetricSet(prefix + "." + entry.getKey(), (MetricSet) entry.getValue(), registry);
+ } else {
+ registry.register(prefix + "." + entry.getKey(), entry.getValue());
+ }
+ }
+ }
+
+ public enum Reporting {
+ JMX,
+ CONSOLE;
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetricsServletContextListener.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetricsServletContextListener.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetricsServletContextListener.java
new file mode 100644
index 0000000..6692197
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetricsServletContextListener.java
@@ -0,0 +1,32 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import com.codahale.metrics.MetricRegistry;
+import com.codahale.metrics.servlets.MetricsServlet;
+
+public class SentryMetricsServletContextListener extends MetricsServlet.ContextListener {
+
+ public static final MetricRegistry METRIC_REGISTRY = new MetricRegistry();
+
+ @Override
+ protected MetricRegistry getMetricRegistry() {
+ return METRIC_REGISTRY;
+ }
+
+}
[37/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java
deleted file mode 100644
index d75e24b..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java
+++ /dev/null
@@ -1,595 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools;
-
-import java.io.BufferedReader;
-import java.io.BufferedWriter;
-import java.io.File;
-import java.io.FileReader;
-import java.io.FileWriter;
-import java.io.IOException;
-import java.io.PrintStream;
-import java.net.MalformedURLException;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.IllegalFormatException;
-import java.util.List;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.CommandLineParser;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.OptionBuilder;
-import org.apache.commons.cli.OptionGroup;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.io.output.NullOutputStream;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hive.beeline.BeeLine;
-import org.apache.sentry.Command;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
-import org.apache.sentry.provider.db.service.persistent.SentryStoreSchemaInfo;
-import org.apache.sentry.provider.db.tools.SentrySchemaHelper.NestedScriptParser;
-import org.apache.sentry.service.thrift.SentryService;
-import org.apache.sentry.service.thrift.ServiceConstants;
-
-public class SentrySchemaTool {
- private static final String SENTRY_SCRIP_DIR = File.separatorChar + "scripts"
- + File.separatorChar + "sentrystore" + File.separatorChar + "upgrade";
- private String userName = null;
- private String passWord = null;
- private String connectionURL = null;
- private String driver = null;
- private boolean dryRun = false;
- private String dbOpts = null;
- private boolean verbose = false;
- private final Configuration sentryConf;
- private final String dbType;
- private final SentryStoreSchemaInfo sentryStoreSchemaInfo;
-
- public SentrySchemaTool(Configuration sentryConf, String dbType)
- throws SentryUserException, IOException {
- this(System.getenv("SENTRY_HOME") + SENTRY_SCRIP_DIR, sentryConf, dbType);
- }
-
- public SentrySchemaTool(String sentryScripPath, Configuration sentryConf,
- String dbType) throws SentryUserException, IOException {
- if (sentryScripPath == null || sentryScripPath.isEmpty()) {
- throw new SentryUserException("No Sentry script dir provided");
- }
- this.sentryConf = sentryConf;
- this.dbType = dbType;
- this.sentryStoreSchemaInfo = new SentryStoreSchemaInfo(sentryScripPath,
- dbType);
- userName = sentryConf.get(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_USER,
- ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_USER_DEFAULT);
- //Password will be read from Credential provider specified using property
- // CREDENTIAL_PROVIDER_PATH("hadoop.security.credential.provider.path" in sentry-site.xml
- // it falls back to reading directly from sentry-site.xml
- char[] passTmp = sentryConf.getPassword(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_PASS);
- if(passTmp != null) {
- passWord = new String(passTmp);
- } else {
- throw new SentrySiteConfigurationException("Error reading " + ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_PASS);
- }
-
- try {
- connectionURL = getValidConfVar(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_URL);
- if(dbType.equalsIgnoreCase(SentrySchemaHelper.DB_DERBY)) {
- driver = sentryConf.get(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_DRIVER,
- ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_DRIVER_DEFAULT);
- } else {
- driver = getValidConfVar(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_DRIVER);
- }
- // load required JDBC driver
- Class.forName(driver);
- } catch (IOException e) {
- throw new SentryUserException("Missing property: " + e.getMessage());
- } catch (ClassNotFoundException e) {
- throw new SentryUserException("Failed to load driver", e);
- }
- }
-
- public Configuration getConfiguration() {
- return sentryConf;
- }
-
- public void setUserName(String userName) {
- this.userName = userName;
- }
-
- public void setPassWord(String passWord) {
- this.passWord = passWord;
- }
-
- public void setDryRun(boolean dryRun) {
- this.dryRun = dryRun;
- }
-
- public void setVerbose(boolean verbose) {
- this.verbose = verbose;
- }
-
- public String getDbOpts() {
- return dbOpts;
- }
-
- public void setDbOpts(String dbOpts) {
- this.dbOpts = dbOpts;
- }
-
- private static void printAndExit(Options cmdLineOptions) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("schemaTool", cmdLineOptions);
- System.exit(1);
- }
-
- /***
- * Print Hive version and schema version
- * @throws SentryUserException
- */
- public void showInfo() throws SentryUserException {
- Connection sentryStoreConn = getConnectionToMetastore(true);
- System.out.println("Sentry distribution version:\t "
- + SentryStoreSchemaInfo.getSentryVersion());
- System.out.println("SentryStore schema version:\t "
- + getMetaStoreSchemaVersion(sentryStoreConn));
- }
-
- // read schema version from sentry store
- private String getMetaStoreSchemaVersion(Connection sentryStoreConn)
- throws SentryUserException {
- String versionQuery;
- if (SentrySchemaHelper.getDbCommandParser(dbType).needsQuotedIdentifier()) {
- versionQuery = "select t.\"SCHEMA_VERSION\" from \"SENTRY_VERSION\" t";
- } else {
- versionQuery = "select t.SCHEMA_VERSION from SENTRY_VERSION t";
- }
- try (Statement stmt = sentryStoreConn.createStatement();
- ResultSet res = stmt.executeQuery(versionQuery)) {
- if (!res.next()) {
- throw new SentryUserException("Didn't find version data in sentry store");
- }
- String currentSchemaVersion = res.getString(1);
- sentryStoreConn.close();
- return currentSchemaVersion;
- } catch (SQLException e) {
- throw new SentryUserException("Failed to get schema version.", e);
- }
- }
-
- // test the connection sentry store using the config property
- private void testConnectionToMetastore() throws SentryUserException {
- try (Connection conn = getConnectionToMetastore(true)) {
- conn.close();
- } catch (SQLException e) {
- throw new SentryUserException("Failed to close sentry store connection", e);
- }
- }
-
- /***
- * get JDBC connection to sentry store db
- *
- * @param printInfo print connection parameters
- * @return
- * @throws SentryUserException
- */
- private Connection getConnectionToMetastore(boolean printInfo)
- throws SentryUserException {
- if (printInfo) {
- System.out.println("Sentry store connection URL:\t " + connectionURL);
- System.out.println("Sentry store Connection Driver :\t " + driver);
- System.out.println("Sentry store connection User:\t " + userName);
- }
- if (userName == null || userName.isEmpty()) {
- throw new SentryUserException("UserName empty ");
- }
- try {
- // Connect using the JDBC URL and user/pass from conf
- return DriverManager.getConnection(connectionURL, userName, passWord);
- } catch (SQLException e) {
- throw new SentryUserException("Failed to make connection to Sentry store.", e);
- }
- }
-
- /**
- * check if the current schema version in sentry store matches the Hive version
- * @throws SentryUserException
- */
- public void verifySchemaVersion() throws SentryUserException {
- // don't check version if its a dry run
- if (dryRun) {
- return;
- }
- String newSchemaVersion =
- getMetaStoreSchemaVersion(getConnectionToMetastore(false));
- // verify that the new version is added to schema
- if (!sentryStoreSchemaInfo.getSentrySchemaVersion().equalsIgnoreCase(
- newSchemaVersion)) {
- throw new SentryUserException("Found unexpected schema version "
- + newSchemaVersion);
- }
- }
-
- /**
- * Perform sentry store schema upgrade. extract the current schema version from sentry store
- * @throws SentryUserException
- */
- public void doUpgrade() throws SentryUserException {
- String fromVersion = getMetaStoreSchemaVersion(getConnectionToMetastore(false));
- if (fromVersion == null || fromVersion.isEmpty()) {
- throw new SentryUserException(
- "Schema version not stored in the sentry store. "
- +
- "Metastore schema is too old or corrupt. Try specifying the version manually");
- }
- doUpgrade(fromVersion);
- }
-
- /**
- * Perform sentry store schema upgrade
- *
- * @param fromSchemaVer
- * Existing version of the sentry store. If null, then read from the sentry store
- * @throws SentryUserException
- */
- public void doUpgrade(String fromSchemaVer) throws SentryUserException {
- if (sentryStoreSchemaInfo.getSentrySchemaVersion().equals(fromSchemaVer)) {
- System.out.println("No schema upgrade required from version " + fromSchemaVer);
- return;
- }
- // Find the list of scripts to execute for this upgrade
- List<String> upgradeScripts =
- sentryStoreSchemaInfo.getUpgradeScripts(fromSchemaVer);
- testConnectionToMetastore();
- System.out.println("Starting upgrade sentry store schema from version " +
- fromSchemaVer + " to "
- + sentryStoreSchemaInfo.getSentrySchemaVersion());
- String scriptDir = sentryStoreSchemaInfo.getSentryStoreScriptDir();
- try {
- for (String scriptFile : upgradeScripts) {
- System.out.println("Upgrade script " + scriptFile);
- if (!dryRun) {
- runBeeLine(scriptDir, scriptFile);
- System.out.println("Completed " + scriptFile);
- }
- }
- } catch (IOException eIO) {
- throw new SentryUserException(
- "Upgrade FAILED! Metastore state would be inconsistent !!", eIO);
- }
-
- // Revalidated the new version after upgrade
- verifySchemaVersion();
- }
-
- /**
- * Initialize the sentry store schema to current version
- *
- * @throws SentryUserException
- */
- public void doInit() throws SentryUserException {
- doInit(sentryStoreSchemaInfo.getSentrySchemaVersion());
-
- // Revalidated the new version after upgrade
- verifySchemaVersion();
- }
-
- /**
- * Initialize the sentry store schema
- *
- * @param toVersion
- * If null then current hive version is used
- * @throws SentryUserException
- */
- public void doInit(String toVersion) throws SentryUserException {
- testConnectionToMetastore();
- System.out.println("Starting sentry store schema initialization to " + toVersion);
-
- String initScriptDir = sentryStoreSchemaInfo.getSentryStoreScriptDir();
- String initScriptFile = sentryStoreSchemaInfo.generateInitFileName(toVersion);
-
- try {
- System.out.println("Initialization script " + initScriptFile);
- if (!dryRun) {
- runBeeLine(initScriptDir, initScriptFile);
- System.out.println("Initialization script completed");
- }
- } catch (IOException e) {
- throw new SentryUserException("Schema initialization FAILED!"
- + " Metastore state would be inconsistent !!", e);
- }
- }
-
- // Flatten the nested upgrade script into a buffer
- public static String buildCommand(NestedScriptParser dbCommandParser,
- String scriptDir, String scriptFile) throws IllegalFormatException, IOException {
-
- BufferedReader bfReader =
- new BufferedReader(new FileReader(scriptDir + File.separatorChar + scriptFile));
- String currLine;
- StringBuilder sb = new StringBuilder();
- String currentCommand = null;
- while ((currLine = bfReader.readLine()) != null) {
- currLine = currLine.trim();
- if (currLine.isEmpty()) {
- continue; // skip empty lines
- }
-
- if (currentCommand == null) {
- currentCommand = currLine;
- } else {
- currentCommand = currentCommand + " " + currLine;
- }
- if (dbCommandParser.isPartialCommand(currLine)) {
- // if its a partial line, continue collecting the pieces
- continue;
- }
-
- // if this is a valid executable command then add it to the buffer
- if (!dbCommandParser.isNonExecCommand(currentCommand)) {
- currentCommand = dbCommandParser.cleanseCommand(currentCommand);
-
- if (dbCommandParser.isNestedScript(currentCommand)) {
- // if this is a nested sql script then flatten it
- String currScript = dbCommandParser.getScriptName(currentCommand);
- sb.append(buildCommand(dbCommandParser, scriptDir, currScript));
- } else {
- // Now we have a complete statement, process it
- // write the line to buffer
- sb.append(currentCommand);
- sb.append(System.getProperty("line.separator"));
- }
- }
- currentCommand = null;
- }
- bfReader.close();
- return sb.toString();
- }
-
- // run beeline on the given sentry store scrip, flatten the nested scripts into single file
- private void runBeeLine(String scriptDir, String scriptFile) throws IOException {
- NestedScriptParser dbCommandParser =
- SentrySchemaHelper.getDbCommandParser(dbType);
- dbCommandParser.setDbOpts(getDbOpts());
- // expand the nested script
- String sqlCommands = buildCommand(dbCommandParser, scriptDir, scriptFile);
- File tmpFile = File.createTempFile("schematool", ".sql");
- tmpFile.deleteOnExit();
-
- // write out the buffer into a file. Add beeline commands for autocommit and close
- try (FileWriter fstream = new FileWriter(tmpFile.getPath());
- BufferedWriter out = new BufferedWriter(fstream)) {
-
- out.write("!set Silent " + verbose + System.getProperty("line.separator"));
- out.write("!autocommit on" + System.getProperty("line.separator"));
- out.write("!set Isolation TRANSACTION_READ_COMMITTED"
- + System.getProperty("line.separator"));
- out.write("!set AllowMultiLineCommand false"
- + System.getProperty("line.separator"));
- out.write(sqlCommands);
- out.write("!closeall" + System.getProperty("line.separator"));
- out.close();
- }
- runBeeLine(tmpFile.getPath());
- }
-
- // Generate the beeline args per hive conf and execute the given script
- public void runBeeLine(String sqlScriptFile) throws IOException {
- List<String> argList = new ArrayList<String>();
- argList.add("-u");
- argList.add(connectionURL);
- argList.add("-d");
- argList
- .add(driver);
- argList.add("-n");
- argList.add(userName);
- argList.add("-p");
- argList.add(passWord);
- argList.add("-f");
- argList.add(sqlScriptFile);
-
- BeeLine beeLine = new BeeLine();
- if (!verbose) {
- beeLine.setOutputStream(new PrintStream(new NullOutputStream()));
- // beeLine.getOpts().setSilent(true);
- }
- // beeLine.getOpts().setAllowMultiLineCommand(false);
- // beeLine.getOpts().setIsolation("TRANSACTION_READ_COMMITTED");
- int status = beeLine.begin(argList.toArray(new String[0]), null);
- if (status != 0) {
- throw new IOException("Schema script failed, errorcode " + status);
- }
- }
-
- private String getValidConfVar(String confVar) throws IOException {
- String confVarKey = confVar;
- String confVarValue = sentryConf.get(confVarKey);
- if (confVarValue == null || confVarValue.isEmpty()) {
- throw new IOException("Empty " + confVar);
- }
- return confVarValue;
- }
-
- // Create the required command line options
- @SuppressWarnings("static-access")
- private static void initOptions(Options cmdLineOptions) {
- Option help = new Option("help", "print this message");
- Option upgradeOpt = new Option("upgradeSchema", "Schema upgrade");
- Option upgradeFromOpt = OptionBuilder.withArgName("upgradeFrom").hasArg().
- withDescription("Schema upgrade from a version").
- create("upgradeSchemaFrom");
- Option initOpt = new Option("initSchema", "Schema initialization");
- Option initToOpt = OptionBuilder.withArgName("initTo").hasArg().
- withDescription("Schema initialization to a version").
- create("initSchemaTo");
- Option infoOpt = new Option("info", "Show config and schema details");
-
- OptionGroup optGroup = new OptionGroup();
- optGroup.addOption(upgradeOpt).addOption(initOpt).
- addOption(help).addOption(upgradeFromOpt).
- addOption(initToOpt).addOption(infoOpt);
- optGroup.setRequired(true);
-
- Option userNameOpt = OptionBuilder.withArgName("user")
- .hasArg()
- .withDescription("Override config file user name")
- .create("userName");
- Option passwdOpt = OptionBuilder.withArgName("password")
- .hasArg()
- .withDescription("Override config file password")
- .create("passWord");
- Option dbTypeOpt = OptionBuilder.withArgName("databaseType")
- .hasArg().withDescription("Metastore database type [" +
- SentrySchemaHelper.DB_DERBY + "," +
- SentrySchemaHelper.DB_MYSQL + "," +
- SentrySchemaHelper.DB_ORACLE + "," +
- SentrySchemaHelper.DB_POSTGRACE + "," +
- SentrySchemaHelper.DB_DB2 + "]")
- .create("dbType");
- Option dbOpts = OptionBuilder.withArgName("databaseOpts")
- .hasArgs().withDescription("Backend DB specific options")
- .create("dbOpts");
-
- Option dryRunOpt = new Option("dryRun", "list SQL scripts (no execute)");
- Option verboseOpt = new Option("verbose", "only print SQL statements");
-
- Option configOpt = OptionBuilder.withArgName("confName").hasArgs()
- .withDescription("Sentry Service configuration file").isRequired(true)
- .create(ServiceConstants.ServiceArgs.CONFIG_FILE_LONG);
-
- cmdLineOptions.addOption(help);
- cmdLineOptions.addOption(dryRunOpt);
- cmdLineOptions.addOption(userNameOpt);
- cmdLineOptions.addOption(passwdOpt);
- cmdLineOptions.addOption(dbTypeOpt);
- cmdLineOptions.addOption(verboseOpt);
- cmdLineOptions.addOption(dbOpts);
- cmdLineOptions.addOption(configOpt);
- cmdLineOptions.addOptionGroup(optGroup);
- }
-
- public static class CommandImpl implements Command {
- @Override
- public void run(String[] args) throws Exception {
- CommandLineParser parser = new GnuParser();
- CommandLine line = null;
- String dbType = null;
- String schemaVer = null;
- Options cmdLineOptions = new Options();
- String configFileName = null;
-
- // Argument handling
- initOptions(cmdLineOptions);
- try {
- line = parser.parse(cmdLineOptions, args);
- } catch (ParseException e) {
- System.err.println("SentrySchemaTool:Parsing failed. Reason: "
- + e.getLocalizedMessage());
- printAndExit(cmdLineOptions);
- }
-
- if (line.hasOption("help")) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("schemaTool", cmdLineOptions);
- return;
- }
-
- if (line.hasOption("dbType")) {
- dbType = line.getOptionValue("dbType");
- if (!dbType.equalsIgnoreCase(SentrySchemaHelper.DB_DERBY)
- && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_MYSQL)
- && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_POSTGRACE)
- && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_ORACLE)
- && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_DB2)) {
- System.err.println("Unsupported dbType " + dbType);
- printAndExit(cmdLineOptions);
- }
- } else {
- System.err.println("no dbType supplied");
- printAndExit(cmdLineOptions);
- }
- if (line.hasOption(ServiceConstants.ServiceArgs.CONFIG_FILE_LONG)) {
- configFileName = line
- .getOptionValue(ServiceConstants.ServiceArgs.CONFIG_FILE_LONG);
- } else {
- System.err.println("no config file specified");
- printAndExit(cmdLineOptions);
- }
- try {
- SentrySchemaTool schemaTool = new SentrySchemaTool(
- SentryService.loadConfig(configFileName), dbType);
-
- if (line.hasOption("userName")) {
- schemaTool.setUserName(line.getOptionValue("userName"));
- }
- if (line.hasOption("passWord")) {
- schemaTool.setPassWord(line.getOptionValue("passWord"));
- }
- if (line.hasOption("dryRun")) {
- schemaTool.setDryRun(true);
- }
- if (line.hasOption("verbose")) {
- schemaTool.setVerbose(true);
- }
- if (line.hasOption("dbOpts")) {
- schemaTool.setDbOpts(line.getOptionValue("dbOpts"));
- }
-
- if (line.hasOption("info")) {
- schemaTool.showInfo();
- } else if (line.hasOption("upgradeSchema")) {
- schemaTool.doUpgrade();
- } else if (line.hasOption("upgradeSchemaFrom")) {
- schemaVer = line.getOptionValue("upgradeSchemaFrom");
- schemaTool.doUpgrade(schemaVer);
- } else if (line.hasOption("initSchema")) {
- schemaTool.doInit();
- } else if (line.hasOption("initSchemaTo")) {
- schemaVer = line.getOptionValue("initSchemaTo");
- schemaTool.doInit(schemaVer);
- } else {
- System.err.println("no valid option supplied");
- printAndExit(cmdLineOptions);
- }
- } catch (SentryUserException e) {
- System.err.println(e);
- if (line.hasOption("verbose")) {
- e.printStackTrace();
- }
- System.err.println("*** Sentry schemaTool failed ***");
- System.exit(1);
- } catch (MalformedURLException e) {
- System.err.println(e);
- if (line.hasOption("verbose")) {
- e.printStackTrace();
- }
- System.err.println("*** Sentry schemaTool failed ***");
- System.exit(1);
- }
- System.out.println("Sentry schemaTool completed");
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
deleted file mode 100644
index b668b95..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
+++ /dev/null
@@ -1,110 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.util.Arrays;
-import java.util.List;
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.security.sasl.AuthorizeCallback;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.SaslRpcServer;
-import org.apache.sentry.core.common.exception.ConnectionDeniedException;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-
-public class GSSCallback extends SaslRpcServer.SaslGssCallbackHandler {
-
- private final Configuration conf;
- public GSSCallback(Configuration conf) {
- super();
- this.conf = conf;
- }
-
- boolean comparePrincipals(String principal1, String principal2) {
- String[] principalParts1 = SaslRpcServer.splitKerberosName(principal1);
- String[] principalParts2 = SaslRpcServer.splitKerberosName(principal2);
- if (principalParts1.length == 0 || principalParts2.length == 0) {
- return false;
- }
- if (principalParts1.length == principalParts2.length) {
- for (int i=0; i < principalParts1.length; i++) {
- if (!principalParts1[i].equals(principalParts2[i])) {
- return false;
- }
- }
- return true;
- } else {
- return false;
- }
- }
-
- boolean allowConnect(String principal) {
- String allowedPrincipals = conf.get(ServerConfig.ALLOW_CONNECT);
- if (allowedPrincipals == null) {
- return false;
- }
- String principalShortName = getShortName(principal);
- List<String> items = Arrays.asList(allowedPrincipals.split("\\s*,\\s*"));
- for (String item : items) {
- if (comparePrincipals(item, principalShortName)) {
- return true;
- }
- }
- return false;
- }
-
- private String getShortName(String principal) {
- String parts[] = SaslRpcServer.splitKerberosName(principal);
- return parts[0];
- }
-
- @Override
- public void handle(Callback[] callbacks)
- throws UnsupportedCallbackException, ConnectionDeniedException {
- AuthorizeCallback ac = null;
- for (Callback callback : callbacks) {
- if (callback instanceof AuthorizeCallback) {
- ac = (AuthorizeCallback) callback;
- } else {
- throw new UnsupportedCallbackException(callback,
- "Unrecognized SASL GSSAPI Callback");
- }
- }
- if (ac != null) {
- String authid = ac.getAuthenticationID();
- String authzid = ac.getAuthorizationID();
-
- if (allowConnect(authid)) {
- if (authid.equals(authzid)) {
- ac.setAuthorized(true);
- } else {
- ac.setAuthorized(false);
- }
- if (ac.isAuthorized()) {
- ac.setAuthorizedID(authzid);
- }
- } else {
- throw new ConnectionDeniedException(ac,
- "Connection to sentry service denied due to lack of client credentials",
- authid);
- }
- }
- }
-}
\ No newline at end of file
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
deleted file mode 100644
index 41e4fe4..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
+++ /dev/null
@@ -1,107 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.io.File;
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.security.auth.login.AppConfigurationEntry;
-
-public class KerberosConfiguration extends javax.security.auth.login.Configuration {
- private String principal;
- private String keytab;
- private boolean isInitiator;
- private static final boolean IBM_JAVA = System.getProperty("java.vendor").contains("IBM");
-
- private KerberosConfiguration(String principal, File keytab,
- boolean client) {
- this.principal = principal;
- this.keytab = keytab.getAbsolutePath();
- this.isInitiator = client;
- }
-
- public static javax.security.auth.login.Configuration createClientConfig(String principal,
- File keytab) {
- return new KerberosConfiguration(principal, keytab, true);
- }
-
- public static javax.security.auth.login.Configuration createServerConfig(String principal,
- File keytab) {
- return new KerberosConfiguration(principal, keytab, false);
- }
-
- private static String getKrb5LoginModuleName() {
- return (IBM_JAVA ? "com.ibm.security.auth.module.Krb5LoginModule"
- : "com.sun.security.auth.module.Krb5LoginModule");
- }
-
- @Override
- public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
- Map<String, String> options = new HashMap<String, String>();
-
- if (IBM_JAVA) {
- // IBM JAVA's UseKeytab covers both keyTab and useKeyTab options
- options.put("useKeytab",keytab.startsWith("file://") ? keytab : "file://" + keytab);
-
- options.put("principal", principal);
- options.put("refreshKrb5Config", "true");
-
- // Both "initiator" and "acceptor"
- options.put("credsType", "both");
- } else {
- options.put("keyTab", keytab);
- options.put("principal", principal);
- options.put("useKeyTab", "true");
- options.put("storeKey", "true");
- options.put("doNotPrompt", "true");
- options.put("useTicketCache", "true");
- options.put("renewTGT", "true");
- options.put("refreshKrb5Config", "true");
- options.put("isInitiator", Boolean.toString(isInitiator));
- }
-
- String ticketCache = System.getenv("KRB5CCNAME");
- if (IBM_JAVA) {
- // If cache is specified via env variable, it takes priority
- if (ticketCache != null) {
- // IBM JAVA only respects system property so copy ticket cache to system property
- // The first value searched when "useDefaultCcache" is true.
- System.setProperty("KRB5CCNAME", ticketCache);
- } else {
- ticketCache = System.getProperty("KRB5CCNAME");
- }
-
- if (ticketCache != null) {
- options.put("useDefaultCcache", "true");
- options.put("renewTGT", "true");
- }
- } else {
- if (ticketCache != null) {
- options.put("ticketCache", ticketCache);
- }
- }
- options.put("debug", "true");
-
- return new AppConfigurationEntry[]{
- new AppConfigurationEntry(getKrb5LoginModuleName(),
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
- options)};
- }
-}
-
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ProcessorFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ProcessorFactory.java
deleted file mode 100644
index a3bb6ab..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ProcessorFactory.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.thrift.TMultiplexedProcessor;
-
-public abstract class ProcessorFactory {
- protected final Configuration conf;
-
- public ProcessorFactory(Configuration conf) {
- this.conf = conf;
- }
-
- public abstract boolean register(TMultiplexedProcessor processor) throws Exception;
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
deleted file mode 100644
index f54f161..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
+++ /dev/null
@@ -1,157 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.service.thrift;
-
-import java.io.File;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.kerberos.KerberosTicket;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.Sets;
-
-public class SentryKerberosContext implements Runnable {
- private static final float TICKET_RENEW_WINDOW = 0.80f;
- private static final Logger LOGGER = LoggerFactory
- .getLogger(SentryKerberosContext.class);
- private LoginContext loginContext;
- private Subject subject;
- private final javax.security.auth.login.Configuration kerberosConfig;
- @Deprecated
- private Thread renewerThread;
- @Deprecated
- private boolean shutDownRenewer = false;
-
- public SentryKerberosContext(String principal, String keyTab, boolean autoRenewTicket)
- throws LoginException {
- subject = new Subject(false, Sets.newHashSet(new KerberosPrincipal(principal)),
- new HashSet<Object>(), new HashSet<Object>());
- kerberosConfig = KerberosConfiguration.createClientConfig(principal, new File(keyTab));
- loginWithNewContext();
- if (autoRenewTicket) {
- startRenewerThread();
- }
- }
-
- private void loginWithNewContext() throws LoginException {
- LOGGER.info("Logging in with new Context");
- logoutSubject();
- loginContext = new LoginContext("", subject, null, kerberosConfig);
- loginContext.login();
- subject = loginContext.getSubject();
- }
-
- private void logoutSubject() {
- if (loginContext != null) {
- try {
- loginContext.logout();
- } catch (LoginException e) {
- LOGGER.warn("Error logging out the subject", e);
- }
- }
- loginContext = null;
- }
-
- public Subject getSubject() {
- return subject;
- }
-
- /**
- * Get the Kerberos TGT
- * @return the user's TGT or null if none was found
- */
- @Deprecated
- private KerberosTicket getTGT() {
- Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
- for(KerberosTicket ticket: tickets) {
- KerberosPrincipal server = ticket.getServer();
- if (server.getName().equals("krbtgt/" + server.getRealm() +
- "@" + server.getRealm())) {
- return ticket;
- }
- }
- return null;
- }
-
- @Deprecated
- private long getRefreshTime(KerberosTicket tgt) {
- long start = tgt.getStartTime().getTime();
- long end = tgt.getEndTime().getTime();
- LOGGER.debug("Ticket start time: " + start);
- LOGGER.debug("Ticket End time: " + end);
- return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
- }
-
- /***
- * Ticket renewer thread
- * wait till 80% time interval left on the ticket and then renew it
- */
- @Deprecated
- @Override
- public void run() {
- try {
- LOGGER.info("Sentry Ticket renewer thread started");
- while (!shutDownRenewer) {
- KerberosTicket tgt = getTGT();
- if (tgt == null) {
- LOGGER.warn("No ticket found in the cache");
- return;
- }
- long nextRefresh = getRefreshTime(tgt);
- while (System.currentTimeMillis() < nextRefresh) {
- Thread.sleep(1000);
- if (shutDownRenewer) {
- return;
- }
- }
- loginWithNewContext();
- LOGGER.debug("Renewed ticket");
- }
- } catch (InterruptedException e1) {
- LOGGER.warn("Sentry Ticket renewer thread interrupted", e1);
- return;
- } catch (LoginException e) {
- LOGGER.warn("Failed to renew ticket", e);
- } finally {
- logoutSubject();
- LOGGER.info("Sentry Ticket renewer thread finished");
- }
- }
-
- @Deprecated
- public void startRenewerThread() {
- renewerThread = new Thread(this);
- renewerThread.start();
- }
-
- public void shutDown() throws LoginException {
- if (renewerThread != null) {
- shutDownRenewer = true;
- } else {
- logoutSubject();
- }
- }
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
deleted file mode 100644
index 5783649..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
+++ /dev/null
@@ -1,426 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.service.thrift;
-
-import java.io.File;
-import java.io.IOException;
-import java.lang.reflect.Constructor;
-import java.net.InetSocketAddress;
-import java.net.MalformedURLException;
-import java.net.ServerSocket;
-import java.security.PrivilegedExceptionAction;
-import java.util.ArrayList;
-import java.util.EventListener;
-import java.util.List;
-import java.util.concurrent.Callable;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-import java.util.concurrent.ThreadFactory;
-
-import javax.security.auth.Subject;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.CommandLineParser;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Options;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.security.SaslRpcServer;
-import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.sentry.Command;
-import org.apache.sentry.provider.db.service.thrift.SentryHealthCheckServletContextListener;
-import org.apache.sentry.provider.db.service.thrift.SentryMetricsServletContextListener;
-import org.apache.sentry.provider.db.service.thrift.SentryWebServer;
-import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.thrift.TMultiplexedProcessor;
-import org.apache.thrift.protocol.TBinaryProtocol;
-import org.apache.thrift.server.TServer;
-import org.apache.thrift.server.TServerEventHandler;
-import org.apache.thrift.server.TThreadPoolServer;
-import org.apache.thrift.transport.TSaslServerTransport;
-import org.apache.thrift.transport.TServerSocket;
-import org.apache.thrift.transport.TServerTransport;
-import org.apache.thrift.transport.TTransportFactory;
-import org.eclipse.jetty.util.MultiException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Preconditions;
-
-public class SentryService implements Callable {
-
- private static final Logger LOGGER = LoggerFactory
- .getLogger(SentryService.class);
-
- private static enum Status {
- NOT_STARTED(), STARTED();
- }
-
- private final Configuration conf;
- private final InetSocketAddress address;
- private final int maxThreads;
- private final int minThreads;
- private boolean kerberos;
- private final String principal;
- private final String[] principalParts;
- private final String keytab;
- private final ExecutorService serviceExecutor;
- private Future serviceStatus;
- private TServer thriftServer;
- private Status status;
- private int webServerPort;
- private SentryWebServer sentryWebServer;
- private long maxMessageSize;
-
- public SentryService(Configuration conf) {
- this.conf = conf;
- int port = conf
- .getInt(ServerConfig.RPC_PORT, ServerConfig.RPC_PORT_DEFAULT);
- if (port == 0) {
- port = findFreePort();
- conf.setInt(ServerConfig.RPC_PORT, port);
- }
- this.address = NetUtils.createSocketAddr(
- conf.get(ServerConfig.RPC_ADDRESS, ServerConfig.RPC_ADDRESS_DEFAULT),
- port);
- LOGGER.info("Configured on address " + address);
- kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
- conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
- maxThreads = conf.getInt(ServerConfig.RPC_MAX_THREADS,
- ServerConfig.RPC_MAX_THREADS_DEFAULT);
- minThreads = conf.getInt(ServerConfig.RPC_MIN_THREADS,
- ServerConfig.RPC_MIN_THREADS_DEFAULT);
- maxMessageSize = conf.getLong(ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE,
- ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
- if (kerberos) {
- // Use Hadoop libraries to translate the _HOST placeholder with actual hostname
- try {
- String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
- principal = SecurityUtil.getServerPrincipal(rawPrincipal, address.getAddress());
- } catch(IOException io) {
- throw new RuntimeException("Can't translate kerberos principal'", io);
- }
- LOGGER.info("Using kerberos principal: " + principal);
-
- principalParts = SaslRpcServer.splitKerberosName(principal);
- Preconditions.checkArgument(principalParts.length == 3,
- "Kerberos principal should have 3 parts: " + principal);
- keytab = Preconditions.checkNotNull(conf.get(ServerConfig.KEY_TAB),
- ServerConfig.KEY_TAB + " is required");
- File keytabFile = new File(keytab);
- Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(),
- "Keytab " + keytab + " does not exist or is not readable.");
- } else {
- principal = null;
- principalParts = null;
- keytab = null;
- }
- serviceExecutor = Executors.newSingleThreadExecutor(new ThreadFactory() {
- private int count = 0;
-
- @Override
- public Thread newThread(Runnable r) {
- return new Thread(r, SentryService.class.getSimpleName() + "-"
- + (count++));
- }
- });
- webServerPort = conf.getInt(ServerConfig.SENTRY_WEB_PORT, ServerConfig.SENTRY_WEB_PORT_DEFAULT);
- status = Status.NOT_STARTED;
- }
-
- @Override
- public String call() throws Exception {
- SentryKerberosContext kerberosContext = null;
- try {
- status = Status.STARTED;
- if (kerberos) {
- Boolean autoRenewTicket = conf.getBoolean(ServerConfig.SENTRY_KERBEROS_TGT_AUTORENEW, ServerConfig.SENTRY_KERBEROS_TGT_AUTORENEW_DEFAULT);
- kerberosContext = new SentryKerberosContext(principal, keytab, autoRenewTicket);
- Subject.doAs(kerberosContext.getSubject(), new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- runServer();
- return null;
- }
- });
- } else {
- runServer();
- }
- } catch (Exception t) {
- LOGGER.error("Error starting server", t);
- throw new Exception("Error starting server", t);
- } finally {
- if (kerberosContext != null) {
- kerberosContext.shutDown();
- }
- status = Status.NOT_STARTED;
- }
- return null;
- }
-
- private void runServer() throws Exception {
- Iterable<String> processorFactories = ConfUtilties.CLASS_SPLITTER
- .split(conf.get(ServerConfig.PROCESSOR_FACTORIES,
- ServerConfig.PROCESSOR_FACTORIES_DEFAULT).trim());
- TMultiplexedProcessor processor = new TMultiplexedProcessor();
- boolean registeredProcessor = false;
- for (String processorFactory : processorFactories) {
- Class<?> clazz = conf.getClassByName(processorFactory);
- if (!ProcessorFactory.class.isAssignableFrom(clazz)) {
- throw new IllegalArgumentException("Processor Factory "
- + processorFactory + " is not a "
- + ProcessorFactory.class.getName());
- }
- try {
- Constructor<?> constructor = clazz
- .getConstructor(Configuration.class);
- LOGGER.info("ProcessorFactory being used: " + clazz.getCanonicalName());
- ProcessorFactory factory = (ProcessorFactory) constructor
- .newInstance(conf);
- boolean registerStatus = factory.register(processor);
- if (!registerStatus) {
- LOGGER.error("Failed to register " + clazz.getCanonicalName());
- }
- registeredProcessor = registerStatus || registeredProcessor;
- } catch (Exception e) {
- throw new IllegalStateException("Could not create "
- + processorFactory, e);
- }
- }
- if (!registeredProcessor) {
- throw new IllegalStateException(
- "Failed to register any processors from " + processorFactories);
- }
- TServerTransport serverTransport = new TServerSocket(address);
- TTransportFactory transportFactory = null;
- if (kerberos) {
- TSaslServerTransport.Factory saslTransportFactory = new TSaslServerTransport.Factory();
- saslTransportFactory.addServerDefinition(AuthMethod.KERBEROS
- .getMechanismName(), principalParts[0], principalParts[1],
- ServerConfig.SASL_PROPERTIES, new GSSCallback(conf));
- transportFactory = saslTransportFactory;
- } else {
- transportFactory = new TTransportFactory();
- }
- TThreadPoolServer.Args args = new TThreadPoolServer.Args(
- serverTransport).processor(processor)
- .transportFactory(transportFactory)
- .protocolFactory(new TBinaryProtocol.Factory(true, true, maxMessageSize, maxMessageSize))
- .minWorkerThreads(minThreads).maxWorkerThreads(maxThreads);
- thriftServer = new TThreadPoolServer(args);
- LOGGER.info("Serving on " + address);
- startSentryWebServer();
- thriftServer.serve();
- }
-
- private void startSentryWebServer() throws Exception{
- Boolean sentryReportingEnable = conf.getBoolean(ServerConfig.SENTRY_WEB_ENABLE,
- ServerConfig.SENTRY_WEB_ENABLE_DEFAULT);
- if(sentryReportingEnable) {
- List<EventListener> listenerList = new ArrayList<EventListener>();
- listenerList.add(new SentryHealthCheckServletContextListener());
- listenerList.add(new SentryMetricsServletContextListener());
- sentryWebServer = new SentryWebServer(listenerList, webServerPort, conf);
- sentryWebServer.start();
- }
-
- }
-
- private void stopSentryWebServer() throws Exception{
- if( sentryWebServer != null) {
- sentryWebServer.stop();
- sentryWebServer = null;
- }
- }
-
- public InetSocketAddress getAddress() {
- return address;
- }
-
- public synchronized boolean isRunning() {
- return status == Status.STARTED && thriftServer != null
- && thriftServer.isServing();
- }
-
- public synchronized void start() throws Exception{
- if (status != Status.NOT_STARTED) {
- throw new IllegalStateException("Cannot start when " + status);
- }
- LOGGER.info("Attempting to start...");
- serviceStatus = serviceExecutor.submit(this);
- }
-
- public synchronized void stop() throws Exception{
- MultiException exception = null;
- LOGGER.info("Attempting to stop...");
- if (isRunning()) {
- LOGGER.info("Attempting to stop sentry thrift service...");
- try {
- thriftServer.stop();
- thriftServer = null;
- status = Status.NOT_STARTED;
- } catch (Exception e) {
- LOGGER.error("Error while stopping sentry thrift service", e);
- exception = addMultiException(exception,e);
- }
- } else {
- thriftServer = null;
- status = Status.NOT_STARTED;
- LOGGER.info("Sentry thrift service is already stopped...");
- }
- if (isWebServerRunning()) {
- try {
- LOGGER.info("Attempting to stop sentry web service...");
- stopSentryWebServer();
- } catch (Exception e) {
- LOGGER.error("Error while stopping sentry web service", e);
- exception = addMultiException(exception,e);
- }
- } else {
- LOGGER.info("Sentry web service is already stopped...");
- }
- if (exception != null) {
- exception.ifExceptionThrow();
- }
- LOGGER.info("Stopped...");
- }
-
- // wait for the service thread to finish execution
- public synchronized void waitOnFuture() throws ExecutionException, InterruptedException {
- LOGGER.info("Waiting on future.get()");
- serviceStatus.get();
- }
-
- private MultiException addMultiException(MultiException exception, Exception e) {
- MultiException newException = exception;
- if (newException == null) {
- newException = new MultiException();
- }
- newException.add(e);
- return newException;
- }
-
- private boolean isWebServerRunning() {
- return sentryWebServer != null
- && sentryWebServer.isAlive();
- }
-
- private static int findFreePort() {
- int attempts = 0;
- while (attempts++ <= 1000) {
- try {
- ServerSocket s = new ServerSocket(0);
- int port = s.getLocalPort();
- s.close();
- return port;
- } catch (IOException e) {
- // ignore and retry
- }
- }
- throw new IllegalStateException("Unable to find a port after 1000 attempts");
- }
-
- public static Configuration loadConfig(String configFileName)
- throws MalformedURLException {
- File configFile = null;
- if (configFileName == null) {
- throw new IllegalArgumentException("Usage: "
- + ServiceConstants.ServiceArgs.CONFIG_FILE_LONG
- + " path/to/sentry-service.xml");
- } else if (!((configFile = new File(configFileName)).isFile() && configFile
- .canRead())) {
- throw new IllegalArgumentException("Cannot read configuration file "
- + configFile);
- }
- Configuration conf = new Configuration(false);
- conf.addResource(configFile.toURI().toURL());
- return conf;
- }
-
- public static class CommandImpl implements Command {
- @Override
- public void run(String[] args) throws Exception {
- CommandLineParser parser = new GnuParser();
- Options options = new Options();
- options.addOption(ServiceConstants.ServiceArgs.CONFIG_FILE_SHORT,
- ServiceConstants.ServiceArgs.CONFIG_FILE_LONG,
- true, "Sentry Service configuration file");
- CommandLine commandLine = parser.parse(options, args);
- String configFileName = commandLine.getOptionValue(ServiceConstants.
- ServiceArgs.CONFIG_FILE_LONG);
- File configFile = null;
- if (configFileName == null || commandLine.hasOption("h") || commandLine.hasOption("help")) {
- // print usage
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("sentry --command service", options);
- System.exit(-1);
- } else if(!((configFile = new File(configFileName)).isFile() && configFile.canRead())) {
- throw new IllegalArgumentException("Cannot read configuration file " + configFile);
- }
- Configuration serverConf = loadConfig(configFileName);
- final SentryService server = new SentryService(serverConf);
- server.start();
- Runtime.getRuntime().addShutdownHook(new Thread() {
- @Override
- public void run() {
- LOGGER.info("ShutdownHook shutting down server");
- try {
- server.stop();
- } catch (Throwable t) {
- LOGGER.error("Error stopping SentryService", t);
- }
- }
- });
-
- // Let's wait on the service to stop
- try {
- server.waitOnFuture();
- } finally {
- server.serviceExecutor.shutdown();
- }
- }
- }
-
- public Configuration getConf() {
- return conf;
- }
-
- /**
- * Add Thrift event handler to underlying thrift threadpool server
- * @param eventHandler
- */
- public void setThriftEventHandler(TServerEventHandler eventHandler) throws IllegalStateException {
- if (thriftServer == null) {
- throw new IllegalStateException("Server is not initialized or stopped");
- }
- thriftServer.setServerEventHandler(eventHandler);
- }
-
- public TServerEventHandler getThriftEventHandler() throws IllegalStateException {
- if (thriftServer == null) {
- throw new IllegalStateException("Server is not initialized or stopped");
- }
- return thriftServer.getEventHandler();
- }
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceFactory.java
deleted file mode 100644
index 1685702..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceFactory.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.service.thrift;
-import org.apache.hadoop.conf.Configuration;
-
-public class SentryServiceFactory {
-
- public SentryService create(Configuration conf) throws Exception {
- return new SentryService(conf);
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
deleted file mode 100644
index ce73358..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
+++ /dev/null
@@ -1,158 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.service.thrift;
-
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
-
-import com.google.common.collect.Lists;
-
-public final class SentryServiceUtil {
-
- // parse the privilege in String and get the TSentryPrivilege as result
- public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) {
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue tempKV = new KeyValue(authorizable);
- String key = tempKV.getKey();
- String value = tempKV.getValue();
-
- if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setServerName(value);
- } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setDbName(value);
- } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setTableName(value);
- } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setColumnName(value);
- } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setURI(value);
- } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setAction(value);
- } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) {
- TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE
- : TSentryGrantOption.FALSE;
- tSentryPrivilege.setGrantOption(grantOption);
- }
- }
- tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege));
- return tSentryPrivilege;
- }
-
- /**
- * Parse the object path from string to map.
- * @param objectPath the string format as db=db1->table=tbl1
- * @return Map
- */
- public static Map<String, String> parseObjectPath(String objectPath) {
- Map<String, String> objectMap = new HashMap<String, String>();
- if (StringUtils.isEmpty(objectPath)) {
- return objectMap;
- }
- for (String kvStr : SentryConstants.AUTHORIZABLE_SPLITTER.split(objectPath)) {
- KeyValue kv = new KeyValue(kvStr);
- String key = kv.getKey();
- String value = kv.getValue();
-
- if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
- objectMap.put(PolicyFileConstants.PRIVILEGE_DATABASE_NAME, value);
- } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
- objectMap.put(PolicyFileConstants.PRIVILEGE_TABLE_NAME, value);
- }
- }
- return objectMap;
- }
-
- // for the different hierarchy for hive:
- // 1: server->url
- // 2: server->database->table->column
- // if both of them are found in the privilege string, the privilege scope will be set as
- // PrivilegeScope.URI
- public static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) {
- PrivilegeScope privilegeScope = PrivilegeScope.SERVER;
- if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) {
- privilegeScope = PrivilegeScope.URI;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) {
- privilegeScope = PrivilegeScope.COLUMN;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) {
- privilegeScope = PrivilegeScope.TABLE;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) {
- privilegeScope = PrivilegeScope.DATABASE;
- }
- return privilegeScope.toString();
- }
-
- // convert TSentryPrivilege to privilege in string
- public static String convertTSentryPrivilegeToStr(TSentryPrivilege tSentryPrivilege) {
- List<String> privileges = Lists.newArrayList();
- if (tSentryPrivilege != null) {
- String serverName = tSentryPrivilege.getServerName();
- String dbName = tSentryPrivilege.getDbName();
- String tableName = tSentryPrivilege.getTableName();
- String columnName = tSentryPrivilege.getColumnName();
- String uri = tSentryPrivilege.getURI();
- String action = tSentryPrivilege.getAction();
- String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
- : "false");
- if (!StringUtils.isEmpty(serverName)) {
- privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_SERVER_NAME,
- serverName));
- if (!StringUtils.isEmpty(uri)) {
- privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_URI_NAME,
- uri));
- } else if (!StringUtils.isEmpty(dbName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_DATABASE_NAME, dbName));
- if (!StringUtils.isEmpty(tableName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_TABLE_NAME, tableName));
- if (!StringUtils.isEmpty(columnName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_COLUMN_NAME, columnName));
- }
- }
- }
- if (!StringUtils.isEmpty(action)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
- }
- }
- // only append the grant option to privilege string if it's true
- if ("true".equals(grantOption)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
- }
- }
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- }
-
- private SentryServiceUtil() {
- // Make constructor private to avoid instantiation
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.derby.sql b/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.derby.sql
deleted file mode 100644
index 04353d1..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.derby.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- SENTRY-327
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD COLUMN WITH_GRANT_OPTION CHAR(1) NOT NULL DEFAULT 'N';
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.mysql.sql b/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.mysql.sql
deleted file mode 100644
index 7d96bc0..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.mysql.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- SENTRY-327
-ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD `WITH_GRANT_OPTION` CHAR(1) NOT NULL DEFAULT 'N';
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.oracle.sql b/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.oracle.sql
deleted file mode 100644
index f42ccdf..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.oracle.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- SENTRY-327
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD WITH_GRANT_OPTION CHAR(1) DEFAULT 'N' NOT NULL;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.postgres.sql b/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.postgres.sql
deleted file mode 100644
index 1b670ec..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/001-SENTRY-327.postgres.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- SENTRY-327
-ALTER TABLE "SENTRY_DB_PRIVILEGE" ADD COLUMN "WITH_GRANT_OPTION" CHAR(1) NOT NULL DEFAULT 'N';
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.derby.sql b/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.derby.sql
deleted file mode 100644
index 647e9e2..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.derby.sql
+++ /dev/null
@@ -1,13 +0,0 @@
--- SENTRY-339
-DROP INDEX SENTRYPRIVILEGENAME;
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME",URI,"ACTION",WITH_GRANT_OPTION);
-
-ALTER TABLE SENTRY_DB_PRIVILEGE DROP COLUMN PRIVILEGE_NAME;
-
-ALTER TABLE SENTRY_DB_PRIVILEGE ALTER COLUMN DB_NAME SET DEFAULT '__NULL__';
-ALTER TABLE SENTRY_DB_PRIVILEGE ALTER COLUMN TABLE_NAME SET DEFAULT '__NULL__';
-ALTER TABLE SENTRY_DB_PRIVILEGE ALTER COLUMN URI SET DEFAULT '__NULL__';
-
-UPDATE SENTRY_DB_PRIVILEGE SET DB_NAME = DEFAULT WHERE DB_NAME is null;
-UPDATE SENTRY_DB_PRIVILEGE SET TABLE_NAME = DEFAULT WHERE TABLE_NAME is null;
-UPDATE SENTRY_DB_PRIVILEGE SET URI = DEFAULT WHERE URI is null;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.mysql.sql b/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.mysql.sql
deleted file mode 100644
index cd4ec7c..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.mysql.sql
+++ /dev/null
@@ -1,13 +0,0 @@
--- SENTRY-339
-ALTER TABLE `SENTRY_DB_PRIVILEGE` DROP INDEX `SENTRY_DB_PRIV_PRIV_NAME_UNIQ`;
-ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
-ALTER TABLE `SENTRY_DB_PRIVILEGE` DROP `PRIVILEGE_NAME`;
-
-ALTER TABLE SENTRY_DB_PRIVILEGE ALTER COLUMN DB_NAME SET DEFAULT '__NULL__';
-ALTER TABLE SENTRY_DB_PRIVILEGE ALTER COLUMN TABLE_NAME SET DEFAULT '__NULL__';
-ALTER TABLE SENTRY_DB_PRIVILEGE ALTER COLUMN URI SET DEFAULT '__NULL__';
-
-UPDATE SENTRY_DB_PRIVILEGE SET DB_NAME = DEFAULT WHERE DB_NAME is null;
-UPDATE SENTRY_DB_PRIVILEGE SET TABLE_NAME = DEFAULT WHERE TABLE_NAME is null;
-UPDATE SENTRY_DB_PRIVILEGE SET URI = DEFAULT WHERE URI is null;
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.oracle.sql b/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.oracle.sql
deleted file mode 100644
index f5f596d..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.oracle.sql
+++ /dev/null
@@ -1,13 +0,0 @@
--- SENTRY-339
-ALTER TABLE SENTRY_DB_PRIVILEGE DROP CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" DROP INDEX;
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","URI","ACTION","WITH_GRANT_OPTION");
-ALTER TABLE SENTRY_DB_PRIVILEGE DROP COLUMN PRIVILEGE_NAME;
-
-ALTER TABLE SENTRY_DB_PRIVILEGE MODIFY DB_NAME DEFAULT '__NULL__';
-ALTER TABLE SENTRY_DB_PRIVILEGE MODIFY TABLE_NAME DEFAULT '__NULL__';
-ALTER TABLE SENTRY_DB_PRIVILEGE MODIFY URI DEFAULT '__NULL__';
-
-UPDATE SENTRY_DB_PRIVILEGE SET DB_NAME = DEFAULT WHERE DB_NAME is null;
-UPDATE SENTRY_DB_PRIVILEGE SET TABLE_NAME = DEFAULT WHERE TABLE_NAME is null;
-UPDATE SENTRY_DB_PRIVILEGE SET URI = DEFAULT WHERE URI is null;
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.postgres.sql b/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.postgres.sql
deleted file mode 100644
index 458e447..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/002-SENTRY-339.postgres.sql
+++ /dev/null
@@ -1,13 +0,0 @@
--- SENTRY-339
-ALTER TABLE "SENTRY_DB_PRIVILEGE" DROP CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ";
-ALTER TABLE "SENTRY_DB_PRIVILEGE" ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","URI", "ACTION","WITH_GRANT_OPTION");
-ALTER TABLE "SENTRY_DB_PRIVILEGE" DROP COLUMN "PRIVILEGE_NAME";
-
-ALTER TABLE "SENTRY_DB_PRIVILEGE" ALTER COLUMN "DB_NAME" SET DEFAULT '__NULL__';
-AlTER TABLE "SENTRY_DB_PRIVILEGE" ALTER COLUMN "TABLE_NAME" SET DEFAULT '__NULL__';
-ALTER TABLE "SENTRY_DB_PRIVILEGE" ALTER COLUMN "URI" SET DEFAULT '__NULL__';
-
-UPDATE "SENTRY_DB_PRIVILEGE" SET "DB_NAME" = DEFAULT where "DB_NAME" is null;
-UPDATE "SENTRY_DB_PRIVILEGE" SET "TABLE_NAME" = DEFAULT where "TABLE_NAME" is null;
-UPDATE "SENTRY_DB_PRIVILEGE" SET "URI" = DEFAULT where "URI" is null;
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.derby.sql b/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.derby.sql
deleted file mode 100644
index f27b358..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.derby.sql
+++ /dev/null
@@ -1,7 +0,0 @@
--- SENTRY-380
-ALTER TABLE SENTRY_DB_PRIVILEGE DROP GRANTOR_PRINCIPAL;
-ALTER TABLE SENTRY_ROLE DROP GRANTOR_PRINCIPAL;
-ALTER TABLE SENTRY_GROUP DROP GRANTOR_PRINCIPAL;
-
-ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD GRANTOR_PRINCIPAL VARCHAR(128);
-ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD GRANTOR_PRINCIPAL VARCHAR(128);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.mysql.sql b/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.mysql.sql
deleted file mode 100644
index 8e0a633..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.mysql.sql
+++ /dev/null
@@ -1,7 +0,0 @@
--- SENTRY-380
-ALTER TABLE `SENTRY_DB_PRIVILEGE` DROP `GRANTOR_PRINCIPAL`;
-ALTER TABLE `SENTRY_ROLE` DROP `GRANTOR_PRINCIPAL`;
-ALTER TABLE `SENTRY_GROUP` DROP `GRANTOR_PRINCIPAL`;
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` ADD `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin;
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP` ADD `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.oracle.sql b/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.oracle.sql
deleted file mode 100644
index d07d20e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.oracle.sql
+++ /dev/null
@@ -1,7 +0,0 @@
--- SENTRY-380
-ALTER TABLE "SENTRY_DB_PRIVILEGE" DROP COLUMN "GRANTOR_PRINCIPAL";
-ALTER TABLE "SENTRY_ROLE" DROP COLUMN "GRANTOR_PRINCIPAL";
-ALTER TABLE "SENTRY_GROUP" DROP COLUMN "GRANTOR_PRINCIPAL";
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" ADD "GRANTOR_PRINCIPAL" VARCHAR2(128);
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP" ADD "GRANTOR_PRINCIPAL" VARCHAR2(128);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.postgres.sql b/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.postgres.sql
deleted file mode 100644
index 95a2ef1..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/003-SENTRY-380.postgres.sql
+++ /dev/null
@@ -1,7 +0,0 @@
--- SENTRY-380
-ALTER TABLE "SENTRY_DB_PRIVILEGE" DROP "GRANTOR_PRINCIPAL";
-ALTER TABLE "SENTRY_ROLE" DROP "GRANTOR_PRINCIPAL";
-ALTER TABLE "SENTRY_GROUP" DROP "GRANTOR_PRINCIPAL";
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" ADD "GRANTOR_PRINCIPAL" character varying(128);
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP" ADD "GRANTOR_PRINCIPAL" character varying(128);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.derby.sql b/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.derby.sql
deleted file mode 100644
index da1f4d6..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.derby.sql
+++ /dev/null
@@ -1,4 +0,0 @@
--- SENTRY-74
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD COLUMN COLUMN_NAME VARCHAR(4000) DEFAULT '__NULL__';
-DROP INDEX SENTRYPRIVILEGENAME;
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.mysql.sql b/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.mysql.sql
deleted file mode 100644
index 1419ca3..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.mysql.sql
+++ /dev/null
@@ -1,4 +0,0 @@
--- SENTRY-74
-ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD `COLUMN_NAME` VARCHAR(128) DEFAULT '__NULL__';
-ALTER TABLE `SENTRY_DB_PRIVILEGE` DROP INDEX `SENTRY_DB_PRIV_PRIV_NAME_UNIQ`;
-ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.oracle.sql b/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.oracle.sql
deleted file mode 100644
index a70ae0a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.oracle.sql
+++ /dev/null
@@ -1,4 +0,0 @@
--- SENTRY-74
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD COLUMN_NAME VARCHAR2(128) DEFAULT '__NULL__';
-ALTER TABLE SENTRY_DB_PRIVILEGE DROP CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" DROP INDEX;
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION");
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.postgres.sql b/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.postgres.sql
deleted file mode 100644
index 81bdfa3..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.postgres.sql
+++ /dev/null
@@ -1,4 +0,0 @@
--- SENTRY-74
-ALTER TABLE "SENTRY_DB_PRIVILEGE" ADD COLUMN "COLUMN_NAME" character varying(128) DEFAULT '__NULL__';
-ALTER TABLE "SENTRY_DB_PRIVILEGE" DROP CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ";
-ALTER TABLE "SENTRY_DB_PRIVILEGE" ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION");
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.derby.sql b/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.derby.sql
deleted file mode 100644
index c038b81..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.derby.sql
+++ /dev/null
@@ -1,43 +0,0 @@
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE SENTRY_GM_PRIVILEGE
-(
- GM_PRIVILEGE_ID BIGINT NOT NULL,
- "ACTION" VARCHAR(40),
- COMPONENT_NAME VARCHAR(400),
- CREATE_TIME BIGINT NOT NULL,
- WITH_GRANT_OPTION CHAR(1) NOT NULL DEFAULT 'N',
- RESOURCE_NAME_0 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_1 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_2 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_NAME_3 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_0 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_1 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_2 VARCHAR(400) DEFAULT '__NULL__',
- RESOURCE_TYPE_3 VARCHAR(400) DEFAULT '__NULL__',
- "SCOPE" VARCHAR(40),
- SERVICE_NAME VARCHAR(400)
-);
--- Primary key(GM_PRIVILEGE_ID)
-ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- GM_PRIVILEGE_ID BIGINT NOT NULL
-);
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
-
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.mysql.sql b/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.mysql.sql
deleted file mode 100644
index 920737f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/005-SENTRY-398.mysql.sql
+++ /dev/null
@@ -1,62 +0,0 @@
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE `SENTRY_GM_PRIVILEGE`
-(
- `GM_PRIVILEGE_ID` BIGINT NOT NULL,
- `ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL,
- `WITH_GRANT_OPTION` CHAR(1) NOT NULL DEFAULT 'N',
- `RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
-) ENGINE=INNODB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD CONSTRAINT `SENTRY_GM_PRIVILEGE_PK` PRIMARY KEY (`GM_PRIVILEGE_ID`);
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD UNIQUE `GM_PRIVILEGE_UNIQUE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
-(
- `ROLE_ID` BIGINT NOT NULL,
- `GM_PRIVILEGE_ID` BIGINT NOT NULL
-) ENGINE=INNODB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GM_PRIVILEGE_ID`);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK`
- FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`);
[28/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
deleted file mode 100644
index bc7fe12..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
+++ /dev/null
@@ -1,2090 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.persistent;
-
-import java.io.File;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.alias.CredentialProvider;
-import org.apache.hadoop.security.alias.CredentialProviderFactory;
-import org.apache.hadoop.security.alias.UserProvider;
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
-import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
-import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
-import org.apache.sentry.provider.db.service.model.MSentryRole;
-import org.apache.sentry.provider.db.service.thrift.TSentryActiveRoleSet;
-import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Ignore;
-import org.junit.Test;
-
-import com.google.common.collect.Iterables;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSentryStore extends org.junit.Assert {
-
- private static File dataDir;
- private static SentryStore sentryStore;
- private static String[] adminGroups = { "adminGroup1" };
- private static PolicyFile policyFile;
- private static File policyFilePath;
- final long NUM_PRIVS = 60; // > SentryStore.PrivCleaner.NOTIFY_THRESHOLD
- private static Configuration conf = null;
- private static char[] passwd = new char[] { '1', '2', '3'};
-
- @BeforeClass
- public static void setup() throws Exception {
- conf = new Configuration(false);
- final String ourUrl = UserProvider.SCHEME_NAME + ":///";
- conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
- CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);
- provider.createCredentialEntry(ServerConfig.
- SENTRY_STORE_JDBC_PASS, passwd);
- provider.flush();
-
- dataDir = new File(Files.createTempDir(), "sentry_policy_db");
- conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
- "jdbc:derby:;databaseName=" + dataDir.getPath() + ";create=true");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
- conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups);
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
- ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
- policyFilePath = new File(dataDir, "local_policy_file.ini");
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
- policyFilePath.getPath());
- sentryStore = new SentryStore(conf);
- }
-
- @Before
- public void before() throws Exception {
- policyFile = new PolicyFile();
- String adminUser = "g1";
- addGroupsToUser(adminUser, adminGroups);
- writePolicyFile();
- }
-
- @After
- public void after() {
- sentryStore.clearAllTables();
- }
-
- @AfterClass
- public static void teardown() {
- if (sentryStore != null) {
- sentryStore.stop();
- }
- if (dataDir != null) {
- FileUtils.deleteQuietly(dataDir);
- }
- }
-
- @Test
- public void testCredentialProvider() throws Exception {
- assertArrayEquals(passwd, conf.getPassword(ServerConfig.
- SENTRY_STORE_JDBC_PASS));
- }
-
- @Test
- public void testCaseInsensitiveRole() throws Exception {
- String roleName = "newRole";
- String grantor = "g1";
- Set<TSentryGroup> groups = Sets.newHashSet();
- TSentryGroup group = new TSentryGroup();
- group.setGroupName("test-groups-g1");
- groups.add(group);
-
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope("TABLE");
- privilege.setServerName("server1");
- privilege.setDbName("default");
- privilege.setTableName("table1");
- privilege.setAction(AccessConstants.ALL);
- privilege.setCreateTime(System.currentTimeMillis());
-
- Set<String> users = Sets.newHashSet("user1");
-
- long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
- assertEquals(seqId + 1, sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups).getSequenceId());
- assertEquals(seqId + 2, sentryStore.alterSentryRoleDeleteGroups(roleName, groups).getSequenceId());
- assertEquals(seqId + 3, sentryStore.alterSentryRoleAddUsers(roleName, users).getSequenceId());
- assertEquals(seqId + 4, sentryStore.alterSentryRoleDeleteUsers(roleName, users).getSequenceId());
- assertEquals(seqId + 5, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
- .getSequenceId());
- assertEquals(seqId + 6, sentryStore
- .alterSentryRoleRevokePrivilege(grantor, roleName, privilege).getSequenceId());
- }
-
- @Test
- public void testURI() throws Exception {
- String roleName = "test-dup-role";
- String grantor = "g1";
- String uri = "file:///var/folders/dt/9zm44z9s6bjfxbrm4v36lzdc0000gp/T/1401860678102-0/data/kv1.dat";
- sentryStore.createSentryRole(roleName);
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("URI", "server1", "ALL");
- tSentryPrivilege.setURI(uri);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, tSentryPrivilege);
-
- TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
- tSentryAuthorizable.setUri(uri);
- tSentryAuthorizable.setServer("server1");
-
- Set<TSentryPrivilege> privileges =
- sentryStore.getTSentryPrivileges(new HashSet<String>(Arrays.asList(roleName)), tSentryAuthorizable);
-
- assertTrue(privileges.size() == 1);
-
- Set<TSentryGroup> tSentryGroups = new HashSet<TSentryGroup>();
- tSentryGroups.add(new TSentryGroup("group1"));
- sentryStore.alterSentryRoleAddGroups(grantor, roleName, tSentryGroups);
- sentryStore.alterSentryRoleAddUsers(roleName, Sets.newHashSet("user1"));
-
- TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(true, new HashSet<String>(Arrays.asList(roleName)));
-
- // list privilege for group only
- Set<String> privs = sentryStore.listSentryPrivilegesForProvider(
- new HashSet<String>(Arrays.asList("group1")), Sets.newHashSet(""), thriftRoleSet,
- tSentryAuthorizable);
-
- assertTrue(privs.size()==1);
- assertTrue(privs.contains("server=server1->uri=" + uri + "->action=all"));
-
- // list privilege for user only
- privs = sentryStore.listSentryPrivilegesForProvider(new HashSet<String>(Arrays.asList("")),
- Sets.newHashSet("user1"), thriftRoleSet, tSentryAuthorizable);
- assertTrue(privs.size() == 1);
- assertTrue(privs.contains("server=server1->uri=" + uri + "->action=all"));
-
- // list privilege for both user and group
- privs = sentryStore.listSentryPrivilegesForProvider(
- new HashSet<String>(Arrays.asList("group1")), Sets.newHashSet("user1"), thriftRoleSet,
- tSentryAuthorizable);
- assertTrue(privs.size() == 1);
- assertTrue(privs.contains("server=server1->uri=" + uri + "->action=all"));
- }
-
- @Test
- public void testCreateDuplicateRole() throws Exception {
- String roleName = "test-dup-role";
- sentryStore.createSentryRole(roleName);
- try {
- sentryStore.createSentryRole(roleName);
- fail("Expected SentryAlreadyExistsException");
- } catch(SentryAlreadyExistsException e) {
- // expected
- }
- }
-
- @Test
- public void testCaseSensitiveScope() throws Exception {
- String roleName = "role1";
- String grantor = "g1";
- long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
- TSentryPrivilege sentryPrivilege = new TSentryPrivilege("Database", "server1", "all");
- sentryPrivilege.setDbName("db1");
- assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, sentryPrivilege).getSequenceId());
- }
-
- @Test
- public void testCreateDropRole() throws Exception {
- String roleName = "test-drop-role";
- long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
- assertEquals(seqId + 1, sentryStore.dropSentryRole(roleName).getSequenceId());
- }
-
- @Test
- public void testAddDeleteGroupsNonExistantRole()
- throws Exception {
- String roleName = "non-existant-role";
- String grantor = "g1";
- Set<TSentryGroup> groups = Sets.newHashSet();
- Set<String> users = Sets.newHashSet(grantor);
- try {
- sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups);
- fail("Expected SentryNoSuchObjectException exception");
- } catch (SentryNoSuchObjectException e) {
- // excepted exception
- }
- try {
- sentryStore.alterSentryRoleAddUsers(roleName, users);
- fail("Expected SentryNoSuchObjectException exception");
- } catch (SentryNoSuchObjectException e) {
- // excepted exception
- }
- }
-
- @Test
- public void testAddDeleteGroups() throws Exception {
- String roleName = "test-groups";
- String grantor = "g1";
- long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
- Set<TSentryGroup> groups = Sets.newHashSet();
- TSentryGroup group = new TSentryGroup();
- group.setGroupName("test-groups-g1");
- groups.add(group);
- group = new TSentryGroup();
- group.setGroupName("test-groups-g2");
- groups.add(group);
- assertEquals(seqId + 1, sentryStore.alterSentryRoleAddGroups(grantor,
- roleName, groups).getSequenceId());
- assertEquals(seqId + 2, sentryStore.alterSentryRoleDeleteGroups(roleName, groups)
- .getSequenceId());
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- assertEquals(Collections.emptySet(), role.getGroups());
- }
-
- @Test
- public void testAddDeleteUsers() throws Exception {
- String roleName = "test-users";
- long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
- Set<String> users = Sets.newHashSet("test-user-u1", "test-user-u2");
- assertEquals(seqId + 1, sentryStore.alterSentryRoleAddUsers(roleName, users).getSequenceId());
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- assertEquals(2, role.getUsers().size());
- assertEquals(seqId + 2, sentryStore.alterSentryRoleDeleteUsers(roleName, users).getSequenceId());
- role = sentryStore.getMSentryRoleByName(roleName);
- assertEquals(0, role.getUsers().size());
- }
-
- @Test
- public void testGetTSentryRolesForUser() throws Exception {
- // Test the method GetTSentryRolesForUser according to the following test data:
- // user1->group1
- // user2->group1
- // user3->group1, group2
- // user4->group2, group3
- // group1->r1
- // group2->r2
- // group3->r2
- // user2->r3
- // user4->r3
- String roleName1 = "r1";
- String roleName2 = "r2";
- String roleName3 = "r3";
- String user1 = "u1";
- String user2 = "u2";
- String user3 = "u3";
- String user4 = "u4";
- String group1 = "group1";
- String group2 = "group2";
- String group3 = "group3";
- Map<String, Set<String>> userToGroups = Maps.newHashMap();
- userToGroups.put(user1, Sets.newHashSet(group1));
- userToGroups.put(user2, Sets.newHashSet(group1));
- userToGroups.put(user3, Sets.newHashSet(group1, group2));
- userToGroups.put(user4, Sets.newHashSet(group2, group3));
-
- sentryStore.createSentryRole(roleName1);
- sentryStore.createSentryRole(roleName2);
- sentryStore.createSentryRole(roleName3);
- sentryStore.alterSentryRoleAddUsers(roleName1, Sets.newHashSet(user1));
- sentryStore.alterSentryRoleAddUsers(roleName2, Sets.newHashSet(user2));
- sentryStore.alterSentryRoleAddUsers(roleName2, Sets.newHashSet(user3));
- sentryStore.alterSentryRoleAddUsers(roleName3, Sets.newHashSet(user2, user4));
-
- Set<TSentryRole> roles = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(user1));
- assertEquals(1, roles.size());
- for (TSentryRole role : roles) {
- assertTrue(roleName1.equals(role.getRoleName()));
- }
-
- roles = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(user2));
- assertEquals(2, roles.size());
- for (TSentryRole role : roles) {
- assertTrue(roleName2.equals(role.getRoleName()) || roleName3.equals(role.getRoleName()));
- }
-
- roles = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(user3));
- assertEquals(1, roles.size());
- for (TSentryRole role : roles) {
- assertTrue(roleName2.equals(role.getRoleName()));
- }
-
- roles = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(user4));
- assertEquals(1, roles.size());
- for (TSentryRole role : roles) {
- assertTrue(roleName3.equals(role.getRoleName()));
- }
- }
-
- @Test
- public void testGrantRevokePrivilege() throws Exception {
- String roleName = "test-privilege";
- String grantor = "g1";
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope("TABLE");
- privilege.setServerName(server);
- privilege.setDbName(db);
- privilege.setTableName(table);
- privilege.setAction(AccessConstants.ALL);
- privilege.setCreateTime(System.currentTimeMillis());
- assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
- .getSequenceId());
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
- privilege.setAction(AccessConstants.SELECT);
- assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege)
- .getSequenceId());
- // after having ALL and revoking SELECT, we should have INSERT
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
- MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
- assertEquals(server, mPrivilege.getServerName());
- assertEquals(db, mPrivilege.getDbName());
- assertEquals(table, mPrivilege.getTableName());
- assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
- assertFalse(mPrivilege.getGrantOption());
- }
-
- private void verifyOrphanCleanup() throws Exception {
- boolean success = false;
- int iterations = 30;
- while (!success && iterations > 0) {
- Thread.sleep(1000);
- long numDBPrivs = sentryStore.countMSentryPrivileges();
- if (numDBPrivs < NUM_PRIVS) {
- assertEquals(0, numDBPrivs);
- success = true;
- }
- iterations--;
- }
- assertTrue("Failed to cleanup orphaned privileges", success);
- }
-
- /**
- * Create several privileges in the database, then delete the role that
- * created them. This makes them all orphans. Wait a bit to ensure the
- * cleanup thread runs, and expect them all to be gone from the database.
- * @throws Exception
- */
- @Ignore("Disabled with SENTRY-545 following SENTRY-140 problems")
- @Test
- public void testPrivilegeCleanup() throws Exception {
- final String roleName = "test-priv-cleanup";
- final String grantor = "g1";
- final String server = "server";
- final String dBase = "db";
- final String table = "table-";
-
- sentryStore.createSentryRole(roleName);
-
- // Create NUM_PRIVS unique privilege objects in the database
- for (int i = 0; i < NUM_PRIVS; i++) {
- TSentryPrivilege priv = new TSentryPrivilege();
- priv.setPrivilegeScope("TABLE");
- priv.setServerName(server);
- priv.setAction(AccessConstants.ALL);
- priv.setCreateTime(System.currentTimeMillis());
- priv.setTableName(table + i);
- priv.setDbName(dBase);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, priv);
- }
-
- // Make sure we really have the expected number of privs in the database
- assertEquals(sentryStore.countMSentryPrivileges(), NUM_PRIVS);
-
- // Now to make a bunch of orphans, we just remove the role that
- // created them.
- sentryStore.dropSentryRole(roleName);
-
- // Now wait and see if the orphans get cleaned up
- verifyOrphanCleanup();
- }
-
- /**
- * Much like testPrivilegeCleanup, make a lot of privileges and make sure
- * they get cleaned up. The difference here is that the privileges are
- * created by granting ALL and then removing SELECT - thus leaving INSERT.
- * This test exists because the revocation plays havoc with the orphan
- * cleanup thread.
- * @throws Exception
- */
- @Ignore("Disabled with SENTRY-545 following SENTRY-140 problems")
- @Test
- public void testPrivilegeCleanup2() throws Exception {
- final String roleName = "test-priv-cleanup";
- final String grantor = "g1";
- final String server = "server";
- final String dBase = "db";
- final String table = "table-";
-
- sentryStore.createSentryRole(roleName);
-
- // Create NUM_PRIVS unique privilege objects in the database once more,
- // this time granting ALL and revoking SELECT to make INSERT.
- for (int i=0 ; i < NUM_PRIVS; i++) {
- TSentryPrivilege priv = new TSentryPrivilege();
- priv.setPrivilegeScope("DATABASE");
- priv.setServerName(server);
- priv.setAction(AccessConstants.ALL);
- priv.setCreateTime(System.currentTimeMillis());
- priv.setTableName(table + i);
- priv.setDbName(dBase);
- priv.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, priv);
-
- priv.setAction(AccessConstants.SELECT);
- priv.setGrantOption(TSentryGrantOption.UNSET);
- sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, priv);
- // after having ALL and revoking SELECT, we should have INSERT
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), i+1, privileges.size());
- MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
- assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
- }
-
- // Drop the role and clean up as before
- sentryStore.dropSentryRole(roleName);
- verifyOrphanCleanup();
- }
-
- @Test
- public void testGrantRevokeMultiPrivileges() throws Exception {
- String roleName = "test-privilege";
- String grantor = "g1";
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- String[] columns = {"c1","c2","c3","c4"};
- long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
- Set<TSentryPrivilege> tPrivileges = Sets.newHashSet();
- for (String column : columns) {
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope("Column");
- privilege.setServerName(server);
- privilege.setDbName(db);
- privilege.setTableName(table);
- privilege.setColumnName(column);
- privilege.setAction(AccessConstants.SELECT);
- privilege.setCreateTime(System.currentTimeMillis());
- tPrivileges.add(privilege);
- }
- assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivileges(grantor, roleName, tPrivileges)
- .getSequenceId());
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 4, privileges.size());
-
- tPrivileges = Sets.newHashSet();
- for (int i = 0; i < 2; i++) {
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope("Column");
- privilege.setServerName(server);
- privilege.setDbName(db);
- privilege.setTableName(table);
- privilege.setColumnName(columns[i]);
- privilege.setAction(AccessConstants.SELECT);
- privilege.setCreateTime(System.currentTimeMillis());
- tPrivileges.add(privilege);
- }
- assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivileges(grantor, roleName, tPrivileges)
- .getSequenceId());
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 2, privileges.size());
-
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope("Table");
- privilege.setServerName(server);
- privilege.setDbName(db);
- privilege.setTableName(table);
- privilege.setAction(AccessConstants.SELECT);
- privilege.setCreateTime(System.currentTimeMillis());
- assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege)
- .getSequenceId());
- // After revoking table scope, we will have 0 privileges
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 0, privileges.size());
- }
-
- /**
- * Regression test for SENTRY-74 and SENTRY-552
- */
- @Test
- public void testGrantRevokePrivilegeWithColumn() throws Exception {
- String roleName = "test-col-privilege";
- String grantor = "g1";
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- String column1 = "c1";
- String column2 = "c2";
- long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope("COLUMN");
- privilege.setServerName(server);
- privilege.setDbName(db);
- privilege.setTableName(table);
- privilege.setColumnName(column1);
- privilege.setAction(AccessConstants.ALL);
- privilege.setCreateTime(System.currentTimeMillis());
-
- // Grant ALL on c1 and c2
- assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
- .getSequenceId());
- privilege.setColumnName(column2);
- assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
- .getSequenceId());
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 2, privileges.size());
-
- // Revoke SELECT on c2
- privilege.setAction(AccessConstants.SELECT);
- assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege)
- .getSequenceId());
-
- // At this point c1 has ALL privileges and c2 should have INSERT after revoking SELECT
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 2, privileges.size());
- for (MSentryPrivilege mPrivilege: privileges) {
- assertEquals(server, mPrivilege.getServerName());
- assertEquals(db, mPrivilege.getDbName());
- assertEquals(table, mPrivilege.getTableName());
- assertFalse(mPrivilege.getGrantOption());
- if (mPrivilege.getColumnName().equals(column1)) {
- assertEquals(AccessConstants.ALL, mPrivilege.getAction());
- } else if (mPrivilege.getColumnName().equals(column2)) {
- assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
- } else {
- fail("Unexpected column name: " + mPrivilege.getColumnName());
- }
- }
-
- // after revoking INSERT table level privilege will remove privileges from column2
- // and downgrade column1 to SELECT privileges.
- privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope("TABLE");
- privilege.setServerName(server);
- privilege.setDbName(db);
- privilege.setTableName(table);
- privilege.setAction(AccessConstants.INSERT);
- privilege.setCreateTime(System.currentTimeMillis());
- assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege)
- .getSequenceId());
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
- assertEquals(column1, Iterables.get(privileges, 0).getColumnName());
- assertEquals(AccessConstants.SELECT, Iterables.get(privileges, 0).getAction());
-
- // Revoke ALL from the table should now remove all the column privileges.
- privilege.setAction(AccessConstants.ALL);
- privilege.setCreateTime(System.currentTimeMillis());
- assertEquals(seqId + 5, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege)
- .getSequenceId());
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 0, privileges.size());
- }
-
- /**
- * Regression test for SENTRY-552
- */
- @Test
- public void testGrantRevokeTablePrivilegeDowngradeByDb() throws Exception {
- String roleName = "test-table-db-downgrade-privilege";
- String grantor = "g1";
- String server = "server1";
- String db = "db1";
- String table1 = "tbl1";
- String table2 = "tbl2";
- long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
- TSentryPrivilege privilegeTable1 = new TSentryPrivilege();
- privilegeTable1.setPrivilegeScope("TABLE");
- privilegeTable1.setServerName(server);
- privilegeTable1.setDbName(db);
- privilegeTable1.setTableName(table1);
- privilegeTable1.setAction(AccessConstants.ALL);
- privilegeTable1.setCreateTime(System.currentTimeMillis());
- TSentryPrivilege privilegeTable2 = privilegeTable1.deepCopy();
- privilegeTable2.setTableName(table2);
-
- // Grant ALL on table1 and table2
- assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilegeTable1)
- .getSequenceId());
- assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilegeTable2)
- .getSequenceId());
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 2, privileges.size());
-
- // Revoke SELECT on table2
- privilegeTable2.setAction(AccessConstants.SELECT);
- assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeTable2)
- .getSequenceId());
- // after having ALL and revoking SELECT, we should have INSERT
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 2, privileges.size());
-
- // At this point table1 has ALL privileges and table2 should have INSERT after revoking SELECT
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 2, privileges.size());
- for (MSentryPrivilege mPrivilege: privileges) {
- assertEquals(server, mPrivilege.getServerName());
- assertEquals(db, mPrivilege.getDbName());
- assertFalse(mPrivilege.getGrantOption());
- if (mPrivilege.getTableName().equals(table1)) {
- assertEquals(AccessConstants.ALL, mPrivilege.getAction());
- } else if (mPrivilege.getTableName().equals(table2)) {
- assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
- } else {
- fail("Unexpected table name: " + mPrivilege.getTableName());
- }
- }
-
- // Revoke INSERT on Database
- privilegeTable2.setAction(AccessConstants.INSERT);
- privilegeTable2.setPrivilegeScope("DATABASE");
- privilegeTable2.unsetTableName();
- assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeTable2)
- .getSequenceId());
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
-
- // after revoking INSERT database level privilege will remove privileges from table2
- // and downgrade table1 to SELECT privileges.
- assertEquals(privileges.toString(), 1, privileges.size());
- MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
- assertEquals(server, mPrivilege.getServerName());
- assertEquals(db, mPrivilege.getDbName());
- assertEquals(table1, mPrivilege.getTableName());
- assertEquals(AccessConstants.SELECT, mPrivilege.getAction());
- assertFalse(mPrivilege.getGrantOption());
- }
-
- /**
- * Regression test for SENTRY-552
- */
- @Test
- public void testGrantRevokeColumnPrivilegeDowngradeByDb() throws Exception {
- String roleName = "test-column-db-downgrade-privilege";
- String grantor = "g1";
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- String column1 = "c1";
- String column2 = "c2";
- long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
- TSentryPrivilege privilegeCol1 = new TSentryPrivilege();
- privilegeCol1.setPrivilegeScope("COLUMN");
- privilegeCol1.setServerName(server);
- privilegeCol1.setDbName(db);
- privilegeCol1.setTableName(table);
- privilegeCol1.setColumnName(column1);
- privilegeCol1.setAction(AccessConstants.ALL);
- privilegeCol1.setCreateTime(System.currentTimeMillis());
- TSentryPrivilege privilegeCol2 = privilegeCol1.deepCopy();
- privilegeCol2.setColumnName(column2);
-
- // Grant ALL on column1 and column2
- assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilegeCol1)
- .getSequenceId());
- assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilegeCol2)
- .getSequenceId());
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 2, privileges.size());
-
- // Revoke SELECT on column2
- privilegeCol2.setAction(AccessConstants.SELECT);
- assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeCol2)
- .getSequenceId());
- // after having ALL and revoking SELECT, we should have INSERT
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 2, privileges.size());
-
- // At this point column1 has ALL privileges and column2 should have INSERT after revoking SELECT
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 2, privileges.size());
- for (MSentryPrivilege mPrivilege: privileges) {
- assertEquals(server, mPrivilege.getServerName());
- assertEquals(db, mPrivilege.getDbName());
- assertEquals(table, mPrivilege.getTableName());
- assertFalse(mPrivilege.getGrantOption());
- if (mPrivilege.getColumnName().equals(column1)) {
- assertEquals(AccessConstants.ALL, mPrivilege.getAction());
- } else if (mPrivilege.getColumnName().equals(column2)) {
- assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
- } else {
- fail("Unexpected column name: " + mPrivilege.getColumnName());
- }
- }
-
- // Revoke INSERT on Database
- privilegeCol2.setAction(AccessConstants.INSERT);
- privilegeCol2.setPrivilegeScope("DATABASE");
- privilegeCol2.unsetTableName();
- privilegeCol2.unsetColumnName();
- assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeCol2)
- .getSequenceId());
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
-
- // after revoking INSERT database level privilege will remove privileges from column2
- // and downgrade column1 to SELECT privileges.
- assertEquals(privileges.toString(), 1, privileges.size());
- MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
- assertEquals(server, mPrivilege.getServerName());
- assertEquals(db, mPrivilege.getDbName());
- assertEquals(table, mPrivilege.getTableName());
- assertEquals(column1, mPrivilege.getColumnName());
- assertEquals(AccessConstants.SELECT, mPrivilege.getAction());
- assertFalse(mPrivilege.getGrantOption());
- }
-
- @Test
- public void testGrantRevokePrivilegeWithGrantOption() throws Exception {
- String roleName = "test-grantOption-table";
- String grantor = "g1";
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- TSentryGrantOption grantOption = TSentryGrantOption.TRUE;
- long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
-
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope("TABLE");
- privilege.setServerName(server);
- privilege.setDbName(db);
- privilege.setTableName(table);
- privilege.setAction(AccessConstants.ALL);
- privilege.setCreateTime(System.currentTimeMillis());
- privilege.setGrantOption(grantOption);
- assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
- .getSequenceId());
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
- assertEquals(Boolean.valueOf(privilege.getGrantOption().toString()), Iterables.get(privileges, 0).getGrantOption());
- assertEquals(seqId + 2, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege)
- .getSequenceId());
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(0, privileges.size());
-
- roleName = "test-grantOption-db";
- sentryStore.createSentryRole(roleName);
- privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope("DATABASE");
- privilege.setServerName(server);
- privilege.setDbName(db);
- privilege.setAction(AccessConstants.ALL);
- privilege.setGrantOption(TSentryGrantOption.TRUE);
- privilege.setCreateTime(System.currentTimeMillis());
- privilege.setGrantOption(grantOption);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege);
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
-
- privilege.setAction(AccessConstants.SELECT);
- privilege.setGrantOption(TSentryGrantOption.UNSET);
- sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege);
- // after having ALL and revoking SELECT, we should have INSERT
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
- MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
- assertEquals(server, mPrivilege.getServerName());
- assertEquals(db, mPrivilege.getDbName());
- assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
- }
-
- @Test
- public void testGrantCheckWithGroupAndUser() throws Exception {
- // 1. set local group mapping and group-role, user-role mapping
- // user0_0->group0
- // user0_1->group0
- // user1_0->group1
- // user1_1->group1
- // group0->roleG0
- // group1->roleG1
- // user0_0->roleU00
- // user0_1->roleU01
- // user1_0->roleU10
- // user1_1->roleU11
- String grantor = "g1";
- String[][] users = { { "user0_0", "user0_1" }, { "user1_0", "user1_1" } };
- String[] groups = { "group0", "group1" };
- String[] rolesForGroup = { "roleG0", "roleG1" };
- String[] rolesForUser = { "roleU0", "roleU1", "roleU2", "roleU3" };
- for (int i = 0; i < groups.length; i++) {
- for (int j = 0; j < users[i].length; j++) {
- addGroupsToUser(users[i][j], groups[i]);
- sentryStore.createSentryRole(rolesForUser[i * 2 + j]);
- sentryStore.alterSentryRoleAddUsers(rolesForUser[i * 2 + j], Sets.newHashSet(users[i][j]));
- }
- sentryStore.createSentryRole(rolesForGroup[i]);
- Set<TSentryGroup> tGroups = Sets.newHashSet();
- TSentryGroup tGroup = new TSentryGroup(groups[i]);
- tGroups.add(tGroup);
- sentryStore.alterSentryRoleAddGroups(grantor, rolesForGroup[i], tGroups);
- }
- writePolicyFile();
-
- // 2. g1 grant all on database db1 to roleG0, roleU0 without grant option
- String server = "server1";
- String db = "db1";
- grantor = "g1";
- TSentryPrivilege privilege1 = new TSentryPrivilege();
- privilege1.setPrivilegeScope("DATABASE");
- privilege1.setServerName(server);
- privilege1.setDbName(db);
- privilege1.setAction(AccessConstants.ALL);
- privilege1.setCreateTime(System.currentTimeMillis());
- privilege1.setGrantOption(TSentryGrantOption.FALSE);
- // user0_0 has the privilege without grant option
- sentryStore.alterSentryRoleGrantPrivilege(grantor, "roleG0", privilege1);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, "roleU0", privilege1);
- try {
- sentryStore.alterSentryRoleGrantPrivilege("user0_0", "roleG1", privilege1);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
- try {
- sentryStore.alterSentryRoleRevokePrivilege("user0_0", "roleG1", privilege1);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
-
- // 3. g1 grant all on database db1 to roleG0 with grant option
- TSentryPrivilege privilege2 = new TSentryPrivilege();
- privilege2.setPrivilegeScope("DATABASE");
- privilege2.setServerName(server);
- privilege2.setDbName(db);
- privilege2.setAction(AccessConstants.ALL);
- privilege2.setCreateTime(System.currentTimeMillis());
- privilege2.setGrantOption(TSentryGrantOption.TRUE);
- // user0_0, user0_1 can grant the same privilege to other roles
- sentryStore.alterSentryRoleGrantPrivilege(grantor, "roleG0", privilege2);
- sentryStore.alterSentryRoleGrantPrivilege("user0_0", "roleG1", privilege2);
- validatePrivilegeByRoleName("roleG1", privilege2);
- sentryStore.alterSentryRoleRevokePrivilege("user0_0", "roleG1", privilege2);
- validateEmptyPrivilegeByRoleName("roleG1");
- sentryStore.alterSentryRoleGrantPrivilege("user0_1", "roleG1", privilege2);
- validatePrivilegeByRoleName("roleG1", privilege2);
- sentryStore.alterSentryRoleRevokePrivilege("user0_1", "roleG1", privilege2);
- validateEmptyPrivilegeByRoleName("roleG1");
- // clear privilege for roleG0
- sentryStore.alterSentryRoleRevokePrivilege(grantor, "roleG0", privilege2);
-
- // 4. g1 grant all on database db1 to roleU0 with grant option
- sentryStore.alterSentryRoleGrantPrivilege(grantor, "roleU0", privilege2);
- sentryStore.alterSentryRoleGrantPrivilege("user0_0", "roleG1", privilege2);
- validatePrivilegeByRoleName("roleG1", privilege2);
- sentryStore.alterSentryRoleRevokePrivilege("user0_0", "roleG1", privilege2);
- validateEmptyPrivilegeByRoleName("roleG1");
- try {
- sentryStore.alterSentryRoleGrantPrivilege("user0_1", "roleG1", privilege2);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
- try {
- sentryStore.alterSentryRoleRevokePrivilege("user0_1", "roleG1", privilege2);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
- // clear privilege for roleG0
- sentryStore.alterSentryRoleRevokePrivilege(grantor, "roleU0", privilege2);
-
- // 5. g1 grant all on database db1 to roleU2, roleG0 with grant option
- sentryStore.alterSentryRoleGrantPrivilege(grantor, "roleU2", privilege2);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, "roleG0", privilege2);
- sentryStore.alterSentryRoleGrantPrivilege("user0_0", "roleG1", privilege2);
- validatePrivilegeByRoleName("roleG1", privilege2);
- sentryStore.alterSentryRoleRevokePrivilege("user0_0", "roleG1", privilege2);
- validateEmptyPrivilegeByRoleName("roleG1");
- sentryStore.alterSentryRoleGrantPrivilege("user0_1", "roleG1", privilege2);
- validatePrivilegeByRoleName("roleG1", privilege2);
- sentryStore.alterSentryRoleRevokePrivilege("user0_1", "roleG1", privilege2);
- validateEmptyPrivilegeByRoleName("roleG1");
-
- sentryStore.alterSentryRoleGrantPrivilege("user1_0", "roleG1", privilege2);
- validatePrivilegeByRoleName("roleG1", privilege2);
- sentryStore.alterSentryRoleRevokePrivilege("user1_0", "roleG1", privilege2);
- validateEmptyPrivilegeByRoleName("roleG1");
- try {
- sentryStore.alterSentryRoleGrantPrivilege("user1_1", "roleG1", privilege2);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
- try {
- sentryStore.alterSentryRoleRevokePrivilege("user1_1", "roleG1", privilege2);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
- // clear privilege for roleG0
- sentryStore.alterSentryRoleRevokePrivilege(grantor, "roleG0", privilege2);
- sentryStore.alterSentryRoleRevokePrivilege(grantor, "roleU2", privilege2);
- }
-
- private void validatePrivilegeByRoleName(String roleName, TSentryPrivilege exceptedTPrivelege)
- throws Exception {
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
- MSentryPrivilege mPrivilege = Iterables.get(privileges, 0);
- assertEquals(exceptedTPrivelege.getServerName(), mPrivilege.getServerName());
- assertEquals(exceptedTPrivelege.getDbName(), mPrivilege.getDbName());
- assertEquals(AccessConstants.ALL, mPrivilege.getAction());
- }
-
- private void validateEmptyPrivilegeByRoleName(String roleName) throws Exception {
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 0, privileges.size());
- }
-
- @Test
- public void testGrantCheckWithGrantOption() throws Exception {
- // 1. set local group mapping
- // user0->group0->role0
- // user1->group1->role1
- // user2->group2->role2
- // user3->group3->role3
- // user4->group4->role4
- String grantor = "g1";
- String[] users = {"user0","user1","user2","user3","user4"};
- String[] groups = { "group0", "group1", "group2", "group3", "group4" };
- String[] roles = {"role0","role1","role2","role3","role4"};
- for (int i = 0; i < users.length; i++) {
- addGroupsToUser(users[i], groups[i]);
- sentryStore.createSentryRole(roles[i]);
- Set<TSentryGroup> tGroups = Sets.newHashSet();
- TSentryGroup tGroup = new TSentryGroup(groups[i]);
- tGroups.add(tGroup);
- sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups);
- }
- writePolicyFile();
-
- // 2. g1 grant all on database db1 to role0 with grant option
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- String roleName = roles[0];
- grantor = "g1";
- TSentryPrivilege privilege1 = new TSentryPrivilege();
- privilege1.setPrivilegeScope("DATABASE");
- privilege1.setServerName(server);
- privilege1.setDbName(db);
- privilege1.setAction(AccessConstants.ALL);
- privilege1.setCreateTime(System.currentTimeMillis());
- privilege1.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege1);
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
-
- // 3. user0 grant select on database db1 to role1, with grant option
- roleName = roles[1];
- grantor = users[0];
- TSentryPrivilege privilege2 = new TSentryPrivilege();
- privilege2.setPrivilegeScope("DATABASE");
- privilege2.setServerName(server);
- privilege2.setDbName(db);
- privilege2.setAction(AccessConstants.SELECT);
- privilege2.setCreateTime(System.currentTimeMillis());
- privilege2.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege2);
-
- // 4. user0 grant all on table tb1 to role2, no grant option
- roleName = roles[2];
- grantor = users[0];
- TSentryPrivilege privilege3 = new TSentryPrivilege();
- privilege3.setPrivilegeScope("TABLE");
- privilege3.setServerName(server);
- privilege3.setDbName(db);
- privilege3.setTableName(table);
- privilege3.setAction(AccessConstants.ALL);
- privilege3.setCreateTime(System.currentTimeMillis());
- privilege3.setGrantOption(TSentryGrantOption.FALSE);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege3);
-
- // 5. user1 has role1, no insert privilege,
- // grant insert to role3, will throw no grant exception
- roleName = roles[3];
- grantor = users[1];
- TSentryPrivilege privilege4 = new TSentryPrivilege();
- privilege4.setPrivilegeScope("DATABASE");
- privilege4.setServerName(server);
- privilege4.setDbName(db);
- privilege4.setAction(AccessConstants.INSERT);
- privilege4.setCreateTime(System.currentTimeMillis());
- privilege4.setGrantOption(TSentryGrantOption.FALSE);
- try {
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege4);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
-
- // 6. user2 has role2, no grant option,
- // grant insert to role4, will throw no grant exception
- roleName = roles[4];
- grantor = users[2];
- TSentryPrivilege privilege5 = new TSentryPrivilege();
- privilege5.setPrivilegeScope("TABLE");
- privilege5.setServerName(server);
- privilege5.setDbName(db);
- privilege5.setTableName(table);
- privilege5.setAction(AccessConstants.INSERT);
- privilege5.setCreateTime(System.currentTimeMillis());
- privilege5.setGrantOption(TSentryGrantOption.FALSE);
- try {
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege5);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
- }
-
- @Test
- public void testRevokeCheckWithGrantOption() throws Exception {
- // 1. set local group mapping
- // user0->group0->role0
- // user1->group1->role1
- // user2->group2->role2
- String grantor = "g1";
- String[] users = {"user0","user1","user2"};
- String[] roles = {"role0","role1","role2"};
- String[] groups = {"group0","group1","group2"};
- for (int i = 0; i < users.length; i++) {
- addGroupsToUser(users[i], groups[i]);
- sentryStore.createSentryRole(roles[i]);
- Set<TSentryGroup> tGroups = Sets.newHashSet();
- TSentryGroup tGroup = new TSentryGroup(groups[i]);
- tGroups.add(tGroup);
- sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups);
- sentryStore.alterSentryRoleAddUsers(roles[i], Sets.newHashSet(users[i]));
- }
- writePolicyFile();
-
- // 2. g1 grant select on database db1 to role0, with grant option
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- String roleName = roles[0];
- grantor = "g1";
- TSentryPrivilege privilege1 = new TSentryPrivilege();
- privilege1.setPrivilegeScope("DATABASE");
- privilege1.setServerName(server);
- privilege1.setDbName(db);
- privilege1.setAction(AccessConstants.SELECT);
- privilege1.setCreateTime(System.currentTimeMillis());
- privilege1.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege1);
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
-
- // 3. g1 grant all on table tb1 to role1, no grant option
- roleName = roles[1];
- grantor = "g1";
- TSentryPrivilege privilege2 = new TSentryPrivilege();
- privilege2.setPrivilegeScope("TABLE");
- privilege2.setServerName(server);
- privilege2.setDbName(db);
- privilege2.setTableName(table);
- privilege2.setAction(AccessConstants.ALL);
- privilege2.setCreateTime(System.currentTimeMillis());
- privilege2.setGrantOption(TSentryGrantOption.FALSE);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege2);
-
- // 4. g1 grant select on table tb1 to role2, no grant option
- roleName = roles[2];
- grantor = "g1";
- TSentryPrivilege privilege3 = new TSentryPrivilege();
- privilege3.setPrivilegeScope("TABLE");
- privilege3.setServerName(server);
- privilege3.setDbName(db);
- privilege3.setTableName(table);
- privilege3.setAction(AccessConstants.SELECT);
- privilege3.setCreateTime(System.currentTimeMillis());
- privilege3.setGrantOption(TSentryGrantOption.FALSE);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege3);
-
- // 5. user1 has role1, no grant option,
- // revoke from role2 will throw no grant exception
- roleName = roles[2];
- grantor = users[1];
- try {
- sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege3);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
-
- // 6. user0 has role0, only have select,
- // revoke all from role1 will throw no grant exception
- roleName = roles[1];
- grantor = users[0];
- try {
- sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege2);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
-
- // 7. user0 has role0, has select and grant option,
- // revoke select from role2
- roleName = roles[2];
- grantor = users[0];
- sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege3);
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(0, privileges.size());
- }
-
- @Test
- public void testRevokeAllGrantOption() throws Exception {
- // 1. set local group mapping
- // user0->group0->role0
- String grantor = "g1";
- String[] users = {"user0"};
- String[] roles = {"role0"};
- String[] groups = {"group0"};
- for (int i = 0; i < users.length; i++) {
- addGroupsToUser(users[i], groups[i]);
- sentryStore.createSentryRole(roles[i]);
- Set<TSentryGroup> tGroups = Sets.newHashSet();
- TSentryGroup tGroup = new TSentryGroup(groups[i]);
- tGroups.add(tGroup);
- sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups);
- }
- writePolicyFile();
-
- // 2. g1 grant select on table tb1 to role0, with grant option
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- String roleName = roles[0];
- grantor = "g1";
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope("TABLE");
- privilege.setServerName(server);
- privilege.setDbName(db);
- privilege.setTableName(table);
- privilege.setAction(AccessConstants.SELECT);
- privilege.setCreateTime(System.currentTimeMillis());
- privilege.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege);
-
- // 3. g1 grant select on table tb1 to role0, no grant option
- roleName = roles[0];
- grantor = "g1";
- privilege.setGrantOption(TSentryGrantOption.FALSE);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege);
-
- // 4. g1 revoke all privilege from role0
- roleName = roles[0];
- grantor = "g1";
- privilege.setGrantOption(TSentryGrantOption.UNSET);
- sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege);
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 0, privileges.size());
- }
-
- @Test
- public void testGrantCheckWithColumn() throws Exception {
- // 1. set local group mapping
- // user0->group0->role0
- // user1->group1->role1
- String grantor = "g1";
- String[] users = {"user0","user1"};
- String[] roles = {"role0","role1"};
- String[] groups = {"group0","group1"};
- for (int i = 0; i < users.length; i++) {
- addGroupsToUser(users[i], groups[i]);
- sentryStore.createSentryRole(roles[i]);
- Set<TSentryGroup> tGroups = Sets.newHashSet();
- TSentryGroup tGroup = new TSentryGroup(groups[i]);
- tGroups.add(tGroup);
- sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups);
- }
- writePolicyFile();
-
- // 2. g1 grant select on table tb1 to role0, with grant option
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- String roleName = roles[0];
- grantor = "g1";
- TSentryPrivilege privilege1 = new TSentryPrivilege();
- privilege1.setPrivilegeScope("TABLE");
- privilege1.setServerName(server);
- privilege1.setDbName(db);
- privilege1.setTableName(table);
- privilege1.setAction(AccessConstants.SELECT);
- privilege1.setCreateTime(System.currentTimeMillis());
- privilege1.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege1);
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
-
- // 3. user0 grant select on column tb1.c1 to role1, with grant option
- roleName = roles[1];
- grantor = users[0];
- String column = "c1";
- TSentryPrivilege privilege2 = new TSentryPrivilege();
- privilege2.setPrivilegeScope("COLUMN");
- privilege2.setServerName(server);
- privilege2.setDbName(db);
- privilege2.setTableName(table);
- privilege2.setColumnName(column);
- privilege2.setAction(AccessConstants.SELECT);
- privilege2.setCreateTime(System.currentTimeMillis());
- privilege2.setGrantOption(TSentryGrantOption.TRUE);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege2);
-
- // 4. user1 revoke table level privilege from user0, will throw grant denied exception
- roleName = roles[0];
- grantor = users[1];
- try {
- sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege1);
- fail("Expected SentryGrantDeniedException exception");
- } catch (SentryGrantDeniedException e) {
- // excepted exception
- }
-
- // 5. user0 revoke column level privilege from user1
- roleName = roles[1];
- grantor = users[0];
- sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilege2);
- role = sentryStore.getMSentryRoleByName(roleName);
- privileges = role.getPrivileges();
- assertEquals(0, privileges.size());
- }
-
- @Test
- public void testGrantDuplicatePrivilege() throws Exception {
- String roleName = "test-privilege";
- String grantor = "g1";
- String server = "server1";
- String db = "db1";
- String table = "tbl1";
- long seqId = sentryStore.createSentryRole(roleName).getSequenceId();
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope("TABLE");
- privilege.setServerName(server);
- privilege.setDbName(db);
- privilege.setTableName(table);
- privilege.setAction(AccessConstants.ALL);
- privilege.setCreateTime(System.currentTimeMillis());
- assertEquals(seqId + 1, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
- .getSequenceId());
- assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
- .getSequenceId());
- privilege.setServerName("Server1");
- privilege.setDbName("DB1");
- privilege.setTableName("TBL1");
- assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, privilege)
- .getSequenceId());
- MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
- Set<MSentryPrivilege> privileges = role.getPrivileges();
- assertEquals(privileges.toString(), 1, privileges.size());
- }
-
- @Test
- public void testListSentryPrivilegesForProvider() throws Exception {
- String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2";
- String groupName1 = "list-privs-g1", groupName2 = "list-privs-g2";
- String userName1 = "list-privs-u1", userName2 = "list-privs-u2";
- String userWithoutRole = "user-no-privs";
- Set<String> noRoleUsers = Sets.newHashSet(userWithoutRole);
- String grantor = "g1";
- long seqId = sentryStore.createSentryRole(roleName1).getSequenceId();
- assertEquals(seqId + 1, sentryStore.createSentryRole(roleName2).getSequenceId());
- TSentryPrivilege privilege1 = new TSentryPrivilege();
- privilege1.setPrivilegeScope("TABLE");
- privilege1.setServerName("server1");
- privilege1.setDbName("db1");
- privilege1.setTableName("tbl1");
- privilege1.setAction("SELECT");
- privilege1.setCreateTime(System.currentTimeMillis());
- assertEquals(seqId + 2, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege1)
- .getSequenceId());
- assertEquals(seqId + 3, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege1)
- .getSequenceId());
- TSentryPrivilege privilege2 = new TSentryPrivilege();
- privilege2.setPrivilegeScope("SERVER");
- privilege2.setServerName("server1");
- privilege2.setCreateTime(System.currentTimeMillis());
- assertEquals(seqId + 4, sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege2)
- .getSequenceId());
- Set<TSentryGroup> groups = Sets.newHashSet();
- Set<String> users = Sets.newHashSet();
- TSentryGroup group = new TSentryGroup();
- group.setGroupName(groupName1);
- groups.add(group);
- users.add(userName1);
- assertEquals(seqId + 5, sentryStore.alterSentryRoleAddGroups(grantor,
- roleName1, groups).getSequenceId());
- assertEquals(seqId + 6, sentryStore.alterSentryRoleAddUsers(roleName1, users).getSequenceId());
- groups.clear();
- users.clear();
- group = new TSentryGroup();
- group.setGroupName(groupName2);
- groups.add(group);
- users.add(userName2);
- // group 2 and user2 has both roles 1 and 2
- assertEquals(seqId + 7, sentryStore.alterSentryRoleAddGroups(grantor, roleName1, groups)
- .getSequenceId());
- assertEquals(seqId + 8, sentryStore.alterSentryRoleAddGroups(grantor, roleName2, groups)
- .getSequenceId());
- assertEquals(seqId + 9, sentryStore.alterSentryRoleAddUsers(roleName1, users).getSequenceId());
- assertEquals(seqId + 10, sentryStore.alterSentryRoleAddUsers(roleName2, users).getSequenceId());
- // group1 all roles
- assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
- SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets
- .newHashSet(groupName1), noRoleUsers, new TSentryActiveRoleSet(true,
- new HashSet<String>()))));
- // user1 all roles
- assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
- SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets
- .newHashSet(""), Sets.newHashSet(userName1), new TSentryActiveRoleSet(true,
- new HashSet<String>()))));
- // group1 and user1 all roles
- assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
- SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets
- .newHashSet(groupName1), Sets.newHashSet(userName1), new TSentryActiveRoleSet(true,
- new HashSet<String>()))));
- // one active role
- assertEquals(
- Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
- SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
- Sets.newHashSet(groupName1), noRoleUsers,
- new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
- // unknown active role
- assertEquals(
- Sets.newHashSet(),
- SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
- Sets.newHashSet(groupName1), noRoleUsers,
- new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
- // no active roles
- assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore
- .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), noRoleUsers,
- new TSentryActiveRoleSet(false, new HashSet<String>()))));
-
- // group2 all roles
- assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
- "server=server1"), SentryStore.toTrimedLower(sentryStore
- .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), Sets.newHashSet(""),
- new TSentryActiveRoleSet(true, new HashSet<String>()))));
- // user2 all roles
- assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
- "server=server1"), SentryStore.toTrimedLower(sentryStore
- .listAllSentryPrivilegesForProvider(Sets.newHashSet(""), Sets.newHashSet(userName2),
- new TSentryActiveRoleSet(true, new HashSet<String>()))));
- // user2 and group2 all roles
- assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
- "server=server1"), SentryStore.toTrimedLower(sentryStore
- .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
- Sets.newHashSet(userName2), new TSentryActiveRoleSet(true, new HashSet<String>()))));
-
- // one active role
- assertEquals(
- Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
- SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
- Sets.newHashSet(groupName2), noRoleUsers,
- new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
- assertEquals(
- Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"),
- SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
- Sets.newHashSet(groupName2), noRoleUsers,
- new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2)))));
- // unknown active role
- assertEquals(
- Sets.newHashSet(),
- SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
- Sets.newHashSet(groupName2), noRoleUsers,
- new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
- // no active roles
- assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore
- .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), noRoleUsers,
- new TSentryActiveRoleSet(false, new HashSet<String>()))));
-
- // both groups, all active roles
- assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
- "server=server1"), SentryStore.toTrimedLower(sentryStore
- .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), noRoleUsers,
- new TSentryActiveRoleSet(true, new HashSet<String>()))));
- // both users and groups, all active roles
- assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
- "server=server1"), SentryStore.toTrimedLower(sentryStore
- .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), Sets
- .newHashSet(userName1, userName2),
- new TSentryActiveRoleSet(true, new HashSet<String>()))));
- // one active role
- assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
- SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(
- groupName1, groupName2), noRoleUsers,
- new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
- assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
- "server=server1"), SentryStore.toTrimedLower(sentryStore
- .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), noRoleUsers,
- new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2)))));
- // unknown active role
- assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore
- .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), noRoleUsers,
- new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
- // no active roles
- assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore
- .listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), noRoleUsers,
- new TSentryActiveRoleSet(false, new HashSet<String>()))));
- }
-
- @Test
- public void testListRole() throws Exception {
- String roleName1 = "role1", roleName2 = "role2", roleName3 = "role3";
- String group1 = "group1", group2 = "group2";
- String grantor = "g1";
-
- sentryStore.createSentryRole(roleName1);
- sentryStore.createSentryRole(roleName2);
- sentryStore.createSentryRole(roleName3);
-
- sentryStore.alterSentryRoleAddGroups(grantor, roleName1, Sets.newHashSet(new TSentryGroup(group1)));
- sentryStore.alterSentryRoleAddGroups(grantor, roleName2, Sets.newHashSet(new TSentryGroup(group2)));
- sentryStore.alterSentryRoleAddGroups(grantor, roleName3,
- Sets.newHashSet(new TSentryGroup(group1), new TSentryGroup(group2)));
-
- assertEquals(2, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group1), false).size());
- assertEquals(2, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group2), false).size());
- assertEquals(3, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group1,group2), false).size());
- assertEquals(0,
- sentryStore.getTSentryRolesByGroupName(Sets.newHashSet("foo"), true)
- .size());
- }
-
- /**
- * Assign multiple table and SERVER privileges to roles
- * drop privilege for the object verify that it's removed correctl
- * @throws Exception
- */
- @Test
- public void testDropDbObject() throws Exception {
- String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2", roleName3 = "list-privs-r3";
- String grantor = "g1";
- sentryStore.createSentryRole(roleName1);
- sentryStore.createSentryRole(roleName2);
- sentryStore.createSentryRole(roleName3);
-
- TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
- privilege_tbl1.setPrivilegeScope("TABLE");
- privilege_tbl1.setServerName("server1");
- privilege_tbl1.setDbName("db1");
- privilege_tbl1.setTableName("tbl1");
- privilege_tbl1.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege1 = new TSentryPrivilege(privilege_tbl1);
- privilege1.setAction("SELECT");
-
- TSentryPrivilege privilege2_1 = new TSentryPrivilege(privilege_tbl1);
- privilege2_1.setAction("INSERT");
- TSentryPrivilege privilege3_1 = new TSentryPrivilege(privilege_tbl1);
- privilege3_1.setAction("*");
-
- TSentryPrivilege privilege_server = new TSentryPrivilege();
- privilege_server.setPrivilegeScope("SERVER");
- privilege_server.setServerName("server1");
- privilege_server.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege_tbl2 = new TSentryPrivilege();
- privilege_tbl2.setPrivilegeScope("TABLE");
- privilege_tbl2.setServerName("server1");
- privilege_tbl2.setDbName("db1");
- privilege_tbl2.setTableName("tbl2");
- privilege_tbl2.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege2_3 = new TSentryPrivilege(privilege_tbl2);
- privilege2_3.setAction("SELECT");
-
- TSentryPrivilege privilege3_2 = new TSentryPrivilege(privilege_tbl2);
- privilege3_2.setAction("INSERT");
-
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege1);
-
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege2_1);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_server);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege2_3);
-
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName3, privilege3_1);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName3, privilege3_2);
-
- sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1));
- assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
- .size());
- assertEquals(2, sentryStore.getAllTSentryPrivilegesByRoleName(roleName2)
- .size());
- assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName3)
- .size());
-
- sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl2));
- assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
- .size());
- assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName2)
- .size());
- assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName3)
- .size());
- }
-
- /**
- * Regression test for SENTRY-547 and SENTRY-548
- * Use case:
- * GRANT INSERT on TABLE tbl1 to ROLE role1
- * GRANT SELECT on TABLE tbl1 to ROLE role1
- * GRANT ALTER on TABLE tbl1 to ROLE role1
- * GRANT DROP on TABLE tbl1 to ROLE role1
- * DROP TABLE tbl1
- *
- * After drop tbl1, role1 should have 0 privileges
- */
- @Test
- public void testDropTableWithMultiAction() throws Exception {
- String roleName1 = "role1";
- String grantor = "g1";
- sentryStore.createSentryRole(roleName1);
-
- TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
- privilege_tbl1.setPrivilegeScope("TABLE");
- privilege_tbl1.setServerName("server1");
- privilege_tbl1.setDbName("db1");
- privilege_tbl1.setTableName("tbl1");
- privilege_tbl1.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege(
- privilege_tbl1);
- privilege_tbl1_insert.setAction(AccessConstants.INSERT);
-
- TSentryPrivilege privilege_tbl1_select = new TSentryPrivilege(
- privilege_tbl1);
- privilege_tbl1_select.setAction(AccessConstants.SELECT);
-
- TSentryPrivilege privilege_tbl1_alter = new TSentryPrivilege(
- privilege_tbl1);
- privilege_tbl1_alter.setAction(AccessConstants.ALTER);
-
- TSentryPrivilege privilege_tbl1_drop = new TSentryPrivilege(
- privilege_tbl1);
- privilege_tbl1_drop.setAction(AccessConstants.DROP);
-
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_insert);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_select);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_alter);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_drop);
-
- assertEquals(4, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1).size());
-
- // after drop privilege_tbl1, role1 should have 0 privileges
- sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1));
- assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1).size());
- }
-
- @Test
- public void testDropTableWithColumn() throws Exception {
- String roleName1 = "role1", roleName2 = "role2";
- String grantor = "g1";
- String table1 = "tbl1";
-
- sentryStore.createSentryRole(roleName1);
- sentryStore.createSentryRole(roleName2);
-
- TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
- privilege_tbl1.setPrivilegeScope("TABLE");
- privilege_tbl1.setServerName("server1");
- privilege_tbl1.setDbName("db1");
- privilege_tbl1.setTableName(table1);
- privilege_tbl1.setAction(AccessConstants.SELECT);
- privilege_tbl1.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege_tbl1_c1 = new TSentryPrivilege(privilege_tbl1);
- privilege_tbl1_c1.setPrivilegeScope("COLUMN");
- privilege_tbl1_c1.setColumnName("c1");
- privilege_tbl1_c1.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege_tbl1_c2 = new TSentryPrivilege(privilege_tbl1);
- privilege_tbl1_c2.setPrivilegeScope("COLUMN");
- privilege_tbl1_c2.setColumnName("c2");
- privilege_tbl1_c2.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege_tbl1_c3 = new TSentryPrivilege(privilege_tbl1);
- privilege_tbl1_c3.setPrivilegeScope("COLUMN");
- privilege_tbl1_c3.setColumnName("c3");
- privilege_tbl1_c3.setCreateTime(System.currentTimeMillis());
-
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c1);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c2);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_tbl1_c3);
-
- Set<TSentryPrivilege> privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
- assertEquals(2, privilegeSet.size());
- privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2);
- assertEquals(1, privilegeSet.size());
-
- TSentryAuthorizable tableAuthorizable = toTSentryAuthorizable(privilege_tbl1);
- sentryStore.dropPrivilege(tableAuthorizable);
-
- privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
- assertEquals(0, privilegeSet.size());
- privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2);
- assertEquals(0, privilegeSet.size());
- }
-
- @Test
- public void testDropOverlappedPrivileges() throws Exception {
- String roleName1 = "list-privs-r1";
- String grantor = "g1";
- sentryStore.createSentryRole(roleName1);
-
- TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
- privilege_tbl1.setPrivilegeScope("TABLE");
- privilege_tbl1.setServerName("server1");
- privilege_tbl1.setDbName("db1");
- privilege_tbl1.setTableName("tbl1");
- privilege_tbl1.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege(
- privilege_tbl1);
- privilege_tbl1_insert.setAction("INSERT");
-
- TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1);
- privilege_tbl1_all.setAction("*");
-
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_insert);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_all);
-
- sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1));
- assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
- .size());
- }
-
- private TSentryAuthorizable toTSentryAuthorizable(
- TSentryPrivilege tSentryPrivilege) {
- TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
- tSentryAuthorizable.setServer(tSentryPrivilege.getServerName());
- tSentryAuthorizable.setDb(tSentryPrivilege.getDbName());
- tSentryAuthorizable.setTable(tSentryPrivilege.getTableName());
- tSentryAuthorizable.setUri(tSentryPrivilege.getURI());
- return tSentryAuthorizable;
- }
-
- /***
- * Create roles and assign privileges for same table rename the privileges for
- * the table and verify the new privileges
- * @throws Exception
- */
- @Test
- public void testRenameTable() throws Exception {
- String roleName1 = "role1", roleName2 = "role2", roleName3 = "role3";
- String grantor = "g1";
- String table1 = "tbl1", table2 = "tbl2";
-
- sentryStore.createSentryRole(roleName1);
- sentryStore.createSentryRole(roleName2);
- sentryStore.createSentryRole(roleName3);
-
- TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
- privilege_tbl1.setPrivilegeScope("TABLE");
- privilege_tbl1.setServerName("server1");
- privilege_tbl1.setDbName("db1");
- privilege_tbl1.setTableName(table1);
- privilege_tbl1.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege(
- privilege_tbl1);
- privilege_tbl1_insert.setAction(AccessConstants.INSERT);
-
- TSentryPrivilege privilege_tbl1_select = new TSentryPrivilege(
- privilege_tbl1);
- privilege_tbl1_select.setAction(AccessConstants.SELECT);
-
- TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1);
- privilege_tbl1_all.setAction(AccessConstants.ALL);
-
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_insert);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_tbl1_select);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName3, privilege_tbl1_all);
-
- TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);
- TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1);
- newTable.setTable(table2);
- sentryStore.renamePrivilege(oldTable, newTable);
-
- for (String roleName : Sets.newHashSet(roleName1, roleName2, roleName3)) {
- Set<TSentryPrivilege> privilegeSet = sentryStore
- .getAllTSentryPrivilegesByRoleName(roleName);
- assertEquals(1, privilegeSet.size());
- for (TSentryPrivilege privilege : privilegeSet) {
- assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
- }
- }
- }
-
- /**
- * Regression test for SENTRY-550
- * Use case:
- * GRANT INSERT on TABLE tbl1 to ROLE role1
- * GRANT SELECT on TABLE tbl1 to ROLE role1
- * GRANT ALTER on TABLE tbl1 to ROLE role1
- * GRANT DROP on TABLE tbl1 to ROLE role1
- * RENAME TABLE tbl1 to tbl2
- *
- * After rename tbl1 to tbl2, table name of all role1's privileges should be "tbl2"
- */
- @Test
- public void testRenameTableWithMultiAction() throws Exception {
- String roleName1 = "role1";
- String grantor = "g1";
- String table1 = "tbl1", table2 = "tbl2";
- sentryStore.createSentryRole(roleName1);
-
- TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
- privilege_tbl1.setPrivilegeScope("TABLE");
- privilege_tbl1.setServerName("server1");
- privilege_tbl1.setDbName("db1");
- privilege_tbl1.setTableName(table1);
- privilege_tbl1.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege(
- privilege_tbl1);
- privilege_tbl1_insert.setAction(AccessConstants.INSERT);
-
- TSentryPrivilege privilege_tbl1_select = new TSentryPrivilege(
- privilege_tbl1);
- privilege_tbl1_select.setAction(AccessConstants.SELECT);
-
- TSentryPrivilege privilege_tbl1_alter = new TSentryPrivilege(
- privilege_tbl1);
- privilege_tbl1_alter.setAction(AccessConstants.ALTER);
-
- TSentryPrivilege privilege_tbl1_drop = new TSentryPrivilege(
- privilege_tbl1);
- privilege_tbl1_drop.setAction(AccessConstants.DROP);
-
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_insert);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_select);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_alter);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_drop);
-
- TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);
- TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1);
- newTable.setTable(table2);
- sentryStore.renamePrivilege(oldTable, newTable);
-
- // after rename tbl1 to tbl2, all table name of role's privilege will be tbl2
- Set<TSentryPrivilege> privilegeSet = sentryStore
- .getAllTSentryPrivilegesByRoleName(roleName1);
- assertEquals(4, privilegeSet.size());
- for (TSentryPrivilege privilege : privilegeSet) {
- assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
- }
- }
-
- @Test
- public void testSentryRoleSize() throws Exception {
- for( long i = 0; i< 5; i++ ) {
- assertEquals((Long)i, sentryStore.getRoleCountGauge().getValue());
- sentryStore.createSentryRole("role" + i);
- }
- }
- @Test
- public void testSentryPrivilegeSize() throws Exception {
- String role1 = "role1";
- String role2 = "role2";
-
- sentryStore.createSentryRole(role1);
- sentryStore.createSentryRole(role2);
-
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope("TABLE");
- privilege.setServerName("server1");
- privilege.setDbName("db1");
- privilege.setTableName("tb1");
- privilege.setCreateTime(System.currentTimeMillis());
-
- String grantor = "g1";
-
- assertEquals(Long.valueOf(0), sentryStore.getPrivilegeCountGauge().getValue());
-
- sentryStore.alterSentryRoleGrantPrivilege(grantor, role1, privilege);
- assertEquals(Long.valueOf(1), sentryStore.getPrivilegeCountGauge().getValue());
-
- sentryStore.alterSentryRoleGrantPrivilege(grantor, role2, privilege);
- assertEquals(Long.valueOf(1), sentryStore.getPrivilegeCountGauge().getValue());
-
- privilege.setTableName("tb2");
- sentryStore.alterSentryRoleGrantPrivilege(grantor, role2, privilege);
- assertEquals(Long.valueOf(2), sentryStore.getPrivilegeCountGauge().getValue());
- }
-
- @Test
- public void testSentryGroupsSize() throws Exception {
- String role1 = "role1";
- String role2 = "role2";
-
- sentryStore.createSentryRole(role1);
- sentryStore.createSentryRole(role2);
-
- Set<TSentryGroup> groups = Sets.newHashSet();
- TSentryGroup group = new TSentryGroup();
- group.setGroupName("group1");
- groups.add(group);
-
- String grantor = "g1";
-
- sentryStore.alterSentryRoleAddGroups(grantor, role1, groups);
- assertEquals(Long.valueOf(1), sentryStore.getGroupCountGauge().getValue());
-
- sentryStore.alterSentryRoleAddGroups(grantor, role2, groups);
- assertEquals(Long.valueOf(1), sentryStore.getGroupCountGauge().getValue());
-
- groups.add(new TSentryGroup("group2"));
- sentryStore.alterSentryRoleAddGroups(grantor, role2, groups);
- assertEquals(Long.valueOf(2), sentryStore.getGroupCountGauge().getValue());
-
- }
-
- @Test
- public void testSentryUsersSize() throws Exception {
- String role1 = "role1";
- String role2 = "role2";
-
- sentryStore.createSentryRole(role1);
- sentryStore.createSentryRole(role2);
-
- Set<String> users = Sets.newHashSet("user1");
-
- sentryStore.alterSentryRoleAddUsers(role1, users);
- assertEquals(Long.valueOf(1), sentryStore.getUserCountGauge().getValue());
-
- sentryStore.alterSentryRoleAddUsers(role2, users);
- assertEquals(Long.valueOf(1), sentryStore.getUserCountGauge().getValue());
-
- users.add("user2");
- sentryStore.alterSentryRoleAddUsers(role2, users);
- assertEquals(Long.valueOf(2), sentryStore.getUserCountGauge().getValue());
-
- }
-
- @Test
- public void testRenameTableWithColumn() throws Exception {
- String roleName1 = "role1", roleName2 = "role2";
- String grantor = "g1";
- String table1 = "tbl1", table2 = "tbl2";
-
- sentryStore.createSentryRole(roleName1);
- sentryStore.createSentryRole(roleName2);
-
- TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
- privilege_tbl1.setPrivilegeScope("TABLE");
- privilege_tbl1.setServerName("server1");
- privilege_tbl1.setDbName("db1");
- privilege_tbl1.setTableName(table1);
- privilege_tbl1.setAction(AccessConstants.SELECT);
- privilege_tbl1.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege_tbl1_c1 = new TSentryPrivilege(privilege_tbl1);
- privilege_tbl1_c1.setPrivilegeScope("COLUMN");
- privilege_tbl1_c1.setColumnName("c1");
- privilege_tbl1_c1.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege_tbl1_c2 = new TSentryPrivilege(privilege_tbl1);
- privilege_tbl1_c2.setPrivilegeScope("COLUMN");
- privilege_tbl1_c2.setColumnName("c2");
- privilege_tbl1_c2.setCreateTime(System.currentTimeMillis());
-
- TSentryPrivilege privilege_tbl1_c3 = new TSentryPrivilege(privilege_tbl1);
- privilege_tbl1_c3.setPrivilegeScope("COLUMN");
- privilege_tbl1_c3.setColumnName("c3");
- privilege_tbl1_c3.setCreateTime(System.currentTimeMillis());
-
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c1);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege_tbl1_c2);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege_tbl1_c3);
-
- Set<TSentryPrivilege> privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
- assertEquals(2, privilegeSet.size());
- privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2);
- assertEquals(1, privilegeSet.size());
-
- TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);
- TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1);
- newTable.setTable(table2);
- sentryStore.renamePrivilege(oldTable, newTable);
-
- privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
- assertEquals(2, privilegeSet.size());
- for (TSentryPrivilege privilege : privilegeSet) {
- assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
- }
- privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2);
- assertEquals(1, privilegeSet.size());
- }
-
- @Test
- public void testSentryTablePrivilegeSome() throws Exception {
- String roleName = "test-table-privilege-some";
- String grantor = "g1";
- String dbName = "db1";
- String table = "tb1";
- sentryStore.createSentryRole(roleName);
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("TABLE", "server1", "ALL");
- tSentryPrivilege.setDbName(dbName);
- tSentryPrivilege.setTableName(table);
- sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, tSentryPrivilege);
-
- TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
- tSentryAuthorizable.setDb(dbName);
- tSentryAuthorizable.setTable(AccessConstants.SOME);
- tSentryAuthorizable.setServer("server1");
-
- Set<TSentryPrivilege> privileges =
- sentryStore.getTSentryPrivileges(new HashSet<String>(Arrays.asList(roleName)), tSentryAuthorizable);
-
- assertTrue(privileges.size() == 1);
-
- Set<TSentryGroup> tSentryGroups = new HashSet<TSentryGroup>();
- tSentryGroups.add(new TSentryGroup("g
<TRUNCATED>
[44/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
SENTRY-1287: Create sentry-service-server module(Colin Ma, reviewed by Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e72e6eac
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e72e6eac
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e72e6eac
Branch: refs/heads/SENTRY-1205
Commit: e72e6eacfb0a4375f35c91ed1d1fcf6c7c914aa8
Parents: 4767ec3
Author: Colin Ma <co...@apache.org>
Authored: Fri Jun 24 14:45:02 2016 +0800
Committer: Colin Ma <co...@apache.org>
Committed: Fri Jun 24 14:45:02 2016 +0800
----------------------------------------------------------------------
pom.xml | 13 +-
sentry-binding/sentry-binding-hive/pom.xml | 4 -
.../policy/hive/TestPolicyParsingNegative.java | 2 +-
...sourceAuthorizationProviderSpecialCases.java | 2 +-
.../hive/TestSimpleDBPolicyEngineDFS.java | 2 +-
...tKafkaAuthorizationProviderSpecialCases.java | 2 +-
...SearchAuthorizationProviderSpecialCases.java | 2 +-
...tSqoopAuthorizationProviderSpecialCases.java | 2 +-
.../sentry/core/common/utils/PolicyFile.java | 202 ++
sentry-dist/pom.xml | 4 +
sentry-dist/src/main/assembly/src.xml | 1 +
sentry-hdfs/sentry-hdfs-common/pom.xml | 19 +-
...ndexerAuthorizationProviderSpecialCases.java | 2 +-
sentry-provider/sentry-provider-db/pom.xml | 177 +-
.../provider/db/SentryPolicyStorePlugin.java | 60 -
.../service/persistent/DelegateSentryStore.java | 542 ----
.../service/persistent/PrivilegeObject.java | 231 --
.../persistent/PrivilegeOperatePersistence.java | 485 ----
.../service/persistent/SentryStoreLayer.java | 198 --
.../service/thrift/NotificationHandler.java | 47 -
.../thrift/NotificationHandlerInvoker.java | 164 --
.../thrift/SentryGenericPolicyProcessor.java | 836 ------
.../SentryGenericPolicyProcessorFactory.java | 40 -
.../SentryGenericPolicyProcessorWrapper.java | 39 -
.../SentryGenericServiceClientDefaultImpl.java | 2 +-
.../log/appender/AuditLoggerTestAppender.java | 52 -
.../RollingFileWithoutDeleteAppender.java | 175 --
.../db/log/entity/AuditMetadataLogEntity.java | 155 -
.../db/log/entity/DBAuditMetadataLogEntity.java | 124 -
.../db/log/entity/GMAuditMetadataLogEntity.java | 97 -
.../provider/db/log/entity/JsonLogEntity.java | 25 -
.../db/log/entity/JsonLogEntityFactory.java | 351 ---
.../provider/db/log/util/CommandUtil.java | 233 --
.../sentry/provider/db/log/util/Constants.java | 162 --
.../db/service/model/MSentryGMPrivilege.java | 497 ----
.../provider/db/service/model/MSentryGroup.java | 116 -
.../db/service/model/MSentryPrivilege.java | 332 ---
.../provider/db/service/model/MSentryRole.java | 216 --
.../provider/db/service/model/MSentryUser.java | 116 -
.../db/service/model/MSentryVersion.java | 66 -
.../provider/db/service/model/package.jdo | 242 --
.../db/service/persistent/CommitContext.java | 42 -
.../db/service/persistent/SentryStore.java | 2672 ------------------
.../persistent/SentryStoreSchemaInfo.java | 143 -
.../db/service/persistent/ServiceRegister.java | 52 -
.../provider/db/service/thrift/ConfServlet.java | 69 -
.../db/service/thrift/NotificationHandler.java | 79 -
.../thrift/NotificationHandlerInvoker.java | 176 --
.../db/service/thrift/PolicyStoreConstants.java | 32 -
.../db/service/thrift/SentryAuthFilter.java | 92 -
...SentryHealthCheckServletContextListener.java | 35 -
.../db/service/thrift/SentryMetrics.java | 162 --
.../SentryMetricsServletContextListener.java | 32 -
.../SentryPolicyServiceClientDefaultImpl.java | 2 +-
.../thrift/SentryPolicyStoreProcessor.java | 1113 --------
.../SentryPolicyStoreProcessorFactory.java | 39 -
.../service/thrift/SentryProcessorWrapper.java | 37 -
.../db/service/thrift/SentryWebServer.java | 184 --
.../provider/db/service/thrift/ThriftUtil.java | 112 -
.../provider/db/tools/SentrySchemaHelper.java | 315 ---
.../provider/db/tools/SentrySchemaTool.java | 595 ----
.../sentry/service/thrift/GSSCallback.java | 110 -
.../service/thrift/KerberosConfiguration.java | 107 -
.../sentry/service/thrift/ProcessorFactory.java | 31 -
.../service/thrift/SentryKerberosContext.java | 157 -
.../sentry/service/thrift/SentryService.java | 426 ---
.../service/thrift/SentryServiceFactory.java | 28 -
.../service/thrift/SentryServiceUtil.java | 158 --
.../src/main/resources/001-SENTRY-327.derby.sql | 2 -
.../src/main/resources/001-SENTRY-327.mysql.sql | 2 -
.../main/resources/001-SENTRY-327.oracle.sql | 2 -
.../main/resources/001-SENTRY-327.postgres.sql | 2 -
.../src/main/resources/002-SENTRY-339.derby.sql | 13 -
.../src/main/resources/002-SENTRY-339.mysql.sql | 13 -
.../main/resources/002-SENTRY-339.oracle.sql | 13 -
.../main/resources/002-SENTRY-339.postgres.sql | 13 -
.../src/main/resources/003-SENTRY-380.derby.sql | 7 -
.../src/main/resources/003-SENTRY-380.mysql.sql | 7 -
.../main/resources/003-SENTRY-380.oracle.sql | 7 -
.../main/resources/003-SENTRY-380.postgres.sql | 7 -
.../src/main/resources/004-SENTRY-74.derby.sql | 4 -
.../src/main/resources/004-SENTRY-74.mysql.sql | 4 -
.../src/main/resources/004-SENTRY-74.oracle.sql | 4 -
.../main/resources/004-SENTRY-74.postgres.sql | 4 -
.../src/main/resources/005-SENTRY-398.derby.sql | 43 -
.../src/main/resources/005-SENTRY-398.mysql.sql | 62 -
.../main/resources/005-SENTRY-398.oracle.sql | 55 -
.../main/resources/005-SENTRY-398.postgres.sql | 54 -
.../src/main/resources/006-SENTRY-711.derby.sql | 27 -
.../src/main/resources/006-SENTRY-711.mysql.sql | 28 -
.../main/resources/006-SENTRY-711.oracle.sql | 28 -
.../main/resources/006-SENTRY-711.postgres.sql | 28 -
.../src/main/resources/sentry-db2-1.4.0.sql | 112 -
.../src/main/resources/sentry-db2-1.5.0.sql | 155 -
.../src/main/resources/sentry-db2-1.6.0.sql | 155 -
.../src/main/resources/sentry-db2-1.7.0.sql | 155 -
.../src/main/resources/sentry-db2-1.8.0.sql | 183 --
.../src/main/resources/sentry-derby-1.4.0.sql | 112 -
.../src/main/resources/sentry-derby-1.5.0.sql | 155 -
.../src/main/resources/sentry-derby-1.6.0.sql | 155 -
.../src/main/resources/sentry-derby-1.7.0.sql | 155 -
.../src/main/resources/sentry-derby-1.8.0.sql | 184 --
.../src/main/resources/sentry-mysql-1.4.0.sql | 126 -
.../src/main/resources/sentry-mysql-1.5.0.sql | 192 --
.../src/main/resources/sentry-mysql-1.6.0.sql | 193 --
.../src/main/resources/sentry-mysql-1.7.0.sql | 193 --
.../src/main/resources/sentry-mysql-1.8.0.sql | 223 --
.../src/main/resources/sentry-oracle-1.4.0.sql | 110 -
.../src/main/resources/sentry-oracle-1.5.0.sql | 168 --
.../src/main/resources/sentry-oracle-1.6.0.sql | 168 --
.../src/main/resources/sentry-oracle-1.7.0.sql | 168 --
.../src/main/resources/sentry-oracle-1.8.0.sql | 197 --
.../main/resources/sentry-postgres-1.4.0.sql | 124 -
.../main/resources/sentry-postgres-1.5.0.sql | 182 --
.../main/resources/sentry-postgres-1.6.0.sql | 182 --
.../main/resources/sentry-postgres-1.7.0.sql | 182 --
.../main/resources/sentry-postgres-1.8.0.sql | 211 --
.../sentry-upgrade-db2-1.4.0-to-1.5.0.sql | 61 -
.../sentry-upgrade-db2-1.5.0-to-1.6.0.sql | 2 -
.../sentry-upgrade-db2-1.6.0-to-1.7.0.sql | 2 -
.../sentry-upgrade-db2-1.7.0-to-1.8.0.sql | 31 -
.../sentry-upgrade-derby-1.4.0-to-1.5.0.sql | 8 -
.../sentry-upgrade-derby-1.5.0-to-1.6.0.sql | 2 -
.../sentry-upgrade-derby-1.6.0-to-1.7.0.sql | 2 -
.../sentry-upgrade-derby-1.7.0-to-1.8.0.sql | 4 -
.../sentry-upgrade-mysql-1.4.0-to-1.5.0.sql | 10 -
.../sentry-upgrade-mysql-1.5.0-to-1.6.0.sql | 5 -
.../sentry-upgrade-mysql-1.6.0-to-1.7.0.sql | 5 -
.../sentry-upgrade-mysql-1.7.0-to-1.8.0.sql | 6 -
.../sentry-upgrade-oracle-1.4.0-to-1.5.0.sql | 9 -
.../sentry-upgrade-oracle-1.5.0-to-1.6.0.sql | 5 -
.../sentry-upgrade-oracle-1.6.0-to-1.7.0.sql | 5 -
.../sentry-upgrade-oracle-1.7.0-to-1.8.0.sql | 6 -
.../sentry-upgrade-postgres-1.4.0-to-1.5.0.sql | 9 -
.../sentry-upgrade-postgres-1.5.0-to-1.6.0.sql | 5 -
.../sentry-upgrade-postgres-1.6.0-to-1.7.0.sql | 5 -
.../sentry-upgrade-postgres-1.7.0-to-1.8.0.sql | 6 -
.../src/main/resources/upgrade.order.db2 | 4 -
.../src/main/resources/upgrade.order.derby | 4 -
.../src/main/resources/upgrade.order.mysql | 4 -
.../src/main/resources/upgrade.order.oracle | 4 -
.../src/main/resources/upgrade.order.postgres | 4 -
.../src/main/webapp/SentryService.html | 61 -
.../src/main/webapp/css/bootstrap-theme.min.css | 10 -
.../src/main/webapp/css/bootstrap.min.css | 9 -
.../src/main/webapp/css/sentry.css | 52 -
.../src/main/webapp/sentry.png | Bin 3223 -> 0 bytes
.../persistent/SentryStoreIntegrationBase.java | 91 -
.../persistent/TestDelegateSentryStore.java | 182 --
.../TestPrivilegeOperatePersistence.java | 1139 --------
.../persistent/TestSentryGMPrivilege.java | 207 --
.../service/persistent/TestSentryRole.java | 372 ---
.../SentryGenericServiceIntegrationBase.java | 73 -
.../TestAuditLogForSentryGenericService.java | 296 --
.../TestSentryGenericPolicyProcessor.java | 353 ---
.../TestSentryGenericServiceIntegration.java | 503 ----
.../generic/tools/TestSentryConfigToolSolr.java | 261 --
.../db/generic/tools/TestSentryShellKafka.java | 542 ----
.../db/generic/tools/TestSentryShellSolr.java | 525 ----
.../TestRollingFileWithoutDeleteAppender.java | 106 -
.../entity/TestDbAuditMetadataLogEntity.java | 69 -
.../entity/TestGMAuditMetadataLogEntity.java | 74 -
.../db/log/entity/TestJsonLogEntityFactory.java | 272 --
.../log/entity/TestJsonLogEntityFactoryGM.java | 259 --
.../provider/db/log/util/TestCommandUtil.java | 416 ---
.../service/persistent/TestSentryPrivilege.java | 245 --
.../persistent/TestSentryServiceDiscovery.java | 123 -
.../db/service/persistent/TestSentryStore.java | 2090 --------------
.../persistent/TestSentryStoreImportExport.java | 1164 --------
.../TestSentryStoreToAuthorizable.java | 86 -
.../service/persistent/TestSentryVersion.java | 85 -
.../service/thrift/SentryMiniKdcTestcase.java | 68 -
.../TestAuthorizingDDLAuditLogWithKerberos.java | 295 --
.../thrift/TestConnectionWithTicketTimeout.java | 57 -
.../thrift/TestNotificationHandlerInvoker.java | 112 -
.../thrift/TestSentryPolicyStoreProcessor.java | 81 -
.../TestSentryServerForHaWithoutKerberos.java | 219 --
...estSentryServerForPoolHAWithoutKerberos.java | 36 -
.../TestSentryServerForPoolWithoutKerberos.java | 36 -
.../thrift/TestSentryServerWithoutKerberos.java | 214 --
.../thrift/TestSentryServiceClientPool.java | 111 -
.../thrift/TestSentryServiceFailureCase.java | 74 -
.../TestSentryServiceForHAWithKerberos.java | 75 -
.../TestSentryServiceForPoolHAWithKerberos.java | 36 -
.../TestSentryServiceForPoolWithKerberos.java | 36 -
.../thrift/TestSentryServiceImportExport.java | 751 -----
.../thrift/TestSentryServiceIntegration.java | 1102 --------
.../TestSentryServiceWithInvalidMsgSize.java | 119 -
.../thrift/TestSentryServiceWithKerberos.java | 58 -
.../thrift/TestSentryWebServerWithKerberos.java | 136 -
.../thrift/TestSentryWebServerWithSSL.java | 52 -
.../TestSentryWebServerWithoutSecurity.java | 87 -
.../provider/db/tools/TestSentrySchemaTool.java | 94 -
.../provider/db/tools/TestSentryShellHive.java | 608 ----
.../thrift/SentryServiceIntegrationBase.java | 355 ---
.../src/test/resources/cacerts.jks | Bin 954 -> 0 bytes
.../src/test/resources/keystore.jks | Bin 2245 -> 0 bytes
.../src/test/resources/log4j.properties | 34 -
.../src/test/resources/solr_case.ini | 26 -
.../test/resources/solr_config_import_tool.ini | 29 -
.../src/test/resources/solr_invalid.ini | 21 -
.../apache/sentry/provider/file/PolicyFile.java | 202 --
sentry-service/pom.xml | 1 +
.../service/thrift/SentryServiceUtil.java | 158 ++
.../sentry/service/thrift/ServiceConstants.java | 2 +
sentry-service/sentry-service-server/pom.xml | 283 ++
.../provider/db/SentryPolicyStorePlugin.java | 60 +
.../service/persistent/DelegateSentryStore.java | 542 ++++
.../service/persistent/PrivilegeObject.java | 231 ++
.../persistent/PrivilegeOperatePersistence.java | 485 ++++
.../service/persistent/SentryStoreLayer.java | 198 ++
.../service/thrift/NotificationHandler.java | 47 +
.../thrift/NotificationHandlerInvoker.java | 164 ++
.../thrift/SentryGenericPolicyProcessor.java | 835 ++++++
.../SentryGenericPolicyProcessorFactory.java | 41 +
.../SentryGenericPolicyProcessorWrapper.java | 39 +
.../log/appender/AuditLoggerTestAppender.java | 52 +
.../RollingFileWithoutDeleteAppender.java | 175 ++
.../db/log/entity/AuditMetadataLogEntity.java | 155 +
.../db/log/entity/DBAuditMetadataLogEntity.java | 124 +
.../db/log/entity/GMAuditMetadataLogEntity.java | 97 +
.../provider/db/log/entity/JsonLogEntity.java | 25 +
.../db/log/entity/JsonLogEntityFactory.java | 351 +++
.../provider/db/log/util/CommandUtil.java | 233 ++
.../sentry/provider/db/log/util/Constants.java | 162 ++
.../db/service/model/MSentryGMPrivilege.java | 497 ++++
.../provider/db/service/model/MSentryGroup.java | 116 +
.../db/service/model/MSentryPrivilege.java | 332 +++
.../provider/db/service/model/MSentryRole.java | 216 ++
.../provider/db/service/model/MSentryUser.java | 116 +
.../db/service/model/MSentryVersion.java | 66 +
.../provider/db/service/model/package.jdo | 242 ++
.../db/service/persistent/CommitContext.java | 42 +
.../db/service/persistent/SentryStore.java | 2672 ++++++++++++++++++
.../persistent/SentryStoreSchemaInfo.java | 143 +
.../db/service/persistent/ServiceRegister.java | 52 +
.../provider/db/service/thrift/ConfServlet.java | 69 +
.../db/service/thrift/NotificationHandler.java | 79 +
.../thrift/NotificationHandlerInvoker.java | 176 ++
.../db/service/thrift/PolicyStoreConstants.java | 32 +
.../db/service/thrift/SentryAuthFilter.java | 92 +
...SentryHealthCheckServletContextListener.java | 35 +
.../db/service/thrift/SentryMetrics.java | 162 ++
.../SentryMetricsServletContextListener.java | 32 +
.../thrift/SentryPolicyStoreProcessor.java | 1111 ++++++++
.../SentryPolicyStoreProcessorFactory.java | 40 +
.../service/thrift/SentryProcessorWrapper.java | 37 +
.../db/service/thrift/SentryWebServer.java | 184 ++
.../provider/db/service/thrift/ThriftUtil.java | 112 +
.../provider/db/tools/SentrySchemaHelper.java | 315 +++
.../provider/db/tools/SentrySchemaTool.java | 595 ++++
.../sentry/service/thrift/GSSCallback.java | 110 +
.../service/thrift/KerberosConfiguration.java | 107 +
.../sentry/service/thrift/ProcessorFactory.java | 31 +
.../service/thrift/SentryKerberosContext.java | 157 +
.../sentry/service/thrift/SentryService.java | 426 +++
.../service/thrift/SentryServiceFactory.java | 28 +
.../src/main/resources/001-SENTRY-327.derby.sql | 2 +
.../src/main/resources/001-SENTRY-327.mysql.sql | 2 +
.../main/resources/001-SENTRY-327.oracle.sql | 2 +
.../main/resources/001-SENTRY-327.postgres.sql | 2 +
.../src/main/resources/002-SENTRY-339.derby.sql | 13 +
.../src/main/resources/002-SENTRY-339.mysql.sql | 13 +
.../main/resources/002-SENTRY-339.oracle.sql | 13 +
.../main/resources/002-SENTRY-339.postgres.sql | 13 +
.../src/main/resources/003-SENTRY-380.derby.sql | 7 +
.../src/main/resources/003-SENTRY-380.mysql.sql | 7 +
.../main/resources/003-SENTRY-380.oracle.sql | 7 +
.../main/resources/003-SENTRY-380.postgres.sql | 7 +
.../src/main/resources/004-SENTRY-74.derby.sql | 4 +
.../src/main/resources/004-SENTRY-74.mysql.sql | 4 +
.../src/main/resources/004-SENTRY-74.oracle.sql | 4 +
.../main/resources/004-SENTRY-74.postgres.sql | 4 +
.../src/main/resources/005-SENTRY-398.derby.sql | 43 +
.../src/main/resources/005-SENTRY-398.mysql.sql | 62 +
.../main/resources/005-SENTRY-398.oracle.sql | 55 +
.../main/resources/005-SENTRY-398.postgres.sql | 54 +
.../src/main/resources/006-SENTRY-711.derby.sql | 27 +
.../src/main/resources/006-SENTRY-711.mysql.sql | 28 +
.../main/resources/006-SENTRY-711.oracle.sql | 28 +
.../main/resources/006-SENTRY-711.postgres.sql | 28 +
.../src/main/resources/sentry-db2-1.4.0.sql | 112 +
.../src/main/resources/sentry-db2-1.5.0.sql | 155 +
.../src/main/resources/sentry-db2-1.6.0.sql | 155 +
.../src/main/resources/sentry-db2-1.7.0.sql | 155 +
.../src/main/resources/sentry-db2-1.8.0.sql | 183 ++
.../src/main/resources/sentry-derby-1.4.0.sql | 112 +
.../src/main/resources/sentry-derby-1.5.0.sql | 155 +
.../src/main/resources/sentry-derby-1.6.0.sql | 155 +
.../src/main/resources/sentry-derby-1.7.0.sql | 155 +
.../src/main/resources/sentry-derby-1.8.0.sql | 184 ++
.../src/main/resources/sentry-mysql-1.4.0.sql | 126 +
.../src/main/resources/sentry-mysql-1.5.0.sql | 192 ++
.../src/main/resources/sentry-mysql-1.6.0.sql | 193 ++
.../src/main/resources/sentry-mysql-1.7.0.sql | 193 ++
.../src/main/resources/sentry-mysql-1.8.0.sql | 223 ++
.../src/main/resources/sentry-oracle-1.4.0.sql | 110 +
.../src/main/resources/sentry-oracle-1.5.0.sql | 168 ++
.../src/main/resources/sentry-oracle-1.6.0.sql | 168 ++
.../src/main/resources/sentry-oracle-1.7.0.sql | 168 ++
.../src/main/resources/sentry-oracle-1.8.0.sql | 197 ++
.../main/resources/sentry-postgres-1.4.0.sql | 124 +
.../main/resources/sentry-postgres-1.5.0.sql | 182 ++
.../main/resources/sentry-postgres-1.6.0.sql | 182 ++
.../main/resources/sentry-postgres-1.7.0.sql | 182 ++
.../main/resources/sentry-postgres-1.8.0.sql | 211 ++
.../sentry-upgrade-db2-1.4.0-to-1.5.0.sql | 61 +
.../sentry-upgrade-db2-1.5.0-to-1.6.0.sql | 2 +
.../sentry-upgrade-db2-1.6.0-to-1.7.0.sql | 2 +
.../sentry-upgrade-db2-1.7.0-to-1.8.0.sql | 31 +
.../sentry-upgrade-derby-1.4.0-to-1.5.0.sql | 8 +
.../sentry-upgrade-derby-1.5.0-to-1.6.0.sql | 2 +
.../sentry-upgrade-derby-1.6.0-to-1.7.0.sql | 2 +
.../sentry-upgrade-derby-1.7.0-to-1.8.0.sql | 4 +
.../sentry-upgrade-mysql-1.4.0-to-1.5.0.sql | 10 +
.../sentry-upgrade-mysql-1.5.0-to-1.6.0.sql | 5 +
.../sentry-upgrade-mysql-1.6.0-to-1.7.0.sql | 5 +
.../sentry-upgrade-mysql-1.7.0-to-1.8.0.sql | 6 +
.../sentry-upgrade-oracle-1.4.0-to-1.5.0.sql | 9 +
.../sentry-upgrade-oracle-1.5.0-to-1.6.0.sql | 5 +
.../sentry-upgrade-oracle-1.6.0-to-1.7.0.sql | 5 +
.../sentry-upgrade-oracle-1.7.0-to-1.8.0.sql | 6 +
.../sentry-upgrade-postgres-1.4.0-to-1.5.0.sql | 9 +
.../sentry-upgrade-postgres-1.5.0-to-1.6.0.sql | 5 +
.../sentry-upgrade-postgres-1.6.0-to-1.7.0.sql | 5 +
.../sentry-upgrade-postgres-1.7.0-to-1.8.0.sql | 6 +
.../src/main/resources/upgrade.order.db2 | 4 +
.../src/main/resources/upgrade.order.derby | 4 +
.../src/main/resources/upgrade.order.mysql | 4 +
.../src/main/resources/upgrade.order.oracle | 4 +
.../src/main/resources/upgrade.order.postgres | 4 +
.../src/main/webapp/SentryService.html | 61 +
.../src/main/webapp/css/bootstrap-theme.min.css | 10 +
.../src/main/webapp/css/bootstrap.min.css | 9 +
.../src/main/webapp/css/sentry.css | 52 +
.../src/main/webapp/sentry.png | Bin 0 -> 3223 bytes
.../persistent/SentryStoreIntegrationBase.java | 91 +
.../persistent/TestDelegateSentryStore.java | 182 ++
.../TestPrivilegeOperatePersistence.java | 1139 ++++++++
.../persistent/TestSentryGMPrivilege.java | 207 ++
.../service/persistent/TestSentryRole.java | 372 +++
.../SentryGenericServiceIntegrationBase.java | 73 +
.../TestAuditLogForSentryGenericService.java | 296 ++
.../TestSentryGenericPolicyProcessor.java | 349 +++
.../TestSentryGenericServiceIntegration.java | 503 ++++
.../generic/tools/TestSentryConfigToolSolr.java | 261 ++
.../db/generic/tools/TestSentryShellKafka.java | 542 ++++
.../db/generic/tools/TestSentryShellSolr.java | 525 ++++
.../TestRollingFileWithoutDeleteAppender.java | 103 +
.../entity/TestDbAuditMetadataLogEntity.java | 67 +
.../entity/TestGMAuditMetadataLogEntity.java | 72 +
.../db/log/entity/TestJsonLogEntityFactory.java | 272 ++
.../log/entity/TestJsonLogEntityFactoryGM.java | 259 ++
.../provider/db/log/util/TestCommandUtil.java | 416 +++
.../service/persistent/TestSentryPrivilege.java | 245 ++
.../persistent/TestSentryServiceDiscovery.java | 123 +
.../db/service/persistent/TestSentryStore.java | 2090 ++++++++++++++
.../persistent/TestSentryStoreImportExport.java | 1164 ++++++++
.../TestSentryStoreToAuthorizable.java | 86 +
.../service/persistent/TestSentryVersion.java | 84 +
.../service/thrift/SentryMiniKdcTestcase.java | 68 +
.../TestAuthorizingDDLAuditLogWithKerberos.java | 295 ++
.../thrift/TestConnectionWithTicketTimeout.java | 57 +
.../thrift/TestNotificationHandlerInvoker.java | 112 +
.../thrift/TestSentryPolicyStoreProcessor.java | 81 +
.../TestSentryServerForHaWithoutKerberos.java | 219 ++
...estSentryServerForPoolHAWithoutKerberos.java | 36 +
.../TestSentryServerForPoolWithoutKerberos.java | 37 +
.../thrift/TestSentryServerWithoutKerberos.java | 214 ++
.../thrift/TestSentryServiceClientPool.java | 111 +
.../thrift/TestSentryServiceFailureCase.java | 74 +
.../TestSentryServiceForHAWithKerberos.java | 75 +
.../TestSentryServiceForPoolHAWithKerberos.java | 39 +
.../TestSentryServiceForPoolWithKerberos.java | 37 +
.../thrift/TestSentryServiceImportExport.java | 751 +++++
.../thrift/TestSentryServiceIntegration.java | 1102 ++++++++
.../TestSentryServiceWithInvalidMsgSize.java | 119 +
.../thrift/TestSentryServiceWithKerberos.java | 58 +
.../thrift/TestSentryWebServerWithKerberos.java | 136 +
.../thrift/TestSentryWebServerWithSSL.java | 52 +
.../TestSentryWebServerWithoutSecurity.java | 87 +
.../provider/db/tools/TestSentrySchemaTool.java | 94 +
.../provider/db/tools/TestSentryShellHive.java | 608 ++++
.../thrift/SentryServiceIntegrationBase.java | 355 +++
.../src/test/resources/cacerts.jks | Bin 0 -> 954 bytes
.../src/test/resources/keystore.jks | Bin 0 -> 2245 bytes
.../src/test/resources/log4j.properties | 34 +
.../src/test/resources/solr_case.ini | 26 +
.../test/resources/solr_config_import_tool.ini | 29 +
.../src/test/resources/solr_invalid.ini | 21 +
sentry-tests/sentry-tests-hive/pom.xml | 2 +-
.../dbprovider/AbstractTestWithDbProvider.java | 2 +-
.../e2e/dbprovider/TestConcurrentClients.java | 2 +-
.../tests/e2e/dbprovider/TestDbComplexView.java | 2 +-
.../tests/e2e/dbprovider/TestDbConnections.java | 2 +-
.../tests/e2e/dbprovider/TestDbEndToEnd.java | 2 +-
.../sentry/tests/e2e/ha/TestHaEnd2End.java | 2 +-
.../tests/e2e/hdfs/TestHDFSIntegration.java | 2 +-
.../AbstractTestWithStaticConfiguration.java | 2 +-
.../sentry/tests/e2e/hive/TestConfigTool.java | 2 +-
.../sentry/tests/e2e/hive/TestCrossDbOps.java | 2 +-
.../e2e/hive/TestCustomSerdePrivileges.java | 2 +-
.../sentry/tests/e2e/hive/TestEndToEnd.java | 2 +-
.../e2e/hive/TestExportImportPrivileges.java | 2 +-
.../tests/e2e/hive/TestJDBCInterface.java | 2 +-
.../tests/e2e/hive/TestLockPrivileges.java | 2 +-
.../e2e/hive/TestMetadataObjectRetrieval.java | 2 +-
.../tests/e2e/hive/TestMetadataPermissions.java | 2 +-
.../tests/e2e/hive/TestMovingToProduction.java | 2 +-
.../tests/e2e/hive/TestOperationsPart1.java | 2 +-
.../tests/e2e/hive/TestOperationsPart2.java | 2 +-
.../tests/e2e/hive/TestPerDBConfiguration.java | 2 +-
.../e2e/hive/TestPerDatabasePolicyFile.java | 2 +-
.../e2e/hive/TestPrivilegeAtTransform.java | 2 +-
.../e2e/hive/TestPrivilegesAtColumnScope.java | 2 +-
.../e2e/hive/TestPrivilegesAtDatabaseScope.java | 2 +-
.../e2e/hive/TestPrivilegesAtFunctionScope.java | 2 +-
.../hive/TestPrivilegesAtTableScopePart1.java | 2 +-
.../hive/TestPrivilegesAtTableScopePart2.java | 2 +-
.../tests/e2e/hive/TestReloadPrivileges.java | 2 +-
.../e2e/hive/TestRuntimeMetadataRetrieval.java | 2 +-
.../sentry/tests/e2e/hive/TestSandboxOps.java | 2 +-
.../hive/TestSentryOnFailureHookLoading.java | 2 +-
.../tests/e2e/hive/TestServerConfiguration.java | 2 +-
.../tests/e2e/hive/TestUriPermissions.java | 2 +-
.../tests/e2e/hive/TestUserManagement.java | 2 +-
.../tests/e2e/hive/TestViewPrivileges.java | 2 +-
...actMetastoreTestWithStaticConfiguration.java | 2 +-
.../metastore/SentryPolicyProviderForDb.java | 2 +-
.../metastore/TestAuthorizingObjectStore.java | 2 +-
.../e2e/metastore/TestMetaStoreWithPigHCat.java | 2 +-
.../e2e/metastore/TestMetastoreEndToEnd.java | 2 +-
sentry-tests/sentry-tests-kafka/pom.xml | 3 +-
.../e2e/kafka/AbstractKafkaSentryTestBase.java | 2 +-
sentry-tests/sentry-tests-solr/pom.xml | 2 +-
.../AbstractSolrSentryTestWithDbProvider.java | 2 +-
sentry-tests/sentry-tests-sqoop/pom.xml | 2 +-
.../e2e/sqoop/AbstractSqoopSentryTestBase.java | 2 +-
438 files changed, 32545 insertions(+), 32396 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index ce48f68..a434fdb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -75,6 +75,7 @@ limitations under the License.
<jackson.version>1.8.8</jackson.version>
<jdo-api.version>3.0.1</jdo-api.version>
<jettyVersion>8.1.19.v20160209</jettyVersion>
+ <jetty.aggregate>7.6.0.v20120127</jetty.aggregate>
<joda-time.version>2.5</joda-time.version>
<junit.version>4.10</junit.version>
<libfb303.version>0.9.3</libfb303.version>
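Review bot: The new `jetty.aggregate` property pins `7.6.0.v20120127` right under `jettyVersion` `8.1.19.v20160209`, so dependencyManagement now carries two Jetty major lines; the `org.eclipse.jetty.aggregate:jetty-all` entry added in the later hunk of this file (the one ending at `</dependencyManagement>`) is, as far as I know, a bundle of the whole Jetty stack, so any module that pulls it next to `jetty-servlet` 8.1 will get duplicate classes from a 2012-era release that predates the fixes in the 8.1 line already pinned. If sentry-service-server needs jetty-all, I would align it with `${jettyVersion}` or, if it is only needed for tests, add `<scope>test</scope>` to that managed entry so it cannot reach a deployed classpath. A one-line comment on the property explaining why a second Jetty version is required would also help the next maintainer.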
@@ -430,6 +431,11 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service-server</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
<artifactId>sentry-provider-common</artifactId>
<version>${project.version}</version>
</dependency>
@@ -470,7 +476,7 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-db</artifactId>
+ <artifactId>sentry-service-server</artifactId>
<version>${project.version}</version>
<type>test-jar</type>
</dependency>
@@ -620,6 +626,11 @@ limitations under the License.
<artifactId>jetty-servlet</artifactId>
<version>${jettyVersion}</version>
</dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty.aggregate</groupId>
+ <artifactId>jetty-all</artifactId>
+ <version>${jetty.aggregate}</version>
+ </dependency>
</dependencies>
</dependencyManagement>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-hive/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/pom.xml b/sentry-binding/sentry-binding-hive/pom.xml
index 07aaae3..a46f7d8 100644
--- a/sentry-binding/sentry-binding-hive/pom.xml
+++ b/sentry-binding/sentry-binding-hive/pom.xml
@@ -112,10 +112,6 @@ limitations under the License.
</dependency>
<!-- required for SentryGrantRevokeTask -->
<dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-db</artifactId>
- </dependency>
- <dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-minicluster</artifactId>
<scope>test</scope>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java
index 4dc8812..0a53088 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestPolicyParsingNegative.java
@@ -24,7 +24,7 @@ import org.junit.Assert;
import org.apache.commons.io.FileUtils;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java
index 6fe9e6b..040f467 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestResourceAuthorizationProviderSpecialCases.java
@@ -36,7 +36,7 @@ import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java
index 97cf615..f86516f 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/policy/hive/TestSimpleDBPolicyEngineDFS.java
@@ -28,7 +28,7 @@ import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.apache.sentry.provider.file.PolicyFiles;
import org.junit.AfterClass;
import org.junit.BeforeClass;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-kafka/src/test/java/org/apache/sentry/policy/kafka/TestKafkaAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-kafka/src/test/java/org/apache/sentry/policy/kafka/TestKafkaAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-kafka/src/test/java/org/apache/sentry/policy/kafka/TestKafkaAuthorizationProviderSpecialCases.java
index 63d2f30..6109059 100644
--- a/sentry-binding/sentry-binding-kafka/src/test/java/org/apache/sentry/policy/kafka/TestKafkaAuthorizationProviderSpecialCases.java
+++ b/sentry-binding/sentry-binding-kafka/src/test/java/org/apache/sentry/policy/kafka/TestKafkaAuthorizationProviderSpecialCases.java
@@ -38,7 +38,7 @@ import org.apache.sentry.core.model.kafka.Topic;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java
index 371f361..80e3f4a 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchAuthorizationProviderSpecialCases.java
@@ -35,7 +35,7 @@ import org.apache.sentry.core.model.search.SearchPrivilegeModel;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
index 8d69402..4bcf3b1 100644
--- a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
@@ -38,7 +38,7 @@ import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PolicyFile.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PolicyFile.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PolicyFile.java
new file mode 100644
index 0000000..a6ef0b3
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PolicyFile.java
@@ -0,0 +1,202 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.core.common.utils;
+
+import static org.apache.sentry.core.common.utils.PolicyFileConstants.DATABASES;
+import static org.apache.sentry.core.common.utils.PolicyFileConstants.GROUPS;
+import static org.apache.sentry.core.common.utils.PolicyFileConstants.ROLES;
+import static org.apache.sentry.core.common.utils.PolicyFileConstants.USERS;
+
+import java.io.File;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Charsets;
+import com.google.common.base.Joiner;
+import com.google.common.collect.ArrayListMultimap;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Multimap;
+import com.google.common.io.Files;
+
+/**
+ * PolicyFile creator. Written specifically to be used with tests. Specifically
+ * due to the fact that methods that would typically return true or false to
+ * indicate success or failure these methods throw an unchecked exception.
+ * This is because in a test if you mean to remove a user from the policy file,
+ * the user should absolutely be there. If not, the test is mis-behaving.
+ */
+@VisibleForTesting
+public class PolicyFile {
+
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(PolicyFile.class);
+
+ private static final String NL = System.getProperty("line.separator", "\n");
+
+ private final Map<String, String> databasesToPolicyFiles = Maps.newHashMap();
+ private final Multimap<String, String> usersToGroups = ArrayListMultimap.create();
+ private final Multimap<String, String> groupsToRoles = ArrayListMultimap
+ .create();
+ private final Multimap<String, String> rolesToPermissions = ArrayListMultimap
+ .create();
+
+ public Multimap<String, String> getGroupsToRoles() {
+ return groupsToRoles;
+ }
+ public Multimap<String, String> getRolesToPermissions() {
+ return rolesToPermissions;
+ }
+ public PolicyFile addRolesToGroup(String groupName, String... roleNames)
+ throws Exception {
+ return addRolesToGroup(groupName, false, roleNames);
+ }
+ public PolicyFile addRolesToGroup(String groupName, boolean allowDuplicates, String... roleNames) {
+ return add(groupsToRoles.get(groupName), allowDuplicates, roleNames);
+ }
+ public PolicyFile addPermissionsToRole(String roleName, String... permissionNames) {
+ return addPermissionsToRole(roleName, false, permissionNames);
+ }
+ public PolicyFile addPermissionsToRole(String roleName, boolean allowDuplicates, String... permissionNames) {
+ return add(rolesToPermissions.get(roleName), allowDuplicates, permissionNames);
+ }
+ public PolicyFile addGroupsToUser(String userName, String... groupNames) {
+ LOGGER.warn("Static user:group mapping is not being used");
+ return addGroupsToUser(userName, false, groupNames);
+ }
+ public PolicyFile addGroupsToUser(String userName, boolean allowDuplicates, String... groupNames) {
+ LOGGER.warn("Static user:group mapping is not being used");
+ return add(usersToGroups.get(userName), allowDuplicates, groupNames);
+ }
+ public PolicyFile setUserGroupMapping(Map<String, String> mapping) {
+ for (Entry<String, String> entry : mapping.entrySet()) {
+ usersToGroups.put(entry.getKey(), entry.getValue());
+ }
+ return this;
+ }
+ public PolicyFile addDatabase(String databaseName, String path) {
+ String oldPath = databasesToPolicyFiles.put(databaseName, path);
+ if (oldPath != null) {
+ throw new IllegalStateException("Database " + databaseName + " already existed in " +
+ databasesToPolicyFiles + " with value of " + oldPath);
+ }
+ databasesToPolicyFiles.put(databaseName, path);
+ return this;
+ }
+ public PolicyFile removeRolesFromGroup(String groupName, String... roleNames) {
+ return remove(groupsToRoles.get(groupName), roleNames);
+ }
+ public PolicyFile removePermissionsFromRole(String roleName, String... permissionNames) {
+ return remove(rolesToPermissions.get(roleName), permissionNames);
+ }
+ public PolicyFile removeGroupsFromUser(String userName, String... groupNames) {
+ LOGGER.warn("Static user:group mapping is not being used");
+ return remove(usersToGroups.get(userName), groupNames);
+ }
+ public PolicyFile removeDatabase(String databaseName) {
+ if(databasesToPolicyFiles.remove(databaseName) == null) {
+ throw new IllegalStateException("Database " + databaseName + " did not exist in " +
+ databasesToPolicyFiles);
+ }
+ return this;
+ }
+ public PolicyFile copy() {
+ PolicyFile other = new PolicyFile();
+ other.databasesToPolicyFiles.putAll(databasesToPolicyFiles);
+ other.usersToGroups.putAll(usersToGroups);
+ other.groupsToRoles.putAll(groupsToRoles);
+ other.rolesToPermissions.putAll(rolesToPermissions);
+ return other;
+ }
+
+ public void write(File clientFile, File serverFile) throws Exception {
+ write(clientFile);
+ write(serverFile);
+ }
+
+ public void write(File file) throws Exception {
+ if(file.exists() && !file.delete()) {
+ throw new IllegalStateException("Unable to delete " + file);
+ }
+ String contents = Joiner.on(NL)
+ .join(getSection(DATABASES, databasesToPolicyFiles),
+ getSection(USERS, usersToGroups),
+ getSection(GROUPS, groupsToRoles),
+ getSection(ROLES, rolesToPermissions),
+ "");
+ LOGGER.info("Writing policy file to " + file + ":\n" + contents);
+ Files.write(contents, file, Charsets.UTF_8);
+ }
+
+ private String getSection(String name, Map<String, String> mapping) {
+ if(mapping.isEmpty()) {
+ return "";
+ }
+ Joiner kvJoiner = Joiner.on(" = ");
+ List<String> lines = Lists.newArrayList();
+ lines.add("[" + name + "]");
+ for (Entry<String, String> entry : mapping.entrySet()) {
+ lines.add(kvJoiner.join(entry.getKey(), entry.getValue()));
+ }
+ return Joiner.on(NL).join(lines);
+ }
+ private String getSection(String name, Multimap<String, String> mapping) {
+ if(mapping.isEmpty()) {
+ return "";
+ }
+ Joiner kvJoiner = Joiner.on(" = ");
+ Joiner itemJoiner = Joiner.on(" , ");
+ List<String> lines = Lists.newArrayList();
+ lines.add("[" + name + "]");
+ for(String key : mapping.keySet()) {
+ lines.add(kvJoiner.join(key, itemJoiner.join(mapping.get(key))));
+ }
+ return Joiner.on(NL).join(lines);
+ }
+
+ private PolicyFile remove(Collection<String> exitingItems, String[] newItems) {
+ for(String newItem : newItems) {
+ if(!exitingItems.remove(newItem)) {
+ throw new IllegalStateException("Item " + newItem + " did not exist in " + exitingItems);
+ }
+ }
+ return this;
+ }
+ private PolicyFile add(Collection<String> exitingItems, boolean allowDuplicates, String[] newItems) {
+ for(String newItem : newItems) {
+ if(exitingItems.contains(newItem) && !allowDuplicates) {
+ throw new IllegalStateException("Item " + newItem + " already exists in " + exitingItems);
+ }
+ exitingItems.add(newItem);
+ }
+ return this;
+ }
+
+ //User:Group mapping for the admin user needs to be set separately
+ public static PolicyFile setAdminOnServer1(String admin) throws Exception {
+ return new PolicyFile()
+ .addRolesToGroup(admin, "admin_role")
+ .addPermissionsToRole("admin_role", "server=server1");
+ }
+}
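Review bot: `addRolesToGroup(String, String...)` near the top of the class declares `throws Exception` although its body only delegates to the two-arg overload, which throws nothing checked; that forces `setAdminOnServer1` to declare `throws Exception` as well and every test caller to catch or declare it, while the parallel `addPermissionsToRole` overload has no such clause. Dropping it from both signatures — `public PolicyFile addRolesToGroup(String groupName, String... roleNames) {` and `public static PolicyFile setAdminOnServer1(String admin) {` — is source-compatible for callers. In `addDatabase` the second `databasesToPolicyFiles.put(databaseName, path);` after the duplicate check is redundant, since the first `put` already stored the value and is what produced `oldPath`. Separately, the class is annotated `@VisibleForTesting` and its Javadoc says it exists for tests, yet it now lives under `src/main` of sentry-core-common, so this policy-file writer (which logs the full user/group/role/permission contents at INFO in `write(File)`) ships in the production artifact; a `src/test` location published as a test-jar, or at least a class-level comment stating why it must be on the main classpath, would keep that intent explicit.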
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-dist/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml
index 0403770..8b3022f 100644
--- a/sentry-dist/pom.xml
+++ b/sentry-dist/pom.xml
@@ -76,6 +76,10 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service-server</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
<artifactId>sentry-provider-common</artifactId>
</dependency>
<dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-dist/src/main/assembly/src.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/src/main/assembly/src.xml b/sentry-dist/src/main/assembly/src.xml
index c730c58..6801b85 100644
--- a/sentry-dist/src/main/assembly/src.xml
+++ b/sentry-dist/src/main/assembly/src.xml
@@ -55,6 +55,7 @@
<include>dev-support/**</include>
<include>sentry-binding/**</include>
<include>sentry-core/**</include>
+ <include>sentry-service/**</include>
<include>sentry-dist/**</include>
<include>sentry-provider/**</include>
<include>sentry-policy/**</include>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-hdfs/sentry-hdfs-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-common/pom.xml b/sentry-hdfs/sentry-hdfs-common/pom.xml
index d244edc..281196b 100644
--- a/sentry-hdfs/sentry-hdfs-common/pom.xml
+++ b/sentry-hdfs/sentry-hdfs-common/pom.xml
@@ -60,26 +60,29 @@ limitations under the License.
<version>${curator.version}</version>
</dependency>
<dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-minikdc</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
<groupId>org.apache.sentry</groupId>
<artifactId>sentry-provider-db</artifactId>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-file</artifactId>
+ <artifactId>sentry-service-server</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-minikdc</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-db</artifactId>
+ <artifactId>sentry-service-server</artifactId>
<type>test-jar</type>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-provider-file</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
<build>
<sourceDirectory>${basedir}/src/main/java</sourceDirectory>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java
index 1717c42..020b758 100644
--- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java
+++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerAuthorizationProviderSpecialCases.java
@@ -35,7 +35,7 @@ import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.core.common.utils.PolicyFile;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml
index 3d76198..8061433 100644
--- a/sentry-provider/sentry-provider-db/pom.xml
+++ b/sentry-provider/sentry-provider-db/pom.xml
@@ -75,40 +75,40 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-core-model-db</artifactId>
+ <artifactId>sentry-provider-common</artifactId>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-core-model-search</artifactId>
+ <artifactId>sentry-service-common</artifactId>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-core-model-sqoop</artifactId>
+ <artifactId>sentry-provider-file</artifactId>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-core-model-kafka</artifactId>
+ <artifactId>sentry-policy-engine</artifactId>
</dependency>
<dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-common</artifactId>
+ <groupId>org.apache.hive</groupId>
+ <artifactId>hive-shims</artifactId>
+ <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-file</artifactId>
+ <artifactId>sentry-core-model-db</artifactId>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-policy-engine</artifactId>
+ <artifactId>sentry-core-model-kafka</artifactId>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-service-common</artifactId>
+ <artifactId>sentry-core-model-search</artifactId>
</dependency>
<dependency>
- <groupId>org.apache.hive</groupId>
- <artifactId>hive-shims</artifactId>
- <scope>provided</scope>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-sqoop</artifactId>
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
@@ -127,11 +127,6 @@ limitations under the License.
<artifactId>ant-contrib</artifactId>
</dependency>
<dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-minikdc</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
<groupId>javax.jdo</groupId>
<artifactId>jdo-api</artifactId>
</dependency>
@@ -156,6 +151,10 @@ limitations under the License.
<artifactId>jetty-servlet</artifactId>
</dependency>
<dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ </dependency>
+ <dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-all</artifactId>
<scope>test</scope>
@@ -165,148 +164,4 @@ limitations under the License.
<artifactId>commons-pool2</artifactId>
</dependency>
</dependencies>
-
- <build>
- <sourceDirectory>${basedir}/src/main/java</sourceDirectory>
- <testSourceDirectory>${basedir}/src/test/java</testSourceDirectory>
- <resources>
- <resource>
- <directory>${basedir}/src/main/java/org/apache/sentry/provider/db/service/model</directory>
- <includes>
- <include>package.jdo</include>
- </includes>
- </resource>
- <resource>
- <directory>${basedir}/src/main</directory>
- <includes>
- <include>webapp/*</include>
- <include>webapp/css/*</include>
- </includes>
- </resource>
- </resources>
- <plugins>
- <plugin>
- <groupId>com.google.code.maven-replacer-plugin</groupId>
- <artifactId>replacer</artifactId>
- <version>1.5.2</version>
- <executions>
- <execution>
- <id>replaceTokens</id>
- <phase>clean</phase>
- <goals>
- <goal>replace</goal>
- </goals>
- </execution>
- </executions>
- <configuration>
- <file>${basedir}/src/main/webapp/SentryService.html</file>
- <replacements>
- <replacement>
- <token>%PROJECT_VERSION%</token>
- <value>${version}</value>
- </replacement>
- </replacements>
- </configuration>
- </plugin>
- <plugin>
- <groupId>org.datanucleus</groupId>
- <artifactId>datanucleus-maven-plugin</artifactId>
- <configuration>
- <api>JDO</api>
- <metadataIncludes>**/*.jdo</metadataIncludes>
- <verbose>true</verbose>
- </configuration>
- <executions>
- <execution>
- <phase>process-classes</phase>
- <goals>
- <goal>enhance</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-jar-plugin</artifactId>
- <executions>
- <execution>
- <goals>
- <goal>test-jar</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-surefire-plugin</artifactId>
- <configuration>
- <reuseForks>false</reuseForks>
- </configuration>
- </plugin>
- </plugins>
- </build>
- <profiles>
- <profile>
- <id>datanucleus3</id>
- <activation>
- <activeByDefault>true</activeByDefault>
- </activation>
- <properties>
- <datanucleus-api-jdo.version>3.2.6</datanucleus-api-jdo.version>
- <datanucleus-core.version>3.2.12</datanucleus-core.version>
- <datanucleus-rdbms.version>3.2.12</datanucleus-rdbms.version>
- </properties>
- <dependencies>
- <dependency>
- <groupId>org.datanucleus</groupId>
- <artifactId>datanucleus-core</artifactId>
- <version>${datanucleus-core.version}</version>
- </dependency>
- <dependency>
- <groupId>org.datanucleus</groupId>
- <artifactId>datanucleus-api-jdo</artifactId>
- <version>${datanucleus-api-jdo.version}</version>
- </dependency>
- <dependency>
- <groupId>org.datanucleus</groupId>
- <artifactId>datanucleus-rdbms</artifactId>
- <version>${datanucleus-rdbms.version}</version>
- </dependency>
- </dependencies>
- </profile>
- <profile>
- <id>datanucleus4</id>
- <activation>
- <activeByDefault>false</activeByDefault>
- </activation>
- <properties>
- <datanucleus-api-jdo.version>4.2.1</datanucleus-api-jdo.version>
- <datanucleus-core.version>4.1.6</datanucleus-core.version>
- <datanucleus-rdbms.version>4.1.7</datanucleus-rdbms.version>
- <datanucleus-jdo.version>3.2.0-m3</datanucleus-jdo.version>
- </properties>
- <dependencies>
- <dependency>
- <groupId>org.datanucleus</groupId>
- <artifactId>datanucleus-core</artifactId>
- <version>${datanucleus-core.version}</version>
- </dependency>
- <dependency>
- <groupId>org.datanucleus</groupId>
- <artifactId>datanucleus-api-jdo</artifactId>
- <version>${datanucleus-api-jdo.version}</version>
- </dependency>
- <dependency>
- <groupId>org.datanucleus</groupId>
- <artifactId>datanucleus-rdbms</artifactId>
- <version>${datanucleus-rdbms.version}</version>
- </dependency>
- <dependency>
- <groupId>org.datanucleus</groupId>
- <artifactId>javax.jdo</artifactId>
- <version>${datanucleus-jdo.version}</version>
- </dependency>
- </dependencies>
- </profile>
- </profiles>
</project>
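Review bot: Removing the entire `<build>` section drops the datanucleus-maven-plugin `enhance` execution and the `package.jdo` resource from this module, so any JDO model class still living under `src/main/java/org/apache/sentry/provider/db/service/model` would no longer be bytecode-enhanced at `process-classes`, which DataNucleus requires before such a class can be persisted. The hunk does not show where the model and the `datanucleus3`/`datanucleus4` profiles went; presumably they moved with the service code into the new sentry-service-server module, but that should be confirmed rather than assumed, along with the `reuseForks=false` surefire setting and the `test-jar` execution that sentry-hdfs-common used to consume from this artifact. A one-line comment above `</dependencies>`, e.g. `<!-- build/plugin configuration moved to sentry-service-server -->`, would tell readers of this pom where the former build configuration now lives.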
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java
deleted file mode 100644
index 2ff715f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.service.persistent.SentryStore;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
-import org.apache.sentry.provider.db.service.thrift.TDropPrivilegesRequest;
-import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
-import org.apache.sentry.provider.db.service.thrift.TRenamePrivilegesRequest;
-
-public interface SentryPolicyStorePlugin {
-
- @SuppressWarnings("serial")
- class SentryPluginException extends SentryUserException {
- public SentryPluginException(String msg) {
- super(msg);
- }
- public SentryPluginException(String msg, Throwable t) {
- super(msg, t);
- }
- }
-
- void initialize(Configuration conf, SentryStore sentryStore) throws SentryPluginException;
-
- void onAlterSentryRoleAddGroups(TAlterSentryRoleAddGroupsRequest tRequest) throws SentryPluginException;
-
- void onAlterSentryRoleDeleteGroups(TAlterSentryRoleDeleteGroupsRequest tRequest) throws SentryPluginException;
-
- void onAlterSentryRoleGrantPrivilege(TAlterSentryRoleGrantPrivilegeRequest tRequest) throws SentryPluginException;
-
- void onAlterSentryRoleRevokePrivilege(TAlterSentryRoleRevokePrivilegeRequest tRequest) throws SentryPluginException;
-
- void onDropSentryRole(TDropSentryRoleRequest tRequest) throws SentryPluginException;
-
- void onRenameSentryPrivilege(TRenamePrivilegesRequest request) throws SentryPluginException;
-
- void onDropSentryPrivilege(TDropPrivilegesRequest request) throws SentryPluginException;
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
deleted file mode 100644
index e960dcd..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
+++ /dev/null
@@ -1,542 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import java.io.IOException;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Set;
-
-import javax.jdo.PersistenceManager;
-import javax.jdo.Query;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
-import org.apache.sentry.core.common.exception.SentryInvalidInputException;
-import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
-import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
-import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
-import org.apache.sentry.provider.db.service.model.MSentryGroup;
-import org.apache.sentry.provider.db.service.model.MSentryRole;
-import org.apache.sentry.provider.db.service.persistent.CommitContext;
-import org.apache.sentry.provider.db.service.persistent.SentryStore;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor;
-import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Joiner;
-import com.google.common.base.Preconditions;
-import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-
-/**
- * The DelegateSentryStore will supports the generic authorizable model. It stores the authorizables
- * into separated column. Take the authorizables:[DATABASE=db1,TABLE=tb1,COLUMN=cl1] for example,
- * The DATABASE,db1,TABLE,tb1,COLUMN and cl1 will be stored into the six columns(resourceName0=db1,resourceType0=DATABASE,
- * resourceName1=tb1,resourceType1=TABLE,
- * resourceName2=cl1,resourceType2=COLUMN ) of generic privilege table
- */
-public class DelegateSentryStore implements SentryStoreLayer {
- private SentryStore delegate;
- private Configuration conf;
- private Set<String> adminGroups;
- private PrivilegeOperatePersistence privilegeOperator;
-
- public DelegateSentryStore(Configuration conf) throws SentryNoSuchObjectException,
- SentryAccessDeniedException, SentrySiteConfigurationException, IOException {
- this.privilegeOperator = new PrivilegeOperatePersistence(conf);
- // The generic model doesn't turn on the thread that cleans hive privileges
- conf.set(ServerConfig.SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL,"false");
- this.conf = conf;
- //delegated old sentryStore
- this.delegate = new SentryStore(conf);
- adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(conf.getStrings(
- ServerConfig.ADMIN_GROUPS, new String[]{}))));
- }
-
- private PersistenceManager openTransaction() {
- return delegate.openTransaction();
- }
-
- private CommitContext commitUpdateTransaction(PersistenceManager pm) {
- return delegate.commitUpdateTransaction(pm);
- }
-
- private void rollbackTransaction(PersistenceManager pm) {
- delegate.rollbackTransaction(pm);
- }
-
- private void commitTransaction(PersistenceManager pm) {
- delegate.commitTransaction(pm);
- }
-
- private MSentryRole getRole(String roleName, PersistenceManager pm) {
- return delegate.getMSentryRole(pm, roleName);
- }
-
- @Override
- public CommitContext createRole(String component, String role,
- String requestor) throws SentryAlreadyExistsException {
- return delegate.createSentryRole(role);
- }
-
- /**
- * The role is global in the generic model, such as the role may be has more than one component
- * privileges, so delete role will remove all privileges related to it.
- */
- @Override
- public CommitContext dropRole(String component, String role, String requestor)
- throws SentryNoSuchObjectException {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- String trimmedRole = toTrimmedLower(role);
- try {
- pm = openTransaction();
- Query query = pm.newQuery(MSentryRole.class);
- query.setFilter("this.roleName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- MSentryRole sentryRole = (MSentryRole) query.execute(trimmedRole);
- if (sentryRole == null) {
- throw new SentryNoSuchObjectException("Role: " + trimmedRole + " doesn't exist");
- } else {
- pm.retrieve(sentryRole);
- sentryRole.removeGMPrivileges();
- sentryRole.removePrivileges();
- pm.deletePersistent(sentryRole);
- }
- CommitContext commit = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commit;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- @Override
- public Set<String> getAllRoleNames() {
- return delegate.getAllRoleNames();
- }
-
- @Override
- public CommitContext alterRoleAddGroups(String component, String role,
- Set<String> groups, String requestor) throws SentryNoSuchObjectException {
- return delegate.alterSentryRoleAddGroups(requestor, role, toTSentryGroups(groups));
- }
-
- @Override
- public CommitContext alterRoleDeleteGroups(String component, String role,
- Set<String> groups, String requestor) throws SentryNoSuchObjectException {
- //called to old sentryStore
- return delegate.alterSentryRoleDeleteGroups(role, toTSentryGroups(groups));
- }
-
- @Override
- public CommitContext alterRoleGrantPrivilege(String component, String role,
- PrivilegeObject privilege, String grantorPrincipal)
- throws SentryUserException {
- String trimmedRole = toTrimmedLower(role);
- PersistenceManager pm = null;
- boolean rollbackTransaction = true;
- try{
- pm = openTransaction();
- MSentryRole mRole = getRole(trimmedRole, pm);
- if (mRole == null) {
- throw new SentryNoSuchObjectException("Role: " + trimmedRole + " doesn't exist");
- }
- /**
- * check with grant option
- */
- grantOptionCheck(privilege, grantorPrincipal, pm);
-
- privilegeOperator.grantPrivilege(privilege, mRole, pm);
-
- CommitContext commitContext = delegate.commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commitContext;
-
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- @Override
- public CommitContext alterRoleRevokePrivilege(String component,
- String role, PrivilegeObject privilege, String grantorPrincipal)
- throws SentryUserException {
- String trimmedRole = toTrimmedLower(role);
- PersistenceManager pm = null;
- boolean rollbackTransaction = true;
- try{
- pm = openTransaction();
- MSentryRole mRole = getRole(trimmedRole, pm);
- if (mRole == null) {
- throw new SentryNoSuchObjectException("Role: " + trimmedRole + " doesn't exist");
- }
- /**
- * check with grant option
- */
- grantOptionCheck(privilege, grantorPrincipal, pm);
-
- privilegeOperator.revokePrivilege(privilege, mRole, pm);
-
- CommitContext commitContext = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commitContext;
-
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- @Override
- public CommitContext renamePrivilege(String component, String service,
- List<? extends Authorizable> oldAuthorizables,
- List<? extends Authorizable> newAuthorizables, String requestor)
- throws SentryUserException {
- Preconditions.checkNotNull(component);
- Preconditions.checkNotNull(service);
- Preconditions.checkNotNull(oldAuthorizables);
- Preconditions.checkNotNull(newAuthorizables);
-
- if (oldAuthorizables.size() != newAuthorizables.size()) {
- throw new SentryAccessDeniedException(
- "rename privilege denied: the size of oldAuthorizables must equals the newAuthorizables "
- + "oldAuthorizables:" + Arrays.toString(oldAuthorizables.toArray()) + " "
- + "newAuthorizables:" + Arrays.toString(newAuthorizables.toArray()));
- }
-
- PersistenceManager pm = null;
- boolean rollbackTransaction = true;
- try {
- pm = openTransaction();
-
- privilegeOperator.renamePrivilege(toTrimmedLower(component), toTrimmedLower(service),
- oldAuthorizables, newAuthorizables, requestor, pm);
-
- CommitContext commitContext = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commitContext;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- @Override
- public CommitContext dropPrivilege(String component,
- PrivilegeObject privilege, String requestor) throws SentryUserException {
- Preconditions.checkNotNull(requestor);
-
- PersistenceManager pm = null;
- boolean rollbackTransaction = true;
- try {
- pm = openTransaction();
-
- privilegeOperator.dropPrivilege(privilege, pm);
-
- CommitContext commitContext = commitUpdateTransaction(pm);
- rollbackTransaction = false;
- return commitContext;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-
- /**
- * Grant option check
- * @param component
- * @param pm
- * @param privilegeReader
- * @throws SentryUserException
- */
- private void grantOptionCheck(PrivilegeObject requestPrivilege, String grantorPrincipal,PersistenceManager pm)
- throws SentryUserException {
-
- if (Strings.isNullOrEmpty(grantorPrincipal)) {
- throw new SentryInvalidInputException("grantorPrincipal should not be null or empty");
- }
-
- Set<String> groups = getRequestorGroups(grantorPrincipal);
- if (groups == null || groups.isEmpty()) {
- throw new SentryGrantDeniedException(grantorPrincipal
- + " has no grant!");
- }
- //admin group check
- if (!Sets.intersection(adminGroups, toTrimmed(groups)).isEmpty()) {
- return;
- }
- //privilege grant option check
- Set<MSentryRole> mRoles = delegate.getRolesForGroups(pm, groups);
- if (!privilegeOperator.checkPrivilegeOption(mRoles, requestPrivilege, pm)) {
- throw new SentryGrantDeniedException(grantorPrincipal
- + " has no grant!");
- }
- }
-
- @Override
- public Set<String> getRolesByGroups(String component, Set<String> groups)
- throws SentryUserException {
- Set<String> roles = Sets.newHashSet();
- if (groups == null) {
- return roles;
- }
- for (TSentryRole tSentryRole : delegate.getTSentryRolesByGroupName(groups, true)) {
- roles.add(tSentryRole.getRoleName());
- }
- return roles;
- }
-
- @Override
- public Set<String> getGroupsByRoles(String component, Set<String> roles)
- throws SentryUserException {
- Set<String> trimmedRoles = toTrimmedLower(roles);
- Set<String> groupNames = Sets.newHashSet();
- if (trimmedRoles.size() == 0) {
- return groupNames;
- }
-
- PersistenceManager pm = null;
- try{
- pm = openTransaction();
- //get groups by roles
- Query query = pm.newQuery(MSentryGroup.class);
- StringBuilder filters = new StringBuilder();
- query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
- List<String> rolesFiler = new LinkedList<String>();
- for (String role : trimmedRoles) {
- rolesFiler.add("role.roleName == \"" + role + "\" ");
- }
- filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
- query.setFilter(filters.toString());
-
- List<MSentryGroup> groups = (List<MSentryGroup>)query.execute();
- if (groups == null) {
- return groupNames;
- }
- for (MSentryGroup group : groups) {
- groupNames.add(group.getGroupName());
- }
- return groupNames;
- } finally {
- if (pm != null) {
- commitTransaction(pm);
- }
- }
- }
-
- @Override
- public Set<PrivilegeObject> getPrivilegesByRole(String component,
- Set<String> roles) throws SentryUserException {
- Preconditions.checkNotNull(roles);
- Set<PrivilegeObject> privileges = Sets.newHashSet();
- if (roles.isEmpty()) {
- return privileges;
- }
-
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- Set<MSentryRole> mRoles = Sets.newHashSet();
- for (String role : roles) {
- MSentryRole mRole = getRole(toTrimmedLower(role), pm);
- if (mRole != null) {
- mRoles.add(mRole);
- }
- }
- privileges.addAll(privilegeOperator.getPrivilegesByRole(mRoles, pm));
- } finally {
- if (pm != null) {
- commitTransaction(pm);
- }
- }
- return privileges;
- }
-
- @Override
- public Set<PrivilegeObject> getPrivilegesByProvider(String component,
- String service, Set<String> roles, Set<String> groups,
- List<? extends Authorizable> authorizables) throws SentryUserException {
- Preconditions.checkNotNull(component);
- Preconditions.checkNotNull(service);
-
- String trimmedComponent = toTrimmedLower(component);
- String trimmedService = toTrimmedLower(service);
-
- Set<PrivilegeObject> privileges = Sets.newHashSet();
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- //CaseInsensitive roleNames
- Set<String> trimmedRoles = toTrimmedLower(roles);
-
- if (groups != null) {
- trimmedRoles.addAll(delegate.getRoleNamesForGroups(groups));
- }
-
- if (trimmedRoles.size() == 0) {
- return privileges;
- }
-
- Set<MSentryRole> mRoles = Sets.newHashSet();
- for (String role : trimmedRoles) {
- MSentryRole mRole = getRole(role, pm);
- if (mRole != null) {
- mRoles.add(mRole);
- }
- }
- //get the privileges
- privileges.addAll(privilegeOperator.getPrivilegesByProvider(trimmedComponent, trimmedService, mRoles, authorizables, pm));
- } finally {
- if (pm != null) {
- commitTransaction(pm);
- }
- }
- return privileges;
- }
-
- @Override
- public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, String service,
- Set<String> validActiveRoles, List<? extends Authorizable> authorizables)
- throws SentryUserException {
-
- Preconditions.checkNotNull(component);
- Preconditions.checkNotNull(service);
-
- component = toTrimmedLower(component);
- service = toTrimmedLower(service);
-
- Set<MSentryGMPrivilege> privileges = Sets.newHashSet();
-
- if (validActiveRoles == null || validActiveRoles.isEmpty()) {
- return privileges;
- }
-
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
-
- Set<MSentryRole> mRoles = Sets.newHashSet();
- for (String role : validActiveRoles) {
- MSentryRole mRole = getRole(role, pm);
- if (mRole != null) {
- mRoles.add(mRole);
- }
- }
-
- //get the privileges
- Set<MSentryGMPrivilege> mSentryGMPrivileges = privilegeOperator.getPrivilegesByAuthorizable(component, service, mRoles, authorizables, pm);
-
- for (MSentryGMPrivilege mSentryGMPrivilege : mSentryGMPrivileges) {
- /**
- * force to load all roles related this privilege
- * avoid the lazy-loading
- */
- pm.retrieve(mSentryGMPrivilege);
- privileges.add(mSentryGMPrivilege);
- }
-
- } finally {
- commitTransaction(pm);
- }
- return privileges;
- }
-
- @Override
- public void close() {
- delegate.stop();
- }
-
- private Set<TSentryGroup> toTSentryGroups(Set<String> groups) {
- Set<TSentryGroup> tSentryGroups = Sets.newHashSet();
- for (String group : groups) {
- tSentryGroups.add(new TSentryGroup(group));
- }
- return tSentryGroups;
- }
-
- private Set<String> toTrimmedLower(Set<String> s) {
- if (s == null) {
- return new HashSet<String>();
- }
- Set<String> result = Sets.newHashSet();
- for (String v : s) {
- result.add(v.trim().toLowerCase());
- }
- return result;
- }
-
- private Set<String> toTrimmed(Set<String> s) {
- if (s == null) {
- return new HashSet<String>();
- }
- Set<String> result = Sets.newHashSet();
- for (String v : s) {
- result.add(v.trim());
- }
- return result;
- }
-
- private String toTrimmedLower(String s) {
- if (s == null) {
- return "";
- }
- return s.trim().toLowerCase();
- }
-
- private Set<String> getRequestorGroups(String userName)
- throws SentryUserException {
- return SentryPolicyStoreProcessor.getGroupsFromUserName(this.conf, userName);
- }
-
- @VisibleForTesting
- void clearAllTables() {
- boolean rollbackTransaction = true;
- PersistenceManager pm = null;
- try {
- pm = openTransaction();
- pm.newQuery(MSentryRole.class).deletePersistentAll();
- pm.newQuery(MSentryGroup.class).deletePersistentAll();
- pm.newQuery(MSentryGMPrivilege.class).deletePersistentAll();
- commitUpdateTransaction(pm);
- rollbackTransaction = false;
- } finally {
- if (rollbackTransaction) {
- rollbackTransaction(pm);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
deleted file mode 100644
index feab1e9..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
+++ /dev/null
@@ -1,231 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
-
-import java.util.List;
-import org.apache.sentry.core.common.Authorizable;
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Lists;
-
-public final class PrivilegeObject {
- private final String component;
- private final String service;
- private final String action;
- private final Boolean grantOption;
- private List<? extends Authorizable> authorizables;
-
- private PrivilegeObject(String component, String service, String action,
- Boolean grantOption,
- List<? extends Authorizable> authorizables) {
- this.component = component;
- this.service = service;
- this.action = action;
- this.grantOption = grantOption;
- this.authorizables = authorizables;
- }
-
- public List<? extends Authorizable> getAuthorizables() {
- return authorizables;
- }
-
- public String getAction() {
- return action;
- }
-
- public String getComponent() {
- return component;
- }
-
- public String getService() {
- return service;
- }
-
- public Boolean getGrantOption() {
- return grantOption;
- }
-
- @Override
- public String toString() {
- List<String> authorizable = Lists.newArrayList();
- for (Authorizable az : authorizables) {
- authorizable.add(KV_JOINER.join(az.getTypeName(),az.getName()));
- }
- return "PrivilegeObject [" + ", service=" + service + ", component="
- + component + ", authorizables=" + AUTHORIZABLE_JOINER.join(authorizable)
- + ", action=" + action + ", grantOption=" + grantOption + "]";
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((action == null) ? 0 : action.hashCode());
- result = prime * result + ((component == null) ? 0 : component.hashCode());
- result = prime * result + ((service == null) ? 0 : service.hashCode());
- result = prime * result + ((grantOption == null) ? 0 : grantOption.hashCode());
- for (Authorizable authorizable : authorizables) {
- result = prime * result + authorizable.getTypeName().hashCode();
- result = prime * result + authorizable.getName().hashCode();
- }
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj) {
- return true;
- }
- if (obj == null) {
- return false;
- }
- if (getClass() != obj.getClass()) {
- return false;
- }
- PrivilegeObject other = (PrivilegeObject) obj;
- if (action == null) {
- if (other.action != null) {
- return false;
- }
- } else if (!action.equals(other.action)) {
- return false;
- }
- if (service == null) {
- if (other.service != null) {
- return false;
- }
- } else if (!service.equals(other.service)) {
- return false;
- }
- if (component == null) {
- if (other.component != null) {
- return false;
- }
- } else if (!component.equals(other.component)) {
- return false;
- }
- if (grantOption == null) {
- if (other.grantOption != null) {
- return false;
- }
- } else if (!grantOption.equals(other.grantOption)) {
- return false;
- }
-
- if (authorizables.size() != other.authorizables.size()) {
- return false;
- }
- for (int i = 0; i < authorizables.size(); i++) {
- String o1 = KV_JOINER.join(authorizables.get(i).getTypeName(),
- authorizables.get(i).getName());
- String o2 = KV_JOINER.join(other.authorizables.get(i).getTypeName(),
- other.authorizables.get(i).getName());
- if (!o1.equalsIgnoreCase(o2)) {
- return false;
- }
- }
- return true;
- }
-
- public static class Builder {
- private String component;
- private String service;
- private String action;
- private Boolean grantOption;
- private List<? extends Authorizable> authorizables;
-
- public Builder() {
-
- }
-
- public Builder(PrivilegeObject privilege) {
- this.component = privilege.component;
- this.service = privilege.service;
- this.action = privilege.action;
- this.grantOption = privilege.grantOption;
- this.authorizables = privilege.authorizables;
- }
-
- public Builder setComponent(String component) {
- this.component = component;
- return this;
- }
-
- public Builder setService(String service) {
- this.service = service;
- return this;
- }
-
- public Builder setAction(String action) {
- this.action = action;
- return this;
- }
-
- public Builder withGrantOption(Boolean grantOption) {
- this.grantOption = grantOption;
- return this;
- }
-
- public Builder setAuthorizables(List<? extends Authorizable> authorizables) {
- this.authorizables = authorizables;
- return this;
- }
-
- /**
- * TolowerCase the authorizable name, the authorizable type is define when it was created.
- * Take the Solr for example, it has two Authorizable objects. They have the type Collection
- * and Field, they are can't be changed. So we should unified the authorizable name tolowercase.
- * @return new authorizable lists
- */
- private List<? extends Authorizable> toLowerAuthorizableName(List<? extends Authorizable> authorizables) {
- List<Authorizable> newAuthorizable = Lists.newArrayList();
- if (authorizables == null || authorizables.size() == 0) {
- return newAuthorizable;
- }
- for (final Authorizable authorizable : authorizables) {
- newAuthorizable.add(new Authorizable() {
- @Override
- public String getTypeName() {
- return authorizable.getTypeName();
- }
- @Override
- public String getName() {
- return authorizable.getName();
- }
- });
- }
- return newAuthorizable;
- }
-
- public PrivilegeObject build() {
- Preconditions.checkNotNull(component);
- Preconditions.checkNotNull(service);
- Preconditions.checkNotNull(action);
- //CaseInsensitive authorizable name
- List<? extends Authorizable> newAuthorizable = toLowerAuthorizableName(authorizables);
-
- return new PrivilegeObject(component.toLowerCase(),
- service.toLowerCase(),
- action.toLowerCase(),
- grantOption,
- newAuthorizable);
- }
- }
-}
[16/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java
new file mode 100644
index 0000000..d75e24b
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java
@@ -0,0 +1,595 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools;
+
+import java.io.BufferedReader;
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileReader;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.net.MalformedURLException;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.IllegalFormatException;
+import java.util.List;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.CommandLineParser;
+import org.apache.commons.cli.GnuParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.OptionBuilder;
+import org.apache.commons.cli.OptionGroup;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.io.output.NullOutputStream;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hive.beeline.BeeLine;
+import org.apache.sentry.Command;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.apache.sentry.provider.db.service.persistent.SentryStoreSchemaInfo;
+import org.apache.sentry.provider.db.tools.SentrySchemaHelper.NestedScriptParser;
+import org.apache.sentry.service.thrift.SentryService;
+import org.apache.sentry.service.thrift.ServiceConstants;
+
+public class SentrySchemaTool {
+ private static final String SENTRY_SCRIP_DIR = File.separatorChar + "scripts"
+ + File.separatorChar + "sentrystore" + File.separatorChar + "upgrade";
+ private String userName = null;
+ private String passWord = null;
+ private String connectionURL = null;
+ private String driver = null;
+ private boolean dryRun = false;
+ private String dbOpts = null;
+ private boolean verbose = false;
+ private final Configuration sentryConf;
+ private final String dbType;
+ private final SentryStoreSchemaInfo sentryStoreSchemaInfo;
+
+ public SentrySchemaTool(Configuration sentryConf, String dbType)
+ throws SentryUserException, IOException {
+ this(System.getenv("SENTRY_HOME") + SENTRY_SCRIP_DIR, sentryConf, dbType);
+ }
+
+ public SentrySchemaTool(String sentryScripPath, Configuration sentryConf,
+ String dbType) throws SentryUserException, IOException {
+ if (sentryScripPath == null || sentryScripPath.isEmpty()) {
+ throw new SentryUserException("No Sentry script dir provided");
+ }
+ this.sentryConf = sentryConf;
+ this.dbType = dbType;
+ this.sentryStoreSchemaInfo = new SentryStoreSchemaInfo(sentryScripPath,
+ dbType);
+ userName = sentryConf.get(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_USER,
+ ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_USER_DEFAULT);
+ //Password will be read from Credential provider specified using property
+ // CREDENTIAL_PROVIDER_PATH("hadoop.security.credential.provider.path" in sentry-site.xml
+ // it falls back to reading directly from sentry-site.xml
+ char[] passTmp = sentryConf.getPassword(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_PASS);
+ if(passTmp != null) {
+ passWord = new String(passTmp);
+ } else {
+ throw new SentrySiteConfigurationException("Error reading " + ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_PASS);
+ }
+
+ try {
+ connectionURL = getValidConfVar(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_URL);
+ if(dbType.equalsIgnoreCase(SentrySchemaHelper.DB_DERBY)) {
+ driver = sentryConf.get(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_DRIVER,
+ ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_DRIVER_DEFAULT);
+ } else {
+ driver = getValidConfVar(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_DRIVER);
+ }
+ // load required JDBC driver
+ Class.forName(driver);
+ } catch (IOException e) {
+ throw new SentryUserException("Missing property: " + e.getMessage());
+ } catch (ClassNotFoundException e) {
+ throw new SentryUserException("Failed to load driver", e);
+ }
+ }
+
+ public Configuration getConfiguration() {
+ return sentryConf;
+ }
+
+ public void setUserName(String userName) {
+ this.userName = userName;
+ }
+
+ public void setPassWord(String passWord) {
+ this.passWord = passWord;
+ }
+
+ public void setDryRun(boolean dryRun) {
+ this.dryRun = dryRun;
+ }
+
+ public void setVerbose(boolean verbose) {
+ this.verbose = verbose;
+ }
+
+ public String getDbOpts() {
+ return dbOpts;
+ }
+
+ public void setDbOpts(String dbOpts) {
+ this.dbOpts = dbOpts;
+ }
+
+ private static void printAndExit(Options cmdLineOptions) {
+ HelpFormatter formatter = new HelpFormatter();
+ formatter.printHelp("schemaTool", cmdLineOptions);
+ System.exit(1);
+ }
+
+ /***
+ * Print Hive version and schema version
+ * @throws SentryUserException
+ */
+ public void showInfo() throws SentryUserException {
+ Connection sentryStoreConn = getConnectionToMetastore(true);
+ System.out.println("Sentry distribution version:\t "
+ + SentryStoreSchemaInfo.getSentryVersion());
+ System.out.println("SentryStore schema version:\t "
+ + getMetaStoreSchemaVersion(sentryStoreConn));
+ }
+
+ // read schema version from sentry store
+ private String getMetaStoreSchemaVersion(Connection sentryStoreConn)
+ throws SentryUserException {
+ String versionQuery;
+ if (SentrySchemaHelper.getDbCommandParser(dbType).needsQuotedIdentifier()) {
+ versionQuery = "select t.\"SCHEMA_VERSION\" from \"SENTRY_VERSION\" t";
+ } else {
+ versionQuery = "select t.SCHEMA_VERSION from SENTRY_VERSION t";
+ }
+ try (Statement stmt = sentryStoreConn.createStatement();
+ ResultSet res = stmt.executeQuery(versionQuery)) {
+ if (!res.next()) {
+ throw new SentryUserException("Didn't find version data in sentry store");
+ }
+ String currentSchemaVersion = res.getString(1);
+ sentryStoreConn.close();
+ return currentSchemaVersion;
+ } catch (SQLException e) {
+ throw new SentryUserException("Failed to get schema version.", e);
+ }
+ }
+
+ // test the connection sentry store using the config property
+ private void testConnectionToMetastore() throws SentryUserException {
+ try (Connection conn = getConnectionToMetastore(true)) {
+ conn.close();
+ } catch (SQLException e) {
+ throw new SentryUserException("Failed to close sentry store connection", e);
+ }
+ }
+
+ /***
+ * get JDBC connection to sentry store db
+ *
+ * @param printInfo print connection parameters
+ * @return
+ * @throws SentryUserException
+ */
+ private Connection getConnectionToMetastore(boolean printInfo)
+ throws SentryUserException {
+ if (printInfo) {
+ System.out.println("Sentry store connection URL:\t " + connectionURL);
+ System.out.println("Sentry store Connection Driver :\t " + driver);
+ System.out.println("Sentry store connection User:\t " + userName);
+ }
+ if (userName == null || userName.isEmpty()) {
+ throw new SentryUserException("UserName empty ");
+ }
+ try {
+ // Connect using the JDBC URL and user/pass from conf
+ return DriverManager.getConnection(connectionURL, userName, passWord);
+ } catch (SQLException e) {
+ throw new SentryUserException("Failed to make connection to Sentry store.", e);
+ }
+ }
+
+ /**
+ * check if the current schema version in sentry store matches the Hive version
+ * @throws SentryUserException
+ */
+ public void verifySchemaVersion() throws SentryUserException {
+ // don't check version if its a dry run
+ if (dryRun) {
+ return;
+ }
+ String newSchemaVersion =
+ getMetaStoreSchemaVersion(getConnectionToMetastore(false));
+ // verify that the new version is added to schema
+ if (!sentryStoreSchemaInfo.getSentrySchemaVersion().equalsIgnoreCase(
+ newSchemaVersion)) {
+ throw new SentryUserException("Found unexpected schema version "
+ + newSchemaVersion);
+ }
+ }
+
+ /**
+ * Perform sentry store schema upgrade. extract the current schema version from sentry store
+ * @throws SentryUserException
+ */
+ public void doUpgrade() throws SentryUserException {
+ String fromVersion = getMetaStoreSchemaVersion(getConnectionToMetastore(false));
+ if (fromVersion == null || fromVersion.isEmpty()) {
+ throw new SentryUserException(
+ "Schema version not stored in the sentry store. "
+ +
+ "Metastore schema is too old or corrupt. Try specifying the version manually");
+ }
+ doUpgrade(fromVersion);
+ }
+
+ /**
+ * Perform sentry store schema upgrade
+ *
+ * @param fromSchemaVer
+ * Existing version of the sentry store. If null, then read from the sentry store
+ * @throws SentryUserException
+ */
+ public void doUpgrade(String fromSchemaVer) throws SentryUserException {
+ if (sentryStoreSchemaInfo.getSentrySchemaVersion().equals(fromSchemaVer)) {
+ System.out.println("No schema upgrade required from version " + fromSchemaVer);
+ return;
+ }
+ // Find the list of scripts to execute for this upgrade
+ List<String> upgradeScripts =
+ sentryStoreSchemaInfo.getUpgradeScripts(fromSchemaVer);
+ testConnectionToMetastore();
+ System.out.println("Starting upgrade sentry store schema from version " +
+ fromSchemaVer + " to "
+ + sentryStoreSchemaInfo.getSentrySchemaVersion());
+ String scriptDir = sentryStoreSchemaInfo.getSentryStoreScriptDir();
+ try {
+ for (String scriptFile : upgradeScripts) {
+ System.out.println("Upgrade script " + scriptFile);
+ if (!dryRun) {
+ runBeeLine(scriptDir, scriptFile);
+ System.out.println("Completed " + scriptFile);
+ }
+ }
+ } catch (IOException eIO) {
+ throw new SentryUserException(
+ "Upgrade FAILED! Metastore state would be inconsistent !!", eIO);
+ }
+
+ // Revalidated the new version after upgrade
+ verifySchemaVersion();
+ }
+
+ /**
+ * Initialize the sentry store schema to current version
+ *
+ * @throws SentryUserException
+ */
+ public void doInit() throws SentryUserException {
+ doInit(sentryStoreSchemaInfo.getSentrySchemaVersion());
+
+ // Revalidated the new version after upgrade
+ verifySchemaVersion();
+ }
+
+ /**
+ * Initialize the sentry store schema
+ *
+ * @param toVersion
+ * If null then current hive version is used
+ * @throws SentryUserException
+ */
+ public void doInit(String toVersion) throws SentryUserException {
+ testConnectionToMetastore();
+ System.out.println("Starting sentry store schema initialization to " + toVersion);
+
+ String initScriptDir = sentryStoreSchemaInfo.getSentryStoreScriptDir();
+ String initScriptFile = sentryStoreSchemaInfo.generateInitFileName(toVersion);
+
+ try {
+ System.out.println("Initialization script " + initScriptFile);
+ if (!dryRun) {
+ runBeeLine(initScriptDir, initScriptFile);
+ System.out.println("Initialization script completed");
+ }
+ } catch (IOException e) {
+ throw new SentryUserException("Schema initialization FAILED!"
+ + " Metastore state would be inconsistent !!", e);
+ }
+ }
+
+ // Flatten the nested upgrade script into a buffer
+ public static String buildCommand(NestedScriptParser dbCommandParser,
+ String scriptDir, String scriptFile) throws IllegalFormatException, IOException {
+
+ BufferedReader bfReader =
+ new BufferedReader(new FileReader(scriptDir + File.separatorChar + scriptFile));
+ String currLine;
+ StringBuilder sb = new StringBuilder();
+ String currentCommand = null;
+ while ((currLine = bfReader.readLine()) != null) {
+ currLine = currLine.trim();
+ if (currLine.isEmpty()) {
+ continue; // skip empty lines
+ }
+
+ if (currentCommand == null) {
+ currentCommand = currLine;
+ } else {
+ currentCommand = currentCommand + " " + currLine;
+ }
+ if (dbCommandParser.isPartialCommand(currLine)) {
+ // if its a partial line, continue collecting the pieces
+ continue;
+ }
+
+ // if this is a valid executable command then add it to the buffer
+ if (!dbCommandParser.isNonExecCommand(currentCommand)) {
+ currentCommand = dbCommandParser.cleanseCommand(currentCommand);
+
+ if (dbCommandParser.isNestedScript(currentCommand)) {
+ // if this is a nested sql script then flatten it
+ String currScript = dbCommandParser.getScriptName(currentCommand);
+ sb.append(buildCommand(dbCommandParser, scriptDir, currScript));
+ } else {
+ // Now we have a complete statement, process it
+ // write the line to buffer
+ sb.append(currentCommand);
+ sb.append(System.getProperty("line.separator"));
+ }
+ }
+ currentCommand = null;
+ }
+ bfReader.close();
+ return sb.toString();
+ }
+
+ // run beeline on the given sentry store scrip, flatten the nested scripts into single file
+ private void runBeeLine(String scriptDir, String scriptFile) throws IOException {
+ NestedScriptParser dbCommandParser =
+ SentrySchemaHelper.getDbCommandParser(dbType);
+ dbCommandParser.setDbOpts(getDbOpts());
+ // expand the nested script
+ String sqlCommands = buildCommand(dbCommandParser, scriptDir, scriptFile);
+ File tmpFile = File.createTempFile("schematool", ".sql");
+ tmpFile.deleteOnExit();
+
+ // write out the buffer into a file. Add beeline commands for autocommit and close
+ try (FileWriter fstream = new FileWriter(tmpFile.getPath());
+ BufferedWriter out = new BufferedWriter(fstream)) {
+
+ out.write("!set Silent " + verbose + System.getProperty("line.separator"));
+ out.write("!autocommit on" + System.getProperty("line.separator"));
+ out.write("!set Isolation TRANSACTION_READ_COMMITTED"
+ + System.getProperty("line.separator"));
+ out.write("!set AllowMultiLineCommand false"
+ + System.getProperty("line.separator"));
+ out.write(sqlCommands);
+ out.write("!closeall" + System.getProperty("line.separator"));
+ out.close();
+ }
+ runBeeLine(tmpFile.getPath());
+ }
+
+ // Generate the beeline args per hive conf and execute the given script
+ public void runBeeLine(String sqlScriptFile) throws IOException {
+ List<String> argList = new ArrayList<String>();
+ argList.add("-u");
+ argList.add(connectionURL);
+ argList.add("-d");
+ argList
+ .add(driver);
+ argList.add("-n");
+ argList.add(userName);
+ argList.add("-p");
+ argList.add(passWord);
+ argList.add("-f");
+ argList.add(sqlScriptFile);
+
+ BeeLine beeLine = new BeeLine();
+ if (!verbose) {
+ beeLine.setOutputStream(new PrintStream(new NullOutputStream()));
+ // beeLine.getOpts().setSilent(true);
+ }
+ // beeLine.getOpts().setAllowMultiLineCommand(false);
+ // beeLine.getOpts().setIsolation("TRANSACTION_READ_COMMITTED");
+ int status = beeLine.begin(argList.toArray(new String[0]), null);
+ if (status != 0) {
+ throw new IOException("Schema script failed, errorcode " + status);
+ }
+ }
+
+ private String getValidConfVar(String confVar) throws IOException {
+ String confVarKey = confVar;
+ String confVarValue = sentryConf.get(confVarKey);
+ if (confVarValue == null || confVarValue.isEmpty()) {
+ throw new IOException("Empty " + confVar);
+ }
+ return confVarValue;
+ }
+
+ // Create the required command line options
+ @SuppressWarnings("static-access")
+ private static void initOptions(Options cmdLineOptions) {
+ Option help = new Option("help", "print this message");
+ Option upgradeOpt = new Option("upgradeSchema", "Schema upgrade");
+ Option upgradeFromOpt = OptionBuilder.withArgName("upgradeFrom").hasArg().
+ withDescription("Schema upgrade from a version").
+ create("upgradeSchemaFrom");
+ Option initOpt = new Option("initSchema", "Schema initialization");
+ Option initToOpt = OptionBuilder.withArgName("initTo").hasArg().
+ withDescription("Schema initialization to a version").
+ create("initSchemaTo");
+ Option infoOpt = new Option("info", "Show config and schema details");
+
+ OptionGroup optGroup = new OptionGroup();
+ optGroup.addOption(upgradeOpt).addOption(initOpt).
+ addOption(help).addOption(upgradeFromOpt).
+ addOption(initToOpt).addOption(infoOpt);
+ optGroup.setRequired(true);
+
+ Option userNameOpt = OptionBuilder.withArgName("user")
+ .hasArg()
+ .withDescription("Override config file user name")
+ .create("userName");
+ Option passwdOpt = OptionBuilder.withArgName("password")
+ .hasArg()
+ .withDescription("Override config file password")
+ .create("passWord");
+ Option dbTypeOpt = OptionBuilder.withArgName("databaseType")
+ .hasArg().withDescription("Metastore database type [" +
+ SentrySchemaHelper.DB_DERBY + "," +
+ SentrySchemaHelper.DB_MYSQL + "," +
+ SentrySchemaHelper.DB_ORACLE + "," +
+ SentrySchemaHelper.DB_POSTGRACE + "," +
+ SentrySchemaHelper.DB_DB2 + "]")
+ .create("dbType");
+ Option dbOpts = OptionBuilder.withArgName("databaseOpts")
+ .hasArgs().withDescription("Backend DB specific options")
+ .create("dbOpts");
+
+ Option dryRunOpt = new Option("dryRun", "list SQL scripts (no execute)");
+ Option verboseOpt = new Option("verbose", "only print SQL statements");
+
+ Option configOpt = OptionBuilder.withArgName("confName").hasArgs()
+ .withDescription("Sentry Service configuration file").isRequired(true)
+ .create(ServiceConstants.ServiceArgs.CONFIG_FILE_LONG);
+
+ cmdLineOptions.addOption(help);
+ cmdLineOptions.addOption(dryRunOpt);
+ cmdLineOptions.addOption(userNameOpt);
+ cmdLineOptions.addOption(passwdOpt);
+ cmdLineOptions.addOption(dbTypeOpt);
+ cmdLineOptions.addOption(verboseOpt);
+ cmdLineOptions.addOption(dbOpts);
+ cmdLineOptions.addOption(configOpt);
+ cmdLineOptions.addOptionGroup(optGroup);
+ }
+
+ public static class CommandImpl implements Command {
+ @Override
+ public void run(String[] args) throws Exception {
+ CommandLineParser parser = new GnuParser();
+ CommandLine line = null;
+ String dbType = null;
+ String schemaVer = null;
+ Options cmdLineOptions = new Options();
+ String configFileName = null;
+
+ // Argument handling
+ initOptions(cmdLineOptions);
+ try {
+ line = parser.parse(cmdLineOptions, args);
+ } catch (ParseException e) {
+ System.err.println("SentrySchemaTool:Parsing failed. Reason: "
+ + e.getLocalizedMessage());
+ printAndExit(cmdLineOptions);
+ }
+
+ if (line.hasOption("help")) {
+ HelpFormatter formatter = new HelpFormatter();
+ formatter.printHelp("schemaTool", cmdLineOptions);
+ return;
+ }
+
+ if (line.hasOption("dbType")) {
+ dbType = line.getOptionValue("dbType");
+ if (!dbType.equalsIgnoreCase(SentrySchemaHelper.DB_DERBY)
+ && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_MYSQL)
+ && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_POSTGRACE)
+ && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_ORACLE)
+ && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_DB2)) {
+ System.err.println("Unsupported dbType " + dbType);
+ printAndExit(cmdLineOptions);
+ }
+ } else {
+ System.err.println("no dbType supplied");
+ printAndExit(cmdLineOptions);
+ }
+ if (line.hasOption(ServiceConstants.ServiceArgs.CONFIG_FILE_LONG)) {
+ configFileName = line
+ .getOptionValue(ServiceConstants.ServiceArgs.CONFIG_FILE_LONG);
+ } else {
+ System.err.println("no config file specified");
+ printAndExit(cmdLineOptions);
+ }
+ try {
+ SentrySchemaTool schemaTool = new SentrySchemaTool(
+ SentryService.loadConfig(configFileName), dbType);
+
+ if (line.hasOption("userName")) {
+ schemaTool.setUserName(line.getOptionValue("userName"));
+ }
+ if (line.hasOption("passWord")) {
+ schemaTool.setPassWord(line.getOptionValue("passWord"));
+ }
+ if (line.hasOption("dryRun")) {
+ schemaTool.setDryRun(true);
+ }
+ if (line.hasOption("verbose")) {
+ schemaTool.setVerbose(true);
+ }
+ if (line.hasOption("dbOpts")) {
+ schemaTool.setDbOpts(line.getOptionValue("dbOpts"));
+ }
+
+ if (line.hasOption("info")) {
+ schemaTool.showInfo();
+ } else if (line.hasOption("upgradeSchema")) {
+ schemaTool.doUpgrade();
+ } else if (line.hasOption("upgradeSchemaFrom")) {
+ schemaVer = line.getOptionValue("upgradeSchemaFrom");
+ schemaTool.doUpgrade(schemaVer);
+ } else if (line.hasOption("initSchema")) {
+ schemaTool.doInit();
+ } else if (line.hasOption("initSchemaTo")) {
+ schemaVer = line.getOptionValue("initSchemaTo");
+ schemaTool.doInit(schemaVer);
+ } else {
+ System.err.println("no valid option supplied");
+ printAndExit(cmdLineOptions);
+ }
+ } catch (SentryUserException e) {
+ System.err.println(e);
+ if (line.hasOption("verbose")) {
+ e.printStackTrace();
+ }
+ System.err.println("*** Sentry schemaTool failed ***");
+ System.exit(1);
+ } catch (MalformedURLException e) {
+ System.err.println(e);
+ if (line.hasOption("verbose")) {
+ e.printStackTrace();
+ }
+ System.err.println("*** Sentry schemaTool failed ***");
+ System.exit(1);
+ }
+ System.out.println("Sentry schemaTool completed");
+ }
+ }
+
+}
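Review bot: getMetaStoreSchemaVersion closes the Connection it is handed only on the success path (`sentryStoreConn.close()` after `res.getString(1)`), so when the query throws SQLException or the "Didn't find version data" SentryUserException is raised inside the try, the connection is left open, and none of its three callers (showInfo, verifySchemaVersion, doUpgrade) close it either. The simplest fix is to put the connection in the resource list and drop the explicit close: `try (Connection conn = sentryStoreConn; Statement stmt = conn.createStatement(); ResultSet res = stmt.executeQuery(versionQuery)) {`. buildCommand has the same shape of leak: `bfReader.close()` runs only on normal return, so a read error or an exception from the recursive call for a nested script leaks the FileReader; wrapping the reader in try-with-resources fixes that too. Separately, the constructor's `catch (IOException e) { throw new SentryUserException("Missing property: " + e.getMessage()); }` drops the cause, unlike the ClassNotFoundException branch right below it; passing `e` as the second argument keeps the stack trace for operators debugging a misconfigured sentry-site.xml.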
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
new file mode 100644
index 0000000..b668b95
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
@@ -0,0 +1,110 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.service.thrift;
+
+import java.util.Arrays;
+import java.util.List;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.sasl.AuthorizeCallback;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.SaslRpcServer;
+import org.apache.sentry.core.common.exception.ConnectionDeniedException;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+
+public class GSSCallback extends SaslRpcServer.SaslGssCallbackHandler {
+
+ private final Configuration conf;
+ public GSSCallback(Configuration conf) {
+ super();
+ this.conf = conf;
+ }
+
+ boolean comparePrincipals(String principal1, String principal2) {
+ String[] principalParts1 = SaslRpcServer.splitKerberosName(principal1);
+ String[] principalParts2 = SaslRpcServer.splitKerberosName(principal2);
+ if (principalParts1.length == 0 || principalParts2.length == 0) {
+ return false;
+ }
+ if (principalParts1.length == principalParts2.length) {
+ for (int i=0; i < principalParts1.length; i++) {
+ if (!principalParts1[i].equals(principalParts2[i])) {
+ return false;
+ }
+ }
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+ boolean allowConnect(String principal) {
+ String allowedPrincipals = conf.get(ServerConfig.ALLOW_CONNECT);
+ if (allowedPrincipals == null) {
+ return false;
+ }
+ String principalShortName = getShortName(principal);
+ List<String> items = Arrays.asList(allowedPrincipals.split("\\s*,\\s*"));
+ for (String item : items) {
+ if (comparePrincipals(item, principalShortName)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private String getShortName(String principal) {
+ String parts[] = SaslRpcServer.splitKerberosName(principal);
+ return parts[0];
+ }
+
+ @Override
+ public void handle(Callback[] callbacks)
+ throws UnsupportedCallbackException, ConnectionDeniedException {
+ AuthorizeCallback ac = null;
+ for (Callback callback : callbacks) {
+ if (callback instanceof AuthorizeCallback) {
+ ac = (AuthorizeCallback) callback;
+ } else {
+ throw new UnsupportedCallbackException(callback,
+ "Unrecognized SASL GSSAPI Callback");
+ }
+ }
+ if (ac != null) {
+ String authid = ac.getAuthenticationID();
+ String authzid = ac.getAuthorizationID();
+
+ if (allowConnect(authid)) {
+ if (authid.equals(authzid)) {
+ ac.setAuthorized(true);
+ } else {
+ ac.setAuthorized(false);
+ }
+ if (ac.isAuthorized()) {
+ ac.setAuthorizedID(authzid);
+ }
+ } else {
+ throw new ConnectionDeniedException(ac,
+ "Connection to sentry service denied due to lack of client credentials",
+ authid);
+ }
+ }
+ }
+}
\ No newline at end of file
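Review bot: allowConnect compares only the first component of the authenticated principal: getShortName returns parts[0] of SaslRpcServer.splitKerberosName (which splits on '/' and '@'), so the host and realm of authid are discarded before comparePrincipals runs, and any ALLOW_CONNECT entry that itself carries a host or realm can never match because the part counts differ. Whether ignoring the realm is acceptable depends on the deployment; if the KDC has cross-realm trust, a principal with the same short name in a foreign realm is accepted by this check, so either compare the full principal or document the contract explicitly. A comment on allowConnect such as `// Only the primary component of the principal is compared: ALLOW_CONNECT must list bare short names; host and realm of the client principal are ignored.` would make the intended semantics visible to whoever edits the config. comparePrincipals and allowConnect are package-private with no Javadoc; a one-line summary on each stating what "equal" means here would help, and `String parts[]` in getShortName should be written `String[] parts` per Java convention.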
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
new file mode 100644
index 0000000..41e4fe4
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
@@ -0,0 +1,107 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.service.thrift;
+
+import java.io.File;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.security.auth.login.AppConfigurationEntry;
+
+public class KerberosConfiguration extends javax.security.auth.login.Configuration {
+ private String principal;
+ private String keytab;
+ private boolean isInitiator;
+ private static final boolean IBM_JAVA = System.getProperty("java.vendor").contains("IBM");
+
+ private KerberosConfiguration(String principal, File keytab,
+ boolean client) {
+ this.principal = principal;
+ this.keytab = keytab.getAbsolutePath();
+ this.isInitiator = client;
+ }
+
+ public static javax.security.auth.login.Configuration createClientConfig(String principal,
+ File keytab) {
+ return new KerberosConfiguration(principal, keytab, true);
+ }
+
+ public static javax.security.auth.login.Configuration createServerConfig(String principal,
+ File keytab) {
+ return new KerberosConfiguration(principal, keytab, false);
+ }
+
+ private static String getKrb5LoginModuleName() {
+ return (IBM_JAVA ? "com.ibm.security.auth.module.Krb5LoginModule"
+ : "com.sun.security.auth.module.Krb5LoginModule");
+ }
+
+ @Override
+ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+ Map<String, String> options = new HashMap<String, String>();
+
+ if (IBM_JAVA) {
+ // IBM JAVA's UseKeytab covers both keyTab and useKeyTab options
+ options.put("useKeytab",keytab.startsWith("file://") ? keytab : "file://" + keytab);
+
+ options.put("principal", principal);
+ options.put("refreshKrb5Config", "true");
+
+ // Both "initiator" and "acceptor"
+ options.put("credsType", "both");
+ } else {
+ options.put("keyTab", keytab);
+ options.put("principal", principal);
+ options.put("useKeyTab", "true");
+ options.put("storeKey", "true");
+ options.put("doNotPrompt", "true");
+ options.put("useTicketCache", "true");
+ options.put("renewTGT", "true");
+ options.put("refreshKrb5Config", "true");
+ options.put("isInitiator", Boolean.toString(isInitiator));
+ }
+
+ String ticketCache = System.getenv("KRB5CCNAME");
+ if (IBM_JAVA) {
+ // If cache is specified via env variable, it takes priority
+ if (ticketCache != null) {
+ // IBM JAVA only respects system property so copy ticket cache to system property
+ // The first value searched when "useDefaultCcache" is true.
+ System.setProperty("KRB5CCNAME", ticketCache);
+ } else {
+ ticketCache = System.getProperty("KRB5CCNAME");
+ }
+
+ if (ticketCache != null) {
+ options.put("useDefaultCcache", "true");
+ options.put("renewTGT", "true");
+ }
+ } else {
+ if (ticketCache != null) {
+ options.put("ticketCache", ticketCache);
+ }
+ }
+ options.put("debug", "true");
+
+ return new AppConfigurationEntry[]{
+ new AppConfigurationEntry(getKrb5LoginModuleName(),
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+ options)};
+ }
+}
+
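Review bot: `options.put("debug", "true")` at the end of getAppConfigurationEntry enables Krb5LoginModule debug output unconditionally, so every login (and every renewal from SentryKerberosContext) prints principal, keytab path, ticket-cache location and ticket details to stdout in production. That belongs behind a switch; the JDK already honours `sun.security.krb5.debug`, so `options.put("debug", System.getProperty("sun.security.krb5.debug", "false"));` keeps the diagnostics available without being on by default. Separately, `principal`, `keytab` and `isInitiator` are only assigned in the constructor and could be `final`, and the IBM branch writes `renewTGT` twice (once unconditionally, once when a ticket cache is found), which is harmless but confusing.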
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/ProcessorFactory.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/ProcessorFactory.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/ProcessorFactory.java
new file mode 100644
index 0000000..a3bb6ab
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/ProcessorFactory.java
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.service.thrift;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.thrift.TMultiplexedProcessor;
+
+public abstract class ProcessorFactory {
+ protected final Configuration conf;
+
+ public ProcessorFactory(Configuration conf) {
+ this.conf = conf;
+ }
+
+ public abstract boolean register(TMultiplexedProcessor processor) throws Exception;
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
new file mode 100644
index 0000000..f54f161
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryKerberosContext.java
@@ -0,0 +1,157 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.service.thrift;
+
+import java.io.File;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.Sets;
+
+public class SentryKerberosContext implements Runnable {
+ private static final float TICKET_RENEW_WINDOW = 0.80f;
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(SentryKerberosContext.class);
+ private LoginContext loginContext;
+ private Subject subject;
+ private final javax.security.auth.login.Configuration kerberosConfig;
+ @Deprecated
+ private Thread renewerThread;
+ @Deprecated
+ private boolean shutDownRenewer = false;
+
+ public SentryKerberosContext(String principal, String keyTab, boolean autoRenewTicket)
+ throws LoginException {
+ subject = new Subject(false, Sets.newHashSet(new KerberosPrincipal(principal)),
+ new HashSet<Object>(), new HashSet<Object>());
+ kerberosConfig = KerberosConfiguration.createClientConfig(principal, new File(keyTab));
+ loginWithNewContext();
+ if (autoRenewTicket) {
+ startRenewerThread();
+ }
+ }
+
+ private void loginWithNewContext() throws LoginException {
+ LOGGER.info("Logging in with new Context");
+ logoutSubject();
+ loginContext = new LoginContext("", subject, null, kerberosConfig);
+ loginContext.login();
+ subject = loginContext.getSubject();
+ }
+
+ private void logoutSubject() {
+ if (loginContext != null) {
+ try {
+ loginContext.logout();
+ } catch (LoginException e) {
+ LOGGER.warn("Error logging out the subject", e);
+ }
+ }
+ loginContext = null;
+ }
+
+ public Subject getSubject() {
+ return subject;
+ }
+
+ /**
+ * Get the Kerberos TGT
+ * @return the user's TGT or null if none was found
+ */
+ @Deprecated
+ private KerberosTicket getTGT() {
+ Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
+ for(KerberosTicket ticket: tickets) {
+ KerberosPrincipal server = ticket.getServer();
+ if (server.getName().equals("krbtgt/" + server.getRealm() +
+ "@" + server.getRealm())) {
+ return ticket;
+ }
+ }
+ return null;
+ }
+
+ @Deprecated
+ private long getRefreshTime(KerberosTicket tgt) {
+ long start = tgt.getStartTime().getTime();
+ long end = tgt.getEndTime().getTime();
+ LOGGER.debug("Ticket start time: " + start);
+ LOGGER.debug("Ticket End time: " + end);
+ return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
+ }
+
+ /***
+ * Ticket renewer thread
+ * wait till 80% time interval left on the ticket and then renew it
+ */
+ @Deprecated
+ @Override
+ public void run() {
+ try {
+ LOGGER.info("Sentry Ticket renewer thread started");
+ while (!shutDownRenewer) {
+ KerberosTicket tgt = getTGT();
+ if (tgt == null) {
+ LOGGER.warn("No ticket found in the cache");
+ return;
+ }
+ long nextRefresh = getRefreshTime(tgt);
+ while (System.currentTimeMillis() < nextRefresh) {
+ Thread.sleep(1000);
+ if (shutDownRenewer) {
+ return;
+ }
+ }
+ loginWithNewContext();
+ LOGGER.debug("Renewed ticket");
+ }
+ } catch (InterruptedException e1) {
+ LOGGER.warn("Sentry Ticket renewer thread interrupted", e1);
+ return;
+ } catch (LoginException e) {
+ LOGGER.warn("Failed to renew ticket", e);
+ } finally {
+ logoutSubject();
+ LOGGER.info("Sentry Ticket renewer thread finished");
+ }
+ }
+
+ @Deprecated
+ public void startRenewerThread() {
+ renewerThread = new Thread(this);
+ renewerThread.start();
+ }
+
+ public void shutDown() throws LoginException {
+ if (renewerThread != null) {
+ shutDownRenewer = true;
+ } else {
+ logoutSubject();
+ }
+ }
+}
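Review bot: `shutDownRenewer` is written by `shutDown()` on the caller's thread and polled by the renewer thread in `run()`, but it is a plain `boolean` with no `volatile` or synchronization, so the renewer is not guaranteed to ever observe the flag; combined with the renewer thread being non-daemon in `startRenewerThread()`, that can keep the JVM alive after shutdown. The two-line fix is `private volatile boolean shutDownRenewer = false;` and `renewerThread.setDaemon(true);` before `start()`. `subject` has the same problem in the other direction: `loginWithNewContext()` reassigns it from the renewer thread while `getSubject()` reads it from the service thread, so it should be `volatile` as well (the server still runs under the Subject captured at `doAs` time, so callers should not assume `getSubject()` reflects the renewed login). The Javadoc on `run()` says "80% time interval left", but `getRefreshTime` renews once 80% of the ticket lifetime has elapsed; suggest rewording to `wait until 80% of the ticket lifetime has elapsed, then renew it`.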
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryService.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryService.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryService.java
new file mode 100644
index 0000000..5783649
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryService.java
@@ -0,0 +1,426 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.service.thrift;
+
+import java.io.File;
+import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.net.InetSocketAddress;
+import java.net.MalformedURLException;
+import java.net.ServerSocket;
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.EventListener;
+import java.util.List;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.ThreadFactory;
+
+import javax.security.auth.Subject;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.CommandLineParser;
+import org.apache.commons.cli.GnuParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Options;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.net.NetUtils;
+import org.apache.hadoop.security.SaslRpcServer;
+import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.sentry.Command;
+import org.apache.sentry.provider.db.service.thrift.SentryHealthCheckServletContextListener;
+import org.apache.sentry.provider.db.service.thrift.SentryMetricsServletContextListener;
+import org.apache.sentry.provider.db.service.thrift.SentryWebServer;
+import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.thrift.TMultiplexedProcessor;
+import org.apache.thrift.protocol.TBinaryProtocol;
+import org.apache.thrift.server.TServer;
+import org.apache.thrift.server.TServerEventHandler;
+import org.apache.thrift.server.TThreadPoolServer;
+import org.apache.thrift.transport.TSaslServerTransport;
+import org.apache.thrift.transport.TServerSocket;
+import org.apache.thrift.transport.TServerTransport;
+import org.apache.thrift.transport.TTransportFactory;
+import org.eclipse.jetty.util.MultiException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Preconditions;
+
+public class SentryService implements Callable {
+
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(SentryService.class);
+
+ private static enum Status {
+ NOT_STARTED(), STARTED();
+ }
+
+ private final Configuration conf;
+ private final InetSocketAddress address;
+ private final int maxThreads;
+ private final int minThreads;
+ private boolean kerberos;
+ private final String principal;
+ private final String[] principalParts;
+ private final String keytab;
+ private final ExecutorService serviceExecutor;
+ private Future serviceStatus;
+ private TServer thriftServer;
+ private Status status;
+ private int webServerPort;
+ private SentryWebServer sentryWebServer;
+ private long maxMessageSize;
+
+ public SentryService(Configuration conf) {
+ this.conf = conf;
+ int port = conf
+ .getInt(ServerConfig.RPC_PORT, ServerConfig.RPC_PORT_DEFAULT);
+ if (port == 0) {
+ port = findFreePort();
+ conf.setInt(ServerConfig.RPC_PORT, port);
+ }
+ this.address = NetUtils.createSocketAddr(
+ conf.get(ServerConfig.RPC_ADDRESS, ServerConfig.RPC_ADDRESS_DEFAULT),
+ port);
+ LOGGER.info("Configured on address " + address);
+ kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
+ conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
+ maxThreads = conf.getInt(ServerConfig.RPC_MAX_THREADS,
+ ServerConfig.RPC_MAX_THREADS_DEFAULT);
+ minThreads = conf.getInt(ServerConfig.RPC_MIN_THREADS,
+ ServerConfig.RPC_MIN_THREADS_DEFAULT);
+ maxMessageSize = conf.getLong(ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE,
+ ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
+ if (kerberos) {
+ // Use Hadoop libraries to translate the _HOST placeholder with actual hostname
+ try {
+ String rawPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
+ principal = SecurityUtil.getServerPrincipal(rawPrincipal, address.getAddress());
+ } catch(IOException io) {
+ throw new RuntimeException("Can't translate kerberos principal'", io);
+ }
+ LOGGER.info("Using kerberos principal: " + principal);
+
+ principalParts = SaslRpcServer.splitKerberosName(principal);
+ Preconditions.checkArgument(principalParts.length == 3,
+ "Kerberos principal should have 3 parts: " + principal);
+ keytab = Preconditions.checkNotNull(conf.get(ServerConfig.KEY_TAB),
+ ServerConfig.KEY_TAB + " is required");
+ File keytabFile = new File(keytab);
+ Preconditions.checkState(keytabFile.isFile() && keytabFile.canRead(),
+ "Keytab " + keytab + " does not exist or is not readable.");
+ } else {
+ principal = null;
+ principalParts = null;
+ keytab = null;
+ }
+ serviceExecutor = Executors.newSingleThreadExecutor(new ThreadFactory() {
+ private int count = 0;
+
+ @Override
+ public Thread newThread(Runnable r) {
+ return new Thread(r, SentryService.class.getSimpleName() + "-"
+ + (count++));
+ }
+ });
+ webServerPort = conf.getInt(ServerConfig.SENTRY_WEB_PORT, ServerConfig.SENTRY_WEB_PORT_DEFAULT);
+ status = Status.NOT_STARTED;
+ }
+
+ @Override
+ public String call() throws Exception {
+ SentryKerberosContext kerberosContext = null;
+ try {
+ status = Status.STARTED;
+ if (kerberos) {
+ Boolean autoRenewTicket = conf.getBoolean(ServerConfig.SENTRY_KERBEROS_TGT_AUTORENEW, ServerConfig.SENTRY_KERBEROS_TGT_AUTORENEW_DEFAULT);
+ kerberosContext = new SentryKerberosContext(principal, keytab, autoRenewTicket);
+ Subject.doAs(kerberosContext.getSubject(), new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ runServer();
+ return null;
+ }
+ });
+ } else {
+ runServer();
+ }
+ } catch (Exception t) {
+ LOGGER.error("Error starting server", t);
+ throw new Exception("Error starting server", t);
+ } finally {
+ if (kerberosContext != null) {
+ kerberosContext.shutDown();
+ }
+ status = Status.NOT_STARTED;
+ }
+ return null;
+ }
+
+ private void runServer() throws Exception {
+ Iterable<String> processorFactories = ConfUtilties.CLASS_SPLITTER
+ .split(conf.get(ServerConfig.PROCESSOR_FACTORIES,
+ ServerConfig.PROCESSOR_FACTORIES_DEFAULT).trim());
+ TMultiplexedProcessor processor = new TMultiplexedProcessor();
+ boolean registeredProcessor = false;
+ for (String processorFactory : processorFactories) {
+ Class<?> clazz = conf.getClassByName(processorFactory);
+ if (!ProcessorFactory.class.isAssignableFrom(clazz)) {
+ throw new IllegalArgumentException("Processor Factory "
+ + processorFactory + " is not a "
+ + ProcessorFactory.class.getName());
+ }
+ try {
+ Constructor<?> constructor = clazz
+ .getConstructor(Configuration.class);
+ LOGGER.info("ProcessorFactory being used: " + clazz.getCanonicalName());
+ ProcessorFactory factory = (ProcessorFactory) constructor
+ .newInstance(conf);
+ boolean registerStatus = factory.register(processor);
+ if (!registerStatus) {
+ LOGGER.error("Failed to register " + clazz.getCanonicalName());
+ }
+ registeredProcessor = registerStatus || registeredProcessor;
+ } catch (Exception e) {
+ throw new IllegalStateException("Could not create "
+ + processorFactory, e);
+ }
+ }
+ if (!registeredProcessor) {
+ throw new IllegalStateException(
+ "Failed to register any processors from " + processorFactories);
+ }
+ TServerTransport serverTransport = new TServerSocket(address);
+ TTransportFactory transportFactory = null;
+ if (kerberos) {
+ TSaslServerTransport.Factory saslTransportFactory = new TSaslServerTransport.Factory();
+ saslTransportFactory.addServerDefinition(AuthMethod.KERBEROS
+ .getMechanismName(), principalParts[0], principalParts[1],
+ ServerConfig.SASL_PROPERTIES, new GSSCallback(conf));
+ transportFactory = saslTransportFactory;
+ } else {
+ transportFactory = new TTransportFactory();
+ }
+ TThreadPoolServer.Args args = new TThreadPoolServer.Args(
+ serverTransport).processor(processor)
+ .transportFactory(transportFactory)
+ .protocolFactory(new TBinaryProtocol.Factory(true, true, maxMessageSize, maxMessageSize))
+ .minWorkerThreads(minThreads).maxWorkerThreads(maxThreads);
+ thriftServer = new TThreadPoolServer(args);
+ LOGGER.info("Serving on " + address);
+ startSentryWebServer();
+ thriftServer.serve();
+ }
+
+ private void startSentryWebServer() throws Exception{
+ Boolean sentryReportingEnable = conf.getBoolean(ServerConfig.SENTRY_WEB_ENABLE,
+ ServerConfig.SENTRY_WEB_ENABLE_DEFAULT);
+ if(sentryReportingEnable) {
+ List<EventListener> listenerList = new ArrayList<EventListener>();
+ listenerList.add(new SentryHealthCheckServletContextListener());
+ listenerList.add(new SentryMetricsServletContextListener());
+ sentryWebServer = new SentryWebServer(listenerList, webServerPort, conf);
+ sentryWebServer.start();
+ }
+
+ }
+
+ private void stopSentryWebServer() throws Exception{
+ if( sentryWebServer != null) {
+ sentryWebServer.stop();
+ sentryWebServer = null;
+ }
+ }
+
+ public InetSocketAddress getAddress() {
+ return address;
+ }
+
+ public synchronized boolean isRunning() {
+ return status == Status.STARTED && thriftServer != null
+ && thriftServer.isServing();
+ }
+
+ public synchronized void start() throws Exception{
+ if (status != Status.NOT_STARTED) {
+ throw new IllegalStateException("Cannot start when " + status);
+ }
+ LOGGER.info("Attempting to start...");
+ serviceStatus = serviceExecutor.submit(this);
+ }
+
+ public synchronized void stop() throws Exception{
+ MultiException exception = null;
+ LOGGER.info("Attempting to stop...");
+ if (isRunning()) {
+ LOGGER.info("Attempting to stop sentry thrift service...");
+ try {
+ thriftServer.stop();
+ thriftServer = null;
+ status = Status.NOT_STARTED;
+ } catch (Exception e) {
+ LOGGER.error("Error while stopping sentry thrift service", e);
+ exception = addMultiException(exception,e);
+ }
+ } else {
+ thriftServer = null;
+ status = Status.NOT_STARTED;
+ LOGGER.info("Sentry thrift service is already stopped...");
+ }
+ if (isWebServerRunning()) {
+ try {
+ LOGGER.info("Attempting to stop sentry web service...");
+ stopSentryWebServer();
+ } catch (Exception e) {
+ LOGGER.error("Error while stopping sentry web service", e);
+ exception = addMultiException(exception,e);
+ }
+ } else {
+ LOGGER.info("Sentry web service is already stopped...");
+ }
+ if (exception != null) {
+ exception.ifExceptionThrow();
+ }
+ LOGGER.info("Stopped...");
+ }
+
+ // wait for the service thread to finish execution
+ public synchronized void waitOnFuture() throws ExecutionException, InterruptedException {
+ LOGGER.info("Waiting on future.get()");
+ serviceStatus.get();
+ }
+
+ private MultiException addMultiException(MultiException exception, Exception e) {
+ MultiException newException = exception;
+ if (newException == null) {
+ newException = new MultiException();
+ }
+ newException.add(e);
+ return newException;
+ }
+
+ private boolean isWebServerRunning() {
+ return sentryWebServer != null
+ && sentryWebServer.isAlive();
+ }
+
+ private static int findFreePort() {
+ int attempts = 0;
+ while (attempts++ <= 1000) {
+ try {
+ ServerSocket s = new ServerSocket(0);
+ int port = s.getLocalPort();
+ s.close();
+ return port;
+ } catch (IOException e) {
+ // ignore and retry
+ }
+ }
+ throw new IllegalStateException("Unable to find a port after 1000 attempts");
+ }
+
+ public static Configuration loadConfig(String configFileName)
+ throws MalformedURLException {
+ File configFile = null;
+ if (configFileName == null) {
+ throw new IllegalArgumentException("Usage: "
+ + ServiceConstants.ServiceArgs.CONFIG_FILE_LONG
+ + " path/to/sentry-service.xml");
+ } else if (!((configFile = new File(configFileName)).isFile() && configFile
+ .canRead())) {
+ throw new IllegalArgumentException("Cannot read configuration file "
+ + configFile);
+ }
+ Configuration conf = new Configuration(false);
+ conf.addResource(configFile.toURI().toURL());
+ return conf;
+ }
+
+ public static class CommandImpl implements Command {
+ @Override
+ public void run(String[] args) throws Exception {
+ CommandLineParser parser = new GnuParser();
+ Options options = new Options();
+ options.addOption(ServiceConstants.ServiceArgs.CONFIG_FILE_SHORT,
+ ServiceConstants.ServiceArgs.CONFIG_FILE_LONG,
+ true, "Sentry Service configuration file");
+ CommandLine commandLine = parser.parse(options, args);
+ String configFileName = commandLine.getOptionValue(ServiceConstants.
+ ServiceArgs.CONFIG_FILE_LONG);
+ File configFile = null;
+ if (configFileName == null || commandLine.hasOption("h") || commandLine.hasOption("help")) {
+ // print usage
+ HelpFormatter formatter = new HelpFormatter();
+ formatter.printHelp("sentry --command service", options);
+ System.exit(-1);
+ } else if(!((configFile = new File(configFileName)).isFile() && configFile.canRead())) {
+ throw new IllegalArgumentException("Cannot read configuration file " + configFile);
+ }
+ Configuration serverConf = loadConfig(configFileName);
+ final SentryService server = new SentryService(serverConf);
+ server.start();
+ Runtime.getRuntime().addShutdownHook(new Thread() {
+ @Override
+ public void run() {
+ LOGGER.info("ShutdownHook shutting down server");
+ try {
+ server.stop();
+ } catch (Throwable t) {
+ LOGGER.error("Error stopping SentryService", t);
+ }
+ }
+ });
+
+ // Let's wait on the service to stop
+ try {
+ server.waitOnFuture();
+ } finally {
+ server.serviceExecutor.shutdown();
+ }
+ }
+ }
+
+ public Configuration getConf() {
+ return conf;
+ }
+
+ /**
+ * Add Thrift event handler to underlying thrift threadpool server
+ * @param eventHandler
+ */
+ public void setThriftEventHandler(TServerEventHandler eventHandler) throws IllegalStateException {
+ if (thriftServer == null) {
+ throw new IllegalStateException("Server is not initialized or stopped");
+ }
+ thriftServer.setServerEventHandler(eventHandler);
+ }
+
+ public TServerEventHandler getThriftEventHandler() throws IllegalStateException {
+ if (thriftServer == null) {
+ throw new IllegalStateException("Server is not initialized or stopped");
+ }
+ return thriftServer.getEventHandler();
+ }
+}
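Review bot: `waitOnFuture()` is `synchronized` and blocks on `serviceStatus.get()` while holding the monitor, yet the shutdown hook installed in `CommandImpl.run` calls `stop()`, which is also `synchronized`; since `thriftServer.serve()` only returns after `stop()` runs, the hook appears to wait on the monitor for a server stop that cannot happen, so a SIGTERM would likely hang the process. Read the future under the lock and wait outside it: `Future f; synchronized (this) { f = serviceStatus; } f.get();` (and handle a `null` future from a service that was never started). `status` has a related visibility issue: it is assigned from the executor thread in `call()` but read under the lock in `isRunning()` and `start()`, so it should be `volatile` or only written under the same lock. Lastly, `getThriftEventHandler`/`setThriftEventHandler` read `thriftServer` without synchronization while `stop()` nulls it under the lock; `synchronized` on both would make the `IllegalStateException` check meaningful.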
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryServiceFactory.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryServiceFactory.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryServiceFactory.java
new file mode 100644
index 0000000..1685702
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/SentryServiceFactory.java
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.service.thrift;
+import org.apache.hadoop.conf.Configuration;
+
+public class SentryServiceFactory {
+
+ public SentryService create(Configuration conf) throws Exception {
+ return new SentryService(conf);
+ }
+
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.derby.sql b/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.derby.sql
new file mode 100644
index 0000000..04353d1
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.derby.sql
@@ -0,0 +1,2 @@
+-- SENTRY-327
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD COLUMN WITH_GRANT_OPTION CHAR(1) NOT NULL DEFAULT 'N';
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.mysql.sql b/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.mysql.sql
new file mode 100644
index 0000000..7d96bc0
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.mysql.sql
@@ -0,0 +1,2 @@
+-- SENTRY-327
+ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD `WITH_GRANT_OPTION` CHAR(1) NOT NULL DEFAULT 'N';
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.oracle.sql b/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.oracle.sql
new file mode 100644
index 0000000..f42ccdf
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.oracle.sql
@@ -0,0 +1,2 @@
+-- SENTRY-327
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD WITH_GRANT_OPTION CHAR(1) DEFAULT 'N' NOT NULL;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.postgres.sql b/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.postgres.sql
new file mode 100644
index 0000000..1b670ec
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/001-SENTRY-327.postgres.sql
@@ -0,0 +1,2 @@
+-- SENTRY-327
+ALTER TABLE "SENTRY_DB_PRIVILEGE" ADD COLUMN "WITH_GRANT_OPTION" CHAR(1) NOT NULL DEFAULT 'N';
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.derby.sql b/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.derby.sql
new file mode 100644
index 0000000..647e9e2
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.derby.sql
@@ -0,0 +1,13 @@
+-- SENTRY-339
+DROP INDEX SENTRYPRIVILEGENAME;
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE DROP COLUMN PRIVILEGE_NAME;
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ALTER COLUMN DB_NAME SET DEFAULT '__NULL__';
+ALTER TABLE SENTRY_DB_PRIVILEGE ALTER COLUMN TABLE_NAME SET DEFAULT '__NULL__';
+ALTER TABLE SENTRY_DB_PRIVILEGE ALTER COLUMN URI SET DEFAULT '__NULL__';
+
+UPDATE SENTRY_DB_PRIVILEGE SET DB_NAME = DEFAULT WHERE DB_NAME is null;
+UPDATE SENTRY_DB_PRIVILEGE SET TABLE_NAME = DEFAULT WHERE TABLE_NAME is null;
+UPDATE SENTRY_DB_PRIVILEGE SET URI = DEFAULT WHERE URI is null;
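Review bot: The unique index on (SERVER_NAME, DB_NAME, TABLE_NAME, URI, ACTION, WITH_GRANT_OPTION) is created before the UPDATE statements rewrite NULL DB_NAME/TABLE_NAME/URI values to '__NULL__', so if an existing installation holds two privilege rows that differ only in NULL columns, the UPDATEs collapse them onto the same key and the migration fails part-way. Running the three UPDATEs before the CREATE UNIQUE INDEX (and, for the MySQL script, before the ADD UNIQUE) would surface the collision at index creation instead, with the data already normalised; the same ordering applies to 002-SENTRY-339.mysql.sql. Whether such rows exist depends on deployed data, so this is worth verifying against a pre-327 schema before release.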
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.mysql.sql b/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.mysql.sql
new file mode 100644
index 0000000..cd4ec7c
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.mysql.sql
@@ -0,0 +1,13 @@
+-- SENTRY-339
+ALTER TABLE `SENTRY_DB_PRIVILEGE` DROP INDEX `SENTRY_DB_PRIV_PRIV_NAME_UNIQ`;
+ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
+ALTER TABLE `SENTRY_DB_PRIVILEGE` DROP `PRIVILEGE_NAME`;
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ALTER COLUMN DB_NAME SET DEFAULT '__NULL__';
+ALTER TABLE SENTRY_DB_PRIVILEGE ALTER COLUMN TABLE_NAME SET DEFAULT '__NULL__';
+ALTER TABLE SENTRY_DB_PRIVILEGE ALTER COLUMN URI SET DEFAULT '__NULL__';
+
+UPDATE SENTRY_DB_PRIVILEGE SET DB_NAME = DEFAULT WHERE DB_NAME is null;
+UPDATE SENTRY_DB_PRIVILEGE SET TABLE_NAME = DEFAULT WHERE TABLE_NAME is null;
+UPDATE SENTRY_DB_PRIVILEGE SET URI = DEFAULT WHERE URI is null;
+
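Review bot: The rebuilt unique key on the ADD UNIQUE line indexes only the first 250 characters of `URI`, so two privileges whose URIs differ only beyond that prefix are rejected as duplicates by MySQL while the Derby, Oracle and PostgreSQL variants of this script compare the full column. That is presumably forced by the InnoDB key-length limit under the utf8 charset, but it is a cross-engine behavioural difference and deserves a comment on that line, e.g. `-- URI is prefix-indexed (250 chars) for the InnoDB key-length limit; URIs that differ only past 250 characters are treated as duplicates`. The same `URI`(250) prefix is used again in 004-SENTRY-74.mysql.sql.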
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.oracle.sql b/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.oracle.sql
new file mode 100644
index 0000000..f5f596d
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.oracle.sql
@@ -0,0 +1,13 @@
+-- SENTRY-339
+ALTER TABLE SENTRY_DB_PRIVILEGE DROP CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" DROP INDEX;
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","URI","ACTION","WITH_GRANT_OPTION");
+ALTER TABLE SENTRY_DB_PRIVILEGE DROP COLUMN PRIVILEGE_NAME;
+
+ALTER TABLE SENTRY_DB_PRIVILEGE MODIFY DB_NAME DEFAULT '__NULL__';
+ALTER TABLE SENTRY_DB_PRIVILEGE MODIFY TABLE_NAME DEFAULT '__NULL__';
+ALTER TABLE SENTRY_DB_PRIVILEGE MODIFY URI DEFAULT '__NULL__';
+
+UPDATE SENTRY_DB_PRIVILEGE SET DB_NAME = DEFAULT WHERE DB_NAME is null;
+UPDATE SENTRY_DB_PRIVILEGE SET TABLE_NAME = DEFAULT WHERE TABLE_NAME is null;
+UPDATE SENTRY_DB_PRIVILEGE SET URI = DEFAULT WHERE URI is null;
+
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.postgres.sql b/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.postgres.sql
new file mode 100644
index 0000000..458e447
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/002-SENTRY-339.postgres.sql
@@ -0,0 +1,13 @@
+-- SENTRY-339
+ALTER TABLE "SENTRY_DB_PRIVILEGE" DROP CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ";
+ALTER TABLE "SENTRY_DB_PRIVILEGE" ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","URI", "ACTION","WITH_GRANT_OPTION");
+ALTER TABLE "SENTRY_DB_PRIVILEGE" DROP COLUMN "PRIVILEGE_NAME";
+
+ALTER TABLE "SENTRY_DB_PRIVILEGE" ALTER COLUMN "DB_NAME" SET DEFAULT '__NULL__';
+AlTER TABLE "SENTRY_DB_PRIVILEGE" ALTER COLUMN "TABLE_NAME" SET DEFAULT '__NULL__';
+ALTER TABLE "SENTRY_DB_PRIVILEGE" ALTER COLUMN "URI" SET DEFAULT '__NULL__';
+
+UPDATE "SENTRY_DB_PRIVILEGE" SET "DB_NAME" = DEFAULT where "DB_NAME" is null;
+UPDATE "SENTRY_DB_PRIVILEGE" SET "TABLE_NAME" = DEFAULT where "TABLE_NAME" is null;
+UPDATE "SENTRY_DB_PRIVILEGE" SET "URI" = DEFAULT where "URI" is null;
+
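Review bot: The second ALTER COLUMN line is written `AlTER TABLE "SENTRY_DB_PRIVILEGE" ALTER COLUMN "TABLE_NAME" SET DEFAULT '__NULL__';` with a mixed-case `AlTER`; PostgreSQL accepts it, but it reads as a typo against the uppercase keywords on every other line and should be `ALTER TABLE "SENTRY_DB_PRIVILEGE" ALTER COLUMN "TABLE_NAME" SET DEFAULT '__NULL__';`. The lowercase `where` / `is null` on the three UPDATE lines are likewise the only lowercase keywords in this family of scripts.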
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.derby.sql b/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.derby.sql
new file mode 100644
index 0000000..f27b358
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.derby.sql
@@ -0,0 +1,7 @@
+-- SENTRY-380
+ALTER TABLE SENTRY_DB_PRIVILEGE DROP GRANTOR_PRINCIPAL;
+ALTER TABLE SENTRY_ROLE DROP GRANTOR_PRINCIPAL;
+ALTER TABLE SENTRY_GROUP DROP GRANTOR_PRINCIPAL;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD GRANTOR_PRINCIPAL VARCHAR(128);
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD GRANTOR_PRINCIPAL VARCHAR(128);
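Review bot: The DROP of GRANTOR_PRINCIPAL from SENTRY_DB_PRIVILEGE, SENTRY_ROLE and SENTRY_GROUP on the first three statements discards the recorded grantor before the replacement columns are added to SENTRY_ROLE_DB_PRIVILEGE_MAP and SENTRY_ROLE_GROUP_MAP, and nothing backfills them, so every existing grant comes out of the upgrade with a NULL grantor and the record of who authorised a privilege is lost. If the old per-row values are meaningful (whether they are is not visible here), the ADD statements should run first and an UPDATE joined through the map tables copy the value across before the DROP; if they are not, a comment such as `-- GRANTOR_PRINCIPAL moves to the map tables; existing rows are intentionally not backfilled` would stop a reader treating this as accidental data loss. The same ordering is in the 003-SENTRY-380 mysql, oracle and postgres scripts.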
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.mysql.sql b/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.mysql.sql
new file mode 100644
index 0000000..8e0a633
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.mysql.sql
@@ -0,0 +1,7 @@
+-- SENTRY-380
+ALTER TABLE `SENTRY_DB_PRIVILEGE` DROP `GRANTOR_PRINCIPAL`;
+ALTER TABLE `SENTRY_ROLE` DROP `GRANTOR_PRINCIPAL`;
+ALTER TABLE `SENTRY_GROUP` DROP `GRANTOR_PRINCIPAL`;
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` ADD `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin;
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP` ADD `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.oracle.sql b/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.oracle.sql
new file mode 100644
index 0000000..d07d20e
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.oracle.sql
@@ -0,0 +1,7 @@
+-- SENTRY-380
+ALTER TABLE "SENTRY_DB_PRIVILEGE" DROP COLUMN "GRANTOR_PRINCIPAL";
+ALTER TABLE "SENTRY_ROLE" DROP COLUMN "GRANTOR_PRINCIPAL";
+ALTER TABLE "SENTRY_GROUP" DROP COLUMN "GRANTOR_PRINCIPAL";
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" ADD "GRANTOR_PRINCIPAL" VARCHAR2(128);
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP" ADD "GRANTOR_PRINCIPAL" VARCHAR2(128);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.postgres.sql b/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.postgres.sql
new file mode 100644
index 0000000..95a2ef1
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/003-SENTRY-380.postgres.sql
@@ -0,0 +1,7 @@
+-- SENTRY-380
+ALTER TABLE "SENTRY_DB_PRIVILEGE" DROP "GRANTOR_PRINCIPAL";
+ALTER TABLE "SENTRY_ROLE" DROP "GRANTOR_PRINCIPAL";
+ALTER TABLE "SENTRY_GROUP" DROP "GRANTOR_PRINCIPAL";
+
+ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" ADD "GRANTOR_PRINCIPAL" character varying(128);
+ALTER TABLE "SENTRY_ROLE_GROUP_MAP" ADD "GRANTOR_PRINCIPAL" character varying(128);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.derby.sql b/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.derby.sql
new file mode 100644
index 0000000..da1f4d6
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.derby.sql
@@ -0,0 +1,4 @@
+-- SENTRY-74
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD COLUMN COLUMN_NAME VARCHAR(4000) DEFAULT '__NULL__';
+DROP INDEX SENTRYPRIVILEGENAME;
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
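Review bot: COLUMN_NAME is declared VARCHAR(4000) here but VARCHAR(128), VARCHAR2(128) and character varying(128) in the mysql, oracle and postgres variants of 004-SENTRY-74, so a column name of 129 to 4000 characters is storable on Derby and rejected everywhere else, and a Derby-based test run will not catch the overflow. Unless the 4000 is deliberate, `ALTER TABLE SENTRY_DB_PRIVILEGE ADD COLUMN COLUMN_NAME VARCHAR(128) DEFAULT '__NULL__';` keeps the four engines aligned. The new column also joins the unique index without NOT NULL, so an explicit NULL would still bypass the uniqueness that the '__NULL__' default is meant to guarantee.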
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.mysql.sql b/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.mysql.sql
new file mode 100644
index 0000000..1419ca3
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.mysql.sql
@@ -0,0 +1,4 @@
+-- SENTRY-74
+ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD `COLUMN_NAME` VARCHAR(128) DEFAULT '__NULL__';
+ALTER TABLE `SENTRY_DB_PRIVILEGE` DROP INDEX `SENTRY_DB_PRIV_PRIV_NAME_UNIQ`;
+ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.oracle.sql b/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.oracle.sql
new file mode 100644
index 0000000..a70ae0a
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.oracle.sql
@@ -0,0 +1,4 @@
+-- SENTRY-74
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD COLUMN_NAME VARCHAR2(128) DEFAULT '__NULL__';
+ALTER TABLE SENTRY_DB_PRIVILEGE DROP CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" DROP INDEX;
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION");
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.postgres.sql b/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.postgres.sql
new file mode 100644
index 0000000..81bdfa3
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/004-SENTRY-74.postgres.sql
@@ -0,0 +1,4 @@
+-- SENTRY-74
+ALTER TABLE "SENTRY_DB_PRIVILEGE" ADD COLUMN "COLUMN_NAME" character varying(128) DEFAULT '__NULL__';
+ALTER TABLE "SENTRY_DB_PRIVILEGE" DROP CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ";
+ALTER TABLE "SENTRY_DB_PRIVILEGE" ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION");
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.derby.sql b/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.derby.sql
new file mode 100644
index 0000000..c038b81
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.derby.sql
@@ -0,0 +1,43 @@
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE SENTRY_GM_PRIVILEGE
+(
+ GM_PRIVILEGE_ID BIGINT NOT NULL,
+ "ACTION" VARCHAR(40),
+ COMPONENT_NAME VARCHAR(400),
+ CREATE_TIME BIGINT NOT NULL,
+ WITH_GRANT_OPTION CHAR(1) NOT NULL DEFAULT 'N',
+ RESOURCE_NAME_0 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_1 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_2 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_3 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_0 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_1 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_2 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_3 VARCHAR(400) DEFAULT '__NULL__',
+ "SCOPE" VARCHAR(40),
+ SERVICE_NAME VARCHAR(400)
+);
+-- Primary key(GM_PRIVILEGE_ID)
+ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ GM_PRIVILEGE_ID BIGINT NOT NULL
+);
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
+
+
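Review bot: This Derby definition of SENTRY_GM_PRIVILEGE leaves ACTION, COMPONENT_NAME, SCOPE and SERVICE_NAME nullable and sizes the name and type columns at VARCHAR(400), whereas the mysql, oracle and postgres variants declare those four NOT NULL and use 32/64/128. Since COMPONENT_NAME, SERVICE_NAME and ACTION are part of GM_PRIVILEGE_INDEX, a NULL in any of them on Derby yields a row the other engines would refuse at insert time, and the length difference means Derby-based tests will not exercise the limits the production engines enforce. Adding `NOT NULL` to those four column lines and matching the lengths, or a comment explaining why Derby deliberately differs, would be worth doing before this schema ships. The secondary indexes on COMPONENT_NAME, SERVICE_NAME and the RESOURCE_* pairs that the other three scripts create are also absent here.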
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.mysql.sql b/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.mysql.sql
new file mode 100644
index 0000000..920737f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.mysql.sql
@@ -0,0 +1,62 @@
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE `SENTRY_GM_PRIVILEGE`
+(
+ `GM_PRIVILEGE_ID` BIGINT NOT NULL,
+ `ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `WITH_GRANT_OPTION` CHAR(1) NOT NULL DEFAULT 'N',
+ `RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
+) ENGINE=INNODB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD CONSTRAINT `SENTRY_GM_PRIVILEGE_PK` PRIMARY KEY (`GM_PRIVILEGE_ID`);
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD UNIQUE `GM_PRIVILEGE_UNIQUE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+(
+ `ROLE_ID` BIGINT NOT NULL,
+ `GM_PRIVILEGE_ID` BIGINT NOT NULL
+) ENGINE=INNODB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GM_PRIVILEGE_ID`);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK`
+ FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`);
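Review bot: The `SERVICE_NAME` line is the only column in the table that carries the `BINARY` attribute on top of `CHARACTER SET utf8 COLLATE utf8_bin`; MySQL documents BINARY as shorthand for the binary collation, so it is redundant here and `` `SERVICE_NAME` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL `` keeps the line consistent with the other columns. The foreign key `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK` references SENTRY_GM_PRIVILEGE although its name says DB_PRV; the same name recurs in the oracle and postgres variants, so a rename to something like `SEN_RL_GM_PRV_MAP_SN_GM_PRV_FK` would have to be made in all three.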
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.oracle.sql b/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.oracle.sql
new file mode 100644
index 0000000..412bc45
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.oracle.sql
@@ -0,0 +1,55 @@
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE "SENTRY_GM_PRIVILEGE" (
+ "GM_PRIVILEGE_ID" NUMBER NOT NULL,
+ "COMPONENT_NAME" VARCHAR2(32) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL,
+ "RESOURCE_NAME_0" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_1" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_2" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_3" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_0" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_1" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_2" VARCHAR2(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_3" VARCHAR2(64) DEFAULT '__NULL__',
+ "ACTION" VARCHAR2(32) NOT NULL,
+ "SCOPE" VARCHAR2(128) NOT NULL,
+ "SERVICE_NAME" VARCHAR2(64) NOT NULL
+);
+
+ALTER TABLE "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
+ "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" ("COMPONENT_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" ("SERVICE_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "GM_PRIVILEGE_ID" NUMBER NOT NULL
+);
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") INITIALLY DEFERRED;
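Review bot: Both foreign keys at the end of this hunk are `INITIALLY DEFERRED`, so a map row pointing at a non-existent role or privilege is accepted until commit, while the postgres variant declares them `DEFERRABLE` (checked immediately unless the session defers) and the mysql and derby variants check immediately. If the deferral is required by the persistence layer's insert ordering on Oracle only, a one-line comment above the constraints saying so would save the next reader from trying to align the four scripts; otherwise `DEFERRABLE INITIALLY IMMEDIATE` would match the postgres behaviour.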
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.postgres.sql b/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.postgres.sql
new file mode 100644
index 0000000..e9e1655
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/005-SENTRY-398.postgres.sql
@@ -0,0 +1,54 @@
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE "SENTRY_GM_PRIVILEGE" (
+ "GM_PRIVILEGE_ID" BIGINT NOT NULL,
+ "COMPONENT_NAME" character varying(32) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL,
+ "WITH_GRANT_OPTION" CHAR(1) NOT NULL DEFAULT 'N',
+ "RESOURCE_NAME_0" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_1" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_2" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_NAME_3" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_0" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_1" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_2" character varying(64) DEFAULT '__NULL__',
+ "RESOURCE_TYPE_3" character varying(64) DEFAULT '__NULL__',
+ "ACTION" character varying(32) NOT NULL,
+ "SCOPE" character varying(128) NOT NULL,
+ "SERVICE_NAME" character varying(64) NOT NULL
+);
+ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
+ ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
+ "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
+
+CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("COMPONENT_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("SERVICE_NAME");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
+
+CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "GM_PRIVILEGE_ID" BIGINT NOT NULL
+);
+
+ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_GM_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
+ ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
+ FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") DEFERRABLE;
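Review bot: The primary-key ALTER for SENTRY_ROLE_GM_PRIVILEGE_MAP is written `ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"` while every other ALTER in this file uses `ALTER TABLE ONLY`; the effect is identical for a table without inheritance children, but `ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"` keeps the file uniform. The constraint `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK` references SENTRY_GM_PRIVILEGE but is named as though it were the DB-privilege map's key, which invites confusion with the SENTRY_ROLE_DB_PRIVILEGE_MAP constraints when reading pg_constraint output.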
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.derby.sql b/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.derby.sql
new file mode 100644
index 0000000..807a62b
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.derby.sql
@@ -0,0 +1,27 @@
+CREATE TABLE SENTRY_USER
+(
+ USER_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ USER_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_USER ADD CONSTRAINT SENTRY_USER_PK PRIMARY KEY (USER_ID);
+
+CREATE UNIQUE INDEX SENTRYUSERNAME ON SENTRY_USER (USER_NAME);
+
+CREATE TABLE SENTRY_ROLE_USER_MAP
+(
+ USER_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_PK PRIMARY KEY (USER_ID,ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_USER_MAP_N49 ON SENTRY_ROLE_USER_MAP (USER_ID);
+
+CREATE INDEX SENTRY_ROLE_USER_MAP_N50 ON SENTRY_ROLE_USER_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK1 FOREIGN KEY (USER_ID) REFERENCES SENTRY_USER (USER_ID) ;
\ No newline at end of file
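Review bot: USER_NAME on the SENTRY_USER definition is nullable even though SENTRYUSERNAME is a unique index on it and it is presumably the column a user principal is looked up by, so this DDL admits a user row with no name. `USER_NAME VARCHAR(128) NOT NULL` closes that unless the model class deliberately permits an unnamed user, which is not visible here. Only the Derby variant of 006-SENTRY-711 is in this chunk, so alignment with the other engines cannot be checked from here.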
[25/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java
deleted file mode 100644
index 930b473..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java
+++ /dev/null
@@ -1,751 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-
-public class TestSentryServiceImportExport extends SentryServiceIntegrationBase {
-
- // define the privileges
- public static String PRIVILIEGE1 = "server=server1";
- public static String PRIVILIEGE2 = "server=server1->action=select->grantoption=false";
- public static String PRIVILIEGE3 = "server=server1->db=db2->action=insert->grantoption=true";
- public static String PRIVILIEGE4 = "server=server1->db=db1->table=tbl1->action=insert";
- public static String PRIVILIEGE5 = "server=server1->db=db1->table=tbl2->column=col1->action=insert";
- public static String PRIVILIEGE6 = "server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true";
- public static String PRIVILIEGE7 = "server=server1->db=db1->table=tbl4->column=col1->action=all->grantoption=true";
- public static String PRIVILIEGE8 = "server=server1->uri=hdfs://testserver:9999/path2->action=insert";
- public static String PRIVILIEGE9 = "server=server1->db=db2->table=tbl1->action=insert";
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = false;
- setupConf();
- startSentryService();
- }
-
- @Before
- public void preparePolicyFile() throws Exception {
- super.before();
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- }
-
- // Befor import, database is empty.
- // The following information is imported:
- // group1=role1,role2,role3
- // group2=role1,role2,role3
- // group3=role1,role2,role3
- // role1=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
- // role2=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
- // role3=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
- // Both import API importPolicy and export API exportPoicy are tested.
- @Test
- public void testImportExportPolicy1() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
- Set<String> roles = Sets.newHashSet("role1", "role2", "role3");
- groupRolesMap.put("group1", roles);
- groupRolesMap.put("group2", roles);
- groupRolesMap.put("group3", roles);
- Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
- for (String roleName : roles) {
- rolePrivilegesMap.put(roleName, Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3,
- PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- }
- policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
- policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
- client.importPolicy(policyFileMappingData, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData,
- policyFileMappingData);
- }
- });
- }
-
- // call import twice, and there has no duplicate data:
- // The data for 1st import:
- // group1=role1
- // role1=privilege1,privilege2,privilege3,privilege4
- // The data for 2nd import:
- // group2=role2,role3
- // group3=role2,role3
- // role2=privilege5,privilege6,privilege7,privilege8
- // role3=privilege5,privilege6,privilege7,privilege8
- // Both import API importPolicy and export API exportPoicy are tested.
- @Test
- public void testImportExportPolicy2() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- groupRolesMap1.put("group1", Sets.newHashSet("role1"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4));
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData1, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
- groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
- groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
- Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
- rolePrivilegesMap2.put("role2",
- Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- rolePrivilegesMap2.put("role3",
- Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
- policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
- client.importPolicy(policyFileMappingData2, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
- // for exceptedMappingData, combine policyFileMappingData1 and policyFileMappingData2
- exceptedMappingData.put(PolicyFileConstants.GROUPS,
- policyFileMappingData1.get(PolicyFileConstants.GROUPS));
- exceptedMappingData.get(PolicyFileConstants.GROUPS).putAll(
- policyFileMappingData2.get(PolicyFileConstants.GROUPS));
- exceptedMappingData.put(PolicyFileConstants.ROLES,
- policyFileMappingData1.get(PolicyFileConstants.ROLES));
- exceptedMappingData.get(PolicyFileConstants.ROLES).putAll(
- policyFileMappingData2.get(PolicyFileConstants.ROLES));
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData, exceptedMappingData);
- }
- });
- }
-
- // Call import twice, and there has overlapping groups
- // The data for 1st import:
- // group1=role1, role2
- // group2=role1, role2
- // group3=role1, role2
- // role1=privilege1,privilege2,privilege3,privilege4,privilege5
- // role2=privilege1,privilege2,privilege3,privilege4,privilege5
- // The data for 2nd import:
- // group1=role2,role3
- // group2=role2,role3
- // group3=role2,role3
- // role2=privilege4,privilege5,privilege6,privilege7,privilege8
- // role3=privilege4,privilege5,privilege6,privilege7,privilege8
- // Both import API importPolicy and export API exportPoicy are tested.
- @Test
- public void testImportExportPolicy3() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- groupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
- groupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
- rolePrivilegesMap1.put("role2",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData1, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
- groupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
- groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
- groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
- Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
- rolePrivilegesMap2.put("role2",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- rolePrivilegesMap2.put("role3",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
- policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
- client.importPolicy(policyFileMappingData2, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
- Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
- exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
- exceptedRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
- exceptedRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
- Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
- exceptedPrivilegesMap.put("role1",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
- exceptedPrivilegesMap.put("role2", Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3,
- PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- exceptedPrivilegesMap.put("role3",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
- exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData, exceptedMappingData);
- }
- });
- }
-
- // Only mapping data for [group,role] is imported:
- // group1=role1,role2
- @Test
- public void testImportExportPolicy4() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
- Set<String> roles = Sets.newHashSet("role1", "role2");
- groupRolesMap.put("group1", roles);
- Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
- policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
- policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
- client.importPolicy(policyFileMappingData, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData,
- policyFileMappingData);
- }
- });
- }
-
- // call import twice, and there has no duplicate data, the import will be with the overwrite mode:
- // The data for 1st import:
- // group1=role1
- // role1=privilege1
- // The data for 2nd import:
- // group2=role2,role3
- // group3=role2,role3
- // role2=privilege2
- // role3=privilege2
- // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
- // getPrivilegesList are tested.
- @Test
- public void testImportExportPolicy5() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- groupRolesMap1.put("group1", Sets.newHashSet("role1"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1", Sets.newHashSet(PRIVILIEGE1));
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData1, ADMIN_USER, true);
-
- Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
- groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
- groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
- Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
- rolePrivilegesMap2.put("role2", Sets.newHashSet(PRIVILIEGE2));
- rolePrivilegesMap2.put("role3", Sets.newHashSet(PRIVILIEGE2));
- policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
- policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
- client.importPolicy(policyFileMappingData2, ADMIN_USER, true);
-
- Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
- Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
- exceptedRolesMap.put("group1", Sets.newHashSet("role1"));
- exceptedRolesMap.put("group2", Sets.newHashSet("role2", "role3"));
- exceptedRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
- Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
- exceptedPrivilegesMap.put("role1", Sets.newHashSet(PRIVILIEGE1));
- exceptedPrivilegesMap.put("role2", Sets.newHashSet(PRIVILIEGE2));
- exceptedPrivilegesMap.put("role3", Sets.newHashSet(PRIVILIEGE2));
- exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
- exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData, exceptedMappingData);
- }
- });
- }
-
- // call import twice, and there has data overlap, the import will be with the overwrite mode:
- // The data for 1st import:
- // group1=role1, role2
- // group2=role1, role2
- // group3=role1, role2
- // role1=privilege1,privilege2,privilege3,privilege4,privilege5
- // role2=privilege1,privilege2,privilege3,privilege4,privilege5
- // The data for 2nd import:
- // group1=role2,role3
- // group2=role2,role3
- // group3=role2,role3
- // role2=privilege4,privilege5,privilege6,privilege7,privilege8
- // role3=privilege4,privilege5,privilege6,privilege7,privilege8
- // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
- // getPrivilegesList are tested.
- @Test
- public void testImportExportPolicy6() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- groupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
- groupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
- rolePrivilegesMap1.put("role2",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData1, ADMIN_USER, true);
-
- Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
- groupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
- groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
- groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
- Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
- rolePrivilegesMap2.put("role2",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- rolePrivilegesMap2.put("role3",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
- policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
- client.importPolicy(policyFileMappingData2, ADMIN_USER, true);
-
- Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
- Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
- exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
- exceptedRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
- exceptedRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
- Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
- exceptedPrivilegesMap.put("role1",
- Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
- exceptedPrivilegesMap.put("role2",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- exceptedPrivilegesMap.put("role3",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
- exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData, exceptedMappingData);
- }
- });
- }
-
- // test the import privileges with the action: All, *, select, insert
- // All and * should replace the select and insert
- // The data for import:
- // group1=role1, role2
- // role1=testPrivilege1,testPrivilege2,testPrivilege3,testPrivilege4
- // role2=testPrivilege5, testPrivilege6,testPrivilege7,testPrivilege8
- @Test
- public void testImportExportPolicy7() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String testPrivilege1 = "server=server1->db=db1->table=tbl1->action=select->grantoption=true";
- String testPrivilege2 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=false";
- String testPrivilege3 = "server=server1->db=db1->table=tbl1->action=all->grantoption=true";
- String testPrivilege4 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=true";
- String testPrivilege5 = "server=server1->db=db1->table=tbl2->action=select->grantoption=true";
- String testPrivilege6 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=false";
- String testPrivilege7 = "server=server1->db=db1->table=tbl2->action=*->grantoption=true";
- String testPrivilege8 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=true";
-
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1",
- Sets.newHashSet(testPrivilege1, testPrivilege2, testPrivilege3, testPrivilege4));
- rolePrivilegesMap1.put("role2",
- Sets.newHashSet(testPrivilege5, testPrivilege6, testPrivilege7, testPrivilege8));
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData1, ADMIN_USER, true);
-
- Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
- Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
- exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
- Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
- exceptedPrivilegesMap.put("role1", Sets.newHashSet(testPrivilege2, testPrivilege3));
- exceptedPrivilegesMap.put("role2", Sets.newHashSet(testPrivilege6, testPrivilege7));
- exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
- exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData, exceptedMappingData);
- }
- });
- }
-
- // Call import twice, and there has overlapping actions, all and * should replace the select and
- // insert
- // The data for 1st import:
- // group1=role1, role2
- // role1=privilege1(with select action),privilege2(with insert action)
- // role2=privilege4(with select action),privilege5(with insert action)
- // The data for 2nd import:
- // group1=role1, role2
- // role1=privilege3(with all action)
- // role2=privilege6(with * action)
- @Test
- public void testImportExportPolicy8() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String testPrivilege1 = "server=server1->db=db1->table=tbl1->action=select->grantoption=true";
- String testPrivilege2 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=true";
- String testPrivilege3 = "server=server1->db=db1->table=tbl1->action=all->grantoption=true";
- String testPrivilege4 = "server=server1->db=db1->table=tbl2->action=select->grantoption=true";
- String testPrivilege5 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=true";
- String testPrivilege6 = "server=server1->db=db1->table=tbl2->action=*->grantoption=true";
-
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1", Sets.newHashSet(testPrivilege1, testPrivilege2));
- rolePrivilegesMap1.put("role2", Sets.newHashSet(testPrivilege4, testPrivilege5));
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData1, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
- groupRolesMap2.put("group1", Sets.newHashSet("role1", "role2"));
- Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
- rolePrivilegesMap2.put("role1", Sets.newHashSet(testPrivilege3));
- rolePrivilegesMap2.put("role2", Sets.newHashSet(testPrivilege6));
- policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
- policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
- client.importPolicy(policyFileMappingData2, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> exceptedMappingData = policyFileMappingData2;
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- // all and * should replace the select and insert
- validateSentryMappingData(sentryMappingData, exceptedMappingData);
- }
- });
- }
-
- // test the user not in the admin group can't do the import/export
- @Test
- public void testImportExportPolicy9() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
- policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- try {
- client.importPolicy(policyFileMappingData1, "no-admin-user", false);
- fail("non-admin can't do the import.");
- } catch (Exception e) {
- // excepted exception
- }
-
- try {
- client.exportPolicy("no-admin-user", null);
- fail("non-admin can't do the export.");
- } catch (Exception e) {
- // excepted exception
- }
- }
- });
- }
-
- // The following data is imported:
- // group1=role1
- // group2=role1,role2
- // group3=role2,role3
- // group4=role1,role2,role3
- // role1=privilege3,privilege4,privilege9
- // role2=privilege3,privilege4,privilege5,privilege6,privilege7
- // role3=privilege4,privilege5,privilege6,privilege7,privilege8
- // Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested.
- @Test
- public void testExportPolicyWithSpecificObject() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // import the test data
- Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
- groupRolesMap.put("group1", Sets.newHashSet("role1"));
- groupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
- groupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
- groupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
- rolePrivilegesMap1.put("role1",
- Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
- rolePrivilegesMap1.put("role2",
- Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5,
- PRIVILIEGE6, PRIVILIEGE7));
- rolePrivilegesMap1.put("role3",
- Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6,
- PRIVILIEGE7, PRIVILIEGE8));
- policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
- policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
- client.importPolicy(policyFileMappingData, ADMIN_USER, true);
-
- // verify the rolePrivilegesMap and groupRolesMap with null objectPath
- Map<String, Map<String, Set<String>>> expectedMappingData = Maps.newHashMap();
- Map<String, Set<String>> expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
- expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- Map<String, Set<String>> expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role1", Sets.newHashSet(
- PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4,
- PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
- expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
- PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the rolePrivilegesMap and groupRolesMap with empty objectPath
- expectedMappingData = Maps.newHashMap();
- expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
- expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role1", Sets.newHashSet(
- PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4,
- PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
- expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
- PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- sentryMappingData = client.exportPolicy(ADMIN_USER, "");
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db1
- expectedMappingData = Maps.newHashMap();
- expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
- expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4));
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4,
- PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
- expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
- PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1");
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db2
- expectedMappingData = Maps.newHashMap();
- expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
- expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2"));
- expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE9));
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db2");
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl1
- expectedMappingData = Maps.newHashMap();
- expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
- expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4));
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4));
- expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1->table=tbl1");
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl2
- expectedMappingData = Maps.newHashMap();
- expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group2", Sets.newHashSet("role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role2", "role3"));
- expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE5));
- expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE5));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1->table=tbl2");
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl1
- expectedMappingData = Maps.newHashMap();
- expectedGroupRoles = Maps.newHashMap();
- expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
- expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
- expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
- expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- expectedRolePrivileges = Maps.newHashMap();
- expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE9));
- expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4));
- expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4));
- expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
- expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
-
- sentryMappingData = client.exportPolicy(ADMIN_USER, "table=tbl1");
- validateSentryMappingData(sentryMappingData, expectedMappingData);
-
- // verify the invalid exportObject string
- try {
- client.exportPolicy(ADMIN_USER, "invalidString");
- fail("RuntimeException should be thrown.");
- } catch (RuntimeException sue) {
- // excepted exception
- }
- }
- });
- }
-
- // Befor import, database is empty.
- // The following information is imported:
- // group1=role1,role2,role3
- // group2=role1,role2,role3
- // user1=role1,role2,role3
- // user2=role1,role2,role3
- // role1=privilege1,privilege2,privilege3,privilege4
- // role2=privilege1,privilege2,privilege3,privilege4
- // role3=privilege1,privilege2,privilege3,privilege4
- @Test
- public void testImportExportPolicyWithUser() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
- Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
- Map<String, Set<String>> userRolesMap = Maps.newHashMap();
- Set<String> roles = Sets.newHashSet("role1", "role2", "role3");
- groupRolesMap.put("group1", roles);
- groupRolesMap.put("group2", roles);
- userRolesMap.put("user1", roles);
- userRolesMap.put("user2", roles);
- Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
- for (String roleName : roles) {
- rolePrivilegesMap.put(roleName, Sets.newHashSet(PRIVILIEGE1,
- PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4));
- }
- policyFileMappingData.put(PolicyFileConstants.USER_ROLES, userRolesMap);
- policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
- policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
- client.importPolicy(policyFileMappingData, ADMIN_USER, false);
-
- Map<String, Map<String, Set<String>>> sentryMappingData =
- client.exportPolicy(ADMIN_USER, null);
- // validate the [user, role] mapping
- validateRolesMap(sentryMappingData.get(PolicyFileConstants.USER_ROLES),
- policyFileMappingData.get(PolicyFileConstants.USER_ROLES));
- validateSentryMappingData(sentryMappingData,
- policyFileMappingData);
- }
- });
- }
-
- // verify the mapping data
- public void validateSentryMappingData(
- Map<String, Map<String, Set<String>>> actualMappingData,
- Map<String, Map<String, Set<String>>> expectedMappingData) {
- validateRolesMap(actualMappingData.get(PolicyFileConstants.GROUPS),
- expectedMappingData.get(PolicyFileConstants.GROUPS));
- validateRolePrivilegesMap(actualMappingData.get(PolicyFileConstants.ROLES),
- expectedMappingData.get(PolicyFileConstants.ROLES));
- }
-
- // verify the mapping data for [group,role] and [user,role]
- private void validateRolesMap(Map<String, Set<String>> actualMap,
- Map<String, Set<String>> expectedMap) {
- assertEquals(expectedMap.keySet().size(), actualMap.keySet().size());
- for (String name : actualMap.keySet()) {
- Set<String> actualRoles = actualMap.get(name);
- Set<String> expectedRoles = expectedMap.get(name);
- assertEquals(actualRoles.size(), expectedRoles.size());
- assertTrue(actualRoles.equals(expectedRoles));
- }
- }
-
- // verify the mapping data for [role,privilege]
- private void validateRolePrivilegesMap(Map<String, Set<String>> actualMap,
- Map<String, Set<String>> expectedMap) {
- assertEquals(expectedMap.keySet().size(), actualMap.keySet().size());
- for (String roleName : actualMap.keySet()) {
- Set<String> actualPrivileges = actualMap.get(roleName);
- Set<String> exceptedPrivileges = expectedMap.get(roleName);
- assertEquals(exceptedPrivileges.size(), actualPrivileges.size());
- for (String actualPrivilege : actualPrivileges) {
- boolean isFound = exceptedPrivileges.contains(actualPrivilege);
- if (!isFound) {
- String withOptionPrivilege = SentryConstants.AUTHORIZABLE_JOINER.join(actualPrivilege,
- SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME,
- "false"));
- isFound = exceptedPrivileges.contains(withOptionPrivilege);
- }
- assertTrue(isFound);
- }
- }
- }
-}
[27/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
deleted file mode 100644
index 3ff97df..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java
+++ /dev/null
@@ -1,1164 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.persistent;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.db.service.model.MSentryGroup;
-import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
-import org.apache.sentry.provider.db.service.model.MSentryRole;
-import org.apache.sentry.provider.db.service.model.MSentryUser;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryMappingData;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSentryStoreImportExport {
-
- private static File dataDir;
- private static SentryStore sentryStore;
- private static String[] adminGroups = { "adminGroup1" };
- private static PolicyFile policyFile;
- private static File policyFilePath;
- private TSentryPrivilege tSentryPrivilege1;
- private TSentryPrivilege tSentryPrivilege2;
- private TSentryPrivilege tSentryPrivilege3;
- private TSentryPrivilege tSentryPrivilege4;
- private TSentryPrivilege tSentryPrivilege5;
- private TSentryPrivilege tSentryPrivilege6;
- private TSentryPrivilege tSentryPrivilege7;
- private TSentryPrivilege tSentryPrivilege8;
- private TSentryPrivilege tSentryPrivilege9;
-
- @BeforeClass
- public static void setupEnv() throws Exception {
- dataDir = new File(Files.createTempDir(), "sentry_policy_db");
- Configuration conf = new Configuration(false);
- conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName=" + dataDir.getPath()
- + ";create=true");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "sentry");
- conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups);
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
- policyFilePath = new File(dataDir, "local_policy_file.ini");
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE, policyFilePath.getPath());
- policyFile = new PolicyFile();
- sentryStore = new SentryStore(conf);
-
- String adminUser = "g1";
- addGroupsToUser(adminUser, adminGroups);
- writePolicyFile();
- }
-
- @Before
- public void setupPrivilege() {
- preparePrivilege();
- }
-
- @After
- public void clearStore() {
- sentryStore.clearAllTables();
- }
-
- // create the privileges instance for test case:
- // privilege1=[server=server1]
- // privilege2=[server=server1, action=select, grantOption=false]
- // privilege3=[server=server1, db=db2, action=insert, grantOption=true]
- // privilege4=[server=server1, db=db1, table=tbl1, action=insert, grantOption=false]
- // privilege5=[server=server1, db=db1, table=tbl2, column=col1, action=insert, grantOption=false]
- // privilege6=[server=server1, db=db1, table=tbl3, column=col1, action=*, grantOption=true]
- // privilege7=[server=server1, db=db1, table=tbl4, column=col1, action=all, grantOption=true]
- // privilege8=[server=server1, uri=hdfs://testserver:9999/path1, action=insert, grantOption=false]
- // privilege9=[server=server1, db=db2, table=tbl1, action=insert, grantOption=false]
- private void preparePrivilege() {
- tSentryPrivilege1 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "",
- "", "", TSentryGrantOption.UNSET);
- tSentryPrivilege2 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "",
- "", AccessConstants.SELECT, TSentryGrantOption.FALSE);
- tSentryPrivilege3 = createTSentryPrivilege(PrivilegeScope.DATABASE.name(), "server1", "db2",
- "", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE);
- tSentryPrivilege4 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db1",
- "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
- tSentryPrivilege5 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1",
- "tbl2", "col1", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
- tSentryPrivilege6 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1",
- "tbl3", "col1", "", AccessConstants.ALL, TSentryGrantOption.TRUE);
- tSentryPrivilege7 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1",
- "tbl4", "col1", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE);
- tSentryPrivilege8 = createTSentryPrivilege(PrivilegeScope.URI.name(), "server1", "", "", "",
- "hdfs://testserver:9999/path1", AccessConstants.INSERT, TSentryGrantOption.FALSE);
- tSentryPrivilege9 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db2",
- "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
- }
-
- @AfterClass
- public static void teardown() {
- if (sentryStore != null) {
- sentryStore.stop();
- }
- if (dataDir != null) {
- FileUtils.deleteQuietly(dataDir);
- }
- }
-
- protected static void addGroupsToUser(String user, String... groupNames) {
- policyFile.addGroupsToUser(user, groupNames);
- }
-
- protected static void writePolicyFile() throws Exception {
- policyFile.write(policyFilePath);
- }
-
- // Befor import, database is empty.
- // The following information is imported:
- // group1=role1,role2,role3
- // group2=role1,role2,role3
- // group3=role1,role2,role3
- // role1=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
- // role2=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
- // role3=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
- // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
- // getPrivilegesList are tested.
- @Test
- public void testImportExportPolicy1() throws Exception {
- TSentryMappingData tSentryMappingData = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
- sentryGroupRolesMap.put("group1", Sets.newHashSet("Role1", "role2", "role3"));
- sentryGroupRolesMap.put("group2", Sets.newHashSet("Role1", "role2", "role3"));
- sentryGroupRolesMap.put("group3", Sets.newHashSet("Role1", "role2", "role3"));
- sentryRolePrivilegesMap.put("Role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
- sentryRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
- sentryRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
- tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap);
- tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
- sentryStore.importSentryMetaData(tSentryMappingData, false);
-
- Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
- Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
- List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
-
- // test the result data for the role
- verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
-
- // test the result data for the group
- verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
-
- // test the result data for the privilege
- verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
-
- // test the mapping data for group and role
- List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
- Map<String, Set<String>> actualGroupRolesMap = mapList.get(
- SentryStore.INDEX_GROUP_ROLES_MAP);
- Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
- exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
- exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // test the mapping data for role and privilege
- Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
- .getRoleNameTPrivilegesMap();
- Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
- exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
- exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
-
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
- }
-
- // call import twice, and there has no duplicate data:
- // The data for 1st import:
- // group1=role1
- // role1=privilege1,privilege2,privilege3,privilege4
- // The data for 2nd import:
- // group2=role2,role3
- // group3=role2,role3
- // role2=privilege5,privilege6,privilege7,privilege8
- // role3=privilege5,privilege6,privilege7,privilege8
- // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
- // getPrivilegesList are tested.
- @Test
- public void testImportExportPolicy2() throws Exception {
- TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
- sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1"));
- sentryRolePrivilegesMap1
- .put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, tSentryPrivilege3,
- tSentryPrivilege4));
- tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
- tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
- sentryStore.importSentryMetaData(tSentryMappingData1, false);
-
- TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
- sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
- sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
- sentryRolePrivilegesMap2
- .put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
- tSentryPrivilege8));
- sentryRolePrivilegesMap2
- .put("role3", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
- tSentryPrivilege8));
- tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
- tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
- sentryStore.importSentryMetaData(tSentryMappingData2, false);
-
- Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
- Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
- List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
-
- // test the result data for the role
- verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
-
- // test the result data for the group
- verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
-
- // test the result data for the privilege
- verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
-
- // test the mapping data for group and role
- List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
- Map<String, Set<String>> actualGroupRolesMap = mapList.get(
- SentryStore.INDEX_GROUP_ROLES_MAP);
- Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
- exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2", "role3"));
- exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // test the mapping data for role and privilege
- Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
- .getRoleNameTPrivilegesMap();
- Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap
- .put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, tSentryPrivilege3,
- tSentryPrivilege4));
- exceptedRolePrivilegesMap
- .put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
- tSentryPrivilege8));
- exceptedRolePrivilegesMap
- .put("role3", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
- tSentryPrivilege8));
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
- }
-
- // call import twice, and there has data overlap:
- // The data for 1st import:
- // group1=role1, role2
- // group2=role1, role2
- // group3=role1, role2
- // role1=privilege1,privilege2,privilege3,privilege4,privilege5
- // role2=privilege1,privilege2,privilege3,privilege4,privilege5
- // The data for 2nd import:
- // group1=role2,role3
- // group2=role2,role3
- // group3=role2,role3
- // role2=privilege4,privilege5,privilege6,privilege7,privilege8
- // role3=privilege4,privilege5,privilege6,privilege7,privilege8
- // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
- // getPrivilegesList are tested.
- @Test
- public void testImportExportPolicy3() throws Exception {
- TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
- sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- sentryGroupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
- sentryGroupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
- sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
- sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
- tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
- tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
- sentryStore.importSentryMetaData(tSentryMappingData1, false);
-
- TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
- sentryGroupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
- sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
- sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
- sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
- tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
- sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
- tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
- tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
- tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
- sentryStore.importSentryMetaData(tSentryMappingData2, false);
-
- Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
- Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
- List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
-
- // test the result data for the role
- verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
-
- // test the result data for the group
- verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
-
- // test the result data for the privilege
- verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
-
- // test the mapping data for group and role
- List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
- Map<String, Set<String>> actualGroupRolesMap = mapList.get(
- SentryStore.INDEX_GROUP_ROLES_MAP);
- Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
- exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
- exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // test the mapping data for role and privilege
- Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
- .getRoleNameTPrivilegesMap();
- Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
- exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
- exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
- tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
- }
-
- // call import twice, and there has one role without group.
- // The data for 1st import:
- // group1=role1, role2
- // role1=privilege1,privilege2
- // role2=privilege3,privilege4
- // The data for 2nd import:
- // group2=role2
- // role2=privilege5,privilege6
- // role3=privilege7,privilege8
- // role3 is without group, will be imported also
- @Test
- public void testImportExportPolicy4() throws Exception {
- TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
- sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2));
- sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege4));
- tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
- tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
- sentryStore.importSentryMetaData(tSentryMappingData1, false);
-
- TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
- sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2"));
- sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6));
- sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege7, tSentryPrivilege8));
- tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
- tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
- sentryStore.importSentryMetaData(tSentryMappingData2, false);
-
- Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
- Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
- List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
-
- // test the result data for the role
- verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
-
- // test the result data for the group
- verifyGroups(groupsMap, Sets.newHashSet("group1", "group2"));
-
- // test the result data for the privilege
- verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
-
- // test the mapping data for group and role
- List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
- Map<String, Set<String>> actualGroupRolesMap = mapList.get(
- SentryStore.INDEX_GROUP_ROLES_MAP);
- Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
- exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // test the mapping data for role and privilege
- Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
- .getRoleNameTPrivilegesMap();
- Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2));
- exceptedRolePrivilegesMap
- .put("role2", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5,
- tSentryPrivilege6));
- exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege7, tSentryPrivilege8));
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
- }
-
- // test for import mapping data for [group,role] only:
- // group1=role1, role2
- @Test
- public void testImportExportPolicy5() throws Exception {
- TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
- sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
- tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
- sentryStore.importSentryMetaData(tSentryMappingData1, false);
-
- Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
- Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
- List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
-
- // test the result data for the role
- verifyRoles(rolesMap, Sets.newHashSet("role1", "role2"));
-
- // test the result data for the group
- verifyGroups(groupsMap, Sets.newHashSet("group1"));
-
- // test the result data for the privilege
- assertTrue(privilegesList.isEmpty());
-
- // test the mapping data for group and role
- List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
- Map<String, Set<String>> actualGroupRolesMap = mapList.get(
- SentryStore.INDEX_GROUP_ROLES_MAP);
- Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // test the mapping data for role and privilege
- Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
- .getRoleNameTPrivilegesMap();
- assertTrue(actualRolePrivilegesMap.isEmpty());
- }
-
- // test for filter the orphaned group:
- // group1=role1, role2
- // group2=role2
- @Test
- public void testImportExportPolicy6() throws Exception {
- TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
- sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- sentryGroupRolesMap1.put("group2", Sets.newHashSet("role2"));
- tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
- tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
- sentryStore.importSentryMetaData(tSentryMappingData1, false);
-
- // drop the role2, the group2 is orphaned group
- sentryStore.dropSentryRole("role2");
-
- Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
- Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
- List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
-
- // test the result data for the role
- verifyRoles(rolesMap, Sets.newHashSet("role1"));
-
- // test the result data for the group
- verifyGroups(groupsMap, Sets.newHashSet("group1", "group2"));
-
- // test the result data for the privilege
- assertTrue(privilegesList.isEmpty());
-
- // test the mapping data for group and role
- List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
- Map<String, Set<String>> actualGroupRolesMap = mapList.get(
- SentryStore.INDEX_GROUP_ROLES_MAP);
- Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // test the mapping data for role and privilege
- Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
- .getRoleNameTPrivilegesMap();
- assertTrue(actualRolePrivilegesMap.isEmpty());
- }
-
- // call import twice, and there has no duplicate data, the import will be with the overwrite mode:
- // The data for 1st import:
- // group1=role1
- // role1=privilege1
- // The data for 2nd import:
- // group2=role2,role3
- // group3=role2,role3
- // role2=privilege2
- // role3=privilege2
- // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
- // getPrivilegesList are tested.
- @Test
- public void testImportExportPolicy7() throws Exception {
- TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
- sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1"));
- sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1));
- tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
- tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
- // the import with overwrite mode
- sentryStore.importSentryMetaData(tSentryMappingData1, true);
-
- TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
- sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
- sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
- sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege2));
- sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege2));
- tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
- tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
- // the import with overwrite mode
- sentryStore.importSentryMetaData(tSentryMappingData2, true);
-
- Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
- Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
- List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
-
- // test the result data for the role
- verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
-
- // test the result data for the group
- verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
-
- // test the result data for the privilege
- verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2));
-
- // test the mapping data for group and role
- List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
- Map<String, Set<String>> actualGroupRolesMap = mapList.get(
- SentryStore.INDEX_GROUP_ROLES_MAP);
- Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
- exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2", "role3"));
- exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // test the mapping data for role and privilege
- Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
- .getRoleNameTPrivilegesMap();
- Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1));
- exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege2));
- exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege2));
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
- }
-
- // call import twice, and there has data overlap, the import will be with the overwrite mode:
- // The data for 1st import:
- // group1=role1, role2
- // group2=role1, role2
- // group3=role1, role2
- // role1=privilege1,privilege2,privilege3,privilege4,privilege5
- // role2=privilege1,privilege2,privilege3,privilege4,privilege5
- // The data for 2nd import:
- // group1=role2,role3
- // group2=role2,role3
- // group3=role2,role3
- // role2=privilege4,privilege5,privilege6,privilege7,privilege8
- // role3=privilege4,privilege5,privilege6,privilege7,privilege8
- // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
- // getPrivilegesList are tested.
- @Test
- public void testImportExportPolicy8() throws Exception {
- TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
- sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- sentryGroupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
- sentryGroupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
- sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
- sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
- tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
- tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
- // the import with overwrite mode
- sentryStore.importSentryMetaData(tSentryMappingData1, true);
-
- TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
- sentryGroupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
- sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
- sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
- sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
- tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
- sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
- tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
- tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
- tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
- // the import with overwrite mode
- sentryStore.importSentryMetaData(tSentryMappingData2, true);
-
- Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
- Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
- List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
-
- // test the result data for the role
- verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
-
- // test the result data for the group
- verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
-
- // test the result data for the privilege
- verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
-
- // test the mapping data for group and role
- List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
- Map<String, Set<String>> actualGroupRolesMap = mapList.get(
- SentryStore.INDEX_GROUP_ROLES_MAP);
- Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
- exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
- exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // test the mapping data for role and privilege
- Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
- .getRoleNameTPrivilegesMap();
- Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
- // role2 should be overwrite
- exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
- tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
- exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
- tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
- }
-
- // test the import privileges with the action: All, *, select, insert
- // All and * should replace the select and insert
- // The data for import:
- // group1=role1, role2
- // role1=testPrivilege1,testPrivilege2,testPrivilege3,testPrivilege4
- // role2=testPrivilege5, testPrivilege6,testPrivilege7,testPrivilege8
- @Test
- public void testImportExportPolicy9() throws Exception {
- TSentryPrivilege testPrivilege1 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
- "server1", "db1", "tbl1", "", "", AccessConstants.SELECT, TSentryGrantOption.TRUE);
- TSentryPrivilege testPrivilege2 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
- "server1", "db1", "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
- TSentryPrivilege testPrivilege3 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
- "server1", "db1", "tbl1", "", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE);
- TSentryPrivilege testPrivilege4 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
- "server1", "db1", "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE);
- TSentryPrivilege testPrivilege5 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
- "server1", "db1", "tbl2", "", "", AccessConstants.SELECT, TSentryGrantOption.TRUE);
- TSentryPrivilege testPrivilege6 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
- "server1", "db1", "tbl2", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
- TSentryPrivilege testPrivilege7 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
- "server1", "db1", "tbl2", "", "", AccessConstants.ALL, TSentryGrantOption.TRUE);
- TSentryPrivilege testPrivilege8 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
- "server1", "db1", "tbl2", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE);
-
- TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
- sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
- // after import there should be only testPrivilege2, testPrivilege3
- sentryRolePrivilegesMap1.put("role1",
- Sets.newHashSet(testPrivilege1, testPrivilege2, testPrivilege3, testPrivilege4));
- // after import there should be only testPrivilege6,testPrivilege7
- sentryRolePrivilegesMap1.put("role2",
- Sets.newHashSet(testPrivilege5, testPrivilege6, testPrivilege7, testPrivilege8));
- tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
- tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
- // the import with overwrite mode
- sentryStore.importSentryMetaData(tSentryMappingData1, true);
-
- Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
- Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
-
- // test the result data for the role
- verifyRoles(rolesMap, Sets.newHashSet("role1", "role2"));
-
- // test the result data for the group
- verifyGroups(groupsMap, Sets.newHashSet("group1"));
-
- // test the mapping data for group and role
- List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
- Map<String, Set<String>> actualGroupRolesMap = mapList.get(
- SentryStore.INDEX_GROUP_ROLES_MAP);
- Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // test the mapping data for role and privilege
- Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
- .getRoleNameTPrivilegesMap();
- Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(testPrivilege2, testPrivilege3));
- exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(testPrivilege6, testPrivilege7));
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
- }
-
- // The following data is imported:
- // group1=role1
- // group2=role1,role2
- // group3=role2,role3
- // group4=role1,role2,role3
- // role1=privilege3,privilege4,privilege9
- // role2=privilege3,privilege4,privilege5,privilege6,privilege7
- // role3=privilege4,privilege5,privilege6,privilege7,privilege8
- // Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested.
- @Test
- public void testExportPolicyWithSpecificObject() throws Exception {
- // import the data for test
- TSentryMappingData tSentryMappingData = new TSentryMappingData();
- Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
- sentryGroupRolesMap.put("group1", Sets.newHashSet("role1"));
- sentryGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
- sentryGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
- sentryGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- sentryRolePrivilegesMap.put("role1", Sets.newHashSet(
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege9));
- sentryRolePrivilegesMap.put("role2", Sets.newHashSet(
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7));
- sentryRolePrivilegesMap.put("role3", Sets.newHashSet(
- tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
- tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap);
- tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
- sentryStore.importSentryMetaData(tSentryMappingData, false);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db1
- Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap =
- sentryStore.getRoleNameTPrivilegesMap("db1", "");
- Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4));
- exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4,
- tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
- exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4,
- tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
-
- List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(
- actualRolePrivilegesMap.keySet());
- Map<String, Set<String>> actualGroupRolesMap = mapList.get(
- SentryStore.INDEX_GROUP_ROLES_MAP);
- Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
- exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
- exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
- exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db2
- actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db2", "");
- exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege9));
- exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3));
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
-
- mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
- actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
- exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
- exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
- exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2"));
- exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl1
- actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl1");
- exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4));
- exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4));
- exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4));
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
-
- mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
- actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
- exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
- exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
- exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
- exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl2
- actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl2");
- exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5));
- exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege5));
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
-
- mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
- actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
- exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2"));
- exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
- exceptedGroupRolesMap.put("group4", Sets.newHashSet("role2", "role3"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // verify the rolePrivilegesMap and groupRolesMap for table=tbl1
- actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", "tbl1");
- exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege9));
- exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4));
- exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4));
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
-
- mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
- actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
- exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
- exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
- exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
- exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- // verify the rolePrivilegesMap and groupRolesMap for empty parameter
- actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", "");
- exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3,
- tSentryPrivilege4, tSentryPrivilege9));
- exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3,
- tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
- exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4,
- tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
-
- mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
- actualGroupRolesMap = mapList.get(SentryStore.INDEX_GROUP_ROLES_MAP);
- exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
- exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
- exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
- exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
- }
-
- // Befor import, database is empty.
- // The following information is imported:
- // group1=role1,role2,role3
- // user1=role1,role2
- // user2=role2,role3
- // role1=privilege1,privilege2,privilege3,privilege4
- // role2=privilege5,privilege6,privilege7,privilege8
- // role3=privilege3,privilege4,privilege5,privilege6
- // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
- // getUsersMap getPrivilegesList are tested.
- @Test
- public void testImportExportWithUser() throws Exception {
- TSentryMappingData tSentryMappingData = new TSentryMappingData();
- Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
- Map<String, Set<String>> userRolesMap = Maps.newHashMap();
- Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
- groupRolesMap.put("group1", Sets.newHashSet("Role1", "role2", "role3"));
- userRolesMap.put("user1", Sets.newHashSet("Role1", "role2"));
- userRolesMap.put("user2", Sets.newHashSet("role2", "role3"));
- sentryRolePrivilegesMap.put("Role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4));
- sentryRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
- sentryRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege3,
- tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6));
- tSentryMappingData.setGroupRolesMap(groupRolesMap);
- tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
- tSentryMappingData.setUserRolesMap(userRolesMap);
- sentryStore.importSentryMetaData(tSentryMappingData, false);
-
- Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
- Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
- Map<String, MSentryUser> usersMap = sentryStore.getUserNameToUserMap();
- List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
-
- // test the result data for the role
- verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
-
- // test the result data for the group
- verifyGroups(groupsMap, Sets.newHashSet("group1"));
-
- // test the result data for the user
- verifyUsers(usersMap, Sets.newHashSet("user1", "user2"));
-
- // test the result data for the privilege
- verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
-
- // test the mapping data for group and role
- List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
- Map<String, Set<String>> actualGroupRolesMap = mapList.get(
- SentryStore.INDEX_GROUP_ROLES_MAP);
- Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
- exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
- verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
-
- Map<String, Set<String>> actualUserRolesMap = mapList.get(
- SentryStore.INDEX_USER_ROLES_MAP);
- Map<String, Set<String>> exceptedUserRolesMap = Maps.newHashMap();
- exceptedUserRolesMap.put("user1", Sets.newHashSet("role1", "role2"));
- exceptedUserRolesMap.put("user2", Sets.newHashSet("role2", "role3"));
- verifyUserGroupRolesMap(actualUserRolesMap, exceptedUserRolesMap);
-
- // test the mapping data for role and privilege
- Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
- .getRoleNameTPrivilegesMap();
- Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
- exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
- tSentryPrivilege3, tSentryPrivilege4));
- exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6,
- tSentryPrivilege7, tSentryPrivilege8));
- exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege3,
- tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6));
-
- verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
- }
-
- private void verifyRoles(Map<String, MSentryRole> actualRoleMap, Set<String> expectedRoleNameSet) {
- assertEquals(expectedRoleNameSet.size(), actualRoleMap.keySet().size());
- for (String roleName : actualRoleMap.keySet()) {
- assertTrue(expectedRoleNameSet.contains(roleName));
- }
- }
-
- private void verifyGroups(Map<String, MSentryGroup> actualGroupsMap,
- Set<String> expectedGroupNameSet) {
- assertEquals(expectedGroupNameSet.size(), actualGroupsMap.keySet().size());
- for (String groupName : actualGroupsMap.keySet()) {
- assertTrue(expectedGroupNameSet.contains(groupName));
- }
- }
-
- private void verifyUsers(Map<String, MSentryUser> actualUsersMap,
- Set<String> expectedUserNameSet) {
- assertEquals(expectedUserNameSet.size(), actualUsersMap.keySet().size());
- for (String userName : actualUsersMap.keySet()) {
- assertTrue(expectedUserNameSet.contains(userName));
- }
- }
-
- private void verifyPrivileges(List<MSentryPrivilege> actualPrivileges,
- Set<TSentryPrivilege> expectedTSentryPrivilegeSet) {
- assertEquals(expectedTSentryPrivilegeSet.size(), actualPrivileges.size());
- for (MSentryPrivilege mSentryPrivilege : actualPrivileges) {
- boolean isFound = false;
- for (TSentryPrivilege tSentryPrivilege : expectedTSentryPrivilegeSet) {
- isFound = compareTSentryPrivilege(sentryStore.convertToTSentryPrivilege(mSentryPrivilege),
- tSentryPrivilege);
- if (isFound) {
- break;
- }
- }
- assertTrue(isFound);
- }
- }
-
- private void verifyUserGroupRolesMap(Map<String, Set<String>> actualMap,
- Map<String, Set<String>> exceptedMap) {
- assertEquals(exceptedMap.keySet().size(), actualMap.keySet().size());
- for (String name : actualMap.keySet()) {
- Set<String> exceptedRoles = exceptedMap.get(name);
- Set<String> actualRoles = actualMap.get(name);
- assertEquals(actualRoles.size(), exceptedRoles.size());
- assertTrue(actualRoles.equals(exceptedRoles));
- }
- }
-
- private void verifyRolePrivilegesMap(Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap,
- Map<String, Set<TSentryPrivilege>> expectedRolePrivilegesMap) {
- assertEquals(expectedRolePrivilegesMap.keySet().size(), actualRolePrivilegesMap.keySet().size());
- for (String roleName : expectedRolePrivilegesMap.keySet()) {
- Set<TSentryPrivilege> exceptedTSentryPrivileges = expectedRolePrivilegesMap.get(roleName);
- Set<TSentryPrivilege> actualTSentryPrivileges = actualRolePrivilegesMap.get(roleName);
- assertEquals(exceptedTSentryPrivileges.size(), actualTSentryPrivileges.size());
- for (TSentryPrivilege actualPrivilege : actualTSentryPrivileges) {
- boolean isFound = false;
- for (TSentryPrivilege expectedPrivilege : exceptedTSentryPrivileges) {
- isFound = compareTSentryPrivilege(expectedPrivilege, actualPrivilege);
- if (isFound) {
- break;
- }
- }
- assertTrue(isFound);
- }
- }
- }
-
- private TSentryPrivilege createTSentryPrivilege(String scope, String server, String dbName,
- String tableName, String columnName, String uri, String action, TSentryGrantOption grantOption) {
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- tSentryPrivilege.setPrivilegeScope(scope);
- tSentryPrivilege.setServerName(server);
- tSentryPrivilege.setDbName(dbName);
- tSentryPrivilege.setTableName(tableName);
- tSentryPrivilege.setColumnName(columnName);
- tSentryPrivilege.setURI(uri);
- tSentryPrivilege.setAction(action);
- tSentryPrivilege.setGrantOption(grantOption);
- return tSentryPrivilege;
- }
-
- // compare the TSentryPrivilege without the create time
- private boolean compareTSentryPrivilege(TSentryPrivilege tSentryPrivilege1,
- TSentryPrivilege tSentryPrivilege2) {
- if (tSentryPrivilege1 == null) {
- if (tSentryPrivilege2 == null) {
- return true;
- } else {
- return false;
- }
- } else {
- if (tSentryPrivilege2 == null) {
- return false;
- }
- }
-
- boolean this_present_privilegeScope = true && tSentryPrivilege1.isSetPrivilegeScope();
- boolean that_present_privilegeScope = true && tSentryPrivilege2.isSetPrivilegeScope();
- if (this_present_privilegeScope || that_present_privilegeScope) {
- if (!(this_present_privilegeScope && that_present_privilegeScope)) {
- return false;
- }
- if (!tSentryPrivilege1.getPrivilegeScope().equalsIgnoreCase(
- tSentryPrivilege2.getPrivilegeScope())) {
- return false;
- }
- }
-
- boolean this_present_serverName = true && tSentryPrivilege1.isSetServerName();
- boolean that_present_serverName = true && tSentryPrivilege2.isSetServerName();
- if (this_present_serverName || that_present_serverName) {
- if (!(this_present_serverName && that_present_serverName)) {
- return false;
- }
- if (!tSentryPrivilege1.getServerName().equalsIgnoreCase(tSentryPrivilege2.getServerName())) {
- return false;
- }
- }
-
- boolean this_present_dbName = true && tSentryPrivilege1.isSetDbName();
- boolean that_present_dbName = true && tSentryPrivilege2.isSetDbName();
- if (this_present_dbName || that_present_dbName) {
- if (!(this_present_dbName && that_present_dbName)) {
- return false;
- }
- if (!tSentryPrivilege1.getDbName().equalsIgnoreCase(tSentryPrivilege2.getDbName())) {
- return false;
- }
- }
-
- boolean this_present_tableName = true && tSentryPrivilege1.isSetTableName();
- boolean that_present_tableName = true && tSentryPrivilege2.isSetTableName();
- if (this_present_tableName || that_present_tableName) {
- if (!(this_present_tableName && that_present_tableName)) {
- return false;
- }
- if (!tSentryPrivilege1.getTableName().equalsIgnoreCase(tSentryPrivilege2.getTableName())) {
- return false;
- }
- }
-
- boolean this_present_URI = true && tSentryPrivilege1.isSetURI();
- boolean that_present_URI = true && tSentryPrivilege2.isSetURI();
- if (this_present_URI || that_present_URI) {
- if (!(this_present_URI && that_present_URI)) {
- return false;
- }
- if (!tSentryPrivilege1.getURI().equalsIgnoreCase(tSentryPrivilege2.getURI())) {
- return false;
- }
- }
-
- boolean this_present_action = true && tSentryPrivilege1.isSetAction();
- boolean that_present_action = true && tSentryPrivilege2.isSetAction();
- if (this_present_action || that_present_action) {
- if (!(this_present_action && that_present_action)) {
- return false;
- }
- if (!tSentryPrivilege1.getAction().equalsIgnoreCase(tSentryPrivilege2.getAction())) {
- return false;
- }
- }
-
- boolean this_present_grantOption = true && tSentryPrivilege1.isSetGrantOption();
- boolean that_present_grantOption = true && tSentryPrivilege2.isSetGrantOption();
- if (this_present_grantOption || that_present_grantOption) {
- if (!(this_present_grantOption && that_present_grantOption)) {
- return false;
- }
- if (!tSentryPrivilege1.getGrantOption().equals(tSentryPrivilege2.getGrantOption())) {
- return false;
- }
- }
-
- boolean this_present_columnName = true && tSentryPrivilege1.isSetColumnName();
- boolean that_present_columnName = true && tSentryPrivilege2.isSetColumnName();
- if (this_present_columnName || that_present_columnName) {
- if (!(this_present_columnName && that_present_columnName)) {
- return false;
- }
- if (!tSentryPrivilege1.getColumnName().equalsIgnoreCase(tSentryPrivilege2.getColumnName())) {
- return false;
- }
- }
-
- return true;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java
deleted file mode 100644
index 25f94fa..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreToAuthorizable.java
+++ /dev/null
@@ -1,86 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.persistent;
-
-import static org.junit.Assert.assertEquals;
-
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
-import org.junit.Test;
-
-public class TestSentryStoreToAuthorizable {
-
- private MSentryPrivilege privilege;
-
- @Test
- public void testServer() {
- privilege = new MSentryPrivilege(null, "server1", null, null, null, null, null);
- assertEquals("server=server1",
- SentryStore.toAuthorizable(privilege));
- privilege = new MSentryPrivilege(null, "server1", null, null, null, null,
- AccessConstants.ALL);
- assertEquals("server=server1",
- SentryStore.toAuthorizable(privilege));
- }
-
- @Test
- public void testTable() {
- privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null, null);
- assertEquals("server=server1->db=db1->table=tbl1",
- SentryStore.toAuthorizable(privilege));
- privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null,
- AccessConstants.INSERT);
- assertEquals("server=server1->db=db1->table=tbl1->action=insert",
- SentryStore.toAuthorizable(privilege));
- privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null,
- AccessConstants.SELECT);
- assertEquals("server=server1->db=db1->table=tbl1->action=select",
- SentryStore.toAuthorizable(privilege));
- privilege = new MSentryPrivilege(null, "server1", "db1", "tbl1", null, null,
- AccessConstants.ALL);
- assertEquals("server=server1->db=db1->table=tbl1",
- SentryStore.toAuthorizable(privilege));
- }
-
- @Test
- public void testDb() {
- privilege = new MSentryPrivilege(null, "server1", "db1", null, null, null, null);
- assertEquals("server=server1->db=db1",
- SentryStore.toAuthorizable(privilege));
- privilege = new MSentryPrivilege(null, "server1", "db1", null, null, null,
- AccessConstants.ALL);
- assertEquals("server=server1->db=db1",
- SentryStore.toAuthorizable(privilege));
- }
-
- @Test
- public void testUri() {
- privilege = new MSentryPrivilege(null, "server1", null, null, null, "file:///", null);
- assertEquals("server=server1->uri=file:///",
- SentryStore.toAuthorizable(privilege));
- privilege = new MSentryPrivilege(null, "server1", null, null, null, "file:///",
- AccessConstants.SELECT);
- assertEquals("server=server1->uri=file:///->action=select",
- SentryStore.toAuthorizable(privilege));
- privilege = new MSentryPrivilege(null, "server1", null, null, null, "file:///",
- AccessConstants.ALL);
- assertEquals("server=server1->uri=file:///",
- SentryStore.toAuthorizable(privilege));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java
deleted file mode 100644
index a8e8a03..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryVersion.java
+++ /dev/null
@@ -1,85 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.persistent;
-
-import static org.junit.Assert.assertEquals;
-
-import java.io.File;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.io.Files;
-
-public class TestSentryVersion {
-
- private File dataDir;
- private Configuration conf;
-
- @Before
- public void setup() throws Exception {
- dataDir = new File(Files.createTempDir(), "sentry_policy_db");
- conf = new Configuration(false);
- conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName="
- + dataDir.getPath() + ";create=true");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
- }
-
- /**
- * Create the schema using auto creation Create new sentry store without
- * implicit schema creation on the same backend db and make sure it starts
- *
- * @throws Exception
- */
- @Test
- public void testVerifySentryVersionCheck() throws Exception {
- conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
- SentryStore sentryStore = new SentryStore(conf);
- sentryStore.stop();
- conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "true");
- sentryStore = new SentryStore(conf);
- }
-
- /**
- * Verify that store is not initialized by default without schema pre-created
- *
- * @throws Exception
- */
- @Test(expected = SentryNoSuchObjectException.class)
- public void testNegSentrySchemaDefault() throws Exception {
- new SentryStore(conf);
- }
-
- /**
- * With schema verification turned off, Sentry Store should autoCreate the
- * schema
- * @throws Exception
- */
- @Test
- public void testSentryImplicitVersion() throws Exception {
- conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
- SentryStore sentryStore = new SentryStore(conf);
- assertEquals(SentryStoreSchemaInfo.getSentryVersion(),
- sentryStore.getSentryVersion());
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java
deleted file mode 100644
index 1114194..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/SentryMiniKdcTestcase.java
+++ /dev/null
@@ -1,68 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import java.io.File;
-import java.util.Properties;
-
-import org.apache.hadoop.minikdc.MiniKdc;
-
-public class SentryMiniKdcTestcase {
-
- private static File workDir;
- private static Properties conf;
- private static MiniKdc kdc;
-
- public static void startMiniKdc(Properties confOverlay) throws Exception {
- createTestDir();
- createMiniKdcConf(confOverlay);
- kdc = new MiniKdc(conf, workDir);
- kdc.start();
- }
-
- private static void createMiniKdcConf(Properties confOverlay) {
- conf = MiniKdc.createConf();
- for ( Object property : confOverlay.keySet()) {
- conf.put(property, confOverlay.get(property));
- }
- }
-
- private static void createTestDir() {
- workDir = new File(System.getProperty("test.dir", "target"));
- }
-
- public static void stopMiniKdc() {
- if (kdc != null) {
- kdc.stop();
- }
- }
-
- public static MiniKdc getKdc() {
- return kdc;
- }
-
- public static File getWorkDir() {
- return workDir;
- }
-
- public Properties getConf() {
- return conf;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
deleted file mode 100644
index 426b2f7..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
+++ /dev/null
@@ -1,295 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import static org.hamcrest.core.Is.is;
-import static org.junit.Assert.assertThat;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.log4j.Level;
-import org.apache.log4j.Logger;
-import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
-import org.apache.sentry.provider.db.log.util.CommandUtil;
-import org.apache.sentry.provider.db.log.util.Constants;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.codehaus.jettison.json.JSONObject;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-
-public class TestAuthorizingDDLAuditLogWithKerberos extends SentryServiceIntegrationBase {
-
- @BeforeClass
- public static void setupLog4j() throws Exception {
- Logger logger = Logger.getLogger("sentry.hive.authorization.ddl.logger");
- AuditLoggerTestAppender testAppender = new AuditLoggerTestAppender();
- logger.addAppender(testAppender);
- logger.setLevel(Level.INFO);
- }
-
- @Test
- public void testBasic() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- String roleName = "testRole";
- String errorRoleName = "errorRole";
- String serverName = "server1";
- String groupName = "testGroup";
- String dbName = "dbTest";
- String tableName = "tableTest";
- Map<String, String> fieldValueMap = new HashMap<String, String>();
-
- // for successful audit log
- client.createRole(requestorUserName, roleName);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- // for ip address, there is another logic to test the result
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
-
- client.grantRoleToGroup(requestorUserName, groupName, roleName);
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + roleName
- + " TO GROUP " + groupName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
-
- client.grantDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL");
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName
- + " TO ROLE " + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
-
- client.grantTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName,
- "SELECT", true);
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE " + tableName
- + " TO ROLE " + roleName + " WITH GRANT OPTION");
- fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
-
- // for error audit log
- try {
- client.createRole(requestorUserName, roleName);
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
- try {
- client.grantRoleToGroup(requestorUserName, groupName, errorRoleName);
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + errorRoleName
- + " TO GROUP " + groupName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
- try {
- client
- .grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName, "ALL");
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName
- + " TO ROLE " + errorRoleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
- try {
- client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
- "INSERT");
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT INSERT ON DATABASE "
- + dbName + " TO ROLE " + errorRoleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
- try {
- client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
- "SELECT");
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON DATABASE "
- + dbName + " TO ROLE " + errorRoleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
- try {
- client.grantTablePrivilege(requestorUserName, errorRoleName, serverName, dbName,
- tableName, "SELECT");
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE "
- + tableName + " TO ROLE " + errorRoleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
-
- client.revokeTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName,
- "SELECT");
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE " + tableName
- + " FROM ROLE " + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
-
- client.revokeDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL");
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName
- + " FROM ROLE " + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
-
- client.revokeRoleFromGroup(requestorUserName, groupName, roleName);
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + roleName
- + " FROM GROUP " + groupName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
-
- client.dropRole(requestorUserName, roleName);
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
-
- // for error audit log
- try {
- client.revokeTablePrivilege(requestorUserName, errorRoleName, serverName, dbName,
- tableName, "SELECT");
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE "
- + tableName + " FROM ROLE " + errorRoleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
-
- try {
- client.revokeDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
- "ALL");
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName
- + " FROM ROLE " + errorRoleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
-
- try {
- client.revokeRoleFromGroup(requestorUserName, groupName, errorRoleName);
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + errorRoleName
- + " FROM GROUP " + groupName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
-
- try {
- client.dropRole(requestorUserName, errorRoleName);
- fail("Exception should have been thrown");
- } catch (Exception e) {
- fieldValueMap.clear();
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
- fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + errorRoleName);
- fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
- fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
- assertAuditLog(fieldValueMap);
- }
- }
- });
- }
-
- private void assertAuditLog(Map<String, String> fieldValueMap) throws Exception {
- assertThat(AuditLoggerTestAppender.getLastLogLevel(), is(Level.INFO));
- JSONObject jsonObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent());
- if (fieldValueMap != null) {
- for (Map.Entry<String, String> entry : fieldValueMap.entrySet()) {
- String entryKey = entry.getKey();
- if (Constants.LOG_FIELD_IP_ADDRESS.equals(entryKey)) {
- assertTrue(CommandUtil.assertIPInAuditLog(jsonObject.get(entryKey).toString()));
- } else {
- assertTrue(entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString()));
- }
- }
- }
- }
-}
[32/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/webapp/css/sentry.css
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/webapp/css/sentry.css b/sentry-provider/sentry-provider-db/src/main/webapp/css/sentry.css
deleted file mode 100644
index 69cba19..0000000
--- a/sentry-provider/sentry-provider-db/src/main/webapp/css/sentry.css
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-html {
- position: relative;
- min-height: 100%;
-}
-
-body {
- /* Margin bottom by footer height */
- margin-bottom: 60px;
- padding-top: 80px;
-}
-
-.navbar-collapse {margin-top:10px}
-
-.footer {
- position: absolute;
- bottom: 0;
- width: 100%;
- /* Set the fixed height of the footer here */
- height: 60px;
- background-color: #f5f5f5;
-}
-
-.container .text-muted {
- margin: 20px 0;
-}
-
-.footer > .container {
- padding-right: 15px;
- padding-left: 15px;
-}
-
-code {
- font-size: 80%;
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/webapp/sentry.png
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/webapp/sentry.png b/sentry-provider/sentry-provider-db/src/main/webapp/sentry.png
deleted file mode 100644
index 67edd90..0000000
Binary files a/sentry-provider/sentry-provider-db/src/main/webapp/sentry.png and /dev/null differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreIntegrationBase.java
deleted file mode 100644
index f14b586..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreIntegrationBase.java
+++ /dev/null
@@ -1,91 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import java.io.File;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-
-import com.google.common.io.Files;
-
-public abstract class SentryStoreIntegrationBase {
- protected final static String[] adminGroups = { "adminGroup" };
- private static File dataDir;
- private static File policyFilePath;
- protected static Configuration conf;
- protected static DelegateSentryStore sentryStore;
- protected static PolicyFile policyFile;
-
- @BeforeClass
- public static void setup() throws Exception {
- conf = new Configuration(false);
- setup(conf);
- sentryStore = new DelegateSentryStore(conf);
- }
-
- private static void setup(Configuration conf) throws Exception {
- dataDir = new File(Files.createTempDir(), "sentry_policy_db");
- conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
- "jdbc:derby:;databaseName=" + dataDir.getPath() + ";create=true");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
- conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups);
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
- ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
-
- policyFilePath = new File(Files.createTempDir(), "local_policy_file.ini");
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
- policyFilePath.getPath());
- }
-
- @After
- public void clearData() {
- sentryStore.clearAllTables();
- }
-
- @AfterClass
- public static void teardown() {
- if (sentryStore != null) {
- sentryStore.close();
- }
- if (dataDir != null) {
- FileUtils.deleteQuietly(dataDir);
- }
- if (policyFilePath != null) {
- FileUtils.deleteQuietly(policyFilePath);
- }
- }
-
- public static void addGroupsToUser(String user, String... groupNames) {
- policyFile.addGroupsToUser(user, groupNames);
- }
-
- public static void writePolicyFile() throws Exception {
- policyFile.write(policyFilePath);
- }
-
- public String[] getAdminGroups() {
- return adminGroups;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java
deleted file mode 100644
index 1ab5f03..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java
+++ /dev/null
@@ -1,182 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
-
-import java.util.Set;
-
-import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
-import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-
-public class TestDelegateSentryStore extends SentryStoreIntegrationBase{
- private static final String SEARCH = "solr";
-
- @Before
- public void configure() throws Exception {
- /**
- * add the admin user to admin groups
- */
- policyFile = new PolicyFile();
- addGroupsToUser("admin", getAdminGroups());
- writePolicyFile();
- }
-
- @Test
- public void testCreateDropRole() throws Exception {
- String roleName = "test-drop-role";
- String grantor = "grantor";
- long seqId = sentryStore.createRole(SEARCH, roleName, grantor).getSequenceId();
- assertEquals(seqId + 1, sentryStore.dropRole(SEARCH, roleName, grantor).getSequenceId());
- }
-
- @Test
- public void testCaseInsensitiveCreateDropRole() throws Exception {
- String roleName1 = "test";
- String roleName2 = "TeSt";
- String grantor = "grantor";
- sentryStore.createRole(SEARCH, roleName1, grantor);
- try {
- sentryStore.createRole(SEARCH, roleName2, grantor);
- fail("Fail to throw SentryAlreadyExistsException");
- } catch (SentryAlreadyExistsException e) {
- //ignore the exception
- }
-
- try {
- sentryStore.dropRole(SEARCH, roleName2, grantor);
- } catch (SentryNoSuchObjectException e) {
- fail("Shouldn't throw SentryNoSuchObjectException");
- }
- }
-
- @Test(expected=SentryAlreadyExistsException.class)
- public void testCreateDuplicateRole() throws Exception {
- String roleName = "test-dup-role";
- String grantor = "grantor";
- sentryStore.createRole(SEARCH, roleName, grantor);
- sentryStore.createRole(SEARCH, roleName, grantor);
- }
-
- @Test(expected=SentryNoSuchObjectException.class)
- public void testDropNotExistRole() throws Exception {
- String roleName = "not-exist";
- String grantor = "grantor";
- sentryStore.dropRole(SEARCH, roleName, grantor);
- }
-
- @Test(expected = SentryNoSuchObjectException.class)
- public void testAddGroupsNonExistantRole()
- throws Exception {
- String roleName = "non-existant-role";
- String grantor = "grantor";
- sentryStore.alterRoleAddGroups(SEARCH, roleName, Sets.newHashSet("g1"), grantor);
- }
-
- @Test(expected = SentryNoSuchObjectException.class)
- public void testDeleteGroupsNonExistantRole()
- throws Exception {
- String roleName = "non-existant-role";
- String grantor = "grantor";
- sentryStore.alterRoleDeleteGroups(SEARCH, roleName, Sets.newHashSet("g1"), grantor);
- }
-
- @Test
- public void testAddDeleteRoleToGroups() throws Exception {
- String role1 = "r1", role2 = "r2";
- Set<String> twoGroups = Sets.newHashSet("g1", "g2");
- Set<String> oneGroup = Sets.newHashSet("g3");
- String grantor = "grantor";
-
- sentryStore.createRole(SEARCH, role1, grantor);
- sentryStore.createRole(SEARCH, role2, grantor);
-
- sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor);
- assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH,Sets.newHashSet(role1)));
-
- assertEquals(Sets.newHashSet(role1), sentryStore.getRolesByGroups(SEARCH, twoGroups));
-
- sentryStore.alterRoleAddGroups(SEARCH, role2, oneGroup, grantor);
- assertEquals(oneGroup, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role2)));
-
- sentryStore.alterRoleDeleteGroups(SEARCH, role1, Sets.newHashSet("g1"), grantor);
- assertEquals(Sets.newHashSet("g2"), sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role1)));
-
- sentryStore.alterRoleDeleteGroups(SEARCH, role2, oneGroup, grantor);
- assertEquals(Sets.newHashSet(), sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role2)));
- }
-
- @Test
- public void testGetRolesByGroupNames() throws Exception {
- String role1 = "r1", role2 = "r2";
- Set<String> twoGroups = Sets.newHashSet("g1", "g2");
- String grantor = "grantor";
-
- sentryStore.createRole(SEARCH, role1, grantor);
- sentryStore.createRole(SEARCH, role2, grantor);
-
- sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor);
- sentryStore.alterRoleAddGroups(SEARCH, role2, twoGroups, grantor);
-
- assertEquals(Sets.newHashSet(role1,role2), sentryStore.getRolesByGroups(SEARCH, twoGroups));
- }
-
- @Test
- public void testGetGroupsByRoleNames() throws Exception {
- String role1 = "r1", role2 = "r2";
- Set<String> twoGroups = Sets.newHashSet("g1", "g2");
- String grantor = "grantor";
-
- sentryStore.createRole(SEARCH, role1, grantor);
- sentryStore.createRole(SEARCH, role2, grantor);
-
- sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor);
- sentryStore.alterRoleAddGroups(SEARCH, role2, twoGroups, grantor);
-
- assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role1)));
- assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role2)));
- assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role1,role2)));
- }
-
- @Test
- public void testGetAllRoles() throws Exception {
- String role1 = "r1", role2 = "r2";
- Set<String> twoGroups = Sets.newHashSet("g1", "g2");
- String grantor = "grantor";
-
- sentryStore.createRole(SEARCH, role1, grantor);
- sentryStore.createRole(SEARCH, role2, grantor);
-
- sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor);
- sentryStore.alterRoleAddGroups(SEARCH, role2, twoGroups, grantor);
-
- //test get all roles by groupName=null
- String groupName = null;
- Set<String> groups = Sets.newHashSet(groupName);
- assertEquals(Sets.newHashSet(role1,role2), sentryStore.getRolesByGroups(SEARCH, groups));
-
- groups.clear();
- assertEquals(0, sentryStore.getRolesByGroups(SEARCH, groups).size());
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java
deleted file mode 100644
index 799d5ef..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java
+++ /dev/null
@@ -1,1139 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
-
-import com.google.common.collect.Lists;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.BitFieldAction;
-import org.apache.sentry.core.common.BitFieldActionFactory;
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.Field;
-import org.apache.sentry.core.model.search.SearchConstants;
-import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
-import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
-import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.service.thrift.ServiceConstants;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-
-/**
- * The test cases are used for search component The authorizables are COLLECTION and Field
- * The actions of search privilege are ALL,QUERY and UPDATE
- */
-public class TestPrivilegeOperatePersistence extends SentryStoreIntegrationBase {
- private static final String SEARCH = "solr";
- private static final String ADMIN_USER = "solr";
- private static final String GRANT_OPTION_USER = "user_grant_option";
- private static final String[] GRANT_OPTION_GROUP = { "group_grant_option" };
- private static final String NO_GRANT_OPTION_USER = "user_no_grant_option";
- private static final String[] NO_GRANT_OPTION_GROUP = { "group_no_grant_option" };
-
- private static final String SERVICE = "service";
- private static final String COLLECTION_NAME = "collection1";
- private static final String NOT_COLLECTION_NAME = "not_collection1";
- private static final String FIELD_NAME = "field1";
- private static final String NOT_FIELD_NAME = "not_field1";
-
- @Before
- public void configure() throws Exception {
- /**
- * add the solr user to admin groups
- */
- policyFile = new PolicyFile();
- addGroupsToUser(ADMIN_USER, getAdminGroups());
- writePolicyFile();
- }
-
- /**
- * Grant query privilege to role r1
- */
- @Test
- public void testGrantPrivilege() throws Exception {
- testGrantPrivilege(sentryStore, SEARCH);
- }
-
- @Test
- public void testGrantPrivilegeTwice() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- sentryStore.createRole(SEARCH, roleName, grantor);
-
- PrivilegeObject queryPrivilegeWithOption = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(true)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithOption, grantor);
- assertEquals(1,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
- //grant again
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithOption, grantor);
- assertEquals(1,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
-
- PrivilegeObject queryPrivilegeWithNoOption = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(false)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNoOption, grantor);
- assertEquals(2,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
- //grant again
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNoOption, grantor);
- assertEquals(2,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
-
- PrivilegeObject queryPrivilegeWithNullGrant = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(null)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNullGrant, grantor);
-
- assertEquals(3,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
- //grant again
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNullGrant, grantor);
- assertEquals(3,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
-
- }
-
- /**
- * Grant query privilege to role r1 and there is ALL privilege related this
- * collection existed
- */
- @Test
- public void testGrantPrivilegeWithAllPrivilegeExist() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject allPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.ALL)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName, grantor);
- /**
- * grant all privilege to role r1
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, allPrivilege, grantor);
- /**
- * check role r1 truly has the privilege been granted
- */
- assertEquals(Sets.newHashSet(allPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
-
- PrivilegeObject queryPrivilege = new Builder(allPrivilege)
- .setAction(SearchConstants.QUERY)
- .build();
-
- /**
- * grant query privilege to role r1
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor);
- /**
- * all privilege has been existed, the query privilege will not persistent
- */
- assertEquals(Sets.newHashSet(allPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- }
-
- /**
- * Grant query privilege to role r1 and there are query and update privileges
- * related this collection existed
- */
- @Test
- public void testGrantALLPrivilegeWithOtherPrivilegesExist() throws Exception {
- String roleName1 = "r1";
- String roleName2 = "r2";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
-
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
- .setAction(SearchConstants.UPDATE)
- .build();
-
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.createRole(SEARCH, roleName2, grantor);
- /**
- * grant query and update privilege to role r1 and role r2
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege,grantor);
- assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege,grantor);
- assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
-
- PrivilegeObject allPrivilege = new Builder(queryPrivilege)
- .setAction(SearchConstants.ALL)
- .build();
-
- /**
- * grant all privilege to role r1
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, allPrivilege, grantor);
-
- /**
- * check the query and update privileges of roleName1 will be removed because of ALl privilege
- * granted
- */
- assertEquals(Sets.newHashSet(allPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- /**
- * check the query and update privileges of roleName2 will not affected and exist
- */
- assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
- }
-
- @Test
- public void testGrantRevokeCheckWithGrantOption() throws Exception {
-
- addGroupsToUser(GRANT_OPTION_USER, GRANT_OPTION_GROUP);
- addGroupsToUser(NO_GRANT_OPTION_USER, NO_GRANT_OPTION_GROUP);
- writePolicyFile();
-
- String roleName1 = "r1";
- String roleName2 = "r2";
- String grantor = "g1";
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.createRole(SEARCH, roleName2, grantor);
- /**
- * grant query privilege to role r1 with grant option
- */
- PrivilegeObject queryPrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(true)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1,
- ADMIN_USER);
- assertEquals(Sets.newHashSet(queryPrivilege1),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
- /**
- * grant query privilege to role r2 no grant option
- */
- PrivilegeObject queryPrivilege2 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(false).build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2,
- ADMIN_USER);
- assertEquals(Sets.newHashSet(queryPrivilege2),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
-
- sentryStore.alterRoleAddGroups(SEARCH, roleName1,
- Sets.newHashSet(GRANT_OPTION_GROUP), grantor);
- sentryStore.alterRoleAddGroups(SEARCH, roleName2,
- Sets.newHashSet(NO_GRANT_OPTION_GROUP), grantor);
-
- String roleName3 = "r3";
- sentryStore.createRole(SEARCH, roleName3, grantor);
- /**
- * the user with grant option grant query privilege to rolr r3
- */
- try{
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, queryPrivilege1,
- GRANT_OPTION_USER);
- } catch (SentryGrantDeniedException e) {
- fail("SentryGrantDeniedException shouldn't have been thrown");
- }
-
- /**
- * the user with grant option revoke query privilege to rolr r3
- */
- try{
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName3, queryPrivilege1,
- GRANT_OPTION_USER);
- } catch (SentryGrantDeniedException e) {
- fail("SentryGrantDeniedException shouldn't have been thrown");
- }
-
- /**
- * the user with no grant option grant query privilege to rolr r3, it will
- * throw SentryGrantDeniedException
- */
- try {
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, queryPrivilege2,
- NO_GRANT_OPTION_USER);
- fail("SentryGrantDeniedException should have been thrown");
- } catch (SentryGrantDeniedException e) {
- //ignore the exception
- }
-
- /**
- * the user with no grant option revoke query privilege to rolr r3, it will
- * throw SentryGrantDeniedException
- */
- try {
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, queryPrivilege2,
- NO_GRANT_OPTION_USER);
- fail("SentryGrantDeniedException should have been thrown");
- } catch (SentryGrantDeniedException e) {
- //ignore the exception
- }
- }
-
- @Test
- public void testGrantWithGrantOption() throws Exception {
-
- addGroupsToUser(GRANT_OPTION_USER, GRANT_OPTION_GROUP);
- addGroupsToUser(NO_GRANT_OPTION_USER, NO_GRANT_OPTION_GROUP);
- writePolicyFile();
-
- String roleName1 = "r1";
- String grantor = "g1";
- sentryStore.createRole(SEARCH, roleName1, grantor);
- /**
- * grant query privilege to role r1 with grant option
- */
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(true)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege,ADMIN_USER);
- sentryStore.alterRoleAddGroups(SEARCH, roleName1,
- Sets.newHashSet(GRANT_OPTION_GROUP), grantor);
-
- /**
- * the user with grant option grant query privilege to rolr r2
- */
- String roleName2 = "r2";
- sentryStore.createRole(SEARCH, roleName2, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, GRANT_OPTION_USER);
-
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
-
- }
-
-
- /**
- * Grant query and update privileges to role r1 and revoke query privilege
- * there is left update privilege related to role r1
- */
- @Test
- public void testRevokePrivilege() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
- .setAction(SearchConstants.UPDATE)
- .build();
-
- sentryStore.createRole(SEARCH, roleName, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- /**
- * revoke query privilege
- */
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, queryPrivilege, grantor);
- assertEquals(Sets.newHashSet(updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- }
-
- /**
- * Grant query and update privileges to role r1 and revoke all privilege,
- * there is no privilege related to role r1
- */
- @Test
- public void testRevokeAllPrivilege() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME),new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
- .setAction(SearchConstants.UPDATE)
- .build();
-
- sentryStore.createRole(SEARCH, roleName, grantor);
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- /**
- * revoke all privilege
- */
- PrivilegeObject allPrivilege = new Builder(queryPrivilege)
- .setAction(SearchConstants.ALL)
- .build();
-
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, allPrivilege, grantor);
-
- assertEquals(Sets.newHashSet(),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- }
-
- /**
- * Grant all privilege to role r1 and revoke query privilege
- * there is update privilege related to role r1
- */
- @Test
- public void testRevokePrivilegeWithAllPrivilegeExist() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject allPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.ALL)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName, grantor);
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, allPrivilege, grantor);
-
- assertEquals(Sets.newHashSet(allPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- /**
- * revoke update privilege
- */
- PrivilegeObject updatePrivilege = new Builder(allPrivilege)
- .setAction(SearchConstants.UPDATE)
- .build();
-
- PrivilegeObject queryPrivilege = new Builder(allPrivilege)
- .setAction(SearchConstants.QUERY)
- .build();
-
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, updatePrivilege, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- }
-
- /**
- * Grant update, query and all privilege to role r1
- * Revoke query privilege from role r1
- * there is update privilege related to role r1
- */
- @Test
- public void testRevokePrivilegeWithAllPrivilegesGranted() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject allPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.ALL)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege = new Builder(allPrivilege)
- .setAction(SearchConstants.UPDATE)
- .build();
-
- PrivilegeObject queryPrivilege = new Builder(allPrivilege)
- .setAction(SearchConstants.QUERY)
- .build();
-
- sentryStore.createRole(SEARCH, roleName, grantor);
- //grant query to role r1
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor);
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
-
- //grant update to role r1
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege, grantor);
- assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- /**
- * grant all action privilege to role r1, because all action includes query and update action,
- * The role r1 only has the action all privilege
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, allPrivilege, grantor);
- assertEquals(Sets.newHashSet(allPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- /**
- * revoke update privilege from role r1, the query privilege has been left
- */
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, updatePrivilege, grantor);
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- }
-
- @Test
- public void testRevokeParentPrivilegeWithChildsExist() throws Exception {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject updatePrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.UPDATE)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject queryPrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME),new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject queryPrivilege2 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(NOT_COLLECTION_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege1, grantor);
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege2, grantor);
-
- /**
- * revoke all privilege with collection[COLLECTION_NAME=collection1] and its child privileges
- */
- PrivilegeObject allPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.ALL)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, allPrivilege, grantor);
- assertEquals(Sets.newHashSet(queryPrivilege2),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
- }
-
- @Test
- public void testRevokeWithGrantOption() throws Exception {
-
- addGroupsToUser(GRANT_OPTION_USER, GRANT_OPTION_GROUP);
- addGroupsToUser(NO_GRANT_OPTION_USER, NO_GRANT_OPTION_GROUP);
- writePolicyFile();
-
- String roleName1 = "r1";
- String grantor = "g1";
- sentryStore.createRole(SEARCH, roleName1, grantor);
- /**
- * grant query privilege to role r1 with grant option
- */
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .withGrantOption(true)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege,
- ADMIN_USER);
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- sentryStore.alterRoleAddGroups(SEARCH, roleName1,
- Sets.newHashSet(GRANT_OPTION_GROUP), grantor);
-
- String roleName2 = "r2";
- sentryStore.createRole(SEARCH, roleName2, grantor);
- /**
- * the user with grant option grant query privilege to rolr r2
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege,
- GRANT_OPTION_USER);
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
-
- /**
- * the user with grant option revoke query privilege to rolr r3
- */
- sentryStore.alterRoleRevokePrivilege(SEARCH, roleName2, queryPrivilege, GRANT_OPTION_USER);
- assertEquals(Sets.newHashSet(),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
- }
-
- @Test
- public void testDropPrivilege() throws Exception{
- String roleName1 = "r1";
- String roleName2 = "r2";
- String grantor = ADMIN_USER;
-
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
- .setAction(SearchConstants.UPDATE)
- .build();
-
- /**
- * grant query and update privilege to role r1 and r2
- */
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege, grantor);
-
- sentryStore.createRole(SEARCH, roleName2, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
- /**
- * drop query privilege
- */
- sentryStore.dropPrivilege(SEARCH, queryPrivilege, grantor);
-
- assertEquals(Sets.newHashSet(updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- assertEquals(Sets.newHashSet(updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
-
- /**
- * drop ALL privilege
- */
- PrivilegeObject allPrivilege = new Builder(queryPrivilege)
- .setAction(SearchConstants.ALL)
- .build();
-
- sentryStore.dropPrivilege(SEARCH, allPrivilege, grantor);
-
- assertEquals(Sets.newHashSet(),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- assertEquals(Sets.newHashSet(),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
-
- /**
- * grant query and update field scope[collection1,field1] privilege to role r1
- * drop collection scope[collection1] privilege
- * there is no privilege
- */
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege, grantor);
-
- PrivilegeObject parentPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.ALL)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- sentryStore.dropPrivilege(SEARCH, parentPrivilege, grantor);
- assertEquals(Sets.newHashSet(),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
- }
-
- @Test
- public void testRenamePrivilege() throws Exception{
- String roleName1 = "r1";
- String roleName2 = "r2";
- String grantor = ADMIN_USER;
-
- List<? extends Authorizable> oldAuthoriables = Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME));
- List<? extends Authorizable> newAuthoriables = Arrays.asList(new Collection(COLLECTION_NAME), new Field(NOT_FIELD_NAME));
-
- PrivilegeObject oldQueryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(oldAuthoriables)
- .build();
-
- PrivilegeObject oldUpdatePrivilege = new Builder(oldQueryPrivilege)
- .setAction(SearchConstants.UPDATE)
- .build();
-
- PrivilegeObject oldALLPrivilege = new Builder(oldQueryPrivilege)
- .setAction(SearchConstants.ALL)
- .build();
-
-
- PrivilegeObject newQueryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(newAuthoriables)
- .build();
-
- PrivilegeObject newUpdatePrivilege = new Builder(newQueryPrivilege)
- .setAction(SearchConstants.UPDATE)
- .build();
-
- PrivilegeObject newALLPrivilege = new Builder(newQueryPrivilege)
- .setAction(SearchConstants.ALL)
- .build();
-
-
- /**
- * grant query and update privilege to role r1
- * grant all privilege to role r2
- */
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, oldQueryPrivilege, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, oldUpdatePrivilege, grantor);
-
- sentryStore.createRole(SEARCH, roleName2, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, oldALLPrivilege, grantor);
-
- assertEquals(Sets.newHashSet(oldQueryPrivilege,oldUpdatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- assertEquals(Sets.newHashSet(oldALLPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
- /**
- * rename old query privilege to new query privilege
- */
- sentryStore.renamePrivilege(SEARCH, SERVICE,
- oldAuthoriables,
- newAuthoriables,
- grantor);
-
- assertEquals(Sets.newHashSet(newQueryPrivilege,newUpdatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- assertEquals(Sets.newHashSet(newALLPrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
- /**
- * rename collection scope[collection=collection1] privilege to [collection=not_collection1]
- * These privileges belong to collection scope[collection=collection1] will change to
- * [collection=not_collection1]
- */
-
- List<? extends Authorizable> newAuthoriables1 = Arrays.asList(new Collection(NOT_COLLECTION_NAME),new Field(NOT_FIELD_NAME));
-
- PrivilegeObject newQueryPrivilege1 = new Builder(newQueryPrivilege)
- .setAuthorizables(newAuthoriables1)
- .build();
-
- PrivilegeObject newUpdatePrivilege1 = new Builder(newUpdatePrivilege)
- .setAuthorizables(newAuthoriables1)
- .build();
-
- PrivilegeObject newALLPrivilege1 = new Builder(newALLPrivilege)
- .setAuthorizables(newAuthoriables1)
- .build();
-
- sentryStore.renamePrivilege(SEARCH, SERVICE,
- Arrays.asList(new Collection(COLLECTION_NAME)),
- Arrays.asList(new Collection(NOT_COLLECTION_NAME)),
- grantor);
-
- assertEquals(Sets.newHashSet(newQueryPrivilege1,newUpdatePrivilege1),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
-
- assertEquals(Sets.newHashSet(newALLPrivilege1),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
- }
-
- @Test
- public void testGetPrivilegesByRoleName() throws Exception {
- String roleName1 = "r1";
- String roleName2 = "r2";
- String grantor = "g1";
-
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege,
- ADMIN_USER);
-
- PrivilegeObject updatePrivilege = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName2, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege,
- ADMIN_USER);
-
- assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
- sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1,roleName2)));
-
- }
-
- @Test
- public void testGetPrivilegesByProvider() throws Exception {
- String roleName1 = "r1";
- String roleName2 = "r2";
- String roleName3 = "r3";
- String group = "g3";
- String grantor = ADMIN_USER;
-
- String service1 = "service1";
-
- PrivilegeObject queryPrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.UPDATE)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject queryPrivilege2 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege2 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.UPDATE)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.createRole(SEARCH, roleName2, grantor);
- sentryStore.createRole(SEARCH, roleName3, grantor);
-
- sentryStore.alterRoleAddGroups(SEARCH, roleName3, Sets.newHashSet(group), grantor);
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, updatePrivilege2, grantor);
-
- assertEquals(Sets.newHashSet(updatePrivilege1, queryPrivilege1),
- sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1), null, null));
-
- assertEquals(Sets.newHashSet(updatePrivilege1, queryPrivilege1, queryPrivilege2),
- sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2),
- null, null));
-
- assertEquals(Sets.newHashSet(updatePrivilege1, queryPrivilege1, queryPrivilege2, updatePrivilege2),
- sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2),
- Sets.newHashSet(group), null));
-
- List<? extends Authorizable> authorizables = Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME));
- assertEquals(Sets.newHashSet(updatePrivilege1, updatePrivilege2),
- sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2),
- Sets.newHashSet(group), authorizables));
- }
-
- @Test
- public void testGetPrivilegesByAuthorizable() throws Exception {
- String roleName1 = "r1";
- String roleName2 = "r2";
- String roleName3 = "r3";
- String grantor = ADMIN_USER;
-
- String service1 = "service1";
-
- PrivilegeObject queryPrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege1 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.UPDATE)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- PrivilegeObject queryPrivilege2 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.QUERY)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
- .build();
-
- PrivilegeObject updatePrivilege2 = new Builder()
- .setComponent(SEARCH)
- .setAction(SearchConstants.UPDATE)
- .setService(service1)
- .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
- .build();
-
- sentryStore.createRole(SEARCH, roleName1, grantor);
- sentryStore.createRole(SEARCH, roleName2, grantor);
- sentryStore.createRole(SEARCH, roleName3, grantor);
-
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege1, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2, grantor);
- sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, updatePrivilege2, grantor);
-
- assertEquals(0, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, null,
- Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))).size());
- assertEquals(1, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, Sets.newHashSet(roleName1),
- Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))).size());
- assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1,
- Sets.newHashSet(roleName1), null).size());
- assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1,
- Sets.newHashSet(roleName1,roleName2), null).size());
- assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1,
- Sets.newHashSet(roleName1,roleName2, roleName3), null).size());
- }
-
- @Test(expected = RuntimeException.class)
- public void testGrantPrivilegeExternalComponentMissingConf() throws SentryUserException {
- testGrantPrivilege(sentryStore, "externalComponent");
- }
-
- @Test(expected = RuntimeException.class)
- public void testGrantPrivilegeExternalComponentInvalidConf() throws Exception {
- String externalComponent = "mycomponent";
- Configuration confCopy = new Configuration(conf);
- confCopy.set(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, externalComponent),
- InvalidActionFactory.class.getName());
- SentryStoreLayer store = new DelegateSentryStore(confCopy);
- testGrantPrivilege(store, externalComponent);
- }
-
- @Test
- public void testGrantPrivilegeExternalComponent() throws Exception {
- String externalComponent = "mycomponent";
- Configuration confCopy = new Configuration(conf);
- confCopy.set(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, externalComponent),
- MyComponentActionFactory.class.getName());
- SentryStoreLayer store = new DelegateSentryStore(confCopy);
- testGrantPrivilege(store, externalComponent);
- }
-
- @Test
- public void testGrantPrivilegeExternalComponentCaseInsensitivity() throws Exception {
- String externalComponent = "MyCoMpOnEnT";
- Configuration confCopy = new Configuration(conf);
- confCopy.set(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, "mycomponent"),
- MyComponentActionFactory.class.getName());
- SentryStoreLayer store = new DelegateSentryStore(confCopy);
- testGrantPrivilege(store, externalComponent);
- }
-
- private void testGrantPrivilege(SentryStoreLayer sentryStore, String component) throws SentryUserException {
- String roleName = "r1";
- /**
- * grantor is admin, there is no need to check grant option
- */
- String grantor = ADMIN_USER;
- PrivilegeObject queryPrivilege = new Builder()
- .setComponent(component)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Collections.singletonList(new Collection(COLLECTION_NAME)))
- .withGrantOption(null)
- .build();
-
- sentryStore.createRole(component, roleName, grantor);
- sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilege, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege),
- sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName)));
-
- PrivilegeObject queryPrivilegeWithOption = new Builder()
- .setComponent(component)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Collections.singletonList(new Collection(COLLECTION_NAME)))
- .withGrantOption(true)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilegeWithOption, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege, queryPrivilegeWithOption),
- sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName)));
-
- PrivilegeObject queryPrivilegeWithNoOption = new Builder()
- .setComponent(component)
- .setAction(SearchConstants.QUERY)
- .setService(SERVICE)
- .setAuthorizables(Collections.singletonList(new Collection(COLLECTION_NAME)))
- .withGrantOption(false)
- .build();
-
- sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilegeWithNoOption, grantor);
-
- assertEquals(Sets.newHashSet(queryPrivilege, queryPrivilegeWithOption, queryPrivilegeWithNoOption),
- sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName)));
- }
-
- public static final class InvalidActionFactory {
-
- }
-
- public static final class MyComponentActionFactory extends BitFieldActionFactory {
-
- public enum MyComponentActionType {
- FOO("foo", 1),
- BAR("bar", 2),
- QUERY(SearchConstants.QUERY, 4),
- ALL("*", FOO.getCode() | BAR.getCode() | QUERY.getCode());
-
- private String name;
- private int code;
- MyComponentActionType(String name, int code) {
- this.name = name;
- this.code = code;
- }
-
- public int getCode() {
- return code;
- }
-
- public String getName() {
- return name;
- }
-
- static MyComponentActionType getActionByName(String name) {
- for (MyComponentActionType action : MyComponentActionType.values()) {
- if (action.name.equalsIgnoreCase(name)) {
- return action;
- }
- }
- throw new RuntimeException("can't get MyComponentActionType by name:" + name);
- }
-
- static List<MyComponentActionType> getActionByCode(int code) {
- List<MyComponentActionType> actions = Lists.newArrayList();
- for (MyComponentActionType action : MyComponentActionType.values()) {
- if ((action.code & code) == action.code && action != MyComponentActionType.ALL) {
- //MyComponentActionType.ALL action should not return in the list
- actions.add(action);
- }
- }
- if (actions.isEmpty()) {
- throw new RuntimeException("can't get sqoopActionType by code:" + code);
- }
- return actions;
- }
- }
-
- public static class MyComponentAction extends BitFieldAction {
- public MyComponentAction(String name) {
- this(MyComponentActionType.getActionByName(name));
- }
- public MyComponentAction(MyComponentActionType myComponentActionType) {
- super(myComponentActionType.name, myComponentActionType.code);
- }
- }
-
- @Override
- public List<? extends BitFieldAction> getActionsByCode(int actionCode) {
- List<MyComponentAction> actions = Lists.newArrayList();
- for (MyComponentActionType action : MyComponentActionType.getActionByCode(actionCode)) {
- actions.add(new MyComponentAction(action));
- }
- return actions;
- }
-
- @Override
- public BitFieldAction getActionByName(String name) {
- // Check the name is All
- if (SqoopActionConstant.ALL_NAME.equalsIgnoreCase(name)) {
- return new MyComponentAction(MyComponentActionType.ALL);
- }
- return new MyComponentAction(name);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java
deleted file mode 100644
index 258721e..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.fail;
-
-import java.util.Arrays;
-
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.Field;
-import org.apache.sentry.core.model.search.SearchConstants;
-import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
-import org.junit.Test;
-
-public class TestSentryGMPrivilege {
-
- @Test
- public void testValidateAuthorizables() throws Exception {
- try {
- new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f1")),SearchConstants.QUERY, false);
- } catch (IllegalStateException e) {
- fail("unexpect happend: it is a validated privilege");
- }
-
- try {
- new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection(""), new Field("f1")),SearchConstants.QUERY, false);
- fail("unexpect happend: it is not a validated privilege, The empty name of authorizable can't be empty");
- } catch (IllegalStateException e) {
- }
-
- try {
- new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(null, new Field("f1")),SearchConstants.QUERY, false);
- fail("unexpect happend: it is not a validated privilege, The authorizable can't be null");
- } catch (IllegalStateException e) {
- }
- }
-
- @Test
- public void testImpliesWithServerScope() throws Exception {
- //The persistent privilege is server scope
- MSentryGMPrivilege serverPrivilege = new MSentryGMPrivilege("solr",
- "service1", null,SearchConstants.QUERY, false);
-
- MSentryGMPrivilege collectionPrivilege = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1")),
- SearchConstants.QUERY, false);
- assertTrue(serverPrivilege.implies(collectionPrivilege));
-
- MSentryGMPrivilege fieldPrivilege = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
- SearchConstants.QUERY, false);
- assertTrue(serverPrivilege.implies(fieldPrivilege));
- assertTrue(collectionPrivilege.implies(fieldPrivilege));
-
- serverPrivilege.setAction(SearchConstants.UPDATE);
- assertFalse(serverPrivilege.implies(collectionPrivilege));
- assertFalse(serverPrivilege.implies(fieldPrivilege));
-
- serverPrivilege.setAction(SearchConstants.ALL);
- assertTrue(serverPrivilege.implies(collectionPrivilege));
- assertTrue(serverPrivilege.implies(fieldPrivilege));
- }
- /**
- * The requested privilege has the different authorizable size with the persistent privilege
- * @throws Exception
- */
- @Test
- public void testImpliesDifferentAuthorizable() throws Exception {
- /**
- * Test the scope of persistent privilege is the larger than the requested privilege
- */
- MSentryGMPrivilege serverPrivilege = new MSentryGMPrivilege("solr",
- "service1", null, SearchConstants.QUERY, false);
-
- MSentryGMPrivilege collectionPrivilege = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1")),
- SearchConstants.QUERY, false);
-
- MSentryGMPrivilege fieldPrivilege = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
- SearchConstants.QUERY, false);
- assertTrue(serverPrivilege.implies(collectionPrivilege));
- assertTrue(serverPrivilege.implies(fieldPrivilege));
- assertTrue(collectionPrivilege.implies(fieldPrivilege));
- /**
- * Test the scope of persistent privilege is less than the request privilege
- */
- assertFalse(fieldPrivilege.implies(collectionPrivilege));
- assertFalse(fieldPrivilege.implies(serverPrivilege));
- assertFalse(collectionPrivilege.implies(serverPrivilege));
-
- /**
- * Test the scope of persistent privilege is less than the request privilege,
- * but the name of left authorizable is ALL
- */
- MSentryGMPrivilege fieldAllPrivilege = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field(AccessConstants.ALL)),
- SearchConstants.QUERY, false);
-
- assertTrue(fieldAllPrivilege.implies(collectionPrivilege));
-
- /**
- * Test the scope of persistent privilege has the same scope as request privilege
- */
- MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
- SearchConstants.QUERY, false);
-
- MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c2"), new Field("f2")),
- SearchConstants.QUERY, false);
- assertFalse(fieldPrivilege1.implies(fieldPrivilege2));
- }
-
- /**
- * The requested privilege has the same authorizable size as with the persistent privilege
- * @throws Exception
- */
- @Test
- public void testSearchImpliesEqualAuthorizable() throws Exception {
-
- MSentryGMPrivilege serverPrivilege1 = new MSentryGMPrivilege("solr",
- "service1", null,SearchConstants.QUERY, false);
-
- MSentryGMPrivilege serverPrivilege2 = new MSentryGMPrivilege("solr",
- "service2", null,SearchConstants.QUERY, false);
-
- assertFalse(serverPrivilege1.implies(serverPrivilege2));
-
- MSentryGMPrivilege collectionPrivilege1 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1")),
- SearchConstants.QUERY, false);
-
- MSentryGMPrivilege collectionPrivilege2 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c2")),
- SearchConstants.QUERY, false);
-
- assertFalse(collectionPrivilege1.implies(collectionPrivilege2));
-
- MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
- SearchConstants.QUERY, false);
-
- MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f2")),
- SearchConstants.QUERY, false);
-
- assertFalse(fieldPrivilege1.implies(fieldPrivilege2));
-
- /**
- * The authorizables aren't equal,but the persistent privilege has the ALL name
- */
- collectionPrivilege2.setAuthorizables(Arrays.asList(new Collection(AccessConstants.ALL)));
- collectionPrivilege2.implies(collectionPrivilege1);
-
- fieldPrivilege2.setAuthorizables(Arrays.asList(new Collection("c1"), new Field(AccessConstants.ALL)));
- fieldPrivilege2.implies(fieldPrivilege1);
- }
-
- @Test
- public void testSearchImpliesAction() throws Exception {
- /**
- * action is equal
- */
- MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f2")),
- SearchConstants.QUERY, false);
-
- MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr",
- "service1", Arrays.asList(new Collection("c1"), new Field("f2")),
- SearchConstants.QUERY, false);
-
- assertTrue(fieldPrivilege1.implies(fieldPrivilege2));
-
- /**
- * action isn't equal
- */
- fieldPrivilege2.setAction(SearchConstants.UPDATE);
- assertFalse(fieldPrivilege1.implies(fieldPrivilege2));
- /**
- * action isn't equal,but the persistent privilege has the ALL action
- */
- fieldPrivilege1.setAction(SearchConstants.ALL);
- assertTrue(fieldPrivilege1.implies(fieldPrivilege2));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java
deleted file mode 100644
index 29134fe..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java
+++ /dev/null
@@ -1,372 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.persistent;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.File;
-import java.util.Arrays;
-import java.util.Properties;
-
-import javax.jdo.JDOHelper;
-import javax.jdo.PersistenceManager;
-import javax.jdo.PersistenceManagerFactory;
-import javax.jdo.Query;
-import javax.jdo.Transaction;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
-import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
-import org.apache.sentry.provider.db.service.model.MSentryRole;
-import org.apache.sentry.provider.db.service.persistent.SentryStore;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.base.Preconditions;
-import com.google.common.io.Files;
-/**
- * The class tests that the new feature SENTRY-398 generic model adds the new field in the MSentryRole
- * will not affect the functionality of the origin hive/impala authorization model
- */
-public class TestSentryRole {
- private static PersistenceManagerFactory pmf;
- private static File dataDir;
-
- @Before
- public void setup() throws Exception {
- dataDir = new File(Files.createTempDir(), "sentry_policy_db");
- Properties prop = new Properties();
- prop.setProperty(ServerConfig.JAVAX_JDO_URL, "jdbc:derby:;databaseName=" + dataDir.getPath() + ";create=true");
- prop.setProperty(ServerConfig.JAVAX_JDO_USER, "Sentry");
- prop.setProperty(ServerConfig.JAVAX_JDO_PASS, "Sentry");
- prop.setProperty(ServerConfig.JAVAX_JDO_DRIVER_NAME, "org.apache.derby.jdbc.EmbeddedDriver");
- prop.setProperty("datanucleus.schema.autoCreateAll", "true");
- prop.setProperty("datanucleus.autoCreateSchema", "true");
- prop.setProperty("datanucleus.fixedDatastore", "false");
- prop.setProperty("datanucleus.NontransactionalRead", "false");
- prop.setProperty("datanucleus.NontransactionalWrite", "false");
- pmf = JDOHelper.getPersistenceManagerFactory(prop);
- }
-
- @After
- public void tearDown() throws Exception {
- pmf.close();
- FileUtils.deleteQuietly(dataDir);
- }
-
- @Test
- public void grantMixedPrivilegeTest() throws Exception {
- String roleName = "r1";
- //hive/impala privilege
- MSentryPrivilege hivePrivilege = new MSentryPrivilege();
- hivePrivilege.setServerName("hive.server1");
- hivePrivilege.setDbName("db1");
- hivePrivilege.setTableName("tb1");
- hivePrivilege.setPrivilegeScope("table");
- hivePrivilege.setAction("select");
- hivePrivilege.setGrantOption(true);
- //solr privilege
- MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
- solrPrivilege.setComponentName("solr");
- solrPrivilege.setServiceName("solr.server1");
- solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
- solrPrivilege.setAction("query");
- solrPrivilege.setGrantOption(true);
-
- PersistenceManager pm = null;
- //create role
- pm = openTransaction();
- pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
- commitTransaction(pm);
- //add hivePrivilege to role
- pm = openTransaction();
- MSentryRole role = getMSentryRole(pm, roleName);
- hivePrivilege.appendRole(role);
- pm.makePersistent(hivePrivilege);
- commitTransaction(pm);
- //check hivePrivlege and solrPrivilege
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(0, role.getGmPrivileges().size());
- commitTransaction(pm);
- //add solrPrivilege to role
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- solrPrivilege.appendRole(role);
- pm.makePersistent(solrPrivilege);
- commitTransaction(pm);
- //check hivePrivlege and solrPrivilege
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(1, role.getGmPrivileges().size());
- commitTransaction(pm);
- }
-
- @Test
- public void testWantGrantPrivilegeTwice() throws Exception {
- String roleName = "r1";
- //hive/impala privilege
- MSentryPrivilege hivePrivilege = new MSentryPrivilege();
- hivePrivilege.setServerName("hive.server1");
- hivePrivilege.setDbName("db1");
- hivePrivilege.setTableName("tb1");
- hivePrivilege.setPrivilegeScope("table");
- hivePrivilege.setAction("select");
- hivePrivilege.setURI(SentryStore.NULL_COL);
- hivePrivilege.setColumnName(SentryStore.NULL_COL);
- hivePrivilege.setGrantOption(true);
- //The same hivePrivilege
- MSentryPrivilege hivePrivilege2 = new MSentryPrivilege(hivePrivilege);
- //solr privilege
- MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
- solrPrivilege.setComponentName("solr");
- solrPrivilege.setServiceName("solr.server1");
- solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
- solrPrivilege.setAction("query");
- solrPrivilege.setGrantOption(true);
- //The same solrPrivilege
- MSentryGMPrivilege solrPrivilege2 = new MSentryGMPrivilege(solrPrivilege);
-
- PersistenceManager pm = null;
- //create role
- pm = openTransaction();
- pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
- commitTransaction(pm);
-
- //grant hivePrivilege and solrPrivilege to role
- pm = openTransaction();
- MSentryRole role = getMSentryRole(pm, roleName);
- solrPrivilege.appendRole(role);
- hivePrivilege.appendRole(role);
- pm.makePersistent(solrPrivilege);
- pm.makePersistent(hivePrivilege);
- commitTransaction(pm);
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(1, role.getGmPrivileges().size());
- commitTransaction(pm);
-
- //want to grant the same hivePrivilege and solrPrivilege to role again
- //hivePrivilege2 is equal to hivePrivilege
- //solrPrivilege2 is equal to solrPrivilege
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- if (!role.getGmPrivileges().contains(solrPrivilege2)) {
- fail("unexpect happend: the MSentryGMPrivilege:" + solrPrivilege2 + " already be granted");
- }
- if (!role.getPrivileges().contains(hivePrivilege2)) {
- fail("unexpect happend: the MSentryPrivilege:" + hivePrivilege2 + " already be granted");
- }
- commitTransaction(pm);
- }
-
- @Test
- public void testMixedRevokePrivilege() throws Exception {
- String roleName = "r1";
- //hive/impala privilege
- MSentryPrivilege hivePrivilege = new MSentryPrivilege();
- hivePrivilege.setServerName("hive.server1");
- hivePrivilege.setDbName("db1");
- hivePrivilege.setTableName("tb1");
- hivePrivilege.setPrivilegeScope("table");
- hivePrivilege.setAction("select");
- hivePrivilege.setURI(SentryStore.NULL_COL);
- hivePrivilege.setColumnName(SentryStore.NULL_COL);
- hivePrivilege.setGrantOption(true);
-
- //solr privilege
- MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
- solrPrivilege.setComponentName("solr");
- solrPrivilege.setServiceName("solr.server1");
- solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
- solrPrivilege.setAction("query");
- solrPrivilege.setGrantOption(true);
-
- PersistenceManager pm = null;
- //create role
- pm = openTransaction();
- pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
- commitTransaction(pm);
-
- //grant hivePrivilege and solrPrivilege to role
- pm = openTransaction();
- MSentryRole role = getMSentryRole(pm, roleName);
- hivePrivilege.appendRole(role);
- solrPrivilege.appendRole(role);
- pm.makePersistent(hivePrivilege);
- pm.makePersistent(solrPrivilege);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(1, role.getGmPrivileges().size());
- commitTransaction(pm);
-
- //revoke solrPrivilege from role
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- solrPrivilege = (MSentryGMPrivilege)role.getGmPrivileges().toArray()[0];
- solrPrivilege.removeRole(role);
- pm.makePersistent(solrPrivilege);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(0, role.getGmPrivileges().size());
- commitTransaction(pm);
-
- //revoke hivePrivilege from role
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- hivePrivilege = (MSentryPrivilege)role.getPrivileges().toArray()[0];
- hivePrivilege.removeRole(role);
- pm.makePersistent(hivePrivilege);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(0, role.getPrivileges().size());
- assertEquals(0, role.getGmPrivileges().size());
- commitTransaction(pm);
- }
-
- @Test
- public void testDeletePrivilegeAndRole() throws Exception {
- String roleName = "r1";
- //hive/impala privilege
- MSentryPrivilege hivePrivilege = new MSentryPrivilege();
- hivePrivilege.setServerName("hive.server1");
- hivePrivilege.setDbName("db1");
- hivePrivilege.setTableName("tb1");
- hivePrivilege.setPrivilegeScope("table");
- hivePrivilege.setAction("select");
- hivePrivilege.setURI(SentryStore.NULL_COL);
- hivePrivilege.setColumnName(SentryStore.NULL_COL);
- hivePrivilege.setGrantOption(true);
-
- //solr privilege
- MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
- solrPrivilege.setComponentName("solr");
- solrPrivilege.setServiceName("solr.server1");
- solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
- solrPrivilege.setAction("query");
- solrPrivilege.setGrantOption(true);
-
- PersistenceManager pm = null;
- //create role
- pm = openTransaction();
- pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
- commitTransaction(pm);
-
- //grant hivePrivilege and solrPrivilege to role
- pm = openTransaction();
- MSentryRole role = getMSentryRole(pm, roleName);
- hivePrivilege.appendRole(role);
- solrPrivilege.appendRole(role);
- pm.makePersistent(hivePrivilege);
- pm.makePersistent(solrPrivilege);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(1, role.getPrivileges().size());
- assertEquals(1, role.getGmPrivileges().size());
- commitTransaction(pm);
-
- //remove all privileges
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- role.removeGMPrivileges();
- role.removePrivileges();
- pm.makePersistent(role);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.retrieve(role);
- assertEquals(0, role.getPrivileges().size());
- assertEquals(0, role.getGmPrivileges().size());
- commitTransaction(pm);
-
- //delete role
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- pm.deletePersistent(role);
- commitTransaction(pm);
-
- //check
- pm = openTransaction();
- role = getMSentryRole(pm, roleName);
- assertTrue(role == null);
- commitTransaction(pm);
- }
-
- private PersistenceManager openTransaction() {
- PersistenceManager pm = pmf.getPersistenceManager();
- Transaction currentTransaction = pm.currentTransaction();
- currentTransaction.begin();
- return pm;
- }
-
- private void commitTransaction(PersistenceManager pm) {
- Transaction currentTransaction = pm.currentTransaction();
- try {
- Preconditions.checkState(currentTransaction.isActive(), "Transaction is not active");
- currentTransaction.commit();
- } finally {
- pm.close();
- }
- }
-
- private MSentryRole getMSentryRole(PersistenceManager pm, String roleName) {
- Query query = pm.newQuery(MSentryRole.class);
- query.setFilter("this.roleName == t");
- query.declareParameters("java.lang.String t");
- query.setUnique(true);
- MSentryRole sentryRole = (MSentryRole) query.execute(roleName);
- return sentryRole;
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
deleted file mode 100644
index 94cade1..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
+++ /dev/null
@@ -1,73 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import java.security.PrivilegedExceptionAction;
-import java.util.Set;
-
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.After;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class SentryGenericServiceIntegrationBase extends SentryServiceIntegrationBase {
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryGenericServiceIntegrationBase.class);
- protected static final String SOLR = "SOLR";
- protected SentryGenericServiceClient client;
-
- /**
- * use the generic client to connect sentry service
- */
- @Override
- public void connectToSentryService() throws Exception {
- // The client should already be logged in when running in solr
- // therefore we must manually login in the integration tests
- if (kerberos) {
- this.client = clientUgi.doAs( new PrivilegedExceptionAction<SentryGenericServiceClient>() {
- @Override
- public SentryGenericServiceClient run() throws Exception {
- return SentryGenericServiceClientFactory.create(conf);
- }
- });
- } else {
- this.client = SentryGenericServiceClientFactory.create(conf);
- }
- }
-
- @After
- public void after() {
- try {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- Set<TSentryRole> tRoles = client.listAllRoles(ADMIN_USER, SOLR);
- for (TSentryRole tRole : tRoles) {
- client.dropRole(ADMIN_USER, tRole.getRoleName(), SOLR);
- }
- if(client != null) {
- client.close();
- }
- }
- });
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- } finally {
- policyFilePath.delete();
- }
- }
-}
[12/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/webapp/css/bootstrap.min.css
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/webapp/css/bootstrap.min.css b/sentry-service/sentry-service-server/src/main/webapp/css/bootstrap.min.css
new file mode 100644
index 0000000..a553c4f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/webapp/css/bootstrap.min.css
@@ -0,0 +1,9 @@
+/*!
+ * Bootstrap v3.0.0
+ *
+ * Copyright 2013 Twitter, Inc
+ * Licensed under the Apache License v2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Designed and built with all the love in the world by @mdo and @fat.
+ *//*! normalize.css v2.1.0 | MIT License | git.io/normalize */article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,video{display:inline-block}audio:not([controls]){display:none;height:0}[hidden]{display:none}html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}a:focus{outline:thin dotted}a:active,a:hover{outline:0}h1{margin:.67em 0;font-size:2em}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}hr{height:0;-moz-box-sizing:content-box;box-sizing:content-box}mark{color:#000;background:#ff0}code,kbd,pre,samp{font-family:monospace,serif;font-size:1em}pre{white-space:pre-wrap}q{quotes:"\201C" "\201D" "\2018" "\2019"}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-0.5em}sub{bottom:-0.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:0}fieldset{padding:.35em .625em .75em;margin:0
2px;border:1px solid #c0c0c0}legend{padding:0;border:0}button,input,select,textarea{margin:0;font-family:inherit;font-size:100%}button,input{line-height:normal}button,select{text-transform:none}button,html input[type="button"],input[type="reset"],input[type="submit"]{cursor:pointer;-webkit-appearance:button}button[disabled],html input[disabled]{cursor:default}input[type="checkbox"],input[type="radio"]{padding:0;box-sizing:border-box}input[type="search"]{-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-appearance:textfield}input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;border:0}textarea{overflow:auto;vertical-align:top}table{border-collapse:collapse;border-spacing:0}@media print{*{color:#000!important;text-shadow:none!important;background:transparent!important;box-shadow:none!important}a,a:visited{text-decorati
on:underline}a[href]:after{content:" (" attr(href) ")"}abbr[title]:after{content:" (" attr(title) ")"}.ir a:after,a[href^="javascript:"]:after,a[href^="#"]:after{content:""}pre,blockquote{border:1px solid #999;page-break-inside:avoid}thead{display:table-header-group}tr,img{page-break-inside:avoid}img{max-width:100%!important}@page{margin:2cm .5cm}p,h2,h3{orphans:3;widows:3}h2,h3{page-break-after:avoid}.navbar{display:none}.table td,.table th{background-color:#fff!important}.btn>.caret,.dropup>.btn>.caret{border-top-color:#000!important}.label{border:1px solid #000}.table{border-collapse:collapse!important}.table-bordered th,.table-bordered td{border:1px solid #ddd!important}}*,*:before,*:after{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}html{font-size:62.5%;-webkit-tap-highlight-color:rgba(0,0,0,0)}body{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:14px;line-height:1.428571429;color:#333;background-color:#fff}input,button,select
,textarea{font-family:inherit;font-size:inherit;line-height:inherit}button,input,select[multiple],textarea{background-image:none}a{color:#428bca;text-decoration:none}a:hover,a:focus{color:#2a6496;text-decoration:underline}a:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}img{vertical-align:middle}.img-responsive{display:block;height:auto;max-width:100%}.img-rounded{border-radius:6px}.img-thumbnail{display:inline-block;height:auto;max-width:100%;padding:4px;line-height:1.428571429;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.img-circle{border-radius:50%}hr{margin-top:20px;margin-bottom:20px;border:0;border-top:1px solid #eee}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0 0 0 0);border:0}p{margin:0 0 10px}.lead{margin-bottom:20px;font-size:16.099999999999998px;font-weight:200;line-height:1.4}@media(min-w
idth:768px){.lead{font-size:21px}}small{font-size:85%}cite{font-style:normal}.text-muted{color:#999}.text-primary{color:#428bca}.text-warning{color:#c09853}.text-danger{color:#b94a48}.text-success{color:#468847}.text-info{color:#3a87ad}.text-left{text-align:left}.text-right{text-align:right}.text-center{text-align:center}h1,h2,h3,h4,h5,h6,.h1,.h2,.h3,.h4,.h5,.h6{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-weight:500;line-height:1.1}h1 small,h2 small,h3 small,h4 small,h5 small,h6 small,.h1 small,.h2 small,.h3 small,.h4 small,.h5 small,.h6 small{font-weight:normal;line-height:1;color:#999}h1,h2,h3{margin-top:20px;margin-bottom:10px}h4,h5,h6{margin-top:10px;margin-bottom:10px}h1,.h1{font-size:36px}h2,.h2{font-size:30px}h3,.h3{font-size:24px}h4,.h4{font-size:18px}h5,.h5{font-size:14px}h6,.h6{font-size:12px}h1 small,.h1 small{font-size:24px}h2 small,.h2 small{font-size:18px}h3 small,.h3 small,h4 small,.h4 small{font-size:14px}.page-header{padding-bottom:9px;margin:40px 0
20px;border-bottom:1px solid #eee}ul,ol{margin-top:0;margin-bottom:10px}ul ul,ol ul,ul ol,ol ol{margin-bottom:0}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;list-style:none}.list-inline>li{display:inline-block;padding-right:5px;padding-left:5px}dl{margin-bottom:20px}dt,dd{line-height:1.428571429}dt{font-weight:bold}dd{margin-left:0}@media(min-width:768px){.dl-horizontal dt{float:left;width:160px;overflow:hidden;clear:left;text-align:right;text-overflow:ellipsis;white-space:nowrap}.dl-horizontal dd{margin-left:180px}.dl-horizontal dd:before,.dl-horizontal dd:after{display:table;content:" "}.dl-horizontal dd:after{clear:both}.dl-horizontal dd:before,.dl-horizontal dd:after{display:table;content:" "}.dl-horizontal dd:after{clear:both}}abbr[title],abbr[data-original-title]{cursor:help;border-bottom:1px dotted #999}abbr.initialism{font-size:90%;text-transform:uppercase}blockquote{padding:10px 20px;margin:0 0 20px;border-left:5px solid #eee}blockquote p{font-
size:17.5px;font-weight:300;line-height:1.25}blockquote p:last-child{margin-bottom:0}blockquote small{display:block;line-height:1.428571429;color:#999}blockquote small:before{content:'\2014 \00A0'}blockquote.pull-right{padding-right:15px;padding-left:0;border-right:5px solid #eee;border-left:0}blockquote.pull-right p,blockquote.pull-right small{text-align:right}blockquote.pull-right small:before{content:''}blockquote.pull-right small:after{content:'\00A0 \2014'}q:before,q:after,blockquote:before,blockquote:after{content:""}address{display:block;margin-bottom:20px;font-style:normal;line-height:1.428571429}code,pre{font-family:Monaco,Menlo,Consolas,"Courier New",monospace}code{padding:2px 4px;font-size:90%;color:#c7254e;white-space:nowrap;background-color:#f9f2f4;border-radius:4px}pre{display:block;padding:9.5px;margin:0 0 10px;font-size:13px;line-height:1.428571429;color:#333;word-break:break-all;word-wrap:break-word;background-color:#f5f5f5;border:1px solid #ccc;border-radius:4px}pr
e.prettyprint{margin-bottom:20px}pre code{padding:0;font-size:inherit;color:inherit;white-space:pre-wrap;background-color:transparent;border:0}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}.container:before,.container:after{display:table;content:" "}.container:after{clear:both}.container:before,.container:after{display:table;content:" "}.container:after{clear:both}.row{margin-right:-15px;margin-left:-15px}.row:before,.row:after{display:table;content:" "}.row:after{clear:both}.row:before,.row:after{display:table;content:" "}.row:after{clear:both}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11,.col-xs-12,.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11,.col-sm-12,.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11,
.col-md-12,.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11,.col-lg-12{position:relative;min-height:1px;padding-right:15px;padding-left:15px}.col-xs-1,.col-xs-2,.col-xs-3,.col-xs-4,.col-xs-5,.col-xs-6,.col-xs-7,.col-xs-8,.col-xs-9,.col-xs-10,.col-xs-11{float:left}.col-xs-1{width:8.333333333333332%}.col-xs-2{width:16.666666666666664%}.col-xs-3{width:25%}.col-xs-4{width:33.33333333333333%}.col-xs-5{width:41.66666666666667%}.col-xs-6{width:50%}.col-xs-7{width:58.333333333333336%}.col-xs-8{width:66.66666666666666%}.col-xs-9{width:75%}.col-xs-10{width:83.33333333333334%}.col-xs-11{width:91.66666666666666%}.col-xs-12{width:100%}@media(min-width:768px){.container{max-width:750px}.col-sm-1,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-10,.col-sm-11{float:left}.col-sm-1{width:8.333333333333332%}.col-sm-2{width:16.666666666666664%}.col-sm-3{width:25%}.col-sm-4{width:33.33333333333333%}.col
-sm-5{width:41.66666666666667%}.col-sm-6{width:50%}.col-sm-7{width:58.333333333333336%}.col-sm-8{width:66.66666666666666%}.col-sm-9{width:75%}.col-sm-10{width:83.33333333333334%}.col-sm-11{width:91.66666666666666%}.col-sm-12{width:100%}.col-sm-push-1{left:8.333333333333332%}.col-sm-push-2{left:16.666666666666664%}.col-sm-push-3{left:25%}.col-sm-push-4{left:33.33333333333333%}.col-sm-push-5{left:41.66666666666667%}.col-sm-push-6{left:50%}.col-sm-push-7{left:58.333333333333336%}.col-sm-push-8{left:66.66666666666666%}.col-sm-push-9{left:75%}.col-sm-push-10{left:83.33333333333334%}.col-sm-push-11{left:91.66666666666666%}.col-sm-pull-1{right:8.333333333333332%}.col-sm-pull-2{right:16.666666666666664%}.col-sm-pull-3{right:25%}.col-sm-pull-4{right:33.33333333333333%}.col-sm-pull-5{right:41.66666666666667%}.col-sm-pull-6{right:50%}.col-sm-pull-7{right:58.333333333333336%}.col-sm-pull-8{right:66.66666666666666%}.col-sm-pull-9{right:75%}.col-sm-pull-10{right:83.33333333333334%}.col-sm-pull-11
{right:91.66666666666666%}.col-sm-offset-1{margin-left:8.333333333333332%}.col-sm-offset-2{margin-left:16.666666666666664%}.col-sm-offset-3{margin-left:25%}.col-sm-offset-4{margin-left:33.33333333333333%}.col-sm-offset-5{margin-left:41.66666666666667%}.col-sm-offset-6{margin-left:50%}.col-sm-offset-7{margin-left:58.333333333333336%}.col-sm-offset-8{margin-left:66.66666666666666%}.col-sm-offset-9{margin-left:75%}.col-sm-offset-10{margin-left:83.33333333333334%}.col-sm-offset-11{margin-left:91.66666666666666%}}@media(min-width:992px){.container{max-width:970px}.col-md-1,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-10,.col-md-11{float:left}.col-md-1{width:8.333333333333332%}.col-md-2{width:16.666666666666664%}.col-md-3{width:25%}.col-md-4{width:33.33333333333333%}.col-md-5{width:41.66666666666667%}.col-md-6{width:50%}.col-md-7{width:58.333333333333336%}.col-md-8{width:66.66666666666666%}.col-md-9{width:75%}.col-md-10{width:83.33333333333334%}.
col-md-11{width:91.66666666666666%}.col-md-12{width:100%}.col-md-push-0{left:auto}.col-md-push-1{left:8.333333333333332%}.col-md-push-2{left:16.666666666666664%}.col-md-push-3{left:25%}.col-md-push-4{left:33.33333333333333%}.col-md-push-5{left:41.66666666666667%}.col-md-push-6{left:50%}.col-md-push-7{left:58.333333333333336%}.col-md-push-8{left:66.66666666666666%}.col-md-push-9{left:75%}.col-md-push-10{left:83.33333333333334%}.col-md-push-11{left:91.66666666666666%}.col-md-pull-0{right:auto}.col-md-pull-1{right:8.333333333333332%}.col-md-pull-2{right:16.666666666666664%}.col-md-pull-3{right:25%}.col-md-pull-4{right:33.33333333333333%}.col-md-pull-5{right:41.66666666666667%}.col-md-pull-6{right:50%}.col-md-pull-7{right:58.333333333333336%}.col-md-pull-8{right:66.66666666666666%}.col-md-pull-9{right:75%}.col-md-pull-10{right:83.33333333333334%}.col-md-pull-11{right:91.66666666666666%}.col-md-offset-0{margin-left:0}.col-md-offset-1{margin-left:8.333333333333332%}.col-md-offset-2{margin
-left:16.666666666666664%}.col-md-offset-3{margin-left:25%}.col-md-offset-4{margin-left:33.33333333333333%}.col-md-offset-5{margin-left:41.66666666666667%}.col-md-offset-6{margin-left:50%}.col-md-offset-7{margin-left:58.333333333333336%}.col-md-offset-8{margin-left:66.66666666666666%}.col-md-offset-9{margin-left:75%}.col-md-offset-10{margin-left:83.33333333333334%}.col-md-offset-11{margin-left:91.66666666666666%}}@media(min-width:1200px){.container{max-width:1170px}.col-lg-1,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-10,.col-lg-11{float:left}.col-lg-1{width:8.333333333333332%}.col-lg-2{width:16.666666666666664%}.col-lg-3{width:25%}.col-lg-4{width:33.33333333333333%}.col-lg-5{width:41.66666666666667%}.col-lg-6{width:50%}.col-lg-7{width:58.333333333333336%}.col-lg-8{width:66.66666666666666%}.col-lg-9{width:75%}.col-lg-10{width:83.33333333333334%}.col-lg-11{width:91.66666666666666%}.col-lg-12{width:100%}.col-lg-push-0{left:auto}.col-lg-push-
1{left:8.333333333333332%}.col-lg-push-2{left:16.666666666666664%}.col-lg-push-3{left:25%}.col-lg-push-4{left:33.33333333333333%}.col-lg-push-5{left:41.66666666666667%}.col-lg-push-6{left:50%}.col-lg-push-7{left:58.333333333333336%}.col-lg-push-8{left:66.66666666666666%}.col-lg-push-9{left:75%}.col-lg-push-10{left:83.33333333333334%}.col-lg-push-11{left:91.66666666666666%}.col-lg-pull-0{right:auto}.col-lg-pull-1{right:8.333333333333332%}.col-lg-pull-2{right:16.666666666666664%}.col-lg-pull-3{right:25%}.col-lg-pull-4{right:33.33333333333333%}.col-lg-pull-5{right:41.66666666666667%}.col-lg-pull-6{right:50%}.col-lg-pull-7{right:58.333333333333336%}.col-lg-pull-8{right:66.66666666666666%}.col-lg-pull-9{right:75%}.col-lg-pull-10{right:83.33333333333334%}.col-lg-pull-11{right:91.66666666666666%}.col-lg-offset-0{margin-left:0}.col-lg-offset-1{margin-left:8.333333333333332%}.col-lg-offset-2{margin-left:16.666666666666664%}.col-lg-offset-3{margin-left:25%}.col-lg-offset-4{margin-left:33.3333
3333333333%}.col-lg-offset-5{margin-left:41.66666666666667%}.col-lg-offset-6{margin-left:50%}.col-lg-offset-7{margin-left:58.333333333333336%}.col-lg-offset-8{margin-left:66.66666666666666%}.col-lg-offset-9{margin-left:75%}.col-lg-offset-10{margin-left:83.33333333333334%}.col-lg-offset-11{margin-left:91.66666666666666%}}table{max-width:100%;background-color:transparent}th{text-align:left}.table{width:100%;margin-bottom:20px}.table thead>tr>th,.table tbody>tr>th,.table tfoot>tr>th,.table thead>tr>td,.table tbody>tr>td,.table tfoot>tr>td{padding:8px;line-height:1.428571429;vertical-align:top;border-top:1px solid #ddd}.table thead>tr>th{vertical-align:bottom;border-bottom:2px solid #ddd}.table caption+thead tr:first-child th,.table colgroup+thead tr:first-child th,.table thead:first-child tr:first-child th,.table caption+thead tr:first-child td,.table colgroup+thead tr:first-child td,.table thead:first-child tr:first-child td{border-top:0}.table tbody+tbody{border-top:2px solid #ddd}.t
able .table{background-color:#fff}.table-condensed thead>tr>th,.table-condensed tbody>tr>th,.table-condensed tfoot>tr>th,.table-condensed thead>tr>td,.table-condensed tbody>tr>td,.table-condensed tfoot>tr>td{padding:5px}.table-bordered{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>tbody>tr>th,.table-bordered>tfoot>tr>th,.table-bordered>thead>tr>td,.table-bordered>tbody>tr>td,.table-bordered>tfoot>tr>td{border:1px solid #ddd}.table-bordered>thead>tr>th,.table-bordered>thead>tr>td{border-bottom-width:2px}.table-striped>tbody>tr:nth-child(odd)>td,.table-striped>tbody>tr:nth-child(odd)>th{background-color:#f9f9f9}.table-hover>tbody>tr:hover>td,.table-hover>tbody>tr:hover>th{background-color:#f5f5f5}table col[class*="col-"]{display:table-column;float:none}table td[class*="col-"],table th[class*="col-"]{display:table-cell;float:none}.table>thead>tr>td.active,.table>tbody>tr>td.active,.table>tfoot>tr>td.active,.table>thead>tr>th.active,.table>tbody>tr>th.active,.table>t
foot>tr>th.active,.table>thead>tr.active>td,.table>tbody>tr.active>td,.table>tfoot>tr.active>td,.table>thead>tr.active>th,.table>tbody>tr.active>th,.table>tfoot>tr.active>th{background-color:#f5f5f5}.table>thead>tr>td.success,.table>tbody>tr>td.success,.table>tfoot>tr>td.success,.table>thead>tr>th.success,.table>tbody>tr>th.success,.table>tfoot>tr>th.success,.table>thead>tr.success>td,.table>tbody>tr.success>td,.table>tfoot>tr.success>td,.table>thead>tr.success>th,.table>tbody>tr.success>th,.table>tfoot>tr.success>th{background-color:#dff0d8;border-color:#d6e9c6}.table-hover>tbody>tr>td.success:hover,.table-hover>tbody>tr>th.success:hover,.table-hover>tbody>tr.success:hover>td{background-color:#d0e9c6;border-color:#c9e2b3}.table>thead>tr>td.danger,.table>tbody>tr>td.danger,.table>tfoot>tr>td.danger,.table>thead>tr>th.danger,.table>tbody>tr>th.danger,.table>tfoot>tr>th.danger,.table>thead>tr.danger>td,.table>tbody>tr.danger>td,.table>tfoot>tr.danger>td,.table>thead>tr.danger>th,.tabl
e>tbody>tr.danger>th,.table>tfoot>tr.danger>th{background-color:#f2dede;border-color:#eed3d7}.table-hover>tbody>tr>td.danger:hover,.table-hover>tbody>tr>th.danger:hover,.table-hover>tbody>tr.danger:hover>td{background-color:#ebcccc;border-color:#e6c1c7}.table>thead>tr>td.warning,.table>tbody>tr>td.warning,.table>tfoot>tr>td.warning,.table>thead>tr>th.warning,.table>tbody>tr>th.warning,.table>tfoot>tr>th.warning,.table>thead>tr.warning>td,.table>tbody>tr.warning>td,.table>tfoot>tr.warning>td,.table>thead>tr.warning>th,.table>tbody>tr.warning>th,.table>tfoot>tr.warning>th{background-color:#fcf8e3;border-color:#fbeed5}.table-hover>tbody>tr>td.warning:hover,.table-hover>tbody>tr>th.warning:hover,.table-hover>tbody>tr.warning:hover>td{background-color:#faf2cc;border-color:#f8e5be}@media(max-width:768px){.table-responsive{width:100%;margin-bottom:15px;overflow-x:scroll;overflow-y:hidden;border:1px solid #ddd}.table-responsive>.table{margin-bottom:0;background-color:#fff}.table-responsive>
.table>thead>tr>th,.table-responsive>.table>tbody>tr>th,.table-responsive>.table>tfoot>tr>th,.table-responsive>.table>thead>tr>td,.table-responsive>.table>tbody>tr>td,.table-responsive>.table>tfoot>tr>td{white-space:nowrap}.table-responsive>.table-bordered{border:0}.table-responsive>.table-bordered>thead>tr>th:first-child,.table-responsive>.table-bordered>tbody>tr>th:first-child,.table-responsive>.table-bordered>tfoot>tr>th:first-child,.table-responsive>.table-bordered>thead>tr>td:first-child,.table-responsive>.table-bordered>tbody>tr>td:first-child,.table-responsive>.table-bordered>tfoot>tr>td:first-child{border-left:0}.table-responsive>.table-bordered>thead>tr>th:last-child,.table-responsive>.table-bordered>tbody>tr>th:last-child,.table-responsive>.table-bordered>tfoot>tr>th:last-child,.table-responsive>.table-bordered>thead>tr>td:last-child,.table-responsive>.table-bordered>tbody>tr>td:last-child,.table-responsive>.table-bordered>tfoot>tr>td:last-child{border-right:0}.table-respo
nsive>.table-bordered>thead>tr:last-child>th,.table-responsive>.table-bordered>tbody>tr:last-child>th,.table-responsive>.table-bordered>tfoot>tr:last-child>th,.table-responsive>.table-bordered>thead>tr:last-child>td,.table-responsive>.table-bordered>tbody>tr:last-child>td,.table-responsive>.table-bordered>tfoot>tr:last-child>td{border-bottom:0}}fieldset{padding:0;margin:0;border:0}legend{display:block;width:100%;padding:0;margin-bottom:20px;font-size:21px;line-height:inherit;color:#333;border:0;border-bottom:1px solid #e5e5e5}label{display:inline-block;margin-bottom:5px;font-weight:bold}input[type="search"]{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}input[type="radio"],input[type="checkbox"]{margin:4px 0 0;margin-top:1px \9;line-height:normal}input[type="file"]{display:block}select[multiple],select[size]{height:auto}select optgroup{font-family:inherit;font-size:inherit;font-style:inherit}input[type="file"]:focus,input[type="radio"]:focus,input[typ
e="checkbox"]:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}input[type="number"]::-webkit-outer-spin-button,input[type="number"]::-webkit-inner-spin-button{height:auto}.form-control:-moz-placeholder{color:#999}.form-control::-moz-placeholder{color:#999}.form-control:-ms-input-placeholder{color:#999}.form-control::-webkit-input-placeholder{color:#999}.form-control{display:block;width:100%;height:34px;padding:6px 12px;font-size:14px;line-height:1.428571429;color:#555;vertical-align:middle;background-color:#fff;border:1px solid #ccc;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);-webkit-transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s;transition:border-color ease-in-out .15s,box-shadow ease-in-out .15s}.form-control:focus{border-color:#66afe9;outline:0;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 8px rgba(102,175,233,0.6);box-shadow:inset 0
1px 1px rgba(0,0,0,0.075),0 0 8px rgba(102,175,233,0.6)}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee}textarea.form-control{height:auto}.form-group{margin-bottom:15px}.radio,.checkbox{display:block;min-height:20px;padding-left:20px;margin-top:10px;margin-bottom:10px;vertical-align:middle}.radio label,.checkbox label{display:inline;margin-bottom:0;font-weight:normal;cursor:pointer}.radio input[type="radio"],.radio-inline input[type="radio"],.checkbox input[type="checkbox"],.checkbox-inline input[type="checkbox"]{float:left;margin-left:-20px}.radio+.radio,.checkbox+.checkbox{margin-top:-5px}.radio-inline,.checkbox-inline{display:inline-block;padding-left:20px;margin-bottom:0;font-weight:normal;vertical-align:middle;cursor:pointer}.radio-inline+.radio-inline,.checkbox-inline+.checkbox-inline{margin-top:0;margin-left:10px}input[type="radio"][disabled],input[type="checkbox"][disabled],.radio[disabled],.radio-inl
ine[disabled],.checkbox[disabled],.checkbox-inline[disabled],fieldset[disabled] input[type="radio"],fieldset[disabled] input[type="checkbox"],fieldset[disabled] .radio,fieldset[disabled] .radio-inline,fieldset[disabled] .checkbox,fieldset[disabled] .checkbox-inline{cursor:not-allowed}.input-sm{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-sm{height:30px;line-height:30px}textarea.input-sm{height:auto}.input-lg{height:45px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-lg{height:45px;line-height:45px}textarea.input-lg{height:auto}.has-warning .help-block,.has-warning .control-label{color:#c09853}.has-warning .form-control{border-color:#c09853;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-warning .form-control:focus{border-color:#a47e3c;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #dbc59e;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0
6px #dbc59e}.has-warning .input-group-addon{color:#c09853;background-color:#fcf8e3;border-color:#c09853}.has-error .help-block,.has-error .control-label{color:#b94a48}.has-error .form-control{border-color:#b94a48;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-error .form-control:focus{border-color:#953b39;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #d59392;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #d59392}.has-error .input-group-addon{color:#b94a48;background-color:#f2dede;border-color:#b94a48}.has-success .help-block,.has-success .control-label{color:#468847}.has-success .form-control{border-color:#468847;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 1px rgba(0,0,0,0.075)}.has-success .form-control:focus{border-color:#356635;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #7aba7b;box-shadow:inset 0 1px 1px rgba(0,0,0,0.075),0 0 6px #7aba7b}.has-success .in
put-group-addon{color:#468847;background-color:#dff0d8;border-color:#468847}.form-control-static{padding-top:7px;margin-bottom:0}.help-block{display:block;margin-top:5px;margin-bottom:10px;color:#737373}@media(min-width:768px){.form-inline .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.form-inline .form-control{display:inline-block}.form-inline .radio,.form-inline .checkbox{display:inline-block;padding-left:0;margin-top:0;margin-bottom:0}.form-inline .radio input[type="radio"],.form-inline .checkbox input[type="checkbox"]{float:none;margin-left:0}}.form-horizontal .control-label,.form-horizontal .radio,.form-horizontal .checkbox,.form-horizontal .radio-inline,.form-horizontal .checkbox-inline{padding-top:7px;margin-top:0;margin-bottom:0}.form-horizontal .form-group{margin-right:-15px;margin-left:-15px}.form-horizontal .form-group:before,.form-horizontal .form-group:after{display:table;content:" "}.form-horizontal .form-group:after{clear:both}.form-horizontal
.form-group:before,.form-horizontal .form-group:after{display:table;content:" "}.form-horizontal .form-group:after{clear:both}@media(min-width:768px){.form-horizontal .control-label{text-align:right}}.btn{display:inline-block;padding:6px 12px;margin-bottom:0;font-size:14px;font-weight:normal;line-height:1.428571429;text-align:center;white-space:nowrap;vertical-align:middle;cursor:pointer;border:1px solid transparent;border-radius:4px;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;-o-user-select:none;user-select:none}.btn:focus{outline:thin dotted #333;outline:5px auto -webkit-focus-ring-color;outline-offset:-2px}.btn:hover,.btn:focus{color:#333;text-decoration:none}.btn:active,.btn.active{background-image:none;outline:0;-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn.disabled,.btn[disabled],fieldset[disabled] .btn{pointer-events:none;cursor:not-allowed;opacity:.65;filter:alpha(opacity=65);-webkit-box-shadow
:none;box-shadow:none}.btn-default{color:#333;background-color:#fff;border-color:#ccc}.btn-default:hover,.btn-default:focus,.btn-default:active,.btn-default.active,.open .dropdown-toggle.btn-default{color:#333;background-color:#ebebeb;border-color:#adadad}.btn-default:active,.btn-default.active,.open .dropdown-toggle.btn-default{background-image:none}.btn-default.disabled,.btn-default[disabled],fieldset[disabled] .btn-default,.btn-default.disabled:hover,.btn-default[disabled]:hover,fieldset[disabled] .btn-default:hover,.btn-default.disabled:focus,.btn-default[disabled]:focus,fieldset[disabled] .btn-default:focus,.btn-default.disabled:active,.btn-default[disabled]:active,fieldset[disabled] .btn-default:active,.btn-default.disabled.active,.btn-default[disabled].active,fieldset[disabled] .btn-default.active{background-color:#fff;border-color:#ccc}.btn-primary{color:#fff;background-color:#428bca;border-color:#357ebd}.btn-primary:hover,.btn-primary:focus,.btn-primary:active,.btn-primary.
active,.open .dropdown-toggle.btn-primary{color:#fff;background-color:#3276b1;border-color:#285e8e}.btn-primary:active,.btn-primary.active,.open .dropdown-toggle.btn-primary{background-image:none}.btn-primary.disabled,.btn-primary[disabled],fieldset[disabled] .btn-primary,.btn-primary.disabled:hover,.btn-primary[disabled]:hover,fieldset[disabled] .btn-primary:hover,.btn-primary.disabled:focus,.btn-primary[disabled]:focus,fieldset[disabled] .btn-primary:focus,.btn-primary.disabled:active,.btn-primary[disabled]:active,fieldset[disabled] .btn-primary:active,.btn-primary.disabled.active,.btn-primary[disabled].active,fieldset[disabled] .btn-primary.active{background-color:#428bca;border-color:#357ebd}.btn-warning{color:#fff;background-color:#f0ad4e;border-color:#eea236}.btn-warning:hover,.btn-warning:focus,.btn-warning:active,.btn-warning.active,.open .dropdown-toggle.btn-warning{color:#fff;background-color:#ed9c28;border-color:#d58512}.btn-warning:active,.btn-warning.active,.open .dropd
own-toggle.btn-warning{background-image:none}.btn-warning.disabled,.btn-warning[disabled],fieldset[disabled] .btn-warning,.btn-warning.disabled:hover,.btn-warning[disabled]:hover,fieldset[disabled] .btn-warning:hover,.btn-warning.disabled:focus,.btn-warning[disabled]:focus,fieldset[disabled] .btn-warning:focus,.btn-warning.disabled:active,.btn-warning[disabled]:active,fieldset[disabled] .btn-warning:active,.btn-warning.disabled.active,.btn-warning[disabled].active,fieldset[disabled] .btn-warning.active{background-color:#f0ad4e;border-color:#eea236}.btn-danger{color:#fff;background-color:#d9534f;border-color:#d43f3a}.btn-danger:hover,.btn-danger:focus,.btn-danger:active,.btn-danger.active,.open .dropdown-toggle.btn-danger{color:#fff;background-color:#d2322d;border-color:#ac2925}.btn-danger:active,.btn-danger.active,.open .dropdown-toggle.btn-danger{background-image:none}.btn-danger.disabled,.btn-danger[disabled],fieldset[disabled] .btn-danger,.btn-danger.disabled:hover,.btn-danger[di
sabled]:hover,fieldset[disabled] .btn-danger:hover,.btn-danger.disabled:focus,.btn-danger[disabled]:focus,fieldset[disabled] .btn-danger:focus,.btn-danger.disabled:active,.btn-danger[disabled]:active,fieldset[disabled] .btn-danger:active,.btn-danger.disabled.active,.btn-danger[disabled].active,fieldset[disabled] .btn-danger.active{background-color:#d9534f;border-color:#d43f3a}.btn-success{color:#fff;background-color:#5cb85c;border-color:#4cae4c}.btn-success:hover,.btn-success:focus,.btn-success:active,.btn-success.active,.open .dropdown-toggle.btn-success{color:#fff;background-color:#47a447;border-color:#398439}.btn-success:active,.btn-success.active,.open .dropdown-toggle.btn-success{background-image:none}.btn-success.disabled,.btn-success[disabled],fieldset[disabled] .btn-success,.btn-success.disabled:hover,.btn-success[disabled]:hover,fieldset[disabled] .btn-success:hover,.btn-success.disabled:focus,.btn-success[disabled]:focus,fieldset[disabled] .btn-success:focus,.btn-success.d
isabled:active,.btn-success[disabled]:active,fieldset[disabled] .btn-success:active,.btn-success.disabled.active,.btn-success[disabled].active,fieldset[disabled] .btn-success.active{background-color:#5cb85c;border-color:#4cae4c}.btn-info{color:#fff;background-color:#5bc0de;border-color:#46b8da}.btn-info:hover,.btn-info:focus,.btn-info:active,.btn-info.active,.open .dropdown-toggle.btn-info{color:#fff;background-color:#39b3d7;border-color:#269abc}.btn-info:active,.btn-info.active,.open .dropdown-toggle.btn-info{background-image:none}.btn-info.disabled,.btn-info[disabled],fieldset[disabled] .btn-info,.btn-info.disabled:hover,.btn-info[disabled]:hover,fieldset[disabled] .btn-info:hover,.btn-info.disabled:focus,.btn-info[disabled]:focus,fieldset[disabled] .btn-info:focus,.btn-info.disabled:active,.btn-info[disabled]:active,fieldset[disabled] .btn-info:active,.btn-info.disabled.active,.btn-info[disabled].active,fieldset[disabled] .btn-info.active{background-color:#5bc0de;border-color:#46
b8da}.btn-link{font-weight:normal;color:#428bca;cursor:pointer;border-radius:0}.btn-link,.btn-link:active,.btn-link[disabled],fieldset[disabled] .btn-link{background-color:transparent;-webkit-box-shadow:none;box-shadow:none}.btn-link,.btn-link:hover,.btn-link:focus,.btn-link:active{border-color:transparent}.btn-link:hover,.btn-link:focus{color:#2a6496;text-decoration:underline;background-color:transparent}.btn-link[disabled]:hover,fieldset[disabled] .btn-link:hover,.btn-link[disabled]:focus,fieldset[disabled] .btn-link:focus{color:#999;text-decoration:none}.btn-lg{padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}.btn-sm,.btn-xs{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-xs{padding:1px 5px}.btn-block{display:block;width:100%;padding-right:0;padding-left:0}.btn-block+.btn-block{margin-top:5px}input[type="submit"].btn-block,input[type="reset"].btn-block,input[type="button"].btn-block{width:100%}.fade{opacity:0;-webkit-transition:opacity .1
5s linear;transition:opacity .15s linear}.fade.in{opacity:1}.collapse{display:none}.collapse.in{display:block}.collapsing{position:relative;height:0;overflow:hidden;-webkit-transition:height .35s ease;transition:height .35s ease}@font-face{font-family:'Glyphicons Halflings';src:url('../fonts/glyphicons-halflings-regular.eot');src:url('../fonts/glyphicons-halflings-regular.eot?#iefix') format('embedded-opentype'),url('../fonts/glyphicons-halflings-regular.woff') format('woff'),url('../fonts/glyphicons-halflings-regular.ttf') format('truetype'),url('../fonts/glyphicons-halflings-regular.svg#glyphicons-halflingsregular') format('svg')}.glyphicon{position:relative;top:1px;display:inline-block;font-family:'Glyphicons Halflings';-webkit-font-smoothing:antialiased;font-style:normal;font-weight:normal;line-height:1}.glyphicon-asterisk:before{content:"\2a"}.glyphicon-plus:before{content:"\2b"}.glyphicon-euro:before{content:"\20ac"}.glyphicon-minus:before{content:"\2212"}.glyphicon-cloud:befo
re{content:"\2601"}.glyphicon-envelope:before{content:"\2709"}.glyphicon-pencil:before{content:"\270f"}.glyphicon-glass:before{content:"\e001"}.glyphicon-music:before{content:"\e002"}.glyphicon-search:before{content:"\e003"}.glyphicon-heart:before{content:"\e005"}.glyphicon-star:before{content:"\e006"}.glyphicon-star-empty:before{content:"\e007"}.glyphicon-user:before{content:"\e008"}.glyphicon-film:before{content:"\e009"}.glyphicon-th-large:before{content:"\e010"}.glyphicon-th:before{content:"\e011"}.glyphicon-th-list:before{content:"\e012"}.glyphicon-ok:before{content:"\e013"}.glyphicon-remove:before{content:"\e014"}.glyphicon-zoom-in:before{content:"\e015"}.glyphicon-zoom-out:before{content:"\e016"}.glyphicon-off:before{content:"\e017"}.glyphicon-signal:before{content:"\e018"}.glyphicon-cog:before{content:"\e019"}.glyphicon-trash:before{content:"\e020"}.glyphicon-home:before{content:"\e021"}.glyphicon-file:before{content:"\e022"}.glyphicon-time:before{content:"\e023"}.glyphicon-r
oad:before{content:"\e024"}.glyphicon-download-alt:before{content:"\e025"}.glyphicon-download:before{content:"\e026"}.glyphicon-upload:before{content:"\e027"}.glyphicon-inbox:before{content:"\e028"}.glyphicon-play-circle:before{content:"\e029"}.glyphicon-repeat:before{content:"\e030"}.glyphicon-refresh:before{content:"\e031"}.glyphicon-list-alt:before{content:"\e032"}.glyphicon-flag:before{content:"\e034"}.glyphicon-headphones:before{content:"\e035"}.glyphicon-volume-off:before{content:"\e036"}.glyphicon-volume-down:before{content:"\e037"}.glyphicon-volume-up:before{content:"\e038"}.glyphicon-qrcode:before{content:"\e039"}.glyphicon-barcode:before{content:"\e040"}.glyphicon-tag:before{content:"\e041"}.glyphicon-tags:before{content:"\e042"}.glyphicon-book:before{content:"\e043"}.glyphicon-print:before{content:"\e045"}.glyphicon-font:before{content:"\e047"}.glyphicon-bold:before{content:"\e048"}.glyphicon-italic:before{content:"\e049"}.glyphicon-text-height:before{content:"\e050"}.gly
phicon-text-width:before{content:"\e051"}.glyphicon-align-left:before{content:"\e052"}.glyphicon-align-center:before{content:"\e053"}.glyphicon-align-right:before{content:"\e054"}.glyphicon-align-justify:before{content:"\e055"}.glyphicon-list:before{content:"\e056"}.glyphicon-indent-left:before{content:"\e057"}.glyphicon-indent-right:before{content:"\e058"}.glyphicon-facetime-video:before{content:"\e059"}.glyphicon-picture:before{content:"\e060"}.glyphicon-map-marker:before{content:"\e062"}.glyphicon-adjust:before{content:"\e063"}.glyphicon-tint:before{content:"\e064"}.glyphicon-edit:before{content:"\e065"}.glyphicon-share:before{content:"\e066"}.glyphicon-check:before{content:"\e067"}.glyphicon-move:before{content:"\e068"}.glyphicon-step-backward:before{content:"\e069"}.glyphicon-fast-backward:before{content:"\e070"}.glyphicon-backward:before{content:"\e071"}.glyphicon-play:before{content:"\e072"}.glyphicon-pause:before{content:"\e073"}.glyphicon-stop:before{content:"\e074"}.glyphi
con-forward:before{content:"\e075"}.glyphicon-fast-forward:before{content:"\e076"}.glyphicon-step-forward:before{content:"\e077"}.glyphicon-eject:before{content:"\e078"}.glyphicon-chevron-left:before{content:"\e079"}.glyphicon-chevron-right:before{content:"\e080"}.glyphicon-plus-sign:before{content:"\e081"}.glyphicon-minus-sign:before{content:"\e082"}.glyphicon-remove-sign:before{content:"\e083"}.glyphicon-ok-sign:before{content:"\e084"}.glyphicon-question-sign:before{content:"\e085"}.glyphicon-info-sign:before{content:"\e086"}.glyphicon-screenshot:before{content:"\e087"}.glyphicon-remove-circle:before{content:"\e088"}.glyphicon-ok-circle:before{content:"\e089"}.glyphicon-ban-circle:before{content:"\e090"}.glyphicon-arrow-left:before{content:"\e091"}.glyphicon-arrow-right:before{content:"\e092"}.glyphicon-arrow-up:before{content:"\e093"}.glyphicon-arrow-down:before{content:"\e094"}.glyphicon-share-alt:before{content:"\e095"}.glyphicon-resize-full:before{content:"\e096"}.glyphicon-re
size-small:before{content:"\e097"}.glyphicon-exclamation-sign:before{content:"\e101"}.glyphicon-gift:before{content:"\e102"}.glyphicon-leaf:before{content:"\e103"}.glyphicon-eye-open:before{content:"\e105"}.glyphicon-eye-close:before{content:"\e106"}.glyphicon-warning-sign:before{content:"\e107"}.glyphicon-plane:before{content:"\e108"}.glyphicon-random:before{content:"\e110"}.glyphicon-comment:before{content:"\e111"}.glyphicon-magnet:before{content:"\e112"}.glyphicon-chevron-up:before{content:"\e113"}.glyphicon-chevron-down:before{content:"\e114"}.glyphicon-retweet:before{content:"\e115"}.glyphicon-shopping-cart:before{content:"\e116"}.glyphicon-folder-close:before{content:"\e117"}.glyphicon-folder-open:before{content:"\e118"}.glyphicon-resize-vertical:before{content:"\e119"}.glyphicon-resize-horizontal:before{content:"\e120"}.glyphicon-hdd:before{content:"\e121"}.glyphicon-bullhorn:before{content:"\e122"}.glyphicon-certificate:before{content:"\e124"}.glyphicon-thumbs-up:before{cont
ent:"\e125"}.glyphicon-thumbs-down:before{content:"\e126"}.glyphicon-hand-right:before{content:"\e127"}.glyphicon-hand-left:before{content:"\e128"}.glyphicon-hand-up:before{content:"\e129"}.glyphicon-hand-down:before{content:"\e130"}.glyphicon-circle-arrow-right:before{content:"\e131"}.glyphicon-circle-arrow-left:before{content:"\e132"}.glyphicon-circle-arrow-up:before{content:"\e133"}.glyphicon-circle-arrow-down:before{content:"\e134"}.glyphicon-globe:before{content:"\e135"}.glyphicon-tasks:before{content:"\e137"}.glyphicon-filter:before{content:"\e138"}.glyphicon-fullscreen:before{content:"\e140"}.glyphicon-dashboard:before{content:"\e141"}.glyphicon-heart-empty:before{content:"\e143"}.glyphicon-link:before{content:"\e144"}.glyphicon-phone:before{content:"\e145"}.glyphicon-usd:before{content:"\e148"}.glyphicon-gbp:before{content:"\e149"}.glyphicon-sort:before{content:"\e150"}.glyphicon-sort-by-alphabet:before{content:"\e151"}.glyphicon-sort-by-alphabet-alt:before{content:"\e152"}.
glyphicon-sort-by-order:before{content:"\e153"}.glyphicon-sort-by-order-alt:before{content:"\e154"}.glyphicon-sort-by-attributes:before{content:"\e155"}.glyphicon-sort-by-attributes-alt:before{content:"\e156"}.glyphicon-unchecked:before{content:"\e157"}.glyphicon-expand:before{content:"\e158"}.glyphicon-collapse-down:before{content:"\e159"}.glyphicon-collapse-up:before{content:"\e160"}.glyphicon-log-in:before{content:"\e161"}.glyphicon-flash:before{content:"\e162"}.glyphicon-log-out:before{content:"\e163"}.glyphicon-new-window:before{content:"\e164"}.glyphicon-record:before{content:"\e165"}.glyphicon-save:before{content:"\e166"}.glyphicon-open:before{content:"\e167"}.glyphicon-saved:before{content:"\e168"}.glyphicon-import:before{content:"\e169"}.glyphicon-export:before{content:"\e170"}.glyphicon-send:before{content:"\e171"}.glyphicon-floppy-disk:before{content:"\e172"}.glyphicon-floppy-saved:before{content:"\e173"}.glyphicon-floppy-remove:before{content:"\e174"}.glyphicon-floppy-sa
ve:before{content:"\e175"}.glyphicon-floppy-open:before{content:"\e176"}.glyphicon-credit-card:before{content:"\e177"}.glyphicon-transfer:before{content:"\e178"}.glyphicon-cutlery:before{content:"\e179"}.glyphicon-header:before{content:"\e180"}.glyphicon-compressed:before{content:"\e181"}.glyphicon-earphone:before{content:"\e182"}.glyphicon-phone-alt:before{content:"\e183"}.glyphicon-tower:before{content:"\e184"}.glyphicon-stats:before{content:"\e185"}.glyphicon-sd-video:before{content:"\e186"}.glyphicon-hd-video:before{content:"\e187"}.glyphicon-subtitles:before{content:"\e188"}.glyphicon-sound-stereo:before{content:"\e189"}.glyphicon-sound-dolby:before{content:"\e190"}.glyphicon-sound-5-1:before{content:"\e191"}.glyphicon-sound-6-1:before{content:"\e192"}.glyphicon-sound-7-1:before{content:"\e193"}.glyphicon-copyright-mark:before{content:"\e194"}.glyphicon-registration-mark:before{content:"\e195"}.glyphicon-cloud-download:before{content:"\e197"}.glyphicon-cloud-upload:before{conte
nt:"\e198"}.glyphicon-tree-conifer:before{content:"\e199"}.glyphicon-tree-deciduous:before{content:"\e200"}.glyphicon-briefcase:before{content:"\1f4bc"}.glyphicon-calendar:before{content:"\1f4c5"}.glyphicon-pushpin:before{content:"\1f4cc"}.glyphicon-paperclip:before{content:"\1f4ce"}.glyphicon-camera:before{content:"\1f4f7"}.glyphicon-lock:before{content:"\1f512"}.glyphicon-bell:before{content:"\1f514"}.glyphicon-bookmark:before{content:"\1f516"}.glyphicon-fire:before{content:"\1f525"}.glyphicon-wrench:before{content:"\1f527"}.caret{display:inline-block;width:0;height:0;margin-left:2px;vertical-align:middle;border-top:4px solid #000;border-right:4px solid transparent;border-bottom:0 dotted;border-left:4px solid transparent;content:""}.dropdown{position:relative}.dropdown-toggle:focus{outline:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:160px;padding:5px 0;margin:2px 0 0;font-size:14px;list-style:none;background-color:#fff;border:1
px solid #ccc;border:1px solid rgba(0,0,0,0.15);border-radius:4px;-webkit-box-shadow:0 6px 12px rgba(0,0,0,0.175);box-shadow:0 6px 12px rgba(0,0,0,0.175);background-clip:padding-box}.dropdown-menu.pull-right{right:0;left:auto}.dropdown-menu .divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.dropdown-menu>li>a{display:block;padding:3px 20px;clear:both;font-weight:normal;line-height:1.428571429;color:#333;white-space:nowrap}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus{color:#fff;text-decoration:none;background-color:#428bca}.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{color:#fff;text-decoration:none;background-color:#428bca;outline:0}.dropdown-menu>.disabled>a,.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{color:#999}.dropdown-menu>.disabled>a:hover,.dropdown-menu>.disabled>a:focus{text-decoration:none;cursor:not-allowed;background-color:transparent;background-image:none;filter:progid:DXImageTr
ansform.Microsoft.gradient(enabled=false)}.open>.dropdown-menu{display:block}.open>a{outline:0}.dropdown-header{display:block;padding:3px 20px;font-size:12px;line-height:1.428571429;color:#999}.dropdown-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:990}.pull-right>.dropdown-menu{right:0;left:auto}.dropup .caret,.navbar-fixed-bottom .dropdown .caret{border-top:0 dotted;border-bottom:4px solid #000;content:""}.dropup .dropdown-menu,.navbar-fixed-bottom .dropdown .dropdown-menu{top:auto;bottom:100%;margin-bottom:1px}@media(min-width:768px){.navbar-right .dropdown-menu{right:0;left:auto}}.btn-default .caret{border-top-color:#333}.btn-primary .caret,.btn-success .caret,.btn-warning .caret,.btn-danger .caret,.btn-info .caret{border-top-color:#fff}.dropup .btn-default .caret{border-bottom-color:#333}.dropup .btn-primary .caret,.dropup .btn-success .caret,.dropup .btn-warning .caret,.dropup .btn-danger .caret,.dropup .btn-info .caret{border-bottom-color:#fff}.btn-group,.btn-
group-vertical{position:relative;display:inline-block;vertical-align:middle}.btn-group>.btn,.btn-group-vertical>.btn{position:relative;float:left}.btn-group>.btn:hover,.btn-group-vertical>.btn:hover,.btn-group>.btn:focus,.btn-group-vertical>.btn:focus,.btn-group>.btn:active,.btn-group-vertical>.btn:active,.btn-group>.btn.active,.btn-group-vertical>.btn.active{z-index:2}.btn-group>.btn:focus,.btn-group-vertical>.btn:focus{outline:0}.btn-group .btn+.btn,.btn-group .btn+.btn-group,.btn-group .btn-group+.btn,.btn-group .btn-group+.btn-group{margin-left:-1px}.btn-toolbar:before,.btn-toolbar:after{display:table;content:" "}.btn-toolbar:after{clear:both}.btn-toolbar:before,.btn-toolbar:after{display:table;content:" "}.btn-toolbar:after{clear:both}.btn-toolbar .btn-group{float:left}.btn-toolbar>.btn+.btn,.btn-toolbar>.btn-group+.btn,.btn-toolbar>.btn+.btn-group,.btn-toolbar>.btn-group+.btn-group{margin-left:5px}.btn-group>.btn:not(:first-child):not(:last-child):not(.dropdown-toggle){border-
radius:0}.btn-group>.btn:first-child{margin-left:0}.btn-group>.btn:first-child:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn:last-child:not(:first-child),.btn-group>.dropdown-toggle:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.btn-group>.btn-group{float:left}.btn-group>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group>.btn-group:first-child>.btn:last-child,.btn-group>.btn-group:first-child>.dropdown-toggle{border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:last-child>.btn:first-child{border-bottom-left-radius:0;border-top-left-radius:0}.btn-group .dropdown-toggle:active,.btn-group.open .dropdown-toggle{outline:0}.btn-group-xs>.btn{padding:5px 10px;padding:1px 5px;font-size:12px;line-height:1.5;border-radius:3px}.btn-group-sm>.btn{padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}.btn-group-lg>.btn{padding:10px 16px;font-size
:18px;line-height:1.33;border-radius:6px}.btn-group>.btn+.dropdown-toggle{padding-right:8px;padding-left:8px}.btn-group>.btn-lg+.dropdown-toggle{padding-right:12px;padding-left:12px}.btn-group.open .dropdown-toggle{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn .caret{margin-left:0}.btn-lg .caret{border-width:5px 5px 0;border-bottom-width:0}.dropup .btn-lg .caret{border-width:0 5px 5px}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group{display:block;float:none;width:100%;max-width:100%}.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after{display:table;content:" "}.btn-group-vertical>.btn-group:after{clear:both}.btn-group-vertical>.btn-group:before,.btn-group-vertical>.btn-group:after{display:table;content:" "}.btn-group-vertical>.btn-group:after{clear:both}.btn-group-vertical>.btn-group>.btn{float:none}.btn-group-vertical>.btn+.btn,.btn-group-vertical>.btn+.btn-group,.btn-group-vertical>.btn-group+.bt
n,.btn-group-vertical>.btn-group+.btn-group{margin-top:-1px;margin-left:0}.btn-group-vertical>.btn:not(:first-child):not(:last-child){border-radius:0}.btn-group-vertical>.btn:first-child:not(:last-child){border-top-right-radius:4px;border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn:last-child:not(:first-child){border-top-right-radius:0;border-bottom-left-radius:4px;border-top-left-radius:0}.btn-group-vertical>.btn-group:not(:first-child):not(:last-child)>.btn{border-radius:0}.btn-group-vertical>.btn-group:first-child>.btn:last-child,.btn-group-vertical>.btn-group:first-child>.dropdown-toggle{border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:last-child>.btn:first-child{border-top-right-radius:0;border-top-left-radius:0}.btn-group-justified{display:table;width:100%;border-collapse:separate;table-layout:fixed}.btn-group-justified .btn{display:table-cell;float:none;width:1%}[data-toggle="buttons"]>.btn>input[type="radi
o"],[data-toggle="buttons"]>.btn>input[type="checkbox"]{display:none}.input-group{position:relative;display:table;border-collapse:separate}.input-group.col{float:none;padding-right:0;padding-left:0}.input-group .form-control{width:100%;margin-bottom:0}.input-group-lg>.form-control,.input-group-lg>.input-group-addon,.input-group-lg>.input-group-btn>.btn{height:45px;padding:10px 16px;font-size:18px;line-height:1.33;border-radius:6px}select.input-group-lg>.form-control,select.input-group-lg>.input-group-addon,select.input-group-lg>.input-group-btn>.btn{height:45px;line-height:45px}textarea.input-group-lg>.form-control,textarea.input-group-lg>.input-group-addon,textarea.input-group-lg>.input-group-btn>.btn{height:auto}.input-group-sm>.form-control,.input-group-sm>.input-group-addon,.input-group-sm>.input-group-btn>.btn{height:30px;padding:5px 10px;font-size:12px;line-height:1.5;border-radius:3px}select.input-group-sm>.form-control,select.input-group-sm>.input-group-addon,select.input-gr
oup-sm>.input-group-btn>.btn{height:30px;line-height:30px}textarea.input-group-sm>.form-control,textarea.input-group-sm>.input-group-addon,textarea.input-group-sm>.input-group-btn>.btn{height:auto}.input-group-addon,.input-group-btn,.input-group .form-control{display:table-cell}.input-group-addon:not(:first-child):not(:last-child),.input-group-btn:not(:first-child):not(:last-child),.input-group .form-control:not(:first-child):not(:last-child){border-radius:0}.input-group-addon,.input-group-btn{width:1%;white-space:nowrap;vertical-align:middle}.input-group-addon{padding:6px 12px;font-size:14px;font-weight:normal;line-height:1;text-align:center;background-color:#eee;border:1px solid #ccc;border-radius:4px}.input-group-addon.input-sm{padding:5px 10px;font-size:12px;border-radius:3px}.input-group-addon.input-lg{padding:10px 16px;font-size:18px;border-radius:6px}.input-group-addon input[type="radio"],.input-group-addon input[type="checkbox"]{margin-top:0}.input-group .form-control:first-
child,.input-group-addon:first-child,.input-group-btn:first-child>.btn,.input-group-btn:first-child>.dropdown-toggle,.input-group-btn:last-child>.btn:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.input-group-addon:first-child{border-right:0}.input-group .form-control:last-child,.input-group-addon:last-child,.input-group-btn:last-child>.btn,.input-group-btn:last-child>.dropdown-toggle,.input-group-btn:first-child>.btn:not(:first-child){border-bottom-left-radius:0;border-top-left-radius:0}.input-group-addon:last-child{border-left:0}.input-group-btn{position:relative;white-space:nowrap}.input-group-btn>.btn{position:relative}.input-group-btn>.btn+.btn{margin-left:-4px}.input-group-btn>.btn:hover,.input-group-btn>.btn:active{z-index:2}.nav{padding-left:0;margin-bottom:0;list-style:none}.nav:before,.nav:after{display:table;content:" "}.nav:after{clear:both}.nav:before,.nav:after{display:table;content:" "}.nav:after{clear:both}.nav>li{posit
ion:relative;display:block}.nav>li>a{position:relative;display:block;padding:10px 15px}.nav>li>a:hover,.nav>li>a:focus{text-decoration:none;background-color:#eee}.nav>li.disabled>a{color:#999}.nav>li.disabled>a:hover,.nav>li.disabled>a:focus{color:#999;text-decoration:none;cursor:not-allowed;background-color:transparent}.nav .open>a,.nav .open>a:hover,.nav .open>a:focus{background-color:#eee;border-color:#428bca}.nav .nav-divider{height:1px;margin:9px 0;overflow:hidden;background-color:#e5e5e5}.nav>li>a>img{max-width:none}.nav-tabs{border-bottom:1px solid #ddd}.nav-tabs>li{float:left;margin-bottom:-1px}.nav-tabs>li>a{margin-right:2px;line-height:1.428571429;border:1px solid transparent;border-radius:4px 4px 0 0}.nav-tabs>li>a:hover{border-color:#eee #eee #ddd}.nav-tabs>li.active>a,.nav-tabs>li.active>a:hover,.nav-tabs>li.active>a:focus{color:#555;cursor:default;background-color:#fff;border:1px solid #ddd;border-bottom-color:transparent}.nav-tabs.nav-justified{width:100%;border-botto
m:0}.nav-tabs.nav-justified>li{float:none}.nav-tabs.nav-justified>li>a{text-align:center}@media(min-width:768px){.nav-tabs.nav-justified>li{display:table-cell;width:1%}}.nav-tabs.nav-justified>li>a{margin-right:0;border-bottom:1px solid #ddd}.nav-tabs.nav-justified>.active>a{border-bottom-color:#fff}.nav-pills>li{float:left}.nav-pills>li>a{border-radius:5px}.nav-pills>li+li{margin-left:2px}.nav-pills>li.active>a,.nav-pills>li.active>a:hover,.nav-pills>li.active>a:focus{color:#fff;background-color:#428bca}.nav-stacked>li{float:none}.nav-stacked>li+li{margin-top:2px;margin-left:0}.nav-justified{width:100%}.nav-justified>li{float:none}.nav-justified>li>a{text-align:center}@media(min-width:768px){.nav-justified>li{display:table-cell;width:1%}}.nav-tabs-justified{border-bottom:0}.nav-tabs-justified>li>a{margin-right:0;border-bottom:1px solid #ddd}.nav-tabs-justified>.active>a{border-bottom-color:#fff}.tabbable:before,.tabbable:after{display:table;content:" "}.tabbable:after{clear:both}.t
abbable:before,.tabbable:after{display:table;content:" "}.tabbable:after{clear:both}.tab-content>.tab-pane,.pill-content>.pill-pane{display:none}.tab-content>.active,.pill-content>.active{display:block}.nav .caret{border-top-color:#428bca;border-bottom-color:#428bca}.nav a:hover .caret{border-top-color:#2a6496;border-bottom-color:#2a6496}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-right-radius:0;border-top-left-radius:0}.navbar{position:relative;z-index:1000;min-height:50px;margin-bottom:20px;border:1px solid transparent}.navbar:before,.navbar:after{display:table;content:" "}.navbar:after{clear:both}.navbar:before,.navbar:after{display:table;content:" "}.navbar:after{clear:both}@media(min-width:768px){.navbar{border-radius:4px}}.navbar-header:before,.navbar-header:after{display:table;content:" "}.navbar-header:after{clear:both}.navbar-header:before,.navbar-header:after{display:table;content:" "}.navbar-header:after{clear:both}@media(min-width:768px){.navbar-header{float:left
}}.navbar-collapse{max-height:340px;padding-right:15px;padding-left:15px;overflow-x:visible;border-top:1px solid transparent;box-shadow:inset 0 1px 0 rgba(255,255,255,0.1);-webkit-overflow-scrolling:touch}.navbar-collapse:before,.navbar-collapse:after{display:table;content:" "}.navbar-collapse:after{clear:both}.navbar-collapse:before,.navbar-collapse:after{display:table;content:" "}.navbar-collapse:after{clear:both}.navbar-collapse.in{overflow-y:auto}@media(min-width:768px){.navbar-collapse{width:auto;border-top:0;box-shadow:none}.navbar-collapse.collapse{display:block!important;height:auto!important;padding-bottom:0;overflow:visible!important}.navbar-collapse.in{overflow-y:visible}.navbar-collapse .navbar-nav.navbar-left:first-child{margin-left:-15px}.navbar-collapse .navbar-nav.navbar-right:last-child{margin-right:-15px}.navbar-collapse .navbar-text:last-child{margin-right:0}}.container>.navbar-header,.container>.navbar-collapse{margin-right:-15px;margin-left:-15px}@media(min-widt
h:768px){.container>.navbar-header,.container>.navbar-collapse{margin-right:0;margin-left:0}}.navbar-static-top{border-width:0 0 1px}@media(min-width:768px){.navbar-static-top{border-radius:0}}.navbar-fixed-top,.navbar-fixed-bottom{position:fixed;right:0;left:0;border-width:0 0 1px}@media(min-width:768px){.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}}.navbar-fixed-top{top:0;z-index:1030}.navbar-fixed-bottom{bottom:0;margin-bottom:0}.navbar-brand{float:left;padding:15px 15px;font-size:18px;line-height:20px}.navbar-brand:hover,.navbar-brand:focus{text-decoration:none}@media(min-width:768px){.navbar>.container .navbar-brand{margin-left:-15px}}.navbar-toggle{position:relative;float:right;padding:9px 10px;margin-top:8px;margin-right:15px;margin-bottom:8px;background-color:transparent;border:1px solid transparent;border-radius:4px}.navbar-toggle .icon-bar{display:block;width:22px;height:2px;border-radius:1px}.navbar-toggle .icon-bar+.icon-bar{margin-top:4px}@media(min-width:768p
x){.navbar-toggle{display:none}}.navbar-nav{margin:7.5px -15px}.navbar-nav>li>a{padding-top:10px;padding-bottom:10px;line-height:20px}@media(max-width:767px){.navbar-nav .open .dropdown-menu{position:static;float:none;width:auto;margin-top:0;background-color:transparent;border:0;box-shadow:none}.navbar-nav .open .dropdown-menu>li>a,.navbar-nav .open .dropdown-menu .dropdown-header{padding:5px 15px 5px 25px}.navbar-nav .open .dropdown-menu>li>a{line-height:20px}.navbar-nav .open .dropdown-menu>li>a:hover,.navbar-nav .open .dropdown-menu>li>a:focus{background-image:none}}@media(min-width:768px){.navbar-nav{float:left;margin:0}.navbar-nav>li{float:left}.navbar-nav>li>a{padding-top:15px;padding-bottom:15px}}@media(min-width:768px){.navbar-left{float:left!important}.navbar-right{float:right!important}}.navbar-form{padding:10px 15px;margin-top:8px;margin-right:-15px;margin-bottom:8px;margin-left:-15px;border-top:1px solid transparent;border-bottom:1px solid transparent;-webkit-box-shadow:
inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 0 rgba(255,255,255,0.1),0 1px 0 rgba(255,255,255,0.1)}@media(min-width:768px){.navbar-form .form-group{display:inline-block;margin-bottom:0;vertical-align:middle}.navbar-form .form-control{display:inline-block}.navbar-form .radio,.navbar-form .checkbox{display:inline-block;padding-left:0;margin-top:0;margin-bottom:0}.navbar-form .radio input[type="radio"],.navbar-form .checkbox input[type="checkbox"]{float:none;margin-left:0}}@media(max-width:767px){.navbar-form .form-group{margin-bottom:5px}}@media(min-width:768px){.navbar-form{width:auto;padding-top:0;padding-bottom:0;margin-right:0;margin-left:0;border:0;-webkit-box-shadow:none;box-shadow:none}}.navbar-nav>li>.dropdown-menu{margin-top:0;border-top-right-radius:0;border-top-left-radius:0}.navbar-fixed-bottom .navbar-nav>li>.dropdown-menu{border-bottom-right-radius:0;border-bottom-left-radius:0}.navbar-nav.pull-right>li>.dropdown-menu,.navbar-n
av>li>.dropdown-menu.pull-right{right:0;left:auto}.navbar-btn{margin-top:8px;margin-bottom:8px}.navbar-text{float:left;margin-top:15px;margin-bottom:15px}@media(min-width:768px){.navbar-text{margin-right:15px;margin-left:15px}}.navbar-default{background-color:#f8f8f8;border-color:#e7e7e7}.navbar-default .navbar-brand{color:#777}.navbar-default .navbar-brand:hover,.navbar-default .navbar-brand:focus{color:#5e5e5e;background-color:transparent}.navbar-default .navbar-text{color:#777}.navbar-default .navbar-nav>li>a{color:#777}.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav>.active>a,.navbar-default .navbar-nav>.active>a:hover,.navbar-default .navbar-nav>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.disabled>a,.navbar-default .navbar-nav>.disabled>a:hover,.navbar-default .navbar-nav>.disabled>a:focus{color:#ccc;background-color:transparent}.navbar-default
.navbar-toggle{border-color:#ddd}.navbar-default .navbar-toggle:hover,.navbar-default .navbar-toggle:focus{background-color:#ddd}.navbar-default .navbar-toggle .icon-bar{background-color:#ccc}.navbar-default .navbar-collapse,.navbar-default .navbar-form{border-color:#e6e6e6}.navbar-default .navbar-nav>.dropdown>a:hover .caret,.navbar-default .navbar-nav>.dropdown>a:focus .caret{border-top-color:#333;border-bottom-color:#333}.navbar-default .navbar-nav>.open>a,.navbar-default .navbar-nav>.open>a:hover,.navbar-default .navbar-nav>.open>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav>.open>a .caret,.navbar-default .navbar-nav>.open>a:hover .caret,.navbar-default .navbar-nav>.open>a:focus .caret{border-top-color:#555;border-bottom-color:#555}.navbar-default .navbar-nav>.dropdown>a .caret{border-top-color:#777;border-bottom-color:#777}@media(max-width:767px){.navbar-default .navbar-nav .open .dropdown-menu>li>a{color:#777}.navbar-default .navbar-nav .open .dropdow
n-menu>li>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>li>a:focus{color:#333;background-color:transparent}.navbar-default .navbar-nav .open .dropdown-menu>.active>a,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.active>a:focus{color:#555;background-color:#e7e7e7}.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-default .navbar-nav .open .dropdown-menu>.disabled>a:focus{color:#ccc;background-color:transparent}}.navbar-default .navbar-link{color:#777}.navbar-default .navbar-link:hover{color:#333}.navbar-inverse{background-color:#222;border-color:#080808}.navbar-inverse .navbar-brand{color:#999}.navbar-inverse .navbar-brand:hover,.navbar-inverse .navbar-brand:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-text{color:#999}.navbar-inverse .navbar-nav>li>a{color:#999}.navbar-inverse .navbar-nav>li>a:hov
er,.navbar-inverse .navbar-nav>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav>.active>a,.navbar-inverse .navbar-nav>.active>a:hover,.navbar-inverse .navbar-nav>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.disabled>a,.navbar-inverse .navbar-nav>.disabled>a:hover,.navbar-inverse .navbar-nav>.disabled>a:focus{color:#444;background-color:transparent}.navbar-inverse .navbar-toggle{border-color:#333}.navbar-inverse .navbar-toggle:hover,.navbar-inverse .navbar-toggle:focus{background-color:#333}.navbar-inverse .navbar-toggle .icon-bar{background-color:#fff}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#101010}.navbar-inverse .navbar-nav>.open>a,.navbar-inverse .navbar-nav>.open>a:hover,.navbar-inverse .navbar-nav>.open>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav>.dropdown>a:hover .caret{border-top-color:#fff;border-bottom-color:#fff}.navbar-inverse .navbar-nav>.dropd
own>a .caret{border-top-color:#999;border-bottom-color:#999}.navbar-inverse .navbar-nav>.open>a .caret,.navbar-inverse .navbar-nav>.open>a:hover .caret,.navbar-inverse .navbar-nav>.open>a:focus .caret{border-top-color:#fff;border-bottom-color:#fff}@media(max-width:767px){.navbar-inverse .navbar-nav .open .dropdown-menu>.dropdown-header{border-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a{color:#999}.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>li>a:focus{color:#fff;background-color:transparent}.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.active>a:focus{color:#fff;background-color:#080808}.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a:hover,.navbar-inverse .navbar-nav .open .dropdown-menu>.disabled>a
:focus{color:#444;background-color:transparent}}.navbar-inverse .navbar-link{color:#999}.navbar-inverse .navbar-link:hover{color:#fff}.breadcrumb{padding:8px 15px;margin-bottom:20px;list-style:none;background-color:#f5f5f5;border-radius:4px}.breadcrumb>li{display:inline-block}.breadcrumb>li+li:before{padding:0 5px;color:#ccc;content:"/\00a0"}.breadcrumb>.active{color:#999}.pagination{display:inline-block;padding-left:0;margin:20px 0;border-radius:4px}.pagination>li{display:inline}.pagination>li>a,.pagination>li>span{position:relative;float:left;padding:6px 12px;margin-left:-1px;line-height:1.428571429;text-decoration:none;background-color:#fff;border:1px solid #ddd}.pagination>li:first-child>a,.pagination>li:first-child>span{margin-left:0;border-bottom-left-radius:4px;border-top-left-radius:4px}.pagination>li:last-child>a,.pagination>li:last-child>span{border-top-right-radius:4px;border-bottom-right-radius:4px}.pagination>li>a:hover,.pagination>li>span:hover,.pagination>li>a:focus,.
pagination>li>span:focus{background-color:#eee}.pagination>.active>a,.pagination>.active>span,.pagination>.active>a:hover,.pagination>.active>span:hover,.pagination>.active>a:focus,.pagination>.active>span:focus{z-index:2;color:#fff;cursor:default;background-color:#428bca;border-color:#428bca}.pagination>.disabled>span,.pagination>.disabled>a,.pagination>.disabled>a:hover,.pagination>.disabled>a:focus{color:#999;cursor:not-allowed;background-color:#fff;border-color:#ddd}.pagination-lg>li>a,.pagination-lg>li>span{padding:10px 16px;font-size:18px}.pagination-lg>li:first-child>a,.pagination-lg>li:first-child>span{border-bottom-left-radius:6px;border-top-left-radius:6px}.pagination-lg>li:last-child>a,.pagination-lg>li:last-child>span{border-top-right-radius:6px;border-bottom-right-radius:6px}.pagination-sm>li>a,.pagination-sm>li>span{padding:5px 10px;font-size:12px}.pagination-sm>li:first-child>a,.pagination-sm>li:first-child>span{border-bottom-left-radius:3px;border-top-left-radius:3px
}.pagination-sm>li:last-child>a,.pagination-sm>li:last-child>span{border-top-right-radius:3px;border-bottom-right-radius:3px}.pager{padding-left:0;margin:20px 0;text-align:center;list-style:none}.pager:before,.pager:after{display:table;content:" "}.pager:after{clear:both}.pager:before,.pager:after{display:table;content:" "}.pager:after{clear:both}.pager li{display:inline}.pager li>a,.pager li>span{display:inline-block;padding:5px 14px;background-color:#fff;border:1px solid #ddd;border-radius:15px}.pager li>a:hover,.pager li>a:focus{text-decoration:none;background-color:#eee}.pager .next>a,.pager .next>span{float:right}.pager .previous>a,.pager .previous>span{float:left}.pager .disabled>a,.pager .disabled>a:hover,.pager .disabled>a:focus,.pager .disabled>span{color:#999;cursor:not-allowed;background-color:#fff}.label{display:inline;padding:.2em .6em .3em;font-size:75%;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:
.25em}.label[href]:hover,.label[href]:focus{color:#fff;text-decoration:none;cursor:pointer}.label:empty{display:none}.label-default{background-color:#999}.label-default[href]:hover,.label-default[href]:focus{background-color:#808080}.label-primary{background-color:#428bca}.label-primary[href]:hover,.label-primary[href]:focus{background-color:#3071a9}.label-success{background-color:#5cb85c}.label-success[href]:hover,.label-success[href]:focus{background-color:#449d44}.label-info{background-color:#5bc0de}.label-info[href]:hover,.label-info[href]:focus{background-color:#31b0d5}.label-warning{background-color:#f0ad4e}.label-warning[href]:hover,.label-warning[href]:focus{background-color:#ec971f}.label-danger{background-color:#d9534f}.label-danger[href]:hover,.label-danger[href]:focus{background-color:#c9302c}.badge{display:inline-block;min-width:10px;padding:3px 7px;font-size:12px;font-weight:bold;line-height:1;color:#fff;text-align:center;white-space:nowrap;vertical-align:baseline;back
ground-color:#999;border-radius:10px}.badge:empty{display:none}a.badge:hover,a.badge:focus{color:#fff;text-decoration:none;cursor:pointer}.btn .badge{position:relative;top:-1px}a.list-group-item.active>.badge,.nav-pills>.active>a>.badge{color:#428bca;background-color:#fff}.nav-pills>li>a>.badge{margin-left:3px}.jumbotron{padding:30px;margin-bottom:30px;font-size:21px;font-weight:200;line-height:2.1428571435;color:inherit;background-color:#eee}.jumbotron h1{line-height:1;color:inherit}.jumbotron p{line-height:1.4}.container .jumbotron{border-radius:6px}@media screen and (min-width:768px){.jumbotron{padding-top:48px;padding-bottom:48px}.container .jumbotron{padding-right:60px;padding-left:60px}.jumbotron h1{font-size:63px}}.thumbnail{display:inline-block;display:block;height:auto;max-width:100%;padding:4px;line-height:1.428571429;background-color:#fff;border:1px solid #ddd;border-radius:4px;-webkit-transition:all .2s ease-in-out;transition:all .2s ease-in-out}.thumbnail>img{display:bl
ock;height:auto;max-width:100%}a.thumbnail:hover,a.thumbnail:focus{border-color:#428bca}.thumbnail>img{margin-right:auto;margin-left:auto}.thumbnail .caption{padding:9px;color:#333}.alert{padding:15px;margin-bottom:20px;border:1px solid transparent;border-radius:4px}.alert h4{margin-top:0;color:inherit}.alert .alert-link{font-weight:bold}.alert>p,.alert>ul{margin-bottom:0}.alert>p+p{margin-top:5px}.alert-dismissable{padding-right:35px}.alert-dismissable .close{position:relative;top:-2px;right:-21px;color:inherit}.alert-success{color:#468847;background-color:#dff0d8;border-color:#d6e9c6}.alert-success hr{border-top-color:#c9e2b3}.alert-success .alert-link{color:#356635}.alert-info{color:#3a87ad;background-color:#d9edf7;border-color:#bce8f1}.alert-info hr{border-top-color:#a6e1ec}.alert-info .alert-link{color:#2d6987}.alert-warning{color:#c09853;background-color:#fcf8e3;border-color:#fbeed5}.alert-warning hr{border-top-color:#f8e5be}.alert-warning .alert-link{color:#a47e3c}.alert-dang
er{color:#b94a48;background-color:#f2dede;border-color:#eed3d7}.alert-danger hr{border-top-color:#e6c1c7}.alert-danger .alert-link{color:#953b39}@-webkit-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-moz-keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}@-o-keyframes progress-bar-stripes{from{background-position:0 0}to{background-position:40px 0}}@keyframes progress-bar-stripes{from{background-position:40px 0}to{background-position:0 0}}.progress{height:20px;margin-bottom:20px;overflow:hidden;background-color:#f5f5f5;border-radius:4px;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.1);box-shadow:inset 0 1px 2px rgba(0,0,0,0.1)}.progress-bar{float:left;width:0;height:100%;font-size:12px;color:#fff;text-align:center;background-color:#428bca;-webkit-box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);box-shadow:inset 0 -1px 0 rgba(0,0,0,0.15);-webkit-transition:width .6s ease;transition:width .6s ease}.progr
ess-striped .progress-bar{background-image:-webkit-gradient(linear,0 100%,100% 0,color-stop(0.25,rgba(255,255,255,0.15)),color-stop(0.25,transparent),color-stop(0.5,transparent),color-stop(0.5,rgba(255,255,255,0.15)),color-stop(0.75,rgba(255,255,255,0.15)),color-stop(0.75,transparent),to(transparent));background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:-moz-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-size:40px 40px}.progress.active .progress-bar{-webkit-animation:progress-bar-stripes 2s linear infinite;-moz-animation:progress
-bar-stripes 2s linear infinite;-ms-animation:progress-bar-stripes 2s linear infinite;-o-animation:progress-bar-stripes 2s linear infinite;animation:progress-bar-stripes 2s linear infinite}.progress-bar-success{background-color:#5cb85c}.progress-striped .progress-bar-success{background-image:-webkit-gradient(linear,0 100%,100% 0,color-stop(0.25,rgba(255,255,255,0.15)),color-stop(0.25,transparent),color-stop(0.5,transparent),color-stop(0.5,rgba(255,255,255,0.15)),color-stop(0.75,rgba(255,255,255,0.15)),color-stop(0.75,transparent),to(transparent));background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:-moz-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,tra
nsparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent)}.progress-bar-info{background-color:#5bc0de}.progress-striped .progress-bar-info{background-image:-webkit-gradient(linear,0 100%,100% 0,color-stop(0.25,rgba(255,255,255,0.15)),color-stop(0.25,transparent),color-stop(0.5,transparent),color-stop(0.5,rgba(255,255,255,0.15)),color-stop(0.75,rgba(255,255,255,0.15)),color-stop(0.75,transparent),to(transparent));background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:-moz-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,
transparent 75%,transparent)}.progress-bar-warning{background-color:#f0ad4e}.progress-striped .progress-bar-warning{background-image:-webkit-gradient(linear,0 100%,100% 0,color-stop(0.25,rgba(255,255,255,0.15)),color-stop(0.25,transparent),color-stop(0.5,transparent),color-stop(0.5,rgba(255,255,255,0.15)),color-stop(0.75,rgba(255,255,255,0.15)),color-stop(0.75,transparent),to(transparent));background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:-moz-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent)}.progress-bar-danger{background-color:#d9534f}.p
rogress-striped .progress-bar-danger{background-image:-webkit-gradient(linear,0 100%,100% 0,color-stop(0.25,rgba(255,255,255,0.15)),color-stop(0.25,transparent),color-stop(0.5,transparent),color-stop(0.5,rgba(255,255,255,0.15)),color-stop(0.75,rgba(255,255,255,0.15)),color-stop(0.75,transparent),to(transparent));background-image:-webkit-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:-moz-linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent);background-image:linear-gradient(45deg,rgba(255,255,255,0.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,0.15) 50%,rgba(255,255,255,0.15) 75%,transparent 75%,transparent)}.media,.media-body{overflow:hidden;zoom:1}.media,.media .media{margin-top:15px}.media:first-child{margin-top:0}.media-object{di
splay:block}.media-heading{margin:0 0 5px}.media>.pull-left{margin-right:10px}.media>.pull-right{margin-left:10px}.media-list{padding-left:0;list-style:none}.list-group{padding-left:0;margin-bottom:20px}.list-group-item{position:relative;display:block;padding:10px 15px;margin-bottom:-1px;background-color:#fff;border:1px solid #ddd}.list-group-item:first-child{border-top-right-radius:4px;border-top-left-radius:4px}.list-group-item:last-child{margin-bottom:0;border-bottom-right-radius:4px;border-bottom-left-radius:4px}.list-group-item>.badge{float:right}.list-group-item>.badge+.badge{margin-right:5px}a.list-group-item{color:#555}a.list-group-item .list-group-item-heading{color:#333}a.list-group-item:hover,a.list-group-item:focus{text-decoration:none;background-color:#f5f5f5}.list-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{z-index:2;color:#fff;background-color:#428bca;border-color:#428bca}.list-group-item.active .list-group-item-heading,.list-group-it
em.active:hover .list-group-item-heading,.list-group-item.active:focus .list-group-item-heading{color:inherit}.list-group-item.active .list-group-item-text,.list-group-item.active:hover .list-group-item-text,.list-group-item.active:focus .list-group-item-text{color:#e1edf7}.list-group-item-heading{margin-top:0;margin-bottom:5px}.list-group-item-text{margin-bottom:0;line-height:1.3}.panel{margin-bottom:20px;background-color:#fff;border:1px solid transparent;border-radius:4px;-webkit-box-shadow:0 1px 1px rgba(0,0,0,0.05);box-shadow:0 1px 1px rgba(0,0,0,0.05)}.panel-body{padding:15px}.panel-body:before,.panel-body:after{display:table;content:" "}.panel-body:after{clear:both}.panel-body:before,.panel-body:after{display:table;content:" "}.panel-body:after{clear:both}.panel>.list-group{margin-bottom:0}.panel>.list-group .list-group-item{border-width:1px 0}.panel>.list-group .list-group-item:first-child{border-top-right-radius:0;border-top-left-radius:0}.panel>.list-group .list-group-item:
last-child{border-bottom:0}.panel-heading+.list-group .list-group-item:first-child{border-top-width:0}.panel>.table{margin-bottom:0}.panel>.panel-body+.table{border-top:1px solid #ddd}.panel-heading{padding:10px 15px;border-bottom:1px solid transparent;border-top-right-radius:3px;border-top-left-radius:3px}.panel-title{margin-top:0;margin-bottom:0;font-size:16px}.panel-title>a{color:inherit}.panel-footer{padding:10px 15px;background-color:#f5f5f5;border-top:1px solid #ddd;border-bottom-right-radius:3px;border-bottom-left-radius:3px}.panel-group .panel{margin-bottom:0;overflow:hidden;border-radius:4px}.panel-group .panel+.panel{margin-top:5px}.panel-group .panel-heading{border-bottom:0}.panel-group .panel-heading+.panel-collapse .panel-body{border-top:1px solid #ddd}.panel-group .panel-footer{border-top:0}.panel-group .panel-footer+.panel-collapse .panel-body{border-bottom:1px solid #ddd}.panel-default{border-color:#ddd}.panel-default>.panel-heading{color:#333;background-color:#f5f5f
5;border-color:#ddd}.panel-default>.panel-heading+.panel-collapse .panel-body{border-top-color:#ddd}.panel-default>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#ddd}.panel-primary{border-color:#428bca}.panel-primary>.panel-heading{color:#fff;background-color:#428bca;border-color:#428bca}.panel-primary>.panel-heading+.panel-collapse .panel-body{border-top-color:#428bca}.panel-primary>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#428bca}.panel-success{border-color:#d6e9c6}.panel-success>.panel-heading{color:#468847;background-color:#dff0d8;border-color:#d6e9c6}.panel-success>.panel-heading+.panel-collapse .panel-body{border-top-color:#d6e9c6}.panel-success>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#d6e9c6}.panel-warning{border-color:#fbeed5}.panel-warning>.panel-heading{color:#c09853;background-color:#fcf8e3;border-color:#fbeed5}.panel-warning>.panel-heading+.panel-collapse .panel-body{border-top-color:#fbeed5}.panel-warning>.panel
-footer+.panel-collapse .panel-body{border-bottom-color:#fbeed5}.panel-danger{border-color:#eed3d7}.panel-danger>.panel-heading{color:#b94a48;background-color:#f2dede;border-color:#eed3d7}.panel-danger>.panel-heading+.panel-collapse .panel-body{border-top-color:#eed3d7}.panel-danger>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#eed3d7}.panel-info{border-color:#bce8f1}.panel-info>.panel-heading{color:#3a87ad;background-color:#d9edf7;border-color:#bce8f1}.panel-info>.panel-heading+.panel-collapse .panel-body{border-top-color:#bce8f1}.panel-info>.panel-footer+.panel-collapse .panel-body{border-bottom-color:#bce8f1}.well{min-height:20px;padding:19px;margin-bottom:20px;background-color:#f5f5f5;border:1px solid #e3e3e3;border-radius:4px;-webkit-box-shadow:inset 0 1px 1px rgba(0,0,0,0.05);box-shadow:inset 0 1px 1px rgba(0,0,0,0.05)}.well blockquote{border-color:#ddd;border-color:rgba(0,0,0,0.15)}.well-lg{padding:24px;border-radius:6px}.well-sm{padding:9px;border-radius:3px
}.close{float:right;font-size:21px;font-weight:bold;line-height:1;color:#000;text-shadow:0 1px 0 #fff;opacity:.2;filter:alpha(opacity=20)}.close:hover,.close:focus{color:#000;text-decoration:none;cursor:pointer;opacity:.5;filter:alpha(opacity=50)}button.close{padding:0;cursor:pointer;background:transparent;border:0;-webkit-appearance:none}.modal-open{overflow:hidden}body.modal-open,.modal-open .navbar-fixed-top,.modal-open .navbar-fixed-bottom{margin-right:15px}.modal{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1040;display:none;overflow:auto;overflow-y:scroll}.modal.fade .modal-dialog{-webkit-transform:translate(0,-25%);-ms-transform:translate(0,-25%);transform:translate(0,-25%);-webkit-transition:-webkit-transform .3s ease-out;-moz-transition:-moz-transform .3s ease-out;-o-transition:-o-transform .3s ease-out;transition:transform .3s ease-out}.modal.in .modal-dialog{-webkit-transform:translate(0,0);-ms-transform:translate(0,0);transform:translate(0,0)}.modal-dialog{z-inde
x:1050;width:auto;padding:10px;margin-right:auto;margin-left:auto}.modal-content{position:relative;background-color:#fff;border:1px solid #999;border:1px solid rgba(0,0,0,0.2);border-radius:6px;outline:0;-webkit-box-shadow:0 3px 9px rgba(0,0,0,0.5);box-shadow:0 3px 9px rgba(0,0,0,0.5);background-clip:padding-box}.modal-backdrop{position:fixed;top:0;right:0;bottom:0;left:0;z-index:1030;background-color:#000}.modal-backdrop.fade{opacity:0;filter:alpha(opacity=0)}.modal-backdrop.in{opacity:.5;filter:alpha(opacity=50)}.modal-header{min-height:16.428571429px;padding:15px;border-bottom:1px solid #e5e5e5}.modal-header .close{margin-top:-2px}.modal-title{margin:0;line-height:1.428571429}.modal-body{position:relative;padding:20px}.modal-footer{padding:19px 20px 20px;margin-top:15px;text-align:right;border-top:1px solid #e5e5e5}.modal-footer:before,.modal-footer:after{display:table;content:" "}.modal-footer:after{clear:both}.modal-footer:before,.modal-footer:after{display:table;content:" "}.m
odal-footer:after{clear:both}.modal-footer .btn+.btn{margin-bottom:0;margin-left:5px}.modal-footer .btn-group .btn+.btn{margin-left:-1px}.modal-footer .btn-block+.btn-block{margin-left:0}@media screen and (min-width:768px){.modal-dialog{right:auto;left:50%;width:600px;padding-top:30px;padding-bottom:30px}.modal-content{-webkit-box-shadow:0 5px 15px rgba(0,0,0,0.5);box-shadow:0 5px 15px rgba(0,0,0,0.5)}}.tooltip{position:absolute;z-index:1030;display:block;font-size:12px;line-height:1.4;opacity:0;filter:alpha(opacity=0);visibility:visible}.tooltip.in{opacity:.9;filter:alpha(opacity=90)}.tooltip.top{padding:5px 0;margin-top:-3px}.tooltip.right{padding:0 5px;margin-left:3px}.tooltip.bottom{padding:5px 0;margin-top:3px}.tooltip.left{padding:0 5px;margin-left:-3px}.tooltip-inner{max-width:200px;padding:3px 8px;color:#fff;text-align:center;text-decoration:none;background-color:#000;border-radius:4px}.tooltip-arrow{position:absolute;width:0;height:0;border-color:transparent;border-style:so
lid}.tooltip.top .tooltip-arrow{bottom:0;left:50%;margin-left:-5px;border-top-color:#000;border-width:5px 5px 0}.tooltip.top-left .tooltip-arrow{bottom:0;left:5px;border-top-color:#000;border-width:5px 5px 0}.tooltip.top-right .tooltip-arrow{right:5px;bottom:0;border-top-color:#000;border-width:5px 5px 0}.tooltip.right .tooltip-arrow{top:50%;left:0;margin-top:-5px;border-right-color:#000;border-width:5px 5px 5px 0}.tooltip.left .tooltip-arrow{top:50%;right:0;margin-top:-5px;border-left-color:#000;border-width:5px 0 5px 5px}.tooltip.bottom .tooltip-arrow{top:0;left:50%;margin-left:-5px;border-bottom-color:#000;border-width:0 5px 5px}.tooltip.bottom-left .tooltip-arrow{top:0;left:5px;border-bottom-color:#000;border-width:0 5px 5px}.tooltip.bottom-right .tooltip-arrow{top:0;right:5px;border-bottom-color:#000;border-width:0 5px 5px}.popover{position:absolute;top:0;left:0;z-index:1010;display:none;max-width:276px;padding:1px;text-align:left;white-space:normal;background-color:#fff;border
:1px solid #ccc;border:1px solid rgba(0,0,0,0.2);border-radius:6px;-webkit-box-shadow:0 5px 10px rgba(0,0,0,0.2);box-shadow:0 5px 10px rgba(0,0,0,0.2);background-clip:padding-box}.popover.top{margin-top:-10px}.popover.right{margin-left:10px}.popover.bottom{margin-top:10px}.popover.left{margin-left:-10px}.popover-title{padding:8px 14px;margin:0;font-size:14px;font-weight:normal;line-height:18px;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-radius:5px 5px 0 0}.popover-content{padding:9px 14px}.popover .arrow,.popover .arrow:after{position:absolute;display:block;width:0;height:0;border-color:transparent;border-style:solid}.popover .arrow{border-width:11px}.popover .arrow:after{border-width:10px;content:""}.popover.top .arrow{bottom:-11px;left:50%;margin-left:-11px;border-top-color:#999;border-top-color:rgba(0,0,0,0.25);border-bottom-width:0}.popover.top .arrow:after{bottom:1px;margin-left:-10px;border-top-color:#fff;border-bottom-width:0;content:" "}.popover.right .ar
row{top:50%;left:-11px;margin-top:-11px;border-right-color:#999;border-right-color:rgba(0,0,0,0.25);border-left-width:0}.popover.right .arrow:after{bottom:-10px;left:1px;border-right-color:#fff;border-left-width:0;content:" "}.popover.bottom .arrow{top:-11px;left:50%;margin-left:-11px;border-bottom-color:#999;border-bottom-color:rgba(0,0,0,0.25);border-top-width:0}.popover.bottom .arrow:after{top:1px;margin-left:-10px;border-bottom-color:#fff;border-top-width:0;content:" "}.popover.left .arrow{top:50%;right:-11px;margin-top:-11px;border-left-color:#999;border-left-color:rgba(0,0,0,0.25);border-right-width:0}.popover.left .arrow:after{right:1px;bottom:-10px;border-left-color:#fff;border-right-width:0;content:" "}.carousel{position:relative}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner>.item{position:relative;display:none;-webkit-transition:.6s ease-in-out left;transition:.6s ease-in-out left}.carousel-inner>.item>img,.carousel-inner>.item>a>img{display:
block;height:auto;max-width:100%;line-height:1}.carousel-inner>.active,.carousel-inner>.next,.carousel-inner>.prev{display:block}.carousel-inner>.active{left:0}.carousel-inner>.next,.carousel-inner>.prev{position:absolute;top:0;width:100%}.carousel-inner>.next{left:100%}.carousel-inner>.prev{left:-100%}.carousel-inner>.next.left,.carousel-inner>.prev.right{left:0}.carousel-inner>.active.left{left:-100%}.carousel-inner>.active.right{left:100%}.carousel-control{position:absolute;top:0;bottom:0;left:0;width:15%;font-size:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,0.6);opacity:.5;filter:alpha(opacity=50)}.carousel-control.left{background-image:-webkit-gradient(linear,0 top,100% top,from(rgba(0,0,0,0.5)),to(rgba(0,0,0,0.0001)));background-image:-webkit-linear-gradient(left,color-stop(rgba(0,0,0,0.5) 0),color-stop(rgba(0,0,0,0.0001) 100%));background-image:-moz-linear-gradient(left,rgba(0,0,0,0.5) 0,rgba(0,0,0,0.0001) 100%);background-image:linear-gradient(to right
,rgba(0,0,0,0.5) 0,rgba(0,0,0,0.0001) 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#80000000',endColorstr='#00000000',GradientType=1)}.carousel-control.right{right:0;left:auto;background-image:-webkit-gradient(linear,0 top,100% top,from(rgba(0,0,0,0.0001)),to(rgba(0,0,0,0.5)));background-image:-webkit-linear-gradient(left,color-stop(rgba(0,0,0,0.0001) 0),color-stop(rgba(0,0,0,0.5) 100%));background-image:-moz-linear-gradient(left,rgba(0,0,0,0.0001) 0,rgba(0,0,0,0.5) 100%);background-image:linear-gradient(to right,rgba(0,0,0,0.0001) 0,rgba(0,0,0,0.5) 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#00000000',endColorstr='#80000000',GradientType=1)}.carousel-control:hover,.carousel-control:focus{color:#fff;text-decoration:none;opacity:.9;filter:alpha(opacity=90)}.carousel-control .icon-prev,.carousel-control .icon-next,.carousel-control .glyphicon-chevron-left,.carousel-control .glyp
hicon-chevron-right{position:absolute;top:50%;left:50%;z-index:5;display:inline-block}.carousel-control .icon-prev,.carousel-control .icon-next{width:20px;height:20px;margin-top:-10px;margin-left:-10px;font-family:serif}.carousel-control .icon-prev:before{content:'\2039'}.carousel-control .icon-next:before{content:'\203a'}.carousel-indicators{position:absolute;bottom:10px;left:50%;z-index:15;width:60%;padding-left:0;margin-left:-30%;text-align:center;list-style:none}.carousel-indicators li{display:inline-block;width:10px;height:10px;margin:1px;text-indent:-999px;cursor:pointer;border:1px solid #fff;border-radius:10px}.carousel-indicators .active{width:12px;height:12px;margin:0;background-color:#fff}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center;text-shadow:0 1px 2px rgba(0,0,0,0.6)}.carousel-caption .btn{text-shadow:none}@media screen and (min-width:768px){.carousel-control .icon-prev,.c
<TRUNCATED>
[35/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.4.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.4.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.4.0.sql
deleted file mode 100644
index 70f4dbb..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.4.0.sql
+++ /dev/null
@@ -1,126 +0,0 @@
--- Licensed to the Apache Software Foundation (ASF) under one or more
--- contributor license agreements. See the NOTICE file distributed with
--- this work for additional information regarding copyright ownership.
--- The ASF licenses this file to You under the Apache License, Version 2.0
--- (the "License"); you may not use this file except in compliance with
--- the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
--- Unless required by applicable law or agreed to in writing, software
--- distributed under the License is distributed on an "AS IS" BASIS,
--- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--- See the License for the specific language governing permissions and
--- limitations under the License.
-
-
-/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
-/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
-/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
-/*!40101 SET NAMES utf8 */;
-/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
-/*!40103 SET TIME_ZONE='+00:00' */;
-/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
-/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
-/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
-/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
-
-CREATE TABLE `SENTRY_DB_PRIVILEGE` (
- `DB_PRIVILEGE_ID` BIGINT NOT NULL,
- `PRIVILEGE_NAME` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL,
- `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL,
- `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL,
- `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE` (
- `ROLE_ID` BIGINT NOT NULL,
- `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_GROUP` (
- `GROUP_ID` BIGINT NOT NULL,
- `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
- `ROLE_ID` BIGINT NOT NULL,
- `DB_PRIVILEGE_ID` BIGINT NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
- `ROLE_ID` BIGINT NOT NULL,
- `GROUP_ID` BIGINT NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
- `VER_ID` BIGINT NOT NULL,
- `SCHEMA_VERSION` VARCHAR(127) NOT NULL,
- `VERSION_COMMENT` VARCHAR(255) NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD CONSTRAINT `SENTRY_DB_PRIV_PK` PRIMARY KEY (`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE`
- ADD CONSTRAINT `SENTRY_ROLE_PK` PRIMARY KEY (`ROLE_ID`);
-
-ALTER TABLE `SENTRY_GROUP`
- ADD CONSTRAINT `SENTRY_GROUP_PK` PRIMARY KEY (`GROUP_ID`);
-
-ALTER TABLE `SENTRY_VERSION`
- ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`PRIVILEGE_NAME`(250));
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_URI_IDX` (`URI`);
-
-ALTER TABLE `SENTRY_ROLE`
- ADD CONSTRAINT `SENTRY_ROLE_ROLE_NAME_UNIQUE` UNIQUE (`ROLE_NAME`);
-
-ALTER TABLE `SENTRY_GROUP`
- ADD CONSTRAINT `SENTRY_GRP_GRP_NAME_UNIQUE` UNIQUE (`GROUP_NAME`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_GROUP_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GROUP_ID`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK`
- FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK`
- FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`);
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.4.0', 'Sentry release version 1.4.0');
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql
deleted file mode 100644
index d5d2e0a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql
+++ /dev/null
@@ -1,192 +0,0 @@
--- Licensed to the Apache Software Foundation (ASF) under one or more
--- contributor license agreements. See the NOTICE file distributed with
--- this work for additional information regarding copyright ownership.
--- The ASF licenses this file to You under the Apache License, Version 2.0
--- (the "License"); you may not use this file except in compliance with
--- the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
--- Unless required by applicable law or agreed to in writing, software
--- distributed under the License is distributed on an "AS IS" BASIS,
--- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--- See the License for the specific language governing permissions and
--- limitations under the License.
-
-
-/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
-/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
-/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
-/*!40101 SET NAMES utf8 */;
-/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
-/*!40103 SET TIME_ZONE='+00:00' */;
-/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
-/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
-/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
-/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
-
-CREATE TABLE `SENTRY_DB_PRIVILEGE` (
- `DB_PRIVILEGE_ID` BIGINT NOT NULL,
- `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `COLUMN_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL,
- `WITH_GRANT_OPTION` CHAR(1) NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE` (
- `ROLE_ID` BIGINT NOT NULL,
- `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_GROUP` (
- `GROUP_ID` BIGINT NOT NULL,
- `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
- `ROLE_ID` BIGINT NOT NULL,
- `DB_PRIVILEGE_ID` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
- `ROLE_ID` BIGINT NOT NULL,
- `GROUP_ID` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
- `VER_ID` BIGINT NOT NULL,
- `SCHEMA_VERSION` VARCHAR(127) NOT NULL,
- `VERSION_COMMENT` VARCHAR(255) NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD CONSTRAINT `SENTRY_DB_PRIV_PK` PRIMARY KEY (`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE`
- ADD CONSTRAINT `SENTRY_ROLE_PK` PRIMARY KEY (`ROLE_ID`);
-
-ALTER TABLE `SENTRY_GROUP`
- ADD CONSTRAINT `SENTRY_GROUP_PK` PRIMARY KEY (`GROUP_ID`);
-
-ALTER TABLE `SENTRY_VERSION`
- ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_COL_IDX` (`COLUMN_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_URI_IDX` (`URI`);
-
-ALTER TABLE `SENTRY_ROLE`
- ADD CONSTRAINT `SENTRY_ROLE_ROLE_NAME_UNIQUE` UNIQUE (`ROLE_NAME`);
-
-ALTER TABLE `SENTRY_GROUP`
- ADD CONSTRAINT `SENTRY_GRP_GRP_NAME_UNIQUE` UNIQUE (`GROUP_NAME`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_GROUP_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GROUP_ID`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK`
- FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK`
- FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`);
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.5.0', 'Sentry release version 1.5.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE `SENTRY_GM_PRIVILEGE`
-(
- `GM_PRIVILEGE_ID` BIGINT NOT NULL,
- `ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL,
- `WITH_GRANT_OPTION` CHAR(1) NOT NULL,
- `RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD CONSTRAINT `SENTRY_GM_PRIVILEGE_PK` PRIMARY KEY (`GM_PRIVILEGE_ID`);
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE UNIQUE INDEX `GM_PRIVILEGE_INDEX` ON `SENTRY_GM_PRIVILEGE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
-(
- `ROLE_ID` BIGINT NOT NULL,
- `GM_PRIVILEGE_ID` BIGINT NOT NULL
-) ENGINE=INNODB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GM_PRIVILEGE_ID`);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK`
- FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.6.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.6.0.sql
deleted file mode 100644
index 1c1bb94..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.6.0.sql
+++ /dev/null
@@ -1,193 +0,0 @@
--- Licensed to the Apache Software Foundation (ASF) under one or more
--- contributor license agreements. See the NOTICE file distributed with
--- this work for additional information regarding copyright ownership.
--- The ASF licenses this file to You under the Apache License, Version 2.0
--- (the "License"); you may not use this file except in compliance with
--- the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
--- Unless required by applicable law or agreed to in writing, software
--- distributed under the License is distributed on an "AS IS" BASIS,
--- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--- See the License for the specific language governing permissions and
--- limitations under the License.
-
-
-/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
-/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
-/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
-/*!40101 SET NAMES utf8 */;
-/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
-/*!40103 SET TIME_ZONE='+00:00' */;
-/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
-/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
-/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
-/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
-
-CREATE TABLE `SENTRY_DB_PRIVILEGE` (
- `DB_PRIVILEGE_ID` BIGINT NOT NULL,
- `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `COLUMN_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL,
- `WITH_GRANT_OPTION` CHAR(1) NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE` (
- `ROLE_ID` BIGINT NOT NULL,
- `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_GROUP` (
- `GROUP_ID` BIGINT NOT NULL,
- `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
- `ROLE_ID` BIGINT NOT NULL,
- `DB_PRIVILEGE_ID` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
- `ROLE_ID` BIGINT NOT NULL,
- `GROUP_ID` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
- `VER_ID` BIGINT NOT NULL,
- `SCHEMA_VERSION` VARCHAR(127) NOT NULL,
- `VERSION_COMMENT` VARCHAR(255) NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD CONSTRAINT `SENTRY_DB_PRIV_PK` PRIMARY KEY (`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE`
- ADD CONSTRAINT `SENTRY_ROLE_PK` PRIMARY KEY (`ROLE_ID`);
-
-ALTER TABLE `SENTRY_GROUP`
- ADD CONSTRAINT `SENTRY_GROUP_PK` PRIMARY KEY (`GROUP_ID`);
-
-ALTER TABLE `SENTRY_VERSION`
- ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_COL_IDX` (`COLUMN_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_URI_IDX` (`URI`);
-
-ALTER TABLE `SENTRY_ROLE`
- ADD CONSTRAINT `SENTRY_ROLE_ROLE_NAME_UNIQUE` UNIQUE (`ROLE_NAME`);
-
-ALTER TABLE `SENTRY_GROUP`
- ADD CONSTRAINT `SENTRY_GRP_GRP_NAME_UNIQUE` UNIQUE (`GROUP_NAME`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_GROUP_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GROUP_ID`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK`
- FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK`
- FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`);
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.6.0', 'Sentry release version 1.6.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE `SENTRY_GM_PRIVILEGE`
-(
- `GM_PRIVILEGE_ID` BIGINT NOT NULL,
- `ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL,
- `WITH_GRANT_OPTION` CHAR(1) NOT NULL,
- `RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD CONSTRAINT `SENTRY_GM_PRIVILEGE_PK` PRIMARY KEY (`GM_PRIVILEGE_ID`);
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD UNIQUE `GM_PRIVILEGE_UNIQUE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
-(
- `ROLE_ID` BIGINT NOT NULL,
- `GM_PRIVILEGE_ID` BIGINT NOT NULL
-) ENGINE=INNODB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GM_PRIVILEGE_ID`);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK`
- FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.7.0.sql
deleted file mode 100644
index faff348..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.7.0.sql
+++ /dev/null
@@ -1,193 +0,0 @@
--- Licensed to the Apache Software Foundation (ASF) under one or more
--- contributor license agreements. See the NOTICE file distributed with
--- this work for additional information regarding copyright ownership.
--- The ASF licenses this file to You under the Apache License, Version 2.0
--- (the "License"); you may not use this file except in compliance with
--- the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
--- Unless required by applicable law or agreed to in writing, software
--- distributed under the License is distributed on an "AS IS" BASIS,
--- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--- See the License for the specific language governing permissions and
--- limitations under the License.
-
-
-/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
-/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
-/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
-/*!40101 SET NAMES utf8 */;
-/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
-/*!40103 SET TIME_ZONE='+00:00' */;
-/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
-/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
-/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
-/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
-
-CREATE TABLE `SENTRY_DB_PRIVILEGE` (
- `DB_PRIVILEGE_ID` BIGINT NOT NULL,
- `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `COLUMN_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL,
- `WITH_GRANT_OPTION` CHAR(1) NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE` (
- `ROLE_ID` BIGINT NOT NULL,
- `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_GROUP` (
- `GROUP_ID` BIGINT NOT NULL,
- `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
- `ROLE_ID` BIGINT NOT NULL,
- `DB_PRIVILEGE_ID` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
- `ROLE_ID` BIGINT NOT NULL,
- `GROUP_ID` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
- `VER_ID` BIGINT NOT NULL,
- `SCHEMA_VERSION` VARCHAR(127) NOT NULL,
- `VERSION_COMMENT` VARCHAR(255) NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD CONSTRAINT `SENTRY_DB_PRIV_PK` PRIMARY KEY (`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE`
- ADD CONSTRAINT `SENTRY_ROLE_PK` PRIMARY KEY (`ROLE_ID`);
-
-ALTER TABLE `SENTRY_GROUP`
- ADD CONSTRAINT `SENTRY_GROUP_PK` PRIMARY KEY (`GROUP_ID`);
-
-ALTER TABLE `SENTRY_VERSION`
- ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_COL_IDX` (`COLUMN_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_URI_IDX` (`URI`);
-
-ALTER TABLE `SENTRY_ROLE`
- ADD CONSTRAINT `SENTRY_ROLE_ROLE_NAME_UNIQUE` UNIQUE (`ROLE_NAME`);
-
-ALTER TABLE `SENTRY_GROUP`
- ADD CONSTRAINT `SENTRY_GRP_GRP_NAME_UNIQUE` UNIQUE (`GROUP_NAME`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_GROUP_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GROUP_ID`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK`
- FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK`
- FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`);
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE `SENTRY_GM_PRIVILEGE`
-(
- `GM_PRIVILEGE_ID` BIGINT NOT NULL,
- `ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL,
- `WITH_GRANT_OPTION` CHAR(1) NOT NULL,
- `RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD CONSTRAINT `SENTRY_GM_PRIVILEGE_PK` PRIMARY KEY (`GM_PRIVILEGE_ID`);
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD UNIQUE `GM_PRIVILEGE_UNIQUE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
-(
- `ROLE_ID` BIGINT NOT NULL,
- `GM_PRIVILEGE_ID` BIGINT NOT NULL
-) ENGINE=INNODB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GM_PRIVILEGE_ID`);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK`
- FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.8.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.8.0.sql
deleted file mode 100644
index d27d7b9..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.8.0.sql
+++ /dev/null
@@ -1,223 +0,0 @@
--- Licensed to the Apache Software Foundation (ASF) under one or more
--- contributor license agreements. See the NOTICE file distributed with
--- this work for additional information regarding copyright ownership.
--- The ASF licenses this file to You under the Apache License, Version 2.0
--- (the "License"); you may not use this file except in compliance with
--- the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
--- Unless required by applicable law or agreed to in writing, software
--- distributed under the License is distributed on an "AS IS" BASIS,
--- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--- See the License for the specific language governing permissions and
--- limitations under the License.
-
-
-/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
-/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
-/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
-/*!40101 SET NAMES utf8 */;
-/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
-/*!40103 SET TIME_ZONE='+00:00' */;
-/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
-/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
-/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
-/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
-
-CREATE TABLE `SENTRY_DB_PRIVILEGE` (
- `DB_PRIVILEGE_ID` BIGINT NOT NULL,
- `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `COLUMN_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL,
- `WITH_GRANT_OPTION` CHAR(1) NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE` (
- `ROLE_ID` BIGINT NOT NULL,
- `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_GROUP` (
- `GROUP_ID` BIGINT NOT NULL,
- `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
- `ROLE_ID` BIGINT NOT NULL,
- `DB_PRIVILEGE_ID` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
- `ROLE_ID` BIGINT NOT NULL,
- `GROUP_ID` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
- `VER_ID` BIGINT NOT NULL,
- `SCHEMA_VERSION` VARCHAR(127) NOT NULL,
- `VERSION_COMMENT` VARCHAR(255) NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD CONSTRAINT `SENTRY_DB_PRIV_PK` PRIMARY KEY (`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE`
- ADD CONSTRAINT `SENTRY_ROLE_PK` PRIMARY KEY (`ROLE_ID`);
-
-ALTER TABLE `SENTRY_GROUP`
- ADD CONSTRAINT `SENTRY_GROUP_PK` PRIMARY KEY (`GROUP_ID`);
-
-ALTER TABLE `SENTRY_VERSION`
- ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_COL_IDX` (`COLUMN_NAME`);
-
-ALTER TABLE `SENTRY_DB_PRIVILEGE`
- ADD INDEX `SENTRY_PRIV_URI_IDX` (`URI`);
-
-ALTER TABLE `SENTRY_ROLE`
- ADD CONSTRAINT `SENTRY_ROLE_ROLE_NAME_UNIQUE` UNIQUE (`ROLE_NAME`);
-
-ALTER TABLE `SENTRY_GROUP`
- ADD CONSTRAINT `SENTRY_GRP_GRP_NAME_UNIQUE` UNIQUE (`GROUP_NAME`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_GROUP_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GROUP_ID`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK`
- FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
- ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK`
- FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`);
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.8.0', 'Sentry release version 1.8.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE `SENTRY_GM_PRIVILEGE`
-(
- `GM_PRIVILEGE_ID` BIGINT NOT NULL,
- `ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL,
- `WITH_GRANT_OPTION` CHAR(1) NOT NULL,
- `RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
- `SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD CONSTRAINT `SENTRY_GM_PRIVILEGE_PK` PRIMARY KEY (`GM_PRIVILEGE_ID`);
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD UNIQUE `GM_PRIVILEGE_UNIQUE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`);
-
-ALTER TABLE `SENTRY_GM_PRIVILEGE`
- ADD INDEX `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`);
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
-(
- `ROLE_ID` BIGINT NOT NULL,
- `GM_PRIVILEGE_ID` BIGINT NOT NULL
-) ENGINE=INNODB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GM_PRIVILEGE_ID`);
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
- ADD CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK`
- FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`);
-
-CREATE TABLE `SENTRY_USER` (
- `USER_ID` BIGINT NOT NULL,
- `USER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
- `CREATE_TIME` BIGINT NOT NULL
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_USER`
- ADD CONSTRAINT `SENTRY_USER_PK` PRIMARY KEY (`USER_ID`);
-
-ALTER TABLE `SENTRY_USER`
- ADD CONSTRAINT `SENTRY_USER_USER_NAME_UNIQUE` UNIQUE (`USER_NAME`);
-
-CREATE TABLE `SENTRY_ROLE_USER_MAP` (
- `ROLE_ID` BIGINT NOT NULL,
- `USER_ID` BIGINT NOT NULL,
- `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
-) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-
-ALTER TABLE `SENTRY_ROLE_USER_MAP`
- ADD CONSTRAINT `SENTRY_ROLE_USER_MAP_PK` PRIMARY KEY (`ROLE_ID`,`USER_ID`);
-
-ALTER TABLE `SENTRY_ROLE_USER_MAP`
- ADD CONSTRAINT `SEN_ROLE_USER_MAP_SEN_ROLE_FK`
- FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
-
-ALTER TABLE `SENTRY_ROLE_USER_MAP`
- ADD CONSTRAINT `SEN_ROLE_USER_MAP_SEN_USER_FK`
- FOREIGN KEY (`USER_ID`) REFERENCES `SENTRY_USER`(`USER_ID`);
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.4.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.4.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.4.0.sql
deleted file mode 100644
index 363590e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.4.0.sql
+++ /dev/null
@@ -1,110 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
-CREATE TABLE "SENTRY_DB_PRIVILEGE" (
- "DB_PRIVILEGE_ID" NUMBER NOT NULL,
- "PRIVILEGE_NAME" VARCHAR2(4000) NOT NULL,
- "PRIVILEGE_SCOPE" VARCHAR2(32) NOT NULL,
- "SERVER_NAME" VARCHAR2(128) NOT NULL,
- "DB_NAME" VARCHAR2(128) NULL,
- "TABLE_NAME" VARCHAR2(128) NULL,
- "URI" VARCHAR2(4000) NULL,
- "ACTION" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR(128) NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE" (
- "ROLE_ID" NUMBER NOT NULL,
- "ROLE_NAME" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR2(128) NOT NULL
-);
-
-CREATE TABLE "SENTRY_GROUP" (
- "GROUP_ID" NUMBER NOT NULL,
- "GROUP_NAME" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR2(128) NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "DB_PRIVILEGE_ID" NUMBER NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "GROUP_ID" NUMBER NOT NULL
-);
-
-CREATE TABLE "SENTRY_VERSION" (
- "VER_ID" NUMBER NOT NULL,
- "SCHEMA_VERSION" VARCHAR(127) NOT NULL,
- "VERSION_COMMENT" VARCHAR(255) NOT NULL
-);
-
-ALTER TABLE "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
-
-ALTER TABLE "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
-
-ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
-
-ALTER TABLE "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("PRIVILEGE_NAME");
-
-CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME");
-
-CREATE INDEX "SENTRY_DB_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("DB_NAME");
-
-CREATE INDEX "SENTRY_TBL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("TABLE_NAME");
-
-CREATE INDEX "SENTRY_URI_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("URI");
-
-ALTER TABLE "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
-
-ALTER TABLE "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
- FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") INITIALLY DEFERRED;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.4.0', 'Sentry release version 1.4.0');
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql
deleted file mode 100644
index fe8e93c..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql
+++ /dev/null
@@ -1,168 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
-CREATE TABLE "SENTRY_DB_PRIVILEGE" (
- "DB_PRIVILEGE_ID" NUMBER NOT NULL,
- "PRIVILEGE_SCOPE" VARCHAR2(32) NOT NULL,
- "SERVER_NAME" VARCHAR2(128) NOT NULL,
- "DB_NAME" VARCHAR2(128) DEFAULT '__NULL__',
- "TABLE_NAME" VARCHAR2(128) DEFAULT '__NULL__',
- "COLUMN_NAME" VARCHAR2(128) DEFAULT '__NULL__',
- "URI" VARCHAR2(4000) DEFAULT '__NULL__',
- "ACTION" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE" (
- "ROLE_ID" NUMBER NOT NULL,
- "ROLE_NAME" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL
-);
-
-CREATE TABLE "SENTRY_GROUP" (
- "GROUP_ID" NUMBER NOT NULL,
- "GROUP_NAME" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "DB_PRIVILEGE_ID" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR2(128)
-);
-
-CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "GROUP_ID" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR2(128)
-);
-
-CREATE TABLE "SENTRY_VERSION" (
- "VER_ID" NUMBER NOT NULL,
- "SCHEMA_VERSION" VARCHAR(127) NOT NULL,
- "VERSION_COMMENT" VARCHAR(255) NOT NULL
-);
-
-ALTER TABLE "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
-
-ALTER TABLE "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
-
-ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
-
-ALTER TABLE "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME");
-
-CREATE INDEX "SENTRY_DB_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("DB_NAME");
-
-CREATE INDEX "SENTRY_TBL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("TABLE_NAME");
-
-CREATE INDEX "SENTRY_COL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("COLUMN_NAME");
-
-CREATE INDEX "SENTRY_URI_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("URI");
-
-ALTER TABLE "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
-
-ALTER TABLE "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
- FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") INITIALLY DEFERRED;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.5.0', 'Sentry release version 1.5.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE "SENTRY_GM_PRIVILEGE" (
- "GM_PRIVILEGE_ID" NUMBER NOT NULL,
- "COMPONENT_NAME" VARCHAR2(32) NOT NULL,
- "SERVICE_NAME" VARCHAR2(64) NOT NULL,
- "RESOURCE_NAME_0" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_1" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_2" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_3" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_0" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_1" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_2" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_3" VARCHAR2(64) DEFAULT '__NULL__',
- "ACTION" VARCHAR2(32) NOT NULL,
- "SCOPE" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
-);
-
-ALTER TABLE "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
- "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" ("COMPONENT_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" ("SERVICE_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "GM_PRIVILEGE_ID" NUMBER NOT NULL
-);
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") INITIALLY DEFERRED;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.6.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.6.0.sql
deleted file mode 100644
index 3a22335..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.6.0.sql
+++ /dev/null
@@ -1,168 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
-CREATE TABLE "SENTRY_DB_PRIVILEGE" (
- "DB_PRIVILEGE_ID" NUMBER NOT NULL,
- "PRIVILEGE_SCOPE" VARCHAR2(32) NOT NULL,
- "SERVER_NAME" VARCHAR2(128) NOT NULL,
- "DB_NAME" VARCHAR2(128) DEFAULT '__NULL__',
- "TABLE_NAME" VARCHAR2(128) DEFAULT '__NULL__',
- "COLUMN_NAME" VARCHAR2(128) DEFAULT '__NULL__',
- "URI" VARCHAR2(4000) DEFAULT '__NULL__',
- "ACTION" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE" (
- "ROLE_ID" NUMBER NOT NULL,
- "ROLE_NAME" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL
-);
-
-CREATE TABLE "SENTRY_GROUP" (
- "GROUP_ID" NUMBER NOT NULL,
- "GROUP_NAME" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "DB_PRIVILEGE_ID" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR2(128)
-);
-
-CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "GROUP_ID" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR2(128)
-);
-
-CREATE TABLE "SENTRY_VERSION" (
- "VER_ID" NUMBER NOT NULL,
- "SCHEMA_VERSION" VARCHAR(127) NOT NULL,
- "VERSION_COMMENT" VARCHAR(255) NOT NULL
-);
-
-ALTER TABLE "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
-
-ALTER TABLE "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
-
-ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
-
-ALTER TABLE "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME");
-
-CREATE INDEX "SENTRY_DB_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("DB_NAME");
-
-CREATE INDEX "SENTRY_TBL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("TABLE_NAME");
-
-CREATE INDEX "SENTRY_COL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("COLUMN_NAME");
-
-CREATE INDEX "SENTRY_URI_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("URI");
-
-ALTER TABLE "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
-
-ALTER TABLE "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
- FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") INITIALLY DEFERRED;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.6.0', 'Sentry release version 1.6.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE "SENTRY_GM_PRIVILEGE" (
- "GM_PRIVILEGE_ID" NUMBER NOT NULL,
- "COMPONENT_NAME" VARCHAR2(32) NOT NULL,
- "SERVICE_NAME" VARCHAR2(64) NOT NULL,
- "RESOURCE_NAME_0" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_1" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_2" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_3" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_0" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_1" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_2" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_3" VARCHAR2(64) DEFAULT '__NULL__',
- "ACTION" VARCHAR2(32) NOT NULL,
- "SCOPE" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
-);
-
-ALTER TABLE "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
- "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" ("COMPONENT_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" ("SERVICE_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "GM_PRIVILEGE_ID" NUMBER NOT NULL
-);
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") INITIALLY DEFERRED;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.7.0.sql
deleted file mode 100644
index ae9cd06..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.7.0.sql
+++ /dev/null
@@ -1,168 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
-CREATE TABLE "SENTRY_DB_PRIVILEGE" (
- "DB_PRIVILEGE_ID" NUMBER NOT NULL,
- "PRIVILEGE_SCOPE" VARCHAR2(32) NOT NULL,
- "SERVER_NAME" VARCHAR2(128) NOT NULL,
- "DB_NAME" VARCHAR2(128) DEFAULT '__NULL__',
- "TABLE_NAME" VARCHAR2(128) DEFAULT '__NULL__',
- "COLUMN_NAME" VARCHAR2(128) DEFAULT '__NULL__',
- "URI" VARCHAR2(4000) DEFAULT '__NULL__',
- "ACTION" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE" (
- "ROLE_ID" NUMBER NOT NULL,
- "ROLE_NAME" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL
-);
-
-CREATE TABLE "SENTRY_GROUP" (
- "GROUP_ID" NUMBER NOT NULL,
- "GROUP_NAME" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "DB_PRIVILEGE_ID" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR2(128)
-);
-
-CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "GROUP_ID" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR2(128)
-);
-
-CREATE TABLE "SENTRY_VERSION" (
- "VER_ID" NUMBER NOT NULL,
- "SCHEMA_VERSION" VARCHAR(127) NOT NULL,
- "VERSION_COMMENT" VARCHAR(255) NOT NULL
-);
-
-ALTER TABLE "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
-
-ALTER TABLE "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
-
-ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
-
-ALTER TABLE "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME");
-
-CREATE INDEX "SENTRY_DB_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("DB_NAME");
-
-CREATE INDEX "SENTRY_TBL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("TABLE_NAME");
-
-CREATE INDEX "SENTRY_COL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("COLUMN_NAME");
-
-CREATE INDEX "SENTRY_URI_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("URI");
-
-ALTER TABLE "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
-
-ALTER TABLE "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
- FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") INITIALLY DEFERRED;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE "SENTRY_GM_PRIVILEGE" (
- "GM_PRIVILEGE_ID" NUMBER NOT NULL,
- "COMPONENT_NAME" VARCHAR2(32) NOT NULL,
- "SERVICE_NAME" VARCHAR2(64) NOT NULL,
- "RESOURCE_NAME_0" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_1" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_2" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_3" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_0" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_1" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_2" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_3" VARCHAR2(64) DEFAULT '__NULL__',
- "ACTION" VARCHAR2(32) NOT NULL,
- "SCOPE" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
-);
-
-ALTER TABLE "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
- "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" ("COMPONENT_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" ("SERVICE_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "GM_PRIVILEGE_ID" NUMBER NOT NULL
-);
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") INITIALLY DEFERRED;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.8.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.8.0.sql
deleted file mode 100644
index ced5c31..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.8.0.sql
+++ /dev/null
@@ -1,197 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
-CREATE TABLE "SENTRY_DB_PRIVILEGE" (
- "DB_PRIVILEGE_ID" NUMBER NOT NULL,
- "PRIVILEGE_SCOPE" VARCHAR2(32) NOT NULL,
- "SERVER_NAME" VARCHAR2(128) NOT NULL,
- "DB_NAME" VARCHAR2(128) DEFAULT '__NULL__',
- "TABLE_NAME" VARCHAR2(128) DEFAULT '__NULL__',
- "COLUMN_NAME" VARCHAR2(128) DEFAULT '__NULL__',
- "URI" VARCHAR2(4000) DEFAULT '__NULL__',
- "ACTION" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE" (
- "ROLE_ID" NUMBER NOT NULL,
- "ROLE_NAME" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL
-);
-
-CREATE TABLE "SENTRY_GROUP" (
- "GROUP_ID" NUMBER NOT NULL,
- "GROUP_NAME" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "DB_PRIVILEGE_ID" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR2(128)
-);
-
-CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "GROUP_ID" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR2(128)
-);
-
-CREATE TABLE "SENTRY_VERSION" (
- "VER_ID" NUMBER NOT NULL,
- "SCHEMA_VERSION" VARCHAR(127) NOT NULL,
- "VERSION_COMMENT" VARCHAR(255) NOT NULL
-);
-
-ALTER TABLE "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
-
-ALTER TABLE "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
-
-ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
-
-ALTER TABLE "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME");
-
-CREATE INDEX "SENTRY_DB_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("DB_NAME");
-
-CREATE INDEX "SENTRY_TBL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("TABLE_NAME");
-
-CREATE INDEX "SENTRY_COL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("COLUMN_NAME");
-
-CREATE INDEX "SENTRY_URI_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("URI");
-
-ALTER TABLE "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
-
-ALTER TABLE "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
- FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") INITIALLY DEFERRED;
-
-INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.8.0', 'Sentry release version 1.8.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE "SENTRY_GM_PRIVILEGE" (
- "GM_PRIVILEGE_ID" NUMBER NOT NULL,
- "COMPONENT_NAME" VARCHAR2(32) NOT NULL,
- "SERVICE_NAME" VARCHAR2(64) NOT NULL,
- "RESOURCE_NAME_0" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_1" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_2" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_3" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_0" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_1" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_2" VARCHAR2(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_3" VARCHAR2(64) DEFAULT '__NULL__',
- "ACTION" VARCHAR2(32) NOT NULL,
- "SCOPE" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL
-);
-
-ALTER TABLE "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
- "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" ("COMPONENT_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" ("SERVICE_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "GM_PRIVILEGE_ID" NUMBER NOT NULL
-);
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") INITIALLY DEFERRED;
-
-CREATE TABLE "SENTRY_USER" (
- "USER_ID" NUMBER NOT NULL,
- "USER_NAME" VARCHAR2(128) NOT NULL,
- "CREATE_TIME" NUMBER NOT NULL
-);
-
-ALTER TABLE "SENTRY_USER"
- ADD CONSTRAINT "SENTRY_USER_PK" PRIMARY KEY ("USER_ID");
-
-ALTER TABLE "SENTRY_USER"
- ADD CONSTRAINT "SENTRY_USER_USER_NAME_UNIQUE" UNIQUE ("USER_NAME");
-
-CREATE TABLE "SENTRY_ROLE_USER_MAP" (
- "ROLE_ID" NUMBER NOT NULL,
- "USER_ID" NUMBER NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR2(128)
-);
-
-ALTER TABLE "SENTRY_ROLE_USER_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_USER_MAP_PK" PRIMARY KEY ("ROLE_ID","USER_ID");
-
-ALTER TABLE "SENTRY_ROLE_USER_MAP"
- ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
-
-ALTER TABLE "SENTRY_ROLE_USER_MAP"
- ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_USER_FK"
- FOREIGN KEY ("USER_ID") REFERENCES "SENTRY_USER"("USER_ID") INITIALLY DEFERRED;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.4.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.4.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.4.0.sql
deleted file mode 100644
index 5dfae03..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.4.0.sql
+++ /dev/null
@@ -1,124 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
-START TRANSACTION;
-
-SET statement_timeout = 0;
-SET client_encoding = 'UTF8';
-SET standard_conforming_strings = off;
-SET check_function_bodies = false;
-SET client_min_messages = warning;
-SET escape_string_warning = off;
-SET search_path = public, pg_catalog;
-SET default_tablespace = '';
-SET default_with_oids = false;
-
-CREATE TABLE "SENTRY_DB_PRIVILEGE" (
- "DB_PRIVILEGE_ID" BIGINT NOT NULL,
- "PRIVILEGE_NAME" character varying(4000) NOT NULL,
- "PRIVILEGE_SCOPE" character varying(32) NOT NULL,
- "SERVER_NAME" character varying(128) NOT NULL,
- "DB_NAME" character varying(128) DEFAULT NULL::character varying,
- "TABLE_NAME" character varying(128) DEFAULT NULL::character varying,
- "URI" character varying(4000) DEFAULT NULL::character varying,
- "ACTION" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" VARCHAR(128) NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE" (
- "ROLE_ID" BIGINT NOT NULL,
- "ROLE_NAME" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" character varying(128) NOT NULL
-);
-
-CREATE TABLE "SENTRY_GROUP" (
- "GROUP_ID" BIGINT NOT NULL,
- "GROUP_NAME" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" character varying(128) NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "DB_PRIVILEGE_ID" BIGINT NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "GROUP_ID" BIGINT NOT NULL
-);
-
-CREATE TABLE "SENTRY_VERSION" (
- "VER_ID" bigint,
- "SCHEMA_VERSION" character varying(127) NOT NULL,
- "VERSION_COMMENT" character varying(255) NOT NULL
-);
-
-
-ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
-
-ALTER TABLE ONLY "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
-
-ALTER TABLE ONLY "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
-
-ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
-
-ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("PRIVILEGE_NAME");
-
-CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME");
-
-CREATE INDEX "SENTRY_PRIV_DB_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("DB_NAME");
-
-CREATE INDEX "SENTRY_PRIV_TBL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("TABLE_NAME");
-
-CREATE INDEX "SENTRY_PRIV_URI_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("URI");
-
-ALTER TABLE ONLY "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
-
-ALTER TABLE ONLY "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_DB_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
-
-ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
- FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") DEFERRABLE;
-
-INSERT INTO "SENTRY_VERSION" ("VER_ID", "SCHEMA_VERSION", "VERSION_COMMENT") VALUES (1, '1.4.0', 'Sentry release version 1.4.0');
-
-COMMIT;
[03/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
new file mode 100644
index 0000000..ef3bb4f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
@@ -0,0 +1,1102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeMap;
+
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.AccessURI;
+import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.core.model.db.Table;
+import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+
+
+public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
+
+ @Test
+ public void testCreateDropShowRole() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ String roleName = "admin_r";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+
+ client.createRole(requestorUserName, roleName);
+
+ Set<TSentryRole> roles = client.listRoles(requestorUserName);
+ assertEquals("Incorrect number of roles", 1, roles.size());
+
+ for (TSentryRole role:roles) {
+ assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+ }
+ client.dropRole(requestorUserName, roleName);
+ }});
+ }
+
+ @Test
+ public void testGranRevokePrivilegeOnTableForRole() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
+
+
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
+
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertEquals("Privilege not assigned to role1 !!", 4, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertEquals("Privilege not assigned to role2 !!", 4, listPrivilegesByRoleName.size());
+
+
+ client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
+
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
+
+ client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+ client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+ client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
+
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
+ }});
+ }
+
+ @Test
+ public void testAddDeleteRolesForUser() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+
+ // user1->group1
+ // user2->group1
+ // user3->group1, group2
+ // user4->group2, group3
+ // group1->r1
+ // group2->r2
+ // group3->r2
+ // user2->r3
+ // user4->r3
+ String roleName1 = "r1";
+ String roleName2 = "r2";
+ String roleName3 = "r3";
+ String user1 = "u1";
+ String user2 = "u2";
+ String user3 = "u3";
+ String user4 = "u4";
+ String group1 = "g1";
+ String group2 = "g2";
+ String group3 = "g3";
+ Map<String, Set<String>> userToGroups = Maps.newHashMap();
+ userToGroups.put(user1, Sets.newHashSet(group1));
+ userToGroups.put(user2, Sets.newHashSet(group1));
+ userToGroups.put(user3, Sets.newHashSet(group1, group2));
+ userToGroups.put(user4, Sets.newHashSet(group2, group3));
+
+ setLocalGroupMapping(user1, Sets.newHashSet(group1));
+ setLocalGroupMapping(user2, Sets.newHashSet(group1));
+ setLocalGroupMapping(user3, Sets.newHashSet(group1, group2));
+ setLocalGroupMapping(user4, Sets.newHashSet(group2, group3));
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.dropRoleIfExists(requestorUserName, roleName3);
+ client.createRole(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName3);
+
+ client.grantRoleToGroup(requestorUserName, group1, roleName1);
+ client.grantRoleToUser(requestorUserName, user2, roleName2);
+ client.grantRoleToUser(requestorUserName, user3, roleName2);
+ client.grantRoleToUser(requestorUserName, user2, roleName3);
+ client.grantRoleToUsers(requestorUserName, roleName3, Sets.newHashSet(user4));
+ // following test cases also test the grantRoleToUser() and grantRoleToUsers() implicity
+ // admin always can get the role list
+ Set<TSentryRole> roles = client.listRolesByUserName(requestorUserName, user1);
+ assertEquals(0, roles.size());
+ // the role list includes the role for user and the role for user's group
+ roles = client.listRolesByUserName(requestorUserName, user2);
+ assertEquals(2, roles.size());
+ for (TSentryRole role : roles) {
+ assertTrue(roleName2.equals(role.getRoleName()) || roleName3.equals(role.getRoleName()));
+ }
+ // user has 2 groups whose role list are different
+ roles = client.listRolesByUserName(requestorUserName, user3);
+ assertEquals(1, roles.size());
+ for (TSentryRole role : roles) {
+ assertTrue(roleName2.equals(role.getRoleName()));
+ }
+ // user has 2 groups whose role list are the same
+ roles = client.listRolesByUserName(requestorUserName, user4);
+ assertEquals(1, roles.size());
+ for (TSentryRole role : roles) {
+ assertTrue(roleName3.equals(role.getRoleName()));
+ }
+ // user can get his own role list if he isn't an admin
+ roles = client.listRolesByUserName(user3, user3);
+ assertEquals(1, roles.size());
+ // user can't get other's role list if he isn't an admin
+ try {
+ client.listRolesByUserName(user3, user2);
+ fail("SentryAccessDeniedException should be caught.");
+ } catch (SentryAccessDeniedException e) {
+ // excepted exception
+ }
+ // the user's name can't be empty
+ try {
+ client.listRolesByUserName(user3, "");
+ fail("SentryAccessDeniedException should be caught.");
+ } catch (SentryAccessDeniedException e) {
+ // excepted exception
+ }
+ client.revokeRoleFromUser(requestorUserName, user2, roleName3);
+ client.revokeRoleFromUsers(requestorUserName, roleName3, Sets.newHashSet(user4));
+ // test the result of revokeRoleFromUser() and revokeRoleFromUsers()
+ roles = client.listRolesByUserName(requestorUserName, user2);
+ assertEquals(1, roles.size());
+ for (TSentryRole role : roles) {
+ assertTrue(roleName2.equals(role.getRoleName()));
+ }
+ roles = client.listRolesByUserName(requestorUserName, user4);
+ assertEquals(0, roles.size());
+ }
+ });
+ }
+
+ @Test
+ public void testGranRevokePrivilegeForRoleWithUG() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+
+ // user1_1->group1
+ // user1_2->group1
+ // user2_1->group2
+ // user2_2->group2
+ // group1->r1
+ // group2->r2
+ // user1_1->r3
+ // user2_1->r4
+ String roleName1 = "r1";
+ String roleName2 = "r2";
+ String roleName3 = "r3";
+ String roleName4 = "r4";
+ String user1_1 = "u1_1";
+ String user1_2 = "u1_2";
+ String user2_1 = "u2_1";
+ String user2_2 = "u2_2";
+ String group1 = "g1";
+ String group2 = "g2";
+ Map<String, String> userToGroup = Maps.newHashMap();
+ userToGroup.put(user1_1, group1);
+ userToGroup.put(user1_2, group1);
+ userToGroup.put(user2_1, group2);
+ userToGroup.put(user2_2, user2_1);
+
+ Set<String> groupSet = Sets.newHashSet(group1);
+ setLocalGroupMapping(user1_1, groupSet);
+ setLocalGroupMapping(user1_2, groupSet);
+ groupSet = Sets.newHashSet(group2);
+ setLocalGroupMapping(user2_1, groupSet);
+ setLocalGroupMapping(user2_2, groupSet);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.dropRoleIfExists(requestorUserName, roleName3);
+ client.dropRoleIfExists(requestorUserName, roleName4);
+ client.createRole(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName3);
+ client.createRole(requestorUserName, roleName4);
+
+ client.grantRoleToGroup(requestorUserName, group1, roleName1);
+ client.grantRoleToGroup(requestorUserName, group2, roleName2);
+ client.grantRoleToUser(requestorUserName, user1_1, roleName3);
+ client.grantRoleToUsers(requestorUserName, roleName4, Sets.newHashSet(user2_1));
+
+ client
+ .grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1_1", "ALL");
+ client
+ .grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1_2", "ALL");
+ client
+ .grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2_1", "ALL");
+ client
+ .grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2_2", "ALL");
+ client
+ .grantTablePrivilege(requestorUserName, roleName3, "server", "db1", "table3_1", "ALL");
+ client
+ .grantTablePrivilege(requestorUserName, roleName3, "server", "db1", "table3_2", "ALL");
+ client
+ .grantTablePrivilege(requestorUserName, roleName4, "server", "db1", "table4_1", "ALL");
+ client
+ .grantTablePrivilege(requestorUserName, roleName4, "server", "db1", "table4_2", "ALL");
+
+ Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(
+ Sets.newHashSet(group1), Sets.newHashSet(""), ActiveRoleSet.ALL, (Authorizable[]) null);
+ assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
+ "server=server->db=db1->table=table1_1->action=all",
+ "server=server->db=db1->table=table1_2->action=all"), listPrivilegesForProvider);
+
+ listPrivilegesForProvider = client.listPrivilegesForProvider(
+ Sets.newHashSet(userToGroup.get(user1_2)),
+ Sets.newHashSet(user1_2), ActiveRoleSet.ALL, (Authorizable[]) null);
+ assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
+ "server=server->db=db1->table=table1_1->action=all",
+ "server=server->db=db1->table=table1_2->action=all"), listPrivilegesForProvider);
+
+ listPrivilegesForProvider = client.listPrivilegesForProvider(
+ Sets.newHashSet(userToGroup.get(user1_1)),
+ Sets.newHashSet(user1_1), ActiveRoleSet.ALL, (Authorizable[]) null);
+ assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
+ "server=server->db=db1->table=table1_1->action=all",
+ "server=server->db=db1->table=table1_2->action=all",
+ "server=server->db=db1->table=table3_1->action=all",
+ "server=server->db=db1->table=table3_2->action=all"), listPrivilegesForProvider);
+
+ listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1),
+ Sets.newHashSet(user1_1, user1_2), ActiveRoleSet.ALL, (Authorizable[]) null);
+ assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
+ "server=server->db=db1->table=table1_1->action=all",
+ "server=server->db=db1->table=table1_2->action=all",
+ "server=server->db=db1->table=table3_1->action=all",
+ "server=server->db=db1->table=table3_2->action=all"), listPrivilegesForProvider);
+
+ listPrivilegesForProvider = client.listPrivilegesForProvider(
+ Sets.newHashSet(group1, group2), Sets.newHashSet(user1_1, user1_2, user2_1, user2_2),
+ ActiveRoleSet.ALL, (Authorizable[]) null);
+ assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
+ "server=server->db=db1->table=table1_1->action=all",
+ "server=server->db=db1->table=table1_2->action=all",
+ "server=server->db=db1->table=table2_1->action=all",
+ "server=server->db=db1->table=table2_2->action=all",
+ "server=server->db=db1->table=table3_1->action=all",
+ "server=server->db=db1->table=table3_2->action=all",
+ "server=server->db=db1->table=table4_1->action=all",
+ "server=server->db=db1->table=table4_2->action=all"), listPrivilegesForProvider);
+
+ client.revokeRoleFromUser(requestorUserName, user1_1, roleName3);
+ client.revokeRoleFromUsers(requestorUserName, roleName4, Sets.newHashSet(user2_1));
+ }
+ });
+ }
+
+ @Test
+ public void testMultipleRolesSamePrivilege() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL");
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
+
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
+ }});
+ }
+
+ @Test
+ public void testShowRoleGrant() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ String roleName = "admin_testdb";
+ String groupName = "group1";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+
+ Set<TSentryRole> roles = client.listRoles(requestorUserName);
+ assertEquals("Incorrect number of roles", 1, roles.size());
+
+ client.grantRoleToGroup(requestorUserName, groupName, roleName);
+ Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName);
+ assertTrue(groupRoles.size() == 1);
+ for (TSentryRole role:groupRoles) {
+ assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+ assertTrue(role.getGroups().size() == 1);
+ for (TSentryGroup group :role.getGroups()) {
+ assertTrue(group.getGroupName(), group.getGroupName().equalsIgnoreCase(groupName));
+ }
+ }
+
+ client.dropRole(requestorUserName, roleName);
+ }});
+ }
+
+ @Test
+ public void testShowGrant() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ String roleName = "admin_testdb";
+ String server = "server1";
+ String db = "testDB";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+
+ Set<TSentryRole> roles = client.listRoles(requestorUserName);
+ assertEquals("Incorrect number of roles", 1, roles.size());
+
+ client.grantDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
+ Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
+ assertTrue(privileges.size() == 1);
+
+ client.revokeDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
+ client.dropRole(requestorUserName, roleName);
+ }});
+ }
+
+ //See SENTRY-166
+ @Test
+ public void testUriWithEquals() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ String roleName = "admin_testdb";
+ String server = "server1";
+ String uri = "file://u/w/h/t/partition=value/";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ // Creating associated role
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+ Set<TSentryRole> roles = client.listRoles(requestorUserName);
+ assertEquals("Incorrect number of roles", 1, roles.size());
+
+ client.grantURIPrivilege(requestorUserName, roleName, server, uri);
+ Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
+ assertTrue(privileges.size() == 1);
+
+ // Revoking the same privilege
+ client.revokeURIPrivilege(requestorUserName, roleName, server, uri);
+ privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
+ assertTrue(privileges.size() == 0);
+
+ // Clean up
+ client.dropRole(requestorUserName, roleName);
+ }});
+ }
+
+
+ //See SENTRY-181
+ @Test
+ public void testSameGrantTwice() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r1";
+
+ client.createRole(requestorUserName, roleName);
+ client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL");
+ assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+ }});
+ }
+
+ @Test
+ public void testGrantRevokeWithGrantOption() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // Grant a privilege with Grant Option
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r1";
+ boolean grantOption = true;
+ boolean withoutGrantOption = false;
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+
+ client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
+ assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+
+ // Try to revoke the privilege without grantOption and can't revoke the privilege.
+ client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption);
+ assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+
+ // Try to revoke the privilege with grantOption, the privilege will be revoked.
+ client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
+ assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+ }});
+ }
+
+ @Test
+ public void testGrantTwoPrivilegeDiffInGrantOption() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // Grant a privilege with 'Grant Option'.
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r1";
+ boolean grantOption = true;
+ boolean withoutGrantOption = false;
+
+ client.dropRoleIfExists(requestorUserName, roleName);
+ client.createRole(requestorUserName, roleName);
+
+ client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
+ assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+
+ // Grant a privilege without 'Grant Option'.
+ client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption);
+ assertEquals(2, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+
+ // Use 'grantOption = null', the two privileges will be revoked.
+ client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", null);
+ assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
+ }});
+ }
+
+ @Test
+ public void testGranRevokePrivilegeOnColumnForRole() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+
+ client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col2", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col1", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col2", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL");
+
+
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col1", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col2", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL");
+ client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL");
+
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertEquals("Privilege not assigned to role1 !!", 6, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertEquals("Privilege not assigned to role2 !!", 6, listPrivilegesByRoleName.size());
+
+
+ client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 6);
+
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
+
+ client.revokeDatabasePrivilege(requestorUserName, roleName1, "server", "db1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 2);
+ client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL");
+ client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
+
+ client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL");
+ client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL");
+ client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL");
+ client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
+ assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
+ }});
+ }
+
+ @Test
+ public void testListByAuthDB() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ String roleName1 = "role1";
+ String roleName2 = "role2";
+ Set<String> testRoleSet = Sets.newHashSet(roleName1, roleName2);
+ String group1 = "group1";
+ String group2 = "group2";
+ Set<String> testGroupSet = Sets.newHashSet(group1, group2);
+ String server = "server1";
+ String db = "testDB";
+ String db2 = "testDB2";
+ String tab = "testTab";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ String group1user = "group1user";
+ setLocalGroupMapping(group1user, Sets.newHashSet(group1));
+ String group2user = "group2user";
+ setLocalGroupMapping(group2user, Sets.newHashSet(group2));
+ setLocalGroupMapping("random", Sets.newHashSet("foo"));
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ TSentryPrivilege role1db1 = client.grantDatabasePrivilege(
+ requestorUserName, roleName1, server, db, AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
+ AccessConstants.ALL);
+ client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab,
+ AccessConstants.SELECT);
+ client.grantURIPrivilege(requestorUserName, roleName1, server, "hdfs:///fooUri");
+ client.grantRoleToGroup(requestorUserName, group1, roleName1);
+
+ TSentryPrivilege role2db1 = client.grantDatabasePrivilege(
+ requestorUserName, roleName2, server, db,
+ AccessConstants.ALL);
+ client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
+ AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
+ AccessConstants.ALL);
+ client.grantRoleToGroup(requestorUserName, group2, roleName2);
+
+ // build expected output
+ TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
+ new TreeMap<String, Set<TSentryPrivilege>>());
+ db1RoleToPrivMap.getPrivilegeMap()
+ .put(roleName1, Sets.newHashSet(role1db1));
+ db1RoleToPrivMap.getPrivilegeMap()
+ .put(roleName2, Sets.newHashSet(role2db1));
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
+ .newTreeMap();
+ List<? extends Authorizable> db1Authrizable = Lists.newArrayList(
+ new Server(server), new Database(db));
+ expectedResults.put(
+ SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable),
+ db1RoleToPrivMap);
+
+ Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
+ authorizableSet.add(db1Authrizable);
+
+ // verify for null group and null roleset
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
+ .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify for null group and specific roleset
+ authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
+ null, new ActiveRoleSet(testRoleSet));
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify for null group and specific roleset
+ authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null,
+ ActiveRoleSet.ALL);
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify for specific group and null roleset
+ authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
+ testGroupSet, null);
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify for specific group and specific roleset
+ authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
+ testGroupSet, new ActiveRoleSet(testRoleSet));
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify for specific group and ALL roleset
+ authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
+ testGroupSet, ActiveRoleSet.ALL);
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify users not belonging to any group are not shown anything
+ authPrivMap = client
+ .listPrivilegsbyAuthorizable("random", authorizableSet,
+ new HashSet<String>(), ActiveRoleSet.ALL);
+ expectedResults.clear();
+ expectedResults.put(
+ SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable),
+ new TSentryPrivilegeMap(new HashMap<String, Set<TSentryPrivilege>>()));
+ assertEquals(expectedResults, authPrivMap);
+ }});
+ }
+
+ @Test
+ public void testListByAuthTab() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ String roleName1 = "role1";
+ String roleName2 = "role2";
+ String server = "server1";
+ String db = "testDB";
+ String db2 = "testDB2";
+ String tab = "testTab";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ client.grantDatabasePrivilege(
+ requestorUserName, roleName1, server, db, AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
+ AccessConstants.ALL);
+ TSentryPrivilege role1db2tab = client.grantTablePrivilege(
+ requestorUserName, roleName1, server, db2, tab,
+ AccessConstants.SELECT);
+
+ client.grantDatabasePrivilege(
+ requestorUserName, roleName2, server, db,
+ AccessConstants.ALL);
+ client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
+ AccessConstants.SELECT);
+ TSentryPrivilege role2db2tab = client.grantTablePrivilege(
+ requestorUserName, roleName2, server, db2, tab,
+ AccessConstants.ALL);
+ client.grantURIPrivilege(requestorUserName, roleName1, server,
+ "hdfs:///fooUri");
+
+ // build expected output
+ TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
+ new TreeMap<String, Set<TSentryPrivilege>>());
+ db1RoleToPrivMap.getPrivilegeMap().put(roleName1,
+ Sets.newHashSet(role1db2tab));
+ db1RoleToPrivMap.getPrivilegeMap().put(roleName2,
+ Sets.newHashSet(role2db2tab));
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
+ .newTreeMap();
+ List<? extends Authorizable> db2TabAuthrizable = Lists.newArrayList(
+ new Server(server), new Database(db2), new Table(tab));
+ expectedResults.put(
+ SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthrizable),
+ db1RoleToPrivMap);
+
+ Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
+ authorizableSet.add(db2TabAuthrizable);
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
+ .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
+
+ assertEquals(expectedResults, authPrivMap);
+ }});
+ }
+
+ @Test
+ public void testListByAuthUri() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ String roleName1 = "role1";
+ String roleName2 = "role2";
+ String server = "server1";
+ String db = "testDB";
+ String db2 = "testDB2";
+ String tab = "testTab";
+ String uri1 = "hdfs:///fooUri";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ client.grantDatabasePrivilege(requestorUserName, roleName1, server, db,
+ AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
+ AccessConstants.ALL);
+ client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab,
+ AccessConstants.SELECT);
+ TSentryPrivilege role1uri1 = client.grantURIPrivilege(requestorUserName,
+ roleName1, server, uri1);
+
+ client.grantDatabasePrivilege(requestorUserName, roleName2, server, db,
+ AccessConstants.ALL);
+ client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
+ AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
+ AccessConstants.ALL);
+ TSentryPrivilege role2uri2 = client.grantURIPrivilege(requestorUserName,
+ roleName2, server, uri1);
+
+ // build expected output
+ TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
+ new TreeMap<String, Set<TSentryPrivilege>>());
+ db1RoleToPrivMap.getPrivilegeMap().put(roleName1,
+ Sets.newHashSet(role1uri1));
+ db1RoleToPrivMap.getPrivilegeMap().put(roleName2,
+ Sets.newHashSet(role2uri2));
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
+ .newTreeMap();
+ List<? extends Authorizable> uri1Authrizable = Lists.newArrayList(
+ new Server(server), new AccessURI(uri1));
+ expectedResults.put(
+ SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(uri1Authrizable),
+ db1RoleToPrivMap);
+
+ Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
+ authorizableSet.add(uri1Authrizable);
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
+ .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
+
+ assertEquals(expectedResults, authPrivMap);
+ }});
+ }
+
+ /**
+ * List privileges by authorizables executed by non-admin user
+ * Test various positive and negative cases for non-admin user
+ * @throws Exception
+ */
+ @Test
+ public void testListByAuthTabForNonAdmin() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ String user1 = "user1";
+ String group1 = "group1";
+ String group2 = "group2";
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ Set<String> userGroupNames1 = Sets.newHashSet(group1);
+ Set<String> userGroupNames2 = Sets.newHashSet(group2);
+ String roleName1 = "role1";
+ String roleName2 = "role2";
+ String server = "server1";
+ String db = "testDB";
+ String db2 = "testDB2";
+ String tab = "testTab";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ setLocalGroupMapping(user1, userGroupNames1);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+
+ client.grantDatabasePrivilege(requestorUserName, roleName1, server, db,
+ AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
+ AccessConstants.ALL);
+ TSentryPrivilege role1db2tab = client.grantTablePrivilege(
+ requestorUserName, roleName1, server, db2, tab, AccessConstants.SELECT);
+ client.grantRoleToGroup(requestorUserName, group1, roleName1);
+
+ client.grantDatabasePrivilege(requestorUserName, roleName2, server, db,
+ AccessConstants.ALL);
+ client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
+ AccessConstants.SELECT);
+ client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
+ AccessConstants.ALL);
+ client.grantURIPrivilege(requestorUserName, roleName1, server,
+ "hdfs:///fooUri");
+
+ // build expected output. user1 should see privileges on tab1 from role1
+ TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
+ new TreeMap<String, Set<TSentryPrivilege>>());
+ db1RoleToPrivMap.getPrivilegeMap().put(roleName1, Sets.newHashSet(role1db2tab));
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps.newTreeMap();
+ List<? extends Authorizable> db2TabAuthorizable = Lists.newArrayList(
+ new Server(server), new Database(db2), new Table(tab));
+ expectedResults.put(
+ SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthorizable),
+ db1RoleToPrivMap);
+
+ Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
+ authorizableSet.add(db2TabAuthorizable);
+
+ // list privileges with null group and roles
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
+ .listPrivilegsbyAuthorizable(user1, authorizableSet, null, null);
+ assertEquals(expectedResults, authPrivMap);
+
+ // list privileges with empty group set and null roles
+ authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
+ new HashSet<String>(), null);
+ assertEquals(expectedResults, authPrivMap);
+
+ // list privileges with null group set and ALL roleset
+ authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
+ null, new ActiveRoleSet(true));
+ assertEquals(expectedResults, authPrivMap);
+
+ // list privileges with user1's group set and null roles
+ authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
+ userGroupNames1, null);
+ assertEquals(expectedResults, authPrivMap);
+
+ // list privileges with user1's group set and ALL roles
+ authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
+ userGroupNames1, new ActiveRoleSet(true));
+ assertEquals(expectedResults, authPrivMap);
+
+ // list privileges with null group and user's specific roles with uppercase name
+ authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
+ null, new ActiveRoleSet(Sets.newHashSet(roleName1.toUpperCase())));
+ assertEquals(expectedResults, authPrivMap);
+
+ // verify that user1 can't query group2
+ try {
+ client.listPrivilegsbyAuthorizable(user1, authorizableSet, userGroupNames2, null);
+ fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + group2);
+ } catch (SentryAccessDeniedException e) {
+ // expected
+ }
+
+ // verify that user1 can't query role2
+ ActiveRoleSet roleSet2 = new ActiveRoleSet(Sets.newHashSet(roleName2));
+ try {
+ client.listPrivilegsbyAuthorizable(user1, authorizableSet, null, roleSet2);
+ fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + roleName2);
+ } catch (SentryAccessDeniedException e) {
+ // expected
+ }
+ }});
+ }
+
+ /**
+ * Attempt to access a configuration value that is forbidden in getConfigVal
+ * @param configVal The banned value
+ * @param defaultVal A default to pass to getConfigValue
+ * @throws Exception
+ */
+ private void checkBannedConfigVal(final String configVal, final String defaultVal)
+ throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ try {
+ client.getConfigValue(configVal, defaultVal);
+ fail("Attempt to access " + configVal + " succeeded");
+ } catch (SentryAccessDeniedException e) {
+ assertTrue(e.toString().contains("was denied"));
+ assertTrue(e.toString().contains(configVal));
+ }
+ }});
+ }
+
+ @Test
+ public void testGetConfigVal() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ String val;
+
+ // Basic success case
+ val = client.getConfigValue("sentry.service.admin.group", "xxx");
+ assertEquals(val, "admin_group");
+
+ // Undefined value gets the default back
+ val = client.getConfigValue("sentry.this.is.not.defined", "hello");
+ assertEquals(val, "hello");
+
+ // Undefined value and null default gets null back
+ val = client.getConfigValue("sentry.this.is.not.defined", null);
+ assertEquals(val, null);
+
+ // Known config value with null default works as expected
+ val = client.getConfigValue("sentry.service.admin.group", null);
+ assertEquals(val, "admin_group");
+
+ // Value that is forbidden (anything not starting with "sentry") dies
+ checkBannedConfigVal("notsentry", "xxx");
+
+ // Ditto with a null default
+ checkBannedConfigVal("notsentry", null);
+
+ // Values with .jdbc. are forbidden
+ checkBannedConfigVal("sentry.xxx.jdbc.xxx", null);
+
+ // Values with password are forbidden
+ checkBannedConfigVal("sentry.xxx.password", null);
+
+ // Attempt to get the location of the keytab also fails
+ checkBannedConfigVal("sentry.service.server.keytab", null);
+
+ }});
+ }
+
+ /* SENTRY-841 */
+ @Test
+ public void testGranRevokePrivilegeOnServerForRole() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ String roleName1 = "admin_r1";
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+
+ client.grantServerPrivilege(requestorUserName, roleName1, "server", false);
+
+ Set<TSentryPrivilege> listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege should be all:",listPrivs.iterator().next().getAction().equals("*"));
+
+ client.revokeServerPrivilege(requestorUserName, roleName1, "server", false);
+ listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivs.size() == 0);
+
+ }});
+ }
+
+ @Test
+ public void testGranRevokePrivilegeWithoutAction() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ String roleName1 = "admin_r1";
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+ client.grantServerPrivilege(requestorUserName, roleName1, "server1", false);
+
+ Set<TSentryPrivilege> listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege should be all:", listPrivs.iterator().next().getAction().equals("*"));
+
+ client.revokeServerPrivilege(requestorUserName, roleName1, "server1", "ALL", false);
+ listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivs.size() == 0);
+
+ }});
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithInvalidMsgSize.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithInvalidMsgSize.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithInvalidMsgSize.java
new file mode 100644
index 0000000..b7d0b88
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithInvalidMsgSize.java
@@ -0,0 +1,119 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import com.google.common.collect.Sets;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.service.thrift.SentryServiceClientFactory;
+import org.apache.sentry.service.thrift.SentryServiceFactory;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.util.Set;
+
+/**
+ * Test sentry service with a larger message size than the server's or client's thrift max message size.
+ */
+public class TestSentryServiceWithInvalidMsgSize extends SentryServiceIntegrationBase {
+ private final Set<String> REQUESTER_USER_GROUP_NAMES = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ private final String ROLE_NAME = "admin_r";
+
+ /**
+ * Test the case when the message size is larger than the client's thrift max message size.
+ */
+ @Test
+ public void testClientWithSmallMaxMsgSize() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Configuration confWithSmallMaxMsgSize = new Configuration(SentryServiceIntegrationBase.conf);
+ confWithSmallMaxMsgSize.setLong(ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE, 20);
+ // create a client with a small thrift max message size
+ SentryPolicyServiceClient clientWithSmallMaxMsgSize = SentryServiceClientFactory.create(confWithSmallMaxMsgSize);
+
+ setLocalGroupMapping(SentryServiceIntegrationBase.ADMIN_USER, REQUESTER_USER_GROUP_NAMES);
+ writePolicyFile();
+
+ boolean exceptionThrown = false;
+ try {
+ // client throws exception when message size is larger than the client's thrift max message size.
+ clientWithSmallMaxMsgSize.listRoles(SentryServiceIntegrationBase.ADMIN_USER);
+ } catch (SentryUserException e) {
+ exceptionThrown = true;
+ Assert.assertTrue(e.getMessage().contains("Thrift exception occurred"));
+ Assert.assertTrue(e.getCause().getMessage().contains("Length exceeded max allowed"));
+ } finally {
+ Assert.assertEquals(true, exceptionThrown);
+ clientWithSmallMaxMsgSize.close();
+ }
+
+ // client can still talk with sentry server when message size is smaller.
+ client.dropRoleIfExists(SentryServiceIntegrationBase.ADMIN_USER, ROLE_NAME);
+ client.listRoles(SentryServiceIntegrationBase.ADMIN_USER);
+ client.createRole(SentryServiceIntegrationBase.ADMIN_USER, ROLE_NAME);
+ client.listRoles(SentryServiceIntegrationBase.ADMIN_USER);
+ }
+ });
+ }
+
+ /**
+ * Test the case when the message size is larger than the server's thrift max message size.
+ */
+ @Test
+ public void testServerWithSmallMaxMsgSize() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Configuration confWithSmallMaxMsgSize = new Configuration(SentryServiceIntegrationBase.conf);
+ confWithSmallMaxMsgSize.setLong(ServiceConstants.ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE,
+ 50);
+ stopSentryService();
+
+ // create a server with a small max thrift message size
+ SentryServiceIntegrationBase.server = new SentryServiceFactory().create(confWithSmallMaxMsgSize);
+ SentryServiceIntegrationBase.startSentryService();
+
+ setLocalGroupMapping(SentryServiceIntegrationBase.ADMIN_USER, REQUESTER_USER_GROUP_NAMES);
+ writePolicyFile();
+
+ // client can talk with server when message size is smaller.
+ client.listRoles(SentryServiceIntegrationBase.ADMIN_USER);
+ client.createRole(SentryServiceIntegrationBase.ADMIN_USER, ROLE_NAME);
+
+ boolean exceptionThrown = false;
+ try {
+ // client throws exception when message size is larger than the server's thrift max message size.
+ client.grantServerPrivilege(SentryServiceIntegrationBase.ADMIN_USER, ROLE_NAME, "server", false);
+ } catch (SentryUserException e) {
+ exceptionThrown = true;
+ Assert.assertTrue(e.getMessage().contains("org.apache.thrift.transport.TTransportException"));
+ } finally {
+ Assert.assertEquals(true, exceptionThrown);
+ }
+
+ // client can still talk with sentry server when message size is smaller.
+ Set<TSentryRole> roles = client.listRoles(SentryServiceIntegrationBase.ADMIN_USER);
+ Assert.assertTrue(roles.size() == 1);
+ Assert.assertEquals(ROLE_NAME, roles.iterator().next().getRoleName());
+ }
+ });
+ }
+}
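Review bot: Asserting `exceptionThrown` inside `finally` (in both tests) masks the real failure: if listRoles or grantServerPrivilege throws anything other than SentryUserException, the AssertionError raised from the finally block replaces the original exception in the report. Drop the flag and put `fail("expected the call to exceed the thrift max message size");` directly after the call inside the try, keeping only `clientWithSmallMaxMsgSize.close()` in finally. Separately, testServerWithSmallMaxMsgSize replaces the shared static `server` with the 50-byte instance and never restores it, so depending on JUnit's method order testClientWithSmallMaxMsgSize's createRole calls may run against that reduced limit; restore the original server in a finally block or an @After. `e.getCause().getMessage()` would also NPE rather than fail clearly if the cause is ever null.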
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
new file mode 100644
index 0000000..26cee46
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ * Test various kerberos related stuff on the SentryService side
+ */
+public class TestSentryServiceWithKerberos extends SentryServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.SERVER_KERBEROS_NAME = "sentry/_HOST@" + SentryServiceIntegrationBase.REALM;
+ SentryServiceIntegrationBase.setup();
+ }
+
+ @Override
+ @Before
+ public void before() throws Exception {
+ }
+
+ @Override
+ @After
+ public void after() {
+ }
+
+ /**
+ * Test that we are correctly substituting "_HOST" if/when needed.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testHostSubstitution() throws Exception {
+ // We just need to ensure that we are able to correct connect to the server
+ connectToSentryService();
+ }
+
+}
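Review bot: The overridden `before()` and `after()` are empty without saying why, so a reader cannot tell whether skipping the base class's per-test setup is deliberate; add a comment on each such as `// intentionally empty: per-test setup from SentryServiceIntegrationBase is not needed, the test only checks that the _HOST principal can connect`. `setup()` also assigns `SentryServiceIntegrationBase.SERVER_KERBEROS_NAME` statically and nothing restores it, which matters if another test class in the same JVM relies on the default; stating that assumption in the class Javadoc would help.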
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
new file mode 100644
index 0000000..a82cbde
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
@@ -0,0 +1,136 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import static org.junit.Assert.fail;
+
+import java.io.File;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashSet;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.login.LoginContext;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
+import org.apache.sentry.service.thrift.KerberosConfiguration;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.Sets;
+
+public class TestSentryWebServerWithKerberos extends SentryServiceIntegrationBase {
+
+ private static Logger LOG = LoggerFactory.getLogger(TestSentryWebServerWithKerberos.class);
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.webServerEnabled = true;
+ SentryServiceIntegrationBase.webSecurity = true;
+ SentryServiceIntegrationBase.setup();
+ }
+
+ @Override
+ @Before
+ public void before() throws Exception {
+ }
+
+ @Override
+ @After
+ public void after() {
+ }
+
+ @Test
+ public void testPing() throws Exception {
+ SentryServiceIntegrationBase.clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ final URL url = new URL("http://"+ SentryServiceIntegrationBase.SERVER_HOST + ":" + SentryServiceIntegrationBase.webServerPort + "/ping");
+ HttpURLConnection conn = new AuthenticatedURL(new KerberosAuthenticator()).
+ openConnection(url, new AuthenticatedURL.Token());
+ Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+ String response = IOUtils.toString(conn.getInputStream());
+ Assert.assertEquals("pong\n", response);
+ return null;
+ }} );
+ }
+
+ @Test
+ public void testPingWithoutSubject() throws Exception {
+ final URL url = new URL("http://"+ SentryServiceIntegrationBase.SERVER_HOST + ":" + SentryServiceIntegrationBase.webServerPort + "/ping");
+ try {
+ new AuthenticatedURL(new KerberosAuthenticator()).openConnection(url, new AuthenticatedURL.Token());
+ fail("Here should fail.");
+ } catch (Exception e) {
+ boolean isExpectError = e.getMessage().contains("No valid credentials provided");
+ Assert.assertTrue("Here should fail by 'No valid credentials provided'," +
+ " but the exception is:" + e, isExpectError);
+ }
+ }
+
+ @Test
+ public void testPingUsingHttpURLConnection() throws Exception {
+ final URL url = new URL("http://"+ SentryServiceIntegrationBase.SERVER_HOST + ":" + SentryServiceIntegrationBase.webServerPort + "/ping");
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
+ String errorMessage = IOUtils.toString(conn.getErrorStream());
+ Assert.assertTrue(errorMessage.contains("Authentication required"));
+ }
+
+ @Test
+ public void testPingWithUnauthorizedUser() throws Exception {
+ // create an unauthorized User with Kerberos
+ String userPrinciple = "user/" + SentryServiceIntegrationBase.SERVER_HOST;
+ String userKerberosName = userPrinciple + "@" + SentryServiceIntegrationBase.REALM;
+ Subject userSubject = new Subject(false, Sets.newHashSet(
+ new KerberosPrincipal(userKerberosName)), new HashSet<Object>(),new HashSet<Object>());
+ File userKeytab = new File(SentryServiceIntegrationBase.kdcWorkDir, "user.keytab");
+ SentryServiceIntegrationBase.kdc.createPrincipal(userKeytab, userPrinciple);
+ LoginContext userLoginContext = new LoginContext("", userSubject, null,
+ KerberosConfiguration.createClientConfig(userKerberosName, userKeytab));
+ userLoginContext.login();
+ Subject.doAs(userLoginContext.getSubject(), new PrivilegedExceptionAction<Void>() {
+ @Override
+ public Void run() throws Exception {
+ final URL url = new URL("http://"+ SentryServiceIntegrationBase.SERVER_HOST + ":" + SentryServiceIntegrationBase.webServerPort + "/ping");
+ try {
+ new AuthenticatedURL(new KerberosAuthenticator()).openConnection(url, new AuthenticatedURL.Token());
+ fail("Here should fail.");
+ } catch (AuthenticationException e) {
+ String expectedError = "status code: 403";
+ if (!e.getMessage().contains(expectedError)) {
+ LOG.error("UnexpectedError: " + e.getMessage(), e);
+ fail("UnexpectedError: " + e.getMessage());
+ }
+ }
+ return null;
+ }
+ });
+ }
+}
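Review bot: testPingWithUnauthorizedUser logs a throwaway principal in but never logs it out and never removes the `user.keytab` it writes into kdcWorkDir, so the credentials and key material outlive the test; wrap the `Subject.doAs(...)` in try/finally with `userLoginContext.logout();` and delete the keytab there as well. `IOUtils.toString(conn.getInputStream())` in testPing (and the getErrorStream call in testPingUsingHttpURLConnection) decodes the body with the platform default charset; pass `StandardCharsets.UTF_8` here and in the same calls in TestSentryWebServerWithSSL and TestSentryWebServerWithoutSecurity. The `LOG` field should be `final`.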
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
new file mode 100644
index 0000000..f32782f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import com.google.common.io.Resources;
+import org.apache.commons.io.IOUtils;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.*;
+
+import javax.net.ssl.HttpsURLConnection;
+import java.net.URL;
+import java.util.Properties;
+
+/**
+ * Test sentry web server when ssl is enabled.
+ */
+public class TestSentryWebServerWithSSL extends SentryServiceIntegrationBase {
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.webServerEnabled = true;
+ SentryServiceIntegrationBase.webSecurity = false;
+ SentryServiceIntegrationBase.useSSL = true;
+ SentryServiceIntegrationBase.setup();
+ }
+
+ @Test
+ public void testPing() throws Exception {
+ final URL url = new URL("https://"+ SentryServiceIntegrationBase.SERVER_HOST + ":" + SentryServiceIntegrationBase.webServerPort + "/ping");
+ Properties systemProps = System.getProperties();
+ systemProps.put( "javax.net.ssl.trustStore", Resources.getResource("cacerts.jks").getPath());
+ System.setProperties(systemProps);
+ HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
+ Assert.assertEquals(HttpsURLConnection.HTTP_OK, conn.getResponseCode());
+ String response = IOUtils.toString(conn.getInputStream());
+ Assert.assertEquals("pong\n", response);
+ }
+}
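Review bot: testPing changes the process-wide `javax.net.ssl.trustStore` and never restores it, so every later HTTPS connection in this JVM trusts the test CA; the `System.getProperties()` / `System.setProperties(systemProps)` round trip is also redundant because `put` already mutated the live property map. Use `System.setProperty("javax.net.ssl.trustStore", ...)`, keep the previous value, and restore it in an `@AfterClass`. `Resources.getResource("cacerts.jks").getPath()` only works while the resource is an unpacked file on disk and hands JSSE an unusable path (percent-encoded, or inside a jar) otherwise; copying the resource to a temp file would make the test robust to how it is run.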
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
new file mode 100644
index 0000000..a072709
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
@@ -0,0 +1,87 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestSentryWebServerWithoutSecurity extends SentryServiceIntegrationBase {
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.webServerEnabled = true;
+ SentryServiceIntegrationBase.webSecurity = false;
+ SentryServiceIntegrationBase.setup();
+ }
+
+ @Override
+ @Before
+ public void before() throws Exception {
+ }
+
+ @Override
+ @After
+ public void after() {
+ }
+
+ @Test
+ public void testPing() throws Exception {
+ final URL url = new URL("http://"+ SentryServiceIntegrationBase.SERVER_HOST + ":" + SentryServiceIntegrationBase.webServerPort + "/ping");
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+ String response = IOUtils.toString(conn.getInputStream());
+ Assert.assertEquals("pong\n", response);
+ }
+
+ @Test
+ public void testConf() throws Exception {
+ // test bad format
+ final URL url = new URL("http://" + SentryServiceIntegrationBase.SERVER_HOST + ":" + SentryServiceIntegrationBase.webServerPort + "/conf?"
+ + ConfServlet.FORMAT_PARAM + "=badformat");
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ Assert.assertEquals(HttpURLConnection.HTTP_BAD_REQUEST, conn.getResponseCode());
+
+ // test json format
+ final URL url1 = new URL("http://" + SentryServiceIntegrationBase.SERVER_HOST + ":" + SentryServiceIntegrationBase.webServerPort + "/conf?"
+ + ConfServlet.FORMAT_PARAM +"=" + ConfServlet.FORMAT_JSON);
+ conn = (HttpURLConnection) url1.openConnection();
+ Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+
+ // test xml format
+ final URL url2 = new URL("http://" + SentryServiceIntegrationBase.SERVER_HOST + ":" + SentryServiceIntegrationBase.webServerPort + "/conf?"
+ + ConfServlet.FORMAT_PARAM +"=" + ConfServlet.FORMAT_XML);
+ conn = (HttpURLConnection) url2.openConnection();
+ Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+ String xmlResponse = IOUtils.toString(conn.getInputStream());
+
+ // test default is xml format
+ final URL url3 = new URL("http://" + SentryServiceIntegrationBase.SERVER_HOST + ":" + SentryServiceIntegrationBase.webServerPort + "/conf");
+ conn = (HttpURLConnection) url3.openConnection();
+ Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+ String defaultResponse = IOUtils.toString(conn.getInputStream());
+ Assert.assertEquals(xmlResponse, defaultResponse);
+ }
+}
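Review bot: testConf asserts only the status code for the badformat and JSON requests and never reads (or closes) their bodies, so a JSON dump that is empty or malformed would still pass; read `IOUtils.toString(conn.getInputStream(), StandardCharsets.UTF_8)` for the JSON case and assert it is at least non-empty. None of the branches check what the dump contains: this commit's testGetConfigVal (earlier on this page) denies keys containing `.jdbc.` and `password`, so an assertion that `xmlResponse` does not contain the configured SENTRY_STORE_JDBC_PASS value would document whether /conf is expected to apply the same filtering — I cannot tell from what is visible here whether ConfServlet does.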
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/tools/TestSentrySchemaTool.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/tools/TestSentrySchemaTool.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/tools/TestSentrySchemaTool.java
new file mode 100644
index 0000000..68abf27
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/tools/TestSentrySchemaTool.java
@@ -0,0 +1,94 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.tools;
+
+import java.io.File;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.service.persistent.SentryStoreSchemaInfo;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.io.Files;
+
+public class TestSentrySchemaTool {
+ private Configuration sentryConf;
+ private SentrySchemaTool schemaTool;
+
+ private static final String OLDEST_INIT_VERSION = "1.4.0";
+
+ @Before
+ public void defaultSetup() throws Exception {
+ sentryConf = new Configuration();
+ File dbDir = new File(Files.createTempDir(), "sentry_policy_db");
+ sentryConf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
+ "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
+ sentryConf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
+ schemaTool = new SentrySchemaTool("./src/main/resources", sentryConf,
+ "derby");
+ }
+
+ private void nonDefaultsetup() throws Exception {
+ sentryConf = new Configuration();
+ File dbDir = new File(Files.createTempDir(), "sentry_policy_db");
+ sentryConf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
+ "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
+ sentryConf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
+ schemaTool = new SentrySchemaTool("./src/main/resources", sentryConf,
+ "derby");
+ }
+
+ @Test
+ public void testInitNonDefault() throws Exception {
+ nonDefaultsetup();
+ schemaTool.doInit();
+ schemaTool.verifySchemaVersion();
+ }
+
+ @Test
+ public void testInit() throws Exception {
+ schemaTool.doInit();
+ schemaTool.verifySchemaVersion();
+ }
+
+ @Test
+ public void testInitTo() throws Exception {
+ schemaTool.doInit(SentryStoreSchemaInfo.getSentryVersion());
+ schemaTool.verifySchemaVersion();
+ }
+
+ @Test(expected = SentryUserException.class)
+ public void testDryRun() throws Exception {
+ schemaTool.setDryRun(true);
+ schemaTool.doInit();
+ schemaTool.setDryRun(false);
+ // verification should fail since dryRun didn't create the actual schema
+ schemaTool.verifySchemaVersion();
+ }
+
+ @Test
+ public void testUpgrade() throws Exception {
+ schemaTool.doInit(OLDEST_INIT_VERSION);
+ schemaTool.doUpgrade();
+ schemaTool.verifySchemaVersion();
+ }
+
+}
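Review bot: `nonDefaultsetup()` is line-for-line identical to `defaultSetup()`, so testInitNonDefault exercises nothing that testInit does not; either make the non-default setup actually differ (a different JDBC URL or script directory) or drop the method and the test. Each setup also creates a fresh `Files.createTempDir()` Derby database that is never removed; a `@Rule public TemporaryFolder` would give the same isolation with cleanup. The method name should be lowerCamelCase: `nonDefaultSetup`.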
[04/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java
new file mode 100644
index 0000000..c5573a7
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java
@@ -0,0 +1,751 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+
+public class TestSentryServiceImportExport extends SentryServiceIntegrationBase {
+
+ // define the privileges
+ public static String PRIVILIEGE1 = "server=server1";
+ public static String PRIVILIEGE2 = "server=server1->action=select->grantoption=false";
+ public static String PRIVILIEGE3 = "server=server1->db=db2->action=insert->grantoption=true";
+ public static String PRIVILIEGE4 = "server=server1->db=db1->table=tbl1->action=insert";
+ public static String PRIVILIEGE5 = "server=server1->db=db1->table=tbl2->column=col1->action=insert";
+ public static String PRIVILIEGE6 = "server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true";
+ public static String PRIVILIEGE7 = "server=server1->db=db1->table=tbl4->column=col1->action=all->grantoption=true";
+ public static String PRIVILIEGE8 = "server=server1->uri=hdfs://testserver:9999/path2->action=insert";
+ public static String PRIVILIEGE9 = "server=server1->db=db2->table=tbl1->action=insert";
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.kerberos = false;
+ SentryServiceIntegrationBase.setupConf();
+ SentryServiceIntegrationBase.startSentryService();
+ }
+
+ @Before
+ public void preparePolicyFile() throws Exception {
+ super.before();
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ }
+
+ // Befor import, database is empty.
+ // The following information is imported:
+ // group1=role1,role2,role3
+ // group2=role1,role2,role3
+ // group3=role1,role2,role3
+ // role1=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
+ // role2=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
+ // role3=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
+ // Both import API importPolicy and export API exportPoicy are tested.
+ @Test
+ public void testImportExportPolicy1() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+ Set<String> roles = Sets.newHashSet("role1", "role2", "role3");
+ groupRolesMap.put("group1", roles);
+ groupRolesMap.put("group2", roles);
+ groupRolesMap.put("group3", roles);
+ Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
+ for (String roleName : roles) {
+ rolePrivilegesMap.put(roleName, Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3,
+ PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ }
+ policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
+ policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
+ client.importPolicy(policyFileMappingData, SentryServiceIntegrationBase.ADMIN_USER, false);
+
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, null);
+ validateSentryMappingData(sentryMappingData,
+ policyFileMappingData);
+ }
+ });
+ }
+
+ // call import twice, and there has no duplicate data:
+ // The data for 1st import:
+ // group1=role1
+ // role1=privilege1,privilege2,privilege3,privilege4
+ // The data for 2nd import:
+ // group2=role2,role3
+ // group3=role2,role3
+ // role2=privilege5,privilege6,privilege7,privilege8
+ // role3=privilege5,privilege6,privilege7,privilege8
+ // Both import API importPolicy and export API exportPoicy are tested.
+ @Test
+ public void testImportExportPolicy2() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+ groupRolesMap1.put("group1", Sets.newHashSet("role1"));
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ rolePrivilegesMap1.put("role1",
+ Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4));
+ policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+ policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ client.importPolicy(policyFileMappingData1, SentryServiceIntegrationBase.ADMIN_USER, false);
+
+ Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
+ groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
+ rolePrivilegesMap2.put("role2",
+ Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ rolePrivilegesMap2.put("role3",
+ Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
+ policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
+ client.importPolicy(policyFileMappingData2, SentryServiceIntegrationBase.ADMIN_USER, false);
+
+ Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
+ // for exceptedMappingData, combine policyFileMappingData1 and policyFileMappingData2
+ exceptedMappingData.put(PolicyFileConstants.GROUPS,
+ policyFileMappingData1.get(PolicyFileConstants.GROUPS));
+ exceptedMappingData.get(PolicyFileConstants.GROUPS).putAll(
+ policyFileMappingData2.get(PolicyFileConstants.GROUPS));
+ exceptedMappingData.put(PolicyFileConstants.ROLES,
+ policyFileMappingData1.get(PolicyFileConstants.ROLES));
+ exceptedMappingData.get(PolicyFileConstants.ROLES).putAll(
+ policyFileMappingData2.get(PolicyFileConstants.ROLES));
+
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, null);
+ validateSentryMappingData(sentryMappingData, exceptedMappingData);
+ }
+ });
+ }
+
+ // Call import twice, and there has overlapping groups
+ // The data for 1st import:
+ // group1=role1, role2
+ // group2=role1, role2
+ // group3=role1, role2
+ // role1=privilege1,privilege2,privilege3,privilege4,privilege5
+ // role2=privilege1,privilege2,privilege3,privilege4,privilege5
+ // The data for 2nd import:
+ // group1=role2,role3
+ // group2=role2,role3
+ // group3=role2,role3
+ // role2=privilege4,privilege5,privilege6,privilege7,privilege8
+ // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+ // Both import API importPolicy and export API exportPoicy are tested.
+ @Test
+ public void testImportExportPolicy3() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+ groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ groupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
+ groupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ rolePrivilegesMap1.put("role1",
+ Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+ rolePrivilegesMap1.put("role2",
+ Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+ policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+ policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ client.importPolicy(policyFileMappingData1, SentryServiceIntegrationBase.ADMIN_USER, false);
+
+ Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
+ groupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
+ groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
+ rolePrivilegesMap2.put("role2",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ rolePrivilegesMap2.put("role3",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
+ policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
+ client.importPolicy(policyFileMappingData2, SentryServiceIntegrationBase.ADMIN_USER, false);
+
+ Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
+ Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
+ exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
+ Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
+ exceptedPrivilegesMap.put("role1",
+ Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+ exceptedPrivilegesMap.put("role2", Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3,
+ PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ exceptedPrivilegesMap.put("role3",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
+ exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
+
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, null);
+ validateSentryMappingData(sentryMappingData, exceptedMappingData);
+ }
+ });
+ }
+
+ // Only mapping data for [group,role] is imported:
+ // group1=role1,role2
+ @Test
+ public void testImportExportPolicy4() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+ Set<String> roles = Sets.newHashSet("role1", "role2");
+ groupRolesMap.put("group1", roles);
+ Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
+ policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
+ policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
+ client.importPolicy(policyFileMappingData, SentryServiceIntegrationBase.ADMIN_USER, false);
+
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, null);
+ validateSentryMappingData(sentryMappingData,
+ policyFileMappingData);
+ }
+ });
+ }
+
+ // call import twice, and there has no duplicate data, the import will be with the overwrite mode:
+ // The data for 1st import:
+ // group1=role1
+ // role1=privilege1
+ // The data for 2nd import:
+ // group2=role2,role3
+ // group3=role2,role3
+ // role2=privilege2
+ // role3=privilege2
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getPrivilegesList are tested.
+ @Test
+ public void testImportExportPolicy5() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+ groupRolesMap1.put("group1", Sets.newHashSet("role1"));
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ rolePrivilegesMap1.put("role1", Sets.newHashSet(PRIVILIEGE1));
+ policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+ policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ client.importPolicy(policyFileMappingData1, SentryServiceIntegrationBase.ADMIN_USER, true);
+
+ Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
+ groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
+ rolePrivilegesMap2.put("role2", Sets.newHashSet(PRIVILIEGE2));
+ rolePrivilegesMap2.put("role3", Sets.newHashSet(PRIVILIEGE2));
+ policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
+ policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
+ client.importPolicy(policyFileMappingData2, SentryServiceIntegrationBase.ADMIN_USER, true);
+
+ Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
+ Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
+ exceptedRolesMap.put("group1", Sets.newHashSet("role1"));
+ exceptedRolesMap.put("group2", Sets.newHashSet("role2", "role3"));
+ exceptedRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
+ exceptedPrivilegesMap.put("role1", Sets.newHashSet(PRIVILIEGE1));
+ exceptedPrivilegesMap.put("role2", Sets.newHashSet(PRIVILIEGE2));
+ exceptedPrivilegesMap.put("role3", Sets.newHashSet(PRIVILIEGE2));
+ exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
+ exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
+
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, null);
+ validateSentryMappingData(sentryMappingData, exceptedMappingData);
+ }
+ });
+ }
+
+ // call import twice, and there has data overlap, the import will be with the overwrite mode:
+ // The data for 1st import:
+ // group1=role1, role2
+ // group2=role1, role2
+ // group3=role1, role2
+ // role1=privilege1,privilege2,privilege3,privilege4,privilege5
+ // role2=privilege1,privilege2,privilege3,privilege4,privilege5
+ // The data for 2nd import:
+ // group1=role2,role3
+ // group2=role2,role3
+ // group3=role2,role3
+ // role2=privilege4,privilege5,privilege6,privilege7,privilege8
+ // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+ // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+ // getPrivilegesList are tested.
+ @Test
+ public void testImportExportPolicy6() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+ groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ groupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
+ groupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ rolePrivilegesMap1.put("role1",
+ Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+ rolePrivilegesMap1.put("role2",
+ Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+ policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+ policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ client.importPolicy(policyFileMappingData1, SentryServiceIntegrationBase.ADMIN_USER, true);
+
+ Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
+ groupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
+ groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+ groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+ Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
+ rolePrivilegesMap2.put("role2",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ rolePrivilegesMap2.put("role3",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
+ policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
+ client.importPolicy(policyFileMappingData2, SentryServiceIntegrationBase.ADMIN_USER, true);
+
+ Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
+ Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
+ exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
+ exceptedRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
+ Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
+ exceptedPrivilegesMap.put("role1",
+ Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+ exceptedPrivilegesMap.put("role2",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ exceptedPrivilegesMap.put("role3",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
+ exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
+
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, null);
+ validateSentryMappingData(sentryMappingData, exceptedMappingData);
+ }
+ });
+ }
+
+ // test the import privileges with the action: All, *, select, insert
+ // All and * should replace the select and insert
+ // The data for import:
+ // group1=role1, role2
+ // role1=testPrivilege1,testPrivilege2,testPrivilege3,testPrivilege4
+ // role2=testPrivilege5, testPrivilege6,testPrivilege7,testPrivilege8
+ @Test
+ public void testImportExportPolicy7() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String testPrivilege1 = "server=server1->db=db1->table=tbl1->action=select->grantoption=true";
+ String testPrivilege2 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=false";
+ String testPrivilege3 = "server=server1->db=db1->table=tbl1->action=all->grantoption=true";
+ String testPrivilege4 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=true";
+ String testPrivilege5 = "server=server1->db=db1->table=tbl2->action=select->grantoption=true";
+ String testPrivilege6 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=false";
+ String testPrivilege7 = "server=server1->db=db1->table=tbl2->action=*->grantoption=true";
+ String testPrivilege8 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=true";
+
+ Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+ groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ rolePrivilegesMap1.put("role1",
+ Sets.newHashSet(testPrivilege1, testPrivilege2, testPrivilege3, testPrivilege4));
+ rolePrivilegesMap1.put("role2",
+ Sets.newHashSet(testPrivilege5, testPrivilege6, testPrivilege7, testPrivilege8));
+ policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+ policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ client.importPolicy(policyFileMappingData1, SentryServiceIntegrationBase.ADMIN_USER, true);
+
+ Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
+ Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
+ exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
+ Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
+ exceptedPrivilegesMap.put("role1", Sets.newHashSet(testPrivilege2, testPrivilege3));
+ exceptedPrivilegesMap.put("role2", Sets.newHashSet(testPrivilege6, testPrivilege7));
+ exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
+ exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
+
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, null);
+ validateSentryMappingData(sentryMappingData, exceptedMappingData);
+ }
+ });
+ }
+
+ // Call import twice, and there has overlapping actions, all and * should replace the select and
+ // insert
+ // The data for 1st import:
+ // group1=role1, role2
+ // role1=privilege1(with select action),privilege2(with insert action)
+ // role2=privilege4(with select action),privilege5(with insert action)
+ // The data for 2nd import:
+ // group1=role1, role2
+ // role1=privilege3(with all action)
+ // role2=privilege6(with * action)
+ @Test
+ public void testImportExportPolicy8() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String testPrivilege1 = "server=server1->db=db1->table=tbl1->action=select->grantoption=true";
+ String testPrivilege2 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=true";
+ String testPrivilege3 = "server=server1->db=db1->table=tbl1->action=all->grantoption=true";
+ String testPrivilege4 = "server=server1->db=db1->table=tbl2->action=select->grantoption=true";
+ String testPrivilege5 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=true";
+ String testPrivilege6 = "server=server1->db=db1->table=tbl2->action=*->grantoption=true";
+
+ Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+ groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ rolePrivilegesMap1.put("role1", Sets.newHashSet(testPrivilege1, testPrivilege2));
+ rolePrivilegesMap1.put("role2", Sets.newHashSet(testPrivilege4, testPrivilege5));
+ policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+ policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ client.importPolicy(policyFileMappingData1, SentryServiceIntegrationBase.ADMIN_USER, false);
+
+ Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
+ groupRolesMap2.put("group1", Sets.newHashSet("role1", "role2"));
+ Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
+ rolePrivilegesMap2.put("role1", Sets.newHashSet(testPrivilege3));
+ rolePrivilegesMap2.put("role2", Sets.newHashSet(testPrivilege6));
+ policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
+ policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
+ client.importPolicy(policyFileMappingData2, SentryServiceIntegrationBase.ADMIN_USER, false);
+
+ Map<String, Map<String, Set<String>>> exceptedMappingData = policyFileMappingData2;
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, null);
+ // all and * should replace the select and insert
+ validateSentryMappingData(sentryMappingData, exceptedMappingData);
+ }
+ });
+ }
+
+ // test the user not in the admin group can't do the import/export
+ @Test
+ public void testImportExportPolicy9() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+ policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ try {
+ client.importPolicy(policyFileMappingData1, "no-admin-user", false);
+ fail("non-admin can't do the import.");
+ } catch (Exception e) {
+ // excepted exception
+ }
+
+ try {
+ client.exportPolicy("no-admin-user", null);
+ fail("non-admin can't do the export.");
+ } catch (Exception e) {
+ // excepted exception
+ }
+ }
+ });
+ }
+
+ // The following data is imported:
+ // group1=role1
+ // group2=role1,role2
+ // group3=role2,role3
+ // group4=role1,role2,role3
+ // role1=privilege3,privilege4,privilege9
+ // role2=privilege3,privilege4,privilege5,privilege6,privilege7
+ // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+ // Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested.
+ @Test
+ public void testExportPolicyWithSpecificObject() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // import the test data
+ Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+ groupRolesMap.put("group1", Sets.newHashSet("role1"));
+ groupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+ groupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+ groupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+ rolePrivilegesMap1.put("role1",
+ Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
+ rolePrivilegesMap1.put("role2",
+ Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5,
+ PRIVILIEGE6, PRIVILIEGE7));
+ rolePrivilegesMap1.put("role3",
+ Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6,
+ PRIVILIEGE7, PRIVILIEGE8));
+ policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
+ policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+ client.importPolicy(policyFileMappingData, SentryServiceIntegrationBase.ADMIN_USER, true);
+
+ // verify the rolePrivilegesMap and groupRolesMap with null objectPath
+ Map<String, Map<String, Set<String>>> expectedMappingData = Maps.newHashMap();
+ Map<String, Set<String>> expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+ expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ Map<String, Set<String>> expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role1", Sets.newHashSet(
+ PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4,
+ PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+ expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
+ PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, null);
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the rolePrivilegesMap and groupRolesMap with empty objectPath
+ expectedMappingData = Maps.newHashMap();
+ expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+ expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role1", Sets.newHashSet(
+ PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4,
+ PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+ expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
+ PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, "");
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1
+ expectedMappingData = Maps.newHashMap();
+ expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+ expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4));
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4,
+ PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+ expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
+ PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, "db=db1");
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db2
+ expectedMappingData = Maps.newHashMap();
+ expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+ expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2"));
+ expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE9));
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, "db=db2");
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl1
+ expectedMappingData = Maps.newHashMap();
+ expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+ expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4));
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4));
+ expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, "db=db1->table=tbl1");
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl2
+ expectedMappingData = Maps.newHashMap();
+ expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group2", Sets.newHashSet("role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role2", "role3"));
+ expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE5));
+ expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE5));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, "db=db1->table=tbl2");
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl1
+ expectedMappingData = Maps.newHashMap();
+ expectedGroupRoles = Maps.newHashMap();
+ expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+ expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+ expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+ expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+ expectedRolePrivileges = Maps.newHashMap();
+ expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE9));
+ expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4));
+ expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4));
+ expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+ expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+ sentryMappingData = client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, "table=tbl1");
+ validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+ // verify the invalid exportObject string
+ try {
+ client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, "invalidString");
+ fail("RuntimeException should be thrown.");
+ } catch (RuntimeException sue) {
+ // excepted exception
+ }
+ }
+ });
+ }
+
+ // Befor import, database is empty.
+ // The following information is imported:
+ // group1=role1,role2,role3
+ // group2=role1,role2,role3
+ // user1=role1,role2,role3
+ // user2=role1,role2,role3
+ // role1=privilege1,privilege2,privilege3,privilege4
+ // role2=privilege1,privilege2,privilege3,privilege4
+ // role3=privilege1,privilege2,privilege3,privilege4
+ @Test
+ public void testImportExportPolicyWithUser() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
+ Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+ Map<String, Set<String>> userRolesMap = Maps.newHashMap();
+ Set<String> roles = Sets.newHashSet("role1", "role2", "role3");
+ groupRolesMap.put("group1", roles);
+ groupRolesMap.put("group2", roles);
+ userRolesMap.put("user1", roles);
+ userRolesMap.put("user2", roles);
+ Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
+ for (String roleName : roles) {
+ rolePrivilegesMap.put(roleName, Sets.newHashSet(PRIVILIEGE1,
+ PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4));
+ }
+ policyFileMappingData.put(PolicyFileConstants.USER_ROLES, userRolesMap);
+ policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
+ policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
+ client.importPolicy(policyFileMappingData, SentryServiceIntegrationBase.ADMIN_USER, false);
+
+ Map<String, Map<String, Set<String>>> sentryMappingData =
+ client.exportPolicy(SentryServiceIntegrationBase.ADMIN_USER, null);
+ // validate the [user, role] mapping
+ validateRolesMap(sentryMappingData.get(PolicyFileConstants.USER_ROLES),
+ policyFileMappingData.get(PolicyFileConstants.USER_ROLES));
+ validateSentryMappingData(sentryMappingData,
+ policyFileMappingData);
+ }
+ });
+ }
+
+ // verify the mapping data
+ public void validateSentryMappingData(
+ Map<String, Map<String, Set<String>>> actualMappingData,
+ Map<String, Map<String, Set<String>>> expectedMappingData) {
+ validateRolesMap(actualMappingData.get(PolicyFileConstants.GROUPS),
+ expectedMappingData.get(PolicyFileConstants.GROUPS));
+ validateRolePrivilegesMap(actualMappingData.get(PolicyFileConstants.ROLES),
+ expectedMappingData.get(PolicyFileConstants.ROLES));
+ }
+
+ // verify the mapping data for [group,role] and [user,role]
+ private void validateRolesMap(Map<String, Set<String>> actualMap,
+ Map<String, Set<String>> expectedMap) {
+ assertEquals(expectedMap.keySet().size(), actualMap.keySet().size());
+ for (String name : actualMap.keySet()) {
+ Set<String> actualRoles = actualMap.get(name);
+ Set<String> expectedRoles = expectedMap.get(name);
+ assertEquals(actualRoles.size(), expectedRoles.size());
+ assertTrue(actualRoles.equals(expectedRoles));
+ }
+ }
+
+ // verify the mapping data for [role,privilege]
+ private void validateRolePrivilegesMap(Map<String, Set<String>> actualMap,
+ Map<String, Set<String>> expectedMap) {
+ assertEquals(expectedMap.keySet().size(), actualMap.keySet().size());
+ for (String roleName : actualMap.keySet()) {
+ Set<String> actualPrivileges = actualMap.get(roleName);
+ Set<String> exceptedPrivileges = expectedMap.get(roleName);
+ assertEquals(exceptedPrivileges.size(), actualPrivileges.size());
+ for (String actualPrivilege : actualPrivileges) {
+ boolean isFound = exceptedPrivileges.contains(actualPrivilege);
+ if (!isFound) {
+ String withOptionPrivilege = SentryConstants.AUTHORIZABLE_JOINER.join(actualPrivilege,
+ SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME,
+ "false"));
+ isFound = exceptedPrivileges.contains(withOptionPrivilege);
+ }
+ assertTrue(isFound);
+ }
+ }
+ }
+}
[11/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/webapp/css/sentry.css
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/webapp/css/sentry.css b/sentry-service/sentry-service-server/src/main/webapp/css/sentry.css
new file mode 100644
index 0000000..69cba19
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/webapp/css/sentry.css
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+html {
+ position: relative;
+ min-height: 100%;
+}
+
+body {
+ /* Margin bottom by footer height */
+ margin-bottom: 60px;
+ padding-top: 80px;
+}
+
+.navbar-collapse {margin-top:10px}
+
+.footer {
+ position: absolute;
+ bottom: 0;
+ width: 100%;
+ /* Set the fixed height of the footer here */
+ height: 60px;
+ background-color: #f5f5f5;
+}
+
+.container .text-muted {
+ margin: 20px 0;
+}
+
+.footer > .container {
+ padding-right: 15px;
+ padding-left: 15px;
+}
+
+code {
+ font-size: 80%;
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/webapp/sentry.png
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/webapp/sentry.png b/sentry-service/sentry-service-server/src/main/webapp/sentry.png
new file mode 100644
index 0000000..67edd90
Binary files /dev/null and b/sentry-service/sentry-service-server/src/main/webapp/sentry.png differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreIntegrationBase.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreIntegrationBase.java
new file mode 100644
index 0000000..590900f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreIntegrationBase.java
@@ -0,0 +1,91 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import java.io.File;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.utils.PolicyFile;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+import com.google.common.io.Files;
+
+public abstract class SentryStoreIntegrationBase {
+ protected final static String[] adminGroups = { "adminGroup" };
+ private static File dataDir;
+ private static File policyFilePath;
+ protected static Configuration conf;
+ protected static DelegateSentryStore sentryStore;
+ protected static PolicyFile policyFile;
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ conf = new Configuration(false);
+ setup(conf);
+ sentryStore = new DelegateSentryStore(conf);
+ }
+
+ private static void setup(Configuration conf) throws Exception {
+ dataDir = new File(Files.createTempDir(), "sentry_policy_db");
+ conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
+ "jdbc:derby:;databaseName=" + dataDir.getPath() + ";create=true");
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
+ conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups);
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
+ ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
+
+ policyFilePath = new File(Files.createTempDir(), "local_policy_file.ini");
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
+ policyFilePath.getPath());
+ }
+
+ @After
+ public void clearData() {
+ sentryStore.clearAllTables();
+ }
+
+ @AfterClass
+ public static void teardown() {
+ if (sentryStore != null) {
+ sentryStore.close();
+ }
+ if (dataDir != null) {
+ FileUtils.deleteQuietly(dataDir);
+ }
+ if (policyFilePath != null) {
+ FileUtils.deleteQuietly(policyFilePath);
+ }
+ }
+
+ public static void addGroupsToUser(String user, String... groupNames) {
+ policyFile.addGroupsToUser(user, groupNames);
+ }
+
+ public static void writePolicyFile() throws Exception {
+ policyFile.write(policyFilePath);
+ }
+
+ public String[] getAdminGroups() {
+ return adminGroups;
+ }
+}
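Review bot: teardown() at the end of the hunk deletes `dataDir` and `policyFilePath` but not the two directories that `Files.createTempDir()` created as their parents in `setup(Configuration)`, so every test class that extends this base leaves two temp directories behind (the Derby database directory and the policy file are the only things removed). Holding the temp root in one field and deleting that root is enough to clean up both, and it also drops one of the two `createTempDir()` calls; the rewritten lines are below. As a minor point of style, the `conf` parameter of the private `setup(Configuration conf)` shadows the static field of the same name, which makes it easy to misread which one the `conf.set(...)` calls mutate.
```java
  private static File tempRoot;
  private static File dataDir;
  private static File policyFilePath;

  // … unchanged: adminGroups, conf, sentryStore, policyFile fields and setup() …

  private static void setup(Configuration conf) throws Exception {
    tempRoot = Files.createTempDir();
    dataDir = new File(tempRoot, "sentry_policy_db");
    // … unchanged: conf.set(...) calls for schema check, JDBC URL/pass, admin groups, group mapping …
    policyFilePath = new File(tempRoot, "local_policy_file.ini");
    conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
        policyFilePath.getPath());
  }

  // … unchanged: clearData() …

  @AfterClass
  public static void teardown() {
    if (sentryStore != null) {
      sentryStore.close();
    }
    if (tempRoot != null) {
      FileUtils.deleteQuietly(tempRoot);
    }
  }
```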
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java
new file mode 100644
index 0000000..5ada04c
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestDelegateSentryStore.java
@@ -0,0 +1,182 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.util.Set;
+
+import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.core.common.utils.PolicyFile;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestDelegateSentryStore extends SentryStoreIntegrationBase{
+ private static final String SEARCH = "solr";
+
+ @Before
+ public void configure() throws Exception {
+ /**
+ * add the admin user to admin groups
+ */
+ policyFile = new PolicyFile();
+ addGroupsToUser("admin", getAdminGroups());
+ writePolicyFile();
+ }
+
+ @Test
+ public void testCreateDropRole() throws Exception {
+ String roleName = "test-drop-role";
+ String grantor = "grantor";
+ long seqId = sentryStore.createRole(SEARCH, roleName, grantor).getSequenceId();
+ assertEquals(seqId + 1, sentryStore.dropRole(SEARCH, roleName, grantor).getSequenceId());
+ }
+
+ @Test
+ public void testCaseInsensitiveCreateDropRole() throws Exception {
+ String roleName1 = "test";
+ String roleName2 = "TeSt";
+ String grantor = "grantor";
+ sentryStore.createRole(SEARCH, roleName1, grantor);
+ try {
+ sentryStore.createRole(SEARCH, roleName2, grantor);
+ fail("Fail to throw SentryAlreadyExistsException");
+ } catch (SentryAlreadyExistsException e) {
+ //ignore the exception
+ }
+
+ try {
+ sentryStore.dropRole(SEARCH, roleName2, grantor);
+ } catch (SentryNoSuchObjectException e) {
+ fail("Shouldn't throw SentryNoSuchObjectException");
+ }
+ }
+
+ @Test(expected=SentryAlreadyExistsException.class)
+ public void testCreateDuplicateRole() throws Exception {
+ String roleName = "test-dup-role";
+ String grantor = "grantor";
+ sentryStore.createRole(SEARCH, roleName, grantor);
+ sentryStore.createRole(SEARCH, roleName, grantor);
+ }
+
+ @Test(expected=SentryNoSuchObjectException.class)
+ public void testDropNotExistRole() throws Exception {
+ String roleName = "not-exist";
+ String grantor = "grantor";
+ sentryStore.dropRole(SEARCH, roleName, grantor);
+ }
+
+ @Test(expected = SentryNoSuchObjectException.class)
+ public void testAddGroupsNonExistantRole()
+ throws Exception {
+ String roleName = "non-existant-role";
+ String grantor = "grantor";
+ sentryStore.alterRoleAddGroups(SEARCH, roleName, Sets.newHashSet("g1"), grantor);
+ }
+
+ @Test(expected = SentryNoSuchObjectException.class)
+ public void testDeleteGroupsNonExistantRole()
+ throws Exception {
+ String roleName = "non-existant-role";
+ String grantor = "grantor";
+ sentryStore.alterRoleDeleteGroups(SEARCH, roleName, Sets.newHashSet("g1"), grantor);
+ }
+
+ @Test
+ public void testAddDeleteRoleToGroups() throws Exception {
+ String role1 = "r1", role2 = "r2";
+ Set<String> twoGroups = Sets.newHashSet("g1", "g2");
+ Set<String> oneGroup = Sets.newHashSet("g3");
+ String grantor = "grantor";
+
+ sentryStore.createRole(SEARCH, role1, grantor);
+ sentryStore.createRole(SEARCH, role2, grantor);
+
+ sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor);
+ assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH,Sets.newHashSet(role1)));
+
+ assertEquals(Sets.newHashSet(role1), sentryStore.getRolesByGroups(SEARCH, twoGroups));
+
+ sentryStore.alterRoleAddGroups(SEARCH, role2, oneGroup, grantor);
+ assertEquals(oneGroup, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role2)));
+
+ sentryStore.alterRoleDeleteGroups(SEARCH, role1, Sets.newHashSet("g1"), grantor);
+ assertEquals(Sets.newHashSet("g2"), sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role1)));
+
+ sentryStore.alterRoleDeleteGroups(SEARCH, role2, oneGroup, grantor);
+ assertEquals(Sets.newHashSet(), sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role2)));
+ }
+
+ @Test
+ public void testGetRolesByGroupNames() throws Exception {
+ String role1 = "r1", role2 = "r2";
+ Set<String> twoGroups = Sets.newHashSet("g1", "g2");
+ String grantor = "grantor";
+
+ sentryStore.createRole(SEARCH, role1, grantor);
+ sentryStore.createRole(SEARCH, role2, grantor);
+
+ sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor);
+ sentryStore.alterRoleAddGroups(SEARCH, role2, twoGroups, grantor);
+
+ assertEquals(Sets.newHashSet(role1,role2), sentryStore.getRolesByGroups(SEARCH, twoGroups));
+ }
+
+ @Test
+ public void testGetGroupsByRoleNames() throws Exception {
+ String role1 = "r1", role2 = "r2";
+ Set<String> twoGroups = Sets.newHashSet("g1", "g2");
+ String grantor = "grantor";
+
+ sentryStore.createRole(SEARCH, role1, grantor);
+ sentryStore.createRole(SEARCH, role2, grantor);
+
+ sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor);
+ sentryStore.alterRoleAddGroups(SEARCH, role2, twoGroups, grantor);
+
+ assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role1)));
+ assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role2)));
+ assertEquals(twoGroups, sentryStore.getGroupsByRoles(SEARCH, Sets.newHashSet(role1,role2)));
+ }
+
+ @Test
+ public void testGetAllRoles() throws Exception {
+ String role1 = "r1", role2 = "r2";
+ Set<String> twoGroups = Sets.newHashSet("g1", "g2");
+ String grantor = "grantor";
+
+ sentryStore.createRole(SEARCH, role1, grantor);
+ sentryStore.createRole(SEARCH, role2, grantor);
+
+ sentryStore.alterRoleAddGroups(SEARCH, role1, twoGroups, grantor);
+ sentryStore.alterRoleAddGroups(SEARCH, role2, twoGroups, grantor);
+
+ //test get all roles by groupName=null
+ String groupName = null;
+ Set<String> groups = Sets.newHashSet(groupName);
+ assertEquals(Sets.newHashSet(role1,role2), sentryStore.getRolesByGroups(SEARCH, groups));
+
+ groups.clear();
+ assertEquals(0, sentryStore.getRolesByGroups(SEARCH, groups).size());
+ }
+}
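Review bot: testGetAllRoles asserts that a group set holding a single `null` element makes getRolesByGroups return every role of the component, but the only explanation is `//test get all roles by groupName=null`, which does not say whether null-as-wildcard is a contract of DelegateSentryStore or an accident of the query it runs (the store is outside this hunk, so I cannot tell which). Because a caller that builds the group set from externally supplied names would obtain all roles by including a null, the test should state the intent so that a later change to the store neither silently breaks nor silently preserves it; suggest `// contract: a null group name is a wildcard and returns every role in the component; callers must filter nulls out of externally supplied group sets`. The following assertion shows that an empty set yields no roles, which belongs in the same comment so the two cases read as one contract.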
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java
new file mode 100644
index 0000000..714ed23
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java
@@ -0,0 +1,1139 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import com.google.common.collect.Lists;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.BitFieldAction;
+import org.apache.sentry.core.common.BitFieldActionFactory;
+import org.apache.sentry.core.model.search.Collection;
+import org.apache.sentry.core.model.search.Field;
+import org.apache.sentry.core.model.search.SearchConstants;
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
+import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
+import org.apache.sentry.core.common.utils.PolicyFile;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+/**
+ * The test cases are used for search component The authorizables are COLLECTION and Field
+ * The actions of search privilege are ALL,QUERY and UPDATE
+ */
+public class TestPrivilegeOperatePersistence extends SentryStoreIntegrationBase {
+ private static final String SEARCH = "solr";
+ private static final String ADMIN_USER = "solr";
+ private static final String GRANT_OPTION_USER = "user_grant_option";
+ private static final String[] GRANT_OPTION_GROUP = { "group_grant_option" };
+ private static final String NO_GRANT_OPTION_USER = "user_no_grant_option";
+ private static final String[] NO_GRANT_OPTION_GROUP = { "group_no_grant_option" };
+
+ private static final String SERVICE = "service";
+ private static final String COLLECTION_NAME = "collection1";
+ private static final String NOT_COLLECTION_NAME = "not_collection1";
+ private static final String FIELD_NAME = "field1";
+ private static final String NOT_FIELD_NAME = "not_field1";
+
+ @Before
+ public void configure() throws Exception {
+ /**
+ * add the solr user to admin groups
+ */
+ policyFile = new PolicyFile();
+ addGroupsToUser(ADMIN_USER, getAdminGroups());
+ writePolicyFile();
+ }
+
+ /**
+ * Grant query privilege to role r1
+ */
+ @Test
+ public void testGrantPrivilege() throws Exception {
+ testGrantPrivilege(sentryStore, SEARCH);
+ }
+
+ @Test
+ public void testGrantPrivilegeTwice() throws Exception {
+ String roleName = "r1";
+ /**
+ * grantor is admin, there is no need to check grant option
+ */
+ String grantor = ADMIN_USER;
+ sentryStore.createRole(SEARCH, roleName, grantor);
+
+ PrivilegeObject queryPrivilegeWithOption = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .withGrantOption(true)
+ .build();
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithOption, grantor);
+ assertEquals(1,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
+ //grant again
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithOption, grantor);
+ assertEquals(1,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
+
+ PrivilegeObject queryPrivilegeWithNoOption = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .withGrantOption(false)
+ .build();
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNoOption, grantor);
+ assertEquals(2,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
+ //grant again
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNoOption, grantor);
+ assertEquals(2,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
+
+ PrivilegeObject queryPrivilegeWithNullGrant = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .withGrantOption(null)
+ .build();
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNullGrant, grantor);
+
+ assertEquals(3,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
+ //grant again
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilegeWithNullGrant, grantor);
+ assertEquals(3,sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)).size());
+
+ }
+
+ /**
+ * Grant query privilege to role r1 and there is ALL privilege related this
+ * collection existed
+ */
+ @Test
+ public void testGrantPrivilegeWithAllPrivilegeExist() throws Exception {
+ String roleName = "r1";
+ /**
+ * grantor is admin, there is no need to check grant option
+ */
+ String grantor = ADMIN_USER;
+ PrivilegeObject allPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.ALL)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .build();
+
+ sentryStore.createRole(SEARCH, roleName, grantor);
+ /**
+ * grant all privilege to role r1
+ */
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, allPrivilege, grantor);
+ /**
+ * check role r1 truly has the privilege been granted
+ */
+ assertEquals(Sets.newHashSet(allPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+
+ PrivilegeObject queryPrivilege = new Builder(allPrivilege)
+ .setAction(SearchConstants.QUERY)
+ .build();
+
+ /**
+ * grant query privilege to role r1
+ */
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor);
+ /**
+ * all privilege has been existed, the query privilege will not persistent
+ */
+ assertEquals(Sets.newHashSet(allPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+ }
+
+ /**
+ * Grant query privilege to role r1 and there are query and update privileges
+ * related this collection existed
+ */
+ @Test
+ public void testGrantALLPrivilegeWithOtherPrivilegesExist() throws Exception {
+ String roleName1 = "r1";
+ String roleName2 = "r2";
+ /**
+ * grantor is admin, there is no need to check grant option
+ */
+ String grantor = ADMIN_USER;
+
+ PrivilegeObject queryPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .build();
+
+ PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
+ .setAction(SearchConstants.UPDATE)
+ .build();
+
+ sentryStore.createRole(SEARCH, roleName1, grantor);
+ sentryStore.createRole(SEARCH, roleName2, grantor);
+ /**
+ * grant query and update privilege to role r1 and role r2
+ */
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege,grantor);
+ assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege,grantor);
+ assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
+
+ PrivilegeObject allPrivilege = new Builder(queryPrivilege)
+ .setAction(SearchConstants.ALL)
+ .build();
+
+ /**
+ * grant all privilege to role r1
+ */
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, allPrivilege, grantor);
+
+ /**
+ * check the query and update privileges of roleName1 will be removed because of ALl privilege
+ * granted
+ */
+ assertEquals(Sets.newHashSet(allPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
+
+ /**
+ * check the query and update privileges of roleName2 will not affected and exist
+ */
+ assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
+ }
+
+ @Test
+ public void testGrantRevokeCheckWithGrantOption() throws Exception {
+
+ addGroupsToUser(GRANT_OPTION_USER, GRANT_OPTION_GROUP);
+ addGroupsToUser(NO_GRANT_OPTION_USER, NO_GRANT_OPTION_GROUP);
+ writePolicyFile();
+
+ String roleName1 = "r1";
+ String roleName2 = "r2";
+ String grantor = "g1";
+ sentryStore.createRole(SEARCH, roleName1, grantor);
+ sentryStore.createRole(SEARCH, roleName2, grantor);
+ /**
+ * grant query privilege to role r1 with grant option
+ */
+ PrivilegeObject queryPrivilege1 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .withGrantOption(true)
+ .build();
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1,
+ ADMIN_USER);
+ assertEquals(Sets.newHashSet(queryPrivilege1),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
+ /**
+ * grant query privilege to role r2 no grant option
+ */
+ PrivilegeObject queryPrivilege2 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .withGrantOption(false).build();
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2,
+ ADMIN_USER);
+ assertEquals(Sets.newHashSet(queryPrivilege2),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
+
+ sentryStore.alterRoleAddGroups(SEARCH, roleName1,
+ Sets.newHashSet(GRANT_OPTION_GROUP), grantor);
+ sentryStore.alterRoleAddGroups(SEARCH, roleName2,
+ Sets.newHashSet(NO_GRANT_OPTION_GROUP), grantor);
+
+ String roleName3 = "r3";
+ sentryStore.createRole(SEARCH, roleName3, grantor);
+ /**
+ * the user with grant option grant query privilege to rolr r3
+ */
+ try{
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, queryPrivilege1,
+ GRANT_OPTION_USER);
+ } catch (SentryGrantDeniedException e) {
+ fail("SentryGrantDeniedException shouldn't have been thrown");
+ }
+
+ /**
+ * the user with grant option revoke query privilege to rolr r3
+ */
+ try{
+ sentryStore.alterRoleRevokePrivilege(SEARCH, roleName3, queryPrivilege1,
+ GRANT_OPTION_USER);
+ } catch (SentryGrantDeniedException e) {
+ fail("SentryGrantDeniedException shouldn't have been thrown");
+ }
+
+ /**
+ * the user with no grant option grant query privilege to rolr r3, it will
+ * throw SentryGrantDeniedException
+ */
+ try {
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, queryPrivilege2,
+ NO_GRANT_OPTION_USER);
+ fail("SentryGrantDeniedException should have been thrown");
+ } catch (SentryGrantDeniedException e) {
+ //ignore the exception
+ }
+
+ /**
+ * the user with no grant option revoke query privilege to rolr r3, it will
+ * throw SentryGrantDeniedException
+ */
+ try {
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, queryPrivilege2,
+ NO_GRANT_OPTION_USER);
+ fail("SentryGrantDeniedException should have been thrown");
+ } catch (SentryGrantDeniedException e) {
+ //ignore the exception
+ }
+ }
+
+ @Test
+ public void testGrantWithGrantOption() throws Exception {
+
+ addGroupsToUser(GRANT_OPTION_USER, GRANT_OPTION_GROUP);
+ addGroupsToUser(NO_GRANT_OPTION_USER, NO_GRANT_OPTION_GROUP);
+ writePolicyFile();
+
+ String roleName1 = "r1";
+ String grantor = "g1";
+ sentryStore.createRole(SEARCH, roleName1, grantor);
+ /**
+ * grant query privilege to role r1 with grant option
+ */
+ PrivilegeObject queryPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .withGrantOption(true)
+ .build();
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege,ADMIN_USER);
+ sentryStore.alterRoleAddGroups(SEARCH, roleName1,
+ Sets.newHashSet(GRANT_OPTION_GROUP), grantor);
+
+ /**
+ * the user with grant option grant query privilege to rolr r2
+ */
+ String roleName2 = "r2";
+ sentryStore.createRole(SEARCH, roleName2, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, GRANT_OPTION_USER);
+
+ assertEquals(Sets.newHashSet(queryPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
+
+ }
+
+
+ /**
+ * Grant query and update privileges to role r1 and revoke query privilege
+ * there is left update privilege related to role r1
+ */
+ @Test
+ public void testRevokePrivilege() throws Exception {
+ String roleName = "r1";
+ /**
+ * grantor is admin, there is no need to check grant option
+ */
+ String grantor = ADMIN_USER;
+ PrivilegeObject queryPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
+ .build();
+
+ PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
+ .setAction(SearchConstants.UPDATE)
+ .build();
+
+ sentryStore.createRole(SEARCH, roleName, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege, grantor);
+
+ assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+ /**
+ * revoke query privilege
+ */
+ sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, queryPrivilege, grantor);
+ assertEquals(Sets.newHashSet(updatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+ }
+
+ /**
+ * Grant query and update privileges to role r1 and revoke all privilege,
+ * there is no privilege related to role r1
+ */
+ @Test
+ public void testRevokeAllPrivilege() throws Exception {
+ String roleName = "r1";
+ /**
+ * grantor is admin, there is no need to check grant option
+ */
+ String grantor = ADMIN_USER;
+ PrivilegeObject queryPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME),new Field(FIELD_NAME)))
+ .build();
+
+ PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
+ .setAction(SearchConstants.UPDATE)
+ .build();
+
+ sentryStore.createRole(SEARCH, roleName, grantor);
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege, grantor);
+
+ assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+ /**
+ * revoke all privilege
+ */
+ PrivilegeObject allPrivilege = new Builder(queryPrivilege)
+ .setAction(SearchConstants.ALL)
+ .build();
+
+ sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, allPrivilege, grantor);
+
+ assertEquals(Sets.newHashSet(),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+ }
+
+ /**
+ * Grant all privilege to role r1 and revoke query privilege
+ * there is update privilege related to role r1
+ */
+ @Test
+ public void testRevokePrivilegeWithAllPrivilegeExist() throws Exception {
+ String roleName = "r1";
+ /**
+ * grantor is admin, there is no need to check grant option
+ */
+ String grantor = ADMIN_USER;
+ PrivilegeObject allPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.ALL)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
+ .build();
+
+ sentryStore.createRole(SEARCH, roleName, grantor);
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, allPrivilege, grantor);
+
+ assertEquals(Sets.newHashSet(allPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+ /**
+ * revoke update privilege
+ */
+ PrivilegeObject updatePrivilege = new Builder(allPrivilege)
+ .setAction(SearchConstants.UPDATE)
+ .build();
+
+ PrivilegeObject queryPrivilege = new Builder(allPrivilege)
+ .setAction(SearchConstants.QUERY)
+ .build();
+
+ sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, updatePrivilege, grantor);
+
+ assertEquals(Sets.newHashSet(queryPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+ }
+
+ /**
+ * Grant update, query and all privilege to role r1
+ * Revoke query privilege from role r1
+ * there is update privilege related to role r1
+ */
+ @Test
+ public void testRevokePrivilegeWithAllPrivilegesGranted() throws Exception {
+ String roleName = "r1";
+ /**
+ * grantor is admin, there is no need to check grant option
+ */
+ String grantor = ADMIN_USER;
+ PrivilegeObject allPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.ALL)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
+ .build();
+
+ PrivilegeObject updatePrivilege = new Builder(allPrivilege)
+ .setAction(SearchConstants.UPDATE)
+ .build();
+
+ PrivilegeObject queryPrivilege = new Builder(allPrivilege)
+ .setAction(SearchConstants.QUERY)
+ .build();
+
+ sentryStore.createRole(SEARCH, roleName, grantor);
+ //grant query to role r1
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege, grantor);
+ assertEquals(Sets.newHashSet(queryPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+
+ //grant update to role r1
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege, grantor);
+ assertEquals(Sets.newHashSet(queryPrivilege, updatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+ /**
+ * grant all action privilege to role r1, because all action includes query and update action,
+ * The role r1 only has the action all privilege
+ */
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, allPrivilege, grantor);
+ assertEquals(Sets.newHashSet(allPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+ /**
+ * revoke update privilege from role r1, the query privilege has been left
+ */
+ sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, updatePrivilege, grantor);
+ assertEquals(Sets.newHashSet(queryPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+ }
+
+ @Test
+ public void testRevokeParentPrivilegeWithChildsExist() throws Exception {
+ String roleName = "r1";
+ /**
+ * grantor is admin, there is no need to check grant option
+ */
+ String grantor = ADMIN_USER;
+ PrivilegeObject updatePrivilege1 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.UPDATE)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
+ .build();
+
+ PrivilegeObject queryPrivilege1 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME),new Field(FIELD_NAME)))
+ .build();
+
+ PrivilegeObject queryPrivilege2 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(NOT_COLLECTION_NAME)))
+ .build();
+
+ sentryStore.createRole(SEARCH, roleName, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, updatePrivilege1, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege1, grantor);
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName, queryPrivilege2, grantor);
+
+ /**
+ * revoke all privilege with collection[COLLECTION_NAME=collection1] and its child privileges
+ */
+ PrivilegeObject allPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.ALL)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .build();
+
+ sentryStore.alterRoleRevokePrivilege(SEARCH, roleName, allPrivilege, grantor);
+ assertEquals(Sets.newHashSet(queryPrivilege2),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName)));
+ }
+
+ @Test
+ public void testRevokeWithGrantOption() throws Exception {
+
+ addGroupsToUser(GRANT_OPTION_USER, GRANT_OPTION_GROUP);
+ addGroupsToUser(NO_GRANT_OPTION_USER, NO_GRANT_OPTION_GROUP);
+ writePolicyFile();
+
+ String roleName1 = "r1";
+ String grantor = "g1";
+ sentryStore.createRole(SEARCH, roleName1, grantor);
+ /**
+ * grant query privilege to role r1 with grant option
+ */
+ PrivilegeObject queryPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .withGrantOption(true)
+ .build();
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege,
+ ADMIN_USER);
+ assertEquals(Sets.newHashSet(queryPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
+
+ sentryStore.alterRoleAddGroups(SEARCH, roleName1,
+ Sets.newHashSet(GRANT_OPTION_GROUP), grantor);
+
+ String roleName2 = "r2";
+ sentryStore.createRole(SEARCH, roleName2, grantor);
+ /**
+ * the user with grant option grant query privilege to rolr r2
+ */
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege,
+ GRANT_OPTION_USER);
+ assertEquals(Sets.newHashSet(queryPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
+
+ /**
+ * the user with grant option revoke query privilege to rolr r3
+ */
+ sentryStore.alterRoleRevokePrivilege(SEARCH, roleName2, queryPrivilege, GRANT_OPTION_USER);
+ assertEquals(Sets.newHashSet(),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
+ }
+
+ @Test
+ public void testDropPrivilege() throws Exception{
+ String roleName1 = "r1";
+ String roleName2 = "r2";
+ String grantor = ADMIN_USER;
+
+ PrivilegeObject queryPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
+ .build();
+
+ PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
+ .setAction(SearchConstants.UPDATE)
+ .build();
+
+ /**
+ * grant query and update privilege to role r1 and r2
+ */
+ sentryStore.createRole(SEARCH, roleName1, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege, grantor);
+
+ sentryStore.createRole(SEARCH, roleName2, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege, grantor);
+
+ assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
+
+ assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
+ /**
+ * drop query privilege
+ */
+ sentryStore.dropPrivilege(SEARCH, queryPrivilege, grantor);
+
+ assertEquals(Sets.newHashSet(updatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
+
+ assertEquals(Sets.newHashSet(updatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
+
+ /**
+ * drop ALL privilege
+ */
+ PrivilegeObject allPrivilege = new Builder(queryPrivilege)
+ .setAction(SearchConstants.ALL)
+ .build();
+
+ sentryStore.dropPrivilege(SEARCH, allPrivilege, grantor);
+
+ assertEquals(Sets.newHashSet(),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
+
+ assertEquals(Sets.newHashSet(),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
+
+ /**
+ * grant query and update field scope[collection1,field1] privilege to role r1
+ * drop collection scope[collection1] privilege
+ * there is no privilege
+ */
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege, grantor);
+
+ PrivilegeObject parentPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.ALL)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .build();
+
+ sentryStore.dropPrivilege(SEARCH, parentPrivilege, grantor);
+ assertEquals(Sets.newHashSet(),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
+ }
+
+ @Test
+ public void testRenamePrivilege() throws Exception{
+ String roleName1 = "r1";
+ String roleName2 = "r2";
+ String grantor = ADMIN_USER;
+
+ List<? extends Authorizable> oldAuthoriables = Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME));
+ List<? extends Authorizable> newAuthoriables = Arrays.asList(new Collection(COLLECTION_NAME), new Field(NOT_FIELD_NAME));
+
+ PrivilegeObject oldQueryPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(oldAuthoriables)
+ .build();
+
+ PrivilegeObject oldUpdatePrivilege = new Builder(oldQueryPrivilege)
+ .setAction(SearchConstants.UPDATE)
+ .build();
+
+ PrivilegeObject oldALLPrivilege = new Builder(oldQueryPrivilege)
+ .setAction(SearchConstants.ALL)
+ .build();
+
+
+ PrivilegeObject newQueryPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(newAuthoriables)
+ .build();
+
+ PrivilegeObject newUpdatePrivilege = new Builder(newQueryPrivilege)
+ .setAction(SearchConstants.UPDATE)
+ .build();
+
+ PrivilegeObject newALLPrivilege = new Builder(newQueryPrivilege)
+ .setAction(SearchConstants.ALL)
+ .build();
+
+
+ /**
+ * grant query and update privilege to role r1
+ * grant all privilege to role r2
+ */
+ sentryStore.createRole(SEARCH, roleName1, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, oldQueryPrivilege, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, oldUpdatePrivilege, grantor);
+
+ sentryStore.createRole(SEARCH, roleName2, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, oldALLPrivilege, grantor);
+
+ assertEquals(Sets.newHashSet(oldQueryPrivilege,oldUpdatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
+
+ assertEquals(Sets.newHashSet(oldALLPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
+ /**
+ * rename old query privilege to new query privilege
+ */
+ sentryStore.renamePrivilege(SEARCH, SERVICE,
+ oldAuthoriables,
+ newAuthoriables,
+ grantor);
+
+ assertEquals(Sets.newHashSet(newQueryPrivilege,newUpdatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
+
+ assertEquals(Sets.newHashSet(newALLPrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
+ /**
+ * rename collection scope[collection=collection1] privilege to [collection=not_collection1]
+ * These privileges belong to collection scope[collection=collection1] will change to
+ * [collection=not_collection1]
+ */
+
+ List<? extends Authorizable> newAuthoriables1 = Arrays.asList(new Collection(NOT_COLLECTION_NAME),new Field(NOT_FIELD_NAME));
+
+ PrivilegeObject newQueryPrivilege1 = new Builder(newQueryPrivilege)
+ .setAuthorizables(newAuthoriables1)
+ .build();
+
+ PrivilegeObject newUpdatePrivilege1 = new Builder(newUpdatePrivilege)
+ .setAuthorizables(newAuthoriables1)
+ .build();
+
+ PrivilegeObject newALLPrivilege1 = new Builder(newALLPrivilege)
+ .setAuthorizables(newAuthoriables1)
+ .build();
+
+ sentryStore.renamePrivilege(SEARCH, SERVICE,
+ Arrays.asList(new Collection(COLLECTION_NAME)),
+ Arrays.asList(new Collection(NOT_COLLECTION_NAME)),
+ grantor);
+
+ assertEquals(Sets.newHashSet(newQueryPrivilege1,newUpdatePrivilege1),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1)));
+
+ assertEquals(Sets.newHashSet(newALLPrivilege1),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName2)));
+ }
+
+ @Test
+ public void testGetPrivilegesByRoleName() throws Exception {
+ String roleName1 = "r1";
+ String roleName2 = "r2";
+ String grantor = "g1";
+
+ PrivilegeObject queryPrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .build();
+
+ sentryStore.createRole(SEARCH, roleName1, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege,
+ ADMIN_USER);
+
+ PrivilegeObject updatePrivilege = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .build();
+
+ sentryStore.createRole(SEARCH, roleName2, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, updatePrivilege,
+ ADMIN_USER);
+
+ assertEquals(Sets.newHashSet(queryPrivilege,updatePrivilege),
+ sentryStore.getPrivilegesByRole(SEARCH, Sets.newHashSet(roleName1,roleName2)));
+
+ }
+
+ @Test
+ public void testGetPrivilegesByProvider() throws Exception {
+ String roleName1 = "r1";
+ String roleName2 = "r2";
+ String roleName3 = "r3";
+ String group = "g3";
+ String grantor = ADMIN_USER;
+
+ String service1 = "service1";
+
+ PrivilegeObject queryPrivilege1 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(service1)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .build();
+
+ PrivilegeObject updatePrivilege1 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.UPDATE)
+ .setService(service1)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
+ .build();
+
+ PrivilegeObject queryPrivilege2 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(service1)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .build();
+
+ PrivilegeObject updatePrivilege2 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.UPDATE)
+ .setService(service1)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
+ .build();
+
+ sentryStore.createRole(SEARCH, roleName1, grantor);
+ sentryStore.createRole(SEARCH, roleName2, grantor);
+ sentryStore.createRole(SEARCH, roleName3, grantor);
+
+ sentryStore.alterRoleAddGroups(SEARCH, roleName3, Sets.newHashSet(group), grantor);
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege1, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, updatePrivilege2, grantor);
+
+ assertEquals(Sets.newHashSet(updatePrivilege1, queryPrivilege1),
+ sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1), null, null));
+
+ assertEquals(Sets.newHashSet(updatePrivilege1, queryPrivilege1, queryPrivilege2),
+ sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2),
+ null, null));
+
+ assertEquals(Sets.newHashSet(updatePrivilege1, queryPrivilege1, queryPrivilege2, updatePrivilege2),
+ sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2),
+ Sets.newHashSet(group), null));
+
+ List<? extends Authorizable> authorizables = Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME));
+ assertEquals(Sets.newHashSet(updatePrivilege1, updatePrivilege2),
+ sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2),
+ Sets.newHashSet(group), authorizables));
+ }
+
+ @Test
+ public void testGetPrivilegesByAuthorizable() throws Exception {
+ String roleName1 = "r1";
+ String roleName2 = "r2";
+ String roleName3 = "r3";
+ String grantor = ADMIN_USER;
+
+ String service1 = "service1";
+
+ PrivilegeObject queryPrivilege1 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(service1)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .build();
+
+ PrivilegeObject updatePrivilege1 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.UPDATE)
+ .setService(service1)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
+ .build();
+
+ PrivilegeObject queryPrivilege2 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.QUERY)
+ .setService(service1)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME)))
+ .build();
+
+ PrivilegeObject updatePrivilege2 = new Builder()
+ .setComponent(SEARCH)
+ .setAction(SearchConstants.UPDATE)
+ .setService(service1)
+ .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME)))
+ .build();
+
+ sentryStore.createRole(SEARCH, roleName1, grantor);
+ sentryStore.createRole(SEARCH, roleName2, grantor);
+ sentryStore.createRole(SEARCH, roleName3, grantor);
+
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege1, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2, grantor);
+ sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, updatePrivilege2, grantor);
+
+ assertEquals(0, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, null,
+ Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))).size());
+ assertEquals(1, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, Sets.newHashSet(roleName1),
+ Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))).size());
+ assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1,
+ Sets.newHashSet(roleName1), null).size());
+ assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1,
+ Sets.newHashSet(roleName1,roleName2), null).size());
+ assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1,
+ Sets.newHashSet(roleName1,roleName2, roleName3), null).size());
+ }
+
+ @Test(expected = RuntimeException.class)
+ public void testGrantPrivilegeExternalComponentMissingConf() throws SentryUserException {
+ testGrantPrivilege(sentryStore, "externalComponent");
+ }
+
+ @Test(expected = RuntimeException.class)
+ public void testGrantPrivilegeExternalComponentInvalidConf() throws Exception {
+ String externalComponent = "mycomponent";
+ Configuration confCopy = new Configuration(conf);
+ confCopy.set(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, externalComponent),
+ InvalidActionFactory.class.getName());
+ SentryStoreLayer store = new DelegateSentryStore(confCopy);
+ testGrantPrivilege(store, externalComponent);
+ }
+
+ @Test
+ public void testGrantPrivilegeExternalComponent() throws Exception {
+ String externalComponent = "mycomponent";
+ Configuration confCopy = new Configuration(conf);
+ confCopy.set(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, externalComponent),
+ MyComponentActionFactory.class.getName());
+ SentryStoreLayer store = new DelegateSentryStore(confCopy);
+ testGrantPrivilege(store, externalComponent);
+ }
+
+ @Test
+ public void testGrantPrivilegeExternalComponentCaseInsensitivity() throws Exception {
+ String externalComponent = "MyCoMpOnEnT";
+ Configuration confCopy = new Configuration(conf);
+ confCopy.set(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, "mycomponent"),
+ MyComponentActionFactory.class.getName());
+ SentryStoreLayer store = new DelegateSentryStore(confCopy);
+ testGrantPrivilege(store, externalComponent);
+ }
+
+ private void testGrantPrivilege(SentryStoreLayer sentryStore, String component) throws SentryUserException {
+ String roleName = "r1";
+ /**
+ * grantor is admin, there is no need to check grant option
+ */
+ String grantor = ADMIN_USER;
+ PrivilegeObject queryPrivilege = new Builder()
+ .setComponent(component)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Collections.singletonList(new Collection(COLLECTION_NAME)))
+ .withGrantOption(null)
+ .build();
+
+ sentryStore.createRole(component, roleName, grantor);
+ sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilege, grantor);
+
+ assertEquals(Sets.newHashSet(queryPrivilege),
+ sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName)));
+
+ PrivilegeObject queryPrivilegeWithOption = new Builder()
+ .setComponent(component)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Collections.singletonList(new Collection(COLLECTION_NAME)))
+ .withGrantOption(true)
+ .build();
+
+ sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilegeWithOption, grantor);
+
+ assertEquals(Sets.newHashSet(queryPrivilege, queryPrivilegeWithOption),
+ sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName)));
+
+ PrivilegeObject queryPrivilegeWithNoOption = new Builder()
+ .setComponent(component)
+ .setAction(SearchConstants.QUERY)
+ .setService(SERVICE)
+ .setAuthorizables(Collections.singletonList(new Collection(COLLECTION_NAME)))
+ .withGrantOption(false)
+ .build();
+
+ sentryStore.alterRoleGrantPrivilege(component, roleName, queryPrivilegeWithNoOption, grantor);
+
+ assertEquals(Sets.newHashSet(queryPrivilege, queryPrivilegeWithOption, queryPrivilegeWithNoOption),
+ sentryStore.getPrivilegesByRole(component, Sets.newHashSet(roleName)));
+ }
+
+ public static final class InvalidActionFactory {
+
+ }
+
+ public static final class MyComponentActionFactory extends BitFieldActionFactory {
+
+ public enum MyComponentActionType {
+ FOO("foo", 1),
+ BAR("bar", 2),
+ QUERY(SearchConstants.QUERY, 4),
+ ALL("*", FOO.getCode() | BAR.getCode() | QUERY.getCode());
+
+ private String name;
+ private int code;
+ MyComponentActionType(String name, int code) {
+ this.name = name;
+ this.code = code;
+ }
+
+ public int getCode() {
+ return code;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ static MyComponentActionType getActionByName(String name) {
+ for (MyComponentActionType action : MyComponentActionType.values()) {
+ if (action.name.equalsIgnoreCase(name)) {
+ return action;
+ }
+ }
+ throw new RuntimeException("can't get MyComponentActionType by name:" + name);
+ }
+
+ static List<MyComponentActionType> getActionByCode(int code) {
+ List<MyComponentActionType> actions = Lists.newArrayList();
+ for (MyComponentActionType action : MyComponentActionType.values()) {
+ if ((action.code & code) == action.code && action != MyComponentActionType.ALL) {
+ //MyComponentActionType.ALL action should not return in the list
+ actions.add(action);
+ }
+ }
+ if (actions.isEmpty()) {
+ throw new RuntimeException("can't get sqoopActionType by code:" + code);
+ }
+ return actions;
+ }
+ }
+
+ public static class MyComponentAction extends BitFieldAction {
+ public MyComponentAction(String name) {
+ this(MyComponentActionType.getActionByName(name));
+ }
+ public MyComponentAction(MyComponentActionType myComponentActionType) {
+ super(myComponentActionType.name, myComponentActionType.code);
+ }
+ }
+
+ @Override
+ public List<? extends BitFieldAction> getActionsByCode(int actionCode) {
+ List<MyComponentAction> actions = Lists.newArrayList();
+ for (MyComponentActionType action : MyComponentActionType.getActionByCode(actionCode)) {
+ actions.add(new MyComponentAction(action));
+ }
+ return actions;
+ }
+
+ @Override
+ public BitFieldAction getActionByName(String name) {
+ // Check the name is All
+ if (SqoopActionConstant.ALL_NAME.equalsIgnoreCase(name)) {
+ return new MyComponentAction(MyComponentActionType.ALL);
+ }
+ return new MyComponentAction(name);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java
new file mode 100644
index 0000000..258721e
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryGMPrivilege.java
@@ -0,0 +1,207 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.fail;
+
+import java.util.Arrays;
+
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.search.Collection;
+import org.apache.sentry.core.model.search.Field;
+import org.apache.sentry.core.model.search.SearchConstants;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.junit.Test;
+
+public class TestSentryGMPrivilege {
+
+ @Test
+ public void testValidateAuthorizables() throws Exception {
+ try {
+ new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c1"), new Field("f1")),SearchConstants.QUERY, false);
+ } catch (IllegalStateException e) {
+ fail("unexpect happend: it is a validated privilege");
+ }
+
+ try {
+ new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection(""), new Field("f1")),SearchConstants.QUERY, false);
+ fail("unexpect happend: it is not a validated privilege, The empty name of authorizable can't be empty");
+ } catch (IllegalStateException e) {
+ }
+
+ try {
+ new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(null, new Field("f1")),SearchConstants.QUERY, false);
+ fail("unexpect happend: it is not a validated privilege, The authorizable can't be null");
+ } catch (IllegalStateException e) {
+ }
+ }
+
+ @Test
+ public void testImpliesWithServerScope() throws Exception {
+ //The persistent privilege is server scope
+ MSentryGMPrivilege serverPrivilege = new MSentryGMPrivilege("solr",
+ "service1", null,SearchConstants.QUERY, false);
+
+ MSentryGMPrivilege collectionPrivilege = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c1")),
+ SearchConstants.QUERY, false);
+ assertTrue(serverPrivilege.implies(collectionPrivilege));
+
+ MSentryGMPrivilege fieldPrivilege = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
+ SearchConstants.QUERY, false);
+ assertTrue(serverPrivilege.implies(fieldPrivilege));
+ assertTrue(collectionPrivilege.implies(fieldPrivilege));
+
+ serverPrivilege.setAction(SearchConstants.UPDATE);
+ assertFalse(serverPrivilege.implies(collectionPrivilege));
+ assertFalse(serverPrivilege.implies(fieldPrivilege));
+
+ serverPrivilege.setAction(SearchConstants.ALL);
+ assertTrue(serverPrivilege.implies(collectionPrivilege));
+ assertTrue(serverPrivilege.implies(fieldPrivilege));
+ }
+ /**
+ * The requested privilege has the different authorizable size with the persistent privilege
+ * @throws Exception
+ */
+ @Test
+ public void testImpliesDifferentAuthorizable() throws Exception {
+ /**
+ * Test the scope of persistent privilege is the larger than the requested privilege
+ */
+ MSentryGMPrivilege serverPrivilege = new MSentryGMPrivilege("solr",
+ "service1", null, SearchConstants.QUERY, false);
+
+ MSentryGMPrivilege collectionPrivilege = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c1")),
+ SearchConstants.QUERY, false);
+
+ MSentryGMPrivilege fieldPrivilege = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
+ SearchConstants.QUERY, false);
+ assertTrue(serverPrivilege.implies(collectionPrivilege));
+ assertTrue(serverPrivilege.implies(fieldPrivilege));
+ assertTrue(collectionPrivilege.implies(fieldPrivilege));
+ /**
+ * Test the scope of persistent privilege is less than the request privilege
+ */
+ assertFalse(fieldPrivilege.implies(collectionPrivilege));
+ assertFalse(fieldPrivilege.implies(serverPrivilege));
+ assertFalse(collectionPrivilege.implies(serverPrivilege));
+
+ /**
+ * Test the scope of persistent privilege is less than the request privilege,
+ * but the name of left authorizable is ALL
+ */
+ MSentryGMPrivilege fieldAllPrivilege = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c1"), new Field(AccessConstants.ALL)),
+ SearchConstants.QUERY, false);
+
+ assertTrue(fieldAllPrivilege.implies(collectionPrivilege));
+
+ /**
+ * Test the scope of persistent privilege has the same scope as request privilege
+ */
+ MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
+ SearchConstants.QUERY, false);
+
+ MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c2"), new Field("f2")),
+ SearchConstants.QUERY, false);
+ assertFalse(fieldPrivilege1.implies(fieldPrivilege2));
+ }
+
+ /**
+ * The requested privilege has the same authorizable size as with the persistent privilege
+ * @throws Exception
+ */
+ @Test
+ public void testSearchImpliesEqualAuthorizable() throws Exception {
+
+ MSentryGMPrivilege serverPrivilege1 = new MSentryGMPrivilege("solr",
+ "service1", null,SearchConstants.QUERY, false);
+
+ MSentryGMPrivilege serverPrivilege2 = new MSentryGMPrivilege("solr",
+ "service2", null,SearchConstants.QUERY, false);
+
+ assertFalse(serverPrivilege1.implies(serverPrivilege2));
+
+ MSentryGMPrivilege collectionPrivilege1 = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c1")),
+ SearchConstants.QUERY, false);
+
+ MSentryGMPrivilege collectionPrivilege2 = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c2")),
+ SearchConstants.QUERY, false);
+
+ assertFalse(collectionPrivilege1.implies(collectionPrivilege2));
+
+ MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
+ SearchConstants.QUERY, false);
+
+ MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c1"), new Field("f2")),
+ SearchConstants.QUERY, false);
+
+ assertFalse(fieldPrivilege1.implies(fieldPrivilege2));
+
+ /**
+ * The authorizables aren't equal,but the persistent privilege has the ALL name
+ */
+ collectionPrivilege2.setAuthorizables(Arrays.asList(new Collection(AccessConstants.ALL)));
+ collectionPrivilege2.implies(collectionPrivilege1);
+
+ fieldPrivilege2.setAuthorizables(Arrays.asList(new Collection("c1"), new Field(AccessConstants.ALL)));
+ fieldPrivilege2.implies(fieldPrivilege1);
+ }
+
+ @Test
+ public void testSearchImpliesAction() throws Exception {
+ /**
+ * action is equal
+ */
+ MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c1"), new Field("f2")),
+ SearchConstants.QUERY, false);
+
+ MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr",
+ "service1", Arrays.asList(new Collection("c1"), new Field("f2")),
+ SearchConstants.QUERY, false);
+
+ assertTrue(fieldPrivilege1.implies(fieldPrivilege2));
+
+ /**
+ * action isn't equal
+ */
+ fieldPrivilege2.setAction(SearchConstants.UPDATE);
+ assertFalse(fieldPrivilege1.implies(fieldPrivilege2));
+ /**
+ * action isn't equal,but the persistent privilege has the ALL action
+ */
+ fieldPrivilege1.setAction(SearchConstants.ALL);
+ assertTrue(fieldPrivilege1.implies(fieldPrivilege2));
+ }
+}
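Review bot: The two `implies` calls at the end of testSearchImpliesEqualAuthorizable, under the comment "the persistent privilege has the ALL name", discard their result, so the wildcard-authorizable path is exercised but never verified and a regression that stops `ALL` from matching would still pass. Given the comment's intent they should read `assertTrue(collectionPrivilege2.implies(collectionPrivilege1));` and `assertTrue(fieldPrivilege2.implies(fieldPrivilege1));`. Since implies() is the decision that lets a stored privilege satisfy a request, the wildcard cases are exactly the ones worth pinning with an assertion. The empty catch blocks in testValidateAuthorizables work as expected-exception handlers, but a `// expected` comment inside each would make that intent explicit to the next reader.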
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java
new file mode 100644
index 0000000..29134fe
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestSentryRole.java
@@ -0,0 +1,372 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.File;
+import java.util.Arrays;
+import java.util.Properties;
+
+import javax.jdo.JDOHelper;
+import javax.jdo.PersistenceManager;
+import javax.jdo.PersistenceManagerFactory;
+import javax.jdo.Query;
+import javax.jdo.Transaction;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.model.search.Collection;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.base.Preconditions;
+import com.google.common.io.Files;
+/**
+ * The class tests that the new feature SENTRY-398 generic model adds the new field in the MSentryRole
+ * will not affect the functionality of the origin hive/impala authorization model
+ */
+public class TestSentryRole {
+ private static PersistenceManagerFactory pmf;
+ private static File dataDir;
+
+ @Before
+ public void setup() throws Exception {
+ dataDir = new File(Files.createTempDir(), "sentry_policy_db");
+ Properties prop = new Properties();
+ prop.setProperty(ServerConfig.JAVAX_JDO_URL, "jdbc:derby:;databaseName=" + dataDir.getPath() + ";create=true");
+ prop.setProperty(ServerConfig.JAVAX_JDO_USER, "Sentry");
+ prop.setProperty(ServerConfig.JAVAX_JDO_PASS, "Sentry");
+ prop.setProperty(ServerConfig.JAVAX_JDO_DRIVER_NAME, "org.apache.derby.jdbc.EmbeddedDriver");
+ prop.setProperty("datanucleus.schema.autoCreateAll", "true");
+ prop.setProperty("datanucleus.autoCreateSchema", "true");
+ prop.setProperty("datanucleus.fixedDatastore", "false");
+ prop.setProperty("datanucleus.NontransactionalRead", "false");
+ prop.setProperty("datanucleus.NontransactionalWrite", "false");
+ pmf = JDOHelper.getPersistenceManagerFactory(prop);
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ pmf.close();
+ FileUtils.deleteQuietly(dataDir);
+ }
+
+ @Test
+ public void grantMixedPrivilegeTest() throws Exception {
+ String roleName = "r1";
+ //hive/impala privilege
+ MSentryPrivilege hivePrivilege = new MSentryPrivilege();
+ hivePrivilege.setServerName("hive.server1");
+ hivePrivilege.setDbName("db1");
+ hivePrivilege.setTableName("tb1");
+ hivePrivilege.setPrivilegeScope("table");
+ hivePrivilege.setAction("select");
+ hivePrivilege.setGrantOption(true);
+ //solr privilege
+ MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
+ solrPrivilege.setComponentName("solr");
+ solrPrivilege.setServiceName("solr.server1");
+ solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
+ solrPrivilege.setAction("query");
+ solrPrivilege.setGrantOption(true);
+
+ PersistenceManager pm = null;
+ //create role
+ pm = openTransaction();
+ pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
+ commitTransaction(pm);
+ //add hivePrivilege to role
+ pm = openTransaction();
+ MSentryRole role = getMSentryRole(pm, roleName);
+ hivePrivilege.appendRole(role);
+ pm.makePersistent(hivePrivilege);
+ commitTransaction(pm);
+ //check hivePrivlege and solrPrivilege
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ pm.retrieve(role);
+ assertEquals(1, role.getPrivileges().size());
+ assertEquals(0, role.getGmPrivileges().size());
+ commitTransaction(pm);
+ //add solrPrivilege to role
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ pm.retrieve(role);
+ solrPrivilege.appendRole(role);
+ pm.makePersistent(solrPrivilege);
+ commitTransaction(pm);
+ //check hivePrivlege and solrPrivilege
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ pm.retrieve(role);
+ assertEquals(1, role.getPrivileges().size());
+ assertEquals(1, role.getGmPrivileges().size());
+ commitTransaction(pm);
+ }
+
+ @Test
+ public void testWantGrantPrivilegeTwice() throws Exception {
+ String roleName = "r1";
+ //hive/impala privilege
+ MSentryPrivilege hivePrivilege = new MSentryPrivilege();
+ hivePrivilege.setServerName("hive.server1");
+ hivePrivilege.setDbName("db1");
+ hivePrivilege.setTableName("tb1");
+ hivePrivilege.setPrivilegeScope("table");
+ hivePrivilege.setAction("select");
+ hivePrivilege.setURI(SentryStore.NULL_COL);
+ hivePrivilege.setColumnName(SentryStore.NULL_COL);
+ hivePrivilege.setGrantOption(true);
+ //The same hivePrivilege
+ MSentryPrivilege hivePrivilege2 = new MSentryPrivilege(hivePrivilege);
+ //solr privilege
+ MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
+ solrPrivilege.setComponentName("solr");
+ solrPrivilege.setServiceName("solr.server1");
+ solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
+ solrPrivilege.setAction("query");
+ solrPrivilege.setGrantOption(true);
+ //The same solrPrivilege
+ MSentryGMPrivilege solrPrivilege2 = new MSentryGMPrivilege(solrPrivilege);
+
+ PersistenceManager pm = null;
+ //create role
+ pm = openTransaction();
+ pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
+ commitTransaction(pm);
+
+ //grant hivePrivilege and solrPrivilege to role
+ pm = openTransaction();
+ MSentryRole role = getMSentryRole(pm, roleName);
+ solrPrivilege.appendRole(role);
+ hivePrivilege.appendRole(role);
+ pm.makePersistent(solrPrivilege);
+ pm.makePersistent(hivePrivilege);
+ commitTransaction(pm);
+ //check
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ pm.retrieve(role);
+ assertEquals(1, role.getPrivileges().size());
+ assertEquals(1, role.getGmPrivileges().size());
+ commitTransaction(pm);
+
+ //want to grant the same hivePrivilege and solrPrivilege to role again
+ //hivePrivilege2 is equal to hivePrivilege
+ //solrPrivilege2 is equal to solrPrivilege
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ pm.retrieve(role);
+ if (!role.getGmPrivileges().contains(solrPrivilege2)) {
+ fail("unexpect happend: the MSentryGMPrivilege:" + solrPrivilege2 + " already be granted");
+ }
+ if (!role.getPrivileges().contains(hivePrivilege2)) {
+ fail("unexpect happend: the MSentryPrivilege:" + hivePrivilege2 + " already be granted");
+ }
+ commitTransaction(pm);
+ }
+
+ @Test
+ public void testMixedRevokePrivilege() throws Exception {
+ String roleName = "r1";
+ //hive/impala privilege
+ MSentryPrivilege hivePrivilege = new MSentryPrivilege();
+ hivePrivilege.setServerName("hive.server1");
+ hivePrivilege.setDbName("db1");
+ hivePrivilege.setTableName("tb1");
+ hivePrivilege.setPrivilegeScope("table");
+ hivePrivilege.setAction("select");
+ hivePrivilege.setURI(SentryStore.NULL_COL);
+ hivePrivilege.setColumnName(SentryStore.NULL_COL);
+ hivePrivilege.setGrantOption(true);
+
+ //solr privilege
+ MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
+ solrPrivilege.setComponentName("solr");
+ solrPrivilege.setServiceName("solr.server1");
+ solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
+ solrPrivilege.setAction("query");
+ solrPrivilege.setGrantOption(true);
+
+ PersistenceManager pm = null;
+ //create role
+ pm = openTransaction();
+ pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
+ commitTransaction(pm);
+
+ //grant hivePrivilege and solrPrivilege to role
+ pm = openTransaction();
+ MSentryRole role = getMSentryRole(pm, roleName);
+ hivePrivilege.appendRole(role);
+ solrPrivilege.appendRole(role);
+ pm.makePersistent(hivePrivilege);
+ pm.makePersistent(solrPrivilege);
+ commitTransaction(pm);
+
+ //check
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ pm.retrieve(role);
+ assertEquals(1, role.getPrivileges().size());
+ assertEquals(1, role.getGmPrivileges().size());
+ commitTransaction(pm);
+
+ //revoke solrPrivilege from role
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ solrPrivilege = (MSentryGMPrivilege)role.getGmPrivileges().toArray()[0];
+ solrPrivilege.removeRole(role);
+ pm.makePersistent(solrPrivilege);
+ commitTransaction(pm);
+
+ //check
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ pm.retrieve(role);
+ assertEquals(1, role.getPrivileges().size());
+ assertEquals(0, role.getGmPrivileges().size());
+ commitTransaction(pm);
+
+ //revoke hivePrivilege from role
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ pm.retrieve(role);
+ hivePrivilege = (MSentryPrivilege)role.getPrivileges().toArray()[0];
+ hivePrivilege.removeRole(role);
+ pm.makePersistent(hivePrivilege);
+ commitTransaction(pm);
+
+ //check
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ pm.retrieve(role);
+ assertEquals(0, role.getPrivileges().size());
+ assertEquals(0, role.getGmPrivileges().size());
+ commitTransaction(pm);
+ }
+
+ @Test
+ public void testDeletePrivilegeAndRole() throws Exception {
+ String roleName = "r1";
+ //hive/impala privilege
+ MSentryPrivilege hivePrivilege = new MSentryPrivilege();
+ hivePrivilege.setServerName("hive.server1");
+ hivePrivilege.setDbName("db1");
+ hivePrivilege.setTableName("tb1");
+ hivePrivilege.setPrivilegeScope("table");
+ hivePrivilege.setAction("select");
+ hivePrivilege.setURI(SentryStore.NULL_COL);
+ hivePrivilege.setColumnName(SentryStore.NULL_COL);
+ hivePrivilege.setGrantOption(true);
+
+ //solr privilege
+ MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege();
+ solrPrivilege.setComponentName("solr");
+ solrPrivilege.setServiceName("solr.server1");
+ solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1")));
+ solrPrivilege.setAction("query");
+ solrPrivilege.setGrantOption(true);
+
+ PersistenceManager pm = null;
+ //create role
+ pm = openTransaction();
+ pm.makePersistent(new MSentryRole(roleName, System.currentTimeMillis()));
+ commitTransaction(pm);
+
+ //grant hivePrivilege and solrPrivilege to role
+ pm = openTransaction();
+ MSentryRole role = getMSentryRole(pm, roleName);
+ hivePrivilege.appendRole(role);
+ solrPrivilege.appendRole(role);
+ pm.makePersistent(hivePrivilege);
+ pm.makePersistent(solrPrivilege);
+ commitTransaction(pm);
+
+ //check
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ pm.retrieve(role);
+ assertEquals(1, role.getPrivileges().size());
+ assertEquals(1, role.getGmPrivileges().size());
+ commitTransaction(pm);
+
+ //remove all privileges
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ role.removeGMPrivileges();
+ role.removePrivileges();
+ pm.makePersistent(role);
+ commitTransaction(pm);
+
+ //check
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ pm.retrieve(role);
+ assertEquals(0, role.getPrivileges().size());
+ assertEquals(0, role.getGmPrivileges().size());
+ commitTransaction(pm);
+
+ //delete role
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ pm.deletePersistent(role);
+ commitTransaction(pm);
+
+ //check
+ pm = openTransaction();
+ role = getMSentryRole(pm, roleName);
+ assertTrue(role == null);
+ commitTransaction(pm);
+ }
+
+ private PersistenceManager openTransaction() {
+ PersistenceManager pm = pmf.getPersistenceManager();
+ Transaction currentTransaction = pm.currentTransaction();
+ currentTransaction.begin();
+ return pm;
+ }
+
+ private void commitTransaction(PersistenceManager pm) {
+ Transaction currentTransaction = pm.currentTransaction();
+ try {
+ Preconditions.checkState(currentTransaction.isActive(), "Transaction is not active");
+ currentTransaction.commit();
+ } finally {
+ pm.close();
+ }
+ }
+
+ private MSentryRole getMSentryRole(PersistenceManager pm, String roleName) {
+ Query query = pm.newQuery(MSentryRole.class);
+ query.setFilter("this.roleName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ MSentryRole sentryRole = (MSentryRole) query.execute(roleName);
+ return sentryRole;
+ }
+
+
+}
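Review bot: Every assertEquals in TestSentryRole sits between openTransaction() and commitTransaction(), so a failing assertion skips the only `pm.close()` (inside commitTransaction's finally) and leaves a PersistenceManager with an active transaction; tearDown's `pmf.close()` is then likely to raise a JDOUserException about that open transaction, which obscures the original assertion failure. A helper such as `private void rollbackTransaction(PersistenceManager pm)` that rolls back the current transaction if active and closes the pm, invoked from a try/finally around each open/commit pair (or from tearDown before `pmf.close()`), keeps the reported failure the real one. Separately, `assertTrue(role == null);` in testDeletePrivilegeAndRole reads better as `assertNull(role);` with the matching static import.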
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
new file mode 100644
index 0000000..89d549e
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceIntegrationBase.java
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.Set;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.After;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SentryGenericServiceIntegrationBase extends SentryServiceIntegrationBase {
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryGenericServiceIntegrationBase.class);
+ protected static final String SOLR = "SOLR";
+ protected SentryGenericServiceClient client;
+
+ /**
+ * use the generic client to connect sentry service
+ */
+ @Override
+ public void connectToSentryService() throws Exception {
+ // The client should already be logged in when running in solr
+ // therefore we must manually login in the integration tests
+ if (SentryServiceIntegrationBase.kerberos) {
+ this.client = SentryServiceIntegrationBase.clientUgi.doAs( new PrivilegedExceptionAction<SentryGenericServiceClient>() {
+ @Override
+ public SentryGenericServiceClient run() throws Exception {
+ return SentryGenericServiceClientFactory.create(SentryServiceIntegrationBase.conf);
+ }
+ });
+ } else {
+ this.client = SentryGenericServiceClientFactory.create(SentryServiceIntegrationBase.conf);
+ }
+ }
+
+ @After
+ public void after() {
+ try {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Set<TSentryRole> tRoles = client.listAllRoles(SentryServiceIntegrationBase.ADMIN_USER, SOLR);
+ for (TSentryRole tRole : tRoles) {
+ client.dropRole(SentryServiceIntegrationBase.ADMIN_USER, tRole.getRoleName(), SOLR);
+ }
+ if(client != null) {
+ client.close();
+ }
+ }
+ });
+ } catch (Exception e) {
+ LOGGER.error(e.getMessage(), e);
+ } finally {
+ policyFilePath.delete();
+ }
+ }
+}
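Review bot: In after(), `client.close()` is only reached when listAllRoles and every dropRole succeed, so any failure in the cleanup leaks the client connection, and the `if(client != null)` guard comes after `client.listAllRoles(...)` has already dereferenced it, so a null client throws NullPointerException before the check is evaluated. Closing the client belongs in the finally block next to `policyFilePath.delete()`, and the null check belongs before the role listing. If close() declares a checked exception, after() will need to catch or declare it; that is not visible from this hunk. The ignored return value of `policyFilePath.delete()` is also worth logging so a leftover policy file between tests is noticed.
```java
        public void runTestAsSubject() throws Exception {
          if (client == null) {
            return;
          }
          // … unchanged: listAllRoles / dropRole loop …
        }
      });
    } catch (Exception e) {
      LOGGER.error(e.getMessage(), e);
    } finally {
      if (client != null) {
        client.close();
      }
      policyFilePath.delete();
    }
```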
[23/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
deleted file mode 100644
index 81059c5..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
+++ /dev/null
@@ -1,608 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.tools;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.PrintStream;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Set;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSentryShellHive extends SentryServiceIntegrationBase {
-
- private File confDir;
- private File confPath;
- private static String TEST_ROLE_NAME_1 = "testRole1";
- private static String TEST_ROLE_NAME_2 = "testRole2";
- private String requestorName = "";
-
- @Before
- public void prepareForTest() throws Exception {
- confDir = Files.createTempDir();
- confPath = new File(confDir, "sentry-site.xml");
- if (confPath.createNewFile()) {
- FileOutputStream to = new FileOutputStream(confPath);
- conf.writeXml(to);
- to.close();
- }
- requestorName = clientUgi.getShortUserName();
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorName, requestorUserGroupNames);
- // add ADMIN_USER for the after() in SentryServiceIntegrationBase
- setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
- writePolicyFile();
- }
-
- @After
- public void clearTestData() throws Exception {
- FileUtils.deleteQuietly(confDir);
- }
-
- @Test
- public void testCreateDropRole() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // test: create role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: create role with --create_role
- args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // validate the result, list roles with -lr
- args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
- // validate the result, list roles with --list_role
- args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
- // test: drop role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: drop role with --drop_role
- args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // validate the result
- Set<TSentryRole> roles = client.listRoles(requestorName);
- assertEquals("Incorrect number of roles", 0, roles.size());
- }
- });
- }
-
- @Test
- public void testAddDeleteRoleForGroup() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- client.createRole(requestorName, TEST_ROLE_NAME_2);
- // test: add role to group with -arg
- String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: add role to multiple groups
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup2,testGroup3",
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: add role to group with --add_role_group
- args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1",
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // validate the result list roles with -lr and -g
- args = new String[] { "-lr", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
-
- // list roles with --list_role and -g
- args = new String[] { "--list_role", "-g", "testGroup2", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1);
-
- args = new String[] { "--list_role", "-g", "testGroup3", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1);
-
- // test: delete role from group with -drg
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: delete role to multiple groups
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup2,testGroup3",
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: delete role from group with --delete_role_group
- args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // validate the result
- Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, "testGroup1");
- assertEquals("Incorrect number of roles", 0, roles.size());
- roles = client.listRolesByGroupName(requestorName, "testGroup2");
- assertEquals("Incorrect number of roles", 0, roles.size());
- roles = client.listRolesByGroupName(requestorName, "testGroup3");
- assertEquals("Incorrect number of roles", 0, roles.size());
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- client.dropRole(requestorName, TEST_ROLE_NAME_2);
- }
- });
- }
-
- @Test
- public void testGrantRevokePrivilegeWithShortOption() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- client.createRole(requestorName, TEST_ROLE_NAME_2);
-
- // test: grant privilege to role with -gpr
- String[] args = { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->action=*",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // for the uri privilege, the action will be awalys *
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // test the list privilege with -lp
- args = new String[] { "-lp", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
- // validate the result for -lp
- assertEquals("Incorrect number of privileges", 6, privilegeStrs.size());
- assertTrue(privilegeStrs.contains("server=server1->action=*"));
- assertTrue(privilegeStrs.contains("server=server1->db=db1->action=select"));
- assertTrue(privilegeStrs.contains("server=server1->db=db1->table=tbl1->action=insert"));
- assertTrue(privilegeStrs
- .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert"));
- assertTrue(privilegeStrs
- .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true"));
- // for the uri privilege, the action will be awalys *
- assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*"));
-
- // test: revoke privilege from role with -rpr
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
- TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 5, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 4, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 3, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 2, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 1, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p", "server=server1->action=*",
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 0, privileges.size());
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- client.dropRole(requestorName, TEST_ROLE_NAME_2);
- }
- });
- }
-
- @Test
- public void testGrantRevokePrivilegeWithLongOption() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- client.createRole(requestorName, TEST_ROLE_NAME_2);
-
- // test: grant privilege to role with -gpr
- String[] args = { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->action=*", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // for the uri privilege, the action will be awalys *
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // test the list privilege with -lp
- args = new String[] { "--list_privilege", "-r", TEST_ROLE_NAME_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
- // validate the result for -lp
- assertEquals("Incorrect number of privileges", 6, privilegeStrs.size());
- assertTrue(privilegeStrs.contains("server=server1->action=*"));
- assertTrue(privilegeStrs.contains("server=server1->db=db1->action=select"));
- assertTrue(privilegeStrs.contains("server=server1->db=db1->table=tbl1->action=insert"));
- assertTrue(privilegeStrs
- .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert"));
- assertTrue(privilegeStrs
- .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true"));
- // for the uri privilege, the action will be awalys *
- assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*"));
-
- // test: revoke privilege from role with -rpr
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
- TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 5, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 4, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 3, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 2, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 1, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->action=*", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 0, privileges.size());
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- client.dropRole(requestorName, TEST_ROLE_NAME_2);
- }
- });
- }
-
- @Test
- public void testNegativeCaseWithInvalidArgument() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- // test: create duplicate role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for creating duplicate role");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: drop non-exist role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for dropping non-exist role");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: add non-exist role to group with -arg
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for granting non-exist role to group");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: drop group from non-exist role with -drg
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for drop group from non-exist role");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: grant privilege to role with the error privilege format
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=*",
- "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for the error privilege format, invalid key value.");
- } catch (IllegalArgumentException e) {
- // excepted exception
- }
-
- // test: grant privilege to role with the error privilege hierarchy
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->table=tbl1->column=col2->action=insert", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for the error privilege format, invalid key value.");
- } catch (IllegalArgumentException e) {
- // excepted exception
- }
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- }
- });
- }
-
- @Test
- public void testNegativeCaseWithoutRequiredArgument() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String strOptionConf = "conf";
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- // test: the conf is required argument
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
- SentryShellHive sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
-
- // test: -r is required when create role
- args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -r is required when drop role
- args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -r is required when add role to group
- args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -g is required when add role to group
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
-
- // test: -r is required when delete role from group
- args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -g is required when delete role from group
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
-
- // test: -r is required when grant privilege to role
- args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -p is required when grant privilege to role
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
-
- // test: -r is required when revoke privilege from role
- args = new String[] { "-rpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -p is required when revoke privilege from role
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
-
- // test: command option is required for shell
- args = new String[] {"-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsgsContains(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[",
- "-arg Add role to group",
- "-cr Create role",
- "-rpr Revoke privilege from role",
- "-drg Delete role from group",
- "-lr List role",
- "-lp List privilege",
- "-gpr Grant privilege to role",
- "-dr Drop role");
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- }
- });
- }
-
- // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
- private Set<String> getShellResultWithOSRedirect(SentryShellHive sentryShell,
- String[] args, boolean exceptedExecuteResult) throws Exception {
- PrintStream oldOut = System.out;
- ByteArrayOutputStream outContent = new ByteArrayOutputStream();
- System.setOut(new PrintStream(outContent));
- assertEquals(exceptedExecuteResult, sentryShell.executeShell(args));
- Set<String> resultSet = Sets.newHashSet(outContent.toString().split("\n"));
- System.setOut(oldOut);
- return resultSet;
- }
-
- private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) {
- if (expectedRoleNames != null && expectedRoleNames.length > 0) {
- assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length,
- expectedRoleNames.length, roleNames.size());
- Set<String> lowerCaseRoles = new HashSet<String>();
- for (String role : roleNames) {
- lowerCaseRoles.add(role.toLowerCase());
- }
-
- for (String expectedRole : expectedRoleNames) {
- assertTrue("Expected role: " + expectedRole,
- lowerCaseRoles.contains(expectedRole.toLowerCase()));
- }
- }
- }
-
- private void validateMissingParameterMsg(SentryShellHive sentryShell, String[] args,
- String exceptedErrorMsg) throws Exception {
- Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
- assertTrue(errorMsgs.contains(exceptedErrorMsg));
- }
-
- private void validateMissingParameterMsgsContains(SentryShellHive sentryShell, String[] args,
- String ... expectedErrorMsgsContains) throws Exception {
- Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
- boolean foundAllMessages = false;
- Iterator<String> it = errorMsgs.iterator();
- while (it.hasNext()) {
- String errorMessage = it.next();
- boolean missingExpected = false;
- for (String expectedContains : expectedErrorMsgsContains) {
- if (!errorMessage.contains(expectedContains)) {
- missingExpected = true;
- break;
- }
- }
- if (!missingExpected) {
- foundAllMessages = true;
- break;
- }
- }
- assertTrue(foundAllMessages);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
deleted file mode 100644
index cb2d9c9..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ /dev/null
@@ -1,355 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.service.thrift;
-import java.io.File;
-import java.security.PrivilegedExceptionAction;
-import java.util.Properties;
-import java.util.Set;
-import java.util.concurrent.TimeoutException;
-
-
-import com.google.common.io.Resources;
-import org.apache.commons.io.FileUtils;
-import org.apache.curator.test.TestingServer;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.minikdc.MiniKdc;
-import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.provider.db.service.persistent.HAContext;
-import org.apache.sentry.provider.db.service.thrift.SentryMiniKdcTestcase;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.zookeeper.server.ZooKeeperSaslServer;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Strings;
-import com.google.common.io.Files;
-
-public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase {
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryServiceIntegrationBase.class);
-
- protected static final String SERVER_HOST = NetUtils.createSocketAddr("localhost:80").getAddress().getCanonicalHostName();
- protected static final String REALM = "EXAMPLE.COM";
- protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST;
- protected static String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM;
- protected static final String HTTP_PRINCIPAL = "HTTP/" + SERVER_HOST;
- protected static final String CLIENT_PRINCIPAL = "hive/" + SERVER_HOST;
- protected static final String CLIENT_KERBEROS_SHORT_NAME = "hive";
- protected static final String CLIENT_KERBEROS_NAME = CLIENT_KERBEROS_SHORT_NAME
- + "/" + SERVER_HOST + "@" + REALM;
- protected static final String ADMIN_USER = "admin_user";
- protected static final String ADMIN_GROUP = "admin_group";
-
- protected static SentryService server;
- protected SentryPolicyServiceClient client;
- protected static MiniKdc kdc;
- protected static File kdcWorkDir;
- protected static File dbDir;
- protected static File serverKeytab;
- protected static File httpKeytab;
- protected static File clientKeytab;
- protected static UserGroupInformation clientUgi;
- protected static boolean kerberos;
- protected final static Configuration conf = new Configuration(false);
- protected PolicyFile policyFile;
- protected File policyFilePath;
- protected static Properties kdcConfOverlay = new Properties();
-
- protected static boolean haEnabled = false;
- protected static final String ZK_SERVER_PRINCIPAL = "zookeeper/" + SERVER_HOST;
- protected static TestingServer zkServer;
-
- private static File ZKKeytabFile;
-
- protected static boolean webServerEnabled = false;
- protected static int webServerPort = ServerConfig.SENTRY_WEB_PORT_DEFAULT;
- protected static boolean webSecurity = false;
-
- protected static boolean pooled = false;
-
- protected static boolean useSSL = false;
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = true;
- pooled = true;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
- private static void setupKdc() throws Exception {
- startMiniKdc(kdcConfOverlay);
- }
-
- public static void startSentryService() throws Exception {
- server.start();
- final long start = System.currentTimeMillis();
- while(!server.isRunning()) {
- Thread.sleep(1000);
- if(System.currentTimeMillis() - start > 60000L) {
- throw new TimeoutException("Server did not start after 60 seconds");
- }
- }
- }
-
- public void stopSentryService() throws Exception {
- server.stop();
- Thread.sleep(30000);
- }
-
- public static void setupConf() throws Exception {
- if (kerberos) {
- setupKdc();
- kdc = getKdc();
- kdcWorkDir = getWorkDir();
- serverKeytab = new File(kdcWorkDir, "server.keytab");
- clientKeytab = new File(kdcWorkDir, "client.keytab");
- kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL);
- kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
- conf.set(ServerConfig.PRINCIPAL, getServerKerberosName());
- conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath());
- conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_SHORT_NAME);
- conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL,
- getServerKerberosName());
- conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB,
- serverKeytab.getPath());
-
- conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
- conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
- UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, clientKeytab.getPath());
- clientUgi = UserGroupInformation.getLoginUser();
- } else {
- LOGGER.info("Stopped KDC");
- conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
- }
- if (haEnabled) {
- zkServer = getZKServer();
- conf.set(ServerConfig.SENTRY_HA_ENABLED, "true");
- conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_QUORUM, zkServer.getConnectString());
- conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE, "sentry-test-case");
- if (kerberos) {
- conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY, "true");
- }
- }
- if (webServerEnabled) {
- conf.set(ServerConfig.SENTRY_WEB_ENABLE, "true");
- conf.set(ServerConfig.SENTRY_WEB_PORT, String.valueOf(webServerPort));
- if (webSecurity) {
- httpKeytab = new File(kdcWorkDir, "http.keytab");
- kdc.createPrincipal(httpKeytab, HTTP_PRINCIPAL);
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE,
- ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS);
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL, HTTP_PRINCIPAL);
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB, httpKeytab.getPath());
- } else {
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE,
- ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE);
- }
- } else {
- conf.set(ServerConfig.SENTRY_WEB_ENABLE, "false");
- }
- if (pooled) {
- conf.set(ClientConfig.SENTRY_POOL_ENABLED, "true");
- }
- if (useSSL) {
- conf.set(ServerConfig.SENTRY_WEB_USE_SSL, "true");
- conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH,
- Resources.getResource("keystore.jks").getPath());
- conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, "password");
- }
- conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
- conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP);
- conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST);
- conf.set(ServerConfig.RPC_PORT, String.valueOf(0));
- dbDir = new File(Files.createTempDir(), "sentry_policy_db");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
- "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
- server = new SentryServiceFactory().create(conf);
- conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName());
- conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort()));
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
- ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
- }
-
- @Before
- public void before() throws Exception {
- policyFilePath = new File(dbDir, "local_policy_file.ini");
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
- policyFilePath.getPath());
- policyFile = new PolicyFile();
- connectToSentryService();
- }
-
- @After
- public void after() {
- try {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- if (client != null) {
- Set<TSentryRole> tRoles = client.listRoles(ADMIN_USER);
- if (tRoles != null) {
- for (TSentryRole tRole : tRoles) {
- client.dropRole(ADMIN_USER, tRole.getRoleName());
- }
- }
- client.close();
- }
- }
- });
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- } finally {
- policyFilePath.delete();
- }
- }
-
- public void connectToSentryService() throws Exception {
- if (kerberos) {
- client = clientUgi.doAs(new PrivilegedExceptionAction<SentryPolicyServiceClient>() {
- @Override
- public SentryPolicyServiceClient run() throws Exception {
- return SentryServiceClientFactory.create(conf);
- }
- });
- } else {
- client = SentryServiceClientFactory.create(conf);
- }
- }
-
- @AfterClass
- public static void tearDown() throws Exception {
- beforeTeardown();
-
- if(server != null) {
- server.stop();
- }
- if (dbDir != null) {
- FileUtils.deleteQuietly(dbDir);
- }
- stopMiniKdc();
- afterTeardown();
- }
-
- public static String getServerKerberosName() {
- return SERVER_KERBEROS_NAME;
- }
-
- public static void beforeSetup() throws Exception {
-
- }
- public static void afterSetup() throws Exception {
-
- }
- public static void beforeTeardown() throws Exception {
-
- }
- public static void afterTeardown() throws Exception {
-
- }
- protected static void assertOK(TSentryResponseStatus resp) {
- assertStatus(Status.OK, resp);
- }
-
- protected static void assertStatus(Status status, TSentryResponseStatus resp) {
- if (resp.getValue() != status.getCode()) {
- String message = "Expected: " + status + ", Response: " + Status.fromCode(resp.getValue())
- + ", Code: " + resp.getValue() + ", Message: " + resp.getMessage();
- String stackTrace = Strings.nullToEmpty(resp.getStack()).trim();
- if (!stackTrace.isEmpty()) {
- message += ", StackTrace: " + stackTrace;
- }
- Assert.fail(message);
- }
- }
-
- protected void setLocalGroupMapping(String user, Set<String> groupSet) {
- for (String group : groupSet) {
- policyFile.addGroupsToUser(user, group);
- }
- }
-
- protected void writePolicyFile() throws Exception {
- policyFile.write(policyFilePath);
- }
-
- protected static TestingServer getZKServer() throws Exception {
- if (!kerberos) {
- LOGGER.info("Creating a non-security ZooKeeper Server.");
- return new TestingServer();
- } else {
- LOGGER.info("Creating a security ZooKeeper Server.");
- // Not entirely sure exactly what "javax.security.auth.useSubjectCredsOnly=false" does, but it has something to do with
- // re-authenticating in cases where it otherwise wouldn't. One of the sections on this page briefly mentions it:
- // http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html
- System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
-
- // Setup KDC and principal
- kdc = getKdc();
- ZKKeytabFile = new File(kdcWorkDir, "test.keytab");
- kdc.createPrincipal(ZKKeytabFile, ZK_SERVER_PRINCIPAL);
-
- System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
- System.setProperty("zookeeper.kerberos.removeHostFromPrincipal", "true");
- System.setProperty("zookeeper.kerberos.removeRealmFromPrincipal", "true");
-
- JaasConfiguration.addEntryForKeytab("Server", ZK_SERVER_PRINCIPAL, ZKKeytabFile.getAbsolutePath());
- // Here's where we add the "Client" to the jaas configuration, even though we'd like not to
- JaasConfiguration.addEntryForKeytab(HAContext.SENTRY_ZK_JAAS_NAME,
- SERVER_KERBEROS_NAME, serverKeytab.getAbsolutePath());
- javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
-
- System.setProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, "Server");
-
- return new TestingServer();
- }
-
- }
-
- protected void runTestAsSubject(final TestOperation test) throws Exception {
- /*if (false) {
- clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- test.runTestAsSubject();
- return null;
- }});
- } else {
- */ test.runTestAsSubject();
- //}
- }
-
- protected interface TestOperation {
- void runTestAsSubject() throws Exception;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks b/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks
deleted file mode 100644
index 6ac6495..0000000
Binary files a/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks b/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks
deleted file mode 100644
index a6beece..0000000
Binary files a/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties b/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
deleted file mode 100644
index 9766758..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-# Define some default values that can be overridden by system properties.
-#
-# For testing, it may also be convenient to specify
-
-log4j.rootLogger=DEBUG,console
-
-log4j.appender.console=org.apache.log4j.ConsoleAppender
-log4j.appender.console.target=System.err
-log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern=%d (%t) [%p - %l] %m%n
-
-log4j.logger.org.apache.hadoop.conf.Configuration=INFO
-log4j.logger.org.apache.hadoop.metrics2=INFO
-log4j.logger.org.apache.directory=INFO
-log4j.logger.org.apache.directory.api.ldap.model.entry.AbstractValue=WARN
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini b/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini
deleted file mode 100644
index fbbebfc..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini
+++ /dev/null
@@ -1,26 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-groupa = RoLe1
-groupb = rOlE1
-groupc = ROLE2
-
-[roles]
-RoLe1 = collection=*
-rOlE1 = collection=*
-ROLE2 = collection=*
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini b/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini
deleted file mode 100644
index da7df4c..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini
+++ /dev/null
@@ -1,29 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-corporal = corporal_role
-sergeant = corporal_role, sergeant_role
-general = corporal_role, sergeant_role, general_role
-commander_in_chief = corporal_role, sergeant_role, general_role, commander_in_chief_role
-
-[roles]
-corporal_role = collection=info->action=query, \
- collection=info->action=update
-sergeant_role = collection=info->action=update
-general_role = collection=info->action=*
-commander_in_chief_role = collection=*
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini b/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini
deleted file mode 100644
index 03083a7..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini
+++ /dev/null
@@ -1,21 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-
-[roles]
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
deleted file mode 100644
index 6a77827..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
+++ /dev/null
@@ -1,202 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.file;
-
-import static org.apache.sentry.core.common.utils.PolicyFileConstants.DATABASES;
-import static org.apache.sentry.core.common.utils.PolicyFileConstants.GROUPS;
-import static org.apache.sentry.core.common.utils.PolicyFileConstants.ROLES;
-import static org.apache.sentry.core.common.utils.PolicyFileConstants.USERS;
-
-import java.io.File;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Charsets;
-import com.google.common.base.Joiner;
-import com.google.common.collect.ArrayListMultimap;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Multimap;
-import com.google.common.io.Files;
-
-/**
- * PolicyFile creator. Written specifically to be used with tests. Specifically
- * due to the fact that methods that would typically return true or false to
- * indicate success or failure these methods throw an unchecked exception.
- * This is because in a test if you mean to remove a user from the policy file,
- * the user should absolutely be there. If not, the test is mis-behaving.
- */
-@VisibleForTesting
-public class PolicyFile {
-
- private static final Logger LOGGER = LoggerFactory
- .getLogger(PolicyFile.class);
-
- private static final String NL = System.getProperty("line.separator", "\n");
-
- private final Map<String, String> databasesToPolicyFiles = Maps.newHashMap();
- private final Multimap<String, String> usersToGroups = ArrayListMultimap.create();
- private final Multimap<String, String> groupsToRoles = ArrayListMultimap
- .create();
- private final Multimap<String, String> rolesToPermissions = ArrayListMultimap
- .create();
-
- public Multimap<String, String> getGroupsToRoles() {
- return groupsToRoles;
- }
- public Multimap<String, String> getRolesToPermissions() {
- return rolesToPermissions;
- }
- public PolicyFile addRolesToGroup(String groupName, String... roleNames)
- throws Exception {
- return addRolesToGroup(groupName, false, roleNames);
- }
- public PolicyFile addRolesToGroup(String groupName, boolean allowDuplicates, String... roleNames) {
- return add(groupsToRoles.get(groupName), allowDuplicates, roleNames);
- }
- public PolicyFile addPermissionsToRole(String roleName, String... permissionNames) {
- return addPermissionsToRole(roleName, false, permissionNames);
- }
- public PolicyFile addPermissionsToRole(String roleName, boolean allowDuplicates, String... permissionNames) {
- return add(rolesToPermissions.get(roleName), allowDuplicates, permissionNames);
- }
- public PolicyFile addGroupsToUser(String userName, String... groupNames) {
- LOGGER.warn("Static user:group mapping is not being used");
- return addGroupsToUser(userName, false, groupNames);
- }
- public PolicyFile addGroupsToUser(String userName, boolean allowDuplicates, String... groupNames) {
- LOGGER.warn("Static user:group mapping is not being used");
- return add(usersToGroups.get(userName), allowDuplicates, groupNames);
- }
- public PolicyFile setUserGroupMapping(Map<String, String> mapping) {
- for (Entry<String, String> entry : mapping.entrySet()) {
- usersToGroups.put(entry.getKey(), entry.getValue());
- }
- return this;
- }
- public PolicyFile addDatabase(String databaseName, String path) {
- String oldPath = databasesToPolicyFiles.put(databaseName, path);
- if (oldPath != null) {
- throw new IllegalStateException("Database " + databaseName + " already existed in " +
- databasesToPolicyFiles + " with value of " + oldPath);
- }
- databasesToPolicyFiles.put(databaseName, path);
- return this;
- }
- public PolicyFile removeRolesFromGroup(String groupName, String... roleNames) {
- return remove(groupsToRoles.get(groupName), roleNames);
- }
- public PolicyFile removePermissionsFromRole(String roleName, String... permissionNames) {
- return remove(rolesToPermissions.get(roleName), permissionNames);
- }
- public PolicyFile removeGroupsFromUser(String userName, String... groupNames) {
- LOGGER.warn("Static user:group mapping is not being used");
- return remove(usersToGroups.get(userName), groupNames);
- }
- public PolicyFile removeDatabase(String databaseName) {
- if(databasesToPolicyFiles.remove(databaseName) == null) {
- throw new IllegalStateException("Database " + databaseName + " did not exist in " +
- databasesToPolicyFiles);
- }
- return this;
- }
- public PolicyFile copy() {
- PolicyFile other = new PolicyFile();
- other.databasesToPolicyFiles.putAll(databasesToPolicyFiles);
- other.usersToGroups.putAll(usersToGroups);
- other.groupsToRoles.putAll(groupsToRoles);
- other.rolesToPermissions.putAll(rolesToPermissions);
- return other;
- }
-
- public void write(File clientFile, File serverFile) throws Exception {
- write(clientFile);
- write(serverFile);
- }
-
- public void write(File file) throws Exception {
- if(file.exists() && !file.delete()) {
- throw new IllegalStateException("Unable to delete " + file);
- }
- String contents = Joiner.on(NL)
- .join(getSection(DATABASES, databasesToPolicyFiles),
- getSection(USERS, usersToGroups),
- getSection(GROUPS, groupsToRoles),
- getSection(ROLES, rolesToPermissions),
- "");
- LOGGER.info("Writing policy file to " + file + ":\n" + contents);
- Files.write(contents, file, Charsets.UTF_8);
- }
-
- private String getSection(String name, Map<String, String> mapping) {
- if(mapping.isEmpty()) {
- return "";
- }
- Joiner kvJoiner = Joiner.on(" = ");
- List<String> lines = Lists.newArrayList();
- lines.add("[" + name + "]");
- for (Entry<String, String> entry : mapping.entrySet()) {
- lines.add(kvJoiner.join(entry.getKey(), entry.getValue()));
- }
- return Joiner.on(NL).join(lines);
- }
- private String getSection(String name, Multimap<String, String> mapping) {
- if(mapping.isEmpty()) {
- return "";
- }
- Joiner kvJoiner = Joiner.on(" = ");
- Joiner itemJoiner = Joiner.on(" , ");
- List<String> lines = Lists.newArrayList();
- lines.add("[" + name + "]");
- for(String key : mapping.keySet()) {
- lines.add(kvJoiner.join(key, itemJoiner.join(mapping.get(key))));
- }
- return Joiner.on(NL).join(lines);
- }
-
- private PolicyFile remove(Collection<String> exitingItems, String[] newItems) {
- for(String newItem : newItems) {
- if(!exitingItems.remove(newItem)) {
- throw new IllegalStateException("Item " + newItem + " did not exist in " + exitingItems);
- }
- }
- return this;
- }
- private PolicyFile add(Collection<String> exitingItems, boolean allowDuplicates, String[] newItems) {
- for(String newItem : newItems) {
- if(exitingItems.contains(newItem) && !allowDuplicates) {
- throw new IllegalStateException("Item " + newItem + " already exists in " + exitingItems);
- }
- exitingItems.add(newItem);
- }
- return this;
- }
-
- //User:Group mapping for the admin user needs to be set separately
- public static PolicyFile setAdminOnServer1(String admin) throws Exception {
- return new PolicyFile()
- .addRolesToGroup(admin, "admin_role")
- .addPermissionsToRole("admin_role", "server=server1");
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-service/pom.xml b/sentry-service/pom.xml
index bea89e5..ae42d0f 100644
--- a/sentry-service/pom.xml
+++ b/sentry-service/pom.xml
@@ -31,6 +31,7 @@ limitations under the License.
<modules>
<module>sentry-service-common</module>
+ <module>sentry-service-server</module>
</modules>
</project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java b/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
new file mode 100644
index 0000000..ce73358
--- /dev/null
+++ b/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
@@ -0,0 +1,158 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.service.thrift;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+
+import com.google.common.collect.Lists;
+
+public final class SentryServiceUtil {
+
+ // parse the privilege in String and get the TSentryPrivilege as result
+ public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) {
+ TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
+ KeyValue tempKV = new KeyValue(authorizable);
+ String key = tempKV.getKey();
+ String value = tempKV.getValue();
+
+ if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setServerName(value);
+ } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setDbName(value);
+ } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setTableName(value);
+ } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setColumnName(value);
+ } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setURI(value);
+ } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setAction(value);
+ } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) {
+ TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE
+ : TSentryGrantOption.FALSE;
+ tSentryPrivilege.setGrantOption(grantOption);
+ }
+ }
+ tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege));
+ return tSentryPrivilege;
+ }
+
+ /**
+ * Parse the object path from string to map.
+ * @param objectPath the string format as db=db1->table=tbl1
+ * @return Map
+ */
+ public static Map<String, String> parseObjectPath(String objectPath) {
+ Map<String, String> objectMap = new HashMap<String, String>();
+ if (StringUtils.isEmpty(objectPath)) {
+ return objectMap;
+ }
+ for (String kvStr : SentryConstants.AUTHORIZABLE_SPLITTER.split(objectPath)) {
+ KeyValue kv = new KeyValue(kvStr);
+ String key = kv.getKey();
+ String value = kv.getValue();
+
+ if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
+ objectMap.put(PolicyFileConstants.PRIVILEGE_DATABASE_NAME, value);
+ } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
+ objectMap.put(PolicyFileConstants.PRIVILEGE_TABLE_NAME, value);
+ }
+ }
+ return objectMap;
+ }
+
+ // for the different hierarchy for hive:
+ // 1: server->url
+ // 2: server->database->table->column
+ // if both of them are found in the privilege string, the privilege scope will be set as
+ // PrivilegeScope.URI
+ public static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) {
+ PrivilegeScope privilegeScope = PrivilegeScope.SERVER;
+ if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) {
+ privilegeScope = PrivilegeScope.URI;
+ } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) {
+ privilegeScope = PrivilegeScope.COLUMN;
+ } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) {
+ privilegeScope = PrivilegeScope.TABLE;
+ } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) {
+ privilegeScope = PrivilegeScope.DATABASE;
+ }
+ return privilegeScope.toString();
+ }
+
+ // convert TSentryPrivilege to privilege in string
+ public static String convertTSentryPrivilegeToStr(TSentryPrivilege tSentryPrivilege) {
+ List<String> privileges = Lists.newArrayList();
+ if (tSentryPrivilege != null) {
+ String serverName = tSentryPrivilege.getServerName();
+ String dbName = tSentryPrivilege.getDbName();
+ String tableName = tSentryPrivilege.getTableName();
+ String columnName = tSentryPrivilege.getColumnName();
+ String uri = tSentryPrivilege.getURI();
+ String action = tSentryPrivilege.getAction();
+ String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
+ : "false");
+ if (!StringUtils.isEmpty(serverName)) {
+ privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_SERVER_NAME,
+ serverName));
+ if (!StringUtils.isEmpty(uri)) {
+ privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_URI_NAME,
+ uri));
+ } else if (!StringUtils.isEmpty(dbName)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_DATABASE_NAME, dbName));
+ if (!StringUtils.isEmpty(tableName)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_TABLE_NAME, tableName));
+ if (!StringUtils.isEmpty(columnName)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_COLUMN_NAME, columnName));
+ }
+ }
+ }
+ if (!StringUtils.isEmpty(action)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
+ }
+ }
+ // only append the grant option to privilege string if it's true
+ if ("true".equals(grantOption)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
+ }
+ }
+ return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
+ }
+
+ private SentryServiceUtil() {
+ // Make constructor private to avoid instantiation
+ }
+
+}
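Review bot: `convertToTSentryPrivilege` silently drops any authorizable whose key is not one of the recognised names (the if/else chain inside the loop has no final `else`), so a misspelled key, e.g. a typo in the table or column part, yields a privilege one level broader than the string that was written — the parser fails open rather than closed. A final branch `} else { throw new IllegalArgumentException("Unknown authorizable key: " + key); }` would reject such input; `parseObjectPath` has the same drop-through for keys other than db/table and should at least be documented as intentional. The method also hands `privilegeStr` straight to `AUTHORIZABLE_SPLITTER.split`, so a null argument presumably surfaces as a NullPointerException from inside the splitter; an explicit `Objects.requireNonNull(privilegeStr, "privilegeStr")` up front would make the precondition visible. Neither public method carries a Javadoc `@throws` describing these failure modes.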
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
index ab0930b..5ec364c 100644
--- a/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ b/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
@@ -28,6 +28,8 @@ import com.google.common.collect.ImmutableMap;
public class ServiceConstants {
private static final ImmutableMap<String, String> SASL_PROPERTIES;
+ public static final String SENTRY_POLICY_SERVICE_NAME = "SentryPolicyService";
+ public static final String SENTRY_GENERIC_SERVICE_NAME = "SentryGenericPolicyService";
static {
Map<String, String> saslProps = new HashMap<String, String>();
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/pom.xml b/sentry-service/sentry-service-server/pom.xml
new file mode 100644
index 0000000..d327bf6
--- /dev/null
+++ b/sentry-service/sentry-service-server/pom.xml
@@ -0,0 +1,283 @@
+<?xml version="1.0"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service</artifactId>
+ <version>1.8.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>sentry-service-server</artifactId>
+ <name>Sentry Service Server</name>
+
+ <dependencies>
+ <dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.thrift</groupId>
+ <artifactId>libfb303</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.thrift</groupId>
+ <artifactId>libthrift</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-common</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service-common</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-db</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-kafka</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-search</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-sqoop</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-core-asl</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-mapper-asl</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>javax.jdo</groupId>
+ <artifactId>jdo-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>com.codahale.metrics</groupId>
+ <artifactId>metrics-core</artifactId>
+ <version>${metrics.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.codahale.metrics</groupId>
+ <artifactId>metrics-servlets</artifactId>
+ <version>${metrics.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.codahale.metrics</groupId>
+ <artifactId>metrics-jvm</artifactId>
+ <version>${metrics.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty.aggregate</groupId>
+ <artifactId>jetty-all</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-server</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-servlet</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-provider-db</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hive</groupId>
+ <artifactId>hive-beeline</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.mockito</groupId>
+ <artifactId>mockito-all</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-minikdc</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <sourceDirectory>${basedir}/src/main/java</sourceDirectory>
+ <testSourceDirectory>${basedir}/src/test/java</testSourceDirectory>
+ <resources>
+ <resource>
+ <directory>../../sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model</directory>
+ <includes>
+ <include>package.jdo</include>
+ </includes>
+ </resource>
+ <resource>
+ <directory>${basedir}/src/main</directory>
+ <includes>
+ <include>webapp/*</include>
+ <include>webapp/css/*</include>
+ </includes>
+ </resource>
+ </resources>
+ <plugins>
+ <plugin>
+ <groupId>com.google.code.maven-replacer-plugin</groupId>
+ <artifactId>replacer</artifactId>
+ <version>1.5.2</version>
+ <executions>
+ <execution>
+ <id>replaceTokens</id>
+ <phase>clean</phase>
+ <goals>
+ <goal>replace</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <file>${basedir}/src/main/webapp/SentryService.html</file>
+ <replacements>
+ <replacement>
+ <token>%PROJECT_VERSION%</token>
+ <value>${version}</value>
+ </replacement>
+ </replacements>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-maven-plugin</artifactId>
+ <configuration>
+ <api>JDO</api>
+ <metadataIncludes>**/*.jdo</metadataIncludes>
+ <verbose>true</verbose>
+ </configuration>
+ <executions>
+ <execution>
+ <phase>process-classes</phase>
+ <goals>
+ <goal>enhance</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <executions>
+ <execution>
+ <goals>
+ <goal>test-jar</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <configuration>
+ <reuseForks>false</reuseForks>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+ <profiles>
+ <profile>
+ <id>datanucleus3</id>
+ <activation>
+ <activeByDefault>true</activeByDefault>
+ </activation>
+ <properties>
+ <datanucleus-api-jdo.version>3.2.6</datanucleus-api-jdo.version>
+ <datanucleus-core.version>3.2.12</datanucleus-core.version>
+ <datanucleus-rdbms.version>3.2.12</datanucleus-rdbms.version>
+ </properties>
+ <dependencies>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-core</artifactId>
+ <version>${datanucleus-core.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-api-jdo</artifactId>
+ <version>${datanucleus-api-jdo.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-rdbms</artifactId>
+ <version>${datanucleus-rdbms.version}</version>
+ </dependency>
+ </dependencies>
+ </profile>
+ <profile>
+ <id>datanucleus4</id>
+ <activation>
+ <activeByDefault>false</activeByDefault>
+ </activation>
+ <properties>
+ <datanucleus-api-jdo.version>4.2.1</datanucleus-api-jdo.version>
+ <datanucleus-core.version>4.1.6</datanucleus-core.version>
+ <datanucleus-rdbms.version>4.1.7</datanucleus-rdbms.version>
+ <datanucleus-jdo.version>3.2.0-m3</datanucleus-jdo.version>
+ </properties>
+ <dependencies>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-core</artifactId>
+ <version>${datanucleus-core.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-api-jdo</artifactId>
+ <version>${datanucleus-api-jdo.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-rdbms</artifactId>
+ <version>${datanucleus-rdbms.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>javax.jdo</artifactId>
+ <version>${datanucleus-jdo.version}</version>
+ </dependency>
+ </dependencies>
+ </profile>
+ </profiles>
+</project>
\ No newline at end of file
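Review bot: The first `<resource>` directory is given as `../../sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model`, a path that climbs out of the module and back into it, while every other path in this build section is written relative to `${basedir}`; the two resolve to the same place only as long as the module's position in the tree does not change. `<directory>${basedir}/src/main/java/org/apache/sentry/provider/db/service/model</directory>` says the same thing without depending on the parent layout. The replacer plugin's `<value>${version}</value>` likewise relies on the bare `version` property, which Maven resolves to the project version but warns is deprecated in favour of `${project.version}`; switching it keeps the file consistent with the `${basedir}` usage elsewhere.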
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java
new file mode 100644
index 0000000..2ff715f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TDropPrivilegesRequest;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TRenamePrivilegesRequest;
+
+public interface SentryPolicyStorePlugin {
+
+ @SuppressWarnings("serial")
+ class SentryPluginException extends SentryUserException {
+ public SentryPluginException(String msg) {
+ super(msg);
+ }
+ public SentryPluginException(String msg, Throwable t) {
+ super(msg, t);
+ }
+ }
+
+ void initialize(Configuration conf, SentryStore sentryStore) throws SentryPluginException;
+
+ void onAlterSentryRoleAddGroups(TAlterSentryRoleAddGroupsRequest tRequest) throws SentryPluginException;
+
+ void onAlterSentryRoleDeleteGroups(TAlterSentryRoleDeleteGroupsRequest tRequest) throws SentryPluginException;
+
+ void onAlterSentryRoleGrantPrivilege(TAlterSentryRoleGrantPrivilegeRequest tRequest) throws SentryPluginException;
+
+ void onAlterSentryRoleRevokePrivilege(TAlterSentryRoleRevokePrivilegeRequest tRequest) throws SentryPluginException;
+
+ void onDropSentryRole(TDropSentryRoleRequest tRequest) throws SentryPluginException;
+
+ void onRenameSentryPrivilege(TRenamePrivilegesRequest request) throws SentryPluginException;
+
+ void onDropSentryPrivilege(TDropPrivilegesRequest request) throws SentryPluginException;
+
+}
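Review bot: Neither `initialize` nor any of the `on*` callbacks carries Javadoc, so an implementer cannot tell from this interface whether a callback is invoked before or after the corresponding store change is persisted, or whether a thrown `SentryPluginException` aborts that change; the caller is not in this hunk, so that contract can only be inferred. I would add a class-level comment stating the ordering and abort semantics once they are confirmed against the invoking code, plus a one-line `@throws SentryPluginException` description on each method. This matters here because these hooks report role, group and privilege changes, which is exactly what a downstream consumer (a cache, an audit sink) relies on being delivered consistently with what was actually persisted.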
[20/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
new file mode 100644
index 0000000..3058650
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
@@ -0,0 +1,233 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.util;
+
+import java.net.InetAddress;
+import java.net.NetworkInterface;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+
+import com.google.common.annotations.VisibleForTesting;
+
+public final class CommandUtil {
+
+ public CommandUtil() {
+ // Make constructor private to avoid instantiation
+ }
+
+ public static String createCmdForCreateOrDropRole(String roleName,
+ boolean isCreate) {
+ if (isCreate) {
+ return "CREATE ROLE " + roleName;
+ }
+ return "DROP ROLE " + roleName;
+ }
+
+ public static String createCmdForRoleAddGroup(String roleName, String groups) {
+ return createCmdForRoleGrant(roleName, groups, true, true);
+ }
+
+ public static String createCmdForRoleDeleteGroup(String roleName, String groups) {
+ return createCmdForRoleGrant(roleName, groups, false, true);
+ }
+
+ private static String createCmdForRoleGrant(String roleName, String principals,
+ boolean isGrant, boolean isGroup) {
+ StringBuilder sb = new StringBuilder();
+ if (isGrant) {
+ sb.append("GRANT ROLE ");
+ } else {
+ sb.append("REVOKE ROLE ");
+ }
+ sb.append(roleName);
+ if (isGrant) {
+ sb.append(" TO ");
+ } else {
+ sb.append(" FROM ");
+ }
+
+ String principalType = isGroup ? "GROUP" : "USER";
+ if (!StringUtils.isEmpty(principals)) {
+ sb.append(principalType).append(" ").append(principals);
+ } else {
+ sb = new StringBuilder("Missing " + principalType + " information.");
+ }
+
+ return sb.toString();
+ }
+
+ public static String createCmdForRoleAddUser(String roleName, String users) {
+ return createCmdForRoleGrant(roleName, users, true, false);
+ }
+
+ public static String createCmdForRoleDeleteUser(String roleName, String users) {
+ return createCmdForRoleGrant(roleName, users, false, false);
+ }
+
+ public static String createCmdForGrantPrivilege(
+ TAlterSentryRoleGrantPrivilegeRequest request) {
+ return createCmdForGrantOrRevokePrivileges(request.getRoleName(),
+ request.getPrivileges(), true);
+ }
+
+ public static String createCmdForRevokePrivilege(
+ TAlterSentryRoleRevokePrivilegeRequest request) {
+ return createCmdForGrantOrRevokePrivileges(request.getRoleName(),
+ request.getPrivileges(), false);
+ }
+
+ private static String createCmdForGrantOrRevokePrivileges(String roleName,
+ Set<TSentryPrivilege> privileges, boolean isGrant) {
+ StringBuilder sb = new StringBuilder();
+ if (privileges != null) {
+ for (TSentryPrivilege privilege : privileges) {
+ sb.append(createCmdForGrantOrRevokePrivilege(roleName, privilege, isGrant));
+ }
+ }
+ return sb.toString();
+ }
+
+ private static String createCmdForGrantOrRevokePrivilege(String roleName,
+ TSentryPrivilege privilege, boolean isGrant) {
+ StringBuilder sb = new StringBuilder();
+ if (isGrant) {
+ sb.append("GRANT ");
+ } else {
+ sb.append("REVOKE ");
+ }
+
+ String action = privilege.getAction();
+ String privilegeScope = privilege.getPrivilegeScope();
+ if (AccessConstants.ALL.equalsIgnoreCase(action)) {
+ sb.append("ALL");
+ } else {
+ if (action != null) {
+ action = action.toUpperCase();
+ }
+ sb.append(action);
+ }
+
+ sb.append(" ON ").append(privilege.getPrivilegeScope()).append(" ");
+ if (PrivilegeScope.DATABASE.name().equalsIgnoreCase(privilegeScope)) {
+ sb.append(privilege.getDbName());
+ } else if (PrivilegeScope.TABLE.name().equalsIgnoreCase(privilegeScope)) {
+ sb.append(privilege.getTableName());
+ } else if (PrivilegeScope.SERVER.name().equalsIgnoreCase(privilegeScope)) {
+ sb.append(privilege.getServerName());
+ } else if (PrivilegeScope.URI.name().equalsIgnoreCase(privilegeScope)) {
+ sb.append(privilege.getURI());
+ }
+
+ if (isGrant) {
+ sb.append(" TO ROLE ");
+ } else {
+ sb.append(" FROM ROLE ");
+ }
+ sb.append(roleName);
+
+ if (privilege.getGrantOption() == TSentryGrantOption.TRUE) {
+ sb.append(" WITH GRANT OPTION");
+ }
+
+ return sb.toString();
+ }
+
+ public static String createCmdForGrantGMPrivilege(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest request) {
+ return createCmdForGrantOrRevokeGMPrivilege(request.getRoleName(), request.getPrivilege(), true);
+ }
+
+ public static String createCmdForRevokeGMPrivilege(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest request) {
+ return createCmdForGrantOrRevokeGMPrivilege(request.getRoleName(), request.getPrivilege(),
+ false);
+ }
+
+ private static String createCmdForGrantOrRevokeGMPrivilege(String roleName,
+ org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege,
+ boolean isGrant) {
+ StringBuilder sb = new StringBuilder();
+ if (isGrant) {
+ sb.append("GRANT ");
+ } else {
+ sb.append("REVOKE ");
+ }
+
+ String action = privilege.getAction();
+ if (AccessConstants.ALL.equalsIgnoreCase(action)) {
+ sb.append("ALL");
+ } else {
+ if (action != null) {
+ action = action.toUpperCase();
+ }
+ sb.append(action);
+ }
+
+ sb.append(" ON");
+
+ List<TAuthorizable> authorizables = privilege.getAuthorizables();
+ if (authorizables != null) {
+ for (TAuthorizable authorizable : authorizables) {
+ sb.append(" ").append(authorizable.getType()).append(" ").append(authorizable.getName());
+ }
+ }
+
+ if (isGrant) {
+ sb.append(" TO ROLE ");
+ } else {
+ sb.append(" FROM ROLE ");
+ }
+ sb.append(roleName);
+
+ if (privilege.getGrantOption() == org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption.TRUE) {
+ sb.append(" WITH GRANT OPTION");
+ }
+
+ return sb.toString();
+ }
+
+ // Check if the given IP is one of the local IP.
+ @VisibleForTesting
+ public static boolean assertIPInAuditLog(String ipInAuditLog) throws Exception {
+ if (ipInAuditLog == null) {
+ return false;
+ }
+ Enumeration<NetworkInterface> netInterfaces = NetworkInterface.getNetworkInterfaces();
+ while (netInterfaces.hasMoreElements()) {
+ NetworkInterface ni = netInterfaces.nextElement();
+ Enumeration<InetAddress> ips = ni.getInetAddresses();
+ while (ips.hasMoreElements()) {
+ if (ipInAuditLog.indexOf(ips.nextElement().getHostAddress()) != -1) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+}
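Review bot: The constructor `public CommandUtil()` is public while its own comment says it is made private to avoid instantiation; `private CommandUtil()` matches both the comment and the private constructor `Constants` uses in the same package. In `assertIPInAuditLog`, a local address is matched with `indexOf`, so a longer address that contains a local one as a substring passes (constructed example: an audit field of "110.0.0.1" against a local "10.0.0.1"), and the `getNetworkInterfaces()` result is dereferenced without a null check, which older JDK Javadoc allows when no interface is found; splitting the audit field into tokens and comparing with `equals`, guarded by `if (netInterfaces == null) return false;`, would make the check strict. In `createCmdForGrantOrRevokePrivilege`, the TABLE branch appends only `getTableName()`, so the generated audit text presumably does not identify the database the table belongs to; if the audit log is meant to be unambiguous, consider emitting `dbName.tableName` there.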
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
new file mode 100644
index 0000000..2e71ce0
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
@@ -0,0 +1,162 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.util;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.sentry.provider.db.service.thrift.*;
+
+public final class Constants {
+ public final static String AUDIT_LOGGER_NAME = "sentry.hive.authorization.ddl.logger";
+ public final static String AUDIT_LOGGER_NAME_GENERIC = "sentry.generic.authorization.ddl.logger";
+
+ public final static String LOG_FIELD_SERVICE_NAME = "serviceName";
+ public final static String LOG_FIELD_USER_NAME = "userName";
+ public final static String LOG_FIELD_IMPERSONATOR = "impersonator";
+ public final static String LOG_FIELD_IP_ADDRESS = "ipAddress";
+ public final static String LOG_FIELD_OPERATION = "operation";
+ public final static String LOG_FIELD_EVENT_TIME = "eventTime";
+ public final static String LOG_FIELD_OPERATION_TEXT = "operationText";
+ public final static String LOG_FIELD_ALLOWED = "allowed";
+ public final static String LOG_FIELD_DATABASE_NAME = "databaseName";
+ public final static String LOG_FIELD_TABLE_NAME = "tableName";
+ public final static String LOG_FIELD_COLUMN_NAME = "column";
+ public final static String LOG_FIELD_RESOURCE_PATH = "resourcePath";
+ public final static String LOG_FIELD_OBJECT_TYPE = "objectType";
+ public final static String LOG_FIELD_COMPONENT = "component";
+
+ public final static String OPERATION_CREATE_ROLE = "CREATE_ROLE";
+ public final static String OPERATION_DROP_ROLE = "DROP_ROLE";
+ public final static String OPERATION_ADD_ROLE = "ADD_ROLE_TO_GROUP";
+ public final static String OPERATION_DELETE_ROLE = "DELETE_ROLE_FROM_GROUP";
+ public final static String OPERATION_ADD_ROLE_USER = "ADD_ROLE_TO_USER";
+ public final static String OPERATION_DELETE_ROLE_USER = "DELETE_ROLE_FROM_USER";
+ public final static String OPERATION_GRANT_PRIVILEGE = "GRANT_PRIVILEGE";
+ public final static String OPERATION_REVOKE_PRIVILEGE = "REVOKE_PRIVILEGE";
+
+ public final static String OBJECT_TYPE_PRINCIPAL = "PRINCIPAL";
+ public final static String OBJECT_TYPE_ROLE = "ROLE";
+
+ public final static String TRUE = "true";
+ public final static String FALSE = "false";
+
+ public static final Map<String, String> requestTypeToOperationMap = new HashMap<String, String>();
+ public static final Map<String, String> requestTypeToObjectTypeMap = new HashMap<String, String>();
+
+ static {
+ // for hive audit log
+ requestTypeToOperationMap.put(TCreateSentryRoleRequest.class.getName(),
+ Constants.OPERATION_CREATE_ROLE);
+ requestTypeToOperationMap.put(
+ TAlterSentryRoleGrantPrivilegeRequest.class.getName(),
+ Constants.OPERATION_GRANT_PRIVILEGE);
+ requestTypeToOperationMap.put(
+ TAlterSentryRoleRevokePrivilegeRequest.class.getName(),
+ Constants.OPERATION_REVOKE_PRIVILEGE);
+ requestTypeToOperationMap.put(TDropSentryRoleRequest.class.getName(),
+ Constants.OPERATION_DROP_ROLE);
+ requestTypeToOperationMap.put(
+ TAlterSentryRoleAddGroupsRequest.class.getName(),
+ Constants.OPERATION_ADD_ROLE);
+ requestTypeToOperationMap.put(
+ TAlterSentryRoleDeleteGroupsRequest.class.getName(),
+ Constants.OPERATION_DELETE_ROLE);
+ requestTypeToOperationMap.put(
+ TAlterSentryRoleAddUsersRequest.class.getName(),
+ Constants.OPERATION_ADD_ROLE_USER);
+ requestTypeToOperationMap.put(
+ TAlterSentryRoleDeleteUsersRequest.class.getName(),
+ Constants.OPERATION_DELETE_ROLE_USER);
+
+ // for generic model audit log
+ requestTypeToOperationMap.put(
+ org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest.class
+ .getName(), Constants.OPERATION_CREATE_ROLE);
+ requestTypeToOperationMap
+ .put(org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest.class
+ .getName(), Constants.OPERATION_DROP_ROLE);
+ requestTypeToOperationMap
+ .put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest.class
+ .getName(), Constants.OPERATION_GRANT_PRIVILEGE);
+ requestTypeToOperationMap
+ .put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest.class
+ .getName(), Constants.OPERATION_REVOKE_PRIVILEGE);
+ requestTypeToOperationMap.put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest.class
+ .getName(), Constants.OPERATION_ADD_ROLE);
+ requestTypeToOperationMap
+ .put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest.class
+ .getName(), Constants.OPERATION_DELETE_ROLE);
+
+ // for hive audit log
+ requestTypeToObjectTypeMap.put(TCreateSentryRoleRequest.class.getName(),
+ Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap.put(TDropSentryRoleRequest.class.getName(),
+ Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap.put(
+ TAlterSentryRoleAddGroupsRequest.class.getName(),
+ Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap.put(
+ TAlterSentryRoleDeleteGroupsRequest.class.getName(),
+ Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap.put(
+ TAlterSentryRoleAddUsersRequest.class.getName(),
+ Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap.put(
+ TAlterSentryRoleDeleteUsersRequest.class.getName(),
+ Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap.put(
+ TAlterSentryRoleGrantPrivilegeRequest.class.getName(),
+ Constants.OBJECT_TYPE_PRINCIPAL);
+ requestTypeToObjectTypeMap.put(
+ TAlterSentryRoleRevokePrivilegeRequest.class.getName(),
+ Constants.OBJECT_TYPE_PRINCIPAL);
+ // for generic model audit log
+ requestTypeToObjectTypeMap.put(
+ org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest.class
+ .getName(), Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap
+ .put(org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest.class
+ .getName(), Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap.put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest.class
+ .getName(), Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap
+ .put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest.class
+ .getName(), Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap
+ .put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest.class
+ .getName(), Constants.OBJECT_TYPE_PRINCIPAL);
+ requestTypeToObjectTypeMap
+ .put(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest.class
+ .getName(), Constants.OBJECT_TYPE_PRINCIPAL);
+ }
+
+ private Constants() {
+ // Make constructor private to avoid instantiation
+ }
+
+}
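Review bot: `requestTypeToOperationMap` and `requestTypeToObjectTypeMap` are public `static final` references to mutable `HashMap`s, so any code with access to the class can add or overwrite entries and thereby change which operation and object-type names are written to the audit log for a request type. Keeping the mutable maps private, filling them in the existing static block, and exposing `Collections.unmodifiableMap` views declared after that block (static initializers run in textual order, and `java.util.Collections` would need importing) makes the mapping read-only to callers without changing its contents. The wildcard import of the thrift package and the `final static` modifier order are minor style points in the same file.
```java
  private static final Map<String, String> REQUEST_TYPE_TO_OPERATION = new HashMap<String, String>();
  private static final Map<String, String> REQUEST_TYPE_TO_OBJECT_TYPE = new HashMap<String, String>();

  static {
    // … unchanged: the put(...) calls, retargeted at the two private maps above …
  }

  // Declared after the static block on purpose: static initializers run in textual order.
  public static final Map<String, String> requestTypeToOperationMap =
      Collections.unmodifiableMap(REQUEST_TYPE_TO_OPERATION);
  public static final Map<String, String> requestTypeToObjectTypeMap =
      Collections.unmodifiableMap(REQUEST_TYPE_TO_OBJECT_TYPE);
```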
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java
new file mode 100644
index 0000000..55b61ac
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java
@@ -0,0 +1,497 @@
+/**
+vim * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.model;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+
+import java.lang.reflect.Field;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
+import javax.jdo.annotations.PersistenceCapable;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.model.db.AccessConstants;
+
+import com.google.common.base.Strings;
+import com.google.common.collect.Lists;
+
+/**
+ * Database backed Sentry Generic Privilege for new authorization Model
+ * Any changes to this object
+ * require re-running the maven build so DN an re-enhance.
+ */
+@PersistenceCapable
+public class MSentryGMPrivilege {
+ private static final String PREFIX_RESOURCE_NAME = "resourceName";
+ private static final String PREFIX_RESOURCE_TYPE = "resourceType";
+ private static final String NULL_COL = "__NULL__";
+ private static final String SERVICE_SCOPE = "Server";
+ private static final int AUTHORIZABLE_LEVEL = 4;
+ /**
+ * The authorizable List has been stored into resourceName and resourceField columns
+ * We assume that the generic model privilege for any component(hive/impala or solr) doesn't exceed four level.
+ * This generic model privilege currently can support maximum 4 level.
+ **/
+ private String resourceName0 = NULL_COL; //NOPMD
+ private String resourceType0 = NULL_COL; //NOPMD
+ private String resourceName1 = NULL_COL; //NOPMD
+ private String resourceType1 = NULL_COL; //NOPMD
+ private String resourceName2 = NULL_COL; //NOPMD
+ private String resourceType2 = NULL_COL; //NOPMD
+ private String resourceName3 = NULL_COL; //NOPMD
+ private String resourceType3 = NULL_COL; //NOPMD
+
+
+ private String serviceName;
+ private String componentName;
+ private String action;
+ private String scope;
+
+ private Boolean grantOption = false;
+ // roles this privilege is a part of
+ private Set<MSentryRole> roles;
+ private long createTime;
+
+ public MSentryGMPrivilege() {
+ this.roles = new HashSet<MSentryRole>();
+ }
+
+ public MSentryGMPrivilege(String componentName, String serviceName,
+ List<? extends Authorizable> authorizables,
+ String action, Boolean grantOption) {
+ this.componentName = componentName;
+ this.serviceName = serviceName;
+ this.action = action;
+ this.grantOption = grantOption;
+ this.roles = new HashSet<MSentryRole>();
+ this.createTime = System.currentTimeMillis();
+ setAuthorizables(authorizables);
+ }
+
+ public MSentryGMPrivilege(MSentryGMPrivilege copy) {
+ this.action = copy.action;
+ this.componentName = copy.componentName;
+ this.serviceName = copy.serviceName;
+ this.grantOption = copy.grantOption;
+ this.scope = copy.scope;
+ this.createTime = copy.createTime;
+ setAuthorizables(copy.getAuthorizables());
+ this.roles = new HashSet<MSentryRole>();
+ for (MSentryRole role : copy.roles) {
+ roles.add(role);
+ }
+ }
+
+ public String getServiceName() {
+ return serviceName;
+ }
+
+ public void setServiceName(String serviceName) {
+ this.serviceName = serviceName;
+ }
+
+ public String getComponentName() {
+ return componentName;
+ }
+
+ public void setComponentName(String componentName) {
+ this.componentName = componentName;
+ }
+
+ public String getAction() {
+ return action;
+ }
+
+ public void setAction(String action) {
+ this.action = action;
+ }
+
+ public Boolean getGrantOption() {
+ return grantOption;
+ }
+
+ public void setGrantOption(Boolean grantOption) {
+ this.grantOption = grantOption;
+ }
+
+ public Set<MSentryRole> getRoles() {
+ return roles;
+ }
+
+ public void setRoles(Set<MSentryRole> roles) {
+ this.roles = roles;
+ }
+
+ public long getCreateTime() {
+ return createTime;
+ }
+
+ public void setCreateTime(long createTime) {
+ this.createTime = createTime;
+ }
+
+ public String getScope() {
+ return scope;
+ }
+
+ public List<? extends Authorizable> getAuthorizables() {
+ List<Authorizable> authorizables = Lists.newArrayList();
+ //construct atuhorizable lists
+ for (int i = 0; i < AUTHORIZABLE_LEVEL; i++) {
+ final String resourceName = (String) getField(this, PREFIX_RESOURCE_NAME + String.valueOf(i));
+ final String resourceTYpe = (String) getField(this, PREFIX_RESOURCE_TYPE + String.valueOf(i));
+
+ if (notNULL(resourceName) && notNULL(resourceTYpe)) {
+ authorizables.add(new Authorizable() {
+ @Override
+ public String getTypeName() {
+ return resourceTYpe;
+ }
+ @Override
+ public String getName() {
+ return resourceName;
+ }
+ });
+ }
+ }
+ return authorizables;
+ }
+
+ /**
+ * Only allow strict hierarchies. That is, can level =1 be not null when level = 0 is null
+ * @param authorizables
+ */
+ public void setAuthorizables(List<? extends Authorizable> authorizables) {
+ if (authorizables == null || authorizables.isEmpty()) {
+ //service scope
+ scope = SERVICE_SCOPE;
+ return;
+ }
+ if (authorizables.size() > AUTHORIZABLE_LEVEL) {
+ throw new IllegalStateException("This generic privilege model only supports maximum 4 level.");
+ }
+
+ for (int i = 0; i < authorizables.size(); i++) {
+ Authorizable authorizable = authorizables.get(i);
+ if (authorizable == null) {
+ String msg = String.format("The authorizable can't be null. Please check authorizables[%d]:", i);
+ throw new IllegalStateException(msg);
+ }
+ String resourceName = authorizable.getName();
+ String resourceTYpe = authorizable.getTypeName();
+ if (isNULL(resourceName) || isNULL(resourceTYpe)) {
+ String msg = String.format("The name and type of authorizable can't be empty or null.Please check authorizables[%d]", i);
+ throw new IllegalStateException(msg);
+ }
+ setField(this, PREFIX_RESOURCE_NAME + String.valueOf(i), toNULLCol(resourceName));
+ setField(this, PREFIX_RESOURCE_TYPE + String.valueOf(i), toNULLCol(resourceTYpe));
+ scope = resourceTYpe;
+ }
+ }
+
+ public void appendRole(MSentryRole role) {
+ if (roles.add(role)) {
+ role.appendGMPrivilege(this);
+ }
+ }
+
+ public void removeRole(MSentryRole role) {
+ if(roles.remove(role)) {
+ role.removeGMPrivilege(this);
+ }
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((action == null) ? 0 : action.hashCode());
+ result = prime * result + ((componentName == null) ? 0 : componentName.hashCode());
+ result = prime * result + ((serviceName == null) ? 0 : serviceName.hashCode());
+ result = prime * result + ((grantOption == null) ? 0 : grantOption.hashCode());
+ result = prime * result + ((scope == null) ? 0 : scope.hashCode());
+
+ for (Authorizable authorizable : getAuthorizables()) {
+ result = prime * result + authorizable.getName().hashCode();
+ result = prime * result + authorizable.getTypeName().hashCode();
+ }
+
+ return result;
+ }
+
+ @Override
+ public String toString() {
+ List<String> unifiedNames = Lists.newArrayList();
+ for (Authorizable auth : getAuthorizables()) {
+ unifiedNames.add(KV_JOINER.join(auth.getTypeName(),auth.getName()));
+ }
+
+ return "MSentryGMPrivilege ["
+ + "serverName=" + serviceName + ", componentName=" + componentName
+ + ", authorizables=" + AUTHORIZABLE_JOINER.join(unifiedNames)+ ", scope=" + scope
+ + ", action=" + action + ", roles=[...]" + ", createTime="
+ + createTime + ", grantOption=" + grantOption +"]";
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ }
+ if (obj == null) {
+ return false;
+ }
+ if (getClass() != obj.getClass()) {
+ return false;
+ }
+ MSentryGMPrivilege other = (MSentryGMPrivilege) obj;
+ if (action == null) {
+ if (other.action != null) {
+ return false;
+ }
+ } else if (!action.equalsIgnoreCase(other.action)) {
+ return false;
+ }
+ if (scope == null) {
+ if (other.scope != null) {
+ return false;
+ }
+ } else if (!scope.equals(other.scope)) {
+ return false;
+ }
+ if (serviceName == null) {
+ if (other.serviceName != null) {
+ return false;
+ }
+ } else if (!serviceName.equals(other.serviceName)) {
+ return false;
+ }
+ if (componentName == null) {
+ if (other.componentName != null) {
+ return false;
+ }
+ } else if (!componentName.equals(other.componentName)) {
+ return false;
+ }
+ if (grantOption == null) {
+ if (other.grantOption != null) {
+ return false;
+ }
+ } else if (!grantOption.equals(other.grantOption)) {
+ return false;
+ }
+
+ List<? extends Authorizable> authorizables = getAuthorizables();
+ List<? extends Authorizable> otherAuthorizables = other.getAuthorizables();
+
+ if (authorizables.size() != otherAuthorizables.size()) {
+ return false;
+ }
+ for (int i = 0; i < authorizables.size(); i++) {
+ String o1 = KV_JOINER.join(authorizables.get(i).getTypeName(),
+ authorizables.get(i).getName());
+ String o2 = KV_JOINER.join(otherAuthorizables.get(i).getTypeName(),
+ otherAuthorizables.get(i).getName());
+ if (!o1.equals(o2)) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ /**
+ * Return true if this privilege implies request privilege
+ * Otherwise, return false
+ * @param other, other privilege
+ */
+ public boolean implies(MSentryGMPrivilege request) {
+ //component check
+ if (!componentName.equals(request.getComponentName())) {
+ return false;
+ }
+ //service check
+ if (!serviceName.equals(request.getServiceName())) {
+ return false;
+ }
+ // check action implies
+ if (!action.equalsIgnoreCase(AccessConstants.ALL)
+ && !action.equalsIgnoreCase(request.getAction())
+ && !action.equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
+ return false;
+ }
+ //check authorizable list implies
+ Iterator<? extends Authorizable> existIterator = getAuthorizables().iterator();
+ Iterator<? extends Authorizable> requestIterator = request.getAuthorizables().iterator();
+ while (existIterator.hasNext() && requestIterator.hasNext()) {
+ Authorizable existAuth = existIterator.next();
+ Authorizable requestAuth = requestIterator.next();
+ //check authorizable type
+ if (!existAuth.getTypeName().equals(requestAuth.getTypeName())) {
+ return false;
+ }
+ //check authorizable name
+ if (!existAuth.getName().equals(requestAuth.getName())) {
+ /**The persistent authorizable isn't equal the request authorizable
+ * but the following situations are pass check
+ * The name of persistent authorizable is ALL or "*"
+ */
+ if (existAuth.getName().equalsIgnoreCase(AccessConstants.ACTION_ALL)
+ || existAuth.getName().equalsIgnoreCase(AccessConstants.ALL)) {
+ continue;
+ } else {
+ return false;
+ }
+ }
+ }
+
+ if ( !existIterator.hasNext() && !requestIterator.hasNext() ){
+ /**
+ * The persistent privilege has the same authorizables size as the requested privilege
+ * The check is pass
+ */
+ return true;
+
+ } else if (existIterator.hasNext()) {
+ /**
+ * The persistent privilege has much more authorizables than request privilege,so its scope is less
+ * than the requested privilege.
+ * There is a situation that the check is pass, the name of the exceeding authorizables is ALL or "*".
+ * Take the Solr for example,the exist privilege is collection=c1->field=*->action=query
+ * the request privilege is collection=c1->action=query, the check is pass
+ */
+ while (existIterator.hasNext()) {
+ Authorizable existAuthorizable = existIterator.next();
+ if (existAuthorizable.getName().equalsIgnoreCase(AccessConstants.ALL)
+ || existAuthorizable.getName().equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
+ continue;
+ } else {
+ return false;
+ }
+ }
+ } else {
+ /**
+ * The requested privilege has much more authorizables than persistent privilege, so its scope is less
+ * than the persistent privilege
+ * The check is pass
+ */
+ return true;
+ }
+
+ return true;
+ }
+
+ public static String toNULLCol(String col) {
+ return Strings.isNullOrEmpty(col) ? NULL_COL : col;
+ }
+
+ public static boolean notNULL(String s) {
+ return !(Strings.isNullOrEmpty(s) || NULL_COL.equals(s));
+ }
+
+ public static boolean isNULL(String s) {
+ return !notNULL(s);
+ }
+
+ public static <T> void setField(Object obj, String fieldName, T fieldValue) {
+ try {
+ Class<?> clazz = obj.getClass();
+ Field field=clazz.getDeclaredField(fieldName);
+ field.setAccessible(true);
+ field.set(obj, fieldValue);
+ } catch (Exception e) {
+ throw new RuntimeException("setField error: " + e.getMessage(), e);
+ }
+ }
+
+ @SuppressWarnings("unchecked")
+ public static <T> T getField(Object obj, String fieldName) {
+ try {
+ Class<?> clazz = obj.getClass();
+ Field field=clazz.getDeclaredField(fieldName);
+ field.setAccessible(true);
+ return (T)field.get(obj);
+ } catch (Exception e) {
+ throw new RuntimeException("getField error: " + e.getMessage(), e);
+ }
+ }
+
+ /**
+ * return the query to execute in JDO for search the given privilege
+ * @param privilege
+ * @return query
+ */
+ public static String toQuery(MSentryGMPrivilege privilege) {
+ StringBuilder query = new StringBuilder();
+ query.append("serviceName == \"" + toNULLCol(privilege.getServiceName()) + "\" ");
+ query.append("&& componentName == \"" + toNULLCol(privilege.getComponentName()) + "\" ");
+ query.append("&& scope == \"" + toNULLCol(privilege.getScope()) + "\" ");
+ query.append("&& action == \"" + toNULLCol(privilege.getAction()) + "\"");
+ if (privilege.getGrantOption() == null) {
+ query.append("&& this.grantOption == null ");
+ } else if (privilege.getGrantOption()) {
+ query.append("&& grantOption ");
+ } else {
+ query.append("&& !grantOption ");
+ }
+ List<? extends Authorizable> authorizables = privilege.getAuthorizables();
+ for (int i = 0; i < AUTHORIZABLE_LEVEL; i++) {
+ String resourceName = PREFIX_RESOURCE_NAME + String.valueOf(i);
+ String resourceType = PREFIX_RESOURCE_TYPE + String.valueOf(i);
+
+ if (i >= authorizables.size()) {
+ query.append("&& " + resourceName + " == \"" + NULL_COL + "\" ");
+ query.append("&& " + resourceType + " == \"" + NULL_COL + "\" ");
+ } else {
+ query.append("&& " + resourceName + " == \"" + authorizables.get(i).getName() + "\" ");
+ query.append("&& " + resourceType + " == \"" + authorizables.get(i).getTypeName() + "\" ");
+ }
+ }
+ return query.toString();
+ }
+
+ /**
+ * Get the query to execute in the JDO deducing privileges include the scope of according to the given privilege
+ * The query was used in three privilege operations:
+ * 1.revoking privilege
+ * 2.renaming privilege
+ * 3.dropping privilege
+ * Take the Solr for example, if there exists three privileges such as p1:Collection=c1->action=query,
+ * p2:Collection=c1->Field=f1->action=query and p3:Collection=c1->Field=f2->action=query.
+ * When the revoking operation happens, the request privilege is p4:Collection=c1->action=query.
+ * The result is that not only p1 should be revoked, but also p2 and p3 should be revoked together.
+ * So the populateIncludePrivilegesQuery should be Collection=c1
+ * @param privilege
+ * @return query
+ */
+ public static String populateIncludePrivilegesQuery(MSentryGMPrivilege privilege) {
+ StringBuilder query = new StringBuilder();
+ query.append("serviceName == \"" + toNULLCol(privilege.getServiceName()) + "\" ");
+ query.append("&& componentName == \"" + toNULLCol(privilege.getComponentName()) + "\" ");
+ List<? extends Authorizable> authorizables = privilege.getAuthorizables();
+ for (int i= 0 ; i < authorizables.size(); i++) {
+ String resourceName = PREFIX_RESOURCE_NAME + String.valueOf(i);
+ String resourceType = PREFIX_RESOURCE_TYPE + String.valueOf(i);
+ query.append("&& " + resourceName + " == \"" + authorizables.get(i).getName() + "\" ");
+ query.append("&& " + resourceType + " == \"" + authorizables.get(i).getTypeName() + "\" ");
+ }
+ return query.toString();
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
new file mode 100644
index 0000000..7e41c93
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
@@ -0,0 +1,116 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.model;
+
+import java.util.Set;
+
+import javax.jdo.annotations.PersistenceCapable;
+
+/**
+ * Database backed Sentry Group. Any changes to this object
+ * require re-running the maven build so DN an re-enhance.
+ */
+@PersistenceCapable
+public class MSentryGroup {
+
+ /**
+ * Group name is unique
+ */
+ private String groupName;
+ // set of roles granted to this group
+ private Set<MSentryRole> roles;
+ private long createTime;
+
+ public MSentryGroup(String groupName, long createTime, Set<MSentryRole> roles) {
+ this.setGroupName(groupName);
+ this.createTime = createTime;
+ this.roles = roles;
+ }
+
+ public long getCreateTime() {
+ return createTime;
+ }
+
+ public void setCreateTime(long createTime) {
+ this.createTime = createTime;
+ }
+
+ public Set<MSentryRole> getRoles() {
+ return roles;
+ }
+
+ public String getGroupName() {
+ return groupName;
+ }
+
+ public void setGroupName(String groupName) {
+ this.groupName = groupName;
+ }
+
+ public void appendRole(MSentryRole role) {
+ if (roles.add(role)) {
+ role.appendGroup(this);
+ }
+ }
+
+ public void removeRole(MSentryRole role) {
+ if (roles.remove(role)) {
+ role.removeGroup(this);
+ }
+ }
+
+ @Override
+ public String toString() {
+ return "MSentryGroup [groupName=" + groupName + ", roles=[...]"
+ + ", createTime=" + createTime + "]";
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((groupName == null) ? 0 : groupName.hashCode());
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ }
+ if (obj == null) {
+ return false;
+ }
+ if (getClass() != obj.getClass()) {
+ return false;
+ }
+ MSentryGroup other = (MSentryGroup) obj;
+ if (createTime != other.createTime) {
+ return false;
+ }
+ if (groupName == null) {
+ if (other.groupName != null) {
+ return false;
+ }
+ } else if (!groupName.equals(other.groupName)) {
+ return false;
+ }
+ return true;
+ }
+}
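Review bot: The constructor `public MSentryGroup(String groupName, long createTime, Set<MSentryRole> roles)` retains the caller's set by reference and `appendRole`/`removeRole` then mutate it, so a null or unmodifiable set passed in fails at first use with a NullPointerException or UnsupportedOperationException rather than at construction, whereas `MSentryPrivilege` in the same commit always owns a fresh `HashSet`. Either copy defensively (`this.roles = new HashSet<MSentryRole>(roles);` with the matching `java.util.HashSet` import) or, if retaining the caller's set is intended, say so in a constructor comment such as `// roles is retained, not copied; callers must pass a mutable set`. Separately, `equals` compares `createTime` while `hashCode` uses only `groupName`; that still satisfies the equals/hashCode contract but deserves a one-line comment on `hashCode` so a later reader does not "fix" it by adding `createTime` or by dropping it from `equals`. Both points apply unchanged to `MSentryUser.java` further down in this commit.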
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
new file mode 100644
index 0000000..4c3af79
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
@@ -0,0 +1,332 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.model;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.jdo.annotations.PersistenceCapable;
+
+import org.apache.sentry.core.common.utils.PathUtils;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
+
+/**
+ * Database backed Sentry Privilege. Any changes to this object
+ * require re-running the maven build so DN an re-enhance.
+ */
+@PersistenceCapable
+public class MSentryPrivilege {
+
+ private String privilegeScope;
+ /**
+ * Privilege name is unique
+ */
+ private String serverName = "";
+ private String dbName = "";
+ private String tableName = "";
+ private String columnName = "";
+ private String URI = "";
+ private String action = "";
+ private Boolean grantOption = false;
+ // roles this privilege is a part of
+ private Set<MSentryRole> roles;
+ private long createTime;
+
+ public MSentryPrivilege() {
+ this.roles = new HashSet<MSentryRole>();
+ }
+
+ public MSentryPrivilege(String privilegeScope,
+ String serverName, String dbName, String tableName, String columnName,
+ String URI, String action, Boolean grantOption) {
+ this.privilegeScope = privilegeScope;
+ this.serverName = serverName;
+ this.dbName = SentryStore.toNULLCol(dbName);
+ this.tableName = SentryStore.toNULLCol(tableName);
+ this.columnName = SentryStore.toNULLCol(columnName);
+ this.URI = SentryStore.toNULLCol(URI);
+ this.action = SentryStore.toNULLCol(action);
+ this.grantOption = grantOption;
+ this.roles = new HashSet<MSentryRole>();
+ }
+
+ public MSentryPrivilege(String privilegeScope,
+ String serverName, String dbName, String tableName, String columnName,
+ String URI, String action) {
+ this(privilegeScope, serverName, dbName, tableName,
+ columnName, URI, action, false);
+ }
+
+ public MSentryPrivilege(MSentryPrivilege other) {
+ this.privilegeScope = other.privilegeScope;
+ this.serverName = other.serverName;
+ this.dbName = SentryStore.toNULLCol(other.dbName);
+ this.tableName = SentryStore.toNULLCol(other.tableName);
+ this.columnName = SentryStore.toNULLCol(other.columnName);
+ this.URI = SentryStore.toNULLCol(other.URI);
+ this.action = SentryStore.toNULLCol(other.action);
+ this.grantOption = other.grantOption;
+ this.roles = new HashSet<MSentryRole>();
+ for (MSentryRole role : other.roles) {
+ roles.add(role);
+ }
+ }
+
+ public String getServerName() {
+ return serverName;
+ }
+
+ public void setServerName(String serverName) {
+ this.serverName = (serverName == null) ? "" : serverName;
+ }
+
+ public String getDbName() {
+ return dbName;
+ }
+
+ public void setDbName(String dbName) {
+ this.dbName = (dbName == null) ? "" : dbName;
+ }
+
+ public String getTableName() {
+ return tableName;
+ }
+
+ public void setTableName(String tableName) {
+ this.tableName = (tableName == null) ? "" : tableName;
+ }
+
+ public String getColumnName() {
+ return columnName;
+ }
+
+ public void setColumnName(String columnName) {
+ this.columnName = (columnName == null) ? "" : columnName;
+ }
+
+ public String getURI() {
+ return URI;
+ }
+
+ public void setURI(String uRI) {
+ URI = (uRI == null) ? "" : uRI;
+ }
+
+ public String getAction() {
+ return action;
+ }
+
+ public void setAction(String action) {
+ this.action = (action == null) ? "" : action;
+ }
+
+ public long getCreateTime() {
+ return createTime;
+ }
+
+ public void setCreateTime(long createTime) {
+ this.createTime = createTime;
+ }
+
+ public String getPrivilegeScope() {
+ return privilegeScope;
+ }
+
+ public void setPrivilegeScope(String privilegeScope) {
+ this.privilegeScope = privilegeScope;
+ }
+
+ public Boolean getGrantOption() {
+ return grantOption;
+ }
+
+ public void setGrantOption(Boolean grantOption) {
+ this.grantOption = grantOption;
+ }
+
+ public void appendRole(MSentryRole role) {
+ roles.add(role);
+ }
+
+ public Set<MSentryRole> getRoles() {
+ return roles;
+ }
+
+ public void removeRole(MSentryRole role) {
+ roles.remove(role);
+ role.removePrivilege(this);
+ }
+
+ @Override
+ public String toString() {
+ return "MSentryPrivilege [privilegeScope=" + privilegeScope
+ + ", serverName=" + serverName + ", dbName=" + dbName
+ + ", tableName=" + tableName + ", columnName=" + columnName
+ + ", URI=" + URI + ", action=" + action + ", roles=[...]"
+ + ", createTime=" + createTime + ", grantOption=" + grantOption +"]";
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((URI == null) ? 0 : URI.hashCode());
+ result = prime * result + ((action == null) ? 0 : action.hashCode());
+ result = prime * result + ((dbName == null) ? 0 : dbName.hashCode());
+ result = prime * result
+ + ((serverName == null) ? 0 : serverName.hashCode());
+ result = prime * result + ((tableName == null) ? 0 : tableName.hashCode());
+ result = prime * result
+ + ((columnName == null) ? 0 : columnName.hashCode());
+ result = prime * result
+ + ((grantOption == null) ? 0 : grantOption.hashCode());
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ }
+ if (obj == null) {
+ return false;
+ }
+ if (getClass() != obj.getClass()) {
+ return false;
+ }
+ MSentryPrivilege other = (MSentryPrivilege) obj;
+ if (URI == null) {
+ if (other.URI != null) {
+ return false;
+ }
+ } else if (!URI.equals(other.URI)) {
+ return false;
+ }
+ if (action == null) {
+ if (other.action != null) {
+ return false;
+ }
+ } else if (!action.equals(other.action)) {
+ return false;
+ }
+ if (dbName == null) {
+ if (other.dbName != null) {
+ return false;
+ }
+ } else if (!dbName.equals(other.dbName)) {
+ return false;
+ }
+ if (serverName == null) {
+ if (other.serverName != null) {
+ return false;
+ }
+ } else if (!serverName.equals(other.serverName)) {
+ return false;
+ }
+ if (tableName == null) {
+ if (other.tableName != null) {
+ return false;
+ }
+ } else if (!tableName.equals(other.tableName)) {
+ return false;
+ }
+ if (columnName == null) {
+ if (other.columnName != null) {
+ return false;
+ }
+ } else if (!columnName.equals(other.columnName)) {
+ return false;
+ }
+ if (grantOption == null) {
+ if (other.grantOption != null) {
+ return false;
+ }
+ } else if (!grantOption.equals(other.grantOption)) {
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * Return true if this privilege implies other privilege
+ * Otherwise, return false
+ * @param other, other privilege
+ */
+ public boolean implies(MSentryPrivilege other) {
+ // serverName never be null
+ if (isNULL(serverName) || isNULL(other.serverName)) {
+ return false;
+ } else if (!serverName.equals(other.serverName)) {
+ return false;
+ }
+
+ // check URI implies
+ if (!isNULL(URI) && !isNULL(other.URI)) {
+ if (!PathUtils.impliesURI(URI, other.URI)) {
+ return false;
+ }
+ // if URI is NULL, check dbName and tableName
+ } else if (isNULL(URI) && isNULL(other.URI)) {
+ if (!isNULL(dbName)) {
+ if (isNULL(other.dbName)) {
+ return false;
+ } else if (!dbName.equals(other.dbName)) {
+ return false;
+ }
+ }
+ if (!isNULL(tableName)) {
+ if (isNULL(other.tableName)) {
+ return false;
+ } else if (!tableName.equals(other.tableName)) {
+ return false;
+ }
+ }
+ if (!isNULL(columnName)) {
+ if (isNULL(other.columnName)) {
+ return false;
+ } else if (!columnName.equals(other.columnName)) {
+ return false;
+ }
+ }
+ // if URI is not NULL, but other's URI is NULL, return false
+ } else if (!isNULL(URI) && isNULL(other.URI)){
+ return false;
+ }
+
+ // check action implies
+ if (!action.equalsIgnoreCase(AccessConstants.ALL)
+ && !action.equalsIgnoreCase(other.action)
+ && !action.equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
+ return false;
+ }
+
+ return true;
+ }
+
+ private boolean isNULL(String s) {
+ return SentryStore.isNULL(s);
+ }
+
+ public boolean isActionALL() {
+ return AccessConstants.ACTION_ALL.equalsIgnoreCase(action)
+ || AccessConstants.ALL.equals(action);
+ }
+
+}
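Review bot: `implies` has no arm for the case where this privilege's `URI` is NULL but `other.URI` is not: none of the three branches under `// check URI implies` matches, control falls straight through to the action check, and a database-, table- or column-scoped privilege with action ALL therefore reports that it implies a URI privilege on the same server. If `implies` feeds grant-option or revoke decisions (its callers are outside this hunk) that is an over-grant, so a fourth arm is needed: `} else if (isNULL(URI) && !isNULL(other.URI) && !isNULL(dbName)) {` / `  return false;` / `}`, leaving only a server-scoped privilege able to cover a URI. A second, smaller inconsistency: `isActionALL` compares `AccessConstants.ALL` with `equals` while `implies` uses `equalsIgnoreCase` for the same constant, so the two methods can disagree on a mixed-case action; pick one comparison and use it in both.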
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
new file mode 100644
index 0000000..0484eaa
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
@@ -0,0 +1,216 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.model;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.jdo.annotations.PersistenceCapable;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableSet;
+
+/**
+ * Database backed Sentry Role. Any changes to this object
+ * require re-running the maven build so DN an re-enhance.
+ */
+@PersistenceCapable
+public class MSentryRole {
+
+ private String roleName;
+ // set of privileges granted to this role
+ private Set<MSentryPrivilege> privileges;
+ // set of generic model privileges grant ro this role
+ private Set<MSentryGMPrivilege> gmPrivileges;
+
+ // set of groups this role belongs to
+ private Set<MSentryGroup> groups;
+ // set of users this role belongs to
+ private Set<MSentryUser> users;
+ private long createTime;
+
+ public MSentryRole(String roleName, long createTime) {
+ this.roleName = roleName;
+ this.createTime = createTime;
+ privileges = new HashSet<MSentryPrivilege>();
+ gmPrivileges = new HashSet<MSentryGMPrivilege>();
+ groups = new HashSet<MSentryGroup>();
+ users = new HashSet<MSentryUser>();
+ }
+
+ public long getCreateTime() {
+ return createTime;
+ }
+
+ public void setCreateTime(long createTime) {
+ this.createTime = createTime;
+ }
+
+ public String getRoleName() {
+ return roleName;
+ }
+
+ public void setRoleName(String roleName) {
+ this.roleName = roleName;
+ }
+
+ public void setPrivileges(Set<MSentryPrivilege> privileges) {
+ this.privileges = privileges;
+ }
+
+ public Set<MSentryPrivilege> getPrivileges() {
+ return privileges;
+ }
+
+ public Set<MSentryGMPrivilege> getGmPrivileges() {
+ return gmPrivileges;
+ }
+
+ public void setGmPrivileges(Set<MSentryGMPrivilege> gmPrivileges) {
+ this.gmPrivileges = gmPrivileges;
+ }
+
+ public void setGroups(Set<MSentryGroup> groups) {
+ this.groups = groups;
+ }
+
+ public Set<MSentryGroup> getGroups() {
+ return groups;
+ }
+
+ public Set<MSentryUser> getUsers() {
+ return users;
+ }
+
+ public void setUsers(Set<MSentryUser> users) {
+ this.users = users;
+ }
+
+ public void removePrivilege(MSentryPrivilege privilege) {
+ if (privileges.remove(privilege)) {
+ privilege.removeRole(this);
+ }
+ }
+
+ public void appendPrivileges(Set<MSentryPrivilege> privileges) {
+ this.privileges.addAll(privileges);
+ }
+
+ public void appendPrivilege(MSentryPrivilege privilege) {
+ if (privileges.add(privilege)) {
+ privilege.appendRole(this);
+ }
+ }
+
+ public void removeGMPrivilege(MSentryGMPrivilege gmPrivilege) {
+ if (gmPrivileges.remove(gmPrivilege)) {
+ gmPrivilege.removeRole(this);
+ }
+ }
+
+ public void appendGMPrivilege(MSentryGMPrivilege gmPrivilege) {
+ if (gmPrivileges.add(gmPrivilege)) {
+ gmPrivilege.appendRole(this);
+ }
+ }
+
+ public void removeGMPrivileges() {
+ for (MSentryGMPrivilege privilege : ImmutableSet.copyOf(gmPrivileges)) {
+ privilege.removeRole(this);
+ }
+ Preconditions.checkState(gmPrivileges.isEmpty(), "gmPrivileges should be empty: " + gmPrivileges);
+ }
+
+ public void appendGroups(Set<MSentryGroup> groups) {
+ this.groups.addAll(groups);
+ }
+
+ public void appendGroup(MSentryGroup group) {
+ if (groups.add(group)) {
+ group.appendRole(this);
+ }
+ }
+
+ public void removeGroup(MSentryGroup group) {
+ if (groups.remove(group)) {
+ group.removeRole(this);
+ }
+ }
+
+ public void appendUsers(Set<MSentryUser> users) {
+ this.users.addAll(users);
+ }
+
+ public void appendUser(MSentryUser user) {
+ if (users.add(user)) {
+ user.appendRole(this);
+ }
+ }
+
+ public void removeUser(MSentryUser user) {
+ if (users.remove(user)) {
+ user.removeRole(this);
+ }
+ }
+
+ public void removePrivileges() {
+ // copy is required since privilege.removeRole will call remotePrivilege
+ for (MSentryPrivilege privilege : ImmutableSet.copyOf(privileges)) {
+ privilege.removeRole(this);
+ }
+ Preconditions.checkState(privileges.isEmpty(), "Privileges should be empty: " + privileges);
+ }
+
+ @Override
+ public String toString() {
+ return "MSentryRole [roleName=" + roleName + ", privileges=[..]" + ", gmPrivileges=[..]"
+ + ", groups=[...]" + ", users=[...]" + ", createTime=" + createTime + "]";
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((roleName == null) ? 0 : roleName.hashCode());
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ }
+ if (obj == null) {
+ return false;
+ }
+ if (getClass() != obj.getClass()) {
+ return false;
+ }
+ MSentryRole other = (MSentryRole) obj;
+ if (roleName == null) {
+ if (other.roleName != null) {
+ return false;
+ }
+ } else if (!roleName.equals(other.roleName)) {
+ return false;
+ }
+ return true;
+ }
+
+}
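Review bot: `appendPrivileges`, `appendGroups` and `appendUsers` add to the local set without the reciprocal `privilege.appendRole(this)` / `group.appendRole(this)` / `user.appendRole(this)` that the single-element `appendPrivilege`, `appendGroup` and `appendUser` perform, so after a bulk append the other side of the relationship never lists this role. Unless the one-way add is intentional for how JDO materialises these sets, route the bulk methods through the single-element ones, e.g. `for (MSentryPrivilege p : privileges) { appendPrivilege(p); }`, or record the intent with a comment such as `// one-way add: the reverse link is maintained by the persistence layer`. As a style point, the `Preconditions.checkState` calls in `removePrivileges` and `removeGMPrivileges` build the message string eagerly on every call; `Preconditions.checkState(privileges.isEmpty(), "Privileges should be empty: %s", privileges)` defers formatting to the failure path.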
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java
new file mode 100644
index 0000000..ff57249
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java
@@ -0,0 +1,116 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.model;
+
+import java.util.Set;
+
+import javax.jdo.annotations.PersistenceCapable;
+
+/**
+ * Database backed Sentry User. Any changes to this object
+ * require re-running the maven build so DN an re-enhance.
+ */
+@PersistenceCapable
+public class MSentryUser {
+
+ /**
+ * User name is unique
+ */
+ private String userName;
+ // set of roles granted to this user
+ private Set<MSentryRole> roles;
+ private long createTime;
+
+ public MSentryUser(String userName, long createTime, Set<MSentryRole> roles) {
+ this.setUserName(userName);
+ this.createTime = createTime;
+ this.roles = roles;
+ }
+
+ public long getCreateTime() {
+ return createTime;
+ }
+
+ public void setCreateTime(long createTime) {
+ this.createTime = createTime;
+ }
+
+ public Set<MSentryRole> getRoles() {
+ return roles;
+ }
+
+ public String getUserName() {
+ return userName;
+ }
+
+ public void setUserName(String userName) {
+ this.userName = userName;
+ }
+
+ public void appendRole(MSentryRole role) {
+ if (roles.add(role)) {
+ role.appendUser(this);
+ }
+ }
+
+ public void removeRole(MSentryRole role) {
+ if (roles.remove(role)) {
+ role.removeUser(this);
+ }
+ }
+
+ @Override
+ public String toString() {
+ return "MSentryUser [userName=" + userName + ", roles=[...]" + ", createTime=" + createTime
+ + "]";
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((userName == null) ? 0 : userName.hashCode());
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ }
+ if (obj == null) {
+ return false;
+ }
+ if (getClass() != obj.getClass()) {
+ return false;
+ }
+ MSentryUser other = (MSentryUser) obj;
+ if (createTime != other.createTime) {
+ return false;
+ }
+ if (userName == null) {
+ if (other.userName != null) {
+ return false;
+ }
+ } else if (!userName.equals(other.userName)) {
+ return false;
+ }
+ return true;
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryVersion.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryVersion.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryVersion.java
new file mode 100644
index 0000000..ff8830f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryVersion.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.model;
+
+import javax.jdo.annotations.PersistenceCapable;
+
+@PersistenceCapable
+public class MSentryVersion {
+ private String schemaVersion;
+ private String versionComment;
+
+ public MSentryVersion() {
+ }
+
+ public MSentryVersion(String schemaVersion, String versionComment) {
+ this.schemaVersion = schemaVersion;
+ this.versionComment = versionComment;
+ }
+
+ /**
+ * @return the versionComment
+ */
+ public String getVersionComment() {
+ return versionComment;
+ }
+
+ /**
+ * @param versionComment
+ * the versionComment to set
+ */
+ public void setVersionComment(String versionComment) {
+ this.versionComment = versionComment;
+ }
+
+ /**
+ * @return the schemaVersion
+ */
+ public String getSchemaVersion() {
+ return schemaVersion;
+ }
+
+ /**
+ * @param schemaVersion
+ * the schemaVersion to set
+ */
+ public void setSchemaVersion(String schemaVersion) {
+ this.schemaVersion = schemaVersion;
+ }
+
+}
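Review bot: `MSentryVersion` is the only persistence-capable model class in this commit without a class-level Javadoc, so the re-enhancement warning the sibling classes carry is missing here. Add, above `@PersistenceCapable`, `/** Database backed Sentry schema version. Any changes to this object require re-running the maven build so DN can re-enhance. */`, mirroring the wording used on `MSentryGroup`, `MSentryRole` and `MSentryUser` (whose "DN an re-enhance" reads as a typo for "DN can re-enhance").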
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
new file mode 100644
index 0000000..b3b9494
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
@@ -0,0 +1,242 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!DOCTYPE jdo PUBLIC "-//Sun Microsystems, Inc.//DTD Java Data Objects Metadata 2.0//EN"
+ "http://java.sun.com/dtd/jdo_2_0.dtd">
+<!--
+ Size Limitations:
+
+ Indexed VARCHAR: 767 bytes (MySQL running on InnoDB Engine http://bugs.mysql.com/bug.php?id=13315)
+ Non-indexed VARCHAR: 4000 bytes (max length on Oracle 9i/10g/11g)
+
+-->
+<jdo>
+ <package name="org.apache.sentry.provider.db.service.model">
+ <class name="MSentryGroup" identity-type="datastore" table="SENTRY_GROUP" detachable="true">
+ <datastore-identity>
+ <column name="GROUP_ID"/>
+ </datastore-identity>
+ <field name="groupName">
+ <column name="GROUP_NAME" length="128" jdbc-type="VARCHAR"/>
+ <index name="SentryGroupName" unique="true"/>
+ </field>
+ <field name = "createTime">
+ <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
+ </field>
+
+ <field name="roles" mapped-by="groups">
+ <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
+ </field>
+
+ </class>
+
+ <class name="MSentryUser" identity-type="datastore" table="SENTRY_USER" detachable="true">
+ <datastore-identity>
+ <column name="USER_ID"/>
+ </datastore-identity>
+ <field name="userName">
+ <column name="USER_NAME" length="128" jdbc-type="VARCHAR"/>
+ <index name="SentryUserName" unique="true"/>
+ </field>
+ <field name = "createTime">
+ <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
+ </field>
+
+ <field name="roles" mapped-by="users">
+ <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
+ </field>
+
+ </class>
+
+ <class name="MSentryRole" identity-type="datastore" table="SENTRY_ROLE" detachable="true">
+ <datastore-identity>
+ <column name="ROLE_ID"/>
+ </datastore-identity>
+ <field name="roleName">
+ <column name="ROLE_NAME" length="128" jdbc-type="VARCHAR"/>
+ <index name="SentryRoleName" unique="true"/>
+ </field>
+ <field name = "createTime">
+ <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
+ </field>
+ <field name = "privileges" table="SENTRY_ROLE_DB_PRIVILEGE_MAP" default-fetch-group="true">
+ <collection element-type="org.apache.sentry.provider.db.service.model.MSentryPrivilege"/>
+ <join>
+ <column name="ROLE_ID"/>
+ </join>
+ <element>
+ <column name="DB_PRIVILEGE_ID"/>
+ </element>
+ </field>
+
+ <field name = "gmPrivileges" table="SENTRY_ROLE_GM_PRIVILEGE_MAP" default-fetch-group="true">
+ <collection element-type="org.apache.sentry.provider.db.service.model.MSentryGMPrivilege"/>
+ <join>
+ <column name="ROLE_ID"/>
+ </join>
+ <element>
+ <column name="GM_PRIVILEGE_ID"/>
+ </element>
+ </field>
+
+ <field name = "groups" table="SENTRY_ROLE_GROUP_MAP" default-fetch-group="true">
+ <collection element-type="org.apache.sentry.provider.db.service.model.MSentryGroup"/>
+ <join>
+ <column name="ROLE_ID"/>
+ </join>
+ <element>
+ <column name="GROUP_ID"/>
+ </element>
+ </field>
+
+ <field name = "users" table="SENTRY_ROLE_USER_MAP" default-fetch-group="true">
+ <collection element-type="org.apache.sentry.provider.db.service.model.MSentryUser"/>
+ <join>
+ <column name="ROLE_ID"/>
+ </join>
+ <element>
+ <column name="USER_ID"/>
+ </element>
+ </field>
+ </class>
+
+ <class name="MSentryPrivilege" identity-type="datastore" table="SENTRY_DB_PRIVILEGE" detachable="true">
+ <datastore-identity>
+ <column name="DB_PRIVILEGE_ID"/>
+ </datastore-identity>
+ <index name="PRIVILEGE_INDEX" unique="true">
+ <field name="serverName"/>
+ <field name="dbName"/>
+ <field name="tableName"/>
+ <field name="columnName"/>
+ <field name="URI"/>
+ <field name="action"/>
+ <field name="grantOption"/>
+ </index>
+ <field name="privilegeScope">
+ <column name="PRIVILEGE_SCOPE" length="40" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="serverName">
+ <column name="SERVER_NAME" length="4000" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="dbName">
+ <column name="DB_NAME" length="4000" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="tableName">
+ <column name="TABLE_NAME" length="4000" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="columnName">
+ <column name="COLUMN_NAME" length="4000" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="URI">
+ <column name="URI" length="4000" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="action">
+ <column name="ACTION" length="40" jdbc-type="VARCHAR"/>
+ </field>
+ <field name = "createTime">
+ <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
+ </field>
+ <field name="grantOption">
+ <column name="WITH_GRANT_OPTION" length="1" jdbc-type="CHAR"/>
+ </field>
+ <field name="roles" mapped-by="privileges">
+ <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
+ </field>
+ </class>
+
+ <class name="MSentryGMPrivilege" identity-type="datastore" table="SENTRY_GM_PRIVILEGE" detachable="true">
+ <datastore-identity>
+ <column name="GM_PRIVILEGE_ID"/>
+ </datastore-identity>
+ <index name="GM_PRIVILEGE_INDEX" unique="true">
+ <field name="componentName"/>
+ <field name="serviceName"/>
+ <field name="resourceName0"/>
+ <field name="resourceType0"/>
+ <field name="resourceName1"/>
+ <field name="resourceType1"/>
+ <field name="resourceName2"/>
+ <field name="resourceType2"/>
+ <field name="resourceName3"/>
+ <field name="resourceType3"/>
+ <field name="action"/>
+ <field name="grantOption"/>
+ </index>
+ <field name="componentName">
+ <column name="COMPONENT_NAME" length="100" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="serviceName">
+ <column name="SERVICE_NAME" length="100" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="resourceName0">
+ <column name="RESOURCE_NAME_0" length="100" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="resourceType0">
+ <column name="RESOURCE_TYPE_0" length="100" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="resourceName1">
+ <column name="RESOURCE_NAME_1" length="100" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="resourceType1">
+ <column name="RESOURCE_TYPE_1" length="100" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="resourceName2">
+ <column name="RESOURCE_NAME_2" length="100" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="resourceType2">
+ <column name="RESOURCE_TYPE_2" length="100" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="resourceName3">
+ <column name="RESOURCE_NAME_3" length="100" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="resourceType3">
+ <column name="RESOURCE_TYPE_3" length="100" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="action">
+ <column name="ACTION" length="100" jdbc-type="VARCHAR"/>
+ </field>
+ <field name="scope">
+ <column name="SCOPE" length="100" jdbc-type="VARCHAR"/>
+ </field>
+ <field name = "createTime">
+ <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
+ </field>
+ <field name="grantOption">
+ <column name="WITH_GRANT_OPTION" length="1" jdbc-type="CHAR"/>
+ </field>
+ <field name="roles" mapped-by="gmPrivileges">
+ <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
+ </field>
+ </class>
+
+ <class name="MSentryVersion" table="SENTRY_VERSION" identity-type="datastore" detachable="true">
+ <datastore-identity>
+ <column name="VER_ID"/>
+ </datastore-identity>
+ <field name ="schemaVersion">
+ <column name="SCHEMA_VERSION" length="127" jdbc-type="VARCHAR" allows-null="false"/>
+ </field>
+ <field name ="versionComment">
+ <column name="VERSION_COMMENT" length="255" jdbc-type="VARCHAR" allows-null="false"/>
+ </field>
+ </class>
+
+ </package>
+</jdo>
+
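Review bot: The unique PRIVILEGE_INDEX on MSentryPrivilege spans serverName, dbName, tableName, columnName and URI, each mapped as a VARCHAR of length 4000, while the header comment in this same file states that an indexed VARCHAR is limited to 767 bytes on MySQL/InnoDB; GM_PRIVILEGE_INDEX has the same tension, its twelve VARCHAR(100) members adding up to well over that limit. If DataNucleus is expected to create these indexes from this metadata they are unlikely to be creatable on the database the comment names, and if they are created some other way the file should say so next to the `<index>` elements rather than leaving the two statements to contradict each other. A one-line `<!-- NOTE: combined key width exceeds the 767-byte InnoDB limit described in the header; confirm how this index is actually created -->` before each of the two `<index>` elements would do. Separately, only the MSentryVersion columns carry `allows-null="false"`; the name columns behind the unique indexes (GROUP_NAME, USER_NAME, ROLE_NAME) do not, so this metadata alone does not reject a null name.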
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/CommitContext.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/CommitContext.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/CommitContext.java
new file mode 100644
index 0000000..c74dbf3
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/CommitContext.java
@@ -0,0 +1,42 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import java.util.UUID;
+
+/**
+ * Stores the UUID associated with the server who processed
+ * a commit and a commit order sequence id.
+ */
+public class CommitContext {
+
+ private final String serverUUID;
+ private final long sequenceId;
+
+ public CommitContext(UUID serverUUID, long sequenceId) {
+ this.serverUUID = serverUUID.toString();
+ this.sequenceId = sequenceId;
+ }
+ public String getServerUUID() {
+ return serverUUID;
+ }
+ public long getSequenceId() {
+ return sequenceId;
+ }
+}
\ No newline at end of file
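Review bot: The constructor dereferences `serverUUID` via `toString()` with no guard, so a null argument fails with a bare NullPointerException that names neither the parameter nor the caller; `this.serverUUID = Objects.requireNonNull(serverUUID, "serverUUID").toString();` fails at the same point with a useful message (and needs `import java.util.Objects;`). The constructor and both accessors have no Javadoc; since every field is final, a `@param serverUUID` / `@param sequenceId` on the constructor plus a sentence on the class noting that instances are immutable and safe to share would cover it. Stylistically, a blank line between the constructor and each getter would match the surrounding module.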
[22/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
new file mode 100644
index 0000000..c23042d
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
@@ -0,0 +1,542 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+
+import javax.jdo.PersistenceManager;
+import javax.jdo.Query;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
+import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
+import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
+import org.apache.sentry.core.common.exception.SentryInvalidInputException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryGroup;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
+import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Joiner;
+import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+
+/**
+ * The DelegateSentryStore will supports the generic authorizable model. It stores the authorizables
+ * into separated column. Take the authorizables:[DATABASE=db1,TABLE=tb1,COLUMN=cl1] for example,
+ * The DATABASE,db1,TABLE,tb1,COLUMN and cl1 will be stored into the six columns(resourceName0=db1,resourceType0=DATABASE,
+ * resourceName1=tb1,resourceType1=TABLE,
+ * resourceName2=cl1,resourceType2=COLUMN ) of generic privilege table
+ */
+public class DelegateSentryStore implements SentryStoreLayer {
+ private SentryStore delegate;
+ private Configuration conf;
+ private Set<String> adminGroups;
+ private PrivilegeOperatePersistence privilegeOperator;
+
+ public DelegateSentryStore(Configuration conf) throws SentryNoSuchObjectException,
+ SentryAccessDeniedException, SentrySiteConfigurationException, IOException {
+ this.privilegeOperator = new PrivilegeOperatePersistence(conf);
+ // The generic model doesn't turn on the thread that cleans hive privileges
+ conf.set(ServerConfig.SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL,"false");
+ this.conf = conf;
+ //delegated old sentryStore
+ this.delegate = new SentryStore(conf);
+ adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(conf.getStrings(
+ ServerConfig.ADMIN_GROUPS, new String[]{}))));
+ }
+
+ private PersistenceManager openTransaction() {
+ return delegate.openTransaction();
+ }
+
+ private CommitContext commitUpdateTransaction(PersistenceManager pm) {
+ return delegate.commitUpdateTransaction(pm);
+ }
+
+ private void rollbackTransaction(PersistenceManager pm) {
+ delegate.rollbackTransaction(pm);
+ }
+
+ private void commitTransaction(PersistenceManager pm) {
+ delegate.commitTransaction(pm);
+ }
+
+ private MSentryRole getRole(String roleName, PersistenceManager pm) {
+ return delegate.getMSentryRole(pm, roleName);
+ }
+
+ @Override
+ public CommitContext createRole(String component, String role,
+ String requestor) throws SentryAlreadyExistsException {
+ return delegate.createSentryRole(role);
+ }
+
+ /**
+ * The role is global in the generic model, such as the role may be has more than one component
+ * privileges, so delete role will remove all privileges related to it.
+ */
+ @Override
+ public CommitContext dropRole(String component, String role, String requestor)
+ throws SentryNoSuchObjectException {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ String trimmedRole = toTrimmedLower(role);
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryRole.class);
+ query.setFilter("this.roleName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ MSentryRole sentryRole = (MSentryRole) query.execute(trimmedRole);
+ if (sentryRole == null) {
+ throw new SentryNoSuchObjectException("Role: " + trimmedRole + " doesn't exist");
+ } else {
+ pm.retrieve(sentryRole);
+ sentryRole.removeGMPrivileges();
+ sentryRole.removePrivileges();
+ pm.deletePersistent(sentryRole);
+ }
+ CommitContext commit = commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commit;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ @Override
+ public Set<String> getAllRoleNames() {
+ return delegate.getAllRoleNames();
+ }
+
+ @Override
+ public CommitContext alterRoleAddGroups(String component, String role,
+ Set<String> groups, String requestor) throws SentryNoSuchObjectException {
+ return delegate.alterSentryRoleAddGroups(requestor, role, toTSentryGroups(groups));
+ }
+
+ @Override
+ public CommitContext alterRoleDeleteGroups(String component, String role,
+ Set<String> groups, String requestor) throws SentryNoSuchObjectException {
+ //called to old sentryStore
+ return delegate.alterSentryRoleDeleteGroups(role, toTSentryGroups(groups));
+ }
+
+ @Override
+ public CommitContext alterRoleGrantPrivilege(String component, String role,
+ PrivilegeObject privilege, String grantorPrincipal)
+ throws SentryUserException {
+ String trimmedRole = toTrimmedLower(role);
+ PersistenceManager pm = null;
+ boolean rollbackTransaction = true;
+ try{
+ pm = openTransaction();
+ MSentryRole mRole = getRole(trimmedRole, pm);
+ if (mRole == null) {
+ throw new SentryNoSuchObjectException("Role: " + trimmedRole + " doesn't exist");
+ }
+ /**
+ * check with grant option
+ */
+ grantOptionCheck(privilege, grantorPrincipal, pm);
+
+ privilegeOperator.grantPrivilege(privilege, mRole, pm);
+
+ CommitContext commitContext = delegate.commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commitContext;
+
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ @Override
+ public CommitContext alterRoleRevokePrivilege(String component,
+ String role, PrivilegeObject privilege, String grantorPrincipal)
+ throws SentryUserException {
+ String trimmedRole = toTrimmedLower(role);
+ PersistenceManager pm = null;
+ boolean rollbackTransaction = true;
+ try{
+ pm = openTransaction();
+ MSentryRole mRole = getRole(trimmedRole, pm);
+ if (mRole == null) {
+ throw new SentryNoSuchObjectException("Role: " + trimmedRole + " doesn't exist");
+ }
+ /**
+ * check with grant option
+ */
+ grantOptionCheck(privilege, grantorPrincipal, pm);
+
+ privilegeOperator.revokePrivilege(privilege, mRole, pm);
+
+ CommitContext commitContext = commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commitContext;
+
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ @Override
+ public CommitContext renamePrivilege(String component, String service,
+ List<? extends Authorizable> oldAuthorizables,
+ List<? extends Authorizable> newAuthorizables, String requestor)
+ throws SentryUserException {
+ Preconditions.checkNotNull(component);
+ Preconditions.checkNotNull(service);
+ Preconditions.checkNotNull(oldAuthorizables);
+ Preconditions.checkNotNull(newAuthorizables);
+
+ if (oldAuthorizables.size() != newAuthorizables.size()) {
+ throw new SentryAccessDeniedException(
+ "rename privilege denied: the size of oldAuthorizables must equals the newAuthorizables "
+ + "oldAuthorizables:" + Arrays.toString(oldAuthorizables.toArray()) + " "
+ + "newAuthorizables:" + Arrays.toString(newAuthorizables.toArray()));
+ }
+
+ PersistenceManager pm = null;
+ boolean rollbackTransaction = true;
+ try {
+ pm = openTransaction();
+
+ privilegeOperator.renamePrivilege(toTrimmedLower(component), toTrimmedLower(service),
+ oldAuthorizables, newAuthorizables, requestor, pm);
+
+ CommitContext commitContext = commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commitContext;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ @Override
+ public CommitContext dropPrivilege(String component,
+ PrivilegeObject privilege, String requestor) throws SentryUserException {
+ Preconditions.checkNotNull(requestor);
+
+ PersistenceManager pm = null;
+ boolean rollbackTransaction = true;
+ try {
+ pm = openTransaction();
+
+ privilegeOperator.dropPrivilege(privilege, pm);
+
+ CommitContext commitContext = commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ return commitContext;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ /**
+ * Grant option check
+ * @param component
+ * @param pm
+ * @param privilegeReader
+ * @throws SentryUserException
+ */
+ private void grantOptionCheck(PrivilegeObject requestPrivilege, String grantorPrincipal,PersistenceManager pm)
+ throws SentryUserException {
+
+ if (Strings.isNullOrEmpty(grantorPrincipal)) {
+ throw new SentryInvalidInputException("grantorPrincipal should not be null or empty");
+ }
+
+ Set<String> groups = getRequestorGroups(grantorPrincipal);
+ if (groups == null || groups.isEmpty()) {
+ throw new SentryGrantDeniedException(grantorPrincipal
+ + " has no grant!");
+ }
+ //admin group check
+ if (!Sets.intersection(adminGroups, toTrimmed(groups)).isEmpty()) {
+ return;
+ }
+ //privilege grant option check
+ Set<MSentryRole> mRoles = delegate.getRolesForGroups(pm, groups);
+ if (!privilegeOperator.checkPrivilegeOption(mRoles, requestPrivilege, pm)) {
+ throw new SentryGrantDeniedException(grantorPrincipal
+ + " has no grant!");
+ }
+ }
+
+ @Override
+ public Set<String> getRolesByGroups(String component, Set<String> groups)
+ throws SentryUserException {
+ Set<String> roles = Sets.newHashSet();
+ if (groups == null) {
+ return roles;
+ }
+ for (TSentryRole tSentryRole : delegate.getTSentryRolesByGroupName(groups, true)) {
+ roles.add(tSentryRole.getRoleName());
+ }
+ return roles;
+ }
+
+ @Override
+ public Set<String> getGroupsByRoles(String component, Set<String> roles)
+ throws SentryUserException {
+ Set<String> trimmedRoles = toTrimmedLower(roles);
+ Set<String> groupNames = Sets.newHashSet();
+ if (trimmedRoles.size() == 0) {
+ return groupNames;
+ }
+
+ PersistenceManager pm = null;
+ try{
+ pm = openTransaction();
+ //get groups by roles
+ Query query = pm.newQuery(MSentryGroup.class);
+ StringBuilder filters = new StringBuilder();
+ query.declareVariables("MSentryRole role");
+ List<String> rolesFiler = new LinkedList<String>();
+ for (String role : trimmedRoles) {
+ rolesFiler.add("role.roleName == \"" + role + "\" ");
+ }
+ filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
+ query.setFilter(filters.toString());
+
+ List<MSentryGroup> groups = (List<MSentryGroup>)query.execute();
+ if (groups == null) {
+ return groupNames;
+ }
+ for (MSentryGroup group : groups) {
+ groupNames.add(group.getGroupName());
+ }
+ return groupNames;
+ } finally {
+ if (pm != null) {
+ commitTransaction(pm);
+ }
+ }
+ }
+
+ @Override
+ public Set<PrivilegeObject> getPrivilegesByRole(String component,
+ Set<String> roles) throws SentryUserException {
+ Preconditions.checkNotNull(roles);
+ Set<PrivilegeObject> privileges = Sets.newHashSet();
+ if (roles.isEmpty()) {
+ return privileges;
+ }
+
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Set<MSentryRole> mRoles = Sets.newHashSet();
+ for (String role : roles) {
+ MSentryRole mRole = getRole(toTrimmedLower(role), pm);
+ if (mRole != null) {
+ mRoles.add(mRole);
+ }
+ }
+ privileges.addAll(privilegeOperator.getPrivilegesByRole(mRoles, pm));
+ } finally {
+ if (pm != null) {
+ commitTransaction(pm);
+ }
+ }
+ return privileges;
+ }
+
+ @Override
+ public Set<PrivilegeObject> getPrivilegesByProvider(String component,
+ String service, Set<String> roles, Set<String> groups,
+ List<? extends Authorizable> authorizables) throws SentryUserException {
+ Preconditions.checkNotNull(component);
+ Preconditions.checkNotNull(service);
+
+ String trimmedComponent = toTrimmedLower(component);
+ String trimmedService = toTrimmedLower(service);
+
+ Set<PrivilegeObject> privileges = Sets.newHashSet();
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ //CaseInsensitive roleNames
+ Set<String> trimmedRoles = toTrimmedLower(roles);
+
+ if (groups != null) {
+ trimmedRoles.addAll(delegate.getRoleNamesForGroups(groups));
+ }
+
+ if (trimmedRoles.size() == 0) {
+ return privileges;
+ }
+
+ Set<MSentryRole> mRoles = Sets.newHashSet();
+ for (String role : trimmedRoles) {
+ MSentryRole mRole = getRole(role, pm);
+ if (mRole != null) {
+ mRoles.add(mRole);
+ }
+ }
+ //get the privileges
+ privileges.addAll(privilegeOperator.getPrivilegesByProvider(trimmedComponent, trimmedService, mRoles, authorizables, pm));
+ } finally {
+ if (pm != null) {
+ commitTransaction(pm);
+ }
+ }
+ return privileges;
+ }
+
+ @Override
+ public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, String service,
+ Set<String> validActiveRoles, List<? extends Authorizable> authorizables)
+ throws SentryUserException {
+
+ Preconditions.checkNotNull(component);
+ Preconditions.checkNotNull(service);
+
+ component = toTrimmedLower(component);
+ service = toTrimmedLower(service);
+
+ Set<MSentryGMPrivilege> privileges = Sets.newHashSet();
+
+ if (validActiveRoles == null || validActiveRoles.isEmpty()) {
+ return privileges;
+ }
+
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+
+ Set<MSentryRole> mRoles = Sets.newHashSet();
+ for (String role : validActiveRoles) {
+ MSentryRole mRole = getRole(role, pm);
+ if (mRole != null) {
+ mRoles.add(mRole);
+ }
+ }
+
+ //get the privileges
+ Set<MSentryGMPrivilege> mSentryGMPrivileges = privilegeOperator.getPrivilegesByAuthorizable(component, service, mRoles, authorizables, pm);
+
+ for (MSentryGMPrivilege mSentryGMPrivilege : mSentryGMPrivileges) {
+ /**
+ * force to load all roles related this privilege
+ * avoid the lazy-loading
+ */
+ pm.retrieve(mSentryGMPrivilege);
+ privileges.add(mSentryGMPrivilege);
+ }
+
+ } finally {
+ commitTransaction(pm);
+ }
+ return privileges;
+ }
+
+ @Override
+ public void close() {
+ delegate.stop();
+ }
+
+ private Set<TSentryGroup> toTSentryGroups(Set<String> groups) {
+ Set<TSentryGroup> tSentryGroups = Sets.newHashSet();
+ for (String group : groups) {
+ tSentryGroups.add(new TSentryGroup(group));
+ }
+ return tSentryGroups;
+ }
+
+ private Set<String> toTrimmedLower(Set<String> s) {
+ if (s == null) {
+ return new HashSet<String>();
+ }
+ Set<String> result = Sets.newHashSet();
+ for (String v : s) {
+ result.add(v.trim().toLowerCase());
+ }
+ return result;
+ }
+
+ private Set<String> toTrimmed(Set<String> s) {
+ if (s == null) {
+ return new HashSet<String>();
+ }
+ Set<String> result = Sets.newHashSet();
+ for (String v : s) {
+ result.add(v.trim());
+ }
+ return result;
+ }
+
+ private String toTrimmedLower(String s) {
+ if (s == null) {
+ return "";
+ }
+ return s.trim().toLowerCase();
+ }
+
+ private Set<String> getRequestorGroups(String userName)
+ throws SentryUserException {
+ return SentryPolicyStoreProcessor.getGroupsFromUserName(this.conf, userName);
+ }
+
+ @VisibleForTesting
+ void clearAllTables() {
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ pm.newQuery(MSentryRole.class).deletePersistentAll();
+ pm.newQuery(MSentryGroup.class).deletePersistentAll();
+ pm.newQuery(MSentryGMPrivilege.class).deletePersistentAll();
+ commitUpdateTransaction(pm);
+ rollbackTransaction = false;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+}
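Review bot: getGroupsByRoles builds its JDOQL filter by concatenating each caller-supplied role name into a quoted literal (`"role.roleName == \"" + role + "\" "`), and the names are only trimmed and lower-cased first, so a name containing a double quote or JDOQL operators alters the query instead of being matched as data, unlike dropRole which binds `t` as a declared parameter. Binding the names as a parameter removes the concatenation: `query.declareParameters("java.util.Collection roleNames");`, `query.setFilter("roles.contains(role) && roleNames.contains(role.roleName)");` and `List<MSentryGroup> groups = (List<MSentryGroup>) query.execute(trimmedRoles);` (the Joiner, the StringBuilder and the LinkedList then go away); I believe the JDO implementation in use accepts a Collection parameter in `contains`, but that should be confirmed. Separately, the finally block of getPrivilegesByAuthorizable calls `commitTransaction(pm)` without the `pm != null` check that getGroupsByRoles, getPrivilegesByRole and getPrivilegesByProvider all use, so an exception thrown by openTransaction would be replaced by a NullPointerException. The Javadoc on grantOptionCheck documents `component`, `pm` and `privilegeReader`, which do not match its actual parameters `requestPrivilege`, `grantorPrincipal` and `pm`.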
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
new file mode 100644
index 0000000..feab1e9
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
@@ -0,0 +1,231 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+
+import java.util.List;
+import org.apache.sentry.core.common.Authorizable;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Lists;
+
+public final class PrivilegeObject {
+ private final String component;
+ private final String service;
+ private final String action;
+ private final Boolean grantOption;
+ private List<? extends Authorizable> authorizables;
+
+ private PrivilegeObject(String component, String service, String action,
+ Boolean grantOption,
+ List<? extends Authorizable> authorizables) {
+ this.component = component;
+ this.service = service;
+ this.action = action;
+ this.grantOption = grantOption;
+ this.authorizables = authorizables;
+ }
+
+ public List<? extends Authorizable> getAuthorizables() {
+ return authorizables;
+ }
+
+ public String getAction() {
+ return action;
+ }
+
+ public String getComponent() {
+ return component;
+ }
+
+ public String getService() {
+ return service;
+ }
+
+ public Boolean getGrantOption() {
+ return grantOption;
+ }
+
+ @Override
+ public String toString() {
+ List<String> authorizable = Lists.newArrayList();
+ for (Authorizable az : authorizables) {
+ authorizable.add(KV_JOINER.join(az.getTypeName(),az.getName()));
+ }
+ return "PrivilegeObject [" + ", service=" + service + ", component="
+ + component + ", authorizables=" + AUTHORIZABLE_JOINER.join(authorizable)
+ + ", action=" + action + ", grantOption=" + grantOption + "]";
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result + ((action == null) ? 0 : action.hashCode());
+ result = prime * result + ((component == null) ? 0 : component.hashCode());
+ result = prime * result + ((service == null) ? 0 : service.hashCode());
+ result = prime * result + ((grantOption == null) ? 0 : grantOption.hashCode());
+ for (Authorizable authorizable : authorizables) {
+ result = prime * result + authorizable.getTypeName().hashCode();
+ result = prime * result + authorizable.getName().hashCode();
+ }
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ }
+ if (obj == null) {
+ return false;
+ }
+ if (getClass() != obj.getClass()) {
+ return false;
+ }
+ PrivilegeObject other = (PrivilegeObject) obj;
+ if (action == null) {
+ if (other.action != null) {
+ return false;
+ }
+ } else if (!action.equals(other.action)) {
+ return false;
+ }
+ if (service == null) {
+ if (other.service != null) {
+ return false;
+ }
+ } else if (!service.equals(other.service)) {
+ return false;
+ }
+ if (component == null) {
+ if (other.component != null) {
+ return false;
+ }
+ } else if (!component.equals(other.component)) {
+ return false;
+ }
+ if (grantOption == null) {
+ if (other.grantOption != null) {
+ return false;
+ }
+ } else if (!grantOption.equals(other.grantOption)) {
+ return false;
+ }
+
+ if (authorizables.size() != other.authorizables.size()) {
+ return false;
+ }
+ for (int i = 0; i < authorizables.size(); i++) {
+ String o1 = KV_JOINER.join(authorizables.get(i).getTypeName(),
+ authorizables.get(i).getName());
+ String o2 = KV_JOINER.join(other.authorizables.get(i).getTypeName(),
+ other.authorizables.get(i).getName());
+ if (!o1.equalsIgnoreCase(o2)) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ public static class Builder {
+ private String component;
+ private String service;
+ private String action;
+ private Boolean grantOption;
+ private List<? extends Authorizable> authorizables;
+
+ public Builder() {
+
+ }
+
+ public Builder(PrivilegeObject privilege) {
+ this.component = privilege.component;
+ this.service = privilege.service;
+ this.action = privilege.action;
+ this.grantOption = privilege.grantOption;
+ this.authorizables = privilege.authorizables;
+ }
+
+ public Builder setComponent(String component) {
+ this.component = component;
+ return this;
+ }
+
+ public Builder setService(String service) {
+ this.service = service;
+ return this;
+ }
+
+ public Builder setAction(String action) {
+ this.action = action;
+ return this;
+ }
+
+ public Builder withGrantOption(Boolean grantOption) {
+ this.grantOption = grantOption;
+ return this;
+ }
+
+ public Builder setAuthorizables(List<? extends Authorizable> authorizables) {
+ this.authorizables = authorizables;
+ return this;
+ }
+
+ /**
+ * TolowerCase the authorizable name, the authorizable type is define when it was created.
+ * Take the Solr for example, it has two Authorizable objects. They have the type Collection
+ * and Field, they are can't be changed. So we should unified the authorizable name tolowercase.
+ * @return new authorizable lists
+ */
+ private List<? extends Authorizable> toLowerAuthorizableName(List<? extends Authorizable> authorizables) {
+ List<Authorizable> newAuthorizable = Lists.newArrayList();
+ if (authorizables == null || authorizables.size() == 0) {
+ return newAuthorizable;
+ }
+ for (final Authorizable authorizable : authorizables) {
+ newAuthorizable.add(new Authorizable() {
+ @Override
+ public String getTypeName() {
+ return authorizable.getTypeName();
+ }
+ @Override
+ public String getName() {
+ return authorizable.getName();
+ }
+ });
+ }
+ return newAuthorizable;
+ }
+
+ public PrivilegeObject build() {
+ Preconditions.checkNotNull(component);
+ Preconditions.checkNotNull(service);
+ Preconditions.checkNotNull(action);
+ //CaseInsensitive authorizable name
+ List<? extends Authorizable> newAuthorizable = toLowerAuthorizableName(authorizables);
+
+ return new PrivilegeObject(component.toLowerCase(),
+ service.toLowerCase(),
+ action.toLowerCase(),
+ grantOption,
+ newAuthorizable);
+ }
+ }
+}
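Review bot: hashCode() and equals() disagree on case: equals compares each authorizable's `type=name` string with equalsIgnoreCase, while hashCode folds in the case-sensitive `getTypeName().hashCode()` and `getName().hashCode()`, so two objects that equals() reports equal can hash differently and a HashSet<PrivilegeObject> (as built in PrivilegeOperatePersistence.getPrivilegesByRole) may keep both. Make the hash match the comparison, e.g. `result = prime * result + authorizable.getTypeName().toLowerCase().hashCode();` and `result = prime * result + authorizable.getName().toLowerCase().hashCode();`. Related, the Javadoc on Builder.toLowerAuthorizableName says it lowercases the authorizable name and build() comments "CaseInsensitive authorizable name", yet the wrapper returns `authorizable.getName()` unchanged, so either the comment or the code is stale and the two should be reconciled before this becomes the canonical privilege key. Minor: toString() prints `PrivilegeObject [, service=` because of the stray `", service="` immediately after the opening bracket.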
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
new file mode 100644
index 0000000..b1180bf
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
@@ -0,0 +1,485 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import java.lang.reflect.Constructor;
+import java.util.ArrayList;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.jdo.PersistenceManager;
+import javax.jdo.Query;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.BitFieldAction;
+import org.apache.sentry.core.common.BitFieldActionFactory;
+import org.apache.sentry.core.model.kafka.KafkaActionFactory;
+import org.apache.sentry.core.model.search.SearchActionFactory;
+import org.apache.sentry.core.model.sqoop.SqoopActionFactory;
+import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+
+import com.google.common.base.Joiner;
+import com.google.common.base.Strings;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * This class used do some operations related privilege and make the results
+ * persistence
+ */
+public class PrivilegeOperatePersistence {
+ private static final Logger LOGGER = LoggerFactory.getLogger(PrivilegeOperatePersistence.class);
+ private static final Map<String, BitFieldActionFactory> actionFactories = Maps.newHashMap();
+ static{
+ actionFactories.put("solr", new SearchActionFactory());
+ actionFactories.put("sqoop", new SqoopActionFactory());
+ actionFactories.put("kafka", KafkaActionFactory.getInstance());
+ }
+
+ private final Configuration conf;
+
+ public PrivilegeOperatePersistence(Configuration conf) {
+ this.conf = conf;
+ }
+
+ public boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) {
+ MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege);
+ boolean hasGrant = false;
+ //get persistent privileges by roles
+ Query query = pm.newQuery(MSentryGMPrivilege.class);
+ StringBuilder filters = new StringBuilder();
+ if (roles != null && roles.size() > 0) {
+ query.declareVariables("MSentryRole role");
+ List<String> rolesFiler = new LinkedList<String>();
+ for (MSentryRole role : roles) {
+ rolesFiler.add("role.roleName == \"" + role.getRoleName() + "\" ");
+ }
+ filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
+ }
+ query.setFilter(filters.toString());
+
+ List<MSentryGMPrivilege> tPrivileges = (List<MSentryGMPrivilege>)query.execute();
+ for (MSentryGMPrivilege tPrivilege : tPrivileges) {
+ if (tPrivilege.getGrantOption() && tPrivilege.implies(requestPrivilege)) {
+ hasGrant = true;
+ break;
+ }
+ }
+ return hasGrant;
+ }
+ public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {
+ MSentryGMPrivilege mPrivilege = convertToPrivilege(privilege);
+ grantRolePartial(mPrivilege, role, pm);
+ }
+
+ private void grantRolePartial(MSentryGMPrivilege grantPrivilege,
+ MSentryRole role,PersistenceManager pm) {
+ /**
+ * If Grant is for ALL action and other actions belongs to ALL action already exists..
+ * need to remove it and GRANT ALL action
+ */
+ String component = grantPrivilege.getComponentName();
+ BitFieldAction action = getAction(component, grantPrivilege.getAction());
+ BitFieldAction allAction = getAction(component, Action.ALL);
+
+ if (action.implies(allAction)) {
+ /**
+ * ALL action is a multi-bit set action that includes some actions such as INSERT,SELECT and CREATE.
+ */
+ List<? extends BitFieldAction> actions = getActionFactory(component).getActionsByCode(allAction.getActionCode());
+ for (BitFieldAction ac : actions) {
+ grantPrivilege.setAction(ac.getValue());
+ MSentryGMPrivilege existPriv = getPrivilege(grantPrivilege, pm);
+ if (existPriv != null && role.getGmPrivileges().contains(existPriv)) {
+ /**
+ * force to load all roles related this privilege
+ * avoid the lazy-loading risk,such as:
+ * if the roles field of privilege aren't loaded, then the roles is a empty set
+ * privilege.removeRole(role) and pm.makePersistent(privilege)
+ * will remove other roles that shouldn't been removed
+ */
+ pm.retrieve(existPriv);
+ existPriv.removeRole(role);
+ pm.makePersistent(existPriv);
+ }
+ }
+ } else {
+ /**
+ * If ALL Action already exists..
+ * do nothing.
+ */
+ grantPrivilege.setAction(allAction.getValue());
+ MSentryGMPrivilege allPrivilege = getPrivilege(grantPrivilege, pm);
+ if (allPrivilege != null && role.getGmPrivileges().contains(allPrivilege)) {
+ return;
+ }
+ }
+
+ /**
+ * restore the action
+ */
+ grantPrivilege.setAction(action.getValue());
+ /**
+ * check the privilege is exist or not
+ */
+ MSentryGMPrivilege mPrivilege = getPrivilege(grantPrivilege, pm);
+ if (mPrivilege == null) {
+ mPrivilege = grantPrivilege;
+ }
+ mPrivilege.appendRole(role);
+ pm.makePersistent(mPrivilege);
+ }
+
+
+ public void revokePrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {
+ MSentryGMPrivilege mPrivilege = getPrivilege(convertToPrivilege(privilege), pm);
+ if (mPrivilege == null) {
+ mPrivilege = convertToPrivilege(privilege);
+ } else {
+ mPrivilege = (MSentryGMPrivilege) pm.detachCopy(mPrivilege);
+ }
+
+ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+ privilegeGraph.addAll(populateIncludePrivileges(Sets.newHashSet(role), mPrivilege, pm));
+
+ /**
+ * Get the privilege graph
+ * populateIncludePrivileges will get the privileges that needed revoke
+ */
+ for (MSentryGMPrivilege persistedPriv : privilegeGraph) {
+ /**
+ * force to load all roles related this privilege
+ * avoid the lazy-loading risk,such as:
+ * if the roles field of privilege aren't loaded, then the roles is a empty set
+ * privilege.removeRole(role) and pm.makePersistent(privilege)
+ * will remove other roles that shouldn't been removed
+ */
+ revokeRolePartial(mPrivilege, persistedPriv, role, pm);
+ }
+ pm.makePersistent(role);
+ }
+
+ /**
+ * Explore Privilege graph and collect privileges that are belong to the specific privilege
+ */
+ @SuppressWarnings("unchecked")
+ private Set<MSentryGMPrivilege> populateIncludePrivileges(Set<MSentryRole> roles,
+ MSentryGMPrivilege parent, PersistenceManager pm) {
+ Set<MSentryGMPrivilege> childrens = Sets.newHashSet();
+
+ Query query = pm.newQuery(MSentryGMPrivilege.class);
+ StringBuilder filters = new StringBuilder();
+ //add populateIncludePrivilegesQuery
+ filters.append(MSentryGMPrivilege.populateIncludePrivilegesQuery(parent));
+ // add filter for role names
+ if (roles != null && roles.size() > 0) {
+ query.declareVariables("MSentryRole role");
+ List<String> rolesFiler = new LinkedList<String>();
+ for (MSentryRole role : roles) {
+ rolesFiler.add("role.roleName == \"" + role.getRoleName() + "\" ");
+ }
+ filters.append("&& roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
+ }
+ query.setFilter(filters.toString());
+
+ List<MSentryGMPrivilege> privileges = (List<MSentryGMPrivilege>)query.execute();
+ childrens.addAll(privileges);
+ return childrens;
+ }
+
+ /**
+ * Roles can be granted multi-bit set action like ALL action on resource object.
+ * Take solr component for example, When a role has been granted ALL action but
+ * QUERY or UPDATE or CREATE are revoked, we need to remove the ALL
+ * privilege and add left privileges like UPDATE and CREATE(QUERY was revoked) or
+ * QUERY and UPDATE(CREATEE was revoked).
+ */
+ private void revokeRolePartial(MSentryGMPrivilege revokePrivilege,
+ MSentryGMPrivilege persistedPriv, MSentryRole role,
+ PersistenceManager pm) {
+ String component = revokePrivilege.getComponentName();
+ BitFieldAction revokeaction = getAction(component, revokePrivilege.getAction());
+ BitFieldAction persistedAction = getAction(component, persistedPriv.getAction());
+ BitFieldAction allAction = getAction(component, Action.ALL);
+
+ if (revokeaction.implies(allAction)) {
+ /**
+ * if revoke action is ALL, directly revoke its children privileges and itself
+ */
+ persistedPriv.removeRole(role);
+ pm.makePersistent(persistedPriv);
+ } else {
+ /**
+ * if persisted action is ALL, it only revoke the requested action and left partial actions
+ * like the requested action is SELECT, the UPDATE and CREATE action are left
+ */
+ if (persistedAction.implies(allAction)) {
+ /**
+ * revoke the ALL privilege
+ */
+ persistedPriv.removeRole(role);
+ pm.makePersistent(persistedPriv);
+
+ List<? extends BitFieldAction> actions = getActionFactory(component).getActionsByCode(allAction.getActionCode());
+ for (BitFieldAction ac: actions) {
+ if (ac.getActionCode() != revokeaction.getActionCode()) {
+ /**
+ * grant the left privileges to role
+ */
+ MSentryGMPrivilege tmpPriv = new MSentryGMPrivilege(persistedPriv);
+ tmpPriv.setAction(ac.getValue());
+ MSentryGMPrivilege leftPersistedPriv = getPrivilege(tmpPriv, pm);
+ if (leftPersistedPriv == null) {
+ //leftPersistedPriv isn't exist
+ leftPersistedPriv = tmpPriv;
+ role.appendGMPrivilege(leftPersistedPriv);
+ }
+ leftPersistedPriv.appendRole(role);
+ pm.makePersistent(leftPersistedPriv);
+ }
+ }
+ } else if (revokeaction.implies(persistedAction)) {
+ /**
+ * if the revoke action is equal to the persisted action and they aren't ALL action
+ * directly remove the role from privilege
+ */
+ persistedPriv.removeRole(role);
+ pm.makePersistent(persistedPriv);
+ }
+ /**
+ * if the revoke action is not equal to the persisted action,
+ * do nothing
+ */
+ }
+ }
+
+ /**
+ * Drop any role related to the requested privilege and its children privileges
+ */
+ public void dropPrivilege(PrivilegeObject privilege,PersistenceManager pm) {
+ MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege);
+
+ if (Strings.isNullOrEmpty(privilege.getAction())) {
+ requestPrivilege.setAction(getAction(privilege.getComponent(), Action.ALL).getValue());
+ }
+ /**
+ * Get the privilege graph
+ * populateIncludePrivileges will get the privileges that need dropped,
+ */
+ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+ privilegeGraph.addAll(populateIncludePrivileges(null, requestPrivilege, pm));
+
+ for (MSentryGMPrivilege mPrivilege : privilegeGraph) {
+ /**
+ * force to load all roles related this privilege
+ * avoid the lazy-loading
+ */
+ pm.retrieve(mPrivilege);
+ Set<MSentryRole> roles = mPrivilege.getRoles();
+ for (MSentryRole role : roles) {
+ revokeRolePartial(requestPrivilege, mPrivilege, role, pm);
+ }
+ }
+ }
+
+ private MSentryGMPrivilege convertToPrivilege(PrivilegeObject privilege) {
+ return new MSentryGMPrivilege(privilege.getComponent(),
+ privilege.getService(), privilege.getAuthorizables(),
+ privilege.getAction(), privilege.getGrantOption());
+ }
+
+ private MSentryGMPrivilege getPrivilege(MSentryGMPrivilege privilege, PersistenceManager pm) {
+ Query query = pm.newQuery(MSentryGMPrivilege.class);
+ query.setFilter(MSentryGMPrivilege.toQuery(privilege));
+ query.setUnique(true);
+ return (MSentryGMPrivilege)query.execute();
+ }
+
+ @SuppressWarnings("unchecked")
+ public Set<PrivilegeObject> getPrivilegesByRole(Set<MSentryRole> roles, PersistenceManager pm) {
+ Set<PrivilegeObject> privileges = Sets.newHashSet();
+ if (roles == null || roles.size() == 0) {
+ return privileges;
+ }
+ Query query = pm.newQuery(MSentryGMPrivilege.class);
+ StringBuilder filters = new StringBuilder();
+ // add filter for role names
+ query.declareVariables("MSentryRole role");
+ List<String> rolesFiler = new LinkedList<String>();
+ for (MSentryRole role : roles) {
+ rolesFiler.add("role.roleName == \"" + role.getRoleName() + "\" ");
+ }
+ filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
+
+ query.setFilter(filters.toString());
+ List<MSentryGMPrivilege> mPrivileges = (List<MSentryGMPrivilege>) query.execute();
+ if (mPrivileges == null || mPrivileges.isEmpty()) {
+ return privileges;
+ }
+ for (MSentryGMPrivilege mPrivilege : mPrivileges) {
+ privileges.add(new Builder()
+ .setComponent(mPrivilege.getComponentName())
+ .setService(mPrivilege.getServiceName())
+ .setAction(mPrivilege.getAction())
+ .setAuthorizables(mPrivilege.getAuthorizables())
+ .withGrantOption(mPrivilege.getGrantOption())
+ .build());
+ }
+ return privileges;
+ }
+
+ public Set<PrivilegeObject> getPrivilegesByProvider(String component,
+ String service, Set<MSentryRole> roles,
+ List<? extends Authorizable> authorizables, PersistenceManager pm) {
+ Set<PrivilegeObject> privileges = Sets.newHashSet();
+ if (roles == null || roles.isEmpty()) {
+ return privileges;
+ }
+
+ MSentryGMPrivilege parentPrivilege = new MSentryGMPrivilege(component, service, authorizables, null, null);
+ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+ privilegeGraph.addAll(populateIncludePrivileges(roles, parentPrivilege, pm));
+
+ for (MSentryGMPrivilege mPrivilege : privilegeGraph) {
+ privileges.add(new Builder()
+ .setComponent(mPrivilege.getComponentName())
+ .setService(mPrivilege.getServiceName())
+ .setAction(mPrivilege.getAction())
+ .setAuthorizables(mPrivilege.getAuthorizables())
+ .withGrantOption(mPrivilege.getGrantOption())
+ .build());
+ }
+ return privileges;
+ }
+
+ public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component,
+ String service, Set<MSentryRole> roles,
+ List<? extends Authorizable> authorizables, PersistenceManager pm) {
+
+ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+
+ if (roles == null || roles.isEmpty()) {
+ return privilegeGraph;
+ }
+
+ MSentryGMPrivilege parentPrivilege = new MSentryGMPrivilege(component, service, authorizables, null, null);
+ privilegeGraph.addAll(populateIncludePrivileges(roles, parentPrivilege, pm));
+ return privilegeGraph;
+ }
+
+ public void renamePrivilege(String component, String service,
+ List<? extends Authorizable> oldAuthorizables, List<? extends Authorizable> newAuthorizables,
+ String grantorPrincipal, PersistenceManager pm)
+ throws SentryUserException {
+ MSentryGMPrivilege oldPrivilege = new MSentryGMPrivilege(component, service, oldAuthorizables, null, null);
+ oldPrivilege.setAction(getAction(component,Action.ALL).getValue());
+ /**
+ * Get the privilege graph
+ * populateIncludePrivileges will get the old privileges that need dropped
+ */
+ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+ privilegeGraph.addAll(populateIncludePrivileges(null, oldPrivilege, pm));
+
+ for (MSentryGMPrivilege dropPrivilege : privilegeGraph) {
+ /**
+ * construct the new privilege needed to add
+ */
+ List<Authorizable> authorizables = new ArrayList<Authorizable>(
+ dropPrivilege.getAuthorizables());
+ for (int i = 0; i < newAuthorizables.size(); i++) {
+ authorizables.set(i, newAuthorizables.get(i));
+ }
+ MSentryGMPrivilege newPrivilge = new MSentryGMPrivilege(
+ component,service, authorizables, dropPrivilege.getAction(),
+ dropPrivilege.getGrantOption());
+
+ /**
+ * force to load all roles related this privilege
+ * avoid the lazy-loading
+ */
+ pm.retrieve(dropPrivilege);
+
+ Set<MSentryRole> roles = dropPrivilege.getRoles();
+ for (MSentryRole role : roles) {
+ revokeRolePartial(oldPrivilege, dropPrivilege, role, pm);
+ grantRolePartial(newPrivilge, role, pm);
+ }
+ }
+ }
+
+ private BitFieldAction getAction(String component, String name) {
+ BitFieldActionFactory actionFactory = getActionFactory(component);
+ BitFieldAction action = actionFactory.getActionByName(name);
+ if (action == null) {
+ throw new RuntimeException("Can not get BitFieldAction for name: " + name);
+ }
+ return action;
+ }
+
+ private BitFieldActionFactory getActionFactory(String component) {
+ String caseInsensitiveComponent = component.toLowerCase();
+ if (actionFactories.containsKey(caseInsensitiveComponent)) {
+ return actionFactories.get(caseInsensitiveComponent);
+ }
+ BitFieldActionFactory actionFactory = createActionFactory(caseInsensitiveComponent);
+ actionFactories.put(caseInsensitiveComponent, actionFactory);
+ LOGGER.info("Action factory for component {} is not found in cache. Loaded it from configuration as {}.",
+ component, actionFactory.getClass().getName());
+ return actionFactory;
+ }
+
+ private BitFieldActionFactory createActionFactory(String component) {
+ String actionFactoryClassName =
+ conf.get(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, component));
+ if (actionFactoryClassName == null) {
+ throw new RuntimeException("ActionFactory not defined for component " + component +
+ ". Please define the parameter " +
+ "sentry." + component + ".action.factory in configuration");
+ }
+ Class<?> actionFactoryClass;
+ try {
+ actionFactoryClass = Class.forName(actionFactoryClassName);
+ } catch (ClassNotFoundException e) {
+ throw new RuntimeException("ActionFactory class " + actionFactoryClassName + " not found.");
+ }
+ if (!BitFieldActionFactory.class.isAssignableFrom(actionFactoryClass)) {
+ throw new RuntimeException("ActionFactory class " + actionFactoryClassName + " must extend "
+ + BitFieldActionFactory.class.getName());
+ }
+ BitFieldActionFactory actionFactory;
+ try {
+ Constructor<?> actionFactoryConstructor = actionFactoryClass.getDeclaredConstructor();
+ actionFactoryConstructor.setAccessible(true);
+ actionFactory = (BitFieldActionFactory) actionFactoryClass.newInstance();
+ } catch (NoSuchMethodException | InstantiationException | IllegalAccessException e) {
+ throw new RuntimeException("Could not instantiate actionFactory " + actionFactoryClassName +
+ " for component: " + component, e);
+ }
+ return actionFactory;
+ }
+}
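Review bot: checkPrivilegeOption runs its query with an empty filter when `roles` is null or empty, so it scans every persisted MSentryGMPrivilege and answers true if any role anywhere holds an implying privilege with grant option; the requestor's own membership is never consulted in that case. Unless every caller guarantees a non-empty role set (not visible in this hunk), add the guard that the sibling getPrivilegesByRole already has: `if (roles == null || roles.isEmpty()) { return false; }` before the query is built. Separately, the role-name filters in checkPrivilegeOption, populateIncludePrivileges and getPrivilegesByRole are assembled by concatenating `role.getRoleName()` into the JDOQL string; a role name containing a double quote would break or alter the filter, so binding the names via `query.declareParameters(...)` and passing them to `execute` would be safer than string building. Also in createActionFactory the constructor made accessible is never used — the next line calls `actionFactoryClass.newInstance()`, so a non-public no-arg constructor still fails with IllegalAccessException; use `actionFactory = (BitFieldActionFactory) actionFactoryConstructor.newInstance();` and pass `e` as the cause when rethrowing ClassNotFoundException. Note too that getActionFactory writes into the static HashMap `actionFactories` without synchronization; if the server calls this from several threads that map should be a ConcurrentHashMap.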
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java
new file mode 100644
index 0000000..c003965
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java
@@ -0,0 +1,198 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import java.util.List;
+import java.util.Set;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+
+/**
+ * Sentry store for persistent the authorize object to database
+ */
+public interface SentryStoreLayer {
+ /**
+ * Create a role
+ * @param component: The request respond to which component
+ * @param role: The name of role
+ * @param requestor: User on whose behalf the request is launched
+ * @returns commit context used for notification handlers
+ * @throws SentryAlreadyExistsException
+ */
+ CommitContext createRole(String component, String role,
+ String requestor) throws SentryAlreadyExistsException;
+
+ /**
+ * Drop a role
+ * @param component: The request respond to which component
+ * @param role: The name of role
+ * @param requestor: user on whose behalf the request is launched
+ * @returns commit context used for notification handlers
+ * @throws SentryNoSuchObjectException
+ */
+ CommitContext dropRole(String component, String role,
+ String requestor) throws SentryNoSuchObjectException;
+
+ /**
+ * Add a role to groups.
+ * @param component: The request respond to which component
+ * @param role: The name of role
+ * @param groups: The name of groups
+ * @param requestor: User on whose behalf the request is issued
+ * @returns commit context used for notification handlers
+ * @throws SentryNoSuchObjectException
+ */
+ CommitContext alterRoleAddGroups(String component, String role,
+ Set<String> groups, String requestor) throws SentryNoSuchObjectException;
+
+ /**
+ * Delete a role from groups.
+ * @param component: The request respond to which component
+ * @param role: The name of role
+ * @param groups: The name of groups
+ * @param requestor: User on whose behalf the request is launched
+ * @returns commit context used for notification handlers
+ * @throws SentryNoSuchObjectException
+ */
+ CommitContext alterRoleDeleteGroups(String component, String role,
+ Set<String> groups, String requestor) throws SentryNoSuchObjectException;
+
+ /**
+ * Grant a privilege to role.
+ * @param component: The request respond to which component
+ * @param role: The name of role
+ * @param privilege: The privilege object will be granted
+ * @param grantorPrincipal: User on whose behalf the request is launched
+ * @returns commit context Used for notification handlers
+ * @throws SentryUserException
+ */
+ CommitContext alterRoleGrantPrivilege(String component, String role,
+ PrivilegeObject privilege, String grantorPrincipal) throws SentryUserException;
+
+ /**
+ * Revoke a privilege from role.
+ * @param component: The request respond to which component
+ * @param role: The name of role
+ * @param privilege: The privilege object will revoked
+ * @param grantorPrincipal: User on whose behalf the request is launched
+ * @returns commit context used for notification handlers
+ * @throws SentryUserException
+ */
+ CommitContext alterRoleRevokePrivilege(String component, String role,
+ PrivilegeObject privilege, String grantorPrincipal) throws SentryUserException;
+
+ /**
+ * Rename privilege
+ *
+ * @param component: The request respond to which component
+ * @param service: The name of service
+ * @param oldAuthorizables: The old list of authorize objects
+ * @param newAuthorizables: The new list of authorize objects
+ * @param requestor: User on whose behalf the request is launched
+ * @returns commit context used for notification handlers
+ * @throws SentryUserException
+ */
+ CommitContext renamePrivilege(
+ String component, String service, List<? extends Authorizable> oldAuthorizables,
+ List<? extends Authorizable> newAuthorizables, String requestor) throws SentryUserException;
+
+ /**
+ * Drop privilege
+ * @param component: The request respond to which component
+ * @param privilege: The privilege will be dropped
+ * @param requestor: User on whose behalf the request is launched
+ * @returns commit context used for notification handlers
+ * @throws SentryUserException
+ */
+ CommitContext dropPrivilege(String component, PrivilegeObject privilege,
+ String requestor) throws SentryUserException;
+
+ /**
+ * Get roles
+ * @param component: The request respond to which component
+ * @param groups: The name of groups
+ * @returns the set of roles
+ * @throws SentryUserException
+ */
+ Set<String> getRolesByGroups(String component, Set<String> groups) throws SentryUserException;
+
+ /**
+ * Get groups
+ * @param component: The request respond to which component
+ * @param roles: The name of roles
+ * @returns the set of groups
+ * @throws SentryUserException
+ */
+ Set<String> getGroupsByRoles(String component, Set<String> roles) throws SentryUserException;
+
+ /**
+ * Get privileges
+ * @param component: The request respond to which component
+ * @param roles: The name of roles
+ * @returns the set of privileges
+ * @throws SentryUserException
+ */
+ Set<PrivilegeObject> getPrivilegesByRole(String component, Set<String> roles) throws SentryUserException;
+
+ /**
+ * get sentry privileges from provider as followings:
+ * @param component: The request respond to which component
+ * @param service: The name of service
+ * @param roles: The name of roles
+ * @param groups: The name of groups
+ * @param authorizables: The list of authorize objects
+ * @returns the set of privileges
+ * @throws SentryUserException
+ */
+
+ Set<PrivilegeObject> getPrivilegesByProvider(String component, String service, Set<String> roles,
+ Set<String> groups, List<? extends Authorizable> authorizables)
+ throws SentryUserException;
+
+ /**
+ * Get all roles name.
+ *
+ * @returns The set of roles name,
+ */
+ Set<String> getAllRoleNames();
+
+ /**
+ * Get sentry privileges based on valid active roles and the authorize objects.
+ *
+ * @param component: The request respond to which component
+ * @param service: The name of service
+ * @param validActiveRoles: The valid active roles
+ * @param authorizables: The list of authorize objects
+ * @returns The set of MSentryGMPrivilege
+ * @throws SentryUserException
+ */
+ Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, String service,
+ Set<String> validActiveRoles, List<? extends Authorizable> authorizables)
+ throws SentryUserException;
+
+ /**
+ * close sentryStore
+ */
+ void close();
+
+}
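Review bot: The Javadoc throughout this interface uses `@returns`, which is not a Javadoc tag and will be emitted as an unknown-tag warning rather than a return description; change every occurrence to `@return`. The blank line between the Javadoc comment and `getPrivilegesByProvider` detaches that comment from the method, so javadoc attaches nothing to it — delete the blank line and reword the opening "get sentry privileges from provider as followings:" to "Get the privileges held by the given roles or groups on the given authorizables." The parameter is named `grantorPrincipal` on the grant/revoke methods and `requestor` elsewhere but carries the identical description ("User on whose behalf the request is launched"); if they mean the same thing, one name would help, and in either case the contract should state whether the store layer or its caller is responsible for checking that principal's authority, which this interface currently leaves unstated.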
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java
new file mode 100644
index 0000000..e0a5f03
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+
+public interface NotificationHandler {
+
+ void create_sentry_role(CommitContext context,
+ TCreateSentryRoleRequest request, TCreateSentryRoleResponse response);
+
+ void drop_sentry_role(CommitContext context, TDropSentryRoleRequest request,
+ TDropSentryRoleResponse response);
+
+ void alter_sentry_role_grant_privilege(CommitContext context, TAlterSentryRoleGrantPrivilegeRequest request,
+ TAlterSentryRoleGrantPrivilegeResponse response);
+
+ void alter_sentry_role_revoke_privilege(CommitContext context, TAlterSentryRoleRevokePrivilegeRequest request,
+ TAlterSentryRoleRevokePrivilegeResponse response);
+
+ void alter_sentry_role_add_groups(CommitContext context,TAlterSentryRoleAddGroupsRequest request,
+ TAlterSentryRoleAddGroupsResponse response);
+
+ void alter_sentry_role_delete_groups(CommitContext context, TAlterSentryRoleDeleteGroupsRequest request,
+ TAlterSentryRoleDeleteGroupsResponse response);
+
+ void drop_sentry_privilege(CommitContext context, TDropPrivilegesRequest request,
+ TDropPrivilegesResponse response);
+
+ void rename_sentry_privilege(CommitContext context, TRenamePrivilegesRequest request,
+ TRenamePrivilegesResponse response);
+}
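Review bot: NotificationHandler and its eight callback methods carry no Javadoc, so an implementer cannot tell from the interface when the callbacks fire or whether the request and response objects may be mutated. The CommitContext parameter and the invoker's class comment elsewhere in this commit suggest the callbacks run after a successfully committed operation with copies of the thrift objects, but that contract belongs on the interface itself, e.g. `/** Receives a notification after a generic-model role or privilege change; each implementation gets its own copy of the request and response. */` on the type and a one-line summary per method. The snake_case method names (`create_sentry_role`) also depart from the lowerCamelCase convention used elsewhere; if they are kept deliberately to mirror the thrift service method names, a comment saying so would prevent a later rename.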
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java
new file mode 100644
index 0000000..1d9c246
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java
@@ -0,0 +1,164 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import java.util.List;
+
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.Lists;
+
+/**
+ * Invokes configured instances of NotificationHandler. Importantly
+ * NotificationHandler's each receive a copy of the request and
+ * response thrift objects from each successful request.
+ */
+public class NotificationHandlerInvoker implements NotificationHandler {
+ private static final Logger LOGGER = LoggerFactory.getLogger(NotificationHandlerInvoker.class);
+ private List<? extends NotificationHandler> handlers = Lists.newArrayList();
+
+ public NotificationHandlerInvoker(List<? extends NotificationHandler> handlers) {
+ this.handlers = handlers;
+ }
+ @Override
+ public void create_sentry_role(CommitContext context,
+ TCreateSentryRoleRequest request, TCreateSentryRoleResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.create_sentry_role(context, new TCreateSentryRoleRequest(request),
+ new TCreateSentryRoleResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+
+ @Override
+ public void drop_sentry_role(CommitContext context,
+ TDropSentryRoleRequest request, TDropSentryRoleResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.drop_sentry_role(context, new TDropSentryRoleRequest(request),
+ new TDropSentryRoleResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+
+ @Override
+ public void alter_sentry_role_grant_privilege(CommitContext context,
+ TAlterSentryRoleGrantPrivilegeRequest request,
+ TAlterSentryRoleGrantPrivilegeResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.alter_sentry_role_grant_privilege(context,
+ new TAlterSentryRoleGrantPrivilegeRequest(request),
+ new TAlterSentryRoleGrantPrivilegeResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+
+ @Override
+ public void alter_sentry_role_revoke_privilege(CommitContext context,
+ TAlterSentryRoleRevokePrivilegeRequest request,
+ TAlterSentryRoleRevokePrivilegeResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.alter_sentry_role_revoke_privilege(context,
+ new TAlterSentryRoleRevokePrivilegeRequest(request),
+ new TAlterSentryRoleRevokePrivilegeResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+
+ @Override
+ public void alter_sentry_role_add_groups(CommitContext context,
+ TAlterSentryRoleAddGroupsRequest request,
+ TAlterSentryRoleAddGroupsResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.alter_sentry_role_add_groups(context, new TAlterSentryRoleAddGroupsRequest(request),
+ new TAlterSentryRoleAddGroupsResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+
+ @Override
+ public void alter_sentry_role_delete_groups(CommitContext context,
+ TAlterSentryRoleDeleteGroupsRequest request,
+ TAlterSentryRoleDeleteGroupsResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.alter_sentry_role_delete_groups(context, new TAlterSentryRoleDeleteGroupsRequest(request),
+ new TAlterSentryRoleDeleteGroupsResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+ @Override
+ public void drop_sentry_privilege(CommitContext context,
+ TDropPrivilegesRequest request, TDropPrivilegesResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.drop_sentry_privilege(context, new TDropPrivilegesRequest(request),
+ new TDropPrivilegesResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+ @Override
+ public void rename_sentry_privilege(CommitContext context,
+ TRenamePrivilegesRequest request, TRenamePrivilegesResponse response) {
+ for (NotificationHandler handler : handlers) {
+ try {
+ LOGGER.debug("Calling " + handler);
+ handler.rename_sentry_privilege(context, new TRenamePrivilegesRequest(request),
+ new TRenamePrivilegesResponse(response));
+ } catch (Exception ex) {
+ LOGGER.error("Unexpected error in " + handler + ". Request: "
+ + request + ", Response: " + response, ex);
+ }
+ }
+ }
+
+}
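Review bot: The `handlers` field is initialised to a fresh list and then unconditionally replaced in the constructor, and a null argument is accepted silently and only surfaces as a NullPointerException inside the first callback. Making the field `final` and copying the argument fixes both: `private final List<? extends NotificationHandler> handlers;` and `this.handlers = Lists.newArrayList(handlers);` (Guava's copy fails fast on null and stops callers from altering the handler chain after construction). Separately, every method builds its log messages by string concatenation; SLF4J's parameterised form, `LOGGER.debug("Calling {}", handler);`, avoids that work when debug logging is disabled. The `catch (Exception ex)` in each method is presumably intentional so that one failing handler does not stop the remaining handlers from being notified, but a short comment stating that would keep the next reader from narrowing it.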
[42/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/RollingFileWithoutDeleteAppender.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/RollingFileWithoutDeleteAppender.java
deleted file mode 100644
index fd133f3..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/appender/RollingFileWithoutDeleteAppender.java
+++ /dev/null
@@ -1,175 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.appender;
-
-import java.io.File;
-import java.io.IOException;
-import java.io.InterruptedIOException;
-import java.io.Writer;
-
-import org.apache.log4j.FileAppender;
-import org.apache.log4j.Layout;
-import org.apache.log4j.helpers.CountingQuietWriter;
-import org.apache.log4j.helpers.LogLog;
-import org.apache.log4j.helpers.OptionConverter;
-import org.apache.log4j.spi.LoggingEvent;
-
-public class RollingFileWithoutDeleteAppender extends FileAppender {
- /**
- * The default maximum file size is 10MB.
- */
- protected long maxFileSize = 10 * 1024 * 1024;
-
- private long nextRollover = 0;
-
- /**
- * The default constructor simply calls its {@link FileAppender#FileAppender
- * parents constructor}.
- */
- public RollingFileWithoutDeleteAppender() {
- super();
- }
-
- /**
- * Instantiate a RollingFileAppender and open the file designated by
- * <code>filename</code>. The opened filename will become the ouput
- * destination for this appender.
- * <p>
- * If the <code>append</code> parameter is true, the file will be appended to.
- * Otherwise, the file desginated by <code>filename</code> will be truncated
- * before being opened.
- */
- public RollingFileWithoutDeleteAppender(Layout layout, String filename,
- boolean append) throws IOException {
- super(layout, getLogFileName(filename), append);
- }
-
- /**
- * Instantiate a FileAppender and open the file designated by
- * <code>filename</code>. The opened filename will become the output
- * destination for this appender.
- * <p>
- * The file will be appended to.
- */
- public RollingFileWithoutDeleteAppender(Layout layout, String filename)
- throws IOException {
- super(layout, getLogFileName(filename));
- }
-
- /**
- * Get the maximum size that the output file is allowed to reach before being
- * rolled over to backup files.
- */
- public long getMaximumFileSize() {
- return maxFileSize;
- }
-
- /**
- * Implements the usual roll over behaviour.
- * <p>
- * <code>File</code> is renamed <code>File.yyyyMMddHHmmss</code> and closed. A
- * new <code>File</code> is created to receive further log output.
- */
- // synchronization not necessary since doAppend is alreasy synched
- public void rollOver() {
- if (qw != null) {
- long size = ((CountingQuietWriter) qw).getCount();
- LogLog.debug("rolling over count=" + size);
- // if operation fails, do not roll again until
- // maxFileSize more bytes are written
- nextRollover = size + maxFileSize;
- }
-
- this.closeFile(); // keep windows happy.
-
- String newFileName = getLogFileName(fileName);
- try {
- // This will also close the file. This is OK since multiple
- // close operations are safe.
- this.setFile(newFileName, false, bufferedIO, bufferSize);
- nextRollover = 0;
- } catch (IOException e) {
- if (e instanceof InterruptedIOException) {
- Thread.currentThread().interrupt();
- }
- LogLog.error("setFile(" + newFileName + ", false) call failed: " + e.getMessage(), e);
- }
- }
-
- public synchronized void setFile(String fileName, boolean append,
- boolean bufferedIO, int bufferSize) throws IOException {
- super.setFile(fileName, append, this.bufferedIO, this.bufferSize);
- if (append) {
- File f = new File(fileName);
- ((CountingQuietWriter) qw).setCount(f.length());
- }
- }
-
- /**
- * Set the maximum size that the output file is allowed to reach before being
- * rolled over to backup files.
- * <p>
- * This method is equivalent to {@link #setMaxFileSize} except that it is
- * required for differentiating the setter taking a <code>long</code> argument
- * from the setter taking a <code>String</code> argument by the JavaBeans
- * {@link java.beans.Introspector Introspector}.
- *
- * @see #setMaxFileSize(String)
- */
- public void setMaximumFileSize(long maxFileSize) {
- this.maxFileSize = maxFileSize;
- }
-
- /**
- * Set the maximum size that the output file is allowed to reach before being
- * rolled over to backup files.
- * <p>
- * In configuration files, the <b>MaxFileSize</b> option takes an long integer
- * in the range 0 - 2^63. You can specify the value with the suffixes "KB",
- * "MB" or "GB" so that the integer is interpreted being expressed
- * respectively in kilobytes, megabytes or gigabytes. For example, the value
- * "10KB" will be interpreted as 10240.
- */
- public void setMaxFileSize(String value) {
- maxFileSize = OptionConverter.toFileSize(value, maxFileSize + 1);
- }
-
- protected void setQWForFiles(Writer writer) {
- this.qw = new CountingQuietWriter(writer, errorHandler);
- }
-
- /**
- * This method differentiates RollingFileAppender from its super class.
- */
- protected void subAppend(LoggingEvent event) {
- super.subAppend(event);
-
- if (fileName != null && qw != null) {
- long size = ((CountingQuietWriter) qw).getCount();
- if (size >= maxFileSize && size >= nextRollover) {
- rollOver();
- }
- }
- }
-
- // Mangled file name. Append the current timestamp
- private static String getLogFileName(String oldFileName) {
- return oldFileName + "." + Long.toString(System.currentTimeMillis());
- }
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
deleted file mode 100644
index a5fe4ec..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
+++ /dev/null
@@ -1,155 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.entity;
-
-import java.io.IOException;
-
-import org.codehaus.jackson.JsonFactory;
-import org.codehaus.jackson.JsonNode;
-import org.codehaus.jackson.map.MappingJsonFactory;
-import org.codehaus.jackson.map.ObjectMapper;
-import org.codehaus.jackson.node.ContainerNode;
-
-abstract public class AuditMetadataLogEntity implements JsonLogEntity {
-
- static final JsonFactory factory = new MappingJsonFactory();
- private String serviceName;
- private String userName;
- private String impersonator;
- private String ipAddress;
- private String operation;
- private String eventTime;
- private String operationText;
- private String allowed;
- private String objectType;
- private String component;
-
- void setCommonAttr(String serviceName, String userName, String impersonator, String ipAddress,
- String operation, String eventTime, String operationText, String allowed, String objectType,
- String component) {
- this.serviceName = serviceName;
- this.userName = userName;
- this.impersonator = impersonator;
- this.ipAddress = ipAddress;
- this.operation = operation;
- this.eventTime = eventTime;
- this.operationText = operationText;
- this.allowed = allowed;
- this.objectType = objectType;
- this.component = component;
- }
-
- public String getServiceName() {
- return serviceName;
- }
-
- public void setServiceName(String serviceName) {
- this.serviceName = serviceName;
- }
-
- public String getUserName() {
- return userName;
- }
-
- public void setUserName(String userName) {
- this.userName = userName;
- }
-
- public String getImpersonator() {
- return impersonator;
- }
-
- public void setImpersonator(String impersonator) {
- this.impersonator = impersonator;
- }
-
- public String getIpAddress() {
- return ipAddress;
- }
-
- public void setIpAddress(String ipAddress) {
- this.ipAddress = ipAddress;
- }
-
- public String getOperation() {
- return operation;
- }
-
- public void setOperation(String operation) {
- this.operation = operation;
- }
-
- public String getEventTime() {
- return eventTime;
- }
-
- public void setEventTime(String eventTime) {
- this.eventTime = eventTime;
- }
-
- public String getOperationText() {
- return operationText;
- }
-
- public void setOperationText(String operationText) {
- this.operationText = operationText;
- }
-
- public String getAllowed() {
- return allowed;
- }
-
- public void setAllowed(String allowed) {
- this.allowed = allowed;
- }
-
- public String getObjectType() {
- return objectType;
- }
-
- public void setObjectType(String objectType) {
- this.objectType = objectType;
- }
-
- public String getComponent() {
- return component;
- }
-
- public void setComponent(String component) {
- this.component = component;
- }
-
- /**
- * For use in tests
- *
- * @param json
- * incoming JSON to parse
- * @return a node tree
- * @throws IOException
- * on any parsing problems
- */
- public static ContainerNode parse(String json) throws IOException {
- ObjectMapper mapper = new ObjectMapper(factory);
- JsonNode jsonNode = mapper.readTree(json);
- if (!(jsonNode instanceof ContainerNode)) {
- throw new IOException("Wrong JSON data: " + json);
- }
- return (ContainerNode) jsonNode;
- }
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/DBAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/DBAuditMetadataLogEntity.java
deleted file mode 100644
index 4949ac7..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/DBAuditMetadataLogEntity.java
+++ /dev/null
@@ -1,124 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.entity;
-
-import java.io.IOException;
-import java.io.StringWriter;
-
-import org.apache.sentry.provider.db.log.util.Constants;
-import org.codehaus.jackson.JsonGenerator;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class DBAuditMetadataLogEntity extends AuditMetadataLogEntity {
- private static final Logger LOGGER = LoggerFactory.getLogger(DBAuditMetadataLogEntity.class);
-
- private String databaseName;
- private String tableName;
- private String columnName;
- private String resourcePath;
-
- public DBAuditMetadataLogEntity() {
- }
-
- public DBAuditMetadataLogEntity(String serviceName, String userName, String impersonator,
- String ipAddress, String operation, String eventTime, String operationText, String allowed,
- String objectType, String component, String databaseName, String tableName,
- String columnName, String resourcePath) {
- setCommonAttr(serviceName, userName, impersonator, ipAddress, operation, eventTime,
- operationText, allowed, objectType, component);
- this.databaseName = databaseName;
- this.tableName = tableName;
- this.columnName = columnName;
- this.resourcePath = resourcePath;
- }
-
- public String getDatabaseName() {
- return databaseName;
- }
-
- public void setDatabaseName(String databaseName) {
- this.databaseName = databaseName;
- }
-
- public String getTableName() {
- return tableName;
- }
-
- public void setTableName(String tableName) {
- this.tableName = tableName;
- }
-
- public String getColumnName() {
- return columnName;
- }
-
- public void setColumnName(String columnName) {
- this.columnName = columnName;
- }
-
- public String getResourcePath() {
- return resourcePath;
- }
-
- public void setResourcePath(String resourcePath) {
- this.resourcePath = resourcePath;
- }
-
- @Override
- public String toJsonFormatLog() throws Exception {
- StringWriter stringWriter = new StringWriter();
- JsonGenerator json = null;
- try {
- json = factory.createJsonGenerator(stringWriter);
- json.writeStartObject();
- json.writeStringField(Constants.LOG_FIELD_SERVICE_NAME, getServiceName());
- json.writeStringField(Constants.LOG_FIELD_USER_NAME, getUserName());
- json.writeStringField(Constants.LOG_FIELD_IMPERSONATOR, getImpersonator());
- json.writeStringField(Constants.LOG_FIELD_IP_ADDRESS, getIpAddress());
- json.writeStringField(Constants.LOG_FIELD_OPERATION, getOperation());
- json.writeStringField(Constants.LOG_FIELD_EVENT_TIME, getEventTime());
- json.writeStringField(Constants.LOG_FIELD_OPERATION_TEXT, getOperationText());
- json.writeStringField(Constants.LOG_FIELD_ALLOWED, getAllowed());
- json.writeStringField(Constants.LOG_FIELD_DATABASE_NAME, databaseName);
- json.writeStringField(Constants.LOG_FIELD_TABLE_NAME, tableName);
- json.writeStringField(Constants.LOG_FIELD_COLUMN_NAME, columnName);
- json.writeStringField(Constants.LOG_FIELD_RESOURCE_PATH, resourcePath);
- json.writeStringField(Constants.LOG_FIELD_OBJECT_TYPE, getObjectType());
- json.writeEndObject();
- json.flush();
- } catch (IOException e) {
- String msg = "Error creating audit log in json format: " + e.getMessage();
- LOGGER.error(msg, e);
- throw e;
- } finally {
- try {
- if (json != null) {
- json.close();
- }
- } catch (IOException e) {
- String msg = "Error when close json object: " + e.getMessage();
- LOGGER.error(msg, e);
- throw e;
- }
- }
-
- return stringWriter.toString();
- }
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/GMAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/GMAuditMetadataLogEntity.java
deleted file mode 100644
index 6911772..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/GMAuditMetadataLogEntity.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.entity;
-
-import java.io.IOException;
-import java.io.StringWriter;
-import java.util.LinkedHashMap;
-import java.util.Map;
-
-import org.apache.sentry.provider.db.log.util.Constants;
-import org.codehaus.jackson.JsonGenerator;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class GMAuditMetadataLogEntity extends AuditMetadataLogEntity {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(GMAuditMetadataLogEntity.class);
- private Map<String, String> privilegesMap;
-
- public GMAuditMetadataLogEntity() {
- privilegesMap = new LinkedHashMap<String, String>();
- }
-
- public GMAuditMetadataLogEntity(String serviceName, String userName, String impersonator,
- String ipAddress, String operation, String eventTime, String operationText, String allowed,
- String objectType, String component, Map<String, String> privilegesMap) {
- setCommonAttr(serviceName, userName, impersonator, ipAddress, operation, eventTime,
- operationText, allowed, objectType, component);
- this.privilegesMap = privilegesMap;
- }
-
- @Override
- public String toJsonFormatLog() throws Exception {
- StringWriter stringWriter = new StringWriter();
- JsonGenerator json = null;
- try {
- json = factory.createJsonGenerator(stringWriter);
- json.writeStartObject();
- json.writeStringField(Constants.LOG_FIELD_SERVICE_NAME, getServiceName());
- json.writeStringField(Constants.LOG_FIELD_USER_NAME, getUserName());
- json.writeStringField(Constants.LOG_FIELD_IMPERSONATOR, getImpersonator());
- json.writeStringField(Constants.LOG_FIELD_IP_ADDRESS, getIpAddress());
- json.writeStringField(Constants.LOG_FIELD_OPERATION, getOperation());
- json.writeStringField(Constants.LOG_FIELD_EVENT_TIME, getEventTime());
- json.writeStringField(Constants.LOG_FIELD_OPERATION_TEXT, getOperationText());
- json.writeStringField(Constants.LOG_FIELD_ALLOWED, getAllowed());
- for (Map.Entry<String, String> entry : privilegesMap.entrySet()) {
- json.writeStringField(entry.getKey(), entry.getValue());
- }
- json.writeStringField(Constants.LOG_FIELD_OBJECT_TYPE, getObjectType());
- json.writeStringField(Constants.LOG_FIELD_COMPONENT, getComponent());
- json.writeEndObject();
- json.flush();
- } catch (IOException e) {
- String msg = "Error creating audit log in json format: " + e.getMessage();
- LOGGER.error(msg, e);
- throw e;
- } finally {
- try {
- if (json != null) {
- json.close();
- }
- } catch (IOException e) {
- String msg = "Error when close json object: " + e.getMessage();
- LOGGER.error(msg, e);
- throw e;
- }
- }
-
- return stringWriter.toString();
- }
-
- public Map<String, String> getPrivilegesMap() {
- return privilegesMap;
- }
-
- public void setPrivilegesMap(Map<String, String> privilegesMap) {
- this.privilegesMap = privilegesMap;
- }
-
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
deleted file mode 100644
index 913f125..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.entity;
-
-public interface JsonLogEntity {
-
- String toJsonFormatLog() throws Exception;
-
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
deleted file mode 100644
index f6bb8a5..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
+++ /dev/null
@@ -1,351 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.entity;
-
-import java.util.Iterator;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.log.util.CommandUtil;
-import org.apache.sentry.provider.db.log.util.Constants;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsResponse;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddUsersRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddUsersResponse;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsResponse;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteUsersRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteUsersResponse;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeResponse;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeResponse;
-import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest;
-import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleResponse;
-import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
-import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse;
-import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.sentry.service.thrift.Status;
-import org.apache.sentry.service.thrift.TSentryResponseStatus;
-
-import com.google.common.base.Joiner;
-import com.google.common.collect.ImmutableSet;
-
-public final class JsonLogEntityFactory {
-
- private static JsonLogEntityFactory factory = new JsonLogEntityFactory();
-
- private JsonLogEntityFactory() {
- }
-
- public static JsonLogEntityFactory getInstance() {
- return factory;
- }
-
- // log entity for hive/impala create role
- public JsonLogEntity createJsonLogEntity(TCreateSentryRoleRequest request,
- TCreateSentryRoleResponse response, Configuration conf) {
- DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName());
- hamle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(
- request.getRoleName(), true));
-
- return hamle;
- }
-
- // log entity for hive/impala drop role
- public JsonLogEntity createJsonLogEntity(TDropSentryRoleRequest request,
- TDropSentryRoleResponse response, Configuration conf) {
- DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName());
- hamle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(
- request.getRoleName(), false));
-
- return hamle;
- }
-
- // log entity for hive/impala grant privilege
- public Set<JsonLogEntity> createJsonLogEntitys(
- TAlterSentryRoleGrantPrivilegeRequest request,
- TAlterSentryRoleGrantPrivilegeResponse response, Configuration conf) {
- ImmutableSet.Builder<JsonLogEntity> setBuilder = ImmutableSet.builder();
- if (request.isSetPrivileges()) {
- for (TSentryPrivilege privilege : request.getPrivileges()) {
- JsonLogEntity logEntity = createJsonLogEntity(request, privilege, response, conf);
- setBuilder.add(logEntity);
- }
- }
- return setBuilder.build();
- }
-
- private JsonLogEntity createJsonLogEntity(
- TAlterSentryRoleGrantPrivilegeRequest request, TSentryPrivilege privilege,
- TAlterSentryRoleGrantPrivilegeResponse response, Configuration conf) {
- DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName());
- hamle.setOperationText(CommandUtil.createCmdForGrantPrivilege(request));
- hamle.setDatabaseName(privilege.getDbName());
- hamle.setTableName(privilege.getTableName());
- hamle.setResourcePath(privilege.getURI());
- return hamle;
- }
-
- // log entity for hive/impala revoke privilege
- public Set<JsonLogEntity> createJsonLogEntitys(
- TAlterSentryRoleRevokePrivilegeRequest request,
- TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) {
- ImmutableSet.Builder<JsonLogEntity> setBuilder = ImmutableSet.builder();
- if (request.isSetPrivileges()) {
- for (TSentryPrivilege privilege : request.getPrivileges()) {
- JsonLogEntity logEntity = createJsonLogEntity(request, privilege, response, conf);
- setBuilder.add(logEntity);
- }
- }
- return setBuilder.build();
- }
-
- private JsonLogEntity createJsonLogEntity(
- TAlterSentryRoleRevokePrivilegeRequest request, TSentryPrivilege privilege,
- TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) {
- DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName());
- hamle.setOperationText(CommandUtil.createCmdForRevokePrivilege(request));
- hamle.setDatabaseName(privilege.getDbName());
- hamle.setTableName(privilege.getTableName());
- hamle.setResourcePath(privilege.getURI());
-
- return hamle;
- }
-
- // log entity for hive/impala add role to group
- public JsonLogEntity createJsonLogEntity(
- TAlterSentryRoleAddGroupsRequest request,
- TAlterSentryRoleAddGroupsResponse response, Configuration conf) {
- DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName());
- String groups = getGroupsStr(request.getGroupsIterator());
- hamle.setOperationText(CommandUtil.createCmdForRoleAddGroup(request.getRoleName(), groups));
-
- return hamle;
- }
-
- // log entity for hive/impala delete role from group
- public JsonLogEntity createJsonLogEntity(
- TAlterSentryRoleDeleteGroupsRequest request,
- TAlterSentryRoleDeleteGroupsResponse response, Configuration conf) {
- DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName());
- String groups = getGroupsStr(request.getGroupsIterator());
- hamle.setOperationText(CommandUtil.createCmdForRoleDeleteGroup(request.getRoleName(), groups));
-
- return hamle;
- }
-
- private String getGroupsStr(Iterator<TSentryGroup> iter) {
- StringBuilder groups = new StringBuilder("");
- if (iter != null) {
- boolean commaFlg = false;
- while (iter.hasNext()) {
- if (commaFlg) {
- groups.append(", ");
- } else {
- commaFlg = true;
- }
- groups.append(iter.next().getGroupName());
- }
- }
- return groups.toString();
- }
-
- public JsonLogEntity createJsonLogEntity(TAlterSentryRoleAddUsersRequest request,
- TAlterSentryRoleAddUsersResponse response, Configuration conf) {
- AuditMetadataLogEntity amle = createCommonHAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName());
- String users = getUsersStr(request.getUsersIterator());
- amle.setOperationText(CommandUtil.createCmdForRoleAddUser(request.getRoleName(), users));
-
- return amle;
- }
-
- public JsonLogEntity createJsonLogEntity(TAlterSentryRoleDeleteUsersRequest request,
- TAlterSentryRoleDeleteUsersResponse response, Configuration conf) {
- AuditMetadataLogEntity amle = createCommonHAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName());
- String users = getUsersStr(request.getUsersIterator());
- amle.setOperationText(CommandUtil.createCmdForRoleDeleteUser(request.getRoleName(), users));
-
- return amle;
- }
-
- private String getUsersStr(Iterator<String> iter) {
- StringBuilder users = new StringBuilder("");
- if (iter != null) {
- boolean commaFlg = false;
- while (iter.hasNext()) {
- if (commaFlg) {
- users.append(", ");
- } else {
- commaFlg = true;
- }
- users.append(iter.next());
- }
- }
- return users.toString();
- }
-
- public String isAllowed(TSentryResponseStatus status) {
- if (status.equals(Status.OK())) {
- return Constants.TRUE;
- }
- return Constants.FALSE;
- }
-
- // log entity for generic model create role
- public JsonLogEntity createJsonLogEntity(
- org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest request,
- org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleResponse response,
- Configuration conf) {
- GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
- gmamle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(request.getRoleName(), true));
-
- return gmamle;
- }
-
- // log entity for generic model drop role
- public JsonLogEntity createJsonLogEntity(
- org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest request,
- org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleResponse response,
- Configuration conf) {
- GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
- gmamle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(request.getRoleName(), false));
-
- return gmamle;
- }
-
- // log entity for generic model grant privilege
- public JsonLogEntity createJsonLogEntity(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest request,
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeResponse response,
- Configuration conf) {
- GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
- if (request.getPrivilege() != null) {
- List<TAuthorizable> authorizables = request.getPrivilege().getAuthorizables();
- Map<String, String> privilegesMap = new LinkedHashMap<String, String>();
- if (authorizables != null) {
- for (TAuthorizable authorizable : authorizables) {
- privilegesMap.put(authorizable.getType(), authorizable.getName());
- }
- }
- gmamle.setPrivilegesMap(privilegesMap);
- }
- gmamle.setOperationText(CommandUtil.createCmdForGrantGMPrivilege(request));
-
- return gmamle;
- }
-
- // log entity for generic model revoke privilege
- public JsonLogEntity createJsonLogEntity(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest request,
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeResponse response,
- Configuration conf) {
- GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
- if (request.getPrivilege() != null) {
- List<TAuthorizable> authorizables = request.getPrivilege().getAuthorizables();
- Map<String, String> privilegesMap = new LinkedHashMap<String, String>();
- if (authorizables != null) {
- for (TAuthorizable authorizable : authorizables) {
- privilegesMap.put(authorizable.getType(), authorizable.getName());
- }
- }
- gmamle.setPrivilegesMap(privilegesMap);
- }
- gmamle.setOperationText(CommandUtil.createCmdForRevokeGMPrivilege(request));
-
- return gmamle;
- }
-
- // log entity for generic model add role to group
- public JsonLogEntity createJsonLogEntity(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest request,
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsResponse response,
- Configuration conf) {
- GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
- Joiner joiner = Joiner.on(",");
- String groups = joiner.join(request.getGroupsIterator());
- gmamle.setOperationText(CommandUtil.createCmdForRoleAddGroup(request.getRoleName(), groups));
-
- return gmamle;
- }
-
- // log entity for hive delete role from group
- public JsonLogEntity createJsonLogEntity(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest request,
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsResponse response,
- Configuration conf) {
- GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
- request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
- Joiner joiner = Joiner.on(",");
- String groups = joiner.join(request.getGroupsIterator());
- gmamle.setOperationText(CommandUtil.createCmdForRoleDeleteGroup(request.getRoleName(), groups));
-
- return gmamle;
- }
-
- private DBAuditMetadataLogEntity createCommonHAMLE(Configuration conf,
- TSentryResponseStatus responseStatus, String userName, String requestClassName) {
- DBAuditMetadataLogEntity hamle = new DBAuditMetadataLogEntity();
- setCommAttrForAMLE(hamle, conf, responseStatus, userName, requestClassName);
- return hamle;
- }
-
- private GMAuditMetadataLogEntity createCommonGMAMLE(Configuration conf,
- TSentryResponseStatus responseStatus, String userName, String requestClassName,
- String component) {
- GMAuditMetadataLogEntity gmamle = new GMAuditMetadataLogEntity();
- setCommAttrForAMLE(gmamle, conf, responseStatus, userName, requestClassName);
- gmamle.setComponent(component);
- return gmamle;
- }
-
- private void setCommAttrForAMLE(AuditMetadataLogEntity amle, Configuration conf,
- TSentryResponseStatus responseStatus, String userName, String requestClassName) {
- amle.setUserName(userName);
- amle.setServiceName(conf.get(ServerConfig.SENTRY_SERVICE_NAME,
- ServerConfig.SENTRY_SERVICE_NAME_DEFAULT).trim());
- amle.setImpersonator(ThriftUtil.getImpersonator());
- amle.setIpAddress(ThriftUtil.getIpAddress());
- amle.setOperation(Constants.requestTypeToOperationMap.get(requestClassName));
- amle.setEventTime(Long.toString(System.currentTimeMillis()));
- amle.setAllowed(isAllowed(responseStatus));
- amle.setObjectType(Constants.requestTypeToObjectTypeMap
- .get(requestClassName));
- }
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
deleted file mode 100644
index 328bbbb..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
+++ /dev/null
@@ -1,233 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.util;
-
-import java.net.InetAddress;
-import java.net.NetworkInterface;
-import java.util.Enumeration;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
-import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
-import org.datanucleus.util.StringUtils;
-
-import com.google.common.annotations.VisibleForTesting;
-
-public final class CommandUtil {
-
- public CommandUtil() {
- // Make constructor private to avoid instantiation
- }
-
- public static String createCmdForCreateOrDropRole(String roleName,
- boolean isCreate) {
- if (isCreate) {
- return "CREATE ROLE " + roleName;
- }
- return "DROP ROLE " + roleName;
- }
-
- public static String createCmdForRoleAddGroup(String roleName, String groups) {
- return createCmdForRoleGrant(roleName, groups, true, true);
- }
-
- public static String createCmdForRoleDeleteGroup(String roleName, String groups) {
- return createCmdForRoleGrant(roleName, groups, false, true);
- }
-
- private static String createCmdForRoleGrant(String roleName, String principals,
- boolean isGrant, boolean isGroup) {
- StringBuilder sb = new StringBuilder();
- if (isGrant) {
- sb.append("GRANT ROLE ");
- } else {
- sb.append("REVOKE ROLE ");
- }
- sb.append(roleName);
- if (isGrant) {
- sb.append(" TO ");
- } else {
- sb.append(" FROM ");
- }
-
- String principalType = isGroup ? "GROUP" : "USER";
- if (!StringUtils.isEmpty(principals)) {
- sb.append(principalType).append(" ").append(principals);
- } else {
- sb = new StringBuilder("Missing " + principalType + " information.");
- }
-
- return sb.toString();
- }
-
- public static String createCmdForRoleAddUser(String roleName, String users) {
- return createCmdForRoleGrant(roleName, users, true, false);
- }
-
- public static String createCmdForRoleDeleteUser(String roleName, String users) {
- return createCmdForRoleGrant(roleName, users, false, false);
- }
-
- public static String createCmdForGrantPrivilege(
- TAlterSentryRoleGrantPrivilegeRequest request) {
- return createCmdForGrantOrRevokePrivileges(request.getRoleName(),
- request.getPrivileges(), true);
- }
-
- public static String createCmdForRevokePrivilege(
- TAlterSentryRoleRevokePrivilegeRequest request) {
- return createCmdForGrantOrRevokePrivileges(request.getRoleName(),
- request.getPrivileges(), false);
- }
-
- private static String createCmdForGrantOrRevokePrivileges(String roleName,
- Set<TSentryPrivilege> privileges, boolean isGrant) {
- StringBuilder sb = new StringBuilder();
- if (privileges != null) {
- for (TSentryPrivilege privilege : privileges) {
- sb.append(createCmdForGrantOrRevokePrivilege(roleName, privilege, isGrant));
- }
- }
- return sb.toString();
- }
-
- private static String createCmdForGrantOrRevokePrivilege(String roleName,
- TSentryPrivilege privilege, boolean isGrant) {
- StringBuilder sb = new StringBuilder();
- if (isGrant) {
- sb.append("GRANT ");
- } else {
- sb.append("REVOKE ");
- }
-
- String action = privilege.getAction();
- String privilegeScope = privilege.getPrivilegeScope();
- if (AccessConstants.ALL.equalsIgnoreCase(action)) {
- sb.append("ALL");
- } else {
- if (action != null) {
- action = action.toUpperCase();
- }
- sb.append(action);
- }
-
- sb.append(" ON ").append(privilege.getPrivilegeScope()).append(" ");
- if (PrivilegeScope.DATABASE.name().equalsIgnoreCase(privilegeScope)) {
- sb.append(privilege.getDbName());
- } else if (PrivilegeScope.TABLE.name().equalsIgnoreCase(privilegeScope)) {
- sb.append(privilege.getTableName());
- } else if (PrivilegeScope.SERVER.name().equalsIgnoreCase(privilegeScope)) {
- sb.append(privilege.getServerName());
- } else if (PrivilegeScope.URI.name().equalsIgnoreCase(privilegeScope)) {
- sb.append(privilege.getURI());
- }
-
- if (isGrant) {
- sb.append(" TO ROLE ");
- } else {
- sb.append(" FROM ROLE ");
- }
- sb.append(roleName);
-
- if (privilege.getGrantOption() == TSentryGrantOption.TRUE) {
- sb.append(" WITH GRANT OPTION");
- }
-
- return sb.toString();
- }
-
- public static String createCmdForGrantGMPrivilege(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest request) {
- return createCmdForGrantOrRevokeGMPrivilege(request.getRoleName(), request.getPrivilege(), true);
- }
-
- public static String createCmdForRevokeGMPrivilege(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest request) {
- return createCmdForGrantOrRevokeGMPrivilege(request.getRoleName(), request.getPrivilege(),
- false);
- }
-
- private static String createCmdForGrantOrRevokeGMPrivilege(String roleName,
- org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege,
- boolean isGrant) {
- StringBuilder sb = new StringBuilder();
- if (isGrant) {
- sb.append("GRANT ");
- } else {
- sb.append("REVOKE ");
- }
-
- String action = privilege.getAction();
- if (AccessConstants.ALL.equalsIgnoreCase(action)) {
- sb.append("ALL");
- } else {
- if (action != null) {
- action = action.toUpperCase();
- }
- sb.append(action);
- }
-
- sb.append(" ON");
-
- List<TAuthorizable> authorizables = privilege.getAuthorizables();
- if (authorizables != null) {
- for (TAuthorizable authorizable : authorizables) {
- sb.append(" ").append(authorizable.getType()).append(" ").append(authorizable.getName());
- }
- }
-
- if (isGrant) {
- sb.append(" TO ROLE ");
- } else {
- sb.append(" FROM ROLE ");
- }
- sb.append(roleName);
-
- if (privilege.getGrantOption() == org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption.TRUE) {
- sb.append(" WITH GRANT OPTION");
- }
-
- return sb.toString();
- }
-
- // Check if the given IP is one of the local IP.
- @VisibleForTesting
- public static boolean assertIPInAuditLog(String ipInAuditLog) throws Exception {
- if (ipInAuditLog == null) {
- return false;
- }
- Enumeration<NetworkInterface> netInterfaces = NetworkInterface.getNetworkInterfaces();
- while (netInterfaces.hasMoreElements()) {
- NetworkInterface ni = netInterfaces.nextElement();
- Enumeration<InetAddress> ips = ni.getInetAddresses();
- while (ips.hasMoreElements()) {
- if (ipInAuditLog.indexOf(ips.nextElement().getHostAddress()) != -1) {
- return true;
- }
- }
- }
- return false;
- }
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
deleted file mode 100644
index 2e71ce0..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
+++ /dev/null
@@ -1,162 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.log.util;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import org.apache.sentry.provider.db.service.thrift.*;
-
-public final class Constants {
- public final static String AUDIT_LOGGER_NAME = "sentry.hive.authorization.ddl.logger";
- public final static String AUDIT_LOGGER_NAME_GENERIC = "sentry.generic.authorization.ddl.logger";
-
- public final static String LOG_FIELD_SERVICE_NAME = "serviceName";
- public final static String LOG_FIELD_USER_NAME = "userName";
- public final static String LOG_FIELD_IMPERSONATOR = "impersonator";
- public final static String LOG_FIELD_IP_ADDRESS = "ipAddress";
- public final static String LOG_FIELD_OPERATION = "operation";
- public final static String LOG_FIELD_EVENT_TIME = "eventTime";
- public final static String LOG_FIELD_OPERATION_TEXT = "operationText";
- public final static String LOG_FIELD_ALLOWED = "allowed";
- public final static String LOG_FIELD_DATABASE_NAME = "databaseName";
- public final static String LOG_FIELD_TABLE_NAME = "tableName";
- public final static String LOG_FIELD_COLUMN_NAME = "column";
- public final static String LOG_FIELD_RESOURCE_PATH = "resourcePath";
- public final static String LOG_FIELD_OBJECT_TYPE = "objectType";
- public final static String LOG_FIELD_COMPONENT = "component";
-
- public final static String OPERATION_CREATE_ROLE = "CREATE_ROLE";
- public final static String OPERATION_DROP_ROLE = "DROP_ROLE";
- public final static String OPERATION_ADD_ROLE = "ADD_ROLE_TO_GROUP";
- public final static String OPERATION_DELETE_ROLE = "DELETE_ROLE_FROM_GROUP";
- public final static String OPERATION_ADD_ROLE_USER = "ADD_ROLE_TO_USER";
- public final static String OPERATION_DELETE_ROLE_USER = "DELETE_ROLE_FROM_USER";
- public final static String OPERATION_GRANT_PRIVILEGE = "GRANT_PRIVILEGE";
- public final static String OPERATION_REVOKE_PRIVILEGE = "REVOKE_PRIVILEGE";
-
- public final static String OBJECT_TYPE_PRINCIPAL = "PRINCIPAL";
- public final static String OBJECT_TYPE_ROLE = "ROLE";
-
- public final static String TRUE = "true";
- public final static String FALSE = "false";
-
- public static final Map<String, String> requestTypeToOperationMap = new HashMap<String, String>();
- public static final Map<String, String> requestTypeToObjectTypeMap = new HashMap<String, String>();
-
- static {
- // for hive audit log
- requestTypeToOperationMap.put(TCreateSentryRoleRequest.class.getName(),
- Constants.OPERATION_CREATE_ROLE);
- requestTypeToOperationMap.put(
- TAlterSentryRoleGrantPrivilegeRequest.class.getName(),
- Constants.OPERATION_GRANT_PRIVILEGE);
- requestTypeToOperationMap.put(
- TAlterSentryRoleRevokePrivilegeRequest.class.getName(),
- Constants.OPERATION_REVOKE_PRIVILEGE);
- requestTypeToOperationMap.put(TDropSentryRoleRequest.class.getName(),
- Constants.OPERATION_DROP_ROLE);
- requestTypeToOperationMap.put(
- TAlterSentryRoleAddGroupsRequest.class.getName(),
- Constants.OPERATION_ADD_ROLE);
- requestTypeToOperationMap.put(
- TAlterSentryRoleDeleteGroupsRequest.class.getName(),
- Constants.OPERATION_DELETE_ROLE);
- requestTypeToOperationMap.put(
- TAlterSentryRoleAddUsersRequest.class.getName(),
- Constants.OPERATION_ADD_ROLE_USER);
- requestTypeToOperationMap.put(
- TAlterSentryRoleDeleteUsersRequest.class.getName(),
- Constants.OPERATION_DELETE_ROLE_USER);
-
- // for generic model audit log
- requestTypeToOperationMap.put(
- org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest.class
- .getName(), Constants.OPERATION_CREATE_ROLE);
- requestTypeToOperationMap
- .put(org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest.class
- .getName(), Constants.OPERATION_DROP_ROLE);
- requestTypeToOperationMap
- .put(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest.class
- .getName(), Constants.OPERATION_GRANT_PRIVILEGE);
- requestTypeToOperationMap
- .put(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest.class
- .getName(), Constants.OPERATION_REVOKE_PRIVILEGE);
- requestTypeToOperationMap.put(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest.class
- .getName(), Constants.OPERATION_ADD_ROLE);
- requestTypeToOperationMap
- .put(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest.class
- .getName(), Constants.OPERATION_DELETE_ROLE);
-
- // for hive audit log
- requestTypeToObjectTypeMap.put(TCreateSentryRoleRequest.class.getName(),
- Constants.OBJECT_TYPE_ROLE);
- requestTypeToObjectTypeMap.put(TDropSentryRoleRequest.class.getName(),
- Constants.OBJECT_TYPE_ROLE);
- requestTypeToObjectTypeMap.put(
- TAlterSentryRoleAddGroupsRequest.class.getName(),
- Constants.OBJECT_TYPE_ROLE);
- requestTypeToObjectTypeMap.put(
- TAlterSentryRoleDeleteGroupsRequest.class.getName(),
- Constants.OBJECT_TYPE_ROLE);
- requestTypeToObjectTypeMap.put(
- TAlterSentryRoleAddUsersRequest.class.getName(),
- Constants.OBJECT_TYPE_ROLE);
- requestTypeToObjectTypeMap.put(
- TAlterSentryRoleDeleteUsersRequest.class.getName(),
- Constants.OBJECT_TYPE_ROLE);
- requestTypeToObjectTypeMap.put(
- TAlterSentryRoleGrantPrivilegeRequest.class.getName(),
- Constants.OBJECT_TYPE_PRINCIPAL);
- requestTypeToObjectTypeMap.put(
- TAlterSentryRoleRevokePrivilegeRequest.class.getName(),
- Constants.OBJECT_TYPE_PRINCIPAL);
- // for generic model audit log
- requestTypeToObjectTypeMap.put(
- org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest.class
- .getName(), Constants.OBJECT_TYPE_ROLE);
- requestTypeToObjectTypeMap
- .put(org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest.class
- .getName(), Constants.OBJECT_TYPE_ROLE);
- requestTypeToObjectTypeMap.put(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest.class
- .getName(), Constants.OBJECT_TYPE_ROLE);
- requestTypeToObjectTypeMap
- .put(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest.class
- .getName(), Constants.OBJECT_TYPE_ROLE);
- requestTypeToObjectTypeMap
- .put(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest.class
- .getName(), Constants.OBJECT_TYPE_PRINCIPAL);
- requestTypeToObjectTypeMap
- .put(
- org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest.class
- .getName(), Constants.OBJECT_TYPE_PRINCIPAL);
- }
-
- private Constants() {
- // Make constructor private to avoid instantiation
- }
-
-}
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java
deleted file mode 100644
index 55b61ac..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java
+++ /dev/null
@@ -1,497 +0,0 @@
-/**
-vim * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.model;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
-
-import java.lang.reflect.Field;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Set;
-
-import javax.jdo.annotations.PersistenceCapable;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.db.AccessConstants;
-
-import com.google.common.base.Strings;
-import com.google.common.collect.Lists;
-
-/**
- * Database backed Sentry Generic Privilege for new authorization Model
- * Any changes to this object
- * require re-running the maven build so DN an re-enhance.
- */
-@PersistenceCapable
-public class MSentryGMPrivilege {
- private static final String PREFIX_RESOURCE_NAME = "resourceName";
- private static final String PREFIX_RESOURCE_TYPE = "resourceType";
- private static final String NULL_COL = "__NULL__";
- private static final String SERVICE_SCOPE = "Server";
- private static final int AUTHORIZABLE_LEVEL = 4;
- /**
- * The authorizable List has been stored into resourceName and resourceField columns
- * We assume that the generic model privilege for any component(hive/impala or solr) doesn't exceed four level.
- * This generic model privilege currently can support maximum 4 level.
- **/
- private String resourceName0 = NULL_COL; //NOPMD
- private String resourceType0 = NULL_COL; //NOPMD
- private String resourceName1 = NULL_COL; //NOPMD
- private String resourceType1 = NULL_COL; //NOPMD
- private String resourceName2 = NULL_COL; //NOPMD
- private String resourceType2 = NULL_COL; //NOPMD
- private String resourceName3 = NULL_COL; //NOPMD
- private String resourceType3 = NULL_COL; //NOPMD
-
-
- private String serviceName;
- private String componentName;
- private String action;
- private String scope;
-
- private Boolean grantOption = false;
- // roles this privilege is a part of
- private Set<MSentryRole> roles;
- private long createTime;
-
- public MSentryGMPrivilege() {
- this.roles = new HashSet<MSentryRole>();
- }
-
- public MSentryGMPrivilege(String componentName, String serviceName,
- List<? extends Authorizable> authorizables,
- String action, Boolean grantOption) {
- this.componentName = componentName;
- this.serviceName = serviceName;
- this.action = action;
- this.grantOption = grantOption;
- this.roles = new HashSet<MSentryRole>();
- this.createTime = System.currentTimeMillis();
- setAuthorizables(authorizables);
- }
-
- public MSentryGMPrivilege(MSentryGMPrivilege copy) {
- this.action = copy.action;
- this.componentName = copy.componentName;
- this.serviceName = copy.serviceName;
- this.grantOption = copy.grantOption;
- this.scope = copy.scope;
- this.createTime = copy.createTime;
- setAuthorizables(copy.getAuthorizables());
- this.roles = new HashSet<MSentryRole>();
- for (MSentryRole role : copy.roles) {
- roles.add(role);
- }
- }
-
- public String getServiceName() {
- return serviceName;
- }
-
- public void setServiceName(String serviceName) {
- this.serviceName = serviceName;
- }
-
- public String getComponentName() {
- return componentName;
- }
-
- public void setComponentName(String componentName) {
- this.componentName = componentName;
- }
-
- public String getAction() {
- return action;
- }
-
- public void setAction(String action) {
- this.action = action;
- }
-
- public Boolean getGrantOption() {
- return grantOption;
- }
-
- public void setGrantOption(Boolean grantOption) {
- this.grantOption = grantOption;
- }
-
- public Set<MSentryRole> getRoles() {
- return roles;
- }
-
- public void setRoles(Set<MSentryRole> roles) {
- this.roles = roles;
- }
-
- public long getCreateTime() {
- return createTime;
- }
-
- public void setCreateTime(long createTime) {
- this.createTime = createTime;
- }
-
- public String getScope() {
- return scope;
- }
-
- public List<? extends Authorizable> getAuthorizables() {
- List<Authorizable> authorizables = Lists.newArrayList();
- //construct atuhorizable lists
- for (int i = 0; i < AUTHORIZABLE_LEVEL; i++) {
- final String resourceName = (String) getField(this, PREFIX_RESOURCE_NAME + String.valueOf(i));
- final String resourceTYpe = (String) getField(this, PREFIX_RESOURCE_TYPE + String.valueOf(i));
-
- if (notNULL(resourceName) && notNULL(resourceTYpe)) {
- authorizables.add(new Authorizable() {
- @Override
- public String getTypeName() {
- return resourceTYpe;
- }
- @Override
- public String getName() {
- return resourceName;
- }
- });
- }
- }
- return authorizables;
- }
-
- /**
- * Only allow strict hierarchies. That is, can level =1 be not null when level = 0 is null
- * @param authorizables
- */
- public void setAuthorizables(List<? extends Authorizable> authorizables) {
- if (authorizables == null || authorizables.isEmpty()) {
- //service scope
- scope = SERVICE_SCOPE;
- return;
- }
- if (authorizables.size() > AUTHORIZABLE_LEVEL) {
- throw new IllegalStateException("This generic privilege model only supports maximum 4 level.");
- }
-
- for (int i = 0; i < authorizables.size(); i++) {
- Authorizable authorizable = authorizables.get(i);
- if (authorizable == null) {
- String msg = String.format("The authorizable can't be null. Please check authorizables[%d]:", i);
- throw new IllegalStateException(msg);
- }
- String resourceName = authorizable.getName();
- String resourceTYpe = authorizable.getTypeName();
- if (isNULL(resourceName) || isNULL(resourceTYpe)) {
- String msg = String.format("The name and type of authorizable can't be empty or null.Please check authorizables[%d]", i);
- throw new IllegalStateException(msg);
- }
- setField(this, PREFIX_RESOURCE_NAME + String.valueOf(i), toNULLCol(resourceName));
- setField(this, PREFIX_RESOURCE_TYPE + String.valueOf(i), toNULLCol(resourceTYpe));
- scope = resourceTYpe;
- }
- }
-
- public void appendRole(MSentryRole role) {
- if (roles.add(role)) {
- role.appendGMPrivilege(this);
- }
- }
-
- public void removeRole(MSentryRole role) {
- if(roles.remove(role)) {
- role.removeGMPrivilege(this);
- }
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((action == null) ? 0 : action.hashCode());
- result = prime * result + ((componentName == null) ? 0 : componentName.hashCode());
- result = prime * result + ((serviceName == null) ? 0 : serviceName.hashCode());
- result = prime * result + ((grantOption == null) ? 0 : grantOption.hashCode());
- result = prime * result + ((scope == null) ? 0 : scope.hashCode());
-
- for (Authorizable authorizable : getAuthorizables()) {
- result = prime * result + authorizable.getName().hashCode();
- result = prime * result + authorizable.getTypeName().hashCode();
- }
-
- return result;
- }
-
- @Override
- public String toString() {
- List<String> unifiedNames = Lists.newArrayList();
- for (Authorizable auth : getAuthorizables()) {
- unifiedNames.add(KV_JOINER.join(auth.getTypeName(),auth.getName()));
- }
-
- return "MSentryGMPrivilege ["
- + "serverName=" + serviceName + ", componentName=" + componentName
- + ", authorizables=" + AUTHORIZABLE_JOINER.join(unifiedNames)+ ", scope=" + scope
- + ", action=" + action + ", roles=[...]" + ", createTime="
- + createTime + ", grantOption=" + grantOption +"]";
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj) {
- return true;
- }
- if (obj == null) {
- return false;
- }
- if (getClass() != obj.getClass()) {
- return false;
- }
- MSentryGMPrivilege other = (MSentryGMPrivilege) obj;
- if (action == null) {
- if (other.action != null) {
- return false;
- }
- } else if (!action.equalsIgnoreCase(other.action)) {
- return false;
- }
- if (scope == null) {
- if (other.scope != null) {
- return false;
- }
- } else if (!scope.equals(other.scope)) {
- return false;
- }
- if (serviceName == null) {
- if (other.serviceName != null) {
- return false;
- }
- } else if (!serviceName.equals(other.serviceName)) {
- return false;
- }
- if (componentName == null) {
- if (other.componentName != null) {
- return false;
- }
- } else if (!componentName.equals(other.componentName)) {
- return false;
- }
- if (grantOption == null) {
- if (other.grantOption != null) {
- return false;
- }
- } else if (!grantOption.equals(other.grantOption)) {
- return false;
- }
-
- List<? extends Authorizable> authorizables = getAuthorizables();
- List<? extends Authorizable> otherAuthorizables = other.getAuthorizables();
-
- if (authorizables.size() != otherAuthorizables.size()) {
- return false;
- }
- for (int i = 0; i < authorizables.size(); i++) {
- String o1 = KV_JOINER.join(authorizables.get(i).getTypeName(),
- authorizables.get(i).getName());
- String o2 = KV_JOINER.join(otherAuthorizables.get(i).getTypeName(),
- otherAuthorizables.get(i).getName());
- if (!o1.equals(o2)) {
- return false;
- }
- }
- return true;
- }
-
- /**
- * Return true if this privilege implies request privilege
- * Otherwise, return false
- * @param other, other privilege
- */
- public boolean implies(MSentryGMPrivilege request) {
- //component check
- if (!componentName.equals(request.getComponentName())) {
- return false;
- }
- //service check
- if (!serviceName.equals(request.getServiceName())) {
- return false;
- }
- // check action implies
- if (!action.equalsIgnoreCase(AccessConstants.ALL)
- && !action.equalsIgnoreCase(request.getAction())
- && !action.equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
- return false;
- }
- //check authorizable list implies
- Iterator<? extends Authorizable> existIterator = getAuthorizables().iterator();
- Iterator<? extends Authorizable> requestIterator = request.getAuthorizables().iterator();
- while (existIterator.hasNext() && requestIterator.hasNext()) {
- Authorizable existAuth = existIterator.next();
- Authorizable requestAuth = requestIterator.next();
- //check authorizable type
- if (!existAuth.getTypeName().equals(requestAuth.getTypeName())) {
- return false;
- }
- //check authorizable name
- if (!existAuth.getName().equals(requestAuth.getName())) {
- /**The persistent authorizable isn't equal the request authorizable
- * but the following situations are pass check
- * The name of persistent authorizable is ALL or "*"
- */
- if (existAuth.getName().equalsIgnoreCase(AccessConstants.ACTION_ALL)
- || existAuth.getName().equalsIgnoreCase(AccessConstants.ALL)) {
- continue;
- } else {
- return false;
- }
- }
- }
-
- if ( !existIterator.hasNext() && !requestIterator.hasNext() ){
- /**
- * The persistent privilege has the same authorizables size as the requested privilege
- * The check is pass
- */
- return true;
-
- } else if (existIterator.hasNext()) {
- /**
- * The persistent privilege has much more authorizables than request privilege,so its scope is less
- * than the requested privilege.
- * There is a situation that the check is pass, the name of the exceeding authorizables is ALL or "*".
- * Take the Solr for example,the exist privilege is collection=c1->field=*->action=query
- * the request privilege is collection=c1->action=query, the check is pass
- */
- while (existIterator.hasNext()) {
- Authorizable existAuthorizable = existIterator.next();
- if (existAuthorizable.getName().equalsIgnoreCase(AccessConstants.ALL)
- || existAuthorizable.getName().equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
- continue;
- } else {
- return false;
- }
- }
- } else {
- /**
- * The requested privilege has much more authorizables than persistent privilege, so its scope is less
- * than the persistent privilege
- * The check is pass
- */
- return true;
- }
-
- return true;
- }
-
- public static String toNULLCol(String col) {
- return Strings.isNullOrEmpty(col) ? NULL_COL : col;
- }
-
- public static boolean notNULL(String s) {
- return !(Strings.isNullOrEmpty(s) || NULL_COL.equals(s));
- }
-
- public static boolean isNULL(String s) {
- return !notNULL(s);
- }
-
- public static <T> void setField(Object obj, String fieldName, T fieldValue) {
- try {
- Class<?> clazz = obj.getClass();
- Field field=clazz.getDeclaredField(fieldName);
- field.setAccessible(true);
- field.set(obj, fieldValue);
- } catch (Exception e) {
- throw new RuntimeException("setField error: " + e.getMessage(), e);
- }
- }
-
- @SuppressWarnings("unchecked")
- public static <T> T getField(Object obj, String fieldName) {
- try {
- Class<?> clazz = obj.getClass();
- Field field=clazz.getDeclaredField(fieldName);
- field.setAccessible(true);
- return (T)field.get(obj);
- } catch (Exception e) {
- throw new RuntimeException("getField error: " + e.getMessage(), e);
- }
- }
-
- /**
- * return the query to execute in JDO for search the given privilege
- * @param privilege
- * @return query
- */
- public static String toQuery(MSentryGMPrivilege privilege) {
- StringBuilder query = new StringBuilder();
- query.append("serviceName == \"" + toNULLCol(privilege.getServiceName()) + "\" ");
- query.append("&& componentName == \"" + toNULLCol(privilege.getComponentName()) + "\" ");
- query.append("&& scope == \"" + toNULLCol(privilege.getScope()) + "\" ");
- query.append("&& action == \"" + toNULLCol(privilege.getAction()) + "\"");
- if (privilege.getGrantOption() == null) {
- query.append("&& this.grantOption == null ");
- } else if (privilege.getGrantOption()) {
- query.append("&& grantOption ");
- } else {
- query.append("&& !grantOption ");
- }
- List<? extends Authorizable> authorizables = privilege.getAuthorizables();
- for (int i = 0; i < AUTHORIZABLE_LEVEL; i++) {
- String resourceName = PREFIX_RESOURCE_NAME + String.valueOf(i);
- String resourceType = PREFIX_RESOURCE_TYPE + String.valueOf(i);
-
- if (i >= authorizables.size()) {
- query.append("&& " + resourceName + " == \"" + NULL_COL + "\" ");
- query.append("&& " + resourceType + " == \"" + NULL_COL + "\" ");
- } else {
- query.append("&& " + resourceName + " == \"" + authorizables.get(i).getName() + "\" ");
- query.append("&& " + resourceType + " == \"" + authorizables.get(i).getTypeName() + "\" ");
- }
- }
- return query.toString();
- }
-
- /**
- * Get the query to execute in the JDO deducing privileges include the scope of according to the given privilege
- * The query was used in three privilege operations:
- * 1.revoking privilege
- * 2.renaming privilege
- * 3.dropping privilege
- * Take the Solr for example, if there exists three privileges such as p1:Collection=c1->action=query,
- * p2:Collection=c1->Field=f1->action=query and p3:Collection=c1->Field=f2->action=query.
- * When the revoking operation happens, the request privilege is p4:Collection=c1->action=query.
- * The result is that not only p1 should be revoked, but also p2 and p3 should be revoked together.
- * So the populateIncludePrivilegesQuery should be Collection=c1
- * @param privilege
- * @return query
- */
- public static String populateIncludePrivilegesQuery(MSentryGMPrivilege privilege) {
- StringBuilder query = new StringBuilder();
- query.append("serviceName == \"" + toNULLCol(privilege.getServiceName()) + "\" ");
- query.append("&& componentName == \"" + toNULLCol(privilege.getComponentName()) + "\" ");
- List<? extends Authorizable> authorizables = privilege.getAuthorizables();
- for (int i= 0 ; i < authorizables.size(); i++) {
- String resourceName = PREFIX_RESOURCE_NAME + String.valueOf(i);
- String resourceType = PREFIX_RESOURCE_TYPE + String.valueOf(i);
- query.append("&& " + resourceName + " == \"" + authorizables.get(i).getName() + "\" ");
- query.append("&& " + resourceType + " == \"" + authorizables.get(i).getTypeName() + "\" ");
- }
- return query.toString();
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
deleted file mode 100644
index 7e41c93..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
+++ /dev/null
@@ -1,116 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.model;
-
-import java.util.Set;
-
-import javax.jdo.annotations.PersistenceCapable;
-
-/**
- * Database backed Sentry Group. Any changes to this object
- * require re-running the maven build so DN an re-enhance.
- */
-@PersistenceCapable
-public class MSentryGroup {
-
- /**
- * Group name is unique
- */
- private String groupName;
- // set of roles granted to this group
- private Set<MSentryRole> roles;
- private long createTime;
-
- public MSentryGroup(String groupName, long createTime, Set<MSentryRole> roles) {
- this.setGroupName(groupName);
- this.createTime = createTime;
- this.roles = roles;
- }
-
- public long getCreateTime() {
- return createTime;
- }
-
- public void setCreateTime(long createTime) {
- this.createTime = createTime;
- }
-
- public Set<MSentryRole> getRoles() {
- return roles;
- }
-
- public String getGroupName() {
- return groupName;
- }
-
- public void setGroupName(String groupName) {
- this.groupName = groupName;
- }
-
- public void appendRole(MSentryRole role) {
- if (roles.add(role)) {
- role.appendGroup(this);
- }
- }
-
- public void removeRole(MSentryRole role) {
- if (roles.remove(role)) {
- role.removeGroup(this);
- }
- }
-
- @Override
- public String toString() {
- return "MSentryGroup [groupName=" + groupName + ", roles=[...]"
- + ", createTime=" + createTime + "]";
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((groupName == null) ? 0 : groupName.hashCode());
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj) {
- return true;
- }
- if (obj == null) {
- return false;
- }
- if (getClass() != obj.getClass()) {
- return false;
- }
- MSentryGroup other = (MSentryGroup) obj;
- if (createTime != other.createTime) {
- return false;
- }
- if (groupName == null) {
- if (other.groupName != null) {
- return false;
- }
- } else if (!groupName.equals(other.groupName)) {
- return false;
- }
- return true;
- }
-}
[10/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
new file mode 100644
index 0000000..187676d
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestAuditLogForSentryGenericService.java
@@ -0,0 +1,296 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import static org.hamcrest.core.Is.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.codehaus.jettison.json.JSONObject;
+import org.junit.After;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+
+public class TestAuditLogForSentryGenericService extends SentryServiceIntegrationBase {
+
+ private SentryGenericServiceClient client;
+ private static final String COMPONENT = "SQOOP";
+ private static final org.slf4j.Logger LOGGER = LoggerFactory
+ .getLogger(TestAuditLogForSentryGenericService.class);
+
+ @BeforeClass
+ public static void setup() throws Exception {
+ SentryServiceIntegrationBase.setup();
+ Logger logger = Logger.getLogger("sentry.generic.authorization.ddl.logger");
+ AuditLoggerTestAppender testAppender = new AuditLoggerTestAppender();
+ logger.addAppender(testAppender);
+ logger.setLevel(Level.INFO);
+ }
+
+ @Override
+ @After
+ public void after() {
+ try {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ Set<TSentryRole> tRoles = client.listAllRoles(SentryServiceIntegrationBase.ADMIN_USER, COMPONENT);
+ for (TSentryRole tRole : tRoles) {
+ client.dropRole(SentryServiceIntegrationBase.ADMIN_USER, tRole.getRoleName(), COMPONENT);
+ }
+ if (client != null) {
+ client.close();
+ }
+ }
+ });
+ } catch (Exception e) {
+ // log the exception
+ LOGGER.warn("Exception happened after test case.", e);
+ } finally {
+ policyFilePath.delete();
+ }
+ }
+
+ /**
+ * use the generic client to connect sentry service
+ */
+ @Override
+ public void connectToSentryService() throws Exception {
+ if (SentryServiceIntegrationBase.kerberos) {
+ this.client = SentryServiceIntegrationBase.clientUgi.doAs(new PrivilegedExceptionAction<SentryGenericServiceClient>() {
+ @Override
+ public SentryGenericServiceClient run() throws Exception {
+ return SentryGenericServiceClientFactory.create(SentryServiceIntegrationBase.conf);
+ }
+ });
+ } else {
+ this.client = SentryGenericServiceClientFactory.create(SentryServiceIntegrationBase.conf);
+ }
+ }
+
+ @Test
+ public void testAuditLogForGenericModel() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = SentryServiceIntegrationBase.ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(SentryServiceIntegrationBase.ADMIN_GROUP);
+ String roleName = "admin_r";
+ String testGroupName = "g1";
+ String action = "all";
+ String service = "sentryService";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ // test the audit log for create role, success
+ client.createRole(requestorUserName, roleName, COMPONENT);
+ Map<String, String> fieldValueMap = new HashMap<String, String>();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // test the audit log for create role, failed
+ try {
+ client.createRole(requestorUserName, roleName, COMPONENT);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for add role to group, success
+ client.addRoleToGroups(requestorUserName, roleName, COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + roleName
+ + " TO GROUP " + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // test the audit log for add role to group, failed
+ try {
+ client.addRoleToGroups(requestorUserName, "invalidRole", COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE invalidRole TO GROUP "
+ + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for grant privilege, success
+ TSentryPrivilege privilege = new TSentryPrivilege(COMPONENT, service, Lists.newArrayList(
+ new TAuthorizable("resourceType1", "resourceName1"), new TAuthorizable("resourceType2",
+ "resourceName2")), action);
+ client.grantPrivilege(requestorUserName, roleName, COMPONENT, privilege);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "GRANT ALL ON resourceType1 resourceName1 resourceType2 resourceName2 TO ROLE "
+ + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // for error audit log
+ TSentryPrivilege invalidPrivilege = new TSentryPrivilege(COMPONENT, service,
+ Lists.newArrayList(new TAuthorizable("resourceType1", "resourceName1")),
+ "invalidAction");
+ // test the audit log for grant privilege, failed
+ try {
+ client.grantPrivilege(requestorUserName, roleName, COMPONENT, invalidPrivilege);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "GRANT INVALIDACTION ON resourceType1 resourceName1 TO ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for revoke privilege, success
+ client.revokePrivilege(requestorUserName, roleName, COMPONENT, privilege);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "REVOKE ALL ON resourceType1 resourceName1 resourceType2 resourceName2 FROM ROLE "
+ + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+
+ // test the audit log for revoke privilege, failed
+ try {
+ client.revokePrivilege(requestorUserName, "invalidRole", COMPONENT, invalidPrivilege);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "REVOKE INVALIDACTION ON resourceType1 resourceName1 FROM ROLE invalidRole");
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+
+ // test the audit log for delete role from group, success
+ client.deleteRoleToGroups(requestorUserName, roleName, COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + roleName
+ + " FROM GROUP " + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ // test the audit log for delete role from group, failed
+ try {
+ client.deleteRoleToGroups(requestorUserName, "invalidRole", COMPONENT,
+ Sets.newHashSet(testGroupName));
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT,
+ "REVOKE ROLE invalidRole FROM GROUP " + testGroupName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ // test the audit log for drop role, success
+ client.dropRole(requestorUserName, roleName, COMPONENT);
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ // test the audit log for drop role, failed
+ try {
+ client.dropRole(requestorUserName, roleName, COMPONENT);
+ fail("Exception should have been thrown");
+ } catch (Exception e) {
+ fieldValueMap.clear();
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+ fieldValueMap.put(Constants.LOG_FIELD_COMPONENT, COMPONENT);
+ fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
+ fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+ fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+ assertAuditLog(fieldValueMap);
+ }
+ }
+ });
+ }
+
+ private void assertAuditLog(Map<String, String> fieldValueMap) throws Exception {
+ assertThat(AuditLoggerTestAppender.getLastLogLevel(), is(Level.INFO));
+ JSONObject jsonObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent());
+ if (fieldValueMap != null) {
+ for (Map.Entry<String, String> entry : fieldValueMap.entrySet()) {
+ String entryKey = entry.getKey();
+ if (Constants.LOG_FIELD_IP_ADDRESS.equals(entryKey)) {
+ assertTrue(CommandUtil.assertIPInAuditLog(jsonObject.get(entryKey).toString()));
+ } else {
+ assertTrue(entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString()));
+ }
+ }
+ }
+ }
+}
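Review bot: In `after()` the `if (client != null)` guard sits after `client.listAllRoles(...)` has already dereferenced `client`, so when `connectToSentryService()` failed earlier the cleanup throws a NullPointerException that the surrounding catch merely logs, and the policy file is the only thing actually cleaned up. The guard should be the first statement of the closure, and `client.close()` belongs in a `finally` so the client is released even when one of the `dropRole` calls fails mid-loop. Separately, `assertAuditLog` checks each field with `assertTrue(entry.getValue().equalsIgnoreCase(...))`, which reports no actual value when an audit record is wrong; an assertion form that prints expected and actual (for example the hamcrest `assertThat`/`is` pair the file already imports, after normalising case) would make a mismatched audit field readable in the failure output.
```java
public void runTestAsSubject() throws Exception {
  if (client == null) {
    return;
  }
  try {
    Set<TSentryRole> tRoles = client.listAllRoles(SentryServiceIntegrationBase.ADMIN_USER, COMPONENT);
    for (TSentryRole tRole : tRoles) {
      client.dropRole(SentryServiceIntegrationBase.ADMIN_USER, tRole.getRoleName(), COMPONENT);
    }
  } finally {
    client.close();
  }
}
// … unchanged: outer catch/finally of after() …
```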
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java
new file mode 100644
index 0000000..8b3599f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java
@@ -0,0 +1,349 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import java.util.*;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.apache.sentry.core.model.search.Collection;
+import org.apache.sentry.core.model.search.Field;
+import org.apache.sentry.core.model.search.SearchConstants;
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
+import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
+import org.apache.sentry.core.common.exception.SentryInvalidInputException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject;
+import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer;
+import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.Status;
+import org.apache.sentry.service.thrift.TSentryResponseStatus;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.mockito.Matchers;
+
+import com.google.common.collect.Sets;
+
+public class TestSentryGenericPolicyProcessor extends org.junit.Assert {
+ private static final String ADMIN_GROUP = "admin_group";
+ private static final String ADMIN_USER = "admin_user";
+ private static final UUID SERVER_UUID = UUID.randomUUID();
+ private static final long SEQ_ID = 10000;
+
+ private SentryStoreLayer mockStore = Mockito.mock(SentryStoreLayer.class);
+ private SentryGenericPolicyProcessor processor;
+
+ @Before
+ public void setup() throws Exception {
+ Configuration conf = new Configuration();
+ conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP);
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, MockGroupMapping.class.getName());
+ processor = new SentryGenericPolicyProcessor(conf, mockStore);
+ }
+
+ @Test
+ public void testNotAdminOperation() throws Exception {
+ String requestUser = "not_" + ADMIN_USER;
+ Status validateStatus = Status.ACCESS_DENIED;
+ testOperation(requestUser, validateStatus);
+ }
+
+ private void testOperation(String requestUser, Status validateStatus) throws Exception {
+ TCreateSentryRoleRequest createrequest = new TCreateSentryRoleRequest();
+ createrequest.setRequestorUserName(requestUser);
+ createrequest.setRoleName("r1");
+ assertEquals(validateStatus, fromTSentryStatus(processor.create_sentry_role(createrequest).getStatus()));
+
+ TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest();
+ dropRequest.setRequestorUserName(requestUser);
+ dropRequest.setRoleName("r1");
+ assertEquals(validateStatus, fromTSentryStatus(processor.drop_sentry_role(dropRequest).getStatus()));
+
+ TAlterSentryRoleAddGroupsRequest addRequest = new TAlterSentryRoleAddGroupsRequest();
+ addRequest.setRequestorUserName(requestUser);
+ addRequest.setRoleName("r1");
+ addRequest.setGroups(Sets.newHashSet("g1"));
+ assertEquals(validateStatus, fromTSentryStatus(processor.alter_sentry_role_add_groups(addRequest).getStatus()));
+
+ TAlterSentryRoleDeleteGroupsRequest delRequest = new TAlterSentryRoleDeleteGroupsRequest();
+ delRequest.setRequestorUserName(requestUser);
+ delRequest.setRoleName("r1");
+ delRequest.setGroups(Sets.newHashSet("g1"));
+ assertEquals(validateStatus, fromTSentryStatus(processor.alter_sentry_role_delete_groups(delRequest).getStatus()));
+
+ TDropPrivilegesRequest dropPrivRequest = new TDropPrivilegesRequest();
+ dropPrivRequest.setRequestorUserName(requestUser);
+ dropPrivRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test"));
+ assertEquals(validateStatus, fromTSentryStatus(processor.drop_sentry_privilege(dropPrivRequest).getStatus()));
+
+ TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest();
+ renameRequest.setRequestorUserName(requestUser);
+ assertEquals(validateStatus, fromTSentryStatus(processor.rename_sentry_privilege(renameRequest).getStatus()));
+ }
+
+ private Status fromTSentryStatus(TSentryResponseStatus status) {
+ return Status.fromCode(status.getValue());
+ }
+
+ @Test
+ public void testAdminOperation() throws Exception {
+ Mockito.when(mockStore.createRole(Matchers.anyString(), Matchers.anyString(), Matchers.anyString()))
+ .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID));
+
+ Mockito.when(mockStore.dropRole(Matchers.anyString(), Matchers.anyString(), Matchers.anyString()))
+ .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 1));
+
+ Mockito.when(mockStore.alterRoleAddGroups(Matchers.anyString(), Matchers.anyString(), Matchers.anySetOf(String.class), Matchers.anyString()))
+ .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 2));
+
+ Mockito.when(mockStore.alterRoleDeleteGroups(Matchers.anyString(), Matchers.anyString(), Matchers.anySetOf(String.class), Matchers.anyString()))
+ .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 3));
+
+ Mockito.when(mockStore.dropPrivilege(Matchers.anyString(), Matchers.any(PrivilegeObject.class), Matchers.anyString()))
+ .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 4));
+
+ Mockito.when(mockStore.renamePrivilege(Matchers.anyString(), Matchers.anyString(), Matchers.anyListOf(Authorizable.class),
+ Matchers.anyListOf(Authorizable.class), Matchers.anyString()))
+ .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 5));
+ testOperation(ADMIN_USER, Status.OK);
+ }
+
+ @Test
+ public void testGrantAndRevokePrivilege() throws Exception {
+ Mockito.when(mockStore.alterRoleGrantPrivilege(Matchers.anyString(), Matchers.anyString(), Matchers.any(PrivilegeObject.class), Matchers.anyString()))
+ .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 6));
+
+ Mockito.when(mockStore.alterRoleRevokePrivilege(Matchers.anyString(), Matchers.anyString(), Matchers.any(PrivilegeObject.class), Matchers.anyString()))
+ .thenReturn(new CommitContext(SERVER_UUID, SEQ_ID + 7));
+ setup();
+
+ TSentryPrivilege tprivilege = new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test");
+ tprivilege.setGrantOption(TSentryGrantOption.UNSET);
+
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = new TAlterSentryRoleGrantPrivilegeRequest();
+ grantRequest.setRequestorUserName(ADMIN_USER);
+ grantRequest.setRoleName("r1");
+ grantRequest.setPrivilege(tprivilege);
+ assertEquals(Status.OK, fromTSentryStatus(processor.alter_sentry_role_grant_privilege(grantRequest).getStatus()));
+
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = new TAlterSentryRoleRevokePrivilegeRequest();
+ revokeRequest.setRequestorUserName(ADMIN_USER);
+ revokeRequest.setRoleName("r1");
+ revokeRequest.setPrivilege(tprivilege);
+ assertEquals(Status.OK, fromTSentryStatus(processor.alter_sentry_role_revoke_privilege(revokeRequest).getStatus()));
+ }
+
+ @Test
+ public void testOperationWithException() throws Exception {
+ String roleName = Matchers.anyString();
+ Mockito.when(mockStore.createRole(Matchers.anyString(), roleName, Matchers.anyString()))
+ .thenThrow(new SentryAlreadyExistsException("Role: " + roleName + " already exists"));
+
+ roleName = Matchers.anyString();
+ Mockito.when(mockStore.dropRole(Matchers.anyString(), roleName, Matchers.anyString()))
+ .thenThrow(new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist"));
+
+ roleName = Matchers.anyString();
+ Mockito.when(mockStore.alterRoleAddGroups(Matchers.anyString(), roleName, Matchers.anySetOf(String.class), Matchers.anyString()))
+ .thenThrow(new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist"));
+
+ roleName = Matchers.anyString();
+ Mockito.when(mockStore.alterRoleDeleteGroups(Matchers.anyString(), roleName, Matchers.anySetOf(String.class), Matchers.anyString()))
+ .thenThrow(new SentryNoSuchObjectException("Role: " + roleName + " doesn't exist"));
+
+ roleName = Matchers.anyString();
+ Mockito.when(mockStore.alterRoleGrantPrivilege(Matchers.anyString(), roleName, Matchers.any(PrivilegeObject.class), Matchers.anyString()))
+ .thenThrow(new SentryGrantDeniedException("Role: " + roleName + " is not allowed to do grant"));
+
+ roleName = Matchers.anyString();
+ Mockito.when(mockStore.alterRoleRevokePrivilege(Matchers.anyString(), roleName, Matchers.any(PrivilegeObject.class), Matchers.anyString()))
+ .thenThrow(new SentryGrantDeniedException("Role: " + roleName + " is not allowed to do grant"));
+
+ Mockito.when(mockStore.dropPrivilege(Matchers.anyString(), Matchers.any(PrivilegeObject.class), Matchers.anyString()))
+ .thenThrow(new SentryInvalidInputException("Invalid input privilege object"));
+
+ Mockito.when(mockStore.renamePrivilege(Matchers.anyString(), Matchers.anyString(), Matchers.anyListOf(Authorizable.class),
+ Matchers.anyListOf(Authorizable.class), Matchers.anyString()))
+ .thenThrow(new RuntimeException("Unknown error"));
+
+ setup();
+
+ TCreateSentryRoleRequest createrequest = new TCreateSentryRoleRequest();
+ createrequest.setRequestorUserName(ADMIN_USER);
+ createrequest.setRoleName("r1");
+ assertEquals(Status.ALREADY_EXISTS, fromTSentryStatus(processor.create_sentry_role(createrequest).getStatus()));
+
+ TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest();
+ dropRequest.setRequestorUserName(ADMIN_USER);
+ dropRequest.setRoleName("r1");
+ assertEquals(Status.NO_SUCH_OBJECT, fromTSentryStatus(processor.drop_sentry_role(dropRequest).getStatus()));
+
+ TAlterSentryRoleAddGroupsRequest addRequest = new TAlterSentryRoleAddGroupsRequest();
+ addRequest.setRequestorUserName(ADMIN_USER);
+ addRequest.setRoleName("r1");
+ addRequest.setGroups(Sets.newHashSet("g1"));
+ assertEquals(Status.NO_SUCH_OBJECT, fromTSentryStatus(processor.alter_sentry_role_add_groups(addRequest).getStatus()));
+
+ TAlterSentryRoleDeleteGroupsRequest delRequest = new TAlterSentryRoleDeleteGroupsRequest();
+ delRequest.setRequestorUserName(ADMIN_USER);
+ delRequest.setRoleName("r1");
+ delRequest.setGroups(Sets.newHashSet("g1"));
+ assertEquals(Status.NO_SUCH_OBJECT, fromTSentryStatus(processor.alter_sentry_role_delete_groups(delRequest).getStatus()));
+
+ TDropPrivilegesRequest dropPrivRequest = new TDropPrivilegesRequest();
+ dropPrivRequest.setRequestorUserName(ADMIN_USER);
+ dropPrivRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test"));
+ assertEquals(Status.INVALID_INPUT, fromTSentryStatus(processor.drop_sentry_privilege(dropPrivRequest).getStatus()));
+
+ TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest();
+ renameRequest.setRequestorUserName(ADMIN_USER);
+ assertEquals(Status.RUNTIME_ERROR, fromTSentryStatus(processor.rename_sentry_privilege(renameRequest).getStatus()));
+
+ TSentryPrivilege tprivilege = new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test");
+ tprivilege.setGrantOption(TSentryGrantOption.UNSET);
+
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = new TAlterSentryRoleGrantPrivilegeRequest();
+ grantRequest.setRequestorUserName(ADMIN_USER);
+ grantRequest.setRoleName("r1");
+ grantRequest.setPrivilege(tprivilege);
+ assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_grant_privilege(grantRequest).getStatus()));
+
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = new TAlterSentryRoleRevokePrivilegeRequest();
+ revokeRequest.setRequestorUserName(ADMIN_USER);
+ revokeRequest.setRoleName("r1");
+ revokeRequest.setPrivilege(tprivilege);
+ assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_revoke_privilege(revokeRequest).getStatus()));
+ }
+
+ @Test
+ public void testGetRolesAndPrivileges() throws Exception {
+ String roleName = "r1";
+ String groupName = "g1";
+ PrivilegeObject queryPrivilege = new Builder()
+ .setComponent("SOLR")
+ .setAction(SearchConstants.QUERY)
+ .setService("service1")
+ .setAuthorizables(Arrays.asList(new Collection("c1"), new Field("f1")))
+ .build();
+ PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
+ .setAction(SearchConstants.UPDATE)
+ .build();
+
+ MSentryGMPrivilege mSentryGMPrivilege = new MSentryGMPrivilege("SOLR", "service1",
+ Arrays.asList(new Collection("c1"), new Field("f1")),
+ SearchConstants.QUERY, true);
+
+ MSentryRole role = new MSentryRole("r1", 290);
+ mSentryGMPrivilege.setRoles(Sets.newHashSet(role));
+
+ Mockito.when(mockStore.getRolesByGroups(Matchers.anyString(), Matchers.anySetOf(String.class)))
+ .thenReturn(Sets.newHashSet(roleName));
+
+ Mockito.when(mockStore.getPrivilegesByProvider(Matchers.anyString(), Matchers.anyString(), Matchers.anySetOf(String.class),
+ Matchers.anySetOf(String.class), Matchers.anyListOf(Authorizable.class)))
+ .thenReturn(Sets.newHashSet(queryPrivilege, updatePrivilege));
+
+ Mockito.when(mockStore.getGroupsByRoles(Matchers.anyString(), Matchers.anySetOf(String.class)))
+ .thenReturn(Sets.newHashSet(groupName));
+
+ Mockito.when(mockStore.getPrivilegesByAuthorizable(Matchers.anyString(), Matchers.anyString(), Matchers.anySetOf(String.class), Matchers.anyListOf(Authorizable.class)))
+ .thenReturn(Sets.newHashSet(mSentryGMPrivilege));
+
+ Mockito.when(mockStore.getAllRoleNames())
+ .thenReturn(Sets.newHashSet(roleName));
+
+ TListSentryPrivilegesRequest request1 = new TListSentryPrivilegesRequest();
+ request1.setRoleName(roleName);
+ request1.setRequestorUserName(ADMIN_USER);
+ TListSentryPrivilegesResponse response1 = processor.list_sentry_privileges_by_role(request1);
+ assertEquals(Status.OK, fromTSentryStatus(response1.getStatus()));
+ assertEquals(2, response1.getPrivileges().size());
+
+ TListSentryRolesRequest request2 = new TListSentryRolesRequest();
+ request2.setRequestorUserName(ADMIN_USER);
+ request2.setGroupName(groupName);
+ TListSentryRolesResponse response2 = processor.list_sentry_roles_by_group(request2);
+ assertEquals(Status.OK, fromTSentryStatus(response2.getStatus()));
+ assertEquals(1, response2.getRoles().size());
+
+ TListSentryPrivilegesForProviderRequest request3 = new TListSentryPrivilegesForProviderRequest();
+ request3.setGroups(Sets.newHashSet(groupName));
+ request3.setRoleSet(new TSentryActiveRoleSet(true, null));
+ TListSentryPrivilegesForProviderResponse response3 = processor.list_sentry_privileges_for_provider(request3);
+ assertEquals(Status.OK, fromTSentryStatus(response3.getStatus()));
+ assertEquals(2, response3.getPrivileges().size());
+
+ // Optional parameters activeRoleSet and requested group name are both provided.
+ TListSentryPrivilegesByAuthRequest request4 = new TListSentryPrivilegesByAuthRequest();
+ request4.setGroups(Sets.newHashSet(groupName));
+ request4.setRoleSet(new TSentryActiveRoleSet(true, null));
+ request4.setRequestorUserName(ADMIN_USER);
+ Set<String> authorizablesSet = Sets.newHashSet("Collection=c1->Field=f1");
+ request4.setAuthorizablesSet(authorizablesSet);
+
+ TListSentryPrivilegesByAuthResponse response4 = processor.list_sentry_privileges_by_authorizable(request4);
+ assertEquals(Status.OK, fromTSentryStatus(response4.getStatus()));
+ assertEquals(1, response4.getPrivilegesMapByAuth().size());
+
+ // Optional parameters activeRoleSet and requested group name are both not provided.
+ TListSentryPrivilegesByAuthRequest request5 = new TListSentryPrivilegesByAuthRequest();
+ request5.setRequestorUserName("not_" + ADMIN_USER);
+ authorizablesSet = Sets.newHashSet("Collection=c1->Field=f2");
+ request5.setAuthorizablesSet(authorizablesSet);
+
+ TListSentryPrivilegesByAuthResponse response5 = processor.list_sentry_privileges_by_authorizable(request5);
+ assertEquals(Status.OK, fromTSentryStatus(response5.getStatus()));
+ assertEquals(1, response5.getPrivilegesMapByAuth().size());
+ }
+
+ @Test(expected=SentrySiteConfigurationException.class)
+ public void testConfigCannotCreateNotificationHandler() throws Exception {
+ Configuration conf = new Configuration();
+ conf.set(PolicyStoreConstants.SENTRY_GENERIC_POLICY_NOTIFICATION,"junk");
+ SentryGenericPolicyProcessor.createHandlers(conf);
+ }
+
+ @Test(expected=SentrySiteConfigurationException.class)
+ public void testConfigCannotCreateSentryStore() throws Exception {
+ Configuration conf = new Configuration();
+ conf.set(PolicyStoreConstants.SENTRY_GENERIC_POLICY_STORE,"junk");
+ SentryGenericPolicyProcessor.createStore(conf);
+ }
+
+ public static class MockGroupMapping implements GroupMappingService {
+ public MockGroupMapping(Configuration conf, String resource) { //NOPMD
+ }
+ @Override
+ public Set<String> getGroups(String user) {
+ if (user.equalsIgnoreCase(ADMIN_USER)) {
+ return Sets.newHashSet(ADMIN_GROUP);
+ } else {
+ return Sets.newHashSet("not" + ADMIN_GROUP);
+ }
+ }
+ }
+
+}
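Review bot: In testOperationWithException the `String roleName = Matchers.anyString();` assignments (repeated before each stubbing) misuse the matcher API: anyString() returns the empty string and registers a matcher as a side effect, so `roleName` is just `""` and the exception messages become `"Role:  already exists"`, while the stubbing only type-checks because every argument happens to be anyString() anyway. Each stub should pass the matcher inline and use a literal in the message, e.g. `Mockito.when(mockStore.createRole(Matchers.anyString(), Matchers.anyString(), Matchers.anyString())).thenThrow(new SentryAlreadyExistsException("Role: r1 already exists"));`. Separately, in testGetRolesAndPrivileges the request5 case asserts Status.OK for `"not_" + ADMIN_USER` with no groups supplied, but since every store stub matches anySetOf(String.class) the test cannot tell whether the processor restricted the lookup to the requestor's own groups; a `Mockito.verify(mockStore).getPrivilegesByAuthorizable(Matchers.anyString(), Matchers.anyString(), Matchers.eq(Sets.newHashSet("not" + ADMIN_GROUP)), Matchers.anyListOf(Authorizable.class));` after response5 would pin the intended authorization behavior (assuming the processor resolves groups through MockGroupMapping — confirm against SentryGenericPolicyProcessor). The explicit `setup()` calls at L59709 and L59760 also look redundant given the @Before method.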
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java
new file mode 100644
index 0000000..b59d172
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java
@@ -0,0 +1,503 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.model.search.Collection;
+import org.apache.sentry.core.model.search.Field;
+import org.apache.sentry.core.model.search.SearchConstants;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+
+public class TestSentryGenericServiceIntegration extends SentryGenericServiceIntegrationBase {
+
+ @Test
+ public void testCreateDropShowRole() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_r";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName, SOLR);
+
+ client.createRole(requestorUserName, roleName, SOLR);
+
+ client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(requestorUserGroupNames));
+
+ Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR);
+ assertEquals("Incorrect number of roles", 1, roles.size());
+ for (TSentryRole role:roles) {
+ assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+ }
+ client.dropRole(requestorUserName, roleName, SOLR);
+ }});
+ }
+
+ @Test
+ public void testAddDeleteRoleToGroup() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String testGroupName = "g1";
+ String roleName = "admin_r";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ setLocalGroupMapping(requestorUserName, Sets.newHashSet(testGroupName));
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName, SOLR);
+
+ client.createRole(requestorUserName, roleName, SOLR);
+
+ client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName));
+
+ Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR);
+ assertEquals("Incorrect number of roles", 1, roles.size());
+ for (TSentryRole role:roles) {
+ assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+ assertTrue(role.getGroups().size() == 1);
+ for (String group :role.getGroups()) {
+ assertEquals(testGroupName, group);
+ }
+ }
+
+ client.deleteRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName));
+ roles = client.listUserRoles(requestorUserName,SOLR);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+
+ client.dropRole(requestorUserName, roleName, SOLR);
+ }});
+ }
+
+ @Test
+ public void testGranRevokePrivilege() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1, SOLR);
+ client.createRole(requestorUserName, roleName1, SOLR);
+
+ client.dropRoleIfExists(requestorUserName, roleName2, SOLR);
+ client.createRole(requestorUserName, roleName2, SOLR);
+
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+
+ TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.UPDATE);
+
+ client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
+ client.grantPrivilege(requestorUserName, roleName2, SOLR, updatePrivilege);
+
+ client.revokePrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
+ client.revokePrivilege(requestorUserName, roleName2, SOLR, updatePrivilege);
+ }});
+ }
+
+ @Test
+ public void testMultipleRolesSamePrivilege() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1, SOLR);
+ client.createRole(requestorUserName, roleName1, SOLR);
+
+ client.dropRoleIfExists(requestorUserName, roleName2, SOLR);
+ client.createRole(requestorUserName, roleName2, SOLR);
+
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+
+ client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1, SOLR, "service1");
+ assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
+
+ client.grantPrivilege(requestorUserName, roleName2, SOLR, queryPrivilege);
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, SOLR, "service1");
+ assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
+ }});
+ }
+
+ @Test
+ public void testShowRoleGrant() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_r1";
+ String groupName = "group1";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ setLocalGroupMapping(requestorUserName, Sets.newHashSet(groupName));
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName, SOLR);
+ client.createRole(requestorUserName, roleName, SOLR);
+ client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(groupName));
+
+ Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName,SOLR);
+ assertTrue(groupRoles.size() == 1);
+ for (TSentryRole role:groupRoles) {
+ assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+ assertTrue(role.getGroups().size() == 1);
+ for (String group :role.getGroups()) {
+ assertEquals(groupName, group);
+ }
+ }
+
+ client.dropRole(requestorUserName, roleName, SOLR);
+ }});
+ }
+
+ @Test
+ public void testShowGrant() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ String roleName = "admin_r1";
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ client.dropRoleIfExists(requestorUserName, roleName, SOLR);
+ client.createRole(requestorUserName, roleName, SOLR);
+
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+
+ TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.UPDATE);
+
+ client.grantPrivilege(requestorUserName, roleName, SOLR, updatePrivilege);
+ client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
+ Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1");
+ assertTrue(privileges.size() == 2);
+
+ client.revokePrivilege(requestorUserName, roleName, SOLR, updatePrivilege);
+ privileges = client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1");
+ assertTrue(privileges.size() == 1);
+ }});
+ }
+
+ @Test
+ public void testSameGrantTwice() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r1";
+
+ client.createRole(requestorUserName, roleName, SOLR);
+
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+
+ client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
+ assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1").size());
+ }});
+ }
+
+ @Test
+ public void testGrantRevokeWithGrantOption() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String adminUser = ADMIN_USER;
+ Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
+ String grantOptionUser = "user1";
+ Set<String> grantOptionGroup = Sets.newHashSet("group1");
+ String noGrantOptionUser = "user2";
+ Set<String> noGrantOptionGroup = Sets.newHashSet("group2");
+
+ setLocalGroupMapping(adminUser, adminGroup);
+ setLocalGroupMapping(grantOptionUser, grantOptionGroup);
+ setLocalGroupMapping(noGrantOptionUser, noGrantOptionGroup);
+ writePolicyFile();
+
+ String grantRole = "grant_r";
+ String noGrantRole = "no_grant_r";
+ String testRole = "test_role";
+
+ client.createRole(adminUser, grantRole, SOLR);
+ client.createRole(adminUser, noGrantRole, SOLR);
+ client.createRole(adminUser, testRole, SOLR);
+
+ TSentryPrivilege grantPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"))),
+ SearchConstants.QUERY);
+ grantPrivilege.setGrantOption(TSentryGrantOption.TRUE);
+
+ TSentryPrivilege noGrantPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"))),
+ SearchConstants.QUERY);
+ noGrantPrivilege.setGrantOption(TSentryGrantOption.FALSE);
+
+ TSentryPrivilege testPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+ testPrivilege.setGrantOption(TSentryGrantOption.FALSE);
+
+ client.grantPrivilege(adminUser, grantRole, SOLR, grantPrivilege);
+ client.grantPrivilege(adminUser, noGrantRole, SOLR, noGrantPrivilege);
+
+ client.addRoleToGroups(adminUser, grantRole, SOLR, grantOptionGroup);
+ client.addRoleToGroups(adminUser, noGrantRole, SOLR, noGrantOptionGroup);
+
+ try {
+ client.grantPrivilege(grantOptionUser,testRole,SOLR, testPrivilege);
+ } catch (SentryUserException e) {
+ fail("grantOptionUser failed grant privilege to user");
+ }
+
+ try {
+ client.grantPrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege);
+ fail("noGrantOptionUser can't grant privilege to user");
+ } catch (SentryUserException e) {
+ }
+
+ try {
+ client.revokePrivilege(grantOptionUser, testRole, SOLR, testPrivilege);
+ } catch(SentryUserException e) {
+ fail("grantOptionUser failed revoke privilege to user");
+ }
+
+ try {
+ client.revokePrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege);
+ fail("noGrantOptionUser can't revoke privilege to user");
+ } catch (SentryUserException e) {
+ }
+ }});
+ }
+
+ @Test
+ public void testGetPrivilegeByHierarchy() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String adminUser = ADMIN_USER;
+ Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
+ String testRole = "role1";
+ Set<String> testGroup = Sets.newHashSet("group1");
+ String testUser = "user1";
+ setLocalGroupMapping(adminUser, adminGroup);
+ setLocalGroupMapping(testUser, testGroup);
+ writePolicyFile();
+
+
+ client.createRole(adminUser, testRole, SOLR);
+ client.addRoleToGroups(adminUser, testRole, SOLR, testGroup);
+
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+
+ TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))),
+ SearchConstants.UPDATE);
+
+ client.grantPrivilege(adminUser, testRole, SOLR, queryPrivilege);
+ client.grantPrivilege(adminUser, testRole, SOLR, updatePrivilege);
+
+ assertEquals(2, client.listPrivilegesByRoleName(testUser, testRole, SOLR, "service1").size());
+
+ assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
+ SOLR, "service1", Arrays.asList(new Collection("c1"))).size());
+
+ assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
+ SOLR, "service1", Arrays.asList(new Collection("c2"))).size());
+
+ assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
+ SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
+
+ assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
+ SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+
+ //test listPrivilegesForProvider by group(testGroup)
+ ActiveRoleSet roleSet = ActiveRoleSet.ALL;
+
+ assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
+ testGroup, Arrays.asList(new Collection("c1"))).size());
+
+ assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
+ testGroup, Arrays.asList(new Collection("c2"))).size());
+
+ assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
+ testGroup, Arrays.asList(new Collection("c1"), new Field("f1"))).size());
+
+ assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
+ testGroup, Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+ }});
+ }
+
+ @Test
+ public void testGetPrivilegeByAuthorizable() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String adminUser = ADMIN_USER;
+ Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
+ String testRole = "role1";
+ Set<String> testGroup = Sets.newHashSet("group1");
+ String testUser = "user1";
+ setLocalGroupMapping(adminUser, adminGroup);
+ setLocalGroupMapping(testUser, testGroup);
+ writePolicyFile();
+
+ client.createRole(adminUser, testRole, SOLR);
+ client.addRoleToGroups(adminUser, testRole, SOLR, adminGroup);
+
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+
+ TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f2"))),
+ SearchConstants.UPDATE);
+
+ client.grantPrivilege(adminUser, testRole, SOLR, queryPrivilege);
+ client.grantPrivilege(adminUser, testRole, SOLR, updatePrivilege);
+
+ //test listPrivilegsbyAuthorizable without requested group and active role set.
+ assertEquals(1, client.listPrivilegsbyAuthorizable(SOLR, "service1", adminUser,
+ Sets.newHashSet(new String("Collection=c1->Field=f1")), null, null).size());
+
+ //test listPrivilegsbyAuthorizable with requested group (testGroup)
+ Map<String, TSentryPrivilegeMap> privilegeMap = client.listPrivilegsbyAuthorizable(SOLR,
+ "service1", adminUser, Sets.newHashSet(new String("Collection=c1->Field=f1")), testGroup, null);
+ TSentryPrivilegeMap actualMap = privilegeMap.get(new String("Collection=c1->Field=f1"));
+ assertEquals(0, actualMap.getPrivilegeMap().size());
+
+ //test listPrivilegsbyAuthorizable with active role set.
+ ActiveRoleSet roleSet = ActiveRoleSet.ALL;
+ assertEquals(1, client.listPrivilegsbyAuthorizable(SOLR, "service1", adminUser,
+ Sets.newHashSet(new String("Collection=c1->Field=f1")), null, roleSet).size());
+ privilegeMap = client.listPrivilegsbyAuthorizable(SOLR,
+ "service1", adminUser, Sets.newHashSet(new String("Collection=c1->Field=f1")), null, roleSet);
+ actualMap = privilegeMap.get(new String("Collection=c1->Field=f1"));
+ assertEquals(1, actualMap.getPrivilegeMap().size());
+
+ privilegeMap = client.listPrivilegsbyAuthorizable(SOLR,
+ "service1", testUser, Sets.newHashSet(new String("Collection=c1->Field=f1")), null, roleSet);
+ actualMap = privilegeMap.get(new String("Collection=c1->Field=f1"));
+ assertEquals(0, actualMap.getPrivilegeMap().size());
+
+ // grant tesRole to testGroup.
+ client.addRoleToGroups(adminUser, testRole, SOLR, testGroup);
+
+ privilegeMap = client.listPrivilegsbyAuthorizable(SOLR,
+ "service1", testUser, Sets.newHashSet(new String("Collection=c1")), null, roleSet);
+ actualMap = privilegeMap.get(new String("Collection=c1"));
+ assertEquals(1, actualMap.getPrivilegeMap().size());
+ assertEquals(2, actualMap.getPrivilegeMap().get(testRole).size());
+ }});
+ }
+
+ @Test
+ public void testDropAndRenamePrivilege() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+ String roleName = "admin_r1";
+
+ client.createRole(requestorUserName, roleName, SOLR);
+
+ TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+ SearchConstants.QUERY);
+ client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
+
+ assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName,
+ SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
+
+ assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
+ SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+
+ client.renamePrivilege(requestorUserName, SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
+ Arrays.asList(new Collection("c2"), new Field("f2")));
+
+ assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
+ SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
+
+ assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName,
+ SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+
+ TSentryPrivilege dropPrivilege = new TSentryPrivilege(SOLR, "service1",
+ fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))),
+ SearchConstants.QUERY);
+
+ client.dropPrivilege(requestorUserName, SOLR, dropPrivilege);
+
+ assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
+ SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+ }});
+ }
+
+ private List<TAuthorizable> fromAuthorizable(List<? extends Authorizable> authorizables) {
+ List<TAuthorizable> tAuthorizables = Lists.newArrayList();
+ for (Authorizable authorizable : authorizables) {
+ tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
+ }
+ return tAuthorizables;
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
new file mode 100644
index 0000000..d199d20
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
@@ -0,0 +1,261 @@
+ /**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import com.google.common.io.Files;
+import com.google.common.collect.Sets;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+import org.apache.sentry.core.common.exception.SentryConfigurationException;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+public class TestSentryConfigToolSolr extends SentryGenericServiceIntegrationBase {
+ private static String RESOURCES_DIR = "target" + File.separator + "test-classes" + File.separator;
+ private static String VALID_POLICY_INI = RESOURCES_DIR + "solr_config_import_tool.ini";
+ private static String INVALID_POLICY_INI = RESOURCES_DIR + "solr_invalid.ini";
+ private static String CASE_POLICY_INI = RESOURCES_DIR + "solr_case.ini";
+ private File confDir;
+ private File confPath;
+ private String requestorName = "";
+ private String service = "service1";
+
+ @Before
+ public void prepareForTest() throws Exception {
+ confDir = Files.createTempDir();
+ confPath = new File(confDir, "sentry-site.xml");
+ if (confPath.createNewFile()) {
+ FileOutputStream to = new FileOutputStream(confPath);
+ conf.writeXml(to);
+ to.close();
+ }
+ requestorName = clientUgi.getShortUserName();//System.getProperty("user.name", "");
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorName, requestorUserGroupNames);
+ // add ADMIN_USER for the after() in SentryServiceIntegrationBase
+ setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
+ writePolicyFile();
+ }
+
+ @After
+ public void clearTestData() throws Exception {
+ FileUtils.deleteQuietly(confDir);
+
+ // clear roles and privileges
+ Set<TSentryRole> tRoles = client.listAllRoles(requestorName, SOLR);
+ for (TSentryRole tRole : tRoles) {
+ String role = tRole.getRoleName();
+ Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(
+ requestorName, role, SOLR, service);
+ for (TSentryPrivilege privilege : privileges) {
+ client.revokePrivilege(requestorName, role, SOLR, privilege);
+ }
+ client.dropRole(requestorName, role, SOLR);
+ }
+ }
+
+ @Test
+ public void testConvertIni() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String[] args = { "-p", VALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i"};
+ SentryConfigToolSolr sentryTool = new SentryConfigToolSolr();
+ sentryTool.executeConfigTool(args);
+
+ Map<String, Set<String>> groupMapping = new HashMap<String, Set<String>>();
+ groupMapping.put("corporal_role", Sets.newHashSet("corporal", "sergeant", "general", "commander_in_chief"));
+ groupMapping.put("sergeant_role", Sets.newHashSet("sergeant", "general", "commander_in_chief"));
+ groupMapping.put("general_role", Sets.newHashSet("general", "commander_in_chief"));
+ groupMapping.put("commander_in_chief_role", Sets.newHashSet("commander_in_chief"));
+
+ Map<String, Set<String>> privilegeMapping = new HashMap<String, Set<String>>();
+ privilegeMapping.put("corporal_role",
+ Sets.newHashSet("Collection=info->action=query", "Collection=info->action=update"));
+ privilegeMapping.put("sergeant_role",
+ Sets.newHashSet("Collection=info->action=update"));
+ privilegeMapping.put("general_role",
+ Sets.newHashSet("Collection=info->action=*"));
+ privilegeMapping.put("commander_in_chief_role",
+ Sets.newHashSet("Collection=*->action=*"));
+
+ // check roles
+ Set<TSentryRole> tRoles = client.listAllRoles(requestorName, SOLR);
+ assertEquals("Unexpected number of roles", groupMapping.keySet().size(), tRoles.size());
+ Set<String> roles = new HashSet<String>();
+ for (TSentryRole tRole : tRoles) {
+ roles.add(tRole.getRoleName());
+ }
+
+ for (String expectedRole : groupMapping.keySet()) {
+ assertTrue("Didn't find expected role: " + expectedRole, roles.contains(expectedRole));
+ }
+
+ // check groups
+ for (TSentryRole tRole : tRoles) {
+ Set<String> expectedGroups = groupMapping.get(tRole.getRoleName());
+ assertEquals("Group size doesn't match for role: " + tRole.getRoleName(),
+ expectedGroups.size(), tRole.getGroups().size());
+ assertTrue("Group does not contain all expected members for role: " + tRole.getRoleName(),
+ tRole.getGroups().containsAll(expectedGroups));
+ }
+
+ // check privileges
+ SolrTSentryPrivilegeConverter convert = new SolrTSentryPrivilegeConverter(SOLR, service);
+ for (String role : roles) {
+ Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(
+ requestorName, role, SOLR, service);
+ Set<String> expectedPrivileges = privilegeMapping.get(role);
+ assertEquals("Privilege set size doesn't match for role: " + role,
+ expectedPrivileges.size(), privileges.size());
+
+ Set<String> privilegeStrs = new HashSet<String>();
+ for (TSentryPrivilege privilege : privileges) {
+ privilegeStrs.add(convert.toString(privilege));
+ }
+
+ for (String expectedPrivilege : expectedPrivileges) {
+ assertTrue("Did not find expected privilege: " + expectedPrivilege,
+ privilegeStrs.contains(expectedPrivilege));
+ }
+ }
+ }
+ });
+ }
+
+ @Test
+ public void testNoPolicyFile() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String[] args = { "-p", INVALID_POLICY_INI + "Foobar", "-conf", confPath.getAbsolutePath(), "-v", "-i"};
+ SentryConfigToolSolr sentryTool = new SentryConfigToolSolr();
+ try {
+ sentryTool.executeConfigTool(args);
+ fail("Exception should be thrown for nonexistant ini");
+ } catch (SentryConfigurationException e) {
+ // expected exception
+ }
+ }
+ });
+ }
+
+ @Test
+ public void testNoValidateNorImport() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String[] args = { "-p", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath()};
+ SentryConfigToolSolr sentryTool = new SentryConfigToolSolr();
+ try {
+ sentryTool.executeConfigTool(args);
+ fail("Exception should be thrown for validating invalid ini");
+ } catch (IllegalArgumentException e) {
+ // expected exception
+ }
+ }
+ });
+ }
+
+ @Test
+ public void testConvertInvalidIni() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // test: validate an invalid ini
+ String[] args = { "-p", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i"};
+ SentryConfigToolSolr sentryTool = new SentryConfigToolSolr();
+ try {
+ sentryTool.executeConfigTool(args);
+ fail("Exception should be thrown for validating invalid ini");
+ } catch (SentryConfigurationException e) {
+ // expected exception
+ }
+
+ // test without validating, should not error
+ args = new String[] { "-p", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-i"};
+ sentryTool = new SentryConfigToolSolr();
+ sentryTool.executeConfigTool(args);
+ }
+ });
+ }
+
+ @Test
+ public void testCompatCheck() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // test: validate an invalid ini
+ String[] args = { "-p", CASE_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i", "-c"};
+ SentryConfigToolSolr sentryTool = new SentryConfigToolSolr();
+ try {
+ sentryTool.executeConfigTool(args);
+ fail("Exception should be thrown for validating invalid ini");
+ } catch (SentryConfigurationException e) {
+ assertEquals("Expected error", 1, e.getConfigErrors().size());
+ String error = e.getConfigErrors().get(0);
+ assertCasedRoleNamesInMessage(error, "RoLe1", "rOlE1");
+ String warning = e.getConfigWarnings().get(0);
+ assertCasedRoleNamesInMessage(warning, "ROLE2", "RoLe1", "rOlE1");
+ assertEquals("Expected warning", 1, e.getConfigWarnings().size());
+ }
+
+ // test without compat checking
+ args = new String[] { "-p", CASE_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-i", "-v"};
+ sentryTool = new SentryConfigToolSolr();
+ sentryTool.executeConfigTool(args);
+ }
+ });
+ }
+
+ // Test that a valid compat check doesn't throw an exception
+ @Test
+ public void testCompatCheckValid() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String[] args = { "-p", VALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i", "-c"};
+ SentryConfigToolSolr sentryTool = new SentryConfigToolSolr();
+ sentryTool.executeConfigTool(args);
+ }
+ });
+ }
+
+ private void assertCasedRoleNamesInMessage(String message, String ... casedRoleNames) {
+ for (String casedRoleName : casedRoleNames) {
+ assertTrue("Expected cased role name: " + casedRoleName, message.contains(casedRoleName));
+ }
+ }
+}
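Review bot: In testCompatCheck the `e.getConfigWarnings().get(0)` call runs before the `assertEquals("Expected warning", 1, e.getConfigWarnings().size())` check, so an empty warning list fails with an IndexOutOfBoundsException instead of the intended assertion message; move the size assertion above the `get(0)`, as is already done for the error list. The same try block opens with the copy-pasted comment `// test: validate an invalid ini`, which describes testConvertInvalidIni rather than this case, and `// test: compat check reports role names that differ only by case` would match what the assertions verify. In prepareForTest the stream is closed with a bare `to.close()`, so a failure inside `conf.writeXml(to)` leaks the handle; `try (FileOutputStream to = new FileOutputStream(confPath)) { conf.writeXml(to); }` is the idiomatic form, and when `createNewFile()` returns false the config file is silently left unwritten, which would be clearer as a failed assertion than as a later tool error.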
[39/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java
deleted file mode 100644
index 223cc87..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java
+++ /dev/null
@@ -1,143 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.persistent;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileNotFoundException;
-import java.io.FileReader;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.sentry.core.common.exception.SentryUserException;
-
-public class SentryStoreSchemaInfo {
- private static final String SQL_FILE_EXTENSION = ".sql";
- private static final String UPGRADE_FILE_PREFIX = "upgrade-";
- private static final String INIT_FILE_PREFIX = "sentry-";
- private static final String VERSION_UPGRADE_LIST = "upgrade.order";
- private final String dbType;
- private final String sentrySchemaVersions[];
- private final String sentryScriptDir;
-
- private static final String SENTRY_VERSION = "1.8.0";
-
- public SentryStoreSchemaInfo(String sentryScriptDir, String dbType)
- throws SentryUserException {
- this.sentryScriptDir = sentryScriptDir;
- this.dbType = dbType;
- // load upgrade order for the given dbType
- List<String> upgradeOrderList = new ArrayList<String>();
- String upgradeListFile = getSentryStoreScriptDir() + File.separator
- + VERSION_UPGRADE_LIST + "." + dbType;
- try (BufferedReader bfReader = new BufferedReader(new FileReader(upgradeListFile))) {
- String currSchemaVersion;
- while ((currSchemaVersion = bfReader.readLine()) != null) {
- upgradeOrderList.add(currSchemaVersion.trim());
- }
- } catch (FileNotFoundException e) {
- throw new SentryUserException("File " + upgradeListFile + " not found ", e);
- } catch (IOException e) {
- throw new SentryUserException("Error reading " + upgradeListFile, e);
- }
- sentrySchemaVersions = upgradeOrderList.toArray(new String[0]);
- }
-
- public String getSentrySchemaVersion() {
- return SENTRY_VERSION;
- }
-
- public List<String> getUpgradeScripts(String fromSchemaVer)
- throws SentryUserException {
- List<String> upgradeScriptList = new ArrayList<String>();
-
- // check if we are already at current schema level
- if (getSentryVersion().equals(fromSchemaVer)) {
- return upgradeScriptList;
- }
-
- // Find the list of scripts to execute for this upgrade
- int firstScript = sentrySchemaVersions.length;
- for (int i = 0; i < sentrySchemaVersions.length; i++) {
- String fromVersion = sentrySchemaVersions[i].split("-to-")[0];
- if (fromVersion.equals(fromSchemaVer)) {
- firstScript = i;
- break;
- }
- }
- if (firstScript == sentrySchemaVersions.length) {
- throw new SentryUserException("Unknown version specified for upgrade "
- + fromSchemaVer + " Metastore schema may be too old or newer");
- }
-
- for (int i = firstScript; i < sentrySchemaVersions.length; i++) {
- String scriptFile = generateUpgradeFileName(sentrySchemaVersions[i]);
- upgradeScriptList.add(scriptFile);
- }
- return upgradeScriptList;
- }
-
- /***
- * Get the name of the script to initialize the schema for given version
- *
- * @param toVersion
- * Target version. If it's null, then the current server version is
- * used
- * @return
- * @throws SentryUserException
- */
- public String generateInitFileName(String toVersion)
- throws SentryUserException {
- String version = toVersion;
- if (version == null) {
- version = getSentryVersion();
- }
- String initScriptName = INIT_FILE_PREFIX + dbType + "-" + version
- + SQL_FILE_EXTENSION;
- // check if the file exists
- if (!(new File(getSentryStoreScriptDir() + File.separatorChar
- + initScriptName).exists())) {
- throw new SentryUserException(
- "Unknown version specified for initialization: " + version);
- }
- return initScriptName;
- }
-
- /**
- * Find the directory of sentry store scripts
- *
- * @return
- */
- public String getSentryStoreScriptDir() {
- return sentryScriptDir;
- }
-
- // format the upgrade script name eg upgrade-x-y-dbType.sql
- private String generateUpgradeFileName(String fileVersion) {
- return INIT_FILE_PREFIX + UPGRADE_FILE_PREFIX + dbType + "-"
- + fileVersion + SQL_FILE_EXTENSION;
- }
-
- // Current hive version, in majorVersion.minorVersion.changeVersion format
- // TODO: store the version using the build script
- public static String getSentryVersion() {
- return SENTRY_VERSION;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceRegister.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceRegister.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceRegister.java
deleted file mode 100644
index 79dfe48..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceRegister.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.persistent;
-
-import org.apache.curator.x.discovery.ServiceDiscoveryBuilder;
-import org.apache.curator.x.discovery.ServiceInstance;
-import org.apache.curator.x.discovery.details.InstanceSerializer;
-
-public class ServiceRegister {
-
- private HAContext haContext;
-
- public ServiceRegister(HAContext haContext) {
- this.haContext = haContext;
- }
-
- public void regService(String host, int port) throws Exception {
-
- haContext.startCuratorFramework();
- ServiceInstance<Void> serviceInstance = ServiceInstance.<Void>builder()
- .address(host)
- .port(port)
- .name(HAContext.SENTRY_SERVICE_REGISTER_NAMESPACE)
- .build();
-
- InstanceSerializer<Void> instanceSerializer = new FixedJsonInstanceSerializer<Void>(Void.class);
- ServiceDiscoveryBuilder.builder(Void.class)
- .basePath(HAContext.SENTRY_SERVICE_REGISTER_NAMESPACE)
- .client(haContext.getCuratorFramework())
- .serializer(instanceSerializer)
- .thisInstance(serviceInstance)
- .build()
- .start();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
deleted file mode 100644
index 9e7fca8..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ConfServlet.java
+++ /dev/null
@@ -1,69 +0,0 @@
-package org.apache.sentry.provider.db.service.thrift;
-
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-import java.io.IOException;
-import java.io.Writer;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.hadoop.conf.Configuration;
-
-/**
- * Servlet to print out all sentry configuration.
- */
-public class ConfServlet extends HttpServlet {
- public static final String CONF_CONTEXT_ATTRIBUTE = "sentry.conf";
- public static final String FORMAT_JSON = "json";
- public static final String FORMAT_XML = "xml";
- public static final String FORMAT_PARAM = "format";
- private static final long serialVersionUID = 1L;
-
- @Override
- public void doGet(HttpServletRequest request, HttpServletResponse response)
- throws ServletException, IOException {
- String format = request.getParameter(FORMAT_PARAM);
- if (format == null) {
- format = FORMAT_XML;
- }
-
- if (FORMAT_XML.equals(format)) {
- response.setContentType("text/xml; charset=utf-8");
- } else if (FORMAT_JSON.equals(format)) {
- response.setContentType("application/json; charset=utf-8");
- }
-
- Configuration conf = (Configuration)getServletContext().getAttribute(
- CONF_CONTEXT_ATTRIBUTE);
- assert conf != null;
-
- Writer out = response.getWriter();
- if (FORMAT_JSON.equals(format)) {
- Configuration.dumpConfiguration(conf, out);
- } else if (FORMAT_XML.equals(format)) {
- conf.writeXml(out);
- } else {
- response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad format: " + format);
- }
- out.close();
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandler.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandler.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandler.java
deleted file mode 100644
index b1a4b7f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandler.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.provider.db.service.persistent.CommitContext;
-
-/**
- * Users wishing to be notified when a metadata changing event occurs
- * should extend this abstract class. All methods which modify the underlying
- * metadata in SentryPolicyStoreProcessor will have a corresponding method
- * on this class. Each method will contain a copy of the request and response
- * object. Therefore any change to the request or response object will be ignored.
- * Additionally each method will be passed a CommitContext.
- *
- * Sub-classes should be thread-safe.
- */
-public abstract class NotificationHandler {
-
- private final Configuration config;
-
- public NotificationHandler(Configuration config) throws Exception {
- this.config = config;
- }
-
- protected Configuration getConf() {
- return config;
- }
-
- public void create_sentry_role(CommitContext context,
- TCreateSentryRoleRequest request, TCreateSentryRoleResponse response) {
- }
-
- public void drop_sentry_role(CommitContext context, TDropSentryRoleRequest request,
- TDropSentryRoleResponse response) {
- }
-
- public void alter_sentry_role_grant_privilege(CommitContext context, TAlterSentryRoleGrantPrivilegeRequest request,
- TAlterSentryRoleGrantPrivilegeResponse response) {
- }
-
- public void alter_sentry_role_revoke_privilege(CommitContext context, TAlterSentryRoleRevokePrivilegeRequest request,
- TAlterSentryRoleRevokePrivilegeResponse response) {
- }
-
- public void alter_sentry_role_add_groups(CommitContext context,
- TAlterSentryRoleAddGroupsRequest request,
- TAlterSentryRoleAddGroupsResponse response) {
- }
-
- public void alter_sentry_role_delete_groups(
- CommitContext context, TAlterSentryRoleDeleteGroupsRequest request,
- TAlterSentryRoleDeleteGroupsResponse response) {
- }
-
- public void alter_sentry_role_add_users(CommitContext context,
- TAlterSentryRoleAddUsersRequest request, TAlterSentryRoleAddUsersResponse response) {
- }
-
- public void alter_sentry_role_delete_users(CommitContext context,
- TAlterSentryRoleDeleteUsersRequest request, TAlterSentryRoleDeleteUsersResponse response) {
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandlerInvoker.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandlerInvoker.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandlerInvoker.java
deleted file mode 100644
index 856ef9a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/NotificationHandlerInvoker.java
+++ /dev/null
@@ -1,176 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import java.util.List;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.provider.db.service.persistent.CommitContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.ImmutableList;
-
-/**
- * Invokes configured instances of NotificationHandler. Importantly
- * NotificationHandler's each receive a copy of the request and
- * response thrift objects from each successful request.
- */
-public class NotificationHandlerInvoker extends NotificationHandler {
- private static final Logger LOGGER = LoggerFactory.getLogger(NotificationHandlerInvoker.class);
-
- private final ImmutableList<NotificationHandler> handlers;
-
- public NotificationHandlerInvoker(Configuration conf, NotificationHandler handler)
- throws Exception {
- this(conf, ImmutableList.of(handler));
- }
-
- public NotificationHandlerInvoker(Configuration conf, List<NotificationHandler> handlers)
- throws Exception {
- super(conf);
- this.handlers = ImmutableList.copyOf(handlers);
- }
-
- @Override
- public void create_sentry_role(CommitContext context,
- TCreateSentryRoleRequest request, TCreateSentryRoleResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.create_sentry_role(context, new TCreateSentryRoleRequest(request),
- new TCreateSentryRoleResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
-
- @Override
- public void drop_sentry_role(CommitContext context, TDropSentryRoleRequest request,
- TDropSentryRoleResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.drop_sentry_role(context, new TDropSentryRoleRequest(request),
- new TDropSentryRoleResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
-
- @Override
- public void alter_sentry_role_grant_privilege(CommitContext context,
- TAlterSentryRoleGrantPrivilegeRequest request,
- TAlterSentryRoleGrantPrivilegeResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.alter_sentry_role_grant_privilege(context,
- new TAlterSentryRoleGrantPrivilegeRequest(request),
- new TAlterSentryRoleGrantPrivilegeResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
-
- @Override
- public void alter_sentry_role_revoke_privilege(CommitContext context,
- TAlterSentryRoleRevokePrivilegeRequest request,
- TAlterSentryRoleRevokePrivilegeResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.alter_sentry_role_revoke_privilege(context,
- new TAlterSentryRoleRevokePrivilegeRequest(request),
- new TAlterSentryRoleRevokePrivilegeResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
-
- @Override
- public void alter_sentry_role_add_groups(CommitContext context,
- TAlterSentryRoleAddGroupsRequest request,
- TAlterSentryRoleAddGroupsResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.alter_sentry_role_add_groups(context, new TAlterSentryRoleAddGroupsRequest(request),
- new TAlterSentryRoleAddGroupsResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
-
- @Override
- public void alter_sentry_role_delete_groups(
- CommitContext context, TAlterSentryRoleDeleteGroupsRequest request,
- TAlterSentryRoleDeleteGroupsResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.alter_sentry_role_delete_groups(context, new TAlterSentryRoleDeleteGroupsRequest(request),
- new TAlterSentryRoleDeleteGroupsResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: "
- + request + ", Response: " + response, ex);
- }
- }
- }
-
- @Override
- public void alter_sentry_role_add_users(CommitContext context,
- TAlterSentryRoleAddUsersRequest request, TAlterSentryRoleAddUsersResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.alter_sentry_role_add_users(context, new TAlterSentryRoleAddUsersRequest(request),
- new TAlterSentryRoleAddUsersResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: " + request + ", Response: "
- + response, ex);
- }
- }
- }
-
- @Override
- public void alter_sentry_role_delete_users(CommitContext context,
- TAlterSentryRoleDeleteUsersRequest request, TAlterSentryRoleDeleteUsersResponse response) {
- for (NotificationHandler handler : handlers) {
- try {
- LOGGER.debug("Calling " + handler);
- handler.alter_sentry_role_delete_users(context, new TAlterSentryRoleDeleteUsersRequest(
- request), new TAlterSentryRoleDeleteUsersResponse(response));
- } catch (Exception ex) {
- LOGGER.error("Unexpected error in " + handler + ". Request: " + request + ", Response: "
- + response, ex);
- }
- }
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/PolicyStoreConstants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/PolicyStoreConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/PolicyStoreConstants.java
deleted file mode 100644
index 8cf1c1a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/PolicyStoreConstants.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-public final class PolicyStoreConstants {
- public static final String SENTRY_GENERIC_POLICY_NOTIFICATION = "sentry.generic.policy.notification";
- public static final String SENTRY_GENERIC_POLICY_STORE = "sentry.generic.policy.store";
- public static final String SENTRY_GENERIC_POLICY_STORE_DEFAULT =
- "org.apache.sentry.provider.db.generic.service.persistent.DelegateSentryStore";
- public static class PolicyStoreServerConfig {
- public static final String NOTIFICATION_HANDLERS = "sentry.policy.store.notification.handlers";
- }
-
- private PolicyStoreConstants() {
- // Make constructor private to avoid instantiation
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
deleted file mode 100644
index c1cfc1b..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import java.io.IOException;
-import java.util.Enumeration;
-import java.util.Properties;
-import java.util.Set;
-
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
-import org.apache.hadoop.util.StringUtils;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.Sets;
-
-/**
- * SentryAuthFilter is a subclass of AuthenticationFilter,
- * add authorization: Only allowed users could connect the web server.
- */
-public class SentryAuthFilter extends AuthenticationFilter {
-
- private static final Logger LOG = LoggerFactory.getLogger(SentryAuthFilter.class);
-
- public static final String ALLOW_WEB_CONNECT_USERS = ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS;
-
- private Set<String> allowUsers;
-
- @Override
- protected void doFilter(FilterChain filterChain, HttpServletRequest request,
- HttpServletResponse response) throws IOException, ServletException {
- String userName = request.getRemoteUser();
- LOG.debug("Authenticating user: " + userName + " from request.");
- if (!allowUsers.contains(userName)) {
- response.sendError(HttpServletResponse.SC_FORBIDDEN,
- "Unauthorized user status code: " + HttpServletResponse.SC_FORBIDDEN);
- throw new ServletException(userName + " is unauthorized. status code: " + HttpServletResponse.SC_FORBIDDEN);
- }
- super.doFilter(filterChain, request, response);
- }
-
- /**
- * Override <code>getConfiguration<code> to get <code>ALLOW_WEB_CONNECT_USERS<code>.
- */
- @Override
- protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) throws ServletException {
- Properties props = new Properties();
- Enumeration<?> names = filterConfig.getInitParameterNames();
- while (names.hasMoreElements()) {
- String name = (String) names.nextElement();
- if (name.startsWith(configPrefix)) {
- String value = filterConfig.getInitParameter(name);
- if (ALLOW_WEB_CONNECT_USERS.equals(name)) {
- allowUsers = parseConnectUsersFromConf(value);
- } else {
- props.put(name.substring(configPrefix.length()), value);
- }
- }
- }
- return props;
- }
-
- private static Set<String> parseConnectUsersFromConf(String value) {
- String lcValue = value;
- if (lcValue != null) {
- lcValue = lcValue.toLowerCase();
- }
- return Sets.newHashSet(StringUtils.getStrings(lcValue));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryHealthCheckServletContextListener.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryHealthCheckServletContextListener.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryHealthCheckServletContextListener.java
deleted file mode 100644
index 8822c2e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryHealthCheckServletContextListener.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import com.codahale.metrics.health.HealthCheckRegistry;
-import com.codahale.metrics.servlets.HealthCheckServlet;
-
-/**
- * Use this class's registry to register health checks: Can be some tests which make sure Sentry service is healthy
- */
-public class SentryHealthCheckServletContextListener extends HealthCheckServlet.ContextListener {
-
- //This is just a place holder for health check registry, with out this AdminServlet throws out an error
- public static final HealthCheckRegistry HEALTH_CHECK_REGISTRY = new HealthCheckRegistry();
-
- @Override
- protected HealthCheckRegistry getHealthCheckRegistry() {
- return HEALTH_CHECK_REGISTRY;
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetrics.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetrics.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetrics.java
deleted file mode 100644
index c6d4d02..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetrics.java
+++ /dev/null
@@ -1,162 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import com.codahale.metrics.ConsoleReporter;
-import com.codahale.metrics.Counter;
-import com.codahale.metrics.Gauge;
-import com.codahale.metrics.Histogram;
-import com.codahale.metrics.JmxReporter;
-import com.codahale.metrics.Metric;
-import com.codahale.metrics.MetricRegistry;
-import com.codahale.metrics.MetricSet;
-import com.codahale.metrics.Timer;
-import com.codahale.metrics.jvm.BufferPoolMetricSet;
-import com.codahale.metrics.jvm.GarbageCollectorMetricSet;
-import com.codahale.metrics.jvm.MemoryUsageGaugeSet;
-import com.codahale.metrics.jvm.ThreadStatesGaugeSet;
-import org.apache.sentry.provider.db.service.persistent.SentryStore;
-
-import java.lang.management.ManagementFactory;
-import java.util.Map;
-import java.util.concurrent.TimeUnit;
-
-/**
- * A singleton class which holds metrics related utility functions as well as the list of metrics
- */
-public final class SentryMetrics {
- private static SentryMetrics sentryMetrics = null;
- private boolean reportingInitialized = false;
- private boolean gaugesAdded = false;
-
- public final Timer createRoleTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
- MetricRegistry.name(SentryPolicyStoreProcessor.class, "create-role"));
- public final Timer dropRoleTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
- MetricRegistry.name(SentryPolicyStoreProcessor.class, "drop-role"));
- public final Timer grantRoleTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
- MetricRegistry.name(SentryPolicyStoreProcessor.class, "grant-role"));
- public final Timer revokeRoleTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
- MetricRegistry.name(SentryPolicyStoreProcessor.class, "revoke-role"));
- public final Timer grantTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
- MetricRegistry.name(SentryPolicyStoreProcessor.class, "grant-privilege"));
- public final Timer revokeTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
- MetricRegistry.name(SentryPolicyStoreProcessor.class, "revoke-privilege"));
-
- public final Timer dropPrivilegeTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
- MetricRegistry.name(SentryPolicyStoreProcessor.class, "drop-privilege"));
- public final Timer renamePrivilegeTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
- MetricRegistry.name(SentryPolicyStoreProcessor.class, "rename-privilege"));
-
- public final Timer listRolesByGroupTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
- MetricRegistry.name(SentryPolicyStoreProcessor.class, "list-roles-by-group"));
- public final Timer listPrivilegesByRoleTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
- MetricRegistry.name(SentryPolicyStoreProcessor.class, "list-privileges-by-role"));
- public final Timer listPrivilegesForProviderTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
- MetricRegistry.name(SentryPolicyStoreProcessor.class, "list-privileges-for-provider"));
- public final Timer listPrivilegesByAuthorizableTimer = SentryMetricsServletContextListener.METRIC_REGISTRY.timer(
- MetricRegistry.name(SentryPolicyStoreProcessor.class, "list-privileges-by-authorizable"));
-
- /**
- * Return a Timer with name.
- */
- public Timer getTimer(String name) {
- return SentryMetricsServletContextListener.METRIC_REGISTRY.timer(name);
- }
-
- /**
- * Return a Histogram with name.
- */
- public Histogram getHistogram(String name) {
- return SentryMetricsServletContextListener.METRIC_REGISTRY.histogram(name);
- }
-
- /**
- * Return a Counter with name.
- */
- public Counter getCounter(String name) {
- return SentryMetricsServletContextListener.METRIC_REGISTRY.counter(name);
- }
-
- private SentryMetrics() {
- registerMetricSet("gc", new GarbageCollectorMetricSet(), SentryMetricsServletContextListener.METRIC_REGISTRY);
- registerMetricSet("buffers", new BufferPoolMetricSet(ManagementFactory.getPlatformMBeanServer()),
- SentryMetricsServletContextListener.METRIC_REGISTRY);
- registerMetricSet("memory", new MemoryUsageGaugeSet(), SentryMetricsServletContextListener.METRIC_REGISTRY);
- registerMetricSet("threads", new ThreadStatesGaugeSet(), SentryMetricsServletContextListener.METRIC_REGISTRY);
- }
-
- public static synchronized SentryMetrics getInstance() {
- if (sentryMetrics == null) {
- sentryMetrics = new SentryMetrics();
- }
- return sentryMetrics;
- }
-
- public void addSentryStoreGauges(SentryStore sentryStore) {
- if(!gaugesAdded) {
- addGauge(SentryStore.class, "role_count", sentryStore.getRoleCountGauge());
- addGauge(SentryStore.class, "privilege_count", sentryStore.getPrivilegeCountGauge());
- addGauge(SentryStore.class, "group_count", sentryStore.getGroupCountGauge());
- gaugesAdded = true;
- }
- }
-
-
- /* Should be only called once to initialize the reporters
- */
- public synchronized void initReporting(Reporting reporting) {
- if(!reportingInitialized) {
- switch(reporting) {
- case CONSOLE:
- final ConsoleReporter consoleReporter = ConsoleReporter.forRegistry(SentryMetricsServletContextListener.METRIC_REGISTRY)
- .convertRatesTo(TimeUnit.SECONDS)
- .convertDurationsTo(TimeUnit.MILLISECONDS)
- .build();
- consoleReporter.start(1, TimeUnit.SECONDS);
- break;
- case JMX:
- final JmxReporter jmxReporter = JmxReporter.forRegistry(SentryMetricsServletContextListener.METRIC_REGISTRY)
- .convertRatesTo(TimeUnit.SECONDS)
- .convertDurationsTo(TimeUnit.MILLISECONDS)
- .build();
- jmxReporter.start();
- break;
- }
- }
- }
-
- private <T, V> void addGauge(Class<T> tClass, String gaugeName, Gauge<V> gauge) {
- SentryMetricsServletContextListener.METRIC_REGISTRY.register(
- MetricRegistry.name(tClass, gaugeName), gauge);
- }
-
- private void registerMetricSet(String prefix, MetricSet metricSet, MetricRegistry registry) {
- for (Map.Entry<String, Metric> entry : metricSet.getMetrics().entrySet()) {
- if (entry.getValue() instanceof MetricSet) {
- registerMetricSet(prefix + "." + entry.getKey(), (MetricSet) entry.getValue(), registry);
- } else {
- registry.register(prefix + "." + entry.getKey(), entry.getValue());
- }
- }
- }
-
- public enum Reporting {
- JMX,
- CONSOLE;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetricsServletContextListener.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetricsServletContextListener.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetricsServletContextListener.java
deleted file mode 100644
index 6692197..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryMetricsServletContextListener.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import com.codahale.metrics.MetricRegistry;
-import com.codahale.metrics.servlets.MetricsServlet;
-
-public class SentryMetricsServletContextListener extends MetricsServlet.ContextListener {
-
- public static final MetricRegistry METRIC_REGISTRY = new MetricRegistry();
-
- @Override
- protected MetricRegistry getMetricRegistry() {
- return METRIC_REGISTRY;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
index 1039e6e..ffa461a 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
@@ -172,7 +172,7 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService
ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
TMultiplexedProtocol protocol = new TMultiplexedProtocol(
new TBinaryProtocol(transport, maxMessageSize, maxMessageSize, true, true),
- SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME);
+ ServiceConstants.SENTRY_POLICY_SERVICE_NAME);
client = new SentryPolicyService.Client(protocol);
LOGGER.debug("Successfully created client");
}
[34/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql
deleted file mode 100644
index fb26770..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql
+++ /dev/null
@@ -1,182 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
-START TRANSACTION;
-
-SET statement_timeout = 0;
-SET client_encoding = 'UTF8';
-SET standard_conforming_strings = off;
-SET check_function_bodies = false;
-SET client_min_messages = warning;
-SET escape_string_warning = off;
-SET search_path = public, pg_catalog;
-SET default_tablespace = '';
-SET default_with_oids = false;
-
-CREATE TABLE "SENTRY_DB_PRIVILEGE" (
- "DB_PRIVILEGE_ID" BIGINT NOT NULL,
- "PRIVILEGE_SCOPE" character varying(32) NOT NULL,
- "SERVER_NAME" character varying(128) NOT NULL,
- "DB_NAME" character varying(128) DEFAULT '__NULL__',
- "TABLE_NAME" character varying(128) DEFAULT '__NULL__',
- "COLUMN_NAME" character varying(128) DEFAULT '__NULL__',
- "URI" character varying(4000) DEFAULT '__NULL__',
- "ACTION" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE" (
- "ROLE_ID" BIGINT NOT NULL,
- "ROLE_NAME" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL
-);
-
-CREATE TABLE "SENTRY_GROUP" (
- "GROUP_ID" BIGINT NOT NULL,
- "GROUP_NAME" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "DB_PRIVILEGE_ID" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" character varying(128)
-);
-
-CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "GROUP_ID" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" character varying(128)
-);
-
-CREATE TABLE "SENTRY_VERSION" (
- "VER_ID" bigint,
- "SCHEMA_VERSION" character varying(127) NOT NULL,
- "VERSION_COMMENT" character varying(255) NOT NULL
-);
-
-
-ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
-
-ALTER TABLE ONLY "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
-
-ALTER TABLE ONLY "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
-
-ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
-
-ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME");
-
-CREATE INDEX "SENTRY_PRIV_DB_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("DB_NAME");
-
-CREATE INDEX "SENTRY_PRIV_TBL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("TABLE_NAME");
-
-CREATE INDEX "SENTRY_PRIV_COL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("COLUMN_NAME");
-
-CREATE INDEX "SENTRY_PRIV_URI_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("URI");
-
-ALTER TABLE ONLY "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
-
-ALTER TABLE ONLY "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_DB_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
-
-ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
- FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") DEFERRABLE;
-
-INSERT INTO "SENTRY_VERSION" ("VER_ID", "SCHEMA_VERSION", "VERSION_COMMENT") VALUES (1, '1.5.0', 'Sentry release version 1.5.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE "SENTRY_GM_PRIVILEGE" (
- "GM_PRIVILEGE_ID" BIGINT NOT NULL,
- "COMPONENT_NAME" character varying(32) NOT NULL,
- "SERVICE_NAME" character varying(64) NOT NULL,
- "RESOURCE_NAME_0" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_1" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_2" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_3" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_0" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_1" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_2" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_3" character varying(64) DEFAULT '__NULL__',
- "ACTION" character varying(32) NOT NULL,
- "SCOPE" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) NOT NULL
-);
-ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
- "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("COMPONENT_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("SERVICE_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "GM_PRIVILEGE_ID" BIGINT NOT NULL
-);
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GM_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") DEFERRABLE;
-
-COMMIT;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.6.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.6.0.sql
deleted file mode 100644
index 62edf3e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.6.0.sql
+++ /dev/null
@@ -1,182 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
-START TRANSACTION;
-
-SET statement_timeout = 0;
-SET client_encoding = 'UTF8';
-SET standard_conforming_strings = off;
-SET check_function_bodies = false;
-SET client_min_messages = warning;
-SET escape_string_warning = off;
-SET search_path = public, pg_catalog;
-SET default_tablespace = '';
-SET default_with_oids = false;
-
-CREATE TABLE "SENTRY_DB_PRIVILEGE" (
- "DB_PRIVILEGE_ID" BIGINT NOT NULL,
- "PRIVILEGE_SCOPE" character varying(32) NOT NULL,
- "SERVER_NAME" character varying(128) NOT NULL,
- "DB_NAME" character varying(128) DEFAULT '__NULL__',
- "TABLE_NAME" character varying(128) DEFAULT '__NULL__',
- "COLUMN_NAME" character varying(128) DEFAULT '__NULL__',
- "URI" character varying(4000) DEFAULT '__NULL__',
- "ACTION" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE" (
- "ROLE_ID" BIGINT NOT NULL,
- "ROLE_NAME" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL
-);
-
-CREATE TABLE "SENTRY_GROUP" (
- "GROUP_ID" BIGINT NOT NULL,
- "GROUP_NAME" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "DB_PRIVILEGE_ID" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" character varying(128)
-);
-
-CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "GROUP_ID" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" character varying(128)
-);
-
-CREATE TABLE "SENTRY_VERSION" (
- "VER_ID" bigint,
- "SCHEMA_VERSION" character varying(127) NOT NULL,
- "VERSION_COMMENT" character varying(255) NOT NULL
-);
-
-
-ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
-
-ALTER TABLE ONLY "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
-
-ALTER TABLE ONLY "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
-
-ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
-
-ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME");
-
-CREATE INDEX "SENTRY_PRIV_DB_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("DB_NAME");
-
-CREATE INDEX "SENTRY_PRIV_TBL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("TABLE_NAME");
-
-CREATE INDEX "SENTRY_PRIV_COL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("COLUMN_NAME");
-
-CREATE INDEX "SENTRY_PRIV_URI_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("URI");
-
-ALTER TABLE ONLY "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
-
-ALTER TABLE ONLY "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_DB_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
-
-ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
- FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") DEFERRABLE;
-
-INSERT INTO "SENTRY_VERSION" ("VER_ID", "SCHEMA_VERSION", "VERSION_COMMENT") VALUES (1, '1.6.0', 'Sentry release version 1.6.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE "SENTRY_GM_PRIVILEGE" (
- "GM_PRIVILEGE_ID" BIGINT NOT NULL,
- "COMPONENT_NAME" character varying(32) NOT NULL,
- "SERVICE_NAME" character varying(64) NOT NULL,
- "RESOURCE_NAME_0" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_1" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_2" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_3" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_0" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_1" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_2" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_3" character varying(64) DEFAULT '__NULL__',
- "ACTION" character varying(32) NOT NULL,
- "SCOPE" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) NOT NULL
-);
-ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
- "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("COMPONENT_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("SERVICE_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "GM_PRIVILEGE_ID" BIGINT NOT NULL
-);
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GM_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") DEFERRABLE;
-
-COMMIT;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.7.0.sql
deleted file mode 100644
index 9f4f85b..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.7.0.sql
+++ /dev/null
@@ -1,182 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
-START TRANSACTION;
-
-SET statement_timeout = 0;
-SET client_encoding = 'UTF8';
-SET standard_conforming_strings = off;
-SET check_function_bodies = false;
-SET client_min_messages = warning;
-SET escape_string_warning = off;
-SET search_path = public, pg_catalog;
-SET default_tablespace = '';
-SET default_with_oids = false;
-
-CREATE TABLE "SENTRY_DB_PRIVILEGE" (
- "DB_PRIVILEGE_ID" BIGINT NOT NULL,
- "PRIVILEGE_SCOPE" character varying(32) NOT NULL,
- "SERVER_NAME" character varying(128) NOT NULL,
- "DB_NAME" character varying(128) DEFAULT '__NULL__',
- "TABLE_NAME" character varying(128) DEFAULT '__NULL__',
- "COLUMN_NAME" character varying(128) DEFAULT '__NULL__',
- "URI" character varying(4000) DEFAULT '__NULL__',
- "ACTION" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE" (
- "ROLE_ID" BIGINT NOT NULL,
- "ROLE_NAME" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL
-);
-
-CREATE TABLE "SENTRY_GROUP" (
- "GROUP_ID" BIGINT NOT NULL,
- "GROUP_NAME" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "DB_PRIVILEGE_ID" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" character varying(128)
-);
-
-CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "GROUP_ID" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" character varying(128)
-);
-
-CREATE TABLE "SENTRY_VERSION" (
- "VER_ID" bigint,
- "SCHEMA_VERSION" character varying(127) NOT NULL,
- "VERSION_COMMENT" character varying(255) NOT NULL
-);
-
-
-ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
-
-ALTER TABLE ONLY "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
-
-ALTER TABLE ONLY "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
-
-ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
-
-ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME");
-
-CREATE INDEX "SENTRY_PRIV_DB_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("DB_NAME");
-
-CREATE INDEX "SENTRY_PRIV_TBL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("TABLE_NAME");
-
-CREATE INDEX "SENTRY_PRIV_COL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("COLUMN_NAME");
-
-CREATE INDEX "SENTRY_PRIV_URI_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("URI");
-
-ALTER TABLE ONLY "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
-
-ALTER TABLE ONLY "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_DB_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
-
-ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
- FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") DEFERRABLE;
-
-INSERT INTO "SENTRY_VERSION" ("VER_ID", "SCHEMA_VERSION", "VERSION_COMMENT") VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE "SENTRY_GM_PRIVILEGE" (
- "GM_PRIVILEGE_ID" BIGINT NOT NULL,
- "COMPONENT_NAME" character varying(32) NOT NULL,
- "SERVICE_NAME" character varying(64) NOT NULL,
- "RESOURCE_NAME_0" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_1" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_2" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_3" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_0" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_1" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_2" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_3" character varying(64) DEFAULT '__NULL__',
- "ACTION" character varying(32) NOT NULL,
- "SCOPE" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) NOT NULL
-);
-ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
- "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("COMPONENT_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("SERVICE_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "GM_PRIVILEGE_ID" BIGINT NOT NULL
-);
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GM_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") DEFERRABLE;
-
-COMMIT;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.8.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.8.0.sql
deleted file mode 100644
index 6d56332..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.8.0.sql
+++ /dev/null
@@ -1,211 +0,0 @@
---Licensed to the Apache Software Foundation (ASF) under one or more
---contributor license agreements. See the NOTICE file distributed with
---this work for additional information regarding copyright ownership.
---The ASF licenses this file to You under the Apache License, Version 2.0
---(the "License"); you may not use this file except in compliance with
---the License. You may obtain a copy of the License at
---
--- http://www.apache.org/licenses/LICENSE-2.0
---
---Unless required by applicable law or agreed to in writing, software
---distributed under the License is distributed on an "AS IS" BASIS,
---WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
---See the License for the specific language governing permissions and
---limitations under the License.
-
-START TRANSACTION;
-
-SET statement_timeout = 0;
-SET client_encoding = 'UTF8';
-SET standard_conforming_strings = off;
-SET check_function_bodies = false;
-SET client_min_messages = warning;
-SET escape_string_warning = off;
-SET search_path = public, pg_catalog;
-SET default_tablespace = '';
-SET default_with_oids = false;
-
-CREATE TABLE "SENTRY_DB_PRIVILEGE" (
- "DB_PRIVILEGE_ID" BIGINT NOT NULL,
- "PRIVILEGE_SCOPE" character varying(32) NOT NULL,
- "SERVER_NAME" character varying(128) NOT NULL,
- "DB_NAME" character varying(128) DEFAULT '__NULL__',
- "TABLE_NAME" character varying(128) DEFAULT '__NULL__',
- "COLUMN_NAME" character varying(128) DEFAULT '__NULL__',
- "URI" character varying(4000) DEFAULT '__NULL__',
- "ACTION" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE" (
- "ROLE_ID" BIGINT NOT NULL,
- "ROLE_NAME" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL
-);
-
-CREATE TABLE "SENTRY_GROUP" (
- "GROUP_ID" BIGINT NOT NULL,
- "GROUP_NAME" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL
-);
-
-CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "DB_PRIVILEGE_ID" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" character varying(128)
-);
-
-CREATE TABLE "SENTRY_ROLE_GROUP_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "GROUP_ID" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" character varying(128)
-);
-
-CREATE TABLE "SENTRY_VERSION" (
- "VER_ID" bigint,
- "SCHEMA_VERSION" character varying(127) NOT NULL,
- "VERSION_COMMENT" character varying(255) NOT NULL
-);
-
-
-ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID");
-
-ALTER TABLE ONLY "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID");
-
-ALTER TABLE ONLY "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID");
-
-ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID");
-
-ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME");
-
-CREATE INDEX "SENTRY_PRIV_DB_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("DB_NAME");
-
-CREATE INDEX "SENTRY_PRIV_TBL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("TABLE_NAME");
-
-CREATE INDEX "SENTRY_PRIV_COL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("COLUMN_NAME");
-
-CREATE INDEX "SENTRY_PRIV_URI_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("URI");
-
-ALTER TABLE ONLY "SENTRY_ROLE"
- ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME");
-
-ALTER TABLE ONLY "SENTRY_GROUP"
- ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME");
-
-ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_DB_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID");
-
-ALTER TABLE "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID");
-
-ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP"
- ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK"
- FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") DEFERRABLE;
-
-INSERT INTO "SENTRY_VERSION" ("VER_ID", "SCHEMA_VERSION", "VERSION_COMMENT") VALUES (1, '1.8.0', 'Sentry release version 1.8.0');
-
--- Generic Model
--- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-CREATE TABLE "SENTRY_GM_PRIVILEGE" (
- "GM_PRIVILEGE_ID" BIGINT NOT NULL,
- "COMPONENT_NAME" character varying(32) NOT NULL,
- "SERVICE_NAME" character varying(64) NOT NULL,
- "RESOURCE_NAME_0" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_1" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_2" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_NAME_3" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_0" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_1" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_2" character varying(64) DEFAULT '__NULL__',
- "RESOURCE_TYPE_3" character varying(64) DEFAULT '__NULL__',
- "ACTION" character varying(32) NOT NULL,
- "SCOPE" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL,
- "WITH_GRANT_OPTION" CHAR(1) NOT NULL
-);
-ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID");
--- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
-ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE"
- ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2",
- "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION");
-
-CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("COMPONENT_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("SERVICE_NAME");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_0","RESOURCE_TYPE_0");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_1","RESOURCE_TYPE_1");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_2","RESOURCE_TYPE_2");
-
-CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_3","RESOURCE_TYPE_3");
-
--- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
-CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "GM_PRIVILEGE_ID" BIGINT NOT NULL
-);
-
-ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_GM_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID");
-
--- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
-ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP"
- ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK"
- FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") DEFERRABLE;
-
-CREATE TABLE "SENTRY_USER" (
- "USER_ID" BIGINT NOT NULL,
- "USER_NAME" character varying(128) NOT NULL,
- "CREATE_TIME" BIGINT NOT NULL
-);
-
-ALTER TABLE ONLY "SENTRY_USER"
- ADD CONSTRAINT "SENTRY_USER_PK" PRIMARY KEY ("USER_ID");
-
-ALTER TABLE ONLY "SENTRY_USER"
- ADD CONSTRAINT "SENTRY_USER_USER_NAME_UNIQUE" UNIQUE ("USER_NAME");
-
-CREATE TABLE "SENTRY_ROLE_USER_MAP" (
- "ROLE_ID" BIGINT NOT NULL,
- "USER_ID" BIGINT NOT NULL,
- "GRANTOR_PRINCIPAL" character varying(128)
-);
-
-ALTER TABLE "SENTRY_ROLE_USER_MAP"
- ADD CONSTRAINT "SENTRY_ROLE_USER_MAP_PK" PRIMARY KEY ("ROLE_ID","USER_ID");
-
-ALTER TABLE ONLY "SENTRY_ROLE_USER_MAP"
- ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_ROLE_FK"
- FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
-
-ALTER TABLE ONLY "SENTRY_ROLE_USER_MAP"
- ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_USER_FK"
- FOREIGN KEY ("USER_ID") REFERENCES "SENTRY_USER"("USER_ID") DEFERRABLE;
-
-COMMIT;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql
deleted file mode 100644
index 26721c9..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql
+++ /dev/null
@@ -1,61 +0,0 @@
--- SENTRY-327
-ALTER TABLE SENTRY_DB_PRIVILEGE ADD WITH_GRANT_OPTION CHAR(1) NOT NULL;
-
--- SENTRY-339
-DROP INDEX SENTRYPRIVILEGENAME;
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME",URI,"ACTION",WITH_GRANT_OPTION);
-ALTER TABLE SENTRY_DB_PRIVILEGE DROP PRIVILEGE_NAME;
-
--- SENTRY-380
-ALTER TABLE `SENTRY_DB_PRIVILEGE` DROP `GRANTOR_PRINCIPAL`;
-ALTER TABLE `SENTRY_ROLE` DROP `GRANTOR_PRINCIPAL`;
-ALTER TABLE `SENTRY_GROUP` DROP `GRANTOR_PRINCIPAL`;
-
-ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` ADD `GRANTOR_PRINCIPAL` VARCHAR(128);
-ALTER TABLE `SENTRY_ROLE_GROUP_MAP` ADD `GRANTOR_PRINCIPAL` VARCHAR(128);
-
--- SENTRY-74
-ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD `COLUMN_NAME` CHAR(4000);
-DROP INDEX SENTRYPRIVILEGENAME;
-CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
-
--- SENTRY-398
-CREATE TABLE SENTRY_GM_PRIVILEGE
-(
- GM_PRIVILEGE_ID BIGINT NOT NULL,
- "ACTION" VARCHAR(40),
- COMPONENT_NAME VARCHAR(400),
- CREATE_TIME BIGINT NOT NULL,
- WITH_GRANT_OPTION CHAR(1),
- RESOURCE_NAME_0 VARCHAR(400),
- RESOURCE_NAME_1 VARCHAR(400),
- RESOURCE_NAME_2 VARCHAR(400),
- RESOURCE_NAME_3 VARCHAR(400),
- RESOURCE_TYPE_0 VARCHAR(400),
- RESOURCE_TYPE_1 VARCHAR(400),
- RESOURCE_TYPE_2 VARCHAR(400),
- RESOURCE_TYPE_3 VARCHAR(400),
- "SCOPE" VARCHAR(40),
- SERVICE_NAME VARCHAR(400)
-);
-ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
-
-CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
-
-CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
-(
- ROLE_ID BIGINT NOT NULL,
- GM_PRIVILEGE_ID BIGINT NOT NULL
-);
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
-
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
-
-ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
-
--- Version update
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.5.0-to-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.5.0-to-1.6.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.5.0-to-1.6.0.sql
deleted file mode 100644
index 5560d9f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.5.0-to-1.6.0.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- Version update
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.6.0', VERSION_COMMENT='Sentry release version 1.6.0' WHERE VER_ID=1;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.6.0-to-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.6.0-to-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.6.0-to-1.7.0.sql
deleted file mode 100644
index e2494a2..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.6.0-to-1.7.0.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- Version update
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.7.0', VERSION_COMMENT='Sentry release version 1.7.0' WHERE VER_ID=1;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.7.0-to-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.7.0-to-1.8.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.7.0-to-1.8.0.sql
deleted file mode 100644
index 927f302..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.7.0-to-1.8.0.sql
+++ /dev/null
@@ -1,31 +0,0 @@
--- SENTRY-711
-CREATE TABLE SENTRY_USER
-(
- USER_ID BIGINT NOT NULL generated always as identity (start with 1),
- CREATE_TIME BIGINT NOT NULL,
- USER_NAME VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_USER ADD CONSTRAINT SENTRY_USER_PK PRIMARY KEY (USER_ID);
-
-CREATE UNIQUE INDEX SENTRYUSERNAME ON SENTRY_USER (USER_NAME);
-
-CREATE TABLE SENTRY_ROLE_USER_MAP
-(
- USER_ID BIGINT NOT NULL,
- ROLE_ID BIGINT NOT NULL,
- GRANTOR_PRINCIPAL VARCHAR(128)
-);
-
-ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_PK PRIMARY KEY (USER_ID,ROLE_ID);
-
-CREATE INDEX SENTRY_ROLE_USER_MAP_N49 ON SENTRY_ROLE_USER_MAP (USER_ID);
-
-CREATE INDEX SENTRY_ROLE_USER_MAP_N50 ON SENTRY_ROLE_USER_MAP (ROLE_ID);
-
-ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
-
-ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK1 FOREIGN KEY (USER_ID) REFERENCES SENTRY_USER (USER_ID) ;
-
--- Version update
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.8.0', VERSION_COMMENT='Sentry release version 1.8.0' WHERE VER_ID=1;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql
deleted file mode 100644
index bc06849..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql
+++ /dev/null
@@ -1,8 +0,0 @@
-RUN '001-SENTRY-327.derby.sql';
-RUN '002-SENTRY-339.derby.sql';
-RUN '003-SENTRY-380.derby.sql';
-RUN '004-SENTRY-74.derby.sql';
-RUN '005-SENTRY-398.derby.sql';
-
--- Version update
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.5.0-to-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.5.0-to-1.6.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.5.0-to-1.6.0.sql
deleted file mode 100644
index 5560d9f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.5.0-to-1.6.0.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- Version update
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.6.0', VERSION_COMMENT='Sentry release version 1.6.0' WHERE VER_ID=1;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.6.0-to-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.6.0-to-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.6.0-to-1.7.0.sql
deleted file mode 100644
index e2494a2..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.6.0-to-1.7.0.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- Version update
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.7.0', VERSION_COMMENT='Sentry release version 1.7.0' WHERE VER_ID=1;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.7.0-to-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.7.0-to-1.8.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.7.0-to-1.8.0.sql
deleted file mode 100644
index fbe2dc8..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.7.0-to-1.8.0.sql
+++ /dev/null
@@ -1,4 +0,0 @@
-RUN '006-SENTRY-711.derby.sql';
-
--- Version update
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.8.0', VERSION_COMMENT='Sentry release version 1.8.0' WHERE VER_ID=1;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql
deleted file mode 100644
index a7bc9d0..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql
+++ /dev/null
@@ -1,10 +0,0 @@
-SELECT 'Upgrading Sentry store schema from 1.4.0 to 1.5.0' AS ' ';
-SOURCE 001-SENTRY-327.mysql.sql;
-SOURCE 002-SENTRY-339.mysql.sql;
-SOURCE 003-SENTRY-380.mysql.sql;
-SOURCE 004-SENTRY-74.mysql.sql;
-SOURCE 005-SENTRY-398.mysql.sql;
-
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1;
-SELECT 'Finish upgrading Sentry store schema from 1.4.0 to 1.5.0' AS ' ';
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.5.0-to-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.5.0-to-1.6.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.5.0-to-1.6.0.sql
deleted file mode 100644
index 352332c..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.5.0-to-1.6.0.sql
+++ /dev/null
@@ -1,5 +0,0 @@
-SELECT 'Upgrading Sentry store schema from 1.5.0 to 1.6.0' AS ' ';
-
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.6.0', VERSION_COMMENT='Sentry release version 1.6.0' WHERE VER_ID=1;
-
-SELECT 'Finish upgrading Sentry store schema from 1.5.0 to 1.6.0' AS ' ';
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.6.0-to-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.6.0-to-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.6.0-to-1.7.0.sql
deleted file mode 100644
index 3413ede..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.6.0-to-1.7.0.sql
+++ /dev/null
@@ -1,5 +0,0 @@
-SELECT 'Upgrading Sentry store schema from 1.6.0 to 1.7.0' AS ' ';
-
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.7.0', VERSION_COMMENT='Sentry release version 1.7.0' WHERE VER_ID=1;
-
-SELECT 'Finish upgrading Sentry store schema from 1.6.0 to 1.7.0' AS ' ';
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.7.0-to-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.7.0-to-1.8.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.7.0-to-1.8.0.sql
deleted file mode 100644
index f0df187..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.7.0-to-1.8.0.sql
+++ /dev/null
@@ -1,6 +0,0 @@
-SELECT 'Upgrading Sentry store schema from 1.7.0 to 1.8.0' AS ' ';
-SOURCE 006-SENTRY-711.mysql.sql;
-
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.8.0', VERSION_COMMENT='Sentry release version 1.8.0' WHERE VER_ID=1;
-
-SELECT 'Finish upgrading Sentry store schema from 1.7.0 to 1.8.0' AS ' ';
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql
deleted file mode 100644
index 9526366..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql
+++ /dev/null
@@ -1,9 +0,0 @@
-SELECT 'Upgrading Sentry store schema from 1.4.0 to 1.5.0' AS Status from dual;
-@001-SENTRY-327.oracle.sql;
-@002-SENTRY-339.oracle.sql;
-@003-SENTRY-380.oracle.sql;
-@004-SENTRY-74.oracle.sql;
-@005-SENTRY-398.oracle.sql;
-
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1;
-SELECT 'Finished upgrading Sentry store schema from 1.4.0 to 1.5.0' AS Status from dual;
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.5.0-to-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.5.0-to-1.6.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.5.0-to-1.6.0.sql
deleted file mode 100644
index 3437075..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.5.0-to-1.6.0.sql
+++ /dev/null
@@ -1,5 +0,0 @@
-SELECT 'Upgrading Sentry store schema from 1.5.0 to 1.6.0' AS Status from dual;
-
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.6.0', VERSION_COMMENT='Sentry release version 1.6.0' WHERE VER_ID=1;
-
-SELECT 'Finished upgrading Sentry store schema from 1.5.0 to 1.6.0' AS Status from dual;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.6.0-to-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.6.0-to-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.6.0-to-1.7.0.sql
deleted file mode 100644
index fa82c87..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.6.0-to-1.7.0.sql
+++ /dev/null
@@ -1,5 +0,0 @@
-SELECT 'Upgrading Sentry store schema from 1.6.0 to 1.7.0' AS Status from dual;
-
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.7.0', VERSION_COMMENT='Sentry release version 1.7.0' WHERE VER_ID=1;
-
-SELECT 'Finished upgrading Sentry store schema from 1.6.0 to 1.7.0' AS Status from dual;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.7.0-to-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.7.0-to-1.8.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.7.0-to-1.8.0.sql
deleted file mode 100644
index f1666be..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.7.0-to-1.8.0.sql
+++ /dev/null
@@ -1,6 +0,0 @@
-SELECT 'Upgrading Sentry store schema from 1.7.0 to 1.8.0' AS Status from dual;
-@006-SENTRY-711.oracle.sql;
-
-UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.8.0', VERSION_COMMENT='Sentry release version 1.8.0' WHERE VER_ID=1;
-
-SELECT 'Finished upgrading Sentry store schema from 1.7.0 to 1.8.0' AS Status from dual;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql
deleted file mode 100644
index 2f03d5e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql
+++ /dev/null
@@ -1,9 +0,0 @@
-SELECT 'Upgrading Sentry store schema from 1.4.0 to 1.5.0';
-\i 001-SENTRY-327.postgres.sql;
-\i 002-SENTRY-339.postgres.sql;
-\i 003-SENTRY-380.postgres.sql;
-\i 004-SENTRY-74.postgres.sql;
-\i 005-SENTRY-398.postgres.sql;
-
-UPDATE "SENTRY_VERSION" SET "SCHEMA_VERSION"='1.5.0', "VERSION_COMMENT"='Sentry release version 1.5.0' WHERE "VER_ID"=1;
-SELECT 'Finished upgrading Sentry store schema from 1.4.0 to 1.5.0';
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.5.0-to-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.5.0-to-1.6.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.5.0-to-1.6.0.sql
deleted file mode 100644
index 5982596..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.5.0-to-1.6.0.sql
+++ /dev/null
@@ -1,5 +0,0 @@
-SELECT 'Upgrading Sentry store schema from 1.5.0 to 1.6.0';
-
-UPDATE "SENTRY_VERSION" SET "SCHEMA_VERSION"='1.6.0', "VERSION_COMMENT"='Sentry release version 1.6.0' WHERE "VER_ID"=1;
-
-SELECT 'Finished upgrading Sentry store schema from 1.5.0 to 1.6.0';
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.6.0-to-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.6.0-to-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.6.0-to-1.7.0.sql
deleted file mode 100644
index ff10e10..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.6.0-to-1.7.0.sql
+++ /dev/null
@@ -1,5 +0,0 @@
-SELECT 'Upgrading Sentry store schema from 1.6.0 to 1.7.0';
-
-UPDATE "SENTRY_VERSION" SET "SCHEMA_VERSION"='1.7.0', "VERSION_COMMENT"='Sentry release version 1.7.0' WHERE "VER_ID"=1;
-
-SELECT 'Finished upgrading Sentry store schema from 1.6.0 to 1.7.0';
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.7.0-to-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.7.0-to-1.8.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.7.0-to-1.8.0.sql
deleted file mode 100644
index b39292d..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.7.0-to-1.8.0.sql
+++ /dev/null
@@ -1,6 +0,0 @@
-SELECT 'Upgrading Sentry store schema from 1.7.0 to 1.8.0';
-\i 006-SENTRY-711.postgres.sql;
-
-UPDATE "SENTRY_VERSION" SET "SCHEMA_VERSION"='1.8.0', "VERSION_COMMENT"='Sentry release version 1.8.0' WHERE "VER_ID"=1;
-
-SELECT 'Finished upgrading Sentry store schema from 1.7.0 to 1.8.0';
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.db2
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.db2 b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.db2
deleted file mode 100644
index 8da8c9c..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.db2
+++ /dev/null
@@ -1,4 +0,0 @@
-1.4.0-to-1.5.0
-1.5.0-to-1.6.0
-1.6.0-to-1.7.0
-1.7.0-to-1.8.0
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.derby
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.derby b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.derby
deleted file mode 100644
index 8da8c9c..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.derby
+++ /dev/null
@@ -1,4 +0,0 @@
-1.4.0-to-1.5.0
-1.5.0-to-1.6.0
-1.6.0-to-1.7.0
-1.7.0-to-1.8.0
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.mysql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.mysql b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.mysql
deleted file mode 100644
index 8da8c9c..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.mysql
+++ /dev/null
@@ -1,4 +0,0 @@
-1.4.0-to-1.5.0
-1.5.0-to-1.6.0
-1.6.0-to-1.7.0
-1.7.0-to-1.8.0
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.oracle
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.oracle b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.oracle
deleted file mode 100644
index 8da8c9c..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.oracle
+++ /dev/null
@@ -1,4 +0,0 @@
-1.4.0-to-1.5.0
-1.5.0-to-1.6.0
-1.6.0-to-1.7.0
-1.7.0-to-1.8.0
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.postgres
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.postgres b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.postgres
deleted file mode 100644
index 8da8c9c..0000000
--- a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.postgres
+++ /dev/null
@@ -1,4 +0,0 @@
-1.4.0-to-1.5.0
-1.5.0-to-1.6.0
-1.6.0-to-1.7.0
-1.7.0-to-1.8.0
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/webapp/SentryService.html
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/webapp/SentryService.html b/sentry-provider/sentry-provider-db/src/main/webapp/SentryService.html
deleted file mode 100644
index 9eb5f0e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/webapp/SentryService.html
+++ /dev/null
@@ -1,61 +0,0 @@
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-<!DOCTYPE HTML>
-<html lang="en">
- <head>
- <meta charset="utf-8">
- <title>Sentry Service</title>
- <meta name="viewport" content="width=device-width, initial-scale=1.0">
- <meta name="description" content="">
- <link href="css/bootstrap.min.css" rel="stylesheet">
- <link href="css/bootstrap-theme.min.css" rel="stylesheet">
- <link href="css/sentry.css" rel="stylesheet">
- </head>
-
- <body>
- <nav class="navbar navbar-default navbar-fixed-top">
- <div class="container">
- <div class="navbar-header">
- <a class="navbar-brand" href="#"><img src="sentry.png" alt="Sentry Logo"/></a>
- </div>
- <div class="collapse navbar-collapse">
- <ul class="nav navbar-nav">
- <li class="active"><a href="#">Home</a></li>
- <li><a href="/metrics?pretty=true">Metrics</a></li>
- <li><a href="/threads">Threads</a></li>
- <li><a href="/conf">Configuration</a></li>
- </ul>
- </div>
- </div>
- </nav>
-
- <div class="container">
- <div class="page-header"><h2>Sentry Service</h2></div>
- <ul>
- <li><a href="/metrics?pretty=true">Metrics</a></li>
- <li><a href="/threads">Threads</a></li>
- <li><a href="/conf">Configuration</a></li>
- </ul>
- </div>
-
- <footer class="footer">
- <div class="container">
- <p class="text-muted">SENTRY 1.8.0-SNAPSHOT</p>
- </div>
- </footer>
- </body>
-</html>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/main/webapp/css/bootstrap-theme.min.css
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/webapp/css/bootstrap-theme.min.css b/sentry-provider/sentry-provider-db/src/main/webapp/css/bootstrap-theme.min.css
deleted file mode 100644
index c31428b..0000000
--- a/sentry-provider/sentry-provider-db/src/main/webapp/css/bootstrap-theme.min.css
+++ /dev/null
@@ -1,10 +0,0 @@
-/*!
- * Bootstrap v3.0.0
- *
- * Copyright 2013 Twitter, Inc
- * Licensed under the Apache License v2.0
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Designed and built with all the love in the world by @mdo and @fat.
- */
-.btn-default,.btn-primary,.btn-success,.btn-info,.btn-warning,.btn-danger{text-shadow:0 -1px 0 rgba(0,0,0,0.2);-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.15),0 1px 1px rgba(0,0,0,0.075);box-shadow:inset 0 1px 0 rgba(255,255,255,0.15),0 1px 1px rgba(0,0,0,0.075)}.btn-default:active,.btn-primary:active,.btn-success:active,.btn-info:active,.btn-warning:active,.btn-danger:active,.btn-default.active,.btn-primary.active,.btn-success.active,.btn-info.active,.btn-warning.active,.btn-danger.active{-webkit-box-shadow:inset 0 3px 5px rgba(0,0,0,0.125);box-shadow:inset 0 3px 5px rgba(0,0,0,0.125)}.btn:active,.btn.active{background-image:none}.btn-default{text-shadow:0 1px 0 #fff;background-image:-webkit-gradient(linear,left 0,left 100%,from(#fff),to(#e6e6e6));background-image:-webkit-linear-gradient(top,#fff,0%,#e6e6e6,100%);background-image:-moz-linear-gradient(top,#fff 0,#e6e6e6 100%);background-image:linear-gradient(to bottom,#fff 0,#e6e6e6 100%);background-repeat:repeat-x;border-co
lor:#e0e0e0;border-color:#ccc;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff',endColorstr='#ffe6e6e6',GradientType=0)}.btn-default:active,.btn-default.active{background-color:#e6e6e6;border-color:#e0e0e0}.btn-primary{background-image:-webkit-gradient(linear,left 0,left 100%,from(#428bca),to(#3071a9));background-image:-webkit-linear-gradient(top,#428bca,0%,#3071a9,100%);background-image:-moz-linear-gradient(top,#428bca 0,#3071a9 100%);background-image:linear-gradient(to bottom,#428bca 0,#3071a9 100%);background-repeat:repeat-x;border-color:#2d6ca2;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff428bca',endColorstr='#ff3071a9',GradientType=0)}.btn-primary:active,.btn-primary.active{background-color:#3071a9;border-color:#2d6ca2}.btn-success{background-image:-webkit-gradient(linear,left 0,left 100%,from(#5cb85c),to(#449d44));background-image:-webkit-linear-gradient(top,#5cb85c,0%,#449d44,100%);background-image:-moz-linear-gradient(top,#5cb
85c 0,#449d44 100%);background-image:linear-gradient(to bottom,#5cb85c 0,#449d44 100%);background-repeat:repeat-x;border-color:#419641;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5cb85c',endColorstr='#ff449d44',GradientType=0)}.btn-success:active,.btn-success.active{background-color:#449d44;border-color:#419641}.btn-warning{background-image:-webkit-gradient(linear,left 0,left 100%,from(#f0ad4e),to(#ec971f));background-image:-webkit-linear-gradient(top,#f0ad4e,0%,#ec971f,100%);background-image:-moz-linear-gradient(top,#f0ad4e 0,#ec971f 100%);background-image:linear-gradient(to bottom,#f0ad4e 0,#ec971f 100%);background-repeat:repeat-x;border-color:#eb9316;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff0ad4e',endColorstr='#ffec971f',GradientType=0)}.btn-warning:active,.btn-warning.active{background-color:#ec971f;border-color:#eb9316}.btn-danger{background-image:-webkit-gradient(linear,left 0,left 100%,from(#d9534f),to(#c9302c));background-i
mage:-webkit-linear-gradient(top,#d9534f,0%,#c9302c,100%);background-image:-moz-linear-gradient(top,#d9534f 0,#c9302c 100%);background-image:linear-gradient(to bottom,#d9534f 0,#c9302c 100%);background-repeat:repeat-x;border-color:#c12e2a;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffd9534f',endColorstr='#ffc9302c',GradientType=0)}.btn-danger:active,.btn-danger.active{background-color:#c9302c;border-color:#c12e2a}.btn-info{background-image:-webkit-gradient(linear,left 0,left 100%,from(#5bc0de),to(#31b0d5));background-image:-webkit-linear-gradient(top,#5bc0de,0%,#31b0d5,100%);background-image:-moz-linear-gradient(top,#5bc0de 0,#31b0d5 100%);background-image:linear-gradient(to bottom,#5bc0de 0,#31b0d5 100%);background-repeat:repeat-x;border-color:#2aabd2;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5bc0de',endColorstr='#ff31b0d5',GradientType=0)}.btn-info:active,.btn-info.active{background-color:#31b0d5;border-color:#2aabd2}.thumbnail,.img-
thumbnail{-webkit-box-shadow:0 1px 2px rgba(0,0,0,0.075);box-shadow:0 1px 2px rgba(0,0,0,0.075)}.dropdown-menu>li>a:hover,.dropdown-menu>li>a:focus,.dropdown-menu>.active>a,.dropdown-menu>.active>a:hover,.dropdown-menu>.active>a:focus{background-color:#357ebd;background-image:-webkit-gradient(linear,left 0,left 100%,from(#428bca),to(#357ebd));background-image:-webkit-linear-gradient(top,#428bca,0%,#357ebd,100%);background-image:-moz-linear-gradient(top,#428bca 0,#357ebd 100%);background-image:linear-gradient(to bottom,#428bca 0,#357ebd 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff428bca',endColorstr='#ff357ebd',GradientType=0)}.navbar{background-image:-webkit-gradient(linear,left 0,left 100%,from(#fff),to(#f8f8f8));background-image:-webkit-linear-gradient(top,#fff,0%,#f8f8f8,100%);background-image:-moz-linear-gradient(top,#fff 0,#f8f8f8 100%);background-image:linear-gradient(to bottom,#fff 0,#f8f8f8 100%);background-repeat:repe
at-x;border-radius:4px;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffffffff',endColorstr='#fff8f8f8',GradientType=0);-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.15),0 1px 5px rgba(0,0,0,0.075);box-shadow:inset 0 1px 0 rgba(255,255,255,0.15),0 1px 5px rgba(0,0,0,0.075)}.navbar .navbar-nav>.active>a{background-color:#f8f8f8}.navbar-brand,.navbar-nav>li>a{text-shadow:0 1px 0 rgba(255,255,255,0.25)}.navbar-inverse{background-image:-webkit-gradient(linear,left 0,left 100%,from(#3c3c3c),to(#222));background-image:-webkit-linear-gradient(top,#3c3c3c,0%,#222,100%);background-image:-moz-linear-gradient(top,#3c3c3c 0,#222 100%);background-image:linear-gradient(to bottom,#3c3c3c 0,#222 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff3c3c3c',endColorstr='#ff222222',GradientType=0)}.navbar-inverse .navbar-nav>.active>a{background-color:#222}.navbar-inverse .navbar-brand,.navbar-inverse .navbar-nav>li>a{text-shadow
:0 -1px 0 rgba(0,0,0,0.25)}.navbar-static-top,.navbar-fixed-top,.navbar-fixed-bottom{border-radius:0}.alert{text-shadow:0 1px 0 rgba(255,255,255,0.2);-webkit-box-shadow:inset 0 1px 0 rgba(255,255,255,0.25),0 1px 2px rgba(0,0,0,0.05);box-shadow:inset 0 1px 0 rgba(255,255,255,0.25),0 1px 2px rgba(0,0,0,0.05)}.alert-success{background-image:-webkit-gradient(linear,left 0,left 100%,from(#dff0d8),to(#c8e5bc));background-image:-webkit-linear-gradient(top,#dff0d8,0%,#c8e5bc,100%);background-image:-moz-linear-gradient(top,#dff0d8 0,#c8e5bc 100%);background-image:linear-gradient(to bottom,#dff0d8 0,#c8e5bc 100%);background-repeat:repeat-x;border-color:#b2dba1;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffdff0d8',endColorstr='#ffc8e5bc',GradientType=0)}.alert-info{background-image:-webkit-gradient(linear,left 0,left 100%,from(#d9edf7),to(#b9def0));background-image:-webkit-linear-gradient(top,#d9edf7,0%,#b9def0,100%);background-image:-moz-linear-gradient(top,#d9edf7 0,#b9
def0 100%);background-image:linear-gradient(to bottom,#d9edf7 0,#b9def0 100%);background-repeat:repeat-x;border-color:#9acfea;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffd9edf7',endColorstr='#ffb9def0',GradientType=0)}.alert-warning{background-image:-webkit-gradient(linear,left 0,left 100%,from(#fcf8e3),to(#f8efc0));background-image:-webkit-linear-gradient(top,#fcf8e3,0%,#f8efc0,100%);background-image:-moz-linear-gradient(top,#fcf8e3 0,#f8efc0 100%);background-image:linear-gradient(to bottom,#fcf8e3 0,#f8efc0 100%);background-repeat:repeat-x;border-color:#f5e79e;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffcf8e3',endColorstr='#fff8efc0',GradientType=0)}.alert-danger{background-image:-webkit-gradient(linear,left 0,left 100%,from(#f2dede),to(#e7c3c3));background-image:-webkit-linear-gradient(top,#f2dede,0%,#e7c3c3,100%);background-image:-moz-linear-gradient(top,#f2dede 0,#e7c3c3 100%);background-image:linear-gradient(to bottom,#f2dede 0,
#e7c3c3 100%);background-repeat:repeat-x;border-color:#dca7a7;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff2dede',endColorstr='#ffe7c3c3',GradientType=0)}.progress{background-image:-webkit-gradient(linear,left 0,left 100%,from(#ebebeb),to(#f5f5f5));background-image:-webkit-linear-gradient(top,#ebebeb,0%,#f5f5f5,100%);background-image:-moz-linear-gradient(top,#ebebeb 0,#f5f5f5 100%);background-image:linear-gradient(to bottom,#ebebeb 0,#f5f5f5 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffebebeb',endColorstr='#fff5f5f5',GradientType=0)}.progress-bar{background-image:-webkit-gradient(linear,left 0,left 100%,from(#428bca),to(#3071a9));background-image:-webkit-linear-gradient(top,#428bca,0%,#3071a9,100%);background-image:-moz-linear-gradient(top,#428bca 0,#3071a9 100%);background-image:linear-gradient(to bottom,#428bca 0,#3071a9 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient
(startColorstr='#ff428bca',endColorstr='#ff3071a9',GradientType=0)}.progress-bar-success{background-image:-webkit-gradient(linear,left 0,left 100%,from(#5cb85c),to(#449d44));background-image:-webkit-linear-gradient(top,#5cb85c,0%,#449d44,100%);background-image:-moz-linear-gradient(top,#5cb85c 0,#449d44 100%);background-image:linear-gradient(to bottom,#5cb85c 0,#449d44 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5cb85c',endColorstr='#ff449d44',GradientType=0)}.progress-bar-info{background-image:-webkit-gradient(linear,left 0,left 100%,from(#5bc0de),to(#31b0d5));background-image:-webkit-linear-gradient(top,#5bc0de,0%,#31b0d5,100%);background-image:-moz-linear-gradient(top,#5bc0de 0,#31b0d5 100%);background-image:linear-gradient(to bottom,#5bc0de 0,#31b0d5 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff5bc0de',endColorstr='#ff31b0d5',GradientType=0)}.progress-bar-warning{backg
round-image:-webkit-gradient(linear,left 0,left 100%,from(#f0ad4e),to(#ec971f));background-image:-webkit-linear-gradient(top,#f0ad4e,0%,#ec971f,100%);background-image:-moz-linear-gradient(top,#f0ad4e 0,#ec971f 100%);background-image:linear-gradient(to bottom,#f0ad4e 0,#ec971f 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff0ad4e',endColorstr='#ffec971f',GradientType=0)}.progress-bar-danger{background-image:-webkit-gradient(linear,left 0,left 100%,from(#d9534f),to(#c9302c));background-image:-webkit-linear-gradient(top,#d9534f,0%,#c9302c,100%);background-image:-moz-linear-gradient(top,#d9534f 0,#c9302c 100%);background-image:linear-gradient(to bottom,#d9534f 0,#c9302c 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffd9534f',endColorstr='#ffc9302c',GradientType=0)}.list-group{border-radius:4px;-webkit-box-shadow:0 1px 2px rgba(0,0,0,0.075);box-shadow:0 1px 2px rgba(0,0,0,0.075)}.li
st-group-item.active,.list-group-item.active:hover,.list-group-item.active:focus{text-shadow:0 -1px 0 #3071a9;background-image:-webkit-gradient(linear,left 0,left 100%,from(#428bca),to(#3278b3));background-image:-webkit-linear-gradient(top,#428bca,0%,#3278b3,100%);background-image:-moz-linear-gradient(top,#428bca 0,#3278b3 100%);background-image:linear-gradient(to bottom,#428bca 0,#3278b3 100%);background-repeat:repeat-x;border-color:#3278b3;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff428bca',endColorstr='#ff3278b3',GradientType=0)}.panel{-webkit-box-shadow:0 1px 2px rgba(0,0,0,0.05);box-shadow:0 1px 2px rgba(0,0,0,0.05)}.panel-default>.panel-heading{background-image:-webkit-gradient(linear,left 0,left 100%,from(#f5f5f5),to(#e8e8e8));background-image:-webkit-linear-gradient(top,#f5f5f5,0%,#e8e8e8,100%);background-image:-moz-linear-gradient(top,#f5f5f5 0,#e8e8e8 100%);background-image:linear-gradient(to bottom,#f5f5f5 0,#e8e8e8 100%);background-repeat:repeat-x
;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff5f5f5',endColorstr='#ffe8e8e8',GradientType=0)}.panel-primary>.panel-heading{background-image:-webkit-gradient(linear,left 0,left 100%,from(#428bca),to(#357ebd));background-image:-webkit-linear-gradient(top,#428bca,0%,#357ebd,100%);background-image:-moz-linear-gradient(top,#428bca 0,#357ebd 100%);background-image:linear-gradient(to bottom,#428bca 0,#357ebd 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ff428bca',endColorstr='#ff357ebd',GradientType=0)}.panel-success>.panel-heading{background-image:-webkit-gradient(linear,left 0,left 100%,from(#dff0d8),to(#d0e9c6));background-image:-webkit-linear-gradient(top,#dff0d8,0%,#d0e9c6,100%);background-image:-moz-linear-gradient(top,#dff0d8 0,#d0e9c6 100%);background-image:linear-gradient(to bottom,#dff0d8 0,#d0e9c6 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffdff0d8
',endColorstr='#ffd0e9c6',GradientType=0)}.panel-info>.panel-heading{background-image:-webkit-gradient(linear,left 0,left 100%,from(#d9edf7),to(#c4e3f3));background-image:-webkit-linear-gradient(top,#d9edf7,0%,#c4e3f3,100%);background-image:-moz-linear-gradient(top,#d9edf7 0,#c4e3f3 100%);background-image:linear-gradient(to bottom,#d9edf7 0,#c4e3f3 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffd9edf7',endColorstr='#ffc4e3f3',GradientType=0)}.panel-warning>.panel-heading{background-image:-webkit-gradient(linear,left 0,left 100%,from(#fcf8e3),to(#faf2cc));background-image:-webkit-linear-gradient(top,#fcf8e3,0%,#faf2cc,100%);background-image:-moz-linear-gradient(top,#fcf8e3 0,#faf2cc 100%);background-image:linear-gradient(to bottom,#fcf8e3 0,#faf2cc 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fffcf8e3',endColorstr='#fffaf2cc',GradientType=0)}.panel-danger>.panel-heading{backgro
und-image:-webkit-gradient(linear,left 0,left 100%,from(#f2dede),to(#ebcccc));background-image:-webkit-linear-gradient(top,#f2dede,0%,#ebcccc,100%);background-image:-moz-linear-gradient(top,#f2dede 0,#ebcccc 100%);background-image:linear-gradient(to bottom,#f2dede 0,#ebcccc 100%);background-repeat:repeat-x;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#fff2dede',endColorstr='#ffebcccc',GradientType=0)}.well{background-image:-webkit-gradient(linear,left 0,left 100%,from(#e8e8e8),to(#f5f5f5));background-image:-webkit-linear-gradient(top,#e8e8e8,0%,#f5f5f5,100%);background-image:-moz-linear-gradient(top,#e8e8e8 0,#f5f5f5 100%);background-image:linear-gradient(to bottom,#e8e8e8 0,#f5f5f5 100%);background-repeat:repeat-x;border-color:#dcdcdc;filter:progid:DXImageTransform.Microsoft.gradient(startColorstr='#ffe8e8e8',endColorstr='#fff5f5f5',GradientType=0);-webkit-box-shadow:inset 0 1px 3px rgba(0,0,0,0.05),0 1px 0 rgba(255,255,255,0.1);box-shadow:inset 0 1px 3px rgba(0
,0,0,0.05),0 1px 0 rgba(255,255,255,0.1)}
\ No newline at end of file
[21/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
new file mode 100644
index 0000000..e59d12a
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
@@ -0,0 +1,835 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+
+import java.lang.reflect.Constructor;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.common.utils.AuthorizationComponent;
+import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
+import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
+import org.apache.sentry.core.common.exception.SentryInvalidInputException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
+import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject;
+import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
+import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer;
+import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.sentry.service.thrift.Status;
+import org.apache.sentry.service.thrift.TSentryResponseStatus;
+import org.apache.thrift.TException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+
+public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.Iface {
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryGenericPolicyProcessor.class);
+ private static final Logger AUDIT_LOGGER = LoggerFactory
+ .getLogger(Constants.AUDIT_LOGGER_NAME_GENERIC);
+ private final Configuration conf;
+ private final ImmutableSet<String> adminGroups;
+ private final SentryStoreLayer store;
+ private final NotificationHandlerInvoker handerInvoker;
+
+ private static final String ACCESS_DENIAL_MESSAGE = "Access denied to ";
+
+ public SentryGenericPolicyProcessor(Configuration conf) throws Exception {
+ this.store = createStore(conf);
+ this.handerInvoker = new NotificationHandlerInvoker(createHandlers(conf));
+ this.conf = conf;
+ adminGroups = ImmutableSet.copyOf((Sets.newHashSet(conf.getStrings(
+ ServerConfig.ADMIN_GROUPS, new String[]{}))));
+ }
+
+ @VisibleForTesting
+ public SentryGenericPolicyProcessor(Configuration conf, SentryStoreLayer store) throws Exception {
+ this.store = store;
+ this.handerInvoker = new NotificationHandlerInvoker(createHandlers(conf));
+ this.conf = conf;
+ adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(conf.getStrings(
+ ServerConfig.ADMIN_GROUPS, new String[]{}))));
+ }
+
+ private void authorize(String requestorUser, Set<String> requestorGroups)
+ throws SentryAccessDeniedException {
+ if (!inAdminGroups(requestorGroups)) {
+ String msg = "User: " + requestorUser + " is part of " + requestorGroups +
+ " which does not, intersect admin groups " + adminGroups;
+ LOGGER.warn(msg);
+ throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + requestorUser);
+ }
+ }
+
+ private Set<String> toTrimmedLower(Set<String> s) {
+ if (null == s) {
+ return new HashSet<String>();
+ }
+ Set<String> result = Sets.newHashSet();
+ for (String v : s) {
+ result.add(v.trim().toLowerCase());
+ }
+ return result;
+ }
+
+ private Set<String> toTrimmed(Set<String> s) {
+ if (null == s) {
+ return new HashSet<String>();
+ }
+ Set<String> result = Sets.newHashSet();
+ for (String v : s) {
+ result.add(v.trim());
+ }
+ return result;
+ }
+
+ private String toTrimmedLower(String s) {
+ if (Strings.isNullOrEmpty(s)){
+ return "";
+ }
+ return s.trim().toLowerCase();
+ }
+
+ public static Set<String> getRequestorGroups(Configuration conf, String userName) throws SentryUserException {
+ return SentryPolicyStoreProcessor.getGroupsFromUserName(conf, userName);
+ }
+
+ private boolean inAdminGroups(Set<String> requestorGroups) {
+ if (Sets.intersection(adminGroups, requestorGroups).isEmpty()) {
+ return false;
+ }
+ return true;
+ }
+
+ public static SentryStoreLayer createStore(Configuration conf) throws SentrySiteConfigurationException {
+ SentryStoreLayer storeLayer = null;
+ String store = conf.get(PolicyStoreConstants.SENTRY_GENERIC_POLICY_STORE, PolicyStoreConstants.SENTRY_GENERIC_POLICY_STORE_DEFAULT);
+
+ if (Strings.isNullOrEmpty(store)) {
+ throw new SentrySiteConfigurationException("sentry.generic.policy.store can not be empty");
+ }
+ try {
+ storeLayer = createInstance(store, conf, SentryStoreLayer.class);
+ } catch (Exception e) {
+ throw new SentrySiteConfigurationException("Create sentryStore error: " + e.getMessage(), e);
+ }
+ return storeLayer;
+ }
+
+ public static List<NotificationHandler> createHandlers(Configuration conf) throws SentrySiteConfigurationException {
+
+ List<NotificationHandler> handlers = Lists.newArrayList();
+ Iterable<String> notificationHandlers = Splitter.onPattern("[\\s,]").trimResults()
+ .omitEmptyStrings().split(conf.get(PolicyStoreConstants.SENTRY_GENERIC_POLICY_NOTIFICATION, ""));
+ try {
+ for (String notificationHandler : notificationHandlers) {
+ handlers.add(createInstance(notificationHandler, conf, NotificationHandler.class));
+ }
+ } catch (Exception e) {
+ throw new SentrySiteConfigurationException("Create notificationHandlers error: " + e.getMessage(), e);
+ }
+ return handlers;
+ }
+
+ @SuppressWarnings("unchecked")
+ public static <T> T createInstance(String className, Configuration conf, Class<T> iface) throws Exception {
+ T result;
+ try {
+ Class<?> clazz = Class.forName(className);
+ if (!iface.isAssignableFrom(clazz)) {
+ throw new IllegalArgumentException("Class " + clazz + " is not a " +
+ iface.getName());
+ }
+ Constructor<T> meth = (Constructor<T>)clazz.getDeclaredConstructor(Configuration.class);
+ meth.setAccessible(true);
+ result = meth.newInstance(new Object[]{conf});
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return result;
+ }
+
+ private <T> Response<T> requestHandle(RequestHandler<T> handler) {
+ Response<T> response = new Response<T>();
+ try {
+ response = handler.handle();
+ } catch (SentryAccessDeniedException e) {
+ String msg = "Sentry access denied: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.status = Status.AccessDenied(e.getMessage(), e);
+ } catch (SentryAlreadyExistsException e) {
+ String msg = "Sentry object already exists: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.status = Status.AlreadyExists(e.getMessage(), e);
+ } catch (SentryNoSuchObjectException e) {
+ String msg = "Sentry object doesn't exist: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.status = Status.NoSuchObject(e.getMessage(), e);
+ } catch (SentryInvalidInputException e) {
+ String msg = "Invalid input privilege object: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.status = Status.InvalidInput(msg, e);
+ } catch (SentryThriftAPIMismatchException e) {
+ String msg = "Sentry thrift API mismatch error: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.status = Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e);
+ } catch (Exception e) {
+ String msg = "Unknown error:" + e.getMessage();
+ LOGGER.error(msg, e);
+ response.status = Status.RuntimeError(msg, e);
+ }
+ return response;
+ }
+
+ private PrivilegeObject toPrivilegeObject(TSentryPrivilege tSentryPrivilege) {
+ Boolean grantOption;
+ if (tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE)) {
+ grantOption = true;
+ } else if (tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.FALSE)) {
+ grantOption = false;
+ } else {
+ grantOption = null;
+ }
+ return new Builder().setComponent(tSentryPrivilege.getComponent())
+ .setService(tSentryPrivilege.getServiceName())
+ .setAuthorizables(toAuthorizables(tSentryPrivilege.getAuthorizables()))
+ .setAction(tSentryPrivilege.getAction())
+ .withGrantOption(grantOption)
+ .build();
+ }
+
+ private TSentryPrivilege fromPrivilegeObject(PrivilegeObject privilege) {
+
+ TSentryPrivilege tPrivilege = new TSentryPrivilege(privilege.getComponent(), privilege.getService(),
+ fromAuthorizable(privilege.getAuthorizables()),
+ privilege.getAction());
+ if (privilege.getGrantOption() == null) {
+ tPrivilege.setGrantOption(TSentryGrantOption.UNSET);
+ } else if (privilege.getGrantOption()) {
+ tPrivilege.setGrantOption(TSentryGrantOption.TRUE);
+ } else {
+ tPrivilege.setGrantOption(TSentryGrantOption.FALSE);
+ }
+ return tPrivilege;
+ }
+
+ private List<TAuthorizable> fromAuthorizable(List<? extends Authorizable> authorizables) {
+ List<TAuthorizable> tAuthorizables = Lists.newArrayList();
+ for (Authorizable authorizable : authorizables) {
+ tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
+ }
+ return tAuthorizables;
+ }
+
+ private String fromAuthorizableToStr(List<? extends Authorizable> authorizables) {
+ if (authorizables != null && !authorizables.isEmpty()) {
+ List<String> privileges = Lists.newArrayList();
+
+ for (Authorizable authorizable : authorizables) {
+
+ privileges.add(SentryConstants.KV_JOINER.join(authorizable.getTypeName(),
+ authorizable.getName()));
+ }
+
+ return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
+ } else {
+ return "";
+ }
+ }
+
+ private List<? extends Authorizable> toAuthorizables(List<TAuthorizable> tAuthorizables) {
+ List<Authorizable> authorizables = Lists.newArrayList();
+ if (tAuthorizables == null) {
+ return authorizables;
+ }
+ for (final TAuthorizable tAuthorizable : tAuthorizables) {
+ authorizables.add(new Authorizable() {
+ @Override
+ public String getTypeName() {
+ return tAuthorizable.getType();
+ }
+ @Override
+ public String getName() {
+ return tAuthorizable.getName();
+ }
+ });
+ }
+ return authorizables;
+ }
+
+ private List<? extends Authorizable> toAuthorizables(String privilegeStr) {
+ List<Authorizable> authorizables = Lists.newArrayList();
+ if (privilegeStr == null) {
+ return authorizables;
+ }
+
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
+ KeyValue tempKV = new KeyValue(authorizable);
+ final String key = tempKV.getKey();
+ final String value = tempKV.getValue();
+
+ authorizables.add(new Authorizable() {
+ @Override
+ public String getTypeName() {
+ return key;
+ }
+
+ @Override
+ public String getName() {
+ return value;
+ }
+ });
+ }
+
+ return authorizables;
+ }
+
+ // Construct the role to set of privileges mapping based on the
+ // MSentryGMPrivilege information.
+ private TSentryPrivilegeMap toTSentryPrivilegeMap(Set<MSentryGMPrivilege> mPrivileges) {
+
+ // Mapping of <Role, Set<Privilege>>.
+ Map<String, Set<TSentryPrivilege>> tPrivilegeMap = Maps.newTreeMap();
+
+ for (MSentryGMPrivilege mPrivilege : mPrivileges) {
+ for (MSentryRole role : mPrivilege.getRoles()) {
+
+ TSentryPrivilege tPrivilege = toTSentryPrivilege(mPrivilege);
+
+ if (tPrivilegeMap.containsKey(role.getRoleName())) {
+ tPrivilegeMap.get(role.getRoleName()).add(tPrivilege);
+ } else {
+ Set<TSentryPrivilege> tPrivilegeSet = Sets.newTreeSet();
+ tPrivilegeSet.add(tPrivilege);
+ tPrivilegeMap.put(role.getRoleName(), tPrivilegeSet);
+ }
+ }
+ }
+
+ return new TSentryPrivilegeMap(tPrivilegeMap);
+ }
+
+ // Construct TSentryPrivilege based on MSentryGMPrivilege information.
+ private TSentryPrivilege toTSentryPrivilege(MSentryGMPrivilege mPrivilege) {
+
+ TSentryPrivilege tPrivilege = new TSentryPrivilege(mPrivilege.getComponentName(),
+ mPrivilege.getServiceName(), fromAuthorizable(mPrivilege.getAuthorizables()), mPrivilege.getAction());
+
+ if (mPrivilege.getGrantOption() == null) {
+ tPrivilege.setGrantOption(TSentryGrantOption.UNSET);
+ } else if (mPrivilege.getGrantOption()) {
+ tPrivilege.setGrantOption(TSentryGrantOption.TRUE);
+ } else {
+ tPrivilege.setGrantOption(TSentryGrantOption.FALSE);
+ }
+
+ return tPrivilege;
+ }
+
+ private Set<String> buildPermissions(Set<PrivilegeObject> privileges) {
+ Set<String> permissions = Sets.newHashSet();
+ for (PrivilegeObject privilege : privileges) {
+ List<String> hierarchy = Lists.newArrayList();
+ if (hasComponentServerPrivilege(privilege.getComponent())) {
+ hierarchy.add(KV_JOINER.join("server", privilege.getService()));
+ }
+ for (Authorizable authorizable : privilege.getAuthorizables()) {
+ hierarchy.add(KV_JOINER.join(authorizable.getTypeName(),authorizable.getName()));
+ }
+ hierarchy.add(KV_JOINER.join("action", privilege.getAction()));
+ permissions.add(AUTHORIZABLE_JOINER.join(hierarchy));
+ }
+ return permissions;
+ }
+
+ private boolean hasComponentServerPrivilege(String component) {
+ //judge the component whether has the server privilege, for example: sqoop has the privilege on the server
+ return AuthorizationComponent.SQOOP.equalsIgnoreCase(component);
+ }
+
+ @Override
+ public TCreateSentryRoleResponse create_sentry_role(
+ final TCreateSentryRoleRequest request) throws TException {
+ Response<Void> respose = requestHandle(new RequestHandler<Void>() {
+ @Override
+ public Response<Void> handle() throws Exception {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(),
+ getRequestorGroups(conf, request.getRequestorUserName()));
+ CommitContext context = store.createRole(request.getComponent(), request.getRoleName(), request.getRequestorUserName());
+ return new Response<Void>(Status.OK(), context);
+ }
+ });
+
+ TCreateSentryRoleResponse tResponse = new TCreateSentryRoleResponse(respose.status);
+ if (Status.OK.getCode() == respose.status.getValue()) {
+ handerInvoker.create_sentry_role(respose.context, request, tResponse);
+ }
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error in creating audit log for create role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return tResponse;
+ }
+
+ @Override
+ public TDropSentryRoleResponse drop_sentry_role(final TDropSentryRoleRequest request)
+ throws TException {
+ Response<Void> respose = requestHandle(new RequestHandler<Void>() {
+ @Override
+ public Response<Void> handle() throws Exception {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(),
+ getRequestorGroups(conf, request.getRequestorUserName()));
+ CommitContext context = store.dropRole(request.getComponent(), request.getRoleName(), request.getRequestorUserName());
+ return new Response<Void>(Status.OK(), context);
+ }
+ });
+
+ TDropSentryRoleResponse tResponse = new TDropSentryRoleResponse(respose.status);
+ if (Status.OK.getCode() == respose.status.getValue()) {
+ handerInvoker.drop_sentry_role(respose.context, request, tResponse);
+ }
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error in creating audit log for drop role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return tResponse;
+ }
+
+ @Override
+ public TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege(
+ final TAlterSentryRoleGrantPrivilegeRequest request) throws TException {
+ Response<Void> respose = requestHandle(new RequestHandler<Void>() {
+ @Override
+ public Response<Void> handle() throws Exception {
+ validateClientVersion(request.getProtocol_version());
+ CommitContext context = store.alterRoleGrantPrivilege(request.getComponent(), request.getRoleName(), toPrivilegeObject(request.getPrivilege()), request.getRequestorUserName());
+ return new Response<Void>(Status.OK(), context);
+ }
+ });
+
+ TAlterSentryRoleGrantPrivilegeResponse tResponse = new TAlterSentryRoleGrantPrivilegeResponse(respose.status);
+ if (Status.OK.getCode() == respose.status.getValue()) {
+ handerInvoker.alter_sentry_role_grant_privilege(respose.context, request, tResponse);
+ }
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error in creating audit log for grant privilege to role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return tResponse;
+ }
+
+ @Override
+ public TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege(
+ final TAlterSentryRoleRevokePrivilegeRequest request) throws TException {
+ Response<Void> respose = requestHandle(new RequestHandler<Void>() {
+ @Override
+ public Response<Void> handle() throws Exception {
+ validateClientVersion(request.getProtocol_version());
+ CommitContext context = store.alterRoleRevokePrivilege(request.getComponent(), request.getRoleName(), toPrivilegeObject(request.getPrivilege()), request.getRequestorUserName());
+ return new Response<Void>(Status.OK(), context);
+ }
+ });
+
+ TAlterSentryRoleRevokePrivilegeResponse tResponse = new TAlterSentryRoleRevokePrivilegeResponse(respose.status);
+ if (Status.OK.getCode() == respose.status.getValue()) {
+ handerInvoker.alter_sentry_role_revoke_privilege(respose.context, request, tResponse);
+ }
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error in creating audit log for revoke privilege from role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return tResponse;
+ }
+
+ @Override
+ public TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(
+ final TAlterSentryRoleAddGroupsRequest request) throws TException {
+ Response<Void> respose = requestHandle(new RequestHandler<Void>() {
+ @Override
+ public Response<Void> handle() throws Exception {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(),
+ getRequestorGroups(conf, request.getRequestorUserName()));
+ CommitContext context = store.alterRoleAddGroups(request.getComponent(), request.getRoleName(), request.getGroups(), request.getRequestorUserName());
+ return new Response<Void>(Status.OK(), context);
+ }
+ });
+
+ TAlterSentryRoleAddGroupsResponse tResponse = new TAlterSentryRoleAddGroupsResponse(respose.status);
+ if (Status.OK.getCode() == respose.status.getValue()) {
+ handerInvoker.alter_sentry_role_add_groups(respose.context, request, tResponse);
+ }
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error in creating audit log for add role to group: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return tResponse;
+ }
+
+ @Override
+ public TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(
+ final TAlterSentryRoleDeleteGroupsRequest request) throws TException {
+ Response<Void> respose = requestHandle(new RequestHandler<Void>() {
+ @Override
+ public Response<Void> handle() throws Exception {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(),
+ getRequestorGroups(conf, request.getRequestorUserName()));
+ CommitContext context = store.alterRoleDeleteGroups(request.getComponent(), request.getRoleName(), request.getGroups(), request.getRequestorUserName());
+ return new Response<Void>(Status.OK(), context);
+ }
+ });
+
+ TAlterSentryRoleDeleteGroupsResponse tResponse = new TAlterSentryRoleDeleteGroupsResponse(respose.status);
+ if (Status.OK.getCode() == respose.status.getValue()) {
+ handerInvoker.alter_sentry_role_delete_groups(respose.context, request, tResponse);
+ }
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, tResponse, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error in creating audit log for delete role from group: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return tResponse;
+ }
+
+ @Override
+ public TListSentryRolesResponse list_sentry_roles_by_group(
+ final TListSentryRolesRequest request) throws TException {
+ Response<Set<TSentryRole>> respose = requestHandle(new RequestHandler<Set<TSentryRole>>() {
+ @Override
+ public Response<Set<TSentryRole>> handle() throws Exception {
+ validateClientVersion(request.getProtocol_version());
+ Set<String> groups = getRequestorGroups(conf, request.getRequestorUserName());
+ if (!AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
+ boolean admin = inAdminGroups(groups);
+ //Only admin users can list all roles in the system ( groupname = null)
+ //Non admin users are only allowed to list only groups which they belong to
+ if(!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) {
+ throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + request.getRequestorUserName());
+ }
+ groups.clear();
+ groups.add(request.getGroupName());
+ }
+
+ Set<String> roleNames = store.getRolesByGroups(request.getComponent(), groups);
+ Set<TSentryRole> tSentryRoles = Sets.newHashSet();
+ for (String roleName : roleNames) {
+ Set<String> groupsForRoleName = store.getGroupsByRoles(request.getComponent(), Sets.newHashSet(roleName));
+ tSentryRoles.add(new TSentryRole(roleName, groupsForRoleName));
+ }
+ return new Response<Set<TSentryRole>>(Status.OK(), tSentryRoles);
+ }
+ });
+ TListSentryRolesResponse tResponse = new TListSentryRolesResponse();
+ tResponse.setStatus(respose.status);
+ tResponse.setRoles(respose.content);
+ return tResponse;
+ }
+
+ @Override
+ public TListSentryPrivilegesResponse list_sentry_privileges_by_role(
+ final TListSentryPrivilegesRequest request) throws TException {
+ Response<Set<TSentryPrivilege>> respose = requestHandle(new RequestHandler<Set<TSentryPrivilege>>() {
+ @Override
+ public Response<Set<TSentryPrivilege>> handle() throws Exception {
+ validateClientVersion(request.getProtocol_version());
+ Set<String> groups = getRequestorGroups(conf, request.getRequestorUserName());
+ if (!inAdminGroups(groups)) {
+ Set<String> roleNamesForGroups = toTrimmedLower(store.getRolesByGroups(request.getComponent(), groups));
+ if (!roleNamesForGroups.contains(toTrimmedLower(request.getRoleName()))) {
+ throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + request.getRequestorUserName());
+ }
+ }
+ Set<PrivilegeObject> privileges = store.getPrivilegesByProvider(request.getComponent(),
+ request.getServiceName(),
+ Sets.newHashSet(request.getRoleName()),
+ null, toAuthorizables(request.getAuthorizables()));
+ Set<TSentryPrivilege> tSentryPrivileges = Sets.newHashSet();
+ for (PrivilegeObject privilege : privileges) {
+ tSentryPrivileges.add(fromPrivilegeObject(privilege));
+ }
+ return new Response<Set<TSentryPrivilege>>(Status.OK(), tSentryPrivileges);
+ }
+ });
+ TListSentryPrivilegesResponse tResponse = new TListSentryPrivilegesResponse();
+ tResponse.setStatus(respose.status);
+ tResponse.setPrivileges(respose.content);
+ return tResponse;
+ }
+
+ @Override
+ public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(
+ final TListSentryPrivilegesForProviderRequest request) throws TException {
+ Response<Set<String>> respose = requestHandle(new RequestHandler<Set<String>>() {
+ @Override
+ public Response<Set<String>> handle() throws Exception {
+ validateClientVersion(request.getProtocol_version());
+ Set<String> activeRoleNames = toTrimmedLower(request.getRoleSet().getRoles());
+ Set<String> roleNamesForGroups = store.getRolesByGroups(request.getComponent(), request.getGroups());
+ Set<String> rolesToQuery = request.getRoleSet().isAll() ? roleNamesForGroups : Sets.intersection(activeRoleNames, roleNamesForGroups);
+ Set<PrivilegeObject> privileges = store.getPrivilegesByProvider(request.getComponent(),
+ request.getServiceName(),
+ rolesToQuery, null,
+ toAuthorizables(request.getAuthorizables()));
+ return new Response<Set<String>>(Status.OK(), buildPermissions(privileges));
+ }
+ });
+ TListSentryPrivilegesForProviderResponse tResponse = new TListSentryPrivilegesForProviderResponse();
+ tResponse.setStatus(respose.status);
+ tResponse.setPrivileges(respose.content);
+ return tResponse;
+ }
+
+ @Override
+ public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(TListSentryPrivilegesByAuthRequest request) throws TException {
+
+ TListSentryPrivilegesByAuthResponse response = new TListSentryPrivilegesByAuthResponse();
+ Map<String, TSentryPrivilegeMap> authRoleMap = Maps.newHashMap();
+
+ // Group names are case sensitive.
+ Set<String> requestedGroups = request.getGroups();
+ String subject = request.getRequestorUserName();
+ TSentryActiveRoleSet activeRoleSet = request.getRoleSet();
+ Set<String> validActiveRoles = Sets.newHashSet();
+
+ try {
+ validateClientVersion(request.getProtocol_version());
+ Set<String> memberGroups = getRequestorGroups(conf, subject);
+
+ // Disallow non-admin users to lookup groups that
+ // they are not part of.
+ if(!inAdminGroups(memberGroups)) {
+
+ if (requestedGroups != null && !requestedGroups.isEmpty()) {
+ for (String requestedGroup : requestedGroups) {
+
+ // If user doesn't belong to one of the requested groups,
+ // then raise security exception.
+ if (!memberGroups.contains(requestedGroup)) {
+ throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + subject);
+ }
+ }
+ } else {
+ // Non-admin's search is limited to its own groups.
+ requestedGroups = memberGroups;
+ }
+
+ Set<String> grantedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups));
+
+ // If activeRoleSet is not null, disallow non-admin to lookup roles that they are not part of.
+ if (activeRoleSet != null && !activeRoleSet.isAll()) {
+
+ Set<String> activeRoleNames = toTrimmedLower(activeRoleSet.getRoles());
+ for (String activeRole : activeRoleNames) {
+ if (!grantedRoles.contains(activeRole)) {
+ throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE
+ + subject);
+ }
+ }
+
+ // For non-admin, valid active roles are intersection of active roles and granted roles.
+ validActiveRoles.addAll(activeRoleSet.isAll() ? grantedRoles : Sets.intersection(activeRoleNames, grantedRoles));
+ } else {
+ // For non-admin, if activeRoleSet is null, valid active roles would be the granted roles.
+ validActiveRoles.addAll(grantedRoles);
+ }
+ } else {
+ // For admin, if requestedGroups are empty, requested roles will be all roles.
+ Set<String> requestedRoles = toTrimmedLower(store.getAllRoleNames());
+ if (requestedGroups != null && !requestedGroups.isEmpty()) {
+ requestedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups));
+ }
+
+ // If activeRoleSet (which is optional) is not null, valid active role will be intersection
+ // of active roles and requested roles. Otherwise, valid active roles are the requested roles.
+ if (activeRoleSet != null && !activeRoleSet.isAll()) {
+ validActiveRoles.addAll(Sets.intersection(toTrimmedLower(activeRoleSet.getRoles()), requestedRoles));
+ } else {
+ validActiveRoles.addAll(requestedRoles);
+ }
+ }
+
+ // If user is not part of any group.. return empty response
+ if (request.getAuthorizablesSet() != null) {
+ for (String authorizablesStr : request.getAuthorizablesSet()) {
+
+ List<? extends Authorizable> authorizables = toAuthorizables(authorizablesStr);
+ Set<MSentryGMPrivilege> sentryPrivileges = store.getPrivilegesByAuthorizable(request.getComponent(), request.getServiceName(), validActiveRoles, authorizables);
+ authRoleMap.put(fromAuthorizableToStr(authorizables), toTSentryPrivilegeMap(sentryPrivileges));
+ }
+ }
+
+ response.setPrivilegesMapByAuth(authRoleMap);
+ response.setStatus(Status.OK());
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: "
+ + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ }
+
+ return response;
+ }
+
+ @Override
+ public TDropPrivilegesResponse drop_sentry_privilege(
+ final TDropPrivilegesRequest request) throws TException {
+ Response<Void> respose = requestHandle(new RequestHandler<Void>() {
+ @Override
+ public Response<Void> handle() throws Exception {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(),
+ getRequestorGroups(conf, request.getRequestorUserName()));
+ CommitContext context = store.dropPrivilege(request.getComponent(),
+ toPrivilegeObject(request.getPrivilege()),
+ request.getRequestorUserName());
+ return new Response<Void>(Status.OK(), context);
+ }
+ });
+
+ TDropPrivilegesResponse tResponse = new TDropPrivilegesResponse(respose.status);
+ if (Status.OK.getCode() == respose.status.getValue()) {
+ handerInvoker.drop_sentry_privilege(respose.context, request, tResponse);
+ }
+ return tResponse;
+ }
+
+ @Override
+ public TRenamePrivilegesResponse rename_sentry_privilege(
+ final TRenamePrivilegesRequest request) throws TException {
+ Response<Void> respose = requestHandle(new RequestHandler<Void>() {
+ @Override
+ public Response<Void> handle() throws Exception {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(),
+ getRequestorGroups(conf, request.getRequestorUserName()));
+ CommitContext context = store.renamePrivilege(request.getComponent(), request.getServiceName(),
+ toAuthorizables(request.getOldAuthorizables()),
+ toAuthorizables(request.getNewAuthorizables()),
+ request.getRequestorUserName());
+ return new Response<Void>(Status.OK(),context);
+ }
+ });
+
+ TRenamePrivilegesResponse tResponse = new TRenamePrivilegesResponse(respose.status);
+ if (Status.OK.getCode() == respose.status.getValue()) {
+ handerInvoker.rename_sentry_privilege(respose.context, request, tResponse);
+ }
+ return tResponse;
+ }
+
+ private static class Response<T> {
+ private TSentryResponseStatus status;
+ private CommitContext context;
+ private T content;
+
+ Response() {
+ }
+
+ Response(TSentryResponseStatus status, CommitContext context) {
+ this(status,context,null);
+ }
+
+ Response(TSentryResponseStatus status, T content) {
+ this(status,null,content);
+ }
+
+ Response(TSentryResponseStatus status, CommitContext context, T content) {
+ this.status = status;
+ this.context = context;
+ this.content = content;
+ }
+ }
+ private interface RequestHandler <T>{
+ Response<T> handle() throws Exception ;
+ }
+
+ private static void validateClientVersion(int protocolVersion) throws SentryThriftAPIMismatchException {
+ if (ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT != protocolVersion) {
+ String msg = "Sentry thrift API protocol version mismatch: Client thrift version " +
+ "is: " + protocolVersion + " , server thrift version " +
+ "is " + ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT;
+ throw new SentryThriftAPIMismatchException(msg);
+ }
+ }
+}
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java
new file mode 100644
index 0000000..e9ff627
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorFactory.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.service.thrift.ProcessorFactory;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.thrift.TMultiplexedProcessor;
+import org.apache.thrift.TProcessor;
+
+public class SentryGenericPolicyProcessorFactory extends ProcessorFactory {
+
+ public SentryGenericPolicyProcessorFactory(Configuration conf) {
+ super(conf);
+ }
+
+ @Override
+ public boolean register(TMultiplexedProcessor multiplexedProcessor) throws Exception {
+ SentryGenericPolicyProcessor processHandler = new SentryGenericPolicyProcessor(conf);
+ TProcessor processor = new SentryGenericPolicyProcessorWrapper<SentryGenericPolicyService.Iface>(
+ processHandler);
+ multiplexedProcessor.registerProcessor(ServiceConstants.SENTRY_GENERIC_SERVICE_NAME, processor);
+ return true;
+ }
+
+}
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java
new file mode 100644
index 0000000..d320d0f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessorWrapper.java
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
+import org.apache.thrift.TException;
+import org.apache.thrift.protocol.TProtocol;
+
+public class SentryGenericPolicyProcessorWrapper<I extends SentryGenericPolicyService.Iface>
+ extends SentryGenericPolicyService.Processor<SentryGenericPolicyService.Iface> {
+
+ public SentryGenericPolicyProcessorWrapper(I iface) {
+ super(iface);
+ }
+
+ @Override
+ public boolean process(TProtocol in, TProtocol out) throws TException {
+ // set the ip and impersonator for audit log
+ ThriftUtil.setIpAddress(in);
+ ThriftUtil.setImpersonator(in);
+ return super.process(in, out);
+ }
+}
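Review bot: process() records the client IP and impersonator through ThriftUtil before delegating, but nothing resets them once `super.process(in, out)` returns; if ThriftUtil keeps these in per-thread state (not visible in this hunk), a later request on a reused server thread whose own set-up fails could inherit the previous caller's values in the audit log. Clearing them in a `finally` after the delegated call, if ThriftUtil offers a reset, would bound the attribution to one request. Separately, the type parameter `I` is only used by the constructor while the class extends `Processor<SentryGenericPolicyService.Iface>`; either extend `Processor<I>` or drop the parameter and declare the constructor as `public SentryGenericPolicyProcessorWrapper(SentryGenericPolicyService.Iface iface)`.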
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java
new file mode 100644
index 0000000..8000ebd
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/appender/AuditLoggerTestAppender.java
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.appender;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.log4j.AppenderSkeleton;
+import org.apache.log4j.Level;
+import org.apache.log4j.spi.LoggingEvent;
+
+import com.google.common.annotations.VisibleForTesting;
+
+@VisibleForTesting
+public class AuditLoggerTestAppender extends AppenderSkeleton {
+ public static final List<LoggingEvent> events = new ArrayList<LoggingEvent>();
+
+ public void close() {
+ }
+
+ public boolean requiresLayout() {
+ return false;
+ }
+
+ @Override
+ protected void append(LoggingEvent event) {
+ events.add(event);
+ }
+
+ public static String getLastLogEvent() {
+ return events.get(events.size() - 1).getMessage().toString();
+ }
+
+ public static Level getLastLogLevel() {
+ return events.get(events.size() - 1).getLevel();
+ }
+}
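Review bot: `events` is a public static, unsynchronized ArrayList that is appended to from whichever thread logs and is never cleared, so it grows without bound for the life of the JVM and concurrent appends can corrupt it; `getLastLogEvent()` and `getLastLogLevel()` also throw IndexOutOfBoundsException when nothing has been logged yet. Declaring it as `public static final List<LoggingEvent> events = Collections.synchronizedList(new ArrayList<LoggingEvent>());` and guarding the two getters with an `events.isEmpty()` check would make the appender safe to use from multi-threaded tests. The class sits under src/main although it is annotated @VisibleForTesting, so it ships in the server artifact; moving it to the test source set avoids that. `close()` and `requiresLayout()` implement AppenderSkeleton methods and should carry `@Override` like `append` does.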
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/appender/RollingFileWithoutDeleteAppender.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/appender/RollingFileWithoutDeleteAppender.java
new file mode 100644
index 0000000..fd133f3
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/appender/RollingFileWithoutDeleteAppender.java
@@ -0,0 +1,175 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.appender;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InterruptedIOException;
+import java.io.Writer;
+
+import org.apache.log4j.FileAppender;
+import org.apache.log4j.Layout;
+import org.apache.log4j.helpers.CountingQuietWriter;
+import org.apache.log4j.helpers.LogLog;
+import org.apache.log4j.helpers.OptionConverter;
+import org.apache.log4j.spi.LoggingEvent;
+
+public class RollingFileWithoutDeleteAppender extends FileAppender {
+ /**
+ * The default maximum file size is 10MB.
+ */
+ protected long maxFileSize = 10 * 1024 * 1024;
+
+ private long nextRollover = 0;
+
+ /**
+ * The default constructor simply calls its {@link FileAppender#FileAppender
+ * parents constructor}.
+ */
+ public RollingFileWithoutDeleteAppender() {
+ super();
+ }
+
+ /**
+ * Instantiate a RollingFileAppender and open the file designated by
+ * <code>filename</code>. The opened filename will become the ouput
+ * destination for this appender.
+ * <p>
+ * If the <code>append</code> parameter is true, the file will be appended to.
+ * Otherwise, the file desginated by <code>filename</code> will be truncated
+ * before being opened.
+ */
+ public RollingFileWithoutDeleteAppender(Layout layout, String filename,
+ boolean append) throws IOException {
+ super(layout, getLogFileName(filename), append);
+ }
+
+ /**
+ * Instantiate a FileAppender and open the file designated by
+ * <code>filename</code>. The opened filename will become the output
+ * destination for this appender.
+ * <p>
+ * The file will be appended to.
+ */
+ public RollingFileWithoutDeleteAppender(Layout layout, String filename)
+ throws IOException {
+ super(layout, getLogFileName(filename));
+ }
+
+ /**
+ * Get the maximum size that the output file is allowed to reach before being
+ * rolled over to backup files.
+ */
+ public long getMaximumFileSize() {
+ return maxFileSize;
+ }
+
+ /**
+ * Implements the usual roll over behaviour.
+ * <p>
+ * <code>File</code> is renamed <code>File.yyyyMMddHHmmss</code> and closed. A
+ * new <code>File</code> is created to receive further log output.
+ */
+ // synchronization not necessary since doAppend is alreasy synched
+ public void rollOver() {
+ if (qw != null) {
+ long size = ((CountingQuietWriter) qw).getCount();
+ LogLog.debug("rolling over count=" + size);
+ // if operation fails, do not roll again until
+ // maxFileSize more bytes are written
+ nextRollover = size + maxFileSize;
+ }
+
+ this.closeFile(); // keep windows happy.
+
+ String newFileName = getLogFileName(fileName);
+ try {
+ // This will also close the file. This is OK since multiple
+ // close operations are safe.
+ this.setFile(newFileName, false, bufferedIO, bufferSize);
+ nextRollover = 0;
+ } catch (IOException e) {
+ if (e instanceof InterruptedIOException) {
+ Thread.currentThread().interrupt();
+ }
+ LogLog.error("setFile(" + newFileName + ", false) call failed: " + e.getMessage(), e);
+ }
+ }
+
+ public synchronized void setFile(String fileName, boolean append,
+ boolean bufferedIO, int bufferSize) throws IOException {
+ super.setFile(fileName, append, this.bufferedIO, this.bufferSize);
+ if (append) {
+ File f = new File(fileName);
+ ((CountingQuietWriter) qw).setCount(f.length());
+ }
+ }
+
+ /**
+ * Set the maximum size that the output file is allowed to reach before being
+ * rolled over to backup files.
+ * <p>
+ * This method is equivalent to {@link #setMaxFileSize} except that it is
+ * required for differentiating the setter taking a <code>long</code> argument
+ * from the setter taking a <code>String</code> argument by the JavaBeans
+ * {@link java.beans.Introspector Introspector}.
+ *
+ * @see #setMaxFileSize(String)
+ */
+ public void setMaximumFileSize(long maxFileSize) {
+ this.maxFileSize = maxFileSize;
+ }
+
+ /**
+ * Set the maximum size that the output file is allowed to reach before being
+ * rolled over to backup files.
+ * <p>
+ * In configuration files, the <b>MaxFileSize</b> option takes an long integer
+ * in the range 0 - 2^63. You can specify the value with the suffixes "KB",
+ * "MB" or "GB" so that the integer is interpreted being expressed
+ * respectively in kilobytes, megabytes or gigabytes. For example, the value
+ * "10KB" will be interpreted as 10240.
+ */
+ public void setMaxFileSize(String value) {
+ maxFileSize = OptionConverter.toFileSize(value, maxFileSize + 1);
+ }
+
+ protected void setQWForFiles(Writer writer) {
+ this.qw = new CountingQuietWriter(writer, errorHandler);
+ }
+
+ /**
+ * This method differentiates RollingFileAppender from its super class.
+ */
+ protected void subAppend(LoggingEvent event) {
+ super.subAppend(event);
+
+ if (fileName != null && qw != null) {
+ long size = ((CountingQuietWriter) qw).getCount();
+ if (size >= maxFileSize && size >= nextRollover) {
+ rollOver();
+ }
+ }
+ }
+
+ // Mangled file name. Append the current timestamp
+ private static String getLogFileName(String oldFileName) {
+ return oldFileName + "." + Long.toString(System.currentTimeMillis());
+ }
+}
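Review bot: `getLogFileName` derives the new name solely from `System.currentTimeMillis()`, so a second `rollOver()` within the same millisecond (or after the clock steps backwards) yields a name that already exists, and `setFile(newFileName, false, ...)` then truncates that file — the very data loss this appender's name promises to avoid, which matters when it carries the audit log. Checking for an existing file and adding a counter keeps names unique; because the constructors use the same helper, the `append=true` constructor would also get a fresh name on a collision, which is harmless since timestamped names are already effectively unique per open. The `bufferedIO` and `bufferSize` parameters of `setFile` are ignored in favour of the fields of the same name; if this deliberately mirrors log4j's RollingFileAppender, a comment saying so would stop readers from "fixing" it. Adding `@Override` to `setFile`, `setQWForFiles` and `subAppend` would let the compiler catch signature drift against FileAppender.
```java
  // Mangled file name. Append the current timestamp, plus a counter if that name is taken.
  private static String getLogFileName(String oldFileName) {
    String base = oldFileName + "." + Long.toString(System.currentTimeMillis());
    String candidate = base;
    // a roll-over within the same millisecond must not reuse (and truncate) an existing file
    for (int i = 1; new File(candidate).exists(); i++) {
      candidate = base + "." + i;
    }
    return candidate;
  }
```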
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
new file mode 100644
index 0000000..a5fe4ec
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
@@ -0,0 +1,155 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import java.io.IOException;
+
+import org.codehaus.jackson.JsonFactory;
+import org.codehaus.jackson.JsonNode;
+import org.codehaus.jackson.map.MappingJsonFactory;
+import org.codehaus.jackson.map.ObjectMapper;
+import org.codehaus.jackson.node.ContainerNode;
+
+abstract public class AuditMetadataLogEntity implements JsonLogEntity {
+
+ static final JsonFactory factory = new MappingJsonFactory();
+ private String serviceName;
+ private String userName;
+ private String impersonator;
+ private String ipAddress;
+ private String operation;
+ private String eventTime;
+ private String operationText;
+ private String allowed;
+ private String objectType;
+ private String component;
+
+ void setCommonAttr(String serviceName, String userName, String impersonator, String ipAddress,
+ String operation, String eventTime, String operationText, String allowed, String objectType,
+ String component) {
+ this.serviceName = serviceName;
+ this.userName = userName;
+ this.impersonator = impersonator;
+ this.ipAddress = ipAddress;
+ this.operation = operation;
+ this.eventTime = eventTime;
+ this.operationText = operationText;
+ this.allowed = allowed;
+ this.objectType = objectType;
+ this.component = component;
+ }
+
+ public String getServiceName() {
+ return serviceName;
+ }
+
+ public void setServiceName(String serviceName) {
+ this.serviceName = serviceName;
+ }
+
+ public String getUserName() {
+ return userName;
+ }
+
+ public void setUserName(String userName) {
+ this.userName = userName;
+ }
+
+ public String getImpersonator() {
+ return impersonator;
+ }
+
+ public void setImpersonator(String impersonator) {
+ this.impersonator = impersonator;
+ }
+
+ public String getIpAddress() {
+ return ipAddress;
+ }
+
+ public void setIpAddress(String ipAddress) {
+ this.ipAddress = ipAddress;
+ }
+
+ public String getOperation() {
+ return operation;
+ }
+
+ public void setOperation(String operation) {
+ this.operation = operation;
+ }
+
+ public String getEventTime() {
+ return eventTime;
+ }
+
+ public void setEventTime(String eventTime) {
+ this.eventTime = eventTime;
+ }
+
+ public String getOperationText() {
+ return operationText;
+ }
+
+ public void setOperationText(String operationText) {
+ this.operationText = operationText;
+ }
+
+ public String getAllowed() {
+ return allowed;
+ }
+
+ public void setAllowed(String allowed) {
+ this.allowed = allowed;
+ }
+
+ public String getObjectType() {
+ return objectType;
+ }
+
+ public void setObjectType(String objectType) {
+ this.objectType = objectType;
+ }
+
+ public String getComponent() {
+ return component;
+ }
+
+ public void setComponent(String component) {
+ this.component = component;
+ }
+
+ /**
+ * For use in tests
+ *
+ * @param json
+ * incoming JSON to parse
+ * @return a node tree
+ * @throws IOException
+ * on any parsing problems
+ */
+ public static ContainerNode parse(String json) throws IOException {
+ ObjectMapper mapper = new ObjectMapper(factory);
+ JsonNode jsonNode = mapper.readTree(json);
+ if (!(jsonNode instanceof ContainerNode)) {
+ throw new IOException("Wrong JSON data: " + json);
+ }
+ return (ContainerNode) jsonNode;
+ }
+}
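Review bot: The class carries no Javadoc, and nothing documents that `factory` is shared by every subclass or that `setCommonAttr` takes ten positional String arguments in a fixed order — an easy place to swap `impersonator`/`ipAddress` or `allowed`/`objectType` without any compile error. A class comment such as `/** Common fields of one audit-log record; subclasses serialise them in toJsonFormatLog() using the shared package-private {@link #factory}. */` plus `@param` entries on `setCommonAttr` stating what each field holds (for instance that `allowed` is a textual flag rather than a boolean and `eventTime` a preformatted string) would make the contract visible to the subclasses that build these records. `parse` is already documented as test-only; a one-line comment on `factory` noting the same package-level sharing would round this out.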
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/DBAuditMetadataLogEntity.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/DBAuditMetadataLogEntity.java
new file mode 100644
index 0000000..4949ac7
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/DBAuditMetadataLogEntity.java
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import java.io.IOException;
+import java.io.StringWriter;
+
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.codehaus.jackson.JsonGenerator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class DBAuditMetadataLogEntity extends AuditMetadataLogEntity {
+ private static final Logger LOGGER = LoggerFactory.getLogger(DBAuditMetadataLogEntity.class);
+
+ private String databaseName;
+ private String tableName;
+ private String columnName;
+ private String resourcePath;
+
+ public DBAuditMetadataLogEntity() {
+ }
+
+ public DBAuditMetadataLogEntity(String serviceName, String userName, String impersonator,
+ String ipAddress, String operation, String eventTime, String operationText, String allowed,
+ String objectType, String component, String databaseName, String tableName,
+ String columnName, String resourcePath) {
+ setCommonAttr(serviceName, userName, impersonator, ipAddress, operation, eventTime,
+ operationText, allowed, objectType, component);
+ this.databaseName = databaseName;
+ this.tableName = tableName;
+ this.columnName = columnName;
+ this.resourcePath = resourcePath;
+ }
+
+ public String getDatabaseName() {
+ return databaseName;
+ }
+
+ public void setDatabaseName(String databaseName) {
+ this.databaseName = databaseName;
+ }
+
+ public String getTableName() {
+ return tableName;
+ }
+
+ public void setTableName(String tableName) {
+ this.tableName = tableName;
+ }
+
+ public String getColumnName() {
+ return columnName;
+ }
+
+ public void setColumnName(String columnName) {
+ this.columnName = columnName;
+ }
+
+ public String getResourcePath() {
+ return resourcePath;
+ }
+
+ public void setResourcePath(String resourcePath) {
+ this.resourcePath = resourcePath;
+ }
+
+ @Override
+ public String toJsonFormatLog() throws Exception {
+ StringWriter stringWriter = new StringWriter();
+ JsonGenerator json = null;
+ try {
+ json = factory.createJsonGenerator(stringWriter);
+ json.writeStartObject();
+ json.writeStringField(Constants.LOG_FIELD_SERVICE_NAME, getServiceName());
+ json.writeStringField(Constants.LOG_FIELD_USER_NAME, getUserName());
+ json.writeStringField(Constants.LOG_FIELD_IMPERSONATOR, getImpersonator());
+ json.writeStringField(Constants.LOG_FIELD_IP_ADDRESS, getIpAddress());
+ json.writeStringField(Constants.LOG_FIELD_OPERATION, getOperation());
+ json.writeStringField(Constants.LOG_FIELD_EVENT_TIME, getEventTime());
+ json.writeStringField(Constants.LOG_FIELD_OPERATION_TEXT, getOperationText());
+ json.writeStringField(Constants.LOG_FIELD_ALLOWED, getAllowed());
+ json.writeStringField(Constants.LOG_FIELD_DATABASE_NAME, databaseName);
+ json.writeStringField(Constants.LOG_FIELD_TABLE_NAME, tableName);
+ json.writeStringField(Constants.LOG_FIELD_COLUMN_NAME, columnName);
+ json.writeStringField(Constants.LOG_FIELD_RESOURCE_PATH, resourcePath);
+ json.writeStringField(Constants.LOG_FIELD_OBJECT_TYPE, getObjectType());
+ json.writeEndObject();
+ json.flush();
+ } catch (IOException e) {
+ String msg = "Error creating audit log in json format: " + e.getMessage();
+ LOGGER.error(msg, e);
+ throw e;
+ } finally {
+ try {
+ if (json != null) {
+ json.close();
+ }
+ } catch (IOException e) {
+ String msg = "Error when close json object: " + e.getMessage();
+ LOGGER.error(msg, e);
+ throw e;
+ }
+ }
+
+ return stringWriter.toString();
+ }
+}
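Review bot: The `finally` block at the end of `toJsonFormatLog` rethrows the IOException from `json.close()`, which replaces any exception already propagating out of the `try` — the primary cause of a failed audit record is then lost both from the logged stack trace and from the caller. `JsonGenerator` is `Closeable`, so if the build targets Java 7 or later a try-with-resources, `try (JsonGenerator json = factory.createJsonGenerator(stringWriter)) { ... }`, closes it and keeps a close failure as a suppressed exception; otherwise log the close failure without rethrowing it. The method declares `throws Exception` although only `IOException` can escape it; narrowing the override to `throws IOException` is permitted and documents the real failure mode. `component`, which the constructor stores via `setCommonAttr`, is never written to the JSON object — if that is intentional for the DB entity, a comment saying so would prevent it being reported as a dropped field.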
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/GMAuditMetadataLogEntity.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/GMAuditMetadataLogEntity.java
new file mode 100644
index 0000000..6911772
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/GMAuditMetadataLogEntity.java
@@ -0,0 +1,97 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.codehaus.jackson.JsonGenerator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class GMAuditMetadataLogEntity extends AuditMetadataLogEntity {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(GMAuditMetadataLogEntity.class);
+ private Map<String, String> privilegesMap;
+
+ public GMAuditMetadataLogEntity() {
+ privilegesMap = new LinkedHashMap<String, String>();
+ }
+
+ public GMAuditMetadataLogEntity(String serviceName, String userName, String impersonator,
+ String ipAddress, String operation, String eventTime, String operationText, String allowed,
+ String objectType, String component, Map<String, String> privilegesMap) {
+ setCommonAttr(serviceName, userName, impersonator, ipAddress, operation, eventTime,
+ operationText, allowed, objectType, component);
+ this.privilegesMap = privilegesMap;
+ }
+
+ @Override
+ public String toJsonFormatLog() throws Exception {
+ StringWriter stringWriter = new StringWriter();
+ JsonGenerator json = null;
+ try {
+ json = factory.createJsonGenerator(stringWriter);
+ json.writeStartObject();
+ json.writeStringField(Constants.LOG_FIELD_SERVICE_NAME, getServiceName());
+ json.writeStringField(Constants.LOG_FIELD_USER_NAME, getUserName());
+ json.writeStringField(Constants.LOG_FIELD_IMPERSONATOR, getImpersonator());
+ json.writeStringField(Constants.LOG_FIELD_IP_ADDRESS, getIpAddress());
+ json.writeStringField(Constants.LOG_FIELD_OPERATION, getOperation());
+ json.writeStringField(Constants.LOG_FIELD_EVENT_TIME, getEventTime());
+ json.writeStringField(Constants.LOG_FIELD_OPERATION_TEXT, getOperationText());
+ json.writeStringField(Constants.LOG_FIELD_ALLOWED, getAllowed());
+ for (Map.Entry<String, String> entry : privilegesMap.entrySet()) {
+ json.writeStringField(entry.getKey(), entry.getValue());
+ }
+ json.writeStringField(Constants.LOG_FIELD_OBJECT_TYPE, getObjectType());
+ json.writeStringField(Constants.LOG_FIELD_COMPONENT, getComponent());
+ json.writeEndObject();
+ json.flush();
+ } catch (IOException e) {
+ String msg = "Error creating audit log in json format: " + e.getMessage();
+ LOGGER.error(msg, e);
+ throw e;
+ } finally {
+ try {
+ if (json != null) {
+ json.close();
+ }
+ } catch (IOException e) {
+ String msg = "Error when close json object: " + e.getMessage();
+ LOGGER.error(msg, e);
+ throw e;
+ }
+ }
+
+ return stringWriter.toString();
+ }
+
+ public Map<String, String> getPrivilegesMap() {
+ return privilegesMap;
+ }
+
+ public void setPrivilegesMap(Map<String, String> privilegesMap) {
+ this.privilegesMap = privilegesMap;
+ }
+
+}
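Review bot: `toJsonFormatLog` iterates `privilegesMap.entrySet()` in its `for` loop with no null guard, yet both the eleven-argument constructor and `setPrivilegesMap` store whatever reference the caller passes, so a null map turns the audit write into a NullPointerException that bypasses the `IOException` handler; a leading `if (privilegesMap != null)` around the loop, or `List.copyOf`-style defensive copying in the setters, closes that. The same loop emits each map key as a top-level JSON field name alongside the fixed `Constants.LOG_FIELD_*` fields; the keys come from the request's authorizable types (see `createJsonLogEntity` for the generic grant/revoke requests later in this commit), so a type name that matches a fixed field yields a duplicate key in the audit record and downstream parsers disagree on which value wins. Nesting the entries under one dedicated field (`json.writeObjectFieldStart(<privileges field>)` … `json.writeEndObject()`) keeps the fixed audit fields unambiguous. `getPrivilegesMap` also hands out the internal mutable map; returning `Collections.unmodifiableMap(privilegesMap)` would keep the entity immutable after construction.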
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
new file mode 100644
index 0000000..913f125
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+public interface JsonLogEntity {
+
+ String toJsonFormatLog() throws Exception;
+
+}
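Review bot: `toJsonFormatLog()` is declared `throws Exception`, which forces every caller to catch `Exception` (the audit block in `SentryPolicyStoreProcessor` further down this commit does exactly that) even though both implementations visible in this chunk only rethrow `IOException`; narrowing the signature to `throws IOException` stops unrelated runtime failures from being folded into the same catch. The interface also has no Javadoc; a one-liner such as `/** Serialises this audit entity into its JSON representation. */` above the method would document the contract callers rely on.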
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
new file mode 100644
index 0000000..f6bb8a5
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
@@ -0,0 +1,351 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import java.util.Iterator;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddUsersRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddUsersResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteUsersRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteUsersResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeResponse;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.service.thrift.ThriftUtil;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.Status;
+import org.apache.sentry.service.thrift.TSentryResponseStatus;
+
+import com.google.common.base.Joiner;
+import com.google.common.collect.ImmutableSet;
+
+public final class JsonLogEntityFactory {
+
+ private static JsonLogEntityFactory factory = new JsonLogEntityFactory();
+
+ private JsonLogEntityFactory() {
+ }
+
+ public static JsonLogEntityFactory getInstance() {
+ return factory;
+ }
+
+ // log entity for hive/impala create role
+ public JsonLogEntity createJsonLogEntity(TCreateSentryRoleRequest request,
+ TCreateSentryRoleResponse response, Configuration conf) {
+ DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ hamle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(
+ request.getRoleName(), true));
+
+ return hamle;
+ }
+
+ // log entity for hive/impala drop role
+ public JsonLogEntity createJsonLogEntity(TDropSentryRoleRequest request,
+ TDropSentryRoleResponse response, Configuration conf) {
+ DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ hamle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(
+ request.getRoleName(), false));
+
+ return hamle;
+ }
+
+ // log entity for hive/impala grant privilege
+ public Set<JsonLogEntity> createJsonLogEntitys(
+ TAlterSentryRoleGrantPrivilegeRequest request,
+ TAlterSentryRoleGrantPrivilegeResponse response, Configuration conf) {
+ ImmutableSet.Builder<JsonLogEntity> setBuilder = ImmutableSet.builder();
+ if (request.isSetPrivileges()) {
+ for (TSentryPrivilege privilege : request.getPrivileges()) {
+ JsonLogEntity logEntity = createJsonLogEntity(request, privilege, response, conf);
+ setBuilder.add(logEntity);
+ }
+ }
+ return setBuilder.build();
+ }
+
+ private JsonLogEntity createJsonLogEntity(
+ TAlterSentryRoleGrantPrivilegeRequest request, TSentryPrivilege privilege,
+ TAlterSentryRoleGrantPrivilegeResponse response, Configuration conf) {
+ DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ hamle.setOperationText(CommandUtil.createCmdForGrantPrivilege(request));
+ hamle.setDatabaseName(privilege.getDbName());
+ hamle.setTableName(privilege.getTableName());
+ hamle.setResourcePath(privilege.getURI());
+ return hamle;
+ }
+
+ // log entity for hive/impala revoke privilege
+ public Set<JsonLogEntity> createJsonLogEntitys(
+ TAlterSentryRoleRevokePrivilegeRequest request,
+ TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) {
+ ImmutableSet.Builder<JsonLogEntity> setBuilder = ImmutableSet.builder();
+ if (request.isSetPrivileges()) {
+ for (TSentryPrivilege privilege : request.getPrivileges()) {
+ JsonLogEntity logEntity = createJsonLogEntity(request, privilege, response, conf);
+ setBuilder.add(logEntity);
+ }
+ }
+ return setBuilder.build();
+ }
+
+ private JsonLogEntity createJsonLogEntity(
+ TAlterSentryRoleRevokePrivilegeRequest request, TSentryPrivilege privilege,
+ TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) {
+ DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ hamle.setOperationText(CommandUtil.createCmdForRevokePrivilege(request));
+ hamle.setDatabaseName(privilege.getDbName());
+ hamle.setTableName(privilege.getTableName());
+ hamle.setResourcePath(privilege.getURI());
+
+ return hamle;
+ }
+
+ // log entity for hive/impala add role to group
+ public JsonLogEntity createJsonLogEntity(
+ TAlterSentryRoleAddGroupsRequest request,
+ TAlterSentryRoleAddGroupsResponse response, Configuration conf) {
+ DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ String groups = getGroupsStr(request.getGroupsIterator());
+ hamle.setOperationText(CommandUtil.createCmdForRoleAddGroup(request.getRoleName(), groups));
+
+ return hamle;
+ }
+
+ // log entity for hive/impala delete role from group
+ public JsonLogEntity createJsonLogEntity(
+ TAlterSentryRoleDeleteGroupsRequest request,
+ TAlterSentryRoleDeleteGroupsResponse response, Configuration conf) {
+ DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ String groups = getGroupsStr(request.getGroupsIterator());
+ hamle.setOperationText(CommandUtil.createCmdForRoleDeleteGroup(request.getRoleName(), groups));
+
+ return hamle;
+ }
+
+ private String getGroupsStr(Iterator<TSentryGroup> iter) {
+ StringBuilder groups = new StringBuilder("");
+ if (iter != null) {
+ boolean commaFlg = false;
+ while (iter.hasNext()) {
+ if (commaFlg) {
+ groups.append(", ");
+ } else {
+ commaFlg = true;
+ }
+ groups.append(iter.next().getGroupName());
+ }
+ }
+ return groups.toString();
+ }
+
+ public JsonLogEntity createJsonLogEntity(TAlterSentryRoleAddUsersRequest request,
+ TAlterSentryRoleAddUsersResponse response, Configuration conf) {
+ AuditMetadataLogEntity amle = createCommonHAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ String users = getUsersStr(request.getUsersIterator());
+ amle.setOperationText(CommandUtil.createCmdForRoleAddUser(request.getRoleName(), users));
+
+ return amle;
+ }
+
+ public JsonLogEntity createJsonLogEntity(TAlterSentryRoleDeleteUsersRequest request,
+ TAlterSentryRoleDeleteUsersResponse response, Configuration conf) {
+ AuditMetadataLogEntity amle = createCommonHAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ String users = getUsersStr(request.getUsersIterator());
+ amle.setOperationText(CommandUtil.createCmdForRoleDeleteUser(request.getRoleName(), users));
+
+ return amle;
+ }
+
+ private String getUsersStr(Iterator<String> iter) {
+ StringBuilder users = new StringBuilder("");
+ if (iter != null) {
+ boolean commaFlg = false;
+ while (iter.hasNext()) {
+ if (commaFlg) {
+ users.append(", ");
+ } else {
+ commaFlg = true;
+ }
+ users.append(iter.next());
+ }
+ }
+ return users.toString();
+ }
+
+ public String isAllowed(TSentryResponseStatus status) {
+ if (status.equals(Status.OK())) {
+ return Constants.TRUE;
+ }
+ return Constants.FALSE;
+ }
+
+ // log entity for generic model create role
+ public JsonLogEntity createJsonLogEntity(
+ org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest request,
+ org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleResponse response,
+ Configuration conf) {
+ GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
+ gmamle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(request.getRoleName(), true));
+
+ return gmamle;
+ }
+
+ // log entity for generic model drop role
+ public JsonLogEntity createJsonLogEntity(
+ org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest request,
+ org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleResponse response,
+ Configuration conf) {
+ GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
+ gmamle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(request.getRoleName(), false));
+
+ return gmamle;
+ }
+
+ // log entity for generic model grant privilege
+ public JsonLogEntity createJsonLogEntity(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest request,
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeResponse response,
+ Configuration conf) {
+ GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
+ if (request.getPrivilege() != null) {
+ List<TAuthorizable> authorizables = request.getPrivilege().getAuthorizables();
+ Map<String, String> privilegesMap = new LinkedHashMap<String, String>();
+ if (authorizables != null) {
+ for (TAuthorizable authorizable : authorizables) {
+ privilegesMap.put(authorizable.getType(), authorizable.getName());
+ }
+ }
+ gmamle.setPrivilegesMap(privilegesMap);
+ }
+ gmamle.setOperationText(CommandUtil.createCmdForGrantGMPrivilege(request));
+
+ return gmamle;
+ }
+
+ // log entity for generic model revoke privilege
+ public JsonLogEntity createJsonLogEntity(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest request,
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeResponse response,
+ Configuration conf) {
+ GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
+ if (request.getPrivilege() != null) {
+ List<TAuthorizable> authorizables = request.getPrivilege().getAuthorizables();
+ Map<String, String> privilegesMap = new LinkedHashMap<String, String>();
+ if (authorizables != null) {
+ for (TAuthorizable authorizable : authorizables) {
+ privilegesMap.put(authorizable.getType(), authorizable.getName());
+ }
+ }
+ gmamle.setPrivilegesMap(privilegesMap);
+ }
+ gmamle.setOperationText(CommandUtil.createCmdForRevokeGMPrivilege(request));
+
+ return gmamle;
+ }
+
+ // log entity for generic model add role to group
+ public JsonLogEntity createJsonLogEntity(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest request,
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsResponse response,
+ Configuration conf) {
+ GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
+ Joiner joiner = Joiner.on(",");
+ String groups = joiner.join(request.getGroupsIterator());
+ gmamle.setOperationText(CommandUtil.createCmdForRoleAddGroup(request.getRoleName(), groups));
+
+ return gmamle;
+ }
+
+ // log entity for hive delete role from group
+ public JsonLogEntity createJsonLogEntity(
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest request,
+ org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsResponse response,
+ Configuration conf) {
+ GMAuditMetadataLogEntity gmamle = createCommonGMAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName(), request.getComponent());
+ Joiner joiner = Joiner.on(",");
+ String groups = joiner.join(request.getGroupsIterator());
+ gmamle.setOperationText(CommandUtil.createCmdForRoleDeleteGroup(request.getRoleName(), groups));
+
+ return gmamle;
+ }
+
+ private DBAuditMetadataLogEntity createCommonHAMLE(Configuration conf,
+ TSentryResponseStatus responseStatus, String userName, String requestClassName) {
+ DBAuditMetadataLogEntity hamle = new DBAuditMetadataLogEntity();
+ setCommAttrForAMLE(hamle, conf, responseStatus, userName, requestClassName);
+ return hamle;
+ }
+
+ private GMAuditMetadataLogEntity createCommonGMAMLE(Configuration conf,
+ TSentryResponseStatus responseStatus, String userName, String requestClassName,
+ String component) {
+ GMAuditMetadataLogEntity gmamle = new GMAuditMetadataLogEntity();
+ setCommAttrForAMLE(gmamle, conf, responseStatus, userName, requestClassName);
+ gmamle.setComponent(component);
+ return gmamle;
+ }
+
+ private void setCommAttrForAMLE(AuditMetadataLogEntity amle, Configuration conf,
+ TSentryResponseStatus responseStatus, String userName, String requestClassName) {
+ amle.setUserName(userName);
+ amle.setServiceName(conf.get(ServerConfig.SENTRY_SERVICE_NAME,
+ ServerConfig.SENTRY_SERVICE_NAME_DEFAULT).trim());
+ amle.setImpersonator(ThriftUtil.getImpersonator());
+ amle.setIpAddress(ThriftUtil.getIpAddress());
+ amle.setOperation(Constants.requestTypeToOperationMap.get(requestClassName));
+ amle.setEventTime(Long.toString(System.currentTimeMillis()));
+ amle.setAllowed(isAllowed(responseStatus));
+ amle.setObjectType(Constants.requestTypeToObjectTypeMap
+ .get(requestClassName));
+ }
+}
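Review bot: The generic-model add-groups and delete-groups methods pass `request.getGroupsIterator()` straight into `Joiner.on(",").join(...)`, whereas the DB-model counterparts route the same kind of iterator through `getGroupsStr`, which explicitly checks it for null; if the Thrift accessor returns null for an unset groups field, as that helper anticipates, the generic path throws a NullPointerException while building the entry, and because the caller in `SentryPolicyStoreProcessor` only logs exceptions from audit construction, the audit record for that request is silently lost. The two paths also disagree on the separator (`","` versus `", "`), so the operationText for otherwise identical operations differs by model. If the generic request's groups are plain strings, `String groups = getUsersStr(request.getGroupsIterator());` in both methods gives the null-safe, consistent behaviour; `getGroupsStr` and `getUsersStr` are otherwise the same loop and could collapse into one helper. The comment `// log entity for hive delete role from group` above the generic delete-groups method is a copy-paste leftover and should read `// log entity for generic model delete role from group`.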
[17/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
new file mode 100644
index 0000000..5dff12a
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -0,0 +1,1111 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
+import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
+import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
+import org.apache.sentry.core.common.exception.SentryInvalidInputException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.provider.db.SentryPolicyStorePlugin;
+import org.apache.sentry.provider.db.SentryPolicyStorePlugin.SentryPluginException;
+import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
+import org.apache.sentry.provider.db.log.entity.JsonLogEntity;
+import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+import org.apache.sentry.provider.db.service.persistent.HAContext;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
+import org.apache.sentry.provider.db.service.persistent.ServiceRegister;
+import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
+import org.apache.sentry.service.thrift.SentryServiceUtil;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
+import org.apache.sentry.service.thrift.Status;
+import org.apache.sentry.service.thrift.TSentryResponseStatus;
+import org.apache.thrift.TException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.codahale.metrics.Timer;
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Preconditions;
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+
+@SuppressWarnings("unused")
+public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryPolicyStoreProcessor.class);
+ private static final Logger AUDIT_LOGGER = LoggerFactory.getLogger(Constants.AUDIT_LOGGER_NAME);
+
+ public static volatile SentryPolicyStoreProcessor instance;
+
+ private final String name;
+ private final Configuration conf;
+ private final SentryStore sentryStore;
+ private final NotificationHandlerInvoker notificationHandlerInvoker;
+ private final ImmutableSet<String> adminGroups;
+ private boolean isReady;
+ SentryMetrics sentryMetrics;
+ private HAContext haContext;
+
+ private List<SentryPolicyStorePlugin> sentryPlugins = new LinkedList<SentryPolicyStorePlugin>();
+
+ public SentryPolicyStoreProcessor(String name, Configuration conf) throws Exception {
+ super();
+ this.name = name;
+ this.conf = conf;
+ this.notificationHandlerInvoker = new NotificationHandlerInvoker(conf,
+ createHandlers(conf));
+ isReady = false;
+ if (conf.getBoolean(ServerConfig.SENTRY_HA_ENABLED,
+ ServerConfig.SENTRY_HA_ENABLED_DEFAULT)) {
+ haContext = HAContext.getHAServerContext(conf);
+ sentryStore = new SentryStore(conf);
+ ServiceRegister reg = new ServiceRegister(haContext);
+ reg.regService(conf.get(ServerConfig.RPC_ADDRESS),
+ conf.getInt(ServerConfig.RPC_PORT,ServerConfig.RPC_PORT_DEFAULT));
+ } else {
+ sentryStore = new SentryStore(conf);
+ }
+ isReady = true;
+ adminGroups = ImmutableSet.copyOf(toTrimedLower(Sets.newHashSet(conf.getStrings(
+ ServerConfig.ADMIN_GROUPS, new String[]{}))));
+ Iterable<String> pluginClasses = ConfUtilties.CLASS_SPLITTER
+ .split(conf.get(ServerConfig.SENTRY_POLICY_STORE_PLUGINS,
+ ServerConfig.SENTRY_POLICY_STORE_PLUGINS_DEFAULT).trim());
+ for (String pluginClassStr : pluginClasses) {
+ Class<?> clazz = conf.getClassByName(pluginClassStr);
+ if (!SentryPolicyStorePlugin.class.isAssignableFrom(clazz)) {
+ throw new IllegalArgumentException("Sentry Plugin ["
+ + pluginClassStr + "] is not a "
+ + SentryPolicyStorePlugin.class.getName());
+ }
+ SentryPolicyStorePlugin plugin = (SentryPolicyStorePlugin)clazz.newInstance();
+ plugin.initialize(conf, sentryStore);
+ sentryPlugins.add(plugin);
+ }
+ if (instance == null) {
+ instance = this;
+ }
+ initMetrics();
+ }
+
+ private void initMetrics() {
+ sentryMetrics = SentryMetrics.getInstance();
+ sentryMetrics.addSentryStoreGauges(sentryStore);
+
+ String sentryReporting = conf.get(ServerConfig.SENTRY_REPORTER);
+ if (sentryReporting != null) {
+ SentryMetrics.Reporting reporting;
+ try {
+ reporting = SentryMetrics.Reporting.valueOf(sentryReporting.toUpperCase());
+ sentryMetrics.initReporting(reporting);
+
+ } catch (IllegalArgumentException e) {
+ LOGGER.warn("Metrics reporting not configured correctly, please set " + ServerConfig.SENTRY_REPORTER +
+ " to: " + SentryMetrics.Reporting.CONSOLE.name() + "/" + SentryMetrics.Reporting.JMX.name());
+ }
+ }
+ }
+
+ public void stop() {
+ if (isReady) {
+ sentryStore.stop();
+ }
+ if (haContext != null) {
+ try {
+ haContext.getCuratorFramework().close();
+ } catch (Exception e) {
+ LOGGER.warn("Error in stopping processor", e);
+ }
+ }
+ }
+
+ public void registerPlugin(SentryPolicyStorePlugin plugin) throws SentryPluginException {
+ plugin.initialize(conf, sentryStore);
+ sentryPlugins.add(plugin);
+ }
+
+ @VisibleForTesting
+ static List<NotificationHandler> createHandlers(Configuration conf)
+ throws SentrySiteConfigurationException {
+ List<NotificationHandler> handlers = Lists.newArrayList();
+ Iterable<String> notificationHandlers = Splitter.onPattern("[\\s,]").trimResults()
+ .omitEmptyStrings().split(conf.get(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, ""));
+ for (String notificationHandler : notificationHandlers) {
+ Class<?> clazz = null;
+ try {
+ clazz = Class.forName(notificationHandler);
+ if (!NotificationHandler.class.isAssignableFrom(clazz)) {
+ throw new SentrySiteConfigurationException("Class " + notificationHandler + " is not a " +
+ NotificationHandler.class.getName());
+ }
+ } catch (ClassNotFoundException e) {
+ throw new SentrySiteConfigurationException("Value " + notificationHandler +
+ " is not a class", e);
+ }
+ Preconditions.checkNotNull(clazz, "Error class cannot be null");
+ try {
+ Constructor<?> constructor = clazz.getConstructor(Configuration.class);
+ handlers.add((NotificationHandler)constructor.newInstance(conf));
+ } catch (Exception e) {
+ throw new SentrySiteConfigurationException("Error attempting to create " + notificationHandler, e);
+ }
+ }
+ return handlers;
+ }
+
+ @VisibleForTesting
+ public Configuration getSentryStoreConf() {
+ return conf;
+ }
+
+ private static Set<String> toTrimedLower(Set<String> s) {
+ Set<String> result = Sets.newHashSet();
+ for (String v : s) {
+ result.add(v.trim().toLowerCase());
+ }
+ return result;
+ }
+
+ private boolean inAdminGroups(Set<String> requestorGroups) {
+ Set<String> trimmedRequestorGroups = toTrimedLower(requestorGroups);
+ return !Sets.intersection(adminGroups, trimmedRequestorGroups).isEmpty();
+ }
+
+ private void authorize(String requestorUser, Set<String> requestorGroups)
+ throws SentryAccessDeniedException {
+ if (!inAdminGroups(requestorGroups)) {
+ String msg = "User: " + requestorUser + " is part of " + requestorGroups +
+ " which does not, intersect admin groups " + adminGroups;
+ LOGGER.warn(msg);
+ throw new SentryAccessDeniedException("Access denied to " + requestorUser);
+ }
+ }
+
+ @Override
+ public TCreateSentryRoleResponse create_sentry_role(
+ TCreateSentryRoleRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.createRoleTimer.time();
+ TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
+ try {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(),
+ getRequestorGroups(request.getRequestorUserName()));
+ CommitContext commitContext = sentryStore.createSentryRole(request.getRoleName());
+ response.setStatus(Status.OK());
+ notificationHandlerInvoker.create_sentry_role(commitContext,
+ request, response);
+ } catch (SentryAlreadyExistsException e) {
+ String msg = "Role: " + request + " already exists.";
+ LOGGER.error(msg, e);
+ response.setStatus(Status.AlreadyExists(msg, e));
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for create role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return response;
+ }
+
+ @Override
+ public TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege
+ (TAlterSentryRoleGrantPrivilegeRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.grantTimer.time();
+
+ TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
+ try {
+ validateClientVersion(request.getProtocol_version());
+ // There should only one field be set
+ if ( !(request.isSetPrivileges()^request.isSetPrivilege()) ) {
+ throw new SentryUserException("SENTRY API version is not right!");
+ }
+ // Maintain compatibility for old API: Set privilege field to privileges field
+ if (request.isSetPrivilege()) {
+ request.setPrivileges(Sets.newHashSet(request.getPrivilege()));
+ }
+ CommitContext commitContext = sentryStore.alterSentryRoleGrantPrivileges(request.getRequestorUserName(),
+ request.getRoleName(), request.getPrivileges());
+ response.setStatus(Status.OK());
+ response.setPrivileges(request.getPrivileges());
+ // Maintain compatibility for old API: Set privilege field to response
+ if (response.isSetPrivileges() && response.getPrivileges().size() == 1) {
+ response.setPrivilege(response.getPrivileges().iterator().next());
+ }
+ notificationHandlerInvoker.alter_sentry_role_grant_privilege(commitContext,
+ request, response);
+ for (SentryPolicyStorePlugin plugin : sentryPlugins) {
+ plugin.onAlterSentryRoleGrantPrivilege(request);
+ }
+ } catch (SentryNoSuchObjectException e) {
+ String msg = "Role: " + request.getRoleName() + " doesn't exist";
+ LOGGER.error(msg, e);
+ response.setStatus(Status.NoSuchObject(msg, e));
+ } catch (SentryInvalidInputException e) {
+ String msg = "Invalid input privilege object";
+ LOGGER.error(msg, e);
+ response.setStatus(Status.InvalidInput(msg, e));
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+
+ try {
+ Set<JsonLogEntity> jsonLogEntitys = JsonLogEntityFactory.getInstance().createJsonLogEntitys(
+ request, response, conf);
+ for (JsonLogEntity jsonLogEntity : jsonLogEntitys) {
+ AUDIT_LOGGER.info(jsonLogEntity.toJsonFormatLog());
+ }
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for grant privilege to role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return response;
+ }
+
+ @Override
+ public TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege
+ (TAlterSentryRoleRevokePrivilegeRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.revokeTimer.time();
+ TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse();
+ try {
+ validateClientVersion(request.getProtocol_version());
+ // There should only one field be set
+ if ( !(request.isSetPrivileges()^request.isSetPrivilege()) ) {
+ throw new SentryUserException("SENTRY API version is not right!");
+ }
+ // Maintain compatibility for old API: Set privilege field to privileges field
+ if (request.isSetPrivilege()) {
+ request.setPrivileges(Sets.newHashSet(request.getPrivilege()));
+ }
+ CommitContext commitContext = sentryStore.alterSentryRoleRevokePrivileges(request.getRequestorUserName(),
+ request.getRoleName(), request.getPrivileges());
+ response.setStatus(Status.OK());
+ notificationHandlerInvoker.alter_sentry_role_revoke_privilege(commitContext,
+ request, response);
+ for (SentryPolicyStorePlugin plugin : sentryPlugins) {
+ plugin.onAlterSentryRoleRevokePrivilege(request);
+ }
+ } catch (SentryNoSuchObjectException e) {
+ StringBuilder msg = new StringBuilder();
+ if (request.getPrivileges().size() > 0) {
+ for (TSentryPrivilege privilege : request.getPrivileges()) {
+ msg.append("Privilege: [server=");
+ msg.append(privilege.getServerName());
+ msg.append(",db=");
+ msg.append(privilege.getDbName());
+ msg.append(",table=");
+ msg.append(privilege.getTableName());
+ msg.append(",URI=");
+ msg.append(privilege.getURI());
+ msg.append(",action=");
+ msg.append(privilege.getAction());
+ msg.append("] ");
+ }
+ msg.append("doesn't exist.");
+ }
+ LOGGER.error(msg.toString(), e);
+ response.setStatus(Status.NoSuchObject(msg.toString(), e));
+ } catch (SentryInvalidInputException e) {
+ String msg = "Invalid input privilege object";
+ LOGGER.error(msg, e);
+ response.setStatus(Status.InvalidInput(msg, e));
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+
+ try {
+ Set<JsonLogEntity> jsonLogEntitys = JsonLogEntityFactory.getInstance().createJsonLogEntitys(
+ request, response, conf);
+ for (JsonLogEntity jsonLogEntity : jsonLogEntitys) {
+ AUDIT_LOGGER.info(jsonLogEntity.toJsonFormatLog());
+ }
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for revoke privilege from role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return response;
+ }
+
+ @Override
+ public TDropSentryRoleResponse drop_sentry_role(
+ TDropSentryRoleRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.dropRoleTimer.time();
+ TDropSentryRoleResponse response = new TDropSentryRoleResponse();
+ TSentryResponseStatus status;
+ try {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(),
+ getRequestorGroups(request.getRequestorUserName()));
+ CommitContext commitContext = sentryStore.dropSentryRole(request.getRoleName());
+ response.setStatus(Status.OK());
+ notificationHandlerInvoker.drop_sentry_role(commitContext,
+ request, response);
+ for (SentryPolicyStorePlugin plugin : sentryPlugins) {
+ plugin.onDropSentryRole(request);
+ }
+ } catch (SentryNoSuchObjectException e) {
+ String msg = "Role :" + request + " doesn't exist";
+ LOGGER.error(msg, e);
+ response.setStatus(Status.NoSuchObject(msg, e));
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for drop role: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return response;
+ }
+
+ @Override
+ public TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(
+ TAlterSentryRoleAddGroupsRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.grantRoleTimer.time();
+ TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
+ try {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(),
+ getRequestorGroups(request.getRequestorUserName()));
+ CommitContext commitContext = sentryStore.alterSentryRoleAddGroups(
+ request.getRequestorUserName(), request.getRoleName(),
+ request.getGroups());
+ response.setStatus(Status.OK());
+ notificationHandlerInvoker.alter_sentry_role_add_groups(commitContext,
+ request, response);
+ for (SentryPolicyStorePlugin plugin : sentryPlugins) {
+ plugin.onAlterSentryRoleAddGroups(request);
+ }
+ } catch (SentryNoSuchObjectException e) {
+ String msg = "Role: " + request + " doesn't exist";
+ LOGGER.error(msg, e);
+ response.setStatus(Status.NoSuchObject(msg, e));
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for add role to group: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return response;
+ }
+
+ @Override
+ public TAlterSentryRoleAddUsersResponse alter_sentry_role_add_users(
+ TAlterSentryRoleAddUsersRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.grantRoleTimer.time();
+ TAlterSentryRoleAddUsersResponse response = new TAlterSentryRoleAddUsersResponse();
+ try {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName()));
+ CommitContext commitContext = sentryStore.alterSentryRoleAddUsers(request.getRoleName(),
+ request.getUsers());
+ response.setStatus(Status.OK());
+ notificationHandlerInvoker.alter_sentry_role_add_users(commitContext, request, response);
+ } catch (SentryNoSuchObjectException e) {
+ String msg = "Role: " + request + " does not exist.";
+ LOGGER.error(msg, e);
+ response.setStatus(Status.NoSuchObject(msg, e));
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for add role to user: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return response;
+ }
+
+ @Override
+ public TAlterSentryRoleDeleteUsersResponse alter_sentry_role_delete_users(
+ TAlterSentryRoleDeleteUsersRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.grantRoleTimer.time();
+ TAlterSentryRoleDeleteUsersResponse response = new TAlterSentryRoleDeleteUsersResponse();
+ try {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName()));
+ CommitContext commitContext = sentryStore.alterSentryRoleDeleteUsers(request.getRoleName(),
+ request.getUsers());
+ response.setStatus(Status.OK());
+ notificationHandlerInvoker.alter_sentry_role_delete_users(commitContext, request, response);
+ } catch (SentryNoSuchObjectException e) {
+ String msg = "Role: " + request + " does not exist.";
+ LOGGER.error(msg, e);
+ response.setStatus(Status.NoSuchObject(msg, e));
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for delete role from user: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return response;
+ }
+
+ @Override
+ public TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(
+ TAlterSentryRoleDeleteGroupsRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.revokeRoleTimer.time();
+ TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
+ try {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(),
+ getRequestorGroups(request.getRequestorUserName()));
+ CommitContext commitContext = sentryStore.alterSentryRoleDeleteGroups(request.getRoleName(),
+ request.getGroups());
+ response.setStatus(Status.OK());
+ notificationHandlerInvoker.alter_sentry_role_delete_groups(commitContext,
+ request, response);
+ for (SentryPolicyStorePlugin plugin : sentryPlugins) {
+ plugin.onAlterSentryRoleDeleteGroups(request);
+ }
+ } catch (SentryNoSuchObjectException e) {
+ String msg = "Role: " + request + " does not exist.";
+ LOGGER.error(msg, e);
+ response.setStatus(Status.NoSuchObject(msg, e));
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error adding groups to role: " + request;
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+
+ try {
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf).toJsonFormatLog());
+ } catch (Exception e) {
+ // if any exception, log the exception.
+ String msg = "Error creating audit log for delete role from group: " + e.getMessage();
+ LOGGER.error(msg, e);
+ }
+ return response;
+ }
+
+ @Override
+ public TListSentryRolesResponse list_sentry_roles_by_group(
+ TListSentryRolesRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.listRolesByGroupTimer.time();
+ TListSentryRolesResponse response = new TListSentryRolesResponse();
+ TSentryResponseStatus status;
+ Set<TSentryRole> roleSet = new HashSet<TSentryRole>();
+ String subject = request.getRequestorUserName();
+ boolean checkAllGroups = false;
+ try {
+ validateClientVersion(request.getProtocol_version());
+ Set<String> groups = getRequestorGroups(subject);
+ // Don't check admin permissions for listing requestor's own roles
+ if (AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
+ checkAllGroups = true;
+ } else {
+ boolean admin = inAdminGroups(groups);
+ //Only admin users can list all roles in the system ( groupname = null)
+ //Non admin users are only allowed to list only groups which they belong to
+ if(!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) {
+ throw new SentryAccessDeniedException("Access denied to " + subject);
+ }else {
+ groups.clear();
+ groups.add(request.getGroupName());
+ }
+ }
+ roleSet = sentryStore.getTSentryRolesByGroupName(groups, checkAllGroups);
+ response.setRoles(roleSet);
+ response.setStatus(Status.OK());
+ } catch (SentryNoSuchObjectException e) {
+ response.setRoles(roleSet);
+ String msg = "Request: " + request + " couldn't be completed, message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.NoSuchObject(msg, e));
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+ return response;
+ }
+
+ public TListSentryRolesResponse list_sentry_roles_by_user(TListSentryRolesForUserRequest request)
+ throws TException {
+ final Timer.Context timerContext = sentryMetrics.listRolesByGroupTimer.time();
+ TListSentryRolesResponse response = new TListSentryRolesResponse();
+ TSentryResponseStatus status;
+ Set<TSentryRole> roleSet = new HashSet<TSentryRole>();
+ String requestor = request.getRequestorUserName();
+ String userName = request.getUserName();
+ boolean checkAllGroups = false;
+ try {
+ validateClientVersion(request.getProtocol_version());
+ // userName can't be empty
+ if (StringUtils.isEmpty(userName)) {
+ throw new SentryAccessDeniedException("The user name can't be empty.");
+ }
+
+ Set<String> requestorGroups = getRequestorGroups(requestor);
+ Set<String> userGroups = getRequestorGroups(userName);
+ boolean isAdmin = inAdminGroups(requestorGroups);
+
+ // Only admin users can list other user's roles in the system
+ // Non admin users are only allowed to list only their own roles related user and group
+ if (!isAdmin && !userName.equals(requestor)) {
+ throw new SentryAccessDeniedException("Access denied to list the roles for " + userName);
+ }
+ roleSet = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(userName));
+ response.setRoles(roleSet);
+ response.setStatus(Status.OK());
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ String msg = "Group couldn't be retrieved for " + requestor + " or " + userName + ".";
+ response.setStatus(Status.AccessDenied(msg, e));
+ } catch (SentryNoSuchObjectException e) {
+ response.setRoles(roleSet);
+ String msg = "Role: " + request + " couldn't be retrieved.";
+ LOGGER.error(msg, e);
+ response.setStatus(Status.NoSuchObject(msg, e));
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+ return response;
+ }
+
+ @Override
+ public TListSentryPrivilegesResponse list_sentry_privileges_by_role(
+ TListSentryPrivilegesRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.listPrivilegesByRoleTimer.time();
+ TListSentryPrivilegesResponse response = new TListSentryPrivilegesResponse();
+ TSentryResponseStatus status;
+ Set<TSentryPrivilege> privilegeSet = new HashSet<TSentryPrivilege>();
+ String subject = request.getRequestorUserName();
+ try {
+ validateClientVersion(request.getProtocol_version());
+ Set<String> groups = getRequestorGroups(subject);
+ Boolean admin = inAdminGroups(groups);
+ if(!admin) {
+ Set<String> roleNamesForGroups = toTrimedLower(sentryStore.getRoleNamesForGroups(groups));
+ if(!roleNamesForGroups.contains(request.getRoleName().trim().toLowerCase())) {
+ throw new SentryAccessDeniedException("Access denied to " + subject);
+ }
+ }
+ if (request.isSetAuthorizableHierarchy()) {
+ TSentryAuthorizable authorizableHierarchy = request.getAuthorizableHierarchy();
+ privilegeSet = sentryStore.getTSentryPrivileges(Sets.newHashSet(request.getRoleName()), authorizableHierarchy);
+ } else {
+ privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(request.getRoleName());
+ }
+ response.setPrivileges(privilegeSet);
+ response.setStatus(Status.OK());
+ } catch (SentryNoSuchObjectException e) {
+ response.setPrivileges(privilegeSet);
+ String msg = "Privilege: " + request + " couldn't be retrieved.";
+ LOGGER.error(msg, e);
+ response.setStatus(Status.NoSuchObject(msg, e));
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+ return response;
+ }
+
+ /**
+ * This method was created specifically for ProviderBackend.getPrivileges() and is not meant
+ * to be used for general privilege retrieval. More details in the .thrift file.
+ */
+ @Override
+ public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(
+ TListSentryPrivilegesForProviderRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.listPrivilegesForProviderTimer.time();
+ TListSentryPrivilegesForProviderResponse response = new TListSentryPrivilegesForProviderResponse();
+ response.setPrivileges(new HashSet<String>());
+ try {
+ validateClientVersion(request.getProtocol_version());
+ Set<String> privilegesForProvider =
+ sentryStore.listSentryPrivilegesForProvider(request.getGroups(), request.getUsers(),
+ request.getRoleSet(), request.getAuthorizableHierarchy());
+ response.setPrivileges(privilegesForProvider);
+ if (privilegesForProvider == null
+ || privilegesForProvider.size() == 0
+ && request.getAuthorizableHierarchy() != null
+ && sentryStore.hasAnyServerPrivileges(request.getGroups(), request.getUsers(),
+ request.getRoleSet(), request.getAuthorizableHierarchy().getServer())) {
+
+ // REQUIRED for ensuring 'default' Db is accessible by any user
+ // with privileges to atleast 1 object with the specific server as root
+
+ // Need some way to specify that even though user has no privilege
+ // For the specific AuthorizableHierarchy.. he has privilege on
+ // atleast 1 object in the server hierarchy
+ HashSet<String> serverPriv = Sets.newHashSet("server=+");
+ response.setPrivileges(serverPriv);
+ }
+ response.setStatus(Status.OK());
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+ return response;
+ }
+
+ // retrieve the group mapping for the given user name
+ private Set<String> getRequestorGroups(String userName)
+ throws SentryUserException {
+ return getGroupsFromUserName(this.conf, userName);
+ }
+
+ public static Set<String> getGroupsFromUserName(Configuration conf,
+ String userName) throws SentryUserException {
+ String groupMapping = conf.get(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
+ ServerConfig.SENTRY_STORE_GROUP_MAPPING_DEFAULT);
+ String authResoruce = conf
+ .get(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE);
+
+ // load the group mapping provider class
+ GroupMappingService groupMappingService;
+ try {
+ Constructor<?> constrctor = Class.forName(groupMapping)
+ .getDeclaredConstructor(Configuration.class, String.class);
+ constrctor.setAccessible(true);
+ groupMappingService = (GroupMappingService) constrctor
+ .newInstance(new Object[] { conf, authResoruce });
+ } catch (NoSuchMethodException e) {
+ throw new SentryUserException("Unable to instantiate group mapping", e);
+ } catch (SecurityException e) {
+ throw new SentryUserException("Unable to instantiate group mapping", e);
+ } catch (ClassNotFoundException e) {
+ throw new SentryUserException("Unable to instantiate group mapping", e);
+ } catch (InstantiationException e) {
+ throw new SentryUserException("Unable to instantiate group mapping", e);
+ } catch (IllegalAccessException e) {
+ throw new SentryUserException("Unable to instantiate group mapping", e);
+ } catch (IllegalArgumentException e) {
+ throw new SentryUserException("Unable to instantiate group mapping", e);
+ } catch (InvocationTargetException e) {
+ throw new SentryUserException("Unable to instantiate group mapping", e);
+ }
+ return groupMappingService.getGroups(userName);
+ }
+
+ @Override
+ public TDropPrivilegesResponse drop_sentry_privilege(
+ TDropPrivilegesRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.dropPrivilegeTimer.time();
+ TDropPrivilegesResponse response = new TDropPrivilegesResponse();
+ try {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(), adminGroups);
+ sentryStore.dropPrivilege(request.getAuthorizable());
+ for (SentryPolicyStorePlugin plugin : sentryPlugins) {
+ plugin.onDropSentryPrivilege(request);
+ }
+ response.setStatus(Status.OK());
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: "
+ + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+ return response;
+ }
+
+ @Override
+ public TRenamePrivilegesResponse rename_sentry_privilege(
+ TRenamePrivilegesRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.renamePrivilegeTimer.time();
+ TRenamePrivilegesResponse response = new TRenamePrivilegesResponse();
+ try {
+ validateClientVersion(request.getProtocol_version());
+ authorize(request.getRequestorUserName(), adminGroups);
+ sentryStore.renamePrivilege(request.getOldAuthorizable(),
+ request.getNewAuthorizable());
+ for (SentryPolicyStorePlugin plugin : sentryPlugins) {
+ plugin.onRenameSentryPrivilege(request);
+ }
+ response.setStatus(Status.OK());
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: "
+ + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.close();
+ }
+ return response;
+ }
+
+ @Override
+ public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(
+ TListSentryPrivilegesByAuthRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.listPrivilegesByAuthorizableTimer.time();
+ TListSentryPrivilegesByAuthResponse response = new TListSentryPrivilegesByAuthResponse();
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> authRoleMap = Maps.newHashMap();
+ String subject = request.getRequestorUserName();
+ Set<String> requestedGroups = request.getGroups();
+ TSentryActiveRoleSet requestedRoleSet = request.getRoleSet();
+ try {
+ validateClientVersion(request.getProtocol_version());
+ Set<String> memberGroups = getRequestorGroups(subject);
+ if(!inAdminGroups(memberGroups)) {
+ // disallow non-admin to lookup groups that they are not part of
+ if (requestedGroups != null && !requestedGroups.isEmpty()) {
+ for (String requestedGroup : requestedGroups) {
+ if (!memberGroups.contains(requestedGroup)) {
+ // if user doesn't belong to one of the requested group then raise error
+ throw new SentryAccessDeniedException("Access denied to " + subject);
+ }
+ }
+ } else {
+ // non-admin's search is limited to it's own groups
+ requestedGroups = memberGroups;
+ }
+
+ // disallow non-admin to lookup roles that they are not part of
+ if (requestedRoleSet != null && !requestedRoleSet.isAll()) {
+ Set<String> roles = toTrimedLower(sentryStore
+ .getRoleNamesForGroups(memberGroups));
+ for (String role : toTrimedLower(requestedRoleSet.getRoles())) {
+ if (!roles.contains(role)) {
+ throw new SentryAccessDeniedException("Access denied to "
+ + subject);
+ }
+ }
+ }
+ }
+
+ // If user is not part of any group.. return empty response
+ for (TSentryAuthorizable authorizable : request.getAuthorizableSet()) {
+ authRoleMap.put(authorizable, sentryStore
+ .listSentryPrivilegesByAuthorizable(requestedGroups,
+ request.getRoleSet(), authorizable, inAdminGroups(memberGroups)));
+ }
+ response.setPrivilegesMapByAuth(authRoleMap);
+ response.setStatus(Status.OK());
+ // TODO : Sentry - HDFS : Have to handle this
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: "
+ + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+ return response;
+ }
+
+ /**
+ * Respond to a request for a config value in the sentry server. The client
+ * can request any config value that starts with "sentry." and doesn't contain
+ * "keytab".
+ * @param request Contains config parameter sought and default if not found
+ * @return The response, containing the value and status
+ * @throws TException
+ */
+ @Override
+ public TSentryConfigValueResponse get_sentry_config_value(
+ TSentryConfigValueRequest request) throws TException {
+
+ final String requirePattern = "^sentry\\..*";
+ final String excludePattern = ".*keytab.*|.*\\.jdbc\\..*|.*password.*";
+
+ TSentryConfigValueResponse response = new TSentryConfigValueResponse();
+ String attr = request.getPropertyName();
+
+ try {
+ validateClientVersion(request.getProtocol_version());
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ }
+ // Only allow config parameters like...
+ if (!Pattern.matches(requirePattern, attr) ||
+ Pattern.matches(excludePattern, attr)) {
+ String msg = "Attempted access of the configuration property " + attr +
+ " was denied";
+ LOGGER.error(msg);
+ response.setStatus(Status.AccessDenied(msg,
+ new SentryAccessDeniedException(msg)));
+ return response;
+ }
+
+ response.setValue(conf.get(attr,request.getDefaultValue()));
+ response.setStatus(Status.OK());
+ return response;
+ }
+
+ @VisibleForTesting
+ static void validateClientVersion(int protocolVersion) throws SentryThriftAPIMismatchException {
+ if (ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT != protocolVersion) {
+ String msg = "Sentry thrift API protocol version mismatch: Client thrift version " +
+ "is: " + protocolVersion + " , server thrift verion " +
+ "is " + ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT;
+ throw new SentryThriftAPIMismatchException(msg);
+ }
+ }
+
+ // get the sentry mapping data and return the data with map structure
+ @Override
+ public TSentryExportMappingDataResponse export_sentry_mapping_data(
+ TSentryExportMappingDataRequest request) throws TException {
+ TSentryExportMappingDataResponse response = new TSentryExportMappingDataResponse();
+ try {
+ String requestor = request.getRequestorUserName();
+ Set<String> memberGroups = getRequestorGroups(requestor);
+ String objectPath = request.getObjectPath();
+ String databaseName = null;
+ String tableName = null;
+
+ Map<String, String> objectMap =
+ SentryServiceUtil.parseObjectPath(objectPath);
+ databaseName = objectMap.get(PolicyFileConstants.PRIVILEGE_DATABASE_NAME);
+ tableName = objectMap.get(PolicyFileConstants.PRIVILEGE_TABLE_NAME);
+
+ if (!inAdminGroups(memberGroups)) {
+ // disallow non-admin to import the metadata of sentry
+ throw new SentryAccessDeniedException("Access denied to " + requestor
+ + " for export the metadata of sentry.");
+ }
+ TSentryMappingData tSentryMappingData = new TSentryMappingData();
+ Map<String, Set<TSentryPrivilege>> rolePrivileges =
+ sentryStore.getRoleNameTPrivilegesMap(databaseName, tableName);
+ tSentryMappingData.setRolePrivilegesMap(rolePrivileges);
+ Set<String> roleNames = rolePrivileges.keySet();
+ // roleNames should be null if databaseName == null and tableName == null
+ if (databaseName == null && tableName == null) {
+ roleNames = null;
+ }
+ List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(
+ roleNames);
+ tSentryMappingData.setGroupRolesMap(mapList.get(
+ SentryStore.INDEX_GROUP_ROLES_MAP));
+ tSentryMappingData.setUserRolesMap(mapList.get(SentryStore.INDEX_USER_ROLES_MAP));
+
+ response.setMappingData(tSentryMappingData);
+ response.setStatus(Status.OK());
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setMappingData(new TSentryMappingData());
+ response.setStatus(Status.RuntimeError(msg, e));
+ }
+ return response;
+ }
+
+ // import the sentry mapping data
+ @Override
+ public TSentryImportMappingDataResponse import_sentry_mapping_data(
+ TSentryImportMappingDataRequest request) throws TException {
+ TSentryImportMappingDataResponse response = new TSentryImportMappingDataResponse();
+ try {
+ String requestor = request.getRequestorUserName();
+ Set<String> memberGroups = getRequestorGroups(requestor);
+ if (!inAdminGroups(memberGroups)) {
+ // disallow non-admin to import the metadata of sentry
+ throw new SentryAccessDeniedException("Access denied to " + requestor
+ + " for import the metadata of sentry.");
+ }
+ sentryStore.importSentryMetaData(request.getMappingData(), request.isOverwriteRole());
+ response.setStatus(Status.OK());
+ } catch (SentryInvalidInputException e) {
+ String msg = "Invalid input privilege object";
+ LOGGER.error(msg, e);
+ response.setStatus(Status.InvalidInput(msg, e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ }
+ return response;
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
new file mode 100644
index 0000000..45966e5
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.service.thrift.ProcessorFactory;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.thrift.TMultiplexedProcessor;
+import org.apache.thrift.TProcessor;
+
+public class SentryPolicyStoreProcessorFactory extends ProcessorFactory {
+ public SentryPolicyStoreProcessorFactory(Configuration conf) {
+ super(conf);
+ }
+
+ public boolean register(TMultiplexedProcessor multiplexedProcessor) throws Exception {
+ SentryPolicyStoreProcessor sentryServiceHandler =
+ new SentryPolicyStoreProcessor(ServiceConstants.SENTRY_POLICY_SERVICE_NAME,
+ conf);
+ TProcessor processor =
+ new SentryProcessorWrapper<SentryPolicyService.Iface>(sentryServiceHandler);
+ multiplexedProcessor.registerProcessor(ServiceConstants.SENTRY_POLICY_SERVICE_NAME, processor);
+ return true;
+ }
+}
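Review bot: `register` at the `public boolean register(TMultiplexedProcessor ...)` line carries no `@Override`, although it reads like the hook `ProcessorFactory` (not visible here) expects subclasses to implement; if that is the case, add `@Override` so a signature drift in the base class fails at compile time instead of silently leaving the policy service unregistered. The method also always returns `true` and declares `throws Exception`, so a short Javadoc saying what the return value means to callers and which failures can actually propagate from `registerProcessor` would help, e.g. `/** Registers the policy-service handler under SENTRY_POLICY_SERVICE_NAME; always returns true. */`.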
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
new file mode 100644
index 0000000..a5f11a9
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.thrift.TException;
+import org.apache.thrift.protocol.TProtocol;
+
+public class SentryProcessorWrapper<I extends SentryPolicyService.Iface> extends
+ SentryPolicyService.Processor<SentryPolicyService.Iface> {
+
+ public SentryProcessorWrapper(I iface) {
+ super(iface);
+ }
+
+ @Override
+ public boolean process(TProtocol in, TProtocol out) throws TException {
+ ThriftUtil.setIpAddress(in);
+ ThriftUtil.setImpersonator(in);
+ return super.process(in, out);
+ }
+}
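Review bot: The thread-local IP address and impersonator written in `process` before `super.process(in, out)` are never cleared afterwards, and the `ThriftUtil` setters only overwrite the value when the transport is a SASL/TSocket one; on a pooled server thread a later connection over a different transport would therefore be attributed to the previous caller's impersonator and address. Resetting both in a `finally` bounds the identity to the request (the ThreadLocals default to `""`, so that is the neutral value). The generic parameter `I` is only used by the constructor while the superclass is fixed to `SentryPolicyService.Iface`, so it adds nothing and could be dropped in a follow-up.
```java
@Override
public boolean process(TProtocol in, TProtocol out) throws TException {
  ThriftUtil.setIpAddress(in);
  ThriftUtil.setImpersonator(in);
  try {
    return super.process(in, out);
  } finally {
    // do not let this request's identity leak to the next one handled on this thread
    ThriftUtil.setIpAddress("");
    ThriftUtil.setImpersonator("");
  }
}
```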
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
new file mode 100644
index 0000000..a42f395
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
@@ -0,0 +1,184 @@
+package org.apache.sentry.provider.db.service.thrift;
+
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import com.codahale.metrics.servlets.AdminServlet;
+import com.google.common.base.Preconditions;
+
+import java.io.IOException;
+import java.util.EnumSet;
+import java.net.URL;
+import java.util.EventListener;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
+import com.google.common.collect.Sets;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.eclipse.jetty.server.DispatcherType;
+import org.eclipse.jetty.server.Handler;
+import org.eclipse.jetty.server.handler.ContextHandler;
+import org.eclipse.jetty.server.handler.ContextHandlerCollection;
+import org.eclipse.jetty.server.handler.ResourceHandler;
+import org.eclipse.jetty.server.nio.SelectChannelConnector;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
+import org.eclipse.jetty.servlet.FilterHolder;
+import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.servlet.ServletHolder;
+import org.eclipse.jetty.util.resource.Resource;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SentryWebServer {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryWebServer.class);
+ private static final String RESOURCE_DIR = "/webapp";
+ private static final String WELCOME_PAGE = "SentryService.html";
+
+ private Server server;
+
+ public SentryWebServer(List<EventListener> listeners, int port, Configuration conf) {
+ server = new Server();
+
+ // Create a channel connector for "http/https" requests
+ SelectChannelConnector connector = new SelectChannelConnector();
+ if (conf.getBoolean(ServerConfig.SENTRY_WEB_USE_SSL, false)) {
+ SslContextFactory sslContextFactory = new SslContextFactory();
+ sslContextFactory.setKeyStorePath(conf.get(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH, ""));
+ sslContextFactory.setKeyStorePassword(
+ conf.get(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, ""));
+ // Exclude SSL blacklist protocols
+ sslContextFactory.setExcludeProtocols(ServerConfig.SENTRY_SSL_PROTOCOL_BLACKLIST_DEFAULT);
+ Set<String> moreExcludedSSLProtocols =
+ Sets.newHashSet(Splitter.on(",").trimResults().omitEmptyStrings()
+ .split(Strings.nullToEmpty(conf.get(ServerConfig.SENTRY_SSL_PROTOCOL_BLACKLIST))));
+ sslContextFactory.addExcludeProtocols(moreExcludedSSLProtocols.toArray(
+ new String[moreExcludedSSLProtocols.size()]));
+ connector = new SslSelectChannelConnector(sslContextFactory);
+ LOGGER.info("Now using SSL mode.");
+ }
+
+ connector.setPort(port);
+ server.addConnector(connector);
+
+ ServletContextHandler servletContextHandler = new ServletContextHandler();
+ ServletHolder servletHolder = new ServletHolder(AdminServlet.class);
+ servletContextHandler.addServlet(servletHolder, "/*");
+
+ for(EventListener listener:listeners) {
+ servletContextHandler.addEventListener(listener);
+ }
+
+ ServletHolder confServletHolder = new ServletHolder(ConfServlet.class);
+ servletContextHandler.addServlet(confServletHolder, "/conf");
+ servletContextHandler.getServletContext()
+ .setAttribute(ConfServlet.CONF_CONTEXT_ATTRIBUTE, conf);
+
+ ResourceHandler resourceHandler = new ResourceHandler();
+ resourceHandler.setDirectoriesListed(true);
+ URL url = this.getClass().getResource(RESOURCE_DIR);
+ try {
+ resourceHandler.setBaseResource(Resource.newResource(url.toString()));
+ } catch (IOException e) {
+ LOGGER.error("Got exception while setBaseResource for Sentry Service web UI", e);
+ }
+ resourceHandler.setWelcomeFiles(new String[]{WELCOME_PAGE});
+ ContextHandler contextHandler= new ContextHandler();
+ contextHandler.setHandler(resourceHandler);
+
+ ContextHandlerCollection contextHandlerCollection = new ContextHandlerCollection();
+ contextHandlerCollection.setHandlers(new Handler[]{contextHandler, servletContextHandler});
+
+ String authMethod = conf.get(ServerConfig.SENTRY_WEB_SECURITY_TYPE);
+ if (!ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE.equals(authMethod)) {
+ /**
+ * SentryAuthFilter is a subclass of AuthenticationFilter and
+ * AuthenticationFilter tagged as private and unstable interface:
+ * While there are not guarantees that this interface will not change,
+ * it is fairly stable and used by other projects (ie - Oozie)
+ */
+ FilterHolder filterHolder = servletContextHandler.addFilter(SentryAuthFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));
+ filterHolder.setInitParameters(loadWebAuthenticationConf(conf));
+ }
+
+ server.setHandler(contextHandlerCollection);
+ }
+
+ public void start() throws Exception{
+ server.start();
+ }
+ public void stop() throws Exception{
+ server.stop();
+ }
+ public boolean isAlive() {
+ return server != null && server.isStarted();
+ }
+ private static Map<String, String> loadWebAuthenticationConf(Configuration conf) {
+ Map<String,String> prop = new HashMap<String, String>();
+ prop.put(AuthenticationFilter.CONFIG_PREFIX, ServerConfig.SENTRY_WEB_SECURITY_PREFIX);
+ String allowUsers = conf.get(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS);
+ if (allowUsers == null || allowUsers.equals("")) {
+ allowUsers = conf.get(ServerConfig.ALLOW_CONNECT);
+ conf.set(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS, allowUsers);
+ }
+ validateConf(conf);
+ for (Map.Entry<String, String> entry : conf) {
+ String name = entry.getKey();
+ if (name.startsWith(ServerConfig.SENTRY_WEB_SECURITY_PREFIX)) {
+ String value = conf.get(name);
+ prop.put(name, value);
+ }
+ }
+ return prop;
+ }
+
+ private static void validateConf(Configuration conf) {
+ String authHandlerName = conf.get(ServerConfig.SENTRY_WEB_SECURITY_TYPE);
+ Preconditions.checkNotNull(authHandlerName, "Web authHandler should not be null.");
+ String allowUsers = conf.get(ServerConfig.SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS);
+ Preconditions.checkNotNull(allowUsers, "Allow connect user(s) should not be null.");
+ if (ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS.equalsIgnoreCase(authHandlerName)) {
+ String principal = conf.get(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL);
+ Preconditions.checkNotNull(principal, "Kerberos principal should not be null.");
+ Preconditions.checkArgument(principal.length() != 0, "Kerberos principal is not right.");
+ String keytabFile = conf.get(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB);
+ Preconditions.checkNotNull(keytabFile, "Keytab File should not be null.");
+ Preconditions.checkArgument(keytabFile.length() != 0, "Keytab File is not right.");
+ try {
+ UserGroupInformation.setConfiguration(conf);
+ String hostPrincipal = SecurityUtil.getServerPrincipal(principal, ServerConfig.RPC_ADDRESS_DEFAULT);
+ UserGroupInformation.loginUserFromKeytab(hostPrincipal, keytabFile);
+ } catch (IOException ex) {
+ throw new IllegalArgumentException("Can't use Kerberos authentication, principal ["
+ + principal + "] keytab [" + keytabFile + "]", ex);
+ }
+ LOGGER.info("Using Kerberos authentication, principal ["
+ + principal + "] keytab [" + keytabFile + "]");
+ }
+ }
+}
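Review bot: In the constructor, `URL url = this.getClass().getResource(RESOURCE_DIR)` is dereferenced as `url.toString()` with no null check and outside the `try`, so a missing `/webapp` classpath resource surfaces as a NullPointerException from the constructor rather than the logged error the catch block intends; `Preconditions.checkNotNull(url, "Resource " + RESOURCE_DIR + " not found on classpath");` before the call would make the failure explicit. `resourceHandler.setDirectoriesListed(true)` enables directory listings on the static `ContextHandler`, which is added to the collection alongside `servletContextHandler` while `SentryAuthFilter` is registered only on the latter, so if my reading is right the listing is served without authentication; unless listings are needed, `resourceHandler.setDirectoriesListed(false);` is the safer default. `validateConf` also performs `UserGroupInformation.loginUserFromKeytab`, a process-wide login side effect that its name does not suggest, and `loadWebAuthenticationConf` writes back into the caller's `conf`; both deserve a comment such as `// NOTE: validates AND performs the Kerberos login for the web UI principal`.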
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java
new file mode 100644
index 0000000..3a96d0b
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java
@@ -0,0 +1,112 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.thrift.protocol.TProtocol;
+import org.apache.thrift.transport.TSaslClientTransport;
+import org.apache.thrift.transport.TSaslServerTransport;
+import org.apache.thrift.transport.TSocket;
+import org.apache.thrift.transport.TTransport;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Preconditions;
+
+public final class ThriftUtil {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(ThriftUtil.class);
+
+ public static void setImpersonator(final TProtocol in) {
+ try {
+ TTransport transport = in.getTransport();
+ if (transport instanceof TSaslServerTransport) {
+ String impersonator = ((TSaslServerTransport) transport).getSaslServer()
+ .getAuthorizationID();
+ setImpersonator(impersonator);
+ }
+ } catch (Exception e) {
+ // If there has exception when get impersonator info, log the error information.
+ LOGGER.warn("There is an error when get the impersonator:" + e.getMessage());
+ }
+ }
+
+ public static void setIpAddress(final TProtocol in) {
+ try {
+ TTransport transport = in.getTransport();
+ TSocket tSocket = getUnderlyingSocketFromTransport(transport);
+ if (tSocket != null) {
+ setIpAddress(tSocket.getSocket().getInetAddress().toString());
+ } else {
+ LOGGER.warn("Unknown Transport, cannot determine ipAddress");
+ }
+ } catch (Exception e) {
+ // If there has exception when get impersonator info, log the error information.
+ LOGGER.warn("There is an error when get the client's ip address:" + e.getMessage());
+ }
+ }
+
+ /**
+ * Returns the underlying TSocket from the transport, or null of the transport type is unknown.
+ */
+ private static TSocket getUnderlyingSocketFromTransport(TTransport transport) {
+ Preconditions.checkNotNull(transport);
+ if (transport instanceof TSaslServerTransport) {
+ return (TSocket) ((TSaslServerTransport) transport).getUnderlyingTransport();
+ } else if (transport instanceof TSaslClientTransport) {
+ return (TSocket) ((TSaslClientTransport) transport).getUnderlyingTransport();
+ } else if (transport instanceof TSocket) {
+ return (TSocket) transport;
+ }
+ return null;
+ }
+
+ private static ThreadLocal<String> threadLocalIpAddress = new ThreadLocal<String>() {
+ @Override
+ protected synchronized String initialValue() {
+ return "";
+ }
+ };
+
+ public static void setIpAddress(String ipAddress) {
+ threadLocalIpAddress.set(ipAddress);
+ }
+
+ public static String getIpAddress() {
+ return threadLocalIpAddress.get();
+ }
+
+ private static ThreadLocal<String> threadLocalImpersonator = new ThreadLocal<String>() {
+ @Override
+ protected synchronized String initialValue() {
+ return "";
+ }
+ };
+
+ public static void setImpersonator(String impersonator) {
+ threadLocalImpersonator.set(impersonator);
+ }
+
+ public static String getImpersonator() {
+ return threadLocalImpersonator.get();
+ }
+
+ private ThriftUtil() {
+ // Make constructor private to avoid instantiation
+ }
+}
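Review bot: `getUnderlyingSocketFromTransport` casts `getUnderlyingTransport()` straight to `TSocket` in both SASL branches, so a SASL transport wrapping any other transport throws ClassCastException instead of the `null` the Javadoc promises; today that is only masked by the `catch (Exception e)` in `setIpAddress`. Bind the result first and test it, e.g. `TTransport underlying = ((TSaslServerTransport) transport).getUnderlyingTransport(); return underlying instanceof TSocket ? (TSocket) underlying : null;` (same for the client branch). The two `LOGGER.warn("..." + e.getMessage())` calls drop the exception object and hence the stack trace; pass `e` as the last argument. The `synchronized` on the `initialValue()` overrides buys nothing, since each ThreadLocal initial value is computed per thread.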
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaHelper.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaHelper.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaHelper.java
new file mode 100644
index 0000000..cf1c725
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaHelper.java
@@ -0,0 +1,315 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools;
+
+import java.util.IllegalFormatException;
+
+public final class SentrySchemaHelper {
+ public static final String DB_DERBY = "derby";
+ public static final String DB_MYSQL = "mysql";
+ public static final String DB_POSTGRACE = "postgres";
+ public static final String DB_ORACLE = "oracle";
+ public static final String DB_DB2 = "db2";
+
+ public interface NestedScriptParser {
+
+ public enum CommandType {
+ PARTIAL_STATEMENT,
+ TERMINATED_STATEMENT,
+ COMMENT
+ }
+
+ String DEFAUTL_DELIMITER = ";";
+ /***
+ * Find the type of given command
+ * @param dbCommand
+ * @return
+ */
+ boolean isPartialCommand(String dbCommand) throws IllegalArgumentException;
+
+ /** Parse the DB specific nesting format and extract the inner script name if any
+ * @param dbCommand command from parent script
+ * @return
+ * @throws IllegalFormatException
+ */
+ String getScriptName(String dbCommand) throws IllegalArgumentException;
+
+ /***
+ * Find if the given command is a nested script execution
+ * @param dbCommand
+ * @return
+ */
+ boolean isNestedScript(String dbCommand);
+
+ /***
+ * Find if the given command is should be passed to DB
+ * @param dbCommand
+ * @return
+ */
+ boolean isNonExecCommand(String dbCommand);
+
+ /***
+ * Get the SQL statement delimiter
+ * @return
+ */
+ String getDelimiter();
+
+ /***
+ * Clear any client specific tags
+ * @return
+ */
+ String cleanseCommand(String dbCommand);
+
+ /***
+ * Does the DB required table/column names quoted
+ * @return
+ */
+ boolean needsQuotedIdentifier();
+
+ /***
+ * Set DB specific options if any
+ * @param dbOps
+ */
+ void setDbOpts(String dbOps);
+ }
+
+
+ /***
+ * Base implemenation of NestedScriptParser
+ * abstractCommandParser.
+ *
+ */
+ private static abstract class AbstractCommandParser implements NestedScriptParser {
+ private String dbOpts = null;
+
+ @Override
+ public boolean isPartialCommand(String dbCommand) throws IllegalArgumentException{
+ if (dbCommand == null || dbCommand.isEmpty()) {
+ throw new IllegalArgumentException("invalid command line " + dbCommand);
+ }
+ String trimmedDbCommand = dbCommand.trim();
+ return !(trimmedDbCommand.endsWith(getDelimiter()) || isNonExecCommand(trimmedDbCommand));
+ }
+
+ @Override
+ public boolean isNonExecCommand(String dbCommand) {
+ return dbCommand.startsWith("--") || dbCommand.startsWith("#");
+ }
+
+ @Override
+ public String getDelimiter() {
+ return DEFAUTL_DELIMITER;
+ }
+
+ @Override
+ public String cleanseCommand(String dbCommand) {
+ // strip off the delimiter
+ if (dbCommand.endsWith(getDelimiter())) {
+ dbCommand = dbCommand.substring(0,
+ dbCommand.length() - getDelimiter().length());
+ }
+ return dbCommand;
+ }
+
+ @Override
+ public boolean needsQuotedIdentifier() {
+ return false;
+ }
+
+ @Override
+ public void setDbOpts(String dbOpts) {
+ this.dbOpts = dbOpts;
+ }
+
+ protected String getDbOpts() {
+ return dbOpts;
+ }
+ }
+
+
+ // Derby commandline parser
+ public static class DerbyCommandParser extends AbstractCommandParser {
+ private static final String DERBY_NESTING_TOKEN = "RUN";
+
+ @Override
+ public String getScriptName(String dbCommand) throws IllegalArgumentException {
+
+ if (!isNestedScript(dbCommand)) {
+ throw new IllegalArgumentException("Not a script format " + dbCommand);
+ }
+ String[] tokens = dbCommand.split(" ");
+ if (tokens.length != 2) {
+ throw new IllegalArgumentException("Couldn't parse line " + dbCommand);
+ }
+ return tokens[1].replace(";", "").replaceAll("'", "");
+ }
+
+ @Override
+ public boolean isNestedScript(String dbCommand) {
+ // Derby script format is RUN '<file>'
+ return dbCommand.startsWith(DERBY_NESTING_TOKEN);
+ }
+ }
+
+
+ // MySQL parser
+ public static class MySqlCommandParser extends AbstractCommandParser {
+ private static final String MYSQL_NESTING_TOKEN = "SOURCE";
+ private static final String DELIMITER_TOKEN = "DELIMITER";
+ private String delimiter = DEFAUTL_DELIMITER;
+
+ @Override
+ public boolean isPartialCommand(String dbCommand) throws IllegalArgumentException{
+ boolean isPartial = super.isPartialCommand(dbCommand);
+ // if this is a delimiter directive, reset our delimiter
+ if (dbCommand.startsWith(DELIMITER_TOKEN)) {
+ String[] tokens = dbCommand.split(" ");
+ if (tokens.length != 2) {
+ throw new IllegalArgumentException("Couldn't parse line " + dbCommand);
+ }
+ delimiter = tokens[1];
+ }
+ return isPartial;
+ }
+
+ @Override
+ public String getScriptName(String dbCommand) throws IllegalArgumentException {
+ String[] tokens = dbCommand.split(" ");
+ if (tokens.length != 2) {
+ throw new IllegalArgumentException("Couldn't parse line " + dbCommand);
+ }
+ // remove ending ';'
+ return tokens[1].replace(";", "");
+ }
+
+ @Override
+ public boolean isNestedScript(String dbCommand) {
+ return dbCommand.startsWith(MYSQL_NESTING_TOKEN);
+ }
+
+ @Override
+ public String getDelimiter() {
+ return delimiter;
+ }
+
+ @Override
+ public boolean isNonExecCommand(String dbCommand) {
+ return super.isNonExecCommand(dbCommand) ||
+ dbCommand.startsWith("/*") && dbCommand.endsWith("*/") ||
+ dbCommand.startsWith(DELIMITER_TOKEN);
+ }
+
+ @Override
+ public String cleanseCommand(String dbCommand) {
+ return super.cleanseCommand(dbCommand).replaceAll("/\\*.*?\\*/[^;]", "");
+ }
+
+ }
+
+ // Postgres specific parser
+ public static class PostgresCommandParser extends AbstractCommandParser {
+ public static final String POSTGRES_STRING_COMMAND_FILTER = "SET standard_conforming_strings";
+ public static final String POSTGRES_STRING_CLIENT_ENCODING = "SET client_encoding";
+ public static final String POSTGRES_SKIP_STANDARD_STRING = "postgres.filter.81";
+ private static final String POSTGRES_NESTING_TOKEN = "\\i";
+
+ @Override
+ public String getScriptName(String dbCommand) throws IllegalArgumentException {
+ String[] tokens = dbCommand.split(" ");
+ if (tokens.length != 2) {
+ throw new IllegalArgumentException("Couldn't parse line " + dbCommand);
+ }
+ // remove ending ';'
+ return tokens[1].replace(";", "");
+ }
+
+ @Override
+ public boolean isNestedScript(String dbCommand) {
+ return dbCommand.startsWith(POSTGRES_NESTING_TOKEN);
+ }
+
+ @Override
+ public boolean needsQuotedIdentifier() {
+ return true;
+ }
+
+ @Override
+ public boolean isNonExecCommand(String dbCommand) {
+ // Skip "standard_conforming_strings" command which is not supported in older postgres
+ if (POSTGRES_SKIP_STANDARD_STRING.equalsIgnoreCase(getDbOpts())
+ && (dbCommand.startsWith(POSTGRES_STRING_COMMAND_FILTER) || dbCommand.startsWith(POSTGRES_STRING_CLIENT_ENCODING))) {
+ return true;
+ }
+ return super.isNonExecCommand(dbCommand);
+ }
+ }
+
+ //Oracle specific parser
+ public static class OracleCommandParser extends AbstractCommandParser {
+ private static final String ORACLE_NESTING_TOKEN = "@";
+ @Override
+ public String getScriptName(String dbCommand) throws IllegalArgumentException {
+ if (!isNestedScript(dbCommand)) {
+ throw new IllegalArgumentException("Not a nested script format " + dbCommand);
+ }
+ // remove ending ';' and starting '@'
+ return dbCommand.replace(";", "").replace(ORACLE_NESTING_TOKEN, "");
+ }
+
+ @Override
+ public boolean isNestedScript(String dbCommand) {
+ return dbCommand.startsWith(ORACLE_NESTING_TOKEN);
+ }
+ }
+
+ // DB2 commandline parser
+ public static class DB2CommandParser extends AbstractCommandParser {
+
+ @Override
+ public String getScriptName(String dbCommand) throws IllegalArgumentException {
+ //DB2 does not support nesting script
+ throw new IllegalArgumentException("DB2 does not support nesting script " + dbCommand);
+ }
+
+ @Override
+ public boolean isNestedScript(String dbCommand) {
+ //DB2 does not support nesting script
+ return false;
+ }
+ }
+
+ public static NestedScriptParser getDbCommandParser(String dbName) {
+ if (dbName.equalsIgnoreCase(DB_DERBY)) {
+ return new DerbyCommandParser();
+ } else if (dbName.equalsIgnoreCase(DB_MYSQL)) {
+ return new MySqlCommandParser();
+ } else if (dbName.equalsIgnoreCase(DB_POSTGRACE)) {
+ return new PostgresCommandParser();
+ } else if (dbName.equalsIgnoreCase(DB_ORACLE)) {
+ return new OracleCommandParser();
+ } else if (dbName.equalsIgnoreCase(DB_DB2)) {
+ return new DB2CommandParser();
+ } else {
+ throw new IllegalArgumentException("Unknown dbType " + dbName);
+ }
+ }
+
+ private SentrySchemaHelper() {
+ // Make constructor private to avoid instantiation
+ }
+}
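Review bot: `MySqlCommandParser.cleanseCommand` strips `/\\*.*?\\*/[^;]`, which also removes the single character that follows each block comment; a comment immediately followed by a token (no space) would lose that token's first character. This appears to mirror the Hive schema helper it is modelled on, so it may be deliberate — worth confirming and either documenting with `// also consumes the char after the comment; expected to be whitespace` or dropping the trailing `[^;]`. The public constants `DB_POSTGRACE` and `DEFAUTL_DELIMITER` are misspelled; since they are public, renaming later is a compatibility break, so better to fix them now. The `java.util.IllegalFormatException` import is only referenced from a `@throws` Javadoc tag on `getScriptName`, whose declared exception is actually `IllegalArgumentException`; align the tag and drop the import.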
[15/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.mysql.sql b/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.mysql.sql
new file mode 100644
index 0000000..b3a9828
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.mysql.sql
@@ -0,0 +1,28 @@
+CREATE TABLE `SENTRY_USER` (
+ `USER_ID` BIGINT NOT NULL,
+ `USER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_USER`
+ ADD CONSTRAINT `SENTRY_USER_PK` PRIMARY KEY (`USER_ID`);
+
+ALTER TABLE `SENTRY_USER`
+ ADD CONSTRAINT `SENTRY_USER_USER_NAME_UNIQUE` UNIQUE (`USER_NAME`);
+
+CREATE TABLE `SENTRY_ROLE_USER_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `USER_ID` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_ROLE_USER_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_USER_MAP_PK` PRIMARY KEY (`ROLE_ID`,`USER_ID`);
+
+ALTER TABLE `SENTRY_ROLE_USER_MAP`
+ ADD CONSTRAINT `SEN_ROLE_USER_MAP_SEN_ROLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_USER_MAP`
+ ADD CONSTRAINT `SEN_ROLE_USER_MAP_SEN_USER_FK`
+ FOREIGN KEY (`USER_ID`) REFERENCES `SENTRY_USER`(`USER_ID`);
\ No newline at end of file
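Review bot: `USER_NAME` on `SENTRY_USER` (and `GRANTOR_PRINCIPAL` on `SENTRY_ROLE_USER_MAP`) is declared `CHARACTER SET utf8`, which in MySQL is the three-byte `utf8mb3` subset; a principal name containing a supplementary-plane character is rejected under strict SQL mode and otherwise stored truncated at the first such character, so the name the authorization store keeps can silently differ from the name that was granted. If the rest of the MySQL schema stays on `utf8` for consistency, the restriction is at least worth a comment at the top of the script (`-- utf8 here is utf8mb3: principal names are limited to BMP characters`); otherwise `CHARACTER SET utf8mb4 COLLATE utf8mb4_bin` covers the full range, and 128 characters at four bytes still fits within the 767-byte InnoDB index-prefix limit of older MySQL releases.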
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.oracle.sql b/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.oracle.sql
new file mode 100644
index 0000000..76ae0d5
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.oracle.sql
@@ -0,0 +1,28 @@
+CREATE TABLE "SENTRY_USER" (
+ "USER_ID" NUMBER NOT NULL,
+ "USER_NAME" VARCHAR2(128) NOT NULL,
+ "CREATE_TIME" NUMBER NOT NULL
+);
+
+ALTER TABLE "SENTRY_USER"
+ ADD CONSTRAINT "SENTRY_USER_PK" PRIMARY KEY ("USER_ID");
+
+ALTER TABLE "SENTRY_USER"
+ ADD CONSTRAINT "SENTRY_USER_USER_NAME_UNIQUE" UNIQUE ("USER_NAME");
+
+CREATE TABLE "SENTRY_ROLE_USER_MAP" (
+ "ROLE_ID" NUMBER NOT NULL,
+ "USER_ID" NUMBER NOT NULL,
+ "GRANTOR_PRINCIPAL" VARCHAR2(128)
+);
+
+ALTER TABLE "SENTRY_ROLE_USER_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_USER_MAP_PK" PRIMARY KEY ("ROLE_ID","USER_ID");
+
+ALTER TABLE "SENTRY_ROLE_USER_MAP"
+ ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED;
+
+ALTER TABLE "SENTRY_ROLE_USER_MAP"
+ ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_USER_FK"
+ FOREIGN KEY ("USER_ID") REFERENCES "SENTRY_USER"("USER_ID") INITIALLY DEFERRED;
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.postgres.sql b/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.postgres.sql
new file mode 100644
index 0000000..37e8abc
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/006-SENTRY-711.postgres.sql
@@ -0,0 +1,28 @@
+CREATE TABLE "SENTRY_USER" (
+ "USER_ID" BIGINT NOT NULL,
+ "USER_NAME" character varying(128) NOT NULL,
+ "CREATE_TIME" BIGINT NOT NULL
+);
+
+ALTER TABLE ONLY "SENTRY_USER"
+ ADD CONSTRAINT "SENTRY_USER_PK" PRIMARY KEY ("USER_ID");
+
+ALTER TABLE ONLY "SENTRY_USER"
+ ADD CONSTRAINT "SENTRY_USER_USER_NAME_UNIQUE" UNIQUE ("USER_NAME");
+
+CREATE TABLE "SENTRY_ROLE_USER_MAP" (
+ "ROLE_ID" BIGINT NOT NULL,
+ "USER_ID" BIGINT NOT NULL,
+ "GRANTOR_PRINCIPAL" character varying(128)
+);
+
+ALTER TABLE "SENTRY_ROLE_USER_MAP"
+ ADD CONSTRAINT "SENTRY_ROLE_USER_MAP_PK" PRIMARY KEY ("ROLE_ID","USER_ID");
+
+ALTER TABLE ONLY "SENTRY_ROLE_USER_MAP"
+ ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_ROLE_FK"
+ FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE;
+
+ALTER TABLE ONLY "SENTRY_ROLE_USER_MAP"
+ ADD CONSTRAINT "SEN_ROLE_USER_MAP_SEN_USER_FK"
+ FOREIGN KEY ("USER_ID") REFERENCES "SENTRY_USER"("USER_ID") DEFERRABLE;
\ No newline at end of file
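Review bot: The primary-key statement `ALTER TABLE "SENTRY_ROLE_USER_MAP"` omits the `ONLY` keyword that every other `ALTER TABLE` in this script uses, which reads as an oversight rather than a deliberate choice. On a table with no inheritance children the two forms behave identically, so this is a consistency point, not a functional one. Suggest `ALTER TABLE ONLY "SENTRY_ROLE_USER_MAP"` for that statement so the script matches its sibling statements and, presumably, the convention of the other Postgres scripts in the module.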
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.4.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.4.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.4.0.sql
new file mode 100644
index 0000000..f2a62d2
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.4.0.sql
@@ -0,0 +1,112 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+-- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE TABLE SENTRY_DB_PRIVILEGE
+(
+ DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ URI VARCHAR(4000),
+ "ACTION" VARCHAR(40),
+ CREATE_TIME BIGINT NOT NULL,
+ DB_NAME VARCHAR(4000),
+ GRANTOR_PRINCIPAL VARCHAR(4000),
+ PRIVILEGE_NAME VARCHAR(4000),
+ PRIVILEGE_SCOPE VARCHAR(40),
+ "SERVER_NAME" VARCHAR(4000),
+ "TABLE_NAME" VARCHAR(4000)
+);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
+
+-- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE TABLE SENTRY_ROLE
+(
+ ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(4000),
+ ROLE_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
+
+-- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE TABLE SENTRY_GROUP
+(
+ GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(4000),
+ GROUP_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
+
+-- Table SENTRY_ROLE_GROUP_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GROUP_MAP
+(
+ GROUP_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL
+);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
+
+-- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ DB_PRIVILEGE_ID BIGINT NOT NULL
+);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
+
+CREATE TABLE "SENTRY_VERSION" (
+ VER_ID BIGINT NOT NULL,
+ SCHEMA_VERSION VARCHAR(127),
+ VERSION_COMMENT VARCHAR(255)
+);
+
+ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
+
+-- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE (PRIVILEGE_NAME);
+
+
+-- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
+
+
+-- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
+
+
+-- Constraints for table SENTRY_ROLE_GROUP_MAP
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
+
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
+
+
+-- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.4.0', 'Sentry release version 1.4.0');
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.5.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.5.0.sql
new file mode 100644
index 0000000..53b163a
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.5.0.sql
@@ -0,0 +1,155 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+-- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE TABLE SENTRY_DB_PRIVILEGE
+(
+ DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ URI VARCHAR(4000),
+ "ACTION" VARCHAR(40),
+ CREATE_TIME BIGINT NOT NULL,
+ DB_NAME VARCHAR(4000),
+ PRIVILEGE_SCOPE VARCHAR(40),
+ "SERVER_NAME" VARCHAR(4000),
+ "TABLE_NAME" VARCHAR(4000),
+ "COLUMN_NAME" VARCHAR(4000),
+ WITH_GRANT_OPTION CHAR(1) NOT NULL
+);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
+
+-- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE TABLE SENTRY_ROLE
+(
+ ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ ROLE_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
+
+-- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE TABLE SENTRY_GROUP
+(
+ GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GROUP_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
+
+-- Table SENTRY_ROLE_GROUP_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GROUP_MAP
+(
+ GROUP_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
+
+-- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ DB_PRIVILEGE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
+
+CREATE TABLE "SENTRY_VERSION" (
+ VER_ID BIGINT NOT NULL,
+ SCHEMA_VERSION VARCHAR(127),
+ VERSION_COMMENT VARCHAR(255)
+);
+
+ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
+
+-- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+
+
+-- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
+
+
+-- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
+
+
+-- Constraints for table SENTRY_ROLE_GROUP_MAP
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
+
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
+
+
+-- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.5.0', 'Sentry release version 1.5.0');
+
+-- Generic model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE SENTRY_GM_PRIVILEGE
+(
+ GM_PRIVILEGE_ID BIGINT NOT NULL,
+ "ACTION" VARCHAR(40),
+ COMPONENT_NAME VARCHAR(400),
+ CREATE_TIME BIGINT NOT NULL,
+ WITH_GRANT_OPTION CHAR(1),
+ RESOURCE_NAME_0 VARCHAR(400),
+ RESOURCE_NAME_1 VARCHAR(400),
+ RESOURCE_NAME_2 VARCHAR(400),
+ RESOURCE_NAME_3 VARCHAR(400),
+ RESOURCE_TYPE_0 VARCHAR(400),
+ RESOURCE_TYPE_1 VARCHAR(400),
+ RESOURCE_TYPE_2 VARCHAR(400),
+ RESOURCE_TYPE_3 VARCHAR(400),
+ "SCOPE" VARCHAR(40),
+ SERVICE_NAME VARCHAR(400)
+);
+-- Primary key(GM_PRIVILEGE_ID)
+ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ GM_PRIVILEGE_ID BIGINT NOT NULL
+);
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.6.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.6.0.sql
new file mode 100644
index 0000000..0f8f0af
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.6.0.sql
@@ -0,0 +1,155 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+-- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE TABLE SENTRY_DB_PRIVILEGE
+(
+ DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ URI VARCHAR(4000),
+ "ACTION" VARCHAR(40),
+ CREATE_TIME BIGINT NOT NULL,
+ DB_NAME VARCHAR(4000),
+ PRIVILEGE_SCOPE VARCHAR(40),
+ "SERVER_NAME" VARCHAR(4000),
+ "TABLE_NAME" VARCHAR(4000),
+ "COLUMN_NAME" VARCHAR(4000),
+ WITH_GRANT_OPTION CHAR(1) NOT NULL
+);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
+
+-- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE TABLE SENTRY_ROLE
+(
+ ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ ROLE_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
+
+-- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE TABLE SENTRY_GROUP
+(
+ GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GROUP_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
+
+-- Table SENTRY_ROLE_GROUP_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GROUP_MAP
+(
+ GROUP_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
+
+-- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ DB_PRIVILEGE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
+
+CREATE TABLE "SENTRY_VERSION" (
+ VER_ID BIGINT NOT NULL,
+ SCHEMA_VERSION VARCHAR(127),
+ VERSION_COMMENT VARCHAR(255)
+);
+
+ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
+
+-- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+
+
+-- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
+
+
+-- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
+
+
+-- Constraints for table SENTRY_ROLE_GROUP_MAP
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
+
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
+
+
+-- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.6.0', 'Sentry release version 1.6.0');
+
+-- Generic model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE SENTRY_GM_PRIVILEGE
+(
+ GM_PRIVILEGE_ID BIGINT NOT NULL,
+ "ACTION" VARCHAR(40),
+ COMPONENT_NAME VARCHAR(400),
+ CREATE_TIME BIGINT NOT NULL,
+ WITH_GRANT_OPTION CHAR(1),
+ RESOURCE_NAME_0 VARCHAR(400),
+ RESOURCE_NAME_1 VARCHAR(400),
+ RESOURCE_NAME_2 VARCHAR(400),
+ RESOURCE_NAME_3 VARCHAR(400),
+ RESOURCE_TYPE_0 VARCHAR(400),
+ RESOURCE_TYPE_1 VARCHAR(400),
+ RESOURCE_TYPE_2 VARCHAR(400),
+ RESOURCE_TYPE_3 VARCHAR(400),
+ "SCOPE" VARCHAR(40),
+ SERVICE_NAME VARCHAR(400)
+);
+-- Primary key(GM_PRIVILEGE_ID)
+ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ GM_PRIVILEGE_ID BIGINT NOT NULL
+);
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.7.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.7.0.sql
new file mode 100644
index 0000000..b1e8649
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.7.0.sql
@@ -0,0 +1,155 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+-- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE TABLE SENTRY_DB_PRIVILEGE
+(
+ DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ URI VARCHAR(4000),
+ "ACTION" VARCHAR(40),
+ CREATE_TIME BIGINT NOT NULL,
+ DB_NAME VARCHAR(4000),
+ PRIVILEGE_SCOPE VARCHAR(40),
+ "SERVER_NAME" VARCHAR(4000),
+ "TABLE_NAME" VARCHAR(4000),
+ "COLUMN_NAME" VARCHAR(4000),
+ WITH_GRANT_OPTION CHAR(1) NOT NULL
+);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
+
+-- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE TABLE SENTRY_ROLE
+(
+ ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ ROLE_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
+
+-- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE TABLE SENTRY_GROUP
+(
+ GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GROUP_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
+
+-- Table SENTRY_ROLE_GROUP_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GROUP_MAP
+(
+ GROUP_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
+
+-- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ DB_PRIVILEGE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
+
+CREATE TABLE "SENTRY_VERSION" (
+ VER_ID BIGINT NOT NULL,
+ SCHEMA_VERSION VARCHAR(127),
+ VERSION_COMMENT VARCHAR(255)
+);
+
+ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
+
+-- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+
+
+-- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
+
+
+-- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
+
+
+-- Constraints for table SENTRY_ROLE_GROUP_MAP
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
+
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
+
+
+-- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
+
+-- Generic model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE SENTRY_GM_PRIVILEGE
+(
+ GM_PRIVILEGE_ID BIGINT NOT NULL,
+ "ACTION" VARCHAR(40),
+ COMPONENT_NAME VARCHAR(400),
+ CREATE_TIME BIGINT NOT NULL,
+ WITH_GRANT_OPTION CHAR(1),
+ RESOURCE_NAME_0 VARCHAR(400),
+ RESOURCE_NAME_1 VARCHAR(400),
+ RESOURCE_NAME_2 VARCHAR(400),
+ RESOURCE_NAME_3 VARCHAR(400),
+ RESOURCE_TYPE_0 VARCHAR(400),
+ RESOURCE_TYPE_1 VARCHAR(400),
+ RESOURCE_TYPE_2 VARCHAR(400),
+ RESOURCE_TYPE_3 VARCHAR(400),
+ "SCOPE" VARCHAR(40),
+ SERVICE_NAME VARCHAR(400)
+);
+-- Primary key(GM_PRIVILEGE_ID)
+ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ GM_PRIVILEGE_ID BIGINT NOT NULL
+);
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.8.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.8.0.sql
new file mode 100644
index 0000000..6d08b5c
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-db2-1.8.0.sql
@@ -0,0 +1,183 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+-- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE TABLE SENTRY_DB_PRIVILEGE
+(
+ DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ URI VARCHAR(4000),
+ "ACTION" VARCHAR(40),
+ CREATE_TIME BIGINT NOT NULL,
+ DB_NAME VARCHAR(4000),
+ PRIVILEGE_SCOPE VARCHAR(40),
+ "SERVER_NAME" VARCHAR(4000),
+ "TABLE_NAME" VARCHAR(4000),
+ "COLUMN_NAME" VARCHAR(4000),
+ WITH_GRANT_OPTION CHAR(1) NOT NULL
+);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
+
+-- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE TABLE SENTRY_ROLE
+(
+ ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ ROLE_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
+
+-- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE TABLE SENTRY_GROUP
+(
+ GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GROUP_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
+
+-- Table SENTRY_ROLE_GROUP_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GROUP_MAP
+(
+ GROUP_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
+
+-- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ DB_PRIVILEGE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
+
+CREATE TABLE "SENTRY_VERSION" (
+ VER_ID BIGINT NOT NULL,
+ SCHEMA_VERSION VARCHAR(127),
+ VERSION_COMMENT VARCHAR(255)
+);
+
+ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
+
+-- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+
+
+-- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
+
+
+-- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
+
+
+-- Constraints for table SENTRY_ROLE_GROUP_MAP
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
+
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
+
+
+-- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.8.0', 'Sentry release version 1.8.0');
+
+-- Generic model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE SENTRY_GM_PRIVILEGE
+(
+ GM_PRIVILEGE_ID BIGINT NOT NULL,
+ "ACTION" VARCHAR(40),
+ COMPONENT_NAME VARCHAR(400),
+ CREATE_TIME BIGINT NOT NULL,
+ WITH_GRANT_OPTION CHAR(1),
+ RESOURCE_NAME_0 VARCHAR(400),
+ RESOURCE_NAME_1 VARCHAR(400),
+ RESOURCE_NAME_2 VARCHAR(400),
+ RESOURCE_NAME_3 VARCHAR(400),
+ RESOURCE_TYPE_0 VARCHAR(400),
+ RESOURCE_TYPE_1 VARCHAR(400),
+ RESOURCE_TYPE_2 VARCHAR(400),
+ RESOURCE_TYPE_3 VARCHAR(400),
+ "SCOPE" VARCHAR(40),
+ SERVICE_NAME VARCHAR(400)
+);
+-- Primary key(GM_PRIVILEGE_ID)
+ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ GM_PRIVILEGE_ID BIGINT NOT NULL
+);
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
+
+CREATE TABLE SENTRY_USER
+(
+ USER_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ USER_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_USER ADD CONSTRAINT SENTRY_USER_PK PRIMARY KEY (USER_ID);
+
+CREATE UNIQUE INDEX SENTRYUSERNAME ON SENTRY_USER (USER_NAME);
+
+CREATE TABLE SENTRY_ROLE_USER_MAP
+(
+ USER_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_PK PRIMARY KEY (USER_ID,ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_USER_MAP_N49 ON SENTRY_ROLE_USER_MAP (USER_ID);
+
+CREATE INDEX SENTRY_ROLE_USER_MAP_N50 ON SENTRY_ROLE_USER_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK1 FOREIGN KEY (USER_ID) REFERENCES SENTRY_USER (USER_ID) ;
\ No newline at end of file
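Review bot: `WITH_GRANT_OPTION CHAR(1)` on SENTRY_GM_PRIVILEGE is nullable while the same column on SENTRY_DB_PRIVILEGE is declared `CHAR(1) NOT NULL`, and it is also a member of the GM_PRIVILEGE_INDEX unique key; a NULL grant flag is an authorization attribute with no defined meaning, so I would align it as `WITH_GRANT_OPTION CHAR(1) NOT NULL,` unless the persistence layer is known to always populate it. Separately, this DB2 script omits the `DEFAULT '__NULL__'` sentinel that the Derby 1.5.0+ scripts in the same commit give URI, DB_NAME, TABLE_NAME, COLUMN_NAME and the RESOURCE_NAME_n/RESOURCE_TYPE_n columns; if the service relies on that sentinel for the all-column unique indexes (SENTRYPRIVILEGENAME, GM_PRIVILEGE_INDEX) to reject duplicate privilege rows, DB2 deployments may behave differently from Derby ones, so a header comment stating whether the omission is deliberate for DB2 would help the next maintainer. Both points appear to be pre-existing in the moved file rather than introduced by this commit.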
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.4.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.4.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.4.0.sql
new file mode 100644
index 0000000..f2a62d2
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.4.0.sql
@@ -0,0 +1,112 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+-- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE TABLE SENTRY_DB_PRIVILEGE
+(
+ DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ URI VARCHAR(4000),
+ "ACTION" VARCHAR(40),
+ CREATE_TIME BIGINT NOT NULL,
+ DB_NAME VARCHAR(4000),
+ GRANTOR_PRINCIPAL VARCHAR(4000),
+ PRIVILEGE_NAME VARCHAR(4000),
+ PRIVILEGE_SCOPE VARCHAR(40),
+ "SERVER_NAME" VARCHAR(4000),
+ "TABLE_NAME" VARCHAR(4000)
+);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
+
+-- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE TABLE SENTRY_ROLE
+(
+ ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(4000),
+ ROLE_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
+
+-- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE TABLE SENTRY_GROUP
+(
+ GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(4000),
+ GROUP_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
+
+-- Table SENTRY_ROLE_GROUP_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GROUP_MAP
+(
+ GROUP_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL
+);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
+
+-- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ DB_PRIVILEGE_ID BIGINT NOT NULL
+);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
+
+CREATE TABLE "SENTRY_VERSION" (
+ VER_ID BIGINT NOT NULL,
+ SCHEMA_VERSION VARCHAR(127),
+ VERSION_COMMENT VARCHAR(255)
+);
+
+ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
+
+-- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE (PRIVILEGE_NAME);
+
+
+-- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
+
+
+-- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
+
+
+-- Constraints for table SENTRY_ROLE_GROUP_MAP
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
+
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
+
+
+-- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.4.0', 'Sentry release version 1.4.0');
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.5.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.5.0.sql
new file mode 100644
index 0000000..89d73bb
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.5.0.sql
@@ -0,0 +1,155 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+-- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE TABLE SENTRY_DB_PRIVILEGE
+(
+ DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ URI VARCHAR(4000) DEFAULT '__NULL__',
+ "ACTION" VARCHAR(40),
+ CREATE_TIME BIGINT NOT NULL,
+ DB_NAME VARCHAR(4000) DEFAULT '__NULL__',
+ PRIVILEGE_SCOPE VARCHAR(40),
+ "SERVER_NAME" VARCHAR(4000),
+ "TABLE_NAME" VARCHAR(4000) DEFAULT '__NULL__',
+ "COLUMN_NAME" VARCHAR(4000) DEFAULT '__NULL__',
+ WITH_GRANT_OPTION CHAR(1) NOT NULL
+);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
+
+-- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE TABLE SENTRY_ROLE
+(
+ ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ ROLE_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
+
+-- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE TABLE SENTRY_GROUP
+(
+ GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GROUP_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
+
+-- Table SENTRY_ROLE_GROUP_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GROUP_MAP
+(
+ GROUP_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
+
+-- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ DB_PRIVILEGE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
+
+CREATE TABLE "SENTRY_VERSION" (
+ VER_ID BIGINT NOT NULL,
+ SCHEMA_VERSION VARCHAR(127),
+ VERSION_COMMENT VARCHAR(255)
+);
+
+ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
+
+-- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+
+
+-- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
+
+
+-- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
+
+
+-- Constraints for table SENTRY_ROLE_GROUP_MAP
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
+
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
+
+
+-- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.5.0', 'Sentry release version 1.5.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE SENTRY_GM_PRIVILEGE
+(
+ GM_PRIVILEGE_ID BIGINT NOT NULL,
+ "ACTION" VARCHAR(40),
+ COMPONENT_NAME VARCHAR(400),
+ CREATE_TIME BIGINT NOT NULL,
+ WITH_GRANT_OPTION CHAR(1),
+ RESOURCE_NAME_0 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_1 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_2 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_3 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_0 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_1 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_2 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_3 VARCHAR(400) DEFAULT '__NULL__',
+ "SCOPE" VARCHAR(40),
+ SERVICE_NAME VARCHAR(400)
+);
+-- Primary key(GM_PRIVILEGE_ID)
+ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ GM_PRIVILEGE_ID BIGINT NOT NULL
+);
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.6.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.6.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.6.0.sql
new file mode 100644
index 0000000..9ceb4c5
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.6.0.sql
@@ -0,0 +1,155 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+-- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE TABLE SENTRY_DB_PRIVILEGE
+(
+ DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ URI VARCHAR(4000) DEFAULT '__NULL__',
+ "ACTION" VARCHAR(40),
+ CREATE_TIME BIGINT NOT NULL,
+ DB_NAME VARCHAR(4000) DEFAULT '__NULL__',
+ PRIVILEGE_SCOPE VARCHAR(40),
+ "SERVER_NAME" VARCHAR(4000),
+ "TABLE_NAME" VARCHAR(4000) DEFAULT '__NULL__',
+ "COLUMN_NAME" VARCHAR(4000) DEFAULT '__NULL__',
+ WITH_GRANT_OPTION CHAR(1) NOT NULL
+);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
+
+-- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE TABLE SENTRY_ROLE
+(
+ ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ ROLE_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
+
+-- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE TABLE SENTRY_GROUP
+(
+ GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GROUP_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
+
+-- Table SENTRY_ROLE_GROUP_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GROUP_MAP
+(
+ GROUP_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
+
+-- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ DB_PRIVILEGE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
+
+CREATE TABLE "SENTRY_VERSION" (
+ VER_ID BIGINT NOT NULL,
+ SCHEMA_VERSION VARCHAR(127),
+ VERSION_COMMENT VARCHAR(255)
+);
+
+ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
+
+-- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+
+
+-- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
+
+
+-- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
+
+
+-- Constraints for table SENTRY_ROLE_GROUP_MAP
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
+
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
+
+
+-- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.6.0', 'Sentry release version 1.6.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE SENTRY_GM_PRIVILEGE
+(
+ GM_PRIVILEGE_ID BIGINT NOT NULL,
+ "ACTION" VARCHAR(40),
+ COMPONENT_NAME VARCHAR(400),
+ CREATE_TIME BIGINT NOT NULL,
+ WITH_GRANT_OPTION CHAR(1),
+ RESOURCE_NAME_0 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_1 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_2 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_3 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_0 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_1 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_2 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_3 VARCHAR(400) DEFAULT '__NULL__',
+ "SCOPE" VARCHAR(40),
+ SERVICE_NAME VARCHAR(400)
+);
+-- Primary key(GM_PRIVILEGE_ID)
+ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ GM_PRIVILEGE_ID BIGINT NOT NULL
+);
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.7.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.7.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.7.0.sql
new file mode 100644
index 0000000..b06fc4a
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.7.0.sql
@@ -0,0 +1,155 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+-- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE TABLE SENTRY_DB_PRIVILEGE
+(
+ DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ URI VARCHAR(4000) DEFAULT '__NULL__',
+ "ACTION" VARCHAR(40),
+ CREATE_TIME BIGINT NOT NULL,
+ DB_NAME VARCHAR(4000) DEFAULT '__NULL__',
+ PRIVILEGE_SCOPE VARCHAR(40),
+ "SERVER_NAME" VARCHAR(4000),
+ "TABLE_NAME" VARCHAR(4000) DEFAULT '__NULL__',
+ "COLUMN_NAME" VARCHAR(4000) DEFAULT '__NULL__',
+ WITH_GRANT_OPTION CHAR(1) NOT NULL
+);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
+
+-- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE TABLE SENTRY_ROLE
+(
+ ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ ROLE_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
+
+-- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE TABLE SENTRY_GROUP
+(
+ GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GROUP_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
+
+-- Table SENTRY_ROLE_GROUP_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GROUP_MAP
+(
+ GROUP_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
+
+-- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ DB_PRIVILEGE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
+
+CREATE TABLE "SENTRY_VERSION" (
+ VER_ID BIGINT NOT NULL,
+ SCHEMA_VERSION VARCHAR(127),
+ VERSION_COMMENT VARCHAR(255)
+);
+
+ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
+
+-- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+
+
+-- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
+
+
+-- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
+
+
+-- Constraints for table SENTRY_ROLE_GROUP_MAP
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
+
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
+
+
+-- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE SENTRY_GM_PRIVILEGE
+(
+ GM_PRIVILEGE_ID BIGINT NOT NULL,
+ "ACTION" VARCHAR(40),
+ COMPONENT_NAME VARCHAR(400),
+ CREATE_TIME BIGINT NOT NULL,
+ WITH_GRANT_OPTION CHAR(1),
+ RESOURCE_NAME_0 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_1 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_2 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_3 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_0 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_1 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_2 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_3 VARCHAR(400) DEFAULT '__NULL__',
+ "SCOPE" VARCHAR(40),
+ SERVICE_NAME VARCHAR(400)
+);
+-- Primary key(GM_PRIVILEGE_ID)
+ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ GM_PRIVILEGE_ID BIGINT NOT NULL
+);
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.8.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.8.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.8.0.sql
new file mode 100644
index 0000000..d522026
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-derby-1.8.0.sql
@@ -0,0 +1,184 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+-- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE TABLE SENTRY_DB_PRIVILEGE
+(
+ DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ URI VARCHAR(4000) DEFAULT '__NULL__',
+ "ACTION" VARCHAR(40),
+ CREATE_TIME BIGINT NOT NULL,
+ DB_NAME VARCHAR(4000) DEFAULT '__NULL__',
+ PRIVILEGE_SCOPE VARCHAR(40),
+ "SERVER_NAME" VARCHAR(4000),
+ "TABLE_NAME" VARCHAR(4000) DEFAULT '__NULL__',
+ "COLUMN_NAME" VARCHAR(4000) DEFAULT '__NULL__',
+ WITH_GRANT_OPTION CHAR(1) NOT NULL
+);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
+
+-- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE TABLE SENTRY_ROLE
+(
+ ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ ROLE_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
+
+-- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE TABLE SENTRY_GROUP
+(
+ GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GROUP_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
+
+-- Table SENTRY_ROLE_GROUP_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GROUP_MAP
+(
+ GROUP_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
+
+-- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ DB_PRIVILEGE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
+
+CREATE TABLE "SENTRY_VERSION" (
+ VER_ID BIGINT NOT NULL,
+ SCHEMA_VERSION VARCHAR(127),
+ VERSION_COMMENT VARCHAR(255)
+);
+
+ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
+
+-- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+
+
+-- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
+
+
+-- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
+
+
+-- Constraints for table SENTRY_ROLE_GROUP_MAP
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
+
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
+
+
+-- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.8.0', 'Sentry release version 1.8.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE SENTRY_GM_PRIVILEGE
+(
+ GM_PRIVILEGE_ID BIGINT NOT NULL,
+ "ACTION" VARCHAR(40),
+ COMPONENT_NAME VARCHAR(400),
+ CREATE_TIME BIGINT NOT NULL,
+ WITH_GRANT_OPTION CHAR(1),
+ RESOURCE_NAME_0 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_1 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_2 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_3 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_0 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_1 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_2 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_3 VARCHAR(400) DEFAULT '__NULL__',
+ "SCOPE" VARCHAR(40),
+ SERVICE_NAME VARCHAR(400)
+);
+-- Primary key(GM_PRIVILEGE_ID)
+ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ GM_PRIVILEGE_ID BIGINT NOT NULL
+);
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
+
+CREATE TABLE SENTRY_USER
+(
+ USER_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ USER_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_USER ADD CONSTRAINT SENTRY_USER_PK PRIMARY KEY (USER_ID);
+
+CREATE UNIQUE INDEX SENTRYUSERNAME ON SENTRY_USER (USER_NAME);
+
+CREATE TABLE SENTRY_ROLE_USER_MAP
+(
+ USER_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_PK PRIMARY KEY (USER_ID,ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_USER_MAP_N49 ON SENTRY_ROLE_USER_MAP (USER_ID);
+
+CREATE INDEX SENTRY_ROLE_USER_MAP_N50 ON SENTRY_ROLE_USER_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_USER_MAP ADD CONSTRAINT SENTRY_ROLE_USER_MAP_FK1 FOREIGN KEY (USER_ID) REFERENCES SENTRY_USER (USER_ID) ;
+
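Review bot: SENTRY_ROLE_GM_PRIVILEGE_MAP is defined with only ROLE_ID and GM_PRIVILEGE_ID, while the other join tables in this same file (SENTRY_ROLE_GROUP_MAP, SENTRY_ROLE_DB_PRIVILEGE_MAP and SENTRY_ROLE_USER_MAP) also carry GRANTOR_PRINCIPAL VARCHAR(128), so generic-model grants leave no record in the store of who issued them and the audit trail is weaker than for the Hive-model grants. GM_PRIVILEGE_ID is also declared BIGINT NOT NULL without the `generated always as identity` clause the other ID columns use, which presumably means the value is assigned by the ORM layer rather than the database — worth confirming rather than assuming. If this file is a verbatim move of the released 1.8.0 schema into the new module, neither point should be changed here, since shipped schema files must stay frozen and any change belongs in the next schema version with a matching upgrade script. A comment above the table, `-- NOTE: unlike the other *_MAP tables this one has no GRANTOR_PRINCIPAL; grant provenance for generic-model privileges is not persisted`, would at least make the gap visible to whoever next revises the schema.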
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.4.0.sql
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.4.0.sql b/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.4.0.sql
new file mode 100644
index 0000000..70f4dbb
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/resources/sentry-mysql-1.4.0.sql
@@ -0,0 +1,126 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+CREATE TABLE `SENTRY_DB_PRIVILEGE` (
+ `DB_PRIVILEGE_ID` BIGINT NOT NULL,
+ `PRIVILEGE_NAME` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL,
+ `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL,
+ `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL,
+ `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_GROUP` (
+ `GROUP_ID` BIGINT NOT NULL,
+ `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `DB_PRIVILEGE_ID` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `GROUP_ID` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
+ `VER_ID` BIGINT NOT NULL,
+ `SCHEMA_VERSION` VARCHAR(127) NOT NULL,
+ `VERSION_COMMENT` VARCHAR(255) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD CONSTRAINT `SENTRY_DB_PRIV_PK` PRIMARY KEY (`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE`
+ ADD CONSTRAINT `SENTRY_ROLE_PK` PRIMARY KEY (`ROLE_ID`);
+
+ALTER TABLE `SENTRY_GROUP`
+ ADD CONSTRAINT `SENTRY_GROUP_PK` PRIMARY KEY (`GROUP_ID`);
+
+ALTER TABLE `SENTRY_VERSION`
+ ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`PRIVILEGE_NAME`(250));
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_URI_IDX` (`URI`);
+
+ALTER TABLE `SENTRY_ROLE`
+ ADD CONSTRAINT `SENTRY_ROLE_ROLE_NAME_UNIQUE` UNIQUE (`ROLE_NAME`);
+
+ALTER TABLE `SENTRY_GROUP`
+ ADD CONSTRAINT `SENTRY_GRP_GRP_NAME_UNIQUE` UNIQUE (`GROUP_NAME`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_GROUP_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GROUP_ID`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK`
+ FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK`
+ FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`);
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.4.0', 'Sentry release version 1.4.0');