Posted to commits@sentry.apache.org by sr...@apache.org on 2014/06/24 00:00:35 UTC
git commit: SENTRY-309-addendum: Adding new files
Repository: incubator-sentry
Updated Branches:
refs/heads/master 07b0c9b86 -> 0ebbb3775
SENTRY-309-addendum: Adding new files
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/0ebbb377
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/0ebbb377
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/0ebbb377
Branch: refs/heads/master
Commit: 0ebbb3775dc563bbd6f042e414f5ac3b6fdd973b
Parents: 07b0c9b
Author: Sravya Tirukkovalur <sr...@clouera.com>
Authored: Mon Jun 23 14:57:57 2014 -0700
Committer: Sravya Tirukkovalur <sr...@clouera.com>
Committed: Mon Jun 23 14:59:21 2014 -0700
----------------------------------------------------------------------
.../metastore/SentryPolicyProviderForDb.java | 160 +++++++++++++++++++
.../resources/core-site-for-sentry-test.xml | 34 ++++
2 files changed, 194 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0ebbb377/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java
new file mode 100644
index 0000000..c60d0d5
--- /dev/null
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/SentryPolicyProviderForDb.java
@@ -0,0 +1,160 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.metastore;
+
+import static org.apache.sentry.provider.common.ProviderConstants.AUTHORIZABLE_SPLITTER;
+import static org.apache.sentry.provider.common.ProviderConstants.PRIVILEGE_PREFIX;
+import static org.apache.sentry.provider.common.ProviderConstants.ROLE_SPLITTER;
+import static org.apache.sentry.tests.e2e.hive.StaticUserGroup.ADMIN1;
+import static org.apache.sentry.tests.e2e.hive.StaticUserGroup.ADMINGROUP;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Map.Entry;
+import java.util.Set;
+
+import org.apache.sentry.SentryUserException;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.DBModelAction;
+import org.apache.sentry.core.model.db.DBModelAuthorizable;
+import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
+import org.apache.sentry.policy.db.DBModelAuthorizables;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.tools.ant.util.StringUtils;
+import org.mortbay.log.Log;
+
+import com.google.common.collect.Sets;
+
+public class SentryPolicyProviderForDb extends PolicyFile {
+ protected static final Set<String> ADMIN_GROUP_SET = Sets
+ .newHashSet(ADMINGROUP);
+ private SentryPolicyServiceClient sentryClient;
+
+ protected SentryPolicyServiceClient getSentryClient() {
+ return sentryClient;
+ }
+
+ public SentryPolicyProviderForDb(SentryPolicyServiceClient sentryClient) {
+ this.sentryClient = sentryClient;
+ }
+
+ public static SentryPolicyProviderForDb setAdminOnServer1(String admin,
+ SentryPolicyServiceClient sentryClient)
+ throws Exception {
+ SentryPolicyProviderForDb policyFile = new SentryPolicyProviderForDb(
+ sentryClient);
+ policyFile.addRolesToGroup(admin, "admin_role").addPermissionsToRole(
+ "admin_role", "server=server1");
+ return policyFile;
+ }
+
+ public void write(File file) throws Exception {
+ super.write(file);
+ if (!usingSentryService()) {
+ return;
+ }
+
+ // remove existing metadata
+ for (TSentryRole tRole : sentryClient.listRoles(ADMIN1)) {
+ sentryClient.dropRole(ADMIN1, tRole.getRoleName());
+ }
+
+ // create roles and add privileges
+ for (Entry<String, Collection<String>> roleEntry : rolesToPermissions
+ .asMap().entrySet()) {
+ sentryClient.createRole(ADMIN1, roleEntry.getKey());
+ for (String privilege : roleEntry.getValue()) {
+ addPrivilege(roleEntry.getKey(), privilege);
+ }
+ }
+
+ // grant roles to groups
+ for (Entry<String, Collection<String>> groupEntry : groupsToRoles.asMap()
+ .entrySet()) {
+ for (String roleNames : groupEntry.getValue()) {
+ for (String roleName : roleNames.split(",")) {
+ try {
+ sentryClient
+ .grantRoleToGroup(ADMIN1, groupEntry.getKey(), roleName);
+ } catch (SentryUserException e) {
+ Log.warn("Error granting role " + roleName + " to group "
+ + groupEntry.getKey());
+ }
+ }
+ }
+ }
+ }
+
+ private void addPrivilege(String roleName, String privileges)
+ throws Exception {
+ String serverName = null, dbName = null, tableName = null, uriPath = null;
+ String action = AccessConstants.ALL;
+ for (String privilege : ROLE_SPLITTER.split(privileges)) {
+ for (String section : AUTHORIZABLE_SPLITTER.split(privilege)) {
+ // action is not an authorizeable
+ if (!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
+ DBModelAuthorizable dbAuthorizable = DBModelAuthorizables
+ .from(section);
+ if (dbAuthorizable == null) {
+ throw new IOException("Unknow Auth type " + section);
+ }
+
+ if (AuthorizableType.Server.equals(dbAuthorizable.getAuthzType())) {
+ serverName = dbAuthorizable.getName();
+ } else if (AuthorizableType.Db.equals(dbAuthorizable.getAuthzType())) {
+ dbName = dbAuthorizable.getName();
+ } else if (AuthorizableType.Table.equals(dbAuthorizable
+ .getAuthzType())) {
+ tableName = dbAuthorizable.getName();
+ } else if (AuthorizableType.URI.equals(dbAuthorizable.getAuthzType())) {
+ uriPath = dbAuthorizable.getName();
+ } else {
+ throw new IOException("Unsupported auth type "
+ + dbAuthorizable.getName() + " : "
+ + dbAuthorizable.getTypeName());
+ }
+ } else {
+ action = DBModelAction
+ .valueOf(
+ StringUtils.removePrefix(section, PRIVILEGE_PREFIX)
+ .toUpperCase()).toString();
+ }
+ }
+
+ if (tableName != null) {
+ sentryClient.grantTablePrivilege(ADMIN1, roleName, serverName, dbName,
+ tableName, action);
+ } else if (dbName != null) {
+ sentryClient.grantDatabasePrivilege(ADMIN1, roleName, serverName,
+ dbName, action);
+ } else if (uriPath != null) {
+ sentryClient.grantURIPrivilege(ADMIN1, roleName, serverName, uriPath);
+ } else if (serverName != null) {
+ sentryClient.grantServerPrivilege(ADMIN1, roleName, serverName);
+ ;
+ }
+ }
+
+ }
+
+ private boolean usingSentryService() {
+ return sentryClient != null;
+ }
+}
\ No newline at end of file
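Review bot: In `addPrivilege`, `serverName`, `dbName`, `tableName`, `uriPath` and `action` are declared before the `for (String privilege : ROLE_SPLITTER.split(privileges))` loop, so whatever one privilege sets is still set when the next privilege in the same string is processed. If a permission string holds more than one privilege, a table name or non-default action from an earlier entry would be reused for a later, broader entry, and the role created in the Sentry service would not match the policy text the test wrote. Moving the two declarations to the top of the outer loop body resets them per privilege: `String serverName = null, dbName = null, tableName = null, uriPath = null;` and `String action = AccessConstants.ALL;`. Separately, the `catch (SentryUserException e)` in `write` logs a warning without the exception and carries on, so a failed `grantRoleToGroup` leaves the service with fewer grants than the file and a deny-path test could pass for the wrong reason; including `e` in the warning or rethrowing would surface that.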
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0ebbb377/sentry-tests/sentry-tests-hive/src/test/resources/core-site-for-sentry-test.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/resources/core-site-for-sentry-test.xml b/sentry-tests/sentry-tests-hive/src/test/resources/core-site-for-sentry-test.xml
new file mode 100644
index 0000000..01b8576
--- /dev/null
+++ b/sentry-tests/sentry-tests-hive/src/test/resources/core-site-for-sentry-test.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<configuration>
+ <property>
+ <name>hadoop.security.group.mapping</name>
+ <value>org.apache.sentry.tests.e2e.hive.fs.MiniDFS$PseudoGroupMappingService</value>
+ </property>
+ <property>
+ <name>fs.permissions</name>
+ <value>false</value>
+ </property>
+ <property>
+ <name>fs.permissions.umask-mode</name>
+ <value>000</value>
+ </property>
+</configuration>
+
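Review bot: `fs.permissions` is not a key I recognise from Hadoop's defaults (the HDFS permission switch is `dfs.permissions.enabled`), so this property may be ignored silently while the file reads as if permission checking were turned off; confirm which key the test mini cluster actually honours. The file also sets `fs.permissions.umask-mode` to `000` without saying why. A comment above `<configuration>` would make the intent explicit, for example `<!-- Test-only: relaxes file permissions for the e2e mini cluster; not a template for a deployed core-site.xml -->`.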