You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sp...@apache.org on 2018/05/08 05:19:16 UTC
sentry git commit: SENTRY-2215: Remove unused SentryGrantRevokeTask
class (Sergio Pena, reviewed by Na Li, Arjun Mishra)
Repository: sentry
Updated Branches:
refs/heads/master 912b1dbe8 -> 902c90b3f
SENTRY-2215: Remove unused SentryGrantRevokeTask class (Sergio Pena, reviewed by Na Li, Arjun Mishra)
Change-Id: Ia24ab1dc9c706621c1bc7c7c93f97bb438154028
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/902c90b3
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/902c90b3
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/902c90b3
Branch: refs/heads/master
Commit: 902c90b3fa30cb4947258e324917c8a3d74997d7
Parents: 912b1db
Author: Sergio Pena <se...@cloudera.com>
Authored: Mon May 7 22:18:40 2018 -0700
Committer: Sergio Pena <se...@cloudera.com>
Committed: Mon May 7 22:18:40 2018 -0700
----------------------------------------------------------------------
.../sentry-binding-hive-common/pom.xml | 1 -
sentry-binding/sentry-binding-hive/pom.xml | 1 -
.../hive/ql/exec/SentryGrantRevokeTask.java | 741 -------------------
3 files changed, 743 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/902c90b3/sentry-binding/sentry-binding-hive-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-common/pom.xml b/sentry-binding/sentry-binding-hive-common/pom.xml
index e39004b..e154cde 100644
--- a/sentry-binding/sentry-binding-hive-common/pom.xml
+++ b/sentry-binding/sentry-binding-hive-common/pom.xml
@@ -95,7 +95,6 @@ limitations under the License.
<artifactId>mockito-all</artifactId>
<scope>test</scope>
</dependency>
- <!-- required for SentryGrantRevokeTask -->
<dependency>
<groupId>org.apache.sentry</groupId>
<artifactId>sentry-provider-db</artifactId>
http://git-wip-us.apache.org/repos/asf/sentry/blob/902c90b3/sentry-binding/sentry-binding-hive/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/pom.xml b/sentry-binding/sentry-binding-hive/pom.xml
index ccfa9cf..09d75f7de 100644
--- a/sentry-binding/sentry-binding-hive/pom.xml
+++ b/sentry-binding/sentry-binding-hive/pom.xml
@@ -77,7 +77,6 @@ limitations under the License.
<groupId>org.apache.sentry</groupId>
<artifactId>sentry-provider-common</artifactId>
</dependency>
- <!-- required for SentryGrantRevokeTask -->
<dependency>
<groupId>org.apache.sentry</groupId>
<artifactId>sentry-provider-db</artifactId>
http://git-wip-us.apache.org/repos/asf/sentry/blob/902c90b3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
deleted file mode 100644
index 21a6abf..0000000
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
+++ /dev/null
@@ -1,741 +0,0 @@
-package org.apache.hadoop.hive.ql.exec;
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-import java.io.DataOutputStream;
-import java.io.IOException;
-import java.io.OutputStreamWriter;
-import java.io.Serializable;
-import java.net.URISyntaxException;
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.hadoop.fs.FSDataOutputStream;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hive.SentryHiveConstants;
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.metastore.api.PrincipalType;
-import org.apache.hadoop.hive.ql.CompilationOpContext;
-import org.apache.hadoop.hive.ql.DriverContext;
-import org.apache.hadoop.hive.ql.QueryPlan;
-import org.apache.hadoop.hive.ql.QueryState;
-import org.apache.hadoop.hive.ql.hooks.ReadEntity;
-import org.apache.hadoop.hive.ql.hooks.WriteEntity;
-import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
-import org.apache.hadoop.hive.ql.metadata.HiveException;
-import org.apache.hadoop.hive.ql.parse.SemanticException;
-import org.apache.hadoop.hive.ql.plan.DDLWork;
-import org.apache.hadoop.hive.ql.plan.GrantDesc;
-import org.apache.hadoop.hive.ql.plan.GrantRevokeRoleDDL;
-import org.apache.hadoop.hive.ql.plan.HiveOperation;
-import org.apache.hadoop.hive.ql.plan.PrincipalDesc;
-import org.apache.hadoop.hive.ql.plan.PrivilegeDesc;
-import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
-import org.apache.hadoop.hive.ql.plan.RevokeDesc;
-import org.apache.hadoop.hive.ql.plan.RoleDDLDesc;
-import org.apache.hadoop.hive.ql.plan.ShowGrantDesc;
-import org.apache.hadoop.hive.ql.plan.api.StageType;
-import org.apache.hadoop.hive.ql.security.authorization.PrivilegeType;
-import org.apache.hadoop.hive.ql.session.SessionState;
-import org.apache.hadoop.hive.ql.session.SessionState.LogHelper;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.binding.hive.authz.HiveAuthzBindingHookBase;
-import org.apache.sentry.binding.hive.SentryOnFailureHookContext;
-import org.apache.sentry.binding.hive.SentryOnFailureHookContextImpl;
-import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.common.utils.PathUtils;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Column;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.service.thrift.SentryServiceClientFactory;
-import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Preconditions;
-import com.google.common.base.Splitter;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Iterables;
-import com.google.common.collect.Sets;
-
-public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable {
- private static final Logger LOG = LoggerFactory
- .getLogger(SentryGrantRevokeTask.class);
- private static final int RETURN_CODE_SUCCESS = 0;
- private static final int RETURN_CODE_FAILURE = 1;
- private static final Splitter DB_TBL_SPLITTER = Splitter.on(".").omitEmptyStrings().trimResults();
- private static final int separator = Utilities.tabCode;
- private static final int terminator = Utilities.newLineCode;
- private static final long serialVersionUID = -7625118066790571999L;
-
- private HiveConf conf;
- private HiveAuthzBinding hiveAuthzBinding;
- private HiveAuthzConf authzConf;
- private String server;
- private Subject subject;
- private Set<String> subjectGroups;
- private String ipAddress;
- private HiveOperation stmtOperation;
-
- @Override
- public void initialize(QueryState queryState, QueryPlan queryPlan, DriverContext ctx,
- CompilationOpContext opContext) {
- // CompilationOpContext is an unused parameter on the initialize() method.
- super.initialize(queryState, queryPlan, driverContext, null);
- this.conf = queryState.getConf();
- }
-
- @Override
- public int execute(DriverContext driverContext) {
- try (SentryPolicyServiceClient sentryClient =
- SentryServiceClientFactory.create(authzConf)) {
- Preconditions.checkNotNull(hiveAuthzBinding, "HiveAuthzBinding cannot be null");
- Preconditions.checkNotNull(authzConf, "HiveAuthConf cannot be null");
- Preconditions.checkNotNull(subject, "Subject cannot be null");
- server = Preconditions.checkNotNull(authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar()),
- "Config " + AuthzConfVars.AUTHZ_SERVER_NAME.getVar() + " is required");
- try {
- if (work.getRoleDDLDesc() != null) {
- return processRoleDDL(console, sentryClient, subject.getName(),
- hiveAuthzBinding, work.getRoleDDLDesc());
- }
- if (work.getGrantDesc() != null) {
- return processGrantDDL(console, sentryClient,
- subject.getName(), server, work.getGrantDesc());
- }
- if (work.getRevokeDesc() != null) {
- return processRevokeDDL(console, sentryClient,
- subject.getName(), server, work.getRevokeDesc());
- }
- if (work.getShowGrantDesc() != null) {
- return processShowGrantDDL(console, sentryClient, subject.getName(),
- work.getShowGrantDesc());
- }
- if (work.getGrantRevokeRoleDDL() != null) {
- return processGrantRevokeRoleDDL(console, sentryClient,
- subject.getName(), work.getGrantRevokeRoleDDL());
- }
- throw new AssertionError(
- "Unknown command passed to Sentry Grant/Revoke Task");
- } catch (SentryAccessDeniedException e) {
- String csHooks = authzConf.get(
- HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), "")
- .trim();
- SentryOnFailureHookContext hookContext = new SentryOnFailureHookContextImpl(
- queryPlan.getQueryString(), new HashSet<ReadEntity>(),
- new HashSet<WriteEntity>(), stmtOperation,
- null, null, null, null, subject.getName(), ipAddress,
- new AuthorizationException(e), conf);
- HiveAuthzBindingHookBase.runFailureHook(hookContext, csHooks);
- throw e; // rethrow the exception for logging
- }
- } catch(SentryUserException e) {
- setException(new Exception(e.getClass().getSimpleName() + ": " + e.getReason(), e));
- String msg = "Error processing Sentry command: " + e.getReason() + ".";
- if (e instanceof SentryAccessDeniedException) {
- msg += "Please grant admin privilege to " + subject.getName() + ".";
- }
- LOG.error(msg, e);
- console.printError(msg);
- return RETURN_CODE_FAILURE;
- } catch(Throwable e) {
- setException(e);
- String msg = "Error processing Sentry command: " + e.getMessage();
- LOG.error(msg, e);
- console.printError(msg);
- return RETURN_CODE_FAILURE;
- } finally {
- if (hiveAuthzBinding != null) {
- hiveAuthzBinding.close();
- }
- }
- }
-
- public void setAuthzConf(HiveAuthzConf authzConf) {
- Preconditions.checkState(this.authzConf == null,
- "setAuthzConf should only be called once: " + this.authzConf);
- this.authzConf = authzConf;
- }
- public void setHiveAuthzBinding(HiveAuthzBinding hiveAuthzBinding) {
- Preconditions.checkState(this.hiveAuthzBinding == null,
- "setHiveAuthzBinding should only be called once: " + this.hiveAuthzBinding);
- this.hiveAuthzBinding = hiveAuthzBinding;
- }
- public void setSubject(Subject subject) {
- Preconditions.checkState(this.subject == null,
- "setSubject should only be called once: " + this.subject);
- this.subject = subject;
- }
- public void setSubjectGroups(Set<String> subjectGroups) {
- Preconditions.checkState(this.subjectGroups == null,
- "setSubjectGroups should only be called once: " + this.subjectGroups);
- this.subjectGroups = subjectGroups;
- }
-
- public void setIpAddress(String ipAddress) {
- this.ipAddress = ipAddress;
- }
-
- public void setOperation(HiveOperation stmtOperation) {
- this.stmtOperation = stmtOperation;
- }
-
- private int processRoleDDL(LogHelper console,
- SentryPolicyServiceClient sentryClient, String subject,
- HiveAuthzBinding hiveAuthzBinding, RoleDDLDesc desc)
- throws SentryUserException {
- RoleDDLDesc.RoleOperation operation = desc.getOperation();
- DataOutputStream outStream = null;
- String name = desc.getName();
- try {
- if (operation.equals(RoleDDLDesc.RoleOperation.SET_ROLE)) {
- hiveAuthzBinding.setActiveRoleSet(name, sentryClient.listUserRoles(subject));
- return RETURN_CODE_SUCCESS;
- } else if (operation.equals(RoleDDLDesc.RoleOperation.CREATE_ROLE)) {
- sentryClient.createRole(subject, name);
- return RETURN_CODE_SUCCESS;
- } else if (operation.equals(RoleDDLDesc.RoleOperation.DROP_ROLE)) {
- sentryClient.dropRole(subject, name);
- return RETURN_CODE_SUCCESS;
- } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT)) {
- Set<TSentryRole> roles;
- PrincipalType principalType = desc.getPrincipalType();
- if (principalType == PrincipalType.GROUP) {
- roles = sentryClient.listRolesByGroupName(subject, name);
- } else if (principalType == PrincipalType.USER) {
- roles = sentryClient.listRolesByUserName(subject, name);
- } else {
- String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalType;
- throw new HiveException(msg);
- }
- writeToFile(writeRoleGrantsInfo(roles), desc.getResFile());
- return RETURN_CODE_SUCCESS;
- } else if(operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLES)) {
- Set<TSentryRole> roles = sentryClient.listAllRoles(subject);
- writeToFile(writeRolesInfo(roles), desc.getResFile());
- return RETURN_CODE_SUCCESS;
- } else if(operation.equals(RoleDDLDesc.RoleOperation.SHOW_CURRENT_ROLE)) {
- ActiveRoleSet roleSet = hiveAuthzBinding.getActiveRoleSet();
- if( roleSet.isAll()) {
- Set<TSentryRole> roles = sentryClient.listUserRoles(subject);
- writeToFile(writeRolesInfo(roles), desc.getResFile());
- return RETURN_CODE_SUCCESS;
- } else {
- Set<String> roles = roleSet.getRoles();
- writeToFile(writeActiveRolesInfo(roles), desc.getResFile());
- return RETURN_CODE_SUCCESS;
- }
- } else {
- throw new HiveException("Unknown role operation "
- + operation.getOperationName());
- }
- } catch (HiveException e) {
- String msg = "Error in role operation "
- + operation.getOperationName() + " on role name "
- + name + ", error message " + e.getMessage();
- LOG.warn(msg, e);
- console.printError(msg);
- return RETURN_CODE_FAILURE;
- } catch (IOException e) {
- String msg = "IO Error in role operation " + e.getMessage();
- LOG.info(msg, e);
- console.printError(msg);
- return RETURN_CODE_FAILURE;
- } finally {
- closeQuiet(outStream);
- }
- }
-
- private int processGrantDDL(LogHelper console,
- SentryPolicyServiceClient sentryClient, String subject,
- String server, GrantDesc desc) throws SentryUserException {
- return processGrantRevokeDDL(console, sentryClient, subject,
- server, true, desc.getPrincipals(), desc.getPrivileges(),
- desc.getPrivilegeSubjectDesc(), desc.isGrantOption());
- }
-
- // For grant option, we use null to stand for revoke the privilege ignore the grant option
- private int processRevokeDDL(LogHelper console,
- SentryPolicyServiceClient sentryClient, String subject,
- String server, RevokeDesc desc) throws SentryUserException {
- return processGrantRevokeDDL(console, sentryClient, subject,
- server, false, desc.getPrincipals(), desc.getPrivileges(),
- desc.getPrivilegeSubjectDesc(), null);
- }
-
- private int processShowGrantDDL(LogHelper console, SentryPolicyServiceClient sentryClient,
- String subject, ShowGrantDesc desc) throws SentryUserException{
- PrincipalDesc principalDesc = desc.getPrincipalDesc();
- PrivilegeObjectDesc hiveObjectDesc = desc.getHiveObj();
- String principalName = principalDesc.getName();
- Set<TSentryPrivilege> privileges;
-
- try {
- if (principalDesc.getType() != PrincipalType.ROLE) {
- String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalDesc.getType();
- throw new HiveException(msg);
- }
-
- if (hiveObjectDesc == null) {
- privileges = sentryClient.listPrivilegesByRoleName(subject, principalName, null);
- } else {
- SentryHivePrivilegeObjectDesc privSubjectDesc = toSentryHivePrivilegeObjectDesc(hiveObjectDesc);
- List<Authorizable> authorizableHeirarchy = toAuthorizable(privSubjectDesc);
- if (privSubjectDesc.getColumns() != null && !privSubjectDesc.getColumns().isEmpty()) {
- List<List<Authorizable>> ps = parseColumnToAuthorizable(authorizableHeirarchy, privSubjectDesc);
- ImmutableSet.Builder<TSentryPrivilege> pbuilder = new ImmutableSet.Builder<TSentryPrivilege>();
- for (List<Authorizable> p : ps) {
- pbuilder.addAll(sentryClient.listPrivilegesByRoleName(subject, principalName, p));
- }
- privileges = pbuilder.build();
- } else {
- privileges = sentryClient.listPrivilegesByRoleName(subject, principalName, authorizableHeirarchy);
- }
- }
- writeToFile(writeGrantInfo(privileges, principalName), desc.getResFile());
- return RETURN_CODE_SUCCESS;
- } catch (IOException e) {
- String msg = "IO Error in show grant " + e.getMessage();
- LOG.info(msg, e);
- console.printError(msg);
- return RETURN_CODE_FAILURE;
- } catch (HiveException e) {
- String msg = "Error in show grant operation, error message " + e.getMessage();
- LOG.warn(msg, e);
- console.printError(msg);
- return RETURN_CODE_FAILURE;
- }
- }
-
- private List<Authorizable> toAuthorizable(SentryHivePrivilegeObjectDesc privSubjectDesc) throws HiveException{
- List<Authorizable> authorizableHeirarchy = new ArrayList<Authorizable>();
- authorizableHeirarchy.add(new Server(server));
- String dbName = null;
- if (privSubjectDesc.getTable()) {
- DatabaseTable dbTable = parseDBTable(privSubjectDesc.getObject());
- dbName = dbTable.getDatabase();
- String tableName = dbTable.getTable();
- authorizableHeirarchy.add(new Table(tableName));
- authorizableHeirarchy.add(new Database(dbName));
- } else if (privSubjectDesc.getUri()) {
- String uriPath = privSubjectDesc.getObject();
- String warehouseDir = conf.getVar(HiveConf.ConfVars.METASTOREWAREHOUSE);
- try {
- authorizableHeirarchy.add(new AccessURI(PathUtils.parseDFSURI(warehouseDir, uriPath)));
- } catch(URISyntaxException e) {
- throw new HiveException(e.getMessage(), e);
- }
- } else {
- dbName = privSubjectDesc.getObject();
- authorizableHeirarchy.add(new Database(dbName));
- }
- return authorizableHeirarchy;
- }
-
- private List<List<Authorizable>> parseColumnToAuthorizable(List<Authorizable> authorizableHeirarchy,
- SentryHivePrivilegeObjectDesc privSubjectDesc) {
- ImmutableList.Builder<List<Authorizable>> listsBuilder = ImmutableList.builder();
- List<String> cols = privSubjectDesc.getColumns();
- if ( cols != null && !cols.isEmpty() ) {
- for ( String col : cols ) {
- ImmutableList.Builder<Authorizable> listBuilder = ImmutableList.builder();
- listBuilder.addAll(authorizableHeirarchy);
- listBuilder.add(new Column(col));
- listsBuilder.add(listBuilder.build());
- }
- }
- return listsBuilder.build();
- }
-
- private void writeToFile(String data, String file) throws IOException {
- Path resFile = new Path(file);
- FileSystem fs = resFile.getFileSystem(conf);
- FSDataOutputStream out = fs.create(resFile);
- try {
- if (data != null && !data.isEmpty()) {
- try (OutputStreamWriter writer = new OutputStreamWriter(out, "UTF-8")) {
- writer.write(data);
- writer.write((char) terminator);
- writer.flush();
- }
- }
- } finally {
- closeQuiet(out);
- }
- }
-
- private int processGrantRevokeRoleDDL(LogHelper console,
- SentryPolicyServiceClient sentryClient, String subject,
- GrantRevokeRoleDDL desc) throws SentryUserException {
- try {
- boolean grantRole = desc.getGrant();
- List<PrincipalDesc> principals = desc.getPrincipalDesc();
- List<String> roles = desc.getRoles();
- // get principals
- Set<String> groups = Sets.newHashSet();
- Set<String> users = Sets.newHashSet();
- for (PrincipalDesc principal : principals) {
- if (principal.getType() == PrincipalType.GROUP) {
- groups.add(principal.getName());
- } else if (principal.getType() == PrincipalType.USER) {
- users.add(principal.getName());
- } else {
- String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL +
- principal.getType();
- throw new HiveException(msg);
- }
- }
-
- // grant/revoke role to/from principals
- for (String roleName : roles) {
- if (grantRole) {
- if (groups.size() > 0) {
- sentryClient.grantRoleToGroups(subject, roleName, groups);
- }
- if (users.size() > 0) {
- sentryClient.grantRoleToUsers(subject, roleName, users);
- }
- } else {
- if (groups.size() > 0) {
- sentryClient.revokeRoleFromGroups(subject, roleName, groups);
- }
- if (users.size() > 0) {
- sentryClient.revokeRoleFromUsers(subject, roleName, users);
- }
- }
- }
-
- } catch (HiveException e) {
- String msg = "Error in grant/revoke operation, error message " + e.getMessage();
- LOG.warn(msg, e);
- console.printError(msg);
- return RETURN_CODE_FAILURE;
- }
- return RETURN_CODE_SUCCESS;
- }
-
- static String writeGrantInfo(Set<TSentryPrivilege> privileges, String roleName) {
- if (privileges == null || privileges.isEmpty()) {
- return "";
- }
- StringBuilder builder = new StringBuilder();
-
- for (TSentryPrivilege privilege : privileges) {
-
- if (PrivilegeScope.URI.name().equalsIgnoreCase(
- privilege.getPrivilegeScope())) {
- appendNonNull(builder, privilege.getURI(), true);
- } else if(PrivilegeScope.SERVER.name().equalsIgnoreCase(
- privilege.getPrivilegeScope())) {
- appendNonNull(builder, "*", true);//Db column would show * if it is a server level privilege
- } else {
- appendNonNull(builder, privilege.getDbName(), true);
- }
- appendNonNull(builder, privilege.getTableName());
- appendNonNull(builder, null);//getPartValues()
- appendNonNull(builder, privilege.getColumnName());//getColumnName()
- appendNonNull(builder, roleName);//getPrincipalName()
- appendNonNull(builder, "ROLE");//getPrincipalType()
- appendNonNull(builder, privilege.getAction());
- appendNonNull(builder,
- TSentryGrantOption.TRUE.equals(privilege.getGrantOption()));
- appendNonNull(builder, privilege.getCreateTime() * 1000L);
- appendNonNull(builder, "--");
- }
- LOG.info("builder.toString(): " + builder.toString());
- return builder.toString();
- }
-
- static String writeRoleGrantsInfo(Set<TSentryRole> roleGrants) {
- if (roleGrants == null || roleGrants.isEmpty()) {
- return "";
- }
- StringBuilder builder = new StringBuilder();
- for (TSentryRole roleGrant : roleGrants) {
- appendNonNull(builder, roleGrant.getRoleName(), true);
- appendNonNull(builder, false);//isGrantOption()
- appendNonNull(builder, null);//roleGrant.getGrantTime() * 1000L
- appendNonNull(builder, "--");
- }
- return builder.toString();
- }
-
- static String writeRolesInfo(Set<TSentryRole> roles) {
- if (roles == null || roles.isEmpty()) {
- return "";
- }
- StringBuilder builder = new StringBuilder();
- for (TSentryRole roleGrant : roles) {
- appendNonNull(builder, roleGrant.getRoleName(), true);
- }
- return builder.toString();
- }
-
- static String writeActiveRolesInfo(Set<String> roles) {
- if (roles == null || roles.isEmpty()) {
- return "";
- }
- StringBuilder builder = new StringBuilder();
- for (String role : roles) {
- appendNonNull(builder, role, true);
- }
- return builder.toString();
- }
-
- static StringBuilder appendNonNull(StringBuilder builder, Object value) {
- return appendNonNull(builder, value, false);
- }
-
- static StringBuilder appendNonNull(StringBuilder builder, Object value, boolean firstColumn) {
- if (!firstColumn) {
- builder.append((char)separator);
- } else if (builder.length() > 0) {
- builder.append((char)terminator);
- }
- if (value != null) {
- builder.append(value);
- }
- return builder;
- }
-
- private static int processGrantRevokeDDL(LogHelper console,
- SentryPolicyServiceClient sentryClient, String subject, String server,
- boolean isGrant, List<PrincipalDesc> principals,
- List<PrivilegeDesc> privileges, PrivilegeObjectDesc privSubjectObjDesc,
- Boolean grantOption) throws SentryUserException {
- if (privileges == null || privileges.size() == 0) {
- console.printError("No privilege found.");
- return RETURN_CODE_FAILURE;
- }
-
- String dbName = null;
- String tableName = null;
- List<String> columnNames = null;
- String uriPath = null;
- String serverName = null;
- try {
- SentryHivePrivilegeObjectDesc privSubjectDesc = toSentryHivePrivilegeObjectDesc(privSubjectObjDesc);
-
- if (privSubjectDesc == null) {
- throw new HiveException("Privilege subject cannot be null");
- }
- if (privSubjectDesc.getPartSpec() != null) {
- throw new HiveException(SentryHiveConstants.PARTITION_PRIVS_NOT_SUPPORTED);
- }
- String obj = privSubjectDesc.getObject();
- if (privSubjectDesc.getTable()) {
- DatabaseTable dbTable = parseDBTable(obj);
- dbName = dbTable.getDatabase();
- tableName = dbTable.getTable();
- } else if (privSubjectDesc.getUri()) {
- uriPath = privSubjectDesc.getObject();
- } else if (privSubjectDesc.getServer()) {
- serverName = privSubjectDesc.getObject();
- } else {
- dbName = privSubjectDesc.getObject();
- }
- for (PrivilegeDesc privDesc : privileges) {
- List<String> columns = privDesc.getColumns();
- if (columns != null && !columns.isEmpty()) {
- columnNames = columns;
- }
- if (!SentryHiveConstants.ALLOWED_PRIVS.contains(privDesc.getPrivilege().getPriv())) {
- String msg = SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + privDesc.getPrivilege().getPriv();
- throw new HiveException(msg);
- }
- if (columnNames != null && (privDesc.getPrivilege().getPriv().equals(PrivilegeType.INSERT)
- || privDesc.getPrivilege().getPriv().equals(PrivilegeType.ALL))) {
- String msg = SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED
- + privDesc.getPrivilege().getPriv() + " on Column";
- throw new SemanticException(msg);
- }
- }
- for (PrincipalDesc princ : principals) {
- if (princ.getType() != PrincipalType.ROLE) {
- String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + princ.getType();
- throw new HiveException(msg);
- }
- for (PrivilegeDesc privDesc : privileges) {
- if (isGrant) {
- if (serverName != null) {
- sentryClient.grantServerPrivilege(subject, princ.getName(), serverName,
- toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
- } else if (uriPath != null) {
- sentryClient.grantURIPrivilege(subject, princ.getName(), server, uriPath, grantOption);
- } else if (tableName == null) {
- sentryClient.grantDatabasePrivilege(subject, princ.getName(), server, dbName,
- toDbSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
- } else if (columnNames == null) {
- sentryClient.grantTablePrivilege(subject, princ.getName(), server, dbName,
- tableName, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
- } else {
- sentryClient.grantColumnsPrivileges(subject, princ.getName(), server, dbName,
- tableName, columnNames, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
- }
- } else {
- if (serverName != null) {
- sentryClient.revokeServerPrivilege(subject, princ.getName(), serverName,
- toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
- } else if (uriPath != null) {
- sentryClient.revokeURIPrivilege(subject, princ.getName(), server, uriPath, grantOption);
- } else if (tableName == null) {
- sentryClient.revokeDatabasePrivilege(subject, princ.getName(), server, dbName,
- toDbSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
- } else if (columnNames == null) {
- sentryClient.revokeTablePrivilege(subject, princ.getName(), server, dbName,
- tableName, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
- } else {
- sentryClient.revokeColumnsPrivilege(subject, princ.getName(), server, dbName,
- tableName, columnNames, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
- }
- }
- }
- }
- return RETURN_CODE_SUCCESS;
- } catch (HiveException e) {
- String msg = "Error in grant/revoke operation, error message " + e.getMessage();
- LOG.warn(msg, e);
- console.printError(msg);
- return RETURN_CODE_FAILURE;
- }
- }
-
- private static String toDbSentryAction(PrivilegeType privilegeType) throws SentryUserException{
- switch(privilegeType) {
- case ALL:
- return AccessConstants.ALL;
- case SELECT:
- return AccessConstants.SELECT;
- case INSERT:
- return AccessConstants.INSERT;
- case CREATE:
- return AccessConstants.CREATE;
- case DROP:
- return AccessConstants.DROP;
- case ALTER_METADATA:
- return AccessConstants.ALTER;
- case INDEX:
- return AccessConstants.INDEX;
- case LOCK:
- return AccessConstants.LOCK;
- default:
- throw new SentryUserException("Unknown privilege type: " + privilegeType);
- //Exception is thrown here only for development purposes.
- }
- }
-
- private static SentryHivePrivilegeObjectDesc toSentryHivePrivilegeObjectDesc(PrivilegeObjectDesc privSubjectObjDesc)
- throws HiveException{
- if (!(privSubjectObjDesc instanceof SentryHivePrivilegeObjectDesc)) {
- throw new HiveException(
- "Privilege subject not parsed correctly by Sentry");
- }
- return (SentryHivePrivilegeObjectDesc) privSubjectObjDesc;
- }
-
- private static String toSentryAction(PrivilegeType privilegeType) {
- if (PrivilegeType.ALL.equals(privilegeType)) {
- return AccessConstants.ALL;
- } else {
- return privilegeType.toString();
- }
- }
-
- private static DatabaseTable parseDBTable(String obj) throws HiveException {
- String[] dbTab = Iterables.toArray(DB_TBL_SPLITTER.split(obj), String.class);
- if (dbTab.length == 2) {
- return new DatabaseTable(dbTab[0], dbTab[1]);
- } else if (dbTab.length == 1){
- return new DatabaseTable(SessionState.get().getCurrentDatabase(), obj);
- } else {
- String msg = "Malformed database.table '" + obj + "'";
- throw new HiveException(msg);
- }
- }
-
- private static class DatabaseTable {
- private final String database;
- private final String table;
- public DatabaseTable(String database, String table) {
- this.database = database;
- this.table = table;
- }
- public String getDatabase() {
- return database;
- }
- public String getTable() {
- return table;
- }
- }
-
- /**
- * Close to be used in the try block of a try-catch-finally
- * statement. Returns null so the close/set to null idiom can be
- * completed in a single line.
- */
- private static DataOutputStream close(DataOutputStream out)
- throws IOException {
- if (out != null) {
- out.close();
- }
- return null;
- }
- /**
- * Close to be used in the finally block of a try-catch-finally
- * statement.
- */
- private static void closeQuiet(DataOutputStream out) {
- try {
- close(out);
- } catch (IOException e) {
- LOG.warn("Error closing output stream", e);
- }
- }
-
- @Override
- public boolean requireLock() {
- return false;
- }
-
- @Override
- public StageType getType() {
- return StageType.DDL;
- }
-
- @Override
- public String getName() {
- return "SENTRY";
- }
-}