Posted to commits@sentry.apache.org by sp...@apache.org on 2018/05/10 00:15:00 UTC
[51/51] [partial] sentry git commit: SENTRY-2206: Refactor out sentry
api from sentry-provider-db to own module (Steve Moist,
reviewed by Sergio Pena)
SENTRY-2206: Refactor out sentry api from sentry-provider-db to own module (Steve Moist, reviewed by Sergio Pena)
Change-Id: I2057d7f6eeb1e04b7b45716997077c7c2032adde
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/af8ea0ac
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/af8ea0ac
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/af8ea0ac
Branch: refs/heads/master
Commit: af8ea0ac16852cd370efb5d76f881c81e327fa6c
Parents: b231468
Author: Sergio Pena <se...@cloudera.com>
Authored: Wed May 9 17:11:14 2018 -0700
Committer: Sergio Pena <se...@cloudera.com>
Committed: Wed May 9 17:11:14 2018 -0700
----------------------------------------------------------------------
pom.xml | 5 +-
.../authz/HBaseIndexerAuthzBinding.java | 4 +-
.../binding/hive/authz/HiveAuthzBinding.java | 2 +-
.../binding/hive/authz/SentryConfigTool.java | 2 +-
.../DefaultSentryAccessController.java | 6 +-
.../SentryMetastorePostEventListenerBaseV2.java | 2 +-
.../hive/v2/util/SentryAuthorizerUtil.java | 6 +-
.../hive/ql/exec/SentryGrantRevokeTask.java | 741 +
.../authz/DefaultSentryAccessController.java | 6 +-
.../binding/hive/authz/SentryConfigTool.java | 2 +-
...rySyncHMSNotificationsPostEventListener.java | 2 +-
.../binding/util/SentryAuthorizerUtil.java | 12 +-
...rySyncHMSNotificationsPostEventListener.java | 2 +-
.../sentry/kafka/binding/KafkaAuthBinding.java | 25 +-
.../binding/solr/authz/SolrAuthzBinding.java | 12 +-
.../sentry/sqoop/binding/SqoopAuthBinding.java | 20 +-
.../apache/sentry/api/common/ApiConstants.java | 90 +
.../sentry/service/common/ServiceConstants.java | 251 +
sentry-dist/src/license/THIRD-PARTY.properties | 3 +-
.../sentry/hdfs/SentryHdfsMetricsUtil.java | 2 +-
.../org/apache/sentry/hdfs/SentryPlugin.java | 22 +-
sentry-provider/sentry-provider-db/pom.xml | 100 +-
.../thrift/SentryGenericPolicyService.java | 10416 -----------
.../TAlterSentryRoleAddGroupsRequest.java | 842 -
.../TAlterSentryRoleAddGroupsResponse.java | 391 -
.../TAlterSentryRoleDeleteGroupsRequest.java | 842 -
.../TAlterSentryRoleDeleteGroupsResponse.java | 391 -
.../TAlterSentryRoleGrantPrivilegeRequest.java | 798 -
.../TAlterSentryRoleGrantPrivilegeResponse.java | 391 -
.../TAlterSentryRoleRevokePrivilegeRequest.java | 798 -
...TAlterSentryRoleRevokePrivilegeResponse.java | 391 -
.../generic/service/thrift/TAuthorizable.java | 490 -
.../thrift/TCreateSentryRoleRequest.java | 692 -
.../thrift/TCreateSentryRoleResponse.java | 391 -
.../service/thrift/TDropPrivilegesRequest.java | 697 -
.../service/thrift/TDropPrivilegesResponse.java | 391 -
.../service/thrift/TDropSentryRoleRequest.java | 692 -
.../service/thrift/TDropSentryRoleResponse.java | 391 -
.../TListSentryPrivilegesByAuthRequest.java | 1112 --
.../TListSentryPrivilegesByAuthResponse.java | 569 -
...TListSentryPrivilegesForProviderRequest.java | 1011 -
...ListSentryPrivilegesForProviderResponse.java | 541 -
.../thrift/TListSentryPrivilegesRequest.java | 957 -
.../thrift/TListSentryPrivilegesResponse.java | 555 -
.../service/thrift/TListSentryRolesRequest.java | 701 -
.../thrift/TListSentryRolesResponse.java | 555 -
.../thrift/TRenamePrivilegesRequest.java | 1002 -
.../thrift/TRenamePrivilegesResponse.java | 391 -
.../service/thrift/TSentryActiveRoleSet.java | 537 -
.../service/thrift/TSentryGrantOption.java | 48 -
.../service/thrift/TSentryPrivilege.java | 1080 --
.../service/thrift/TSentryPrivilegeMap.java | 490 -
.../db/generic/service/thrift/TSentryRole.java | 539 -
.../db/service/thrift/SentryPolicyService.java | 16422 -----------------
.../TAlterSentryRoleAddGroupsRequest.java | 746 -
.../TAlterSentryRoleAddGroupsResponse.java | 394 -
.../thrift/TAlterSentryRoleAddUsersRequest.java | 741 -
.../TAlterSentryRoleAddUsersResponse.java | 394 -
.../TAlterSentryRoleDeleteGroupsRequest.java | 746 -
.../TAlterSentryRoleDeleteGroupsResponse.java | 394 -
.../TAlterSentryRoleDeleteUsersRequest.java | 741 -
.../TAlterSentryRoleDeleteUsersResponse.java | 394 -
.../TAlterSentryRoleGrantPrivilegeRequest.java | 866 -
.../TAlterSentryRoleGrantPrivilegeResponse.java | 669 -
.../TAlterSentryRoleRevokePrivilegeRequest.java | 866 -
...TAlterSentryRoleRevokePrivilegeResponse.java | 394 -
.../thrift/TCreateSentryRoleRequest.java | 591 -
.../thrift/TCreateSentryRoleResponse.java | 394 -
.../service/thrift/TDropPrivilegesRequest.java | 596 -
.../service/thrift/TDropPrivilegesResponse.java | 394 -
.../service/thrift/TDropSentryRoleRequest.java | 591 -
.../service/thrift/TDropSentryRoleResponse.java | 394 -
.../TListSentryPrivilegesByAuthRequest.java | 915 -
.../TListSentryPrivilegesByAuthResponse.java | 571 -
...TListSentryPrivilegesForProviderRequest.java | 915 -
...ListSentryPrivilegesForProviderResponse.java | 544 -
.../thrift/TListSentryPrivilegesRequest.java | 706 -
.../thrift/TListSentryPrivilegesResponse.java | 558 -
.../thrift/TListSentryRolesForUserRequest.java | 591 -
.../service/thrift/TListSentryRolesRequest.java | 600 -
.../thrift/TListSentryRolesResponse.java | 558 -
.../thrift/TRenamePrivilegesRequest.java | 702 -
.../thrift/TRenamePrivilegesResponse.java | 394 -
.../db/service/thrift/TSentryActiveRoleSet.java | 537 -
.../db/service/thrift/TSentryAuthorizable.java | 817 -
.../thrift/TSentryConfigValueRequest.java | 600 -
.../thrift/TSentryConfigValueResponse.java | 504 -
.../thrift/TSentryExportMappingDataRequest.java | 600 -
.../TSentryExportMappingDataResponse.java | 500 -
.../db/service/thrift/TSentryGrantOption.java | 48 -
.../db/service/thrift/TSentryGroup.java | 389 -
.../thrift/TSentryImportMappingDataRequest.java | 693 -
.../TSentryImportMappingDataResponse.java | 394 -
.../db/service/thrift/TSentryMappingData.java | 898 -
.../db/service/thrift/TSentryPrivilege.java | 1258 --
.../db/service/thrift/TSentryPrivilegeMap.java | 490 -
.../provider/db/service/thrift/TSentryRole.java | 645 -
.../db/service/thrift/TSentrySyncIDRequest.java | 484 -
.../service/thrift/TSentrySyncIDResponse.java | 493 -
.../service/thrift/TSentryResponseStatus.java | 598 -
.../thrift/sentry_common_serviceConstants.java | 57 -
.../thrift/SentryGenericPolicyProcessor.java | 829 +
.../SentryGenericPolicyProcessorFactory.java | 44 +
.../sentry/api/service/thrift/ConfServlet.java | 71 +
.../api/service/thrift/LogLevelServlet.java | 122 +
.../api/service/thrift/PubSubServlet.java | 128 +
.../api/service/thrift/SentryAdminServlet.java | 132 +
.../api/service/thrift/SentryAuthFilter.java | 89 +
...SentryHealthCheckServletContextListener.java | 35 +
.../api/service/thrift/SentryMetrics.java | 413 +
.../SentryMetricsServletContextListener.java | 32 +
.../thrift/SentryPolicyStoreProcessor.java | 1236 ++
.../SentryPolicyStoreProcessorFactory.java | 43 +
.../api/service/thrift/SentryWebServer.java | 240 +
.../provider/db/SentryPolicyStorePlugin.java | 16 +-
.../provider/db/SimpleDBProviderBackend.java | 8 +-
.../generic/SentryGenericProviderBackend.java | 24 +-
.../provider/db/generic/UpdatableCache.java | 10 +-
.../service/persistent/DelegateSentryStore.java | 8 +-
.../persistent/PrivilegeOperatePersistence.java | 2 +-
.../service/thrift/NotificationHandler.java | 45 -
.../thrift/NotificationHandlerInvoker.java | 163 -
.../thrift/SentryGenericPolicyProcessor.java | 831 -
.../SentryGenericPolicyProcessorFactory.java | 43 -
.../SentryGenericPolicyProcessorWrapper.java | 39 -
.../thrift/SentryGenericServiceClient.java | 194 -
.../SentryGenericServiceClientDefaultImpl.java | 559 -
.../SentryGenericServiceClientFactory.java | 123 -
.../tools/GenericPrivilegeConverter.java | 6 +-
.../tools/TSentryPrivilegeConverter.java | 2 +-
.../db/log/entity/JsonLogEntityFactory.java | 66 +-
.../provider/db/log/util/CommandUtil.java | 20 +-
.../sentry/provider/db/log/util/Constants.java | 26 +-
.../db/service/persistent/HAContext.java | 2 +-
.../db/service/persistent/HMSFollower.java | 2 +-
.../service/persistent/LeaderStatusMonitor.java | 2 +-
.../persistent/NotificationProcessor.java | 6 +-
.../db/service/persistent/SentryStore.java | 22 +-
.../service/persistent/TransactionManager.java | 4 +-
.../provider/db/service/thrift/ConfServlet.java | 71 -
.../db/service/thrift/LogLevelServlet.java | 122 -
.../db/service/thrift/NotificationHandler.java | 73 -
.../thrift/NotificationHandlerInvoker.java | 164 -
.../db/service/thrift/PubSubServlet.java | 128 -
.../db/service/thrift/SentryAdminServlet.java | 132 -
.../db/service/thrift/SentryAuthFilter.java | 89 -
...SentryHealthCheckServletContextListener.java | 35 -
.../db/service/thrift/SentryMetrics.java | 413 -
.../SentryMetricsServletContextListener.java | 32 -
.../thrift/SentryPolicyServiceClient.java | 227 -
.../SentryPolicyServiceClientDefaultImpl.java | 1081 --
.../thrift/SentryPolicyStoreProcessor.java | 1238 --
.../SentryPolicyStoreProcessorFactory.java | 42 -
.../service/thrift/SentryProcessorWrapper.java | 38 -
.../db/service/thrift/SentryWebServer.java | 240 -
.../GrantPrivilegeRequestValidator.java | 91 -
.../RevokePrivilegeRequestValidator.java | 46 -
.../service/thrift/FullUpdateInitializer.java | 2 +-
.../sentry/service/thrift/GSSCallback.java | 2 +-
.../thrift/HiveSimpleConnectionFactory.java | 2 +-
.../sentry/service/thrift/SentryHMSClient.java | 2 +-
.../sentry/service/thrift/SentryService.java | 14 +-
.../thrift/SentryServiceClientFactory.java | 4 +-
.../service/thrift/SentryServiceUtil.java | 316 -
.../sentry/service/thrift/ServiceConstants.java | 316 -
.../apache/sentry/service/thrift/Status.java | 132 -
.../main/resources/sentry_common_service.thrift | 44 -
.../sentry_generic_policy_service.thrift | 278 -
.../main/resources/sentry_policy_service.thrift | 364 -
.../SentryGenericServiceIntegrationBase.java | 73 +
.../TestAuditLogForSentryGenericService.java | 296 +
.../TestSentryGenericPolicyProcessor.java | 364 +
.../thrift/TestSentryGenericServiceClient.java | 61 +
.../TestSentryGenericServiceIntegration.java | 503 +
.../service/thrift/SentryMiniKdcTestcase.java | 68 +
.../TestAuthorizingDDLAuditLogWithKerberos.java | 295 +
.../thrift/TestConnectionWithTicketTimeout.java | 57 +
.../thrift/TestNotificationHandlerInvoker.java | 102 +
.../thrift/TestSentryPolicyServiceClient.java | 64 +
.../thrift/TestSentryPolicyStoreProcessor.java | 81 +
.../TestSentryServerForPoolWithoutKerberos.java | 35 +
.../thrift/TestSentryServerLogLevel.java | 100 +
.../service/thrift/TestSentryServerPubSub.java | 181 +
.../thrift/TestSentryServerWithoutKerberos.java | 214 +
.../thrift/TestSentryServiceClientPool.java | 111 +
.../thrift/TestSentryServiceFailureCase.java | 75 +
.../TestSentryServiceForPoolWithKerberos.java | 35 +
.../thrift/TestSentryServiceImportExport.java | 751 +
.../thrift/TestSentryServiceIntegration.java | 1102 ++
.../thrift/TestSentryServiceMetrics.java | 86 +
.../TestSentryServiceWithInvalidMsgSize.java | 122 +
.../thrift/TestSentryServiceWithKerberos.java | 58 +
.../thrift/TestSentryWebServerWithKerberos.java | 175 +
.../thrift/TestSentryWebServerWithSSL.java | 64 +
.../TestSentryWebServerWithoutSecurity.java | 95 +
.../TestSentryGenericProviderBackend.java | 8 +-
.../persistent/SentryStoreIntegrationBase.java | 2 +-
.../TestPrivilegeOperatePersistence.java | 2 +-
.../service/persistent/TestSentryRole.java | 2 +-
.../SentryGenericServiceIntegrationBase.java | 73 -
.../TestAuditLogForSentryGenericService.java | 296 -
.../TestSentryGenericPolicyProcessor.java | 364 -
.../thrift/TestSentryGenericServiceClient.java | 61 -
.../TestSentryGenericServiceIntegration.java | 503 -
.../db/log/entity/TestJsonLogEntityFactory.java | 34 +-
.../log/entity/TestJsonLogEntityFactoryGM.java | 32 +-
.../provider/db/log/util/TestCommandUtil.java | 38 +-
.../db/service/persistent/TestHMSFollower.java | 4 +-
.../TestHMSFollowerSentryStoreIntegration.java | 4 +-
.../persistent/TestLeaderStatusMonitor.java | 2 +-
.../persistent/TestNotificationProcessor.java | 4 +-
.../db/service/persistent/TestSentryStore.java | 18 +-
.../persistent/TestSentryStoreImportExport.java | 12 +-
.../service/persistent/TestSentryVersion.java | 4 +-
.../service/thrift/SentryMiniKdcTestcase.java | 68 -
.../TestAuthorizingDDLAuditLogWithKerberos.java | 295 -
.../thrift/TestConnectionWithTicketTimeout.java | 57 -
.../thrift/TestNotificationHandlerInvoker.java | 102 -
.../thrift/TestSentryPolicyServiceClient.java | 64 -
.../thrift/TestSentryPolicyStoreProcessor.java | 81 -
.../TestSentryServerForPoolWithoutKerberos.java | 35 -
.../thrift/TestSentryServerLogLevel.java | 100 -
.../service/thrift/TestSentryServerPubSub.java | 181 -
.../thrift/TestSentryServerWithoutKerberos.java | 214 -
.../thrift/TestSentryServiceClientPool.java | 111 -
.../thrift/TestSentryServiceFailureCase.java | 75 -
.../TestSentryServiceForPoolWithKerberos.java | 35 -
.../thrift/TestSentryServiceImportExport.java | 751 -
.../thrift/TestSentryServiceIntegration.java | 1102 --
.../thrift/TestSentryServiceMetrics.java | 86 -
.../TestSentryServiceWithInvalidMsgSize.java | 121 -
.../thrift/TestSentryServiceWithKerberos.java | 58 -
.../thrift/TestSentryWebServerWithKerberos.java | 175 -
.../thrift/TestSentryWebServerWithSSL.java | 64 -
.../TestSentryWebServerWithoutSecurity.java | 95 -
.../thrift/SentryServiceIntegrationBase.java | 17 +-
sentry-service/pom.xml | 36 +
sentry-service/sentry-service-api/pom.xml | 200 +
.../thrift/SentryGenericPolicyService.java | 10416 +++++++++++
.../TAlterSentryRoleAddGroupsRequest.java | 842 +
.../TAlterSentryRoleAddGroupsResponse.java | 391 +
.../TAlterSentryRoleDeleteGroupsRequest.java | 842 +
.../TAlterSentryRoleDeleteGroupsResponse.java | 391 +
.../TAlterSentryRoleGrantPrivilegeRequest.java | 798 +
.../TAlterSentryRoleGrantPrivilegeResponse.java | 391 +
.../TAlterSentryRoleRevokePrivilegeRequest.java | 798 +
...TAlterSentryRoleRevokePrivilegeResponse.java | 391 +
.../api/generic/thrift/TAuthorizable.java | 490 +
.../thrift/TCreateSentryRoleRequest.java | 692 +
.../thrift/TCreateSentryRoleResponse.java | 391 +
.../generic/thrift/TDropPrivilegesRequest.java | 697 +
.../generic/thrift/TDropPrivilegesResponse.java | 391 +
.../generic/thrift/TDropSentryRoleRequest.java | 692 +
.../generic/thrift/TDropSentryRoleResponse.java | 391 +
.../TListSentryPrivilegesByAuthRequest.java | 1112 ++
.../TListSentryPrivilegesByAuthResponse.java | 569 +
...TListSentryPrivilegesForProviderRequest.java | 1011 +
...ListSentryPrivilegesForProviderResponse.java | 541 +
.../thrift/TListSentryPrivilegesRequest.java | 957 +
.../thrift/TListSentryPrivilegesResponse.java | 555 +
.../generic/thrift/TListSentryRolesRequest.java | 701 +
.../thrift/TListSentryRolesResponse.java | 555 +
.../thrift/TRenamePrivilegesRequest.java | 1002 +
.../thrift/TRenamePrivilegesResponse.java | 391 +
.../generic/thrift/TSentryActiveRoleSet.java | 537 +
.../api/generic/thrift/TSentryGrantOption.java | 48 +
.../api/generic/thrift/TSentryPrivilege.java | 1080 ++
.../api/generic/thrift/TSentryPrivilegeMap.java | 490 +
.../sentry/api/generic/thrift/TSentryRole.java | 539 +
.../api/service/thrift/SentryPolicyService.java | 16422 +++++++++++++++++
.../TAlterSentryRoleAddGroupsRequest.java | 746 +
.../TAlterSentryRoleAddGroupsResponse.java | 394 +
.../thrift/TAlterSentryRoleAddUsersRequest.java | 741 +
.../TAlterSentryRoleAddUsersResponse.java | 394 +
.../TAlterSentryRoleDeleteGroupsRequest.java | 746 +
.../TAlterSentryRoleDeleteGroupsResponse.java | 394 +
.../TAlterSentryRoleDeleteUsersRequest.java | 741 +
.../TAlterSentryRoleDeleteUsersResponse.java | 394 +
.../TAlterSentryRoleGrantPrivilegeRequest.java | 866 +
.../TAlterSentryRoleGrantPrivilegeResponse.java | 669 +
.../TAlterSentryRoleRevokePrivilegeRequest.java | 866 +
...TAlterSentryRoleRevokePrivilegeResponse.java | 394 +
.../thrift/TCreateSentryRoleRequest.java | 591 +
.../thrift/TCreateSentryRoleResponse.java | 394 +
.../service/thrift/TDropPrivilegesRequest.java | 596 +
.../service/thrift/TDropPrivilegesResponse.java | 394 +
.../service/thrift/TDropSentryRoleRequest.java | 591 +
.../service/thrift/TDropSentryRoleResponse.java | 394 +
.../TListSentryPrivilegesByAuthRequest.java | 915 +
.../TListSentryPrivilegesByAuthResponse.java | 571 +
...TListSentryPrivilegesForProviderRequest.java | 915 +
...ListSentryPrivilegesForProviderResponse.java | 544 +
.../thrift/TListSentryPrivilegesRequest.java | 706 +
.../thrift/TListSentryPrivilegesResponse.java | 558 +
.../thrift/TListSentryRolesForUserRequest.java | 591 +
.../service/thrift/TListSentryRolesRequest.java | 600 +
.../thrift/TListSentryRolesResponse.java | 558 +
.../thrift/TRenamePrivilegesRequest.java | 702 +
.../thrift/TRenamePrivilegesResponse.java | 394 +
.../service/thrift/TSentryActiveRoleSet.java | 537 +
.../api/service/thrift/TSentryAuthorizable.java | 817 +
.../thrift/TSentryConfigValueRequest.java | 600 +
.../thrift/TSentryConfigValueResponse.java | 504 +
.../thrift/TSentryExportMappingDataRequest.java | 600 +
.../TSentryExportMappingDataResponse.java | 500 +
.../api/service/thrift/TSentryGrantOption.java | 48 +
.../sentry/api/service/thrift/TSentryGroup.java | 389 +
.../thrift/TSentryImportMappingDataRequest.java | 693 +
.../TSentryImportMappingDataResponse.java | 394 +
.../api/service/thrift/TSentryMappingData.java | 898 +
.../api/service/thrift/TSentryPrivilege.java | 1258 ++
.../api/service/thrift/TSentryPrivilegeMap.java | 490 +
.../sentry/api/service/thrift/TSentryRole.java | 645 +
.../service/thrift/TSentrySyncIDRequest.java | 484 +
.../service/thrift/TSentrySyncIDResponse.java | 493 +
.../service/thrift/TSentryResponseStatus.java | 598 +
.../thrift/sentry_common_serviceConstants.java | 57 +
.../sentry/api/common/SentryServiceUtil.java | 322 +
.../org/apache/sentry/api/common/Status.java | 133 +
.../sentry/api/common/ThriftConstants.java | 30 +
.../api/generic/thrift/NotificationHandler.java | 45 +
.../thrift/NotificationHandlerInvoker.java | 163 +
.../SentryGenericPolicyProcessorWrapper.java | 39 +
.../thrift/SentryGenericServiceClient.java | 194 +
.../SentryGenericServiceClientDefaultImpl.java | 560 +
.../SentryGenericServiceClientFactory.java | 123 +
.../api/service/thrift/NotificationHandler.java | 73 +
.../thrift/NotificationHandlerInvoker.java | 164 +
.../thrift/SentryPolicyServiceClient.java | 227 +
.../SentryPolicyServiceClientDefaultImpl.java | 1082 ++
.../service/thrift/SentryProcessorWrapper.java | 38 +
.../GrantPrivilegeRequestValidator.java | 91 +
.../RevokePrivilegeRequestValidator.java | 46 +
.../api/tools/GenericPrivilegeConverter.java | 190 +
.../api/tools/TSentryPrivilegeConverter.java | 34 +
.../main/resources/sentry_common_service.thrift | 44 +
.../sentry_generic_policy_service.thrift | 278 +
.../main/resources/sentry_policy_service.thrift | 364 +
.../TestSentryWebServiceForAuthTypeNone.java | 2 +-
.../e2e/dbprovider/TestConcurrentClients.java | 2 +-
.../tests/e2e/hdfs/TestHDFSIntegration.java | 2 +-
.../AbstractTestWithStaticConfiguration.java | 2 +-
.../metastore/SentryPolicyProviderForDb.java | 4 +-
.../dbprovider/AbstractTestWithDbProvider.java | 4 +-
.../e2e/dbprovider/TestConcurrentClients.java | 6 +-
.../tests/e2e/hdfs/TestHDFSIntegrationBase.java | 4 +-
.../hdfs/TestHDFSIntegrationTogglingConf.java | 2 +-
.../AbstractTestWithStaticConfiguration.java | 6 +-
.../metastore/SentryPolicyProviderForDb.java | 4 +-
.../tests/e2e/minisentry/InternalSentrySrv.java | 2 +-
.../e2e/kafka/AbstractKafkaSentryTestBase.java | 12 +-
.../sentry/tests/e2e/kafka/TestAuthorize.java | 8 +-
.../e2e/solr/SolrSentryServiceTestBase.java | 8 +-
.../sentry/tests/e2e/solr/TestSentryServer.java | 12 +-
.../e2e/sqoop/AbstractSqoopSentryTestBase.java | 16 +-
.../tools/PermissionsMigrationToolCommon.java | 10 +-
.../cli/tools/SentryConfigToolIndexer.java | 10 +-
.../sentry/cli/tools/SentryConfigToolSolr.java | 6 +-
.../sentry/cli/tools/SentrySchemaTool.java | 2 +-
.../sentry/cli/tools/SentryShellGeneric.java | 8 +-
.../sentry/cli/tools/SentryShellHive.java | 2 +-
.../sentry/cli/tools/SentryShellIndexer.java | 4 +-
.../cli/tools/command/GenericShellCommand.java | 8 +-
.../cli/tools/command/hive/CommandUtil.java | 14 +-
.../tools/command/hive/HiveShellCommand.java | 10 +-
.../java/org/apache/sentry/shell/SentryCli.java | 14 +-
.../org/apache/sentry/shell/TopLevelShell.java | 8 +-
.../tools/TestPermissionsMigrationToolSolr.java | 11 +-
.../cli/tools/TestSentryConfigToolIndexer.java | 12 +-
.../cli/tools/TestSentryConfigToolSolr.java | 9 +-
.../sentry/cli/tools/TestSentrySchemaTool.java | 2 +-
.../sentry/cli/tools/TestSentryShellHive.java | 4 +-
.../cli/tools/TestSentryShellIndexer.java | 10 +-
.../sentry/cli/tools/TestSentryShellKafka.java | 6 +-
.../sentry/cli/tools/TestSentryShellSolr.java | 6 +-
.../sentry/cli/tools/TestSentryShellSqoop.java | 6 +-
376 files changed, 87440 insertions(+), 86260 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 262a9d8..3b80e03 100644
--- a/pom.xml
+++ b/pom.xml
@@ -756,6 +756,7 @@ limitations under the License.
<module>sentry-tests</module>
<module>sentry-hdfs</module>
<module>sentry-tools</module>
+ <module>sentry-service</module>
<module>sentry-dist</module>
</modules>
@@ -1045,9 +1046,9 @@ limitations under the License.
<excludes combine.children="append">
<exclude>%regex[org.apache.sentry.tests.e2e.*.class]</exclude>
<exclude>%regex[org.apache.sentry.binding.hive.TestURI.class]</exclude>
- <exclude>%regex[org.apache.sentry.provider.db.service.thrift.*.class]</exclude>
+ <exclude>%regex[org.apache.sentry.api.service.thrift.*.class]</exclude>
<exclude>%regex[org.apache.solr.handler.admin.*.class]</exclude>
- <exclude>%regex[org.apache.sentry.provider.db.generic.service.thrift.*.class]</exclude>
+ <exclude>%regex[org.apache.sentry.api.generic.thrift.*.class]</exclude>
<exclude>%regex[org.apache.sentry.cli.tools.*.class]</exclude>
</excludes>
</configuration>
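Review bot: The renamed pattern `%regex[org.apache.sentry.api.service.thrift.*.class]` now excludes a package that, going by the diffstat, is shared between sentry-provider-db (for example `.../api/service/thrift/SentryPolicyStoreProcessor.java`) and the new sentry-service-api module (`.../api/service/thrift/SentryPolicyService.java`). Because this is the root pom and the list is appended to child configurations, any test later added under that package in either module would be skipped by this run, including tests of the authentication and authorization paths. The diffstat abbreviates paths, so the package overlap is inferred. I would add an XML comment above the two renamed excludes naming the profile or job that does run these packages, for example `<!-- thrift service tests run only in <PROFILE_NAME>; excluded here because ... -->`.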
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hbase-indexer/src/main/java/org/apache/sentry/binding/hbaseindexer/authz/HBaseIndexerAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hbase-indexer/src/main/java/org/apache/sentry/binding/hbaseindexer/authz/HBaseIndexerAuthzBinding.java b/sentry-binding/sentry-binding-hbase-indexer/src/main/java/org/apache/sentry/binding/hbaseindexer/authz/HBaseIndexerAuthzBinding.java
index 71d1225..3e57cd4 100644
--- a/sentry-binding/sentry-binding-hbase-indexer/src/main/java/org/apache/sentry/binding/hbaseindexer/authz/HBaseIndexerAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hbase-indexer/src/main/java/org/apache/sentry/binding/hbaseindexer/authz/HBaseIndexerAuthzBinding.java
@@ -33,7 +33,7 @@ import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.sentry.api.common.ApiConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -107,7 +107,7 @@ public class HBaseIndexerAuthzBinding {
}
// For SentryGenericProviderBackend
- authzConf.set(ServiceConstants.ClientConfig.COMPONENT_TYPE, HBASE_INDEXER);
+ authzConf.set(ApiConstants.ClientConfig.COMPONENT_TYPE, HBASE_INDEXER);
providerBackend =
(ProviderBackend) providerBackendConstructor.newInstance(new Object[] {authzConf, resourceName});
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
index 7565a34..f1cbbb6 100644
--- a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
@@ -48,7 +48,7 @@ import org.apache.sentry.provider.cache.SimpleCacheProviderBackend;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.api.service.thrift.TSentryRole;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
index 1dc8f01..f6b4518 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
@@ -53,7 +53,7 @@ import org.apache.sentry.core.common.exception.SentryConfigurationException;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.provider.common.AuthorizationProvider;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;
/**
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
index 13ee2cf..f21f920 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
@@ -49,9 +49,9 @@ import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.TSentryPrivilege;
+import org.apache.sentry.api.service.thrift.TSentryRole;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/SentryMetastorePostEventListenerBaseV2.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/SentryMetastorePostEventListenerBaseV2.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/SentryMetastorePostEventListenerBaseV2.java
index 567e9fa..642e873 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/SentryMetastorePostEventListenerBaseV2.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/metastore/SentryMetastorePostEventListenerBaseV2.java
@@ -44,7 +44,7 @@ import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.core.model.db.Table;
import org.apache.sentry.provider.db.SentryMetastoreListenerPlugin;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;
import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;
import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
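Review bot: The unchanged context lines `import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;` and `import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;` still reference the old package, while the diffstat lists `.../sentry/service/thrift/ServiceConstants.java` as fully deleted and `.../sentry/service/common/ServiceConstants.java` plus `.../sentry/api/common/ApiConstants.java` as added. The diffstat abbreviates paths, so this is inferred, but if the deleted file is the class imported here, this binding either stops compiling or resolves the constants from an older jar on the classpath, and the authorization configuration keys it reads could then differ from the server's. These imports should move to whichever of `org.apache.sentry.service.common.ServiceConstants` or `org.apache.sentry.api.common.ApiConstants` now holds the nested classes. The same applies to `import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;` in the sentry-binding-hive-v2 SentryAuthorizerUtil.java hunk.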
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/util/SentryAuthorizerUtil.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/util/SentryAuthorizerUtil.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/util/SentryAuthorizerUtil.java
index 35bd68c..32479d8 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/util/SentryAuthorizerUtil.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/util/SentryAuthorizerUtil.java
@@ -49,9 +49,9 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.api.service.thrift.TSentryGrantOption;
+import org.apache.sentry.api.service.thrift.TSentryPrivilege;
+import org.apache.sentry.api.service.thrift.TSentryRole;
import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
new file mode 100644
index 0000000..203632d
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -0,0 +1,741 @@
+package org.apache.hadoop.hive.ql.exec;
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.OutputStreamWriter;
+import java.io.Serializable;
+import java.net.URISyntaxException;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.hadoop.fs.FSDataOutputStream;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hive.SentryHiveConstants;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.api.PrincipalType;
+import org.apache.hadoop.hive.ql.CompilationOpContext;
+import org.apache.hadoop.hive.ql.DriverContext;
+import org.apache.hadoop.hive.ql.QueryPlan;
+import org.apache.hadoop.hive.ql.QueryState;
+import org.apache.hadoop.hive.ql.hooks.ReadEntity;
+import org.apache.hadoop.hive.ql.hooks.WriteEntity;
+import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.parse.SemanticException;
+import org.apache.hadoop.hive.ql.plan.DDLWork;
+import org.apache.hadoop.hive.ql.plan.GrantDesc;
+import org.apache.hadoop.hive.ql.plan.GrantRevokeRoleDDL;
+import org.apache.hadoop.hive.ql.plan.HiveOperation;
+import org.apache.hadoop.hive.ql.plan.PrincipalDesc;
+import org.apache.hadoop.hive.ql.plan.PrivilegeDesc;
+import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
+import org.apache.hadoop.hive.ql.plan.RevokeDesc;
+import org.apache.hadoop.hive.ql.plan.RoleDDLDesc;
+import org.apache.hadoop.hive.ql.plan.ShowGrantDesc;
+import org.apache.hadoop.hive.ql.plan.api.StageType;
+import org.apache.hadoop.hive.ql.security.authorization.PrivilegeType;
+import org.apache.hadoop.hive.ql.session.SessionState;
+import org.apache.hadoop.hive.ql.session.SessionState.LogHelper;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.binding.hive.authz.HiveAuthzBindingHookBase;
+import org.apache.sentry.binding.hive.SentryOnFailureHookContext;
+import org.apache.sentry.binding.hive.SentryOnFailureHookContextImpl;
+import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.common.utils.PathUtils;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.AccessURI;
+import org.apache.sentry.core.model.db.Column;
+import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.core.model.db.Table;
+import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
+import org.apache.sentry.api.common.ApiConstants;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.TSentryGrantOption;
+import org.apache.sentry.api.service.thrift.TSentryPrivilege;
+import org.apache.sentry.api.service.thrift.TSentryRole;
+import org.apache.sentry.service.thrift.SentryServiceClientFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Preconditions;
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Iterables;
+import com.google.common.collect.Sets;
+
+public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable {
+ private static final Logger LOG = LoggerFactory
+ .getLogger(SentryGrantRevokeTask.class);
+ private static final int RETURN_CODE_SUCCESS = 0;
+ private static final int RETURN_CODE_FAILURE = 1;
+ private static final Splitter DB_TBL_SPLITTER = Splitter.on(".").omitEmptyStrings().trimResults();
+ private static final int separator = Utilities.tabCode;
+ private static final int terminator = Utilities.newLineCode;
+ private static final long serialVersionUID = -7625118066790571999L;
+
+ private HiveConf conf;
+ private HiveAuthzBinding hiveAuthzBinding;
+ private HiveAuthzConf authzConf;
+ private String server;
+ private Subject subject;
+ private Set<String> subjectGroups;
+ private String ipAddress;
+ private HiveOperation stmtOperation;
+
+ @Override
+ public void initialize(QueryState queryState, QueryPlan queryPlan, DriverContext ctx,
+ CompilationOpContext opContext) {
+ // CompilationOpContext is an unused parameter on the initialize() method.
+ super.initialize(queryState, queryPlan, driverContext, null);
+ this.conf = queryState.getConf();
+ }
+
+ @Override
+ public int execute(DriverContext driverContext) {
+ try (SentryPolicyServiceClient sentryClient =
+ SentryServiceClientFactory.create(authzConf)) {
+ Preconditions.checkNotNull(hiveAuthzBinding, "HiveAuthzBinding cannot be null");
+ Preconditions.checkNotNull(authzConf, "HiveAuthConf cannot be null");
+ Preconditions.checkNotNull(subject, "Subject cannot be null");
+ server = Preconditions.checkNotNull(authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar()),
+ "Config " + AuthzConfVars.AUTHZ_SERVER_NAME.getVar() + " is required");
+ try {
+ if (work.getRoleDDLDesc() != null) {
+ return processRoleDDL(console, sentryClient, subject.getName(),
+ hiveAuthzBinding, work.getRoleDDLDesc());
+ }
+ if (work.getGrantDesc() != null) {
+ return processGrantDDL(console, sentryClient,
+ subject.getName(), server, work.getGrantDesc());
+ }
+ if (work.getRevokeDesc() != null) {
+ return processRevokeDDL(console, sentryClient,
+ subject.getName(), server, work.getRevokeDesc());
+ }
+ if (work.getShowGrantDesc() != null) {
+ return processShowGrantDDL(console, sentryClient, subject.getName(),
+ work.getShowGrantDesc());
+ }
+ if (work.getGrantRevokeRoleDDL() != null) {
+ return processGrantRevokeRoleDDL(console, sentryClient,
+ subject.getName(), work.getGrantRevokeRoleDDL());
+ }
+ throw new AssertionError(
+ "Unknown command passed to Sentry Grant/Revoke Task");
+ } catch (SentryAccessDeniedException e) {
+ String csHooks = authzConf.get(
+ HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), "")
+ .trim();
+ SentryOnFailureHookContext hookContext = new SentryOnFailureHookContextImpl(
+ queryPlan.getQueryString(), new HashSet<ReadEntity>(),
+ new HashSet<WriteEntity>(), stmtOperation,
+ null, null, null, null, subject.getName(), ipAddress,
+ new AuthorizationException(e), conf);
+ HiveAuthzBindingHookBase.runFailureHook(hookContext, csHooks);
+ throw e; // rethrow the exception for logging
+ }
+ } catch(SentryUserException e) {
+ setException(new Exception(e.getClass().getSimpleName() + ": " + e.getReason(), e));
+ String msg = "Error processing Sentry command: " + e.getReason() + ".";
+ if (e instanceof SentryAccessDeniedException) {
+ msg += "Please grant admin privilege to " + subject.getName() + ".";
+ }
+ LOG.error(msg, e);
+ console.printError(msg);
+ return RETURN_CODE_FAILURE;
+ } catch(Throwable e) {
+ setException(e);
+ String msg = "Error processing Sentry command: " + e.getMessage();
+ LOG.error(msg, e);
+ console.printError(msg);
+ return RETURN_CODE_FAILURE;
+ } finally {
+ if (hiveAuthzBinding != null) {
+ hiveAuthzBinding.close();
+ }
+ }
+ }
+
+ public void setAuthzConf(HiveAuthzConf authzConf) {
+ Preconditions.checkState(this.authzConf == null,
+ "setAuthzConf should only be called once: " + this.authzConf);
+ this.authzConf = authzConf;
+ }
+ public void setHiveAuthzBinding(HiveAuthzBinding hiveAuthzBinding) {
+ Preconditions.checkState(this.hiveAuthzBinding == null,
+ "setHiveAuthzBinding should only be called once: " + this.hiveAuthzBinding);
+ this.hiveAuthzBinding = hiveAuthzBinding;
+ }
+ public void setSubject(Subject subject) {
+ Preconditions.checkState(this.subject == null,
+ "setSubject should only be called once: " + this.subject);
+ this.subject = subject;
+ }
+ public void setSubjectGroups(Set<String> subjectGroups) {
+ Preconditions.checkState(this.subjectGroups == null,
+ "setSubjectGroups should only be called once: " + this.subjectGroups);
+ this.subjectGroups = subjectGroups;
+ }
+
+ public void setIpAddress(String ipAddress) {
+ this.ipAddress = ipAddress;
+ }
+
+ public void setOperation(HiveOperation stmtOperation) {
+ this.stmtOperation = stmtOperation;
+ }
+
+ private int processRoleDDL(LogHelper console,
+ SentryPolicyServiceClient sentryClient, String subject,
+ HiveAuthzBinding hiveAuthzBinding, RoleDDLDesc desc)
+ throws SentryUserException {
+ RoleDDLDesc.RoleOperation operation = desc.getOperation();
+ DataOutputStream outStream = null;
+ String name = desc.getName();
+ try {
+ if (operation.equals(RoleDDLDesc.RoleOperation.SET_ROLE)) {
+ hiveAuthzBinding.setActiveRoleSet(name, sentryClient.listUserRoles(subject));
+ return RETURN_CODE_SUCCESS;
+ } else if (operation.equals(RoleDDLDesc.RoleOperation.CREATE_ROLE)) {
+ sentryClient.createRole(subject, name);
+ return RETURN_CODE_SUCCESS;
+ } else if (operation.equals(RoleDDLDesc.RoleOperation.DROP_ROLE)) {
+ sentryClient.dropRole(subject, name);
+ return RETURN_CODE_SUCCESS;
+ } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT)) {
+ Set<TSentryRole> roles;
+ PrincipalType principalType = desc.getPrincipalType();
+ if (principalType == PrincipalType.GROUP) {
+ roles = sentryClient.listRolesByGroupName(subject, name);
+ } else if (principalType == PrincipalType.USER) {
+ roles = sentryClient.listRolesByUserName(subject, name);
+ } else {
+ String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalType;
+ throw new HiveException(msg);
+ }
+ writeToFile(writeRoleGrantsInfo(roles), desc.getResFile());
+ return RETURN_CODE_SUCCESS;
+ } else if(operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLES)) {
+ Set<TSentryRole> roles = sentryClient.listAllRoles(subject);
+ writeToFile(writeRolesInfo(roles), desc.getResFile());
+ return RETURN_CODE_SUCCESS;
+ } else if(operation.equals(RoleDDLDesc.RoleOperation.SHOW_CURRENT_ROLE)) {
+ ActiveRoleSet roleSet = hiveAuthzBinding.getActiveRoleSet();
+ if( roleSet.isAll()) {
+ Set<TSentryRole> roles = sentryClient.listUserRoles(subject);
+ writeToFile(writeRolesInfo(roles), desc.getResFile());
+ return RETURN_CODE_SUCCESS;
+ } else {
+ Set<String> roles = roleSet.getRoles();
+ writeToFile(writeActiveRolesInfo(roles), desc.getResFile());
+ return RETURN_CODE_SUCCESS;
+ }
+ } else {
+ throw new HiveException("Unknown role operation "
+ + operation.getOperationName());
+ }
+ } catch (HiveException e) {
+ String msg = "Error in role operation "
+ + operation.getOperationName() + " on role name "
+ + name + ", error message " + e.getMessage();
+ LOG.warn(msg, e);
+ console.printError(msg);
+ return RETURN_CODE_FAILURE;
+ } catch (IOException e) {
+ String msg = "IO Error in role operation " + e.getMessage();
+ LOG.info(msg, e);
+ console.printError(msg);
+ return RETURN_CODE_FAILURE;
+ } finally {
+ closeQuiet(outStream);
+ }
+ }
+
+ private int processGrantDDL(LogHelper console,
+ SentryPolicyServiceClient sentryClient, String subject,
+ String server, GrantDesc desc) throws SentryUserException {
+ return processGrantRevokeDDL(console, sentryClient, subject,
+ server, true, desc.getPrincipals(), desc.getPrivileges(),
+ desc.getPrivilegeSubjectDesc(), desc.isGrantOption());
+ }
+
+ // For grant option, we use null to stand for revoke the privilege ignore the grant option
+ private int processRevokeDDL(LogHelper console,
+ SentryPolicyServiceClient sentryClient, String subject,
+ String server, RevokeDesc desc) throws SentryUserException {
+ return processGrantRevokeDDL(console, sentryClient, subject,
+ server, false, desc.getPrincipals(), desc.getPrivileges(),
+ desc.getPrivilegeSubjectDesc(), null);
+ }
+
+ private int processShowGrantDDL(LogHelper console, SentryPolicyServiceClient sentryClient,
+ String subject, ShowGrantDesc desc) throws SentryUserException{
+ PrincipalDesc principalDesc = desc.getPrincipalDesc();
+ PrivilegeObjectDesc hiveObjectDesc = desc.getHiveObj();
+ String principalName = principalDesc.getName();
+ Set<TSentryPrivilege> privileges;
+
+ try {
+ if (principalDesc.getType() != PrincipalType.ROLE) {
+ String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalDesc.getType();
+ throw new HiveException(msg);
+ }
+
+ if (hiveObjectDesc == null) {
+ privileges = sentryClient.listPrivilegesByRoleName(subject, principalName, null);
+ } else {
+ SentryHivePrivilegeObjectDesc privSubjectDesc = toSentryHivePrivilegeObjectDesc(hiveObjectDesc);
+ List<Authorizable> authorizableHeirarchy = toAuthorizable(privSubjectDesc);
+ if (privSubjectDesc.getColumns() != null && !privSubjectDesc.getColumns().isEmpty()) {
+ List<List<Authorizable>> ps = parseColumnToAuthorizable(authorizableHeirarchy, privSubjectDesc);
+ ImmutableSet.Builder<TSentryPrivilege> pbuilder = new ImmutableSet.Builder<TSentryPrivilege>();
+ for (List<Authorizable> p : ps) {
+ pbuilder.addAll(sentryClient.listPrivilegesByRoleName(subject, principalName, p));
+ }
+ privileges = pbuilder.build();
+ } else {
+ privileges = sentryClient.listPrivilegesByRoleName(subject, principalName, authorizableHeirarchy);
+ }
+ }
+ writeToFile(writeGrantInfo(privileges, principalName), desc.getResFile());
+ return RETURN_CODE_SUCCESS;
+ } catch (IOException e) {
+ String msg = "IO Error in show grant " + e.getMessage();
+ LOG.info(msg, e);
+ console.printError(msg);
+ return RETURN_CODE_FAILURE;
+ } catch (HiveException e) {
+ String msg = "Error in show grant operation, error message " + e.getMessage();
+ LOG.warn(msg, e);
+ console.printError(msg);
+ return RETURN_CODE_FAILURE;
+ }
+ }
+
+ private List<Authorizable> toAuthorizable(SentryHivePrivilegeObjectDesc privSubjectDesc) throws HiveException{
+ List<Authorizable> authorizableHeirarchy = new ArrayList<Authorizable>();
+ authorizableHeirarchy.add(new Server(server));
+ String dbName = null;
+ if (privSubjectDesc.getTable()) {
+ DatabaseTable dbTable = parseDBTable(privSubjectDesc.getObject());
+ dbName = dbTable.getDatabase();
+ String tableName = dbTable.getTable();
+ authorizableHeirarchy.add(new Table(tableName));
+ authorizableHeirarchy.add(new Database(dbName));
+ } else if (privSubjectDesc.getUri()) {
+ String uriPath = privSubjectDesc.getObject();
+ String warehouseDir = conf.getVar(HiveConf.ConfVars.METASTOREWAREHOUSE);
+ try {
+ authorizableHeirarchy.add(new AccessURI(PathUtils.parseDFSURI(warehouseDir, uriPath)));
+ } catch(URISyntaxException e) {
+ throw new HiveException(e.getMessage(), e);
+ }
+ } else {
+ dbName = privSubjectDesc.getObject();
+ authorizableHeirarchy.add(new Database(dbName));
+ }
+ return authorizableHeirarchy;
+ }
+
+ private List<List<Authorizable>> parseColumnToAuthorizable(List<Authorizable> authorizableHeirarchy,
+ SentryHivePrivilegeObjectDesc privSubjectDesc) {
+ ImmutableList.Builder<List<Authorizable>> listsBuilder = ImmutableList.builder();
+ List<String> cols = privSubjectDesc.getColumns();
+ if ( cols != null && !cols.isEmpty() ) {
+ for ( String col : cols ) {
+ ImmutableList.Builder<Authorizable> listBuilder = ImmutableList.builder();
+ listBuilder.addAll(authorizableHeirarchy);
+ listBuilder.add(new Column(col));
+ listsBuilder.add(listBuilder.build());
+ }
+ }
+ return listsBuilder.build();
+ }
+
+ private void writeToFile(String data, String file) throws IOException {
+ Path resFile = new Path(file);
+ FileSystem fs = resFile.getFileSystem(conf);
+ FSDataOutputStream out = fs.create(resFile);
+ try {
+ if (data != null && !data.isEmpty()) {
+ try (OutputStreamWriter writer = new OutputStreamWriter(out, "UTF-8")) {
+ writer.write(data);
+ writer.write((char) terminator);
+ writer.flush();
+ }
+ }
+ } finally {
+ closeQuiet(out);
+ }
+ }
+
+ private int processGrantRevokeRoleDDL(LogHelper console,
+ SentryPolicyServiceClient sentryClient, String subject,
+ GrantRevokeRoleDDL desc) throws SentryUserException {
+ try {
+ boolean grantRole = desc.getGrant();
+ List<PrincipalDesc> principals = desc.getPrincipalDesc();
+ List<String> roles = desc.getRoles();
+ // get principals
+ Set<String> groups = Sets.newHashSet();
+ Set<String> users = Sets.newHashSet();
+ for (PrincipalDesc principal : principals) {
+ if (principal.getType() == PrincipalType.GROUP) {
+ groups.add(principal.getName());
+ } else if (principal.getType() == PrincipalType.USER) {
+ users.add(principal.getName());
+ } else {
+ String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL +
+ principal.getType();
+ throw new HiveException(msg);
+ }
+ }
+
+ // grant/revoke role to/from principals
+ for (String roleName : roles) {
+ if (grantRole) {
+ if (groups.size() > 0) {
+ sentryClient.grantRoleToGroups(subject, roleName, groups);
+ }
+ if (users.size() > 0) {
+ sentryClient.grantRoleToUsers(subject, roleName, users);
+ }
+ } else {
+ if (groups.size() > 0) {
+ sentryClient.revokeRoleFromGroups(subject, roleName, groups);
+ }
+ if (users.size() > 0) {
+ sentryClient.revokeRoleFromUsers(subject, roleName, users);
+ }
+ }
+ }
+
+ } catch (HiveException e) {
+ String msg = "Error in grant/revoke operation, error message " + e.getMessage();
+ LOG.warn(msg, e);
+ console.printError(msg);
+ return RETURN_CODE_FAILURE;
+ }
+ return RETURN_CODE_SUCCESS;
+ }
+
+ static String writeGrantInfo(Set<TSentryPrivilege> privileges, String roleName) {
+ if (privileges == null || privileges.isEmpty()) {
+ return "";
+ }
+ StringBuilder builder = new StringBuilder();
+
+ for (TSentryPrivilege privilege : privileges) {
+
+ if (ApiConstants.PrivilegeScope.URI.name().equalsIgnoreCase(
+ privilege.getPrivilegeScope())) {
+ appendNonNull(builder, privilege.getURI(), true);
+ } else if(ApiConstants.PrivilegeScope.SERVER.name().equalsIgnoreCase(
+ privilege.getPrivilegeScope())) {
+ appendNonNull(builder, "*", true);//Db column would show * if it is a server level privilege
+ } else {
+ appendNonNull(builder, privilege.getDbName(), true);
+ }
+ appendNonNull(builder, privilege.getTableName());
+ appendNonNull(builder, null);//getPartValues()
+ appendNonNull(builder, privilege.getColumnName());//getColumnName()
+ appendNonNull(builder, roleName);//getPrincipalName()
+ appendNonNull(builder, "ROLE");//getPrincipalType()
+ appendNonNull(builder, privilege.getAction());
+ appendNonNull(builder,
+ TSentryGrantOption.TRUE.equals(privilege.getGrantOption()));
+ appendNonNull(builder, privilege.getCreateTime() * 1000L);
+ appendNonNull(builder, "--");
+ }
+ LOG.info("builder.toString(): " + builder.toString());
+ return builder.toString();
+ }
+
+ static String writeRoleGrantsInfo(Set<TSentryRole> roleGrants) {
+ if (roleGrants == null || roleGrants.isEmpty()) {
+ return "";
+ }
+ StringBuilder builder = new StringBuilder();
+ for (TSentryRole roleGrant : roleGrants) {
+ appendNonNull(builder, roleGrant.getRoleName(), true);
+ appendNonNull(builder, false);//isGrantOption()
+ appendNonNull(builder, null);//roleGrant.getGrantTime() * 1000L
+ appendNonNull(builder, "--");
+ }
+ return builder.toString();
+ }
+
+ static String writeRolesInfo(Set<TSentryRole> roles) {
+ if (roles == null || roles.isEmpty()) {
+ return "";
+ }
+ StringBuilder builder = new StringBuilder();
+ for (TSentryRole roleGrant : roles) {
+ appendNonNull(builder, roleGrant.getRoleName(), true);
+ }
+ return builder.toString();
+ }
+
+ static String writeActiveRolesInfo(Set<String> roles) {
+ if (roles == null || roles.isEmpty()) {
+ return "";
+ }
+ StringBuilder builder = new StringBuilder();
+ for (String role : roles) {
+ appendNonNull(builder, role, true);
+ }
+ return builder.toString();
+ }
+
+ static StringBuilder appendNonNull(StringBuilder builder, Object value) {
+ return appendNonNull(builder, value, false);
+ }
+
+ static StringBuilder appendNonNull(StringBuilder builder, Object value, boolean firstColumn) {
+ if (!firstColumn) {
+ builder.append((char)separator);
+ } else if (builder.length() > 0) {
+ builder.append((char)terminator);
+ }
+ if (value != null) {
+ builder.append(value);
+ }
+ return builder;
+ }
+
+ private static int processGrantRevokeDDL(LogHelper console,
+ SentryPolicyServiceClient sentryClient, String subject, String server,
+ boolean isGrant, List<PrincipalDesc> principals,
+ List<PrivilegeDesc> privileges, PrivilegeObjectDesc privSubjectObjDesc,
+ Boolean grantOption) throws SentryUserException {
+ if (privileges == null || privileges.size() == 0) {
+ console.printError("No privilege found.");
+ return RETURN_CODE_FAILURE;
+ }
+
+ String dbName = null;
+ String tableName = null;
+ List<String> columnNames = null;
+ String uriPath = null;
+ String serverName = null;
+ try {
+ SentryHivePrivilegeObjectDesc privSubjectDesc = toSentryHivePrivilegeObjectDesc(privSubjectObjDesc);
+
+ if (privSubjectDesc == null) {
+ throw new HiveException("Privilege subject cannot be null");
+ }
+ if (privSubjectDesc.getPartSpec() != null) {
+ throw new HiveException(SentryHiveConstants.PARTITION_PRIVS_NOT_SUPPORTED);
+ }
+ String obj = privSubjectDesc.getObject();
+ if (privSubjectDesc.getTable()) {
+ DatabaseTable dbTable = parseDBTable(obj);
+ dbName = dbTable.getDatabase();
+ tableName = dbTable.getTable();
+ } else if (privSubjectDesc.getUri()) {
+ uriPath = privSubjectDesc.getObject();
+ } else if (privSubjectDesc.getServer()) {
+ serverName = privSubjectDesc.getObject();
+ } else {
+ dbName = privSubjectDesc.getObject();
+ }
+ for (PrivilegeDesc privDesc : privileges) {
+ List<String> columns = privDesc.getColumns();
+ if (columns != null && !columns.isEmpty()) {
+ columnNames = columns;
+ }
+ if (!SentryHiveConstants.ALLOWED_PRIVS.contains(privDesc.getPrivilege().getPriv())) {
+ String msg = SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + privDesc.getPrivilege().getPriv();
+ throw new HiveException(msg);
+ }
+ if (columnNames != null && (privDesc.getPrivilege().getPriv().equals(PrivilegeType.INSERT)
+ || privDesc.getPrivilege().getPriv().equals(PrivilegeType.ALL))) {
+ String msg = SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED
+ + privDesc.getPrivilege().getPriv() + " on Column";
+ throw new SemanticException(msg);
+ }
+ }
+ for (PrincipalDesc princ : principals) {
+ if (princ.getType() != PrincipalType.ROLE) {
+ String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + princ.getType();
+ throw new HiveException(msg);
+ }
+ for (PrivilegeDesc privDesc : privileges) {
+ if (isGrant) {
+ if (serverName != null) {
+ sentryClient.grantServerPrivilege(subject, princ.getName(), serverName,
+ toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
+ } else if (uriPath != null) {
+ sentryClient.grantURIPrivilege(subject, princ.getName(), server, uriPath, grantOption);
+ } else if (tableName == null) {
+ sentryClient.grantDatabasePrivilege(subject, princ.getName(), server, dbName,
+ toDbSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
+ } else if (columnNames == null) {
+ sentryClient.grantTablePrivilege(subject, princ.getName(), server, dbName,
+ tableName, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
+ } else {
+ sentryClient.grantColumnsPrivileges(subject, princ.getName(), server, dbName,
+ tableName, columnNames, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
+ }
+ } else {
+ if (serverName != null) {
+ sentryClient.revokeServerPrivilege(subject, princ.getName(), serverName,
+ toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
+ } else if (uriPath != null) {
+ sentryClient.revokeURIPrivilege(subject, princ.getName(), server, uriPath, grantOption);
+ } else if (tableName == null) {
+ sentryClient.revokeDatabasePrivilege(subject, princ.getName(), server, dbName,
+ toDbSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
+ } else if (columnNames == null) {
+ sentryClient.revokeTablePrivilege(subject, princ.getName(), server, dbName,
+ tableName, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
+ } else {
+ sentryClient.revokeColumnsPrivilege(subject, princ.getName(), server, dbName,
+ tableName, columnNames, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
+ }
+ }
+ }
+ }
+ return RETURN_CODE_SUCCESS;
+ } catch (HiveException e) {
+ String msg = "Error in grant/revoke operation, error message " + e.getMessage();
+ LOG.warn(msg, e);
+ console.printError(msg);
+ return RETURN_CODE_FAILURE;
+ }
+ }
+
+ private static String toDbSentryAction(PrivilegeType privilegeType) throws SentryUserException{
+ switch(privilegeType) {
+ case ALL:
+ return AccessConstants.ALL;
+ case SELECT:
+ return AccessConstants.SELECT;
+ case INSERT:
+ return AccessConstants.INSERT;
+ case CREATE:
+ return AccessConstants.CREATE;
+ case DROP:
+ return AccessConstants.DROP;
+ case ALTER_METADATA:
+ return AccessConstants.ALTER;
+ case INDEX:
+ return AccessConstants.INDEX;
+ case LOCK:
+ return AccessConstants.LOCK;
+ default:
+ throw new SentryUserException("Unknown privilege type: " + privilegeType);
+ //Exception is thrown here only for development purposes.
+ }
+ }
+
+ private static SentryHivePrivilegeObjectDesc toSentryHivePrivilegeObjectDesc(PrivilegeObjectDesc privSubjectObjDesc)
+ throws HiveException{
+ if (!(privSubjectObjDesc instanceof SentryHivePrivilegeObjectDesc)) {
+ throw new HiveException(
+ "Privilege subject not parsed correctly by Sentry");
+ }
+ return (SentryHivePrivilegeObjectDesc) privSubjectObjDesc;
+ }
+
+ private static String toSentryAction(PrivilegeType privilegeType) {
+ if (PrivilegeType.ALL.equals(privilegeType)) {
+ return AccessConstants.ALL;
+ } else {
+ return privilegeType.toString();
+ }
+ }
+
+ private static DatabaseTable parseDBTable(String obj) throws HiveException {
+ String[] dbTab = Iterables.toArray(DB_TBL_SPLITTER.split(obj), String.class);
+ if (dbTab.length == 2) {
+ return new DatabaseTable(dbTab[0], dbTab[1]);
+ } else if (dbTab.length == 1){
+ return new DatabaseTable(SessionState.get().getCurrentDatabase(), obj);
+ } else {
+ String msg = "Malformed database.table '" + obj + "'";
+ throw new HiveException(msg);
+ }
+ }
+
+ private static class DatabaseTable {
+ private final String database;
+ private final String table;
+ public DatabaseTable(String database, String table) {
+ this.database = database;
+ this.table = table;
+ }
+ public String getDatabase() {
+ return database;
+ }
+ public String getTable() {
+ return table;
+ }
+ }
+
+ /**
+ * Close to be used in the try block of a try-catch-finally
+ * statement. Returns null so the close/set to null idiom can be
+ * completed in a single line.
+ */
+ private static DataOutputStream close(DataOutputStream out)
+ throws IOException {
+ if (out != null) {
+ out.close();
+ }
+ return null;
+ }
+ /**
+ * Close to be used in the finally block of a try-catch-finally
+ * statement.
+ */
+ private static void closeQuiet(DataOutputStream out) {
+ try {
+ close(out);
+ } catch (IOException e) {
+ LOG.warn("Error closing output stream", e);
+ }
+ }
+
+ @Override
+ public boolean requireLock() {
+ return false;
+ }
+
+ @Override
+ public StageType getType() {
+ return StageType.DDL;
+ }
+
+ @Override
+ public String getName() {
+ return "SENTRY";
+ }
+}
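Review bot: `processGrantRevokeDDL` keeps one method-level `columnNames`, which the validation loop overwrites with the column list of whichever `PrivilegeDesc` last carried one, and the grant/revoke loop then sends that list with every privilege in the statement. As written, a privilege that named no columns is granted or revoked at column scope whenever another privilege in the same list has columns, and the INSERT/ALL-on-column rejection depends on the order of the list. Whether the Hive parser can actually deliver such a mixed list is not visible here and should be confirmed. On an authorization path the scope sent to Sentry should come from the privilege being processed, so read `privDesc.getColumns()` inside both loops and drop the shared variable, as sketched below.

```java
      for (PrivilegeDesc privDesc : privileges) {
        // Validate each privilege against its own column list only.
        List<String> columns = privDesc.getColumns();
        boolean hasColumns = columns != null && !columns.isEmpty();
        // … unchanged: ALLOWED_PRIVS check …
        if (hasColumns && (privDesc.getPrivilege().getPriv().equals(PrivilegeType.INSERT)
            || privDesc.getPrivilege().getPriv().equals(PrivilegeType.ALL))) {
          // … unchanged: build message and throw SemanticException …
        }
      }
      for (PrincipalDesc princ : principals) {
        // … unchanged: principal type check …
        for (PrivilegeDesc privDesc : privileges) {
          // Scope is decided per privilege, never inherited from a sibling entry.
          List<String> privColumns = privDesc.getColumns();
          boolean columnScoped = privColumns != null && !privColumns.isEmpty();
          if (isGrant) {
            // … unchanged: server, URI and database branches …
            } else if (!columnScoped) {
              // … unchanged: grantTablePrivilege call …
            } else {
              sentryClient.grantColumnsPrivileges(subject, princ.getName(), server, dbName,
                  tableName, privColumns, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
            }
          } else {
            // … revoke branches: same two changes (test !columnScoped, pass privColumns) …
          }
        }
      }
```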
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
index 2abe37e..fc2427c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
@@ -50,9 +50,9 @@ import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.TSentryPrivilege;
+import org.apache.sentry.api.service.thrift.TSentryRole;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
index c23547a..5f1e3e9 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
@@ -43,7 +43,7 @@ import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.common.exception.SentryConfigurationException;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.provider.common.AuthorizationProvider;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;
import java.security.CodeSource;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentrySyncHMSNotificationsPostEventListener.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentrySyncHMSNotificationsPostEventListener.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentrySyncHMSNotificationsPostEventListener.java
index 24d7763..7b2d8be 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentrySyncHMSNotificationsPostEventListener.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentrySyncHMSNotificationsPostEventListener.java
@@ -33,7 +33,7 @@ import org.apache.hadoop.hive.metastore.events.DropPartitionEvent;
import org.apache.hadoop.hive.metastore.events.DropTableEvent;
import org.apache.hadoop.hive.metastore.events.ListenerEvent;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
index 1c41639..dd6936c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
@@ -50,10 +50,10 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.apache.sentry.api.common.ApiConstants;
+import org.apache.sentry.api.service.thrift.TSentryGrantOption;
+import org.apache.sentry.api.service.thrift.TSentryPrivilege;
+import org.apache.sentry.api.service.thrift.TSentryRole;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -239,7 +239,7 @@ public class SentryAuthorizerUtil {
*/
public static HivePrivilegeObject convert2HivePrivilegeObject(TSentryPrivilege tSentryPrivilege) {
HivePrivilegeObject privilege = null;
- switch (PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope())) {
+ switch (ApiConstants.PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope())) {
case SERVER:
privilege = new HivePrivilegeObject(HivePrivilegeObjectType.GLOBAL, "*", null);
break;
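Review bot: `ApiConstants.PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope())` throws `IllegalArgumentException` for a scope string that matches no enum constant, and `NullPointerException` for null. The `default` branch in the next hunk, which logs "Unknown PrivilegeScope", is therefore never reached for an unrecognised string, and the method throws instead of returning null. Since the scope string comes from a Thrift object, the lookup could be wrapped in a `catch (IllegalArgumentException e)` that logs the raw value, e.g. `LOG.warn("Unknown PrivilegeScope: " + tSentryPrivilege.getPrivilegeScope());`. The `default` branch also repeats the `valueOf` call only to build its message. The method body continues past this hunk, so how callers handle a null result or an exception is not visible here.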
@@ -271,7 +271,7 @@ public class SentryAuthorizerUtil {
}
default:
LOG.warn("Unknown PrivilegeScope: "
- + PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope()));
+ + ApiConstants.PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope()));
break;
}
return privilege;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentrySyncHMSNotificationsPostEventListener.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentrySyncHMSNotificationsPostEventListener.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentrySyncHMSNotificationsPostEventListener.java
index cca326b..fc1c3d5 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentrySyncHMSNotificationsPostEventListener.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentrySyncHMSNotificationsPostEventListener.java
@@ -27,7 +27,7 @@ import org.apache.hadoop.hive.metastore.events.DropTableEvent;
import org.apache.hadoop.hive.metastore.events.ListenerEvent;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java
index e4abdc7..07b21b9 100644
--- a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java
+++ b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java
@@ -56,13 +56,14 @@ import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.common.ProviderBackendContext;
import org.apache.sentry.provider.db.generic.SentryGenericProviderBackend;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.db.generic.tools.GenericPrivilegeConverter;
-import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.sentry.api.generic.thrift.SentryGenericServiceClient;
+import org.apache.sentry.api.generic.thrift.SentryGenericServiceClientFactory;
+import org.apache.sentry.api.generic.thrift.TAuthorizable;
+import org.apache.sentry.api.generic.thrift.TSentryPrivilege;
+import org.apache.sentry.api.generic.thrift.TSentryRole;
+import org.apache.sentry.api.common.ApiConstants;
+import org.apache.sentry.api.tools.GenericPrivilegeConverter;
+import org.apache.sentry.service.common.ServiceConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import scala.Option;
@@ -159,23 +160,23 @@ public class KafkaAuthBinding {
if (enableCachingConfig != null) {
String enableCaching = enableCachingConfig.toString();
if (Boolean.parseBoolean(enableCaching)) {
- authConf.set(ServiceConstants.ClientConfig.ENABLE_CACHING, enableCaching);
+ authConf.set(ApiConstants.ClientConfig.ENABLE_CACHING, enableCaching);
final Object cacheTtlMsConfig = kafkaConfigs
.get(AuthzConfVars.AUTHZ_CACHING_TTL_MS_NAME.getVar());
if (cacheTtlMsConfig != null) {
- authConf.set(ServiceConstants.ClientConfig.CACHE_TTL_MS, cacheTtlMsConfig.toString());
+ authConf.set(ApiConstants.ClientConfig.CACHE_TTL_MS, cacheTtlMsConfig.toString());
}
final Object cacheUpdateFailuresCountConfig = kafkaConfigs
.get(AuthzConfVars.AUTHZ_CACHING_UPDATE_FAILURES_COUNT_NAME.getVar());
if (cacheUpdateFailuresCountConfig != null) {
- authConf.set(ServiceConstants.ClientConfig.CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE,
+ authConf.set(ApiConstants.ClientConfig.CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE,
cacheUpdateFailuresCountConfig.toString());
}
- if (authConf.get(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) {
- authConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER,
+ if (authConf.get(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) {
+ authConf.set(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER,
GenericPrivilegeConverter.class.getName());
}
}
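Review bot: The cache TTL and the update-failure count are copied into `authConf` as raw strings (`cacheTtlMsConfig.toString()`, `cacheUpdateFailuresCountConfig.toString()`) with no check that they are numeric or positive. Judging by their names, these settings bound how long a cached authorization decision stays in use. Unless the provider backend validates them (not visible here), parsing them at this point, e.g. `Long.parseLong(cacheTtlMsConfig.toString())`, and rejecting bad values would surface a misconfiguration when the binding is set up. The `PRIVILEGE_CONVERTER` default is also applied only inside the caching-enabled branch, while the Solr and Sqoop bindings in this commit set it unconditionally; a short comment saying whether that is intended would help. The enclosing method starts before and continues after this hunk.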
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 5c2a301..32a1fc1 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -48,10 +48,10 @@ import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.common.ProviderBackendContext;
import org.apache.sentry.provider.common.GroupMappingService;
import org.apache.sentry.provider.db.generic.SentryGenericProviderBackend;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.tools.GenericPrivilegeConverter;
-import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.sentry.api.generic.thrift.SentryGenericServiceClient;
+import org.apache.sentry.api.generic.thrift.SentryGenericServiceClientFactory;
+import org.apache.sentry.api.common.ApiConstants;
+import org.apache.sentry.api.tools.GenericPrivilegeConverter;
import org.apache.solr.security.AuthorizationResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -110,8 +110,8 @@ public class SolrAuthzBinding implements Closeable {
+ policyEngineName + ", provider backend " + providerBackendName);
// for convenience, set the PrivilegeConverter.
- if (authzConf.get(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) {
- authzConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER,
+ if (authzConf.get(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) {
+ authzConf.set(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER,
GenericPrivilegeConverter.class.getName());
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java b/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java
index b7cbd32..539ccc1 100644
--- a/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java
+++ b/sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/binding/SqoopAuthBinding.java
@@ -37,14 +37,14 @@ import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.common.ProviderBackendContext;
import org.apache.sentry.provider.db.generic.SentryGenericProviderBackend;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.db.generic.tools.GenericPrivilegeConverter;
-import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.sentry.api.generic.thrift.SentryGenericServiceClient;
+import org.apache.sentry.api.generic.thrift.SentryGenericServiceClientFactory;
+import org.apache.sentry.api.generic.thrift.TAuthorizable;
+import org.apache.sentry.api.generic.thrift.TSentryGrantOption;
+import org.apache.sentry.api.generic.thrift.TSentryPrivilege;
+import org.apache.sentry.api.generic.thrift.TSentryRole;
+import org.apache.sentry.api.common.ApiConstants;
+import org.apache.sentry.api.tools.GenericPrivilegeConverter;
import org.apache.sentry.sqoop.conf.SqoopAuthConf.AuthzConfVars;
import org.apache.sqoop.common.SqoopException;
import org.apache.sqoop.model.MPrivilege;
@@ -112,8 +112,8 @@ public class SqoopAuthBinding {
}
// for convenience, set the PrivilegeConverter.
- if (authConf.get(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) {
- authConf.set(ServiceConstants.ClientConfig.PRIVILEGE_CONVERTER, GenericPrivilegeConverter.class.getName());
+ if (authConf.get(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER) == null) {
+ authConf.set(ApiConstants.ClientConfig.PRIVILEGE_CONVERTER, GenericPrivilegeConverter.class.getName());
}
//Instantiate the configured providerBackend
http://git-wip-us.apache.org/repos/asf/sentry/blob/af8ea0ac/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/api/common/ApiConstants.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/api/common/ApiConstants.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/api/common/ApiConstants.java
new file mode 100644
index 0000000..6fcf8ab
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/api/common/ApiConstants.java
@@ -0,0 +1,90 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.common;
+
+
+import org.apache.sentry.service.common.ServiceConstants;
+
+public class ApiConstants {
+
+ public static class SentryPolicyServiceConstants {
+ //from SentryPolicyStoreProcessor and SentryGenericPolicyProcessor
+ public static final String SENTRY_GENERIC_SERVICE_NAME = "SentryGenericPolicyService";
+ public static final String SENTRY_POLICY_SERVICE_NAME = "SentryPolicyService";
+ }
+
+ public static class ClientConfig {
+ public static final String SERVER_RPC_PORT = "sentry.service.client.server.rpc-port";
+ public static final int SERVER_RPC_PORT_DEFAULT = ServiceConstants.ServerConfig.RPC_PORT_DEFAULT;
+ public static final String SERVER_RPC_ADDRESS = "sentry.service.client.server.rpc-addresses";
+ public static final String SERVER_RPC_CONN_TIMEOUT = "sentry.service.client.server.rpc-connection-timeout";
+
+ // HA configuration
+ public static final String SENTRY_HA_ZOOKEEPER_QUORUM = ServiceConstants.ServerConfig.SENTRY_HA_ZOOKEEPER_QUORUM;
+ public static final String SENTRY_HA_ZOOKEEPER_NAMESPACE = ServiceConstants.ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE;
+ public static final String SERVER_HA_ZOOKEEPER_NAMESPACE_DEFAULT = ServiceConstants.ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE_DEFAULT;
+
+ // connection pool configuration
+ public static final String SENTRY_POOL_ENABLED = "sentry.service.client.connection.pool.enabled";
+ public static final boolean SENTRY_POOL_ENABLED_DEFAULT = false;
+
+ // commons-pool configuration for pool size
+ public static final String SENTRY_POOL_MAX_TOTAL = "sentry.service.client.connection.pool.max-total";
+ public static final int SENTRY_POOL_MAX_TOTAL_DEFAULT = 8;
+ public static final String SENTRY_POOL_MAX_IDLE = "sentry.service.client.connection.pool.max-idle";
+ public static final int SENTRY_POOL_MAX_IDLE_DEFAULT = 8;
+ public static final String SENTRY_POOL_MIN_IDLE = "sentry.service.client.connection.pool.min-idle";
+ public static final int SENTRY_POOL_MIN_IDLE_DEFAULT = 0;
+
+ // retry num for getting the connection from connection pool
+ public static final String SENTRY_POOL_RETRY_TOTAL = "sentry.service.client.connection.pool.retry-total";
+ public static final int SENTRY_POOL_RETRY_TOTAL_DEFAULT = 3;
+
+ // max message size for thrift messages
+ public static final String SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE = "sentry.policy.client.thrift.max.message.size";
+ public static final long SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT = 100 * 1024 * 1024;
+
+ // client retry settings
+ public static final String RETRY_COUNT_CONF = "sentry.provider.backend.db.retry.count";
+ public static final int RETRY_COUNT_DEFAULT = 3;
+ public static final String RETRY_INTERVAL_SEC_CONF = "sentry.provider.backend.db.retry.interval.seconds";
+ public static final int RETRY_INTERVAL_SEC_DEFAULT = 30;
+
+ // provider backend cache settings
+ public static final String ENABLE_CACHING = "sentry.provider.backend.generic.cache.enabled";
+ public static final boolean ENABLE_CACHING_DEFAULT = false;
+ public static final String CACHE_TTL_MS = "sentry.provider.backend.generic.cache.ttl.ms";
+ public static final long CACHING_TTL_MS_DEFAULT = 30000;
+ public static final String CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE = "sentry.provider.backend.generic.cache.update.failures.count";
+ public static final int CACHE_UPDATE_FAILURES_BEFORE_PRIV_REVOKE_DEFAULT = 3;
+ public static final String PRIVILEGE_CONVERTER = "sentry.provider.backend.generic.privilege.converter";
+
+ public static final String COMPONENT_TYPE = "sentry.provider.backend.generic.component-type";
+ public static final String SERVICE_NAME = "sentry.provider.backend.generic.service-name";
+ }
+
+ /* Privilege operation scope */
+ public enum PrivilegeScope {
+ SERVER,
+ URI,
+ DATABASE,
+ TABLE,
+ COLUMN
+ }
+}
\ No newline at end of file
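Review bot: In `ClientConfig`, two defaults do not carry the name of their key: `CACHE_TTL_MS` is paired with `CACHING_TTL_MS_DEFAULT`, and `SENTRY_HA_ZOOKEEPER_NAMESPACE` with `SERVER_HA_ZOOKEEPER_NAMESPACE_DEFAULT`, unlike for example `ENABLE_CACHING` / `ENABLE_CACHING_DEFAULT`. Since this is a new class, they could be named `CACHE_TTL_MS_DEFAULT` and `SENTRY_HA_ZOOKEEPER_NAMESPACE_DEFAULT` now; if the names were carried over from an existing class, callers outside this hunk would need the same rename. The holder classes are also instantiable and extendable; `public final class ApiConstants` with `private ApiConstants() {}`, and the same on the two nested classes, would make the constants-only intent explicit. The cache group would benefit from a comment such as `// cached privileges may be served for up to CACHE_TTL_MS after a change on the server`, which is what the key names suggest and should be confirmed against the provider backend.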