Posted to commits@sentry.apache.org by co...@apache.org on 2017/10/19 08:59:48 UTC
[07/26] sentry git commit: SENTRY-1974 - Consolidate the Solr + Kafka
PrivilegeValidators into a single GenericPrivilegeValidator. - Reviewed by
kalyan kumar kalvagadda.
SENTRY-1974 - Consolidate the Solr + Kafka PrivilegeValidators into a single GenericPrivilegeValidator.
- Reviewed by kalyan kumar kalvagadda.
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/3d0f4705
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/3d0f4705
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/3d0f4705
Branch: refs/heads/akolb-cli
Commit: 3d0f470529ebc2dc2df7e17f20ba3c13aa13b4d2
Parents: 0607322
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Oct 6 15:56:06 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Oct 6 15:56:06 2017 +0100
----------------------------------------------------------------------
.../sentry/kafka/binding/KafkaAuthBinding.java | 4 +-
.../binding/solr/authz/SolrAuthzBinding.java | 4 +-
.../tools/GenericPrivilegeConverter.java | 178 +++++++++++++++++++
.../tools/KafkaTSentryPrivilegeConverter.java | 128 -------------
.../db/generic/tools/SentryConfigToolSolr.java | 2 +-
.../db/generic/tools/SentryShellGeneric.java | 17 +-
.../tools/SolrTSentryPrivilegeConverter.java | 137 --------------
.../generic/tools/TestSentryConfigToolSolr.java | 2 +-
8 files changed, 187 insertions(+), 285 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java
index d9dcbb7..7a36c5f 100644
--- a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java
+++ b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java
@@ -61,7 +61,7 @@ import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericService
import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.db.generic.tools.KafkaTSentryPrivilegeConverter;
+import org.apache.sentry.provider.db.generic.tools.GenericPrivilegeConverter;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -156,7 +156,7 @@ public class KafkaAuthBinding {
// for convenience, set the PrivilegeConverter.
if (authConf.get(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) {
- authConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER, KafkaTSentryPrivilegeConverter.class.getName());
+ authConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER, GenericPrivilegeConverter.class.getName());
}
// Instantiate the configured providerBackend
http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 37adb56..0a818e5 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -54,7 +54,7 @@ import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericService
import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.tools.SolrTSentryPrivilegeConverter;
+import org.apache.sentry.provider.db.generic.tools.GenericPrivilegeConverter;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -124,7 +124,7 @@ public class SolrAuthzBinding {
// for convenience, set the PrivilegeConverter.
if (authzConf.get(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) {
- authzConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER, SolrTSentryPrivilegeConverter.class.getName());
+ authzConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER, GenericPrivilegeConverter.class.getName());
}
// the SearchProviderBackend is deleted in SENTRY-828, this is for the compatible with the
http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
new file mode 100644
index 0000000..ea8cf07
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
@@ -0,0 +1,178 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SEPARATOR;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
+import static org.apache.sentry.core.common.utils.SentryConstants.RESOURCE_WILDCARD_VALUE;
+
+import com.google.common.collect.Lists;
+
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.validator.PrivilegeValidator;
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.sentry.core.model.kafka.KafkaAuthorizable;
+import org.apache.sentry.core.model.kafka.KafkaModelAuthorizables;
+import org.apache.sentry.core.model.kafka.KafkaPrivilegeModel;
+import org.apache.sentry.core.model.search.SearchModelAuthorizables;
+import org.apache.sentry.core.model.search.SearchPrivilegeModel;
+import org.apache.sentry.provider.common.AuthorizationComponent;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
+import org.apache.shiro.config.ConfigurationException;
+
+/**
+ * A TSentryPrivilegeConverter implementation for "Generic" privileges, covering Apache Kafka and Apache Solr.
+ * It converts privilege Strings to TSentryPrivilege Objects, and vice versa, for Generic clients.
+ *
+ * When a privilege String is converted to a TSentryPrivilege in "fromString", the validators associated with the
+ * given privilege model are also called on the privilege String.
+ */
+public class GenericPrivilegeConverter implements TSentryPrivilegeConverter {
+ private String component;
+ private String service;
+ private boolean validate;
+
+ public GenericPrivilegeConverter(String component, String service) {
+ this(component, service, true);
+ }
+
+ public GenericPrivilegeConverter(String component, String service, boolean validate) {
+ this.component = component;
+ this.service = service;
+ this.validate = validate;
+ }
+
+ public TSentryPrivilege fromString(String privilegeStr) throws Exception {
+ privilegeStr = parsePrivilegeString(privilegeStr);
+ if (validate) {
+ validatePrivilegeHierarchy(privilegeStr);
+ }
+
+ TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
+ List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
+ KeyValue keyValue = new KeyValue(authorizable);
+ String key = keyValue.getKey();
+ String value = keyValue.getValue();
+
+ Authorizable authz = getAuthorizable(keyValue);
+ if (authz != null) {
+ authorizables.add(new TAuthorizable(authz.getTypeName(), authz.getName()));
+ } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setAction(value);
+ } else {
+ throw new IllegalArgumentException("Unknown key: " + key);
+ }
+ }
+
+ if (tSentryPrivilege.getAction() == null) {
+ throw new IllegalArgumentException("Privilege is invalid: action required but not specified.");
+ }
+ tSentryPrivilege.setComponent(component);
+ tSentryPrivilege.setServiceName(service);
+ tSentryPrivilege.setAuthorizables(authorizables);
+ return tSentryPrivilege;
+ }
+
+ public String toString(TSentryPrivilege tSentryPrivilege) {
+ List<String> privileges = Lists.newArrayList();
+ if (tSentryPrivilege != null) {
+ List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables();
+ String action = tSentryPrivilege.getAction();
+ String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
+ : "false");
+
+ Iterator<TAuthorizable> it = authorizables.iterator();
+ if (it != null) {
+ while (it.hasNext()) {
+ TAuthorizable tAuthorizable = it.next();
+ privileges.add(SentryConstants.KV_JOINER.join(
+ tAuthorizable.getType(), tAuthorizable.getName()));
+ }
+ }
+
+ if (!authorizables.isEmpty()) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
+ }
+
+ // only append the grant option to privilege string if it's true
+ if ("true".equals(grantOption)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
+ }
+ }
+ return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
+ }
+
+ private String parsePrivilegeString(String privilegeStr) {
+ if (AuthorizationComponent.KAFKA.equals(component)) {
+ final String hostPrefix = KafkaAuthorizable.AuthorizableType.HOST.name() + KV_SEPARATOR;
+ final String hostPrefixLowerCase = hostPrefix.toLowerCase();
+ if (!privilegeStr.toLowerCase().startsWith(hostPrefixLowerCase)) {
+ return hostPrefix + RESOURCE_WILDCARD_VALUE + AUTHORIZABLE_SEPARATOR + privilegeStr;
+ }
+ }
+
+ return privilegeStr;
+ }
+
+ private void validatePrivilegeHierarchy(String privilegeStr) throws Exception {
+ List<PrivilegeValidator> validators = getPrivilegeValidators();
+ PrivilegeValidatorContext context = new PrivilegeValidatorContext(null, privilegeStr);
+ for (PrivilegeValidator validator : validators) {
+ try {
+ validator.validate(context);
+ } catch (ConfigurationException e) {
+ throw new IllegalArgumentException(e);
+ }
+ }
+ }
+
+ private List<PrivilegeValidator> getPrivilegeValidators() throws Exception {
+ if (AuthorizationComponent.KAFKA.equals(component)) {
+ return KafkaPrivilegeModel.getInstance().getPrivilegeValidators();
+ } else if ("SOLR".equals(component)) {
+ return SearchPrivilegeModel.getInstance().getPrivilegeValidators();
+ }
+
+ throw new Exception("Invalid component specified for GenericPrivilegeCoverter: " + component);
+ }
+
+ private Authorizable getAuthorizable(KeyValue keyValue) throws Exception {
+ if (AuthorizationComponent.KAFKA.equals(component)) {
+ return KafkaModelAuthorizables.from(keyValue);
+ } else if ("SOLR".equals(component)) {
+ return SearchModelAuthorizables.from(keyValue);
+ }
+
+ throw new Exception("Invalid component specified for GenericPrivilegeCoverter: " + component);
+ }
+
+}
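Review bot: In `fromString`, the Solr path now accepts any non-null authorizable returned by `SearchModelAuthorizables.from(keyValue)`, whereas the removed `SolrTSentryPrivilegeConverter` rejected anything that was not a `Collection` with "Unknown authorizable type". If that widening is intended, it deserves a comment on `getAuthorizable`; if not, the SOLR branch should keep the guard, e.g. `if (authz != null && !(authz instanceof Collection)) throw new IllegalArgumentException("Unknown authorizable type: " + authz.getTypeName());`. The class Javadoc should also state that passing `validate` as `false` to the three-argument constructor skips the model's privilege validators, so callers know the string is then converted without the hierarchy check. Both `throw new Exception(...)` messages misspell the class name as `GenericPrivilegeCoverter`.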
http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java
deleted file mode 100644
index c1aac6a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java
+++ /dev/null
@@ -1,128 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Lists;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.validator.PrivilegeValidator;
-import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
-import org.apache.sentry.core.model.kafka.KafkaAuthorizable;
-import org.apache.sentry.core.model.kafka.KafkaModelAuthorizables;
-import org.apache.sentry.core.model.kafka.KafkaPrivilegeModel;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
-import org.apache.shiro.config.ConfigurationException;
-
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SEPARATOR;
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
-import static org.apache.sentry.core.common.utils.SentryConstants.RESOURCE_WILDCARD_VALUE;
-
-public class KafkaTSentryPrivilegeConverter implements TSentryPrivilegeConverter {
- private String component;
- private String service;
-
- public KafkaTSentryPrivilegeConverter(String component, String service) {
- this.component = component;
- this.service = service;
- }
-
- public TSentryPrivilege fromString(String privilegeStr) throws Exception {
- final String hostPrefix = KafkaAuthorizable.AuthorizableType.HOST.name() + KV_SEPARATOR;
- final String hostPrefixLowerCase = hostPrefix.toLowerCase();
- if (!privilegeStr.toLowerCase().startsWith(hostPrefixLowerCase)) {
- privilegeStr = hostPrefix + RESOURCE_WILDCARD_VALUE + AUTHORIZABLE_SEPARATOR + privilegeStr;
- }
- validatePrivilegeHierarchy(privilegeStr);
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue keyValue = new KeyValue(authorizable);
- String key = keyValue.getKey();
- String value = keyValue.getValue();
-
- // is it an authorizable?
- KafkaAuthorizable authz = KafkaModelAuthorizables.from(keyValue);
- if (authz != null) {
- authorizables.add(new TAuthorizable(authz.getTypeName(), authz.getName()));
-
- } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setAction(value);
- }
- }
-
- if (tSentryPrivilege.getAction() == null) {
- throw new IllegalArgumentException("Privilege is invalid: action required but not specified.");
- }
- tSentryPrivilege.setComponent(component);
- tSentryPrivilege.setServiceName(service);
- tSentryPrivilege.setAuthorizables(authorizables);
- return tSentryPrivilege;
- }
-
- public String toString(TSentryPrivilege tSentryPrivilege) {
- List<String> privileges = Lists.newArrayList();
- if (tSentryPrivilege != null) {
- List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables();
- String action = tSentryPrivilege.getAction();
- String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
- : "false");
-
- Iterator<TAuthorizable> it = authorizables.iterator();
- if (it != null) {
- while (it.hasNext()) {
- TAuthorizable tAuthorizable = it.next();
- privileges.add(SentryConstants.KV_JOINER.join(
- tAuthorizable.getType(), tAuthorizable.getName()));
- }
- }
-
- if (!authorizables.isEmpty()) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
- }
-
- // only append the grant option to privilege string if it's true
- if ("true".equals(grantOption)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
- }
- }
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- }
-
- private static void validatePrivilegeHierarchy(String privilegeStr) {
- List<PrivilegeValidator> validators = KafkaPrivilegeModel.getInstance().getPrivilegeValidators();
- PrivilegeValidatorContext context = new PrivilegeValidatorContext(null, privilegeStr);
- for (PrivilegeValidator validator : validators) {
- try {
- validator.validate(context);
- } catch (ConfigurationException e) {
- throw new IllegalArgumentException(e);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
index b958b09..b2664de 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
@@ -106,7 +106,7 @@ public class SentryConfigToolSolr extends SentryConfigToolCommon {
Set<String> roles = Sets.newHashSet();
Table<String, String, Set<String>> groupRolePrivilegeTable =
policyFileBackend.getGroupRolePrivilegeTable();
- SolrTSentryPrivilegeConverter converter = new SolrTSentryPrivilegeConverter(component, service, false);
+ GenericPrivilegeConverter converter = new GenericPrivilegeConverter(component, service, false);
for (String groupName : groupRolePrivilegeTable.rowKeySet()) {
for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
index 49523a4..e3edc29 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
@@ -34,7 +34,6 @@ import org.apache.sentry.provider.db.generic.tools.command.GrantPrivilegeToRoleC
import org.apache.sentry.provider.db.generic.tools.command.ListPrivilegesByRoleCmd;
import org.apache.sentry.provider.db.generic.tools.command.ListRolesCmd;
import org.apache.sentry.provider.db.generic.tools.command.RevokePrivilegeFromRoleCmd;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
import org.apache.sentry.provider.db.tools.SentryShellCommon;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -73,15 +72,15 @@ public class SentryShellGeneric extends SentryShellCommon {
command = new DeleteRoleFromGroupCmd(roleName, groupName, component);
} else if (isGrantPrivilegeRole) {
command = new GrantPrivilegeToRoleCmd(roleName, component,
- privilegeStr, getPrivilegeConverter(component, service));
+ privilegeStr, new GenericPrivilegeConverter(component, service));
} else if (isRevokePrivilegeRole) {
command = new RevokePrivilegeFromRoleCmd(roleName, component,
- privilegeStr, getPrivilegeConverter(component, service));
+ privilegeStr, new GenericPrivilegeConverter(component, service));
} else if (isListRole) {
command = new ListRolesCmd(groupName, component);
} else if (isListPrivilege) {
command = new ListPrivilegesByRoleCmd(roleName, component,
- service, getPrivilegeConverter(component, service));
+ service, new GenericPrivilegeConverter(component, service));
}
// check the requestor name
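Review bot: The three `new GenericPrivilegeConverter(component, service)` calls now choose the privilege model from the `component` string instead of from the `type` enum that the removed `getPrivilegeConverter` checked. The converter compares that string exactly against `AuthorizationComponent.KAFKA` and the literal `"SOLR"`. An unsupported component is therefore rejected only when `fromString` runs, and `toString`, presumably what `ListPrivilegesByRoleCmd` relies on, never checks it. How `component` is derived is outside this hunk, so it is worth confirming it can only take those two values here, or validating it once in the converter's constructor. The enclosing method starts and ends outside the hunk.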
@@ -116,16 +115,6 @@ public class SentryShellGeneric extends SentryShellCommon {
throw new Exception("Invalid type specified for SentryShellGeneric: " + type);
}
- private TSentryPrivilegeConverter getPrivilegeConverter(String component, String service) throws Exception {
- if (type == TYPE.kafka) {
- return new KafkaTSentryPrivilegeConverter(component, service);
- } else if (type == TYPE.solr) {
- return new SolrTSentryPrivilegeConverter(component, service);
- }
-
- throw new Exception("Invalid type specified for SentryShellGeneric: " + type);
- }
-
private Configuration getSentryConf() {
Configuration conf = new Configuration();
conf.addResource(new Path(confPath));
http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java
deleted file mode 100644
index f24ebed..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java
+++ /dev/null
@@ -1,137 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Lists;
-
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.SearchModelAuthorizable;
-import org.apache.sentry.core.common.validator.PrivilegeValidator;
-import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
-import org.apache.sentry.core.model.search.SearchModelAuthorizables;
-import org.apache.sentry.core.model.search.SearchPrivilegeModel;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
-import org.apache.shiro.config.ConfigurationException;
-
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-
-public class SolrTSentryPrivilegeConverter implements TSentryPrivilegeConverter {
- private String component;
- private String service;
- private boolean validate;
-
- public SolrTSentryPrivilegeConverter(String component, String service) {
- this(component, service, true);
- }
-
- public SolrTSentryPrivilegeConverter(String component, String service, boolean validate) {
- this.component = component;
- this.service = service;
- this.validate = validate;
- }
-
- public TSentryPrivilege fromString(String privilegeStr) throws Exception {
- if (validate) {
- validatePrivilegeHierarchy(privilegeStr);
- }
-
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue keyValue = new KeyValue(authorizable);
- String key = keyValue.getKey();
- String value = keyValue.getValue();
-
- // is it an authorizable?
- SearchModelAuthorizable authz = SearchModelAuthorizables.from(keyValue);
- if (authz != null) {
- if (authz instanceof Collection) {
- Collection coll = (Collection)authz;
- authorizables.add(new TAuthorizable(coll.getTypeName(), coll.getName()));
- } else {
- throw new IllegalArgumentException("Unknown authorizable type: " + authz.getTypeName());
- }
- } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setAction(value);
- // Limitation: don't support grant at this time, since the existing solr use cases don't need it.
- } else {
- throw new IllegalArgumentException("Unknown key: " + key);
- }
- }
-
- if (tSentryPrivilege.getAction() == null) {
- throw new IllegalArgumentException("Privilege is invalid: action required but not specified.");
- }
- tSentryPrivilege.setComponent(component);
- tSentryPrivilege.setServiceName(service);
- tSentryPrivilege.setAuthorizables(authorizables);
- return tSentryPrivilege;
- }
-
- public String toString(TSentryPrivilege tSentryPrivilege) {
- List<String> privileges = Lists.newArrayList();
- if (tSentryPrivilege != null) {
- List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables();
- String action = tSentryPrivilege.getAction();
- String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
- : "false");
-
- Iterator<TAuthorizable> it = authorizables.iterator();
- if (it != null) {
- while (it.hasNext()) {
- TAuthorizable tAuthorizable = it.next();
- privileges.add(SentryConstants.KV_JOINER.join(
- tAuthorizable.getType(), tAuthorizable.getName()));
- }
- }
-
- if (!authorizables.isEmpty()) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
- }
-
- // only append the grant option to privilege string if it's true
- if ("true".equals(grantOption)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
- }
- }
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- }
-
- private static void validatePrivilegeHierarchy(String privilegeStr) {
- List<PrivilegeValidator> validators = SearchPrivilegeModel.getInstance().getPrivilegeValidators();
- PrivilegeValidatorContext context = new PrivilegeValidatorContext(null, privilegeStr);
- for (PrivilegeValidator validator : validators) {
- try {
- validator.validate(context);
- } catch (ConfigurationException e) {
- throw new IllegalArgumentException(e);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/3d0f4705/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
index d199d20..4b274fd 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
@@ -133,7 +133,7 @@ public class TestSentryConfigToolSolr extends SentryGenericServiceIntegrationBas
}
// check privileges
- SolrTSentryPrivilegeConverter convert = new SolrTSentryPrivilegeConverter(SOLR, service);
+ GenericPrivilegeConverter convert = new GenericPrivilegeConverter(SOLR, service);
for (String role : roles) {
Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(
requestorName, role, SOLR, service);