Posted to commits@sentry.apache.org by co...@apache.org on 2018/04/30 16:35:45 UTC
[9/9] sentry git commit: SENTRY-2207 Refactor out Sentry CLI from
sentry-provider-db into own module. Steve Moist,
reviewed by Colm O hEigeartaigh.
SENTRY-2207 Refactor out Sentry CLI from sentry-provider-db into own module. Steve Moist, reviewed by Colm O hEigeartaigh.
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/6752f14a
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/6752f14a
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/6752f14a
Branch: refs/heads/master
Commit: 6752f14aafad2f9ead0198f2f840db120182b268
Parents: 0668237
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Apr 30 17:34:56 2018 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Apr 30 17:35:33 2018 +0100
----------------------------------------------------------------------
bin/sentryShell | 10 +-
pom.xml | 2 +-
sentry-provider/sentry-provider-db/pom.xml | 13 +
.../generic/SentryGenericProviderBackend.java | 2 +-
.../provider/db/generic/UpdatableCache.java | 2 +-
.../tools/GenericPrivilegeConverter.java | 6 +-
.../tools/PermissionsMigrationToolCommon.java | 348 -----------
.../tools/PermissionsMigrationToolSolr.java | 109 ----
.../generic/tools/SentryConfigToolCommon.java | 152 -----
.../generic/tools/SentryConfigToolIndexer.java | 340 ----------
.../db/generic/tools/SentryConfigToolSolr.java | 264 --------
.../db/generic/tools/SentryShellGeneric.java | 158 -----
.../db/generic/tools/SentryShellIndexer.java | 124 ----
.../tools/TSentryPrivilegeConverter.java | 35 ++
.../tools/command/GenericShellCommand.java | 155 -----
.../command/TSentryPrivilegeConverter.java | 34 -
.../provider/db/tools/SentrySchemaHelper.java | 315 ----------
.../provider/db/tools/SentrySchemaTool.java | 595 ------------------
.../provider/db/tools/SentryShellCommon.java | 284 ---------
.../provider/db/tools/SentryShellHive.java | 118 ----
.../sentry/provider/db/tools/ShellCommand.java | 47 --
.../db/tools/command/hive/CommandUtil.java | 63 --
.../db/tools/command/hive/HiveShellCommand.java | 152 -----
.../tools/TestPermissionsMigrationToolSolr.java | 362 -----------
.../tools/TestSentryConfigToolIndexer.java | 263 --------
.../generic/tools/TestSentryConfigToolSolr.java | 261 --------
.../generic/tools/TestSentryShellIndexer.java | 526 ----------------
.../db/generic/tools/TestSentryShellKafka.java | 550 -----------------
.../db/generic/tools/TestSentryShellSolr.java | 534 ----------------
.../db/generic/tools/TestSentryShellSqoop.java | 532 ----------------
.../provider/db/tools/TestSentrySchemaTool.java | 94 ---
.../provider/db/tools/TestSentryShellHive.java | 613 -------------------
.../src/test/resources/indexer_case.ini | 26 -
.../resources/indexer_config_import_tool.ini | 29 -
.../src/test/resources/indexer_invalid.ini | 21 -
.../src/test/resources/solr_case.ini | 26 -
.../test/resources/solr_config_import_tool.ini | 29 -
.../src/test/resources/solr_invalid.ini | 21 -
sentry-tools/pom.xml | 44 +-
.../main/java/org/apache/sentry/SentryMain.java | 2 +-
.../tools/PermissionsMigrationToolCommon.java | 349 +++++++++++
.../cli/tools/PermissionsMigrationToolSolr.java | 109 ++++
.../cli/tools/SentryConfigToolCommon.java | 152 +++++
.../cli/tools/SentryConfigToolIndexer.java | 341 +++++++++++
.../sentry/cli/tools/SentryConfigToolSolr.java | 265 ++++++++
.../sentry/cli/tools/SentrySchemaHelper.java | 315 ++++++++++
.../sentry/cli/tools/SentrySchemaTool.java | 595 ++++++++++++++++++
.../sentry/cli/tools/SentryShellCommon.java | 284 +++++++++
.../sentry/cli/tools/SentryShellGeneric.java | 157 +++++
.../sentry/cli/tools/SentryShellHive.java | 118 ++++
.../sentry/cli/tools/SentryShellIndexer.java | 124 ++++
.../apache/sentry/cli/tools/ShellCommand.java | 47 ++
.../cli/tools/command/GenericShellCommand.java | 156 +++++
.../cli/tools/command/hive/CommandUtil.java | 63 ++
.../tools/command/hive/HiveShellCommand.java | 152 +++++
.../org/apache/sentry/shell/GroupShell.java | 2 +-
.../org/apache/sentry/shell/PrivsShell.java | 2 +-
.../org/apache/sentry/shell/RolesShell.java | 2 +-
.../org/apache/sentry/shell/TopLevelShell.java | 8 +-
.../tools/TestPermissionsMigrationToolSolr.java | 362 +++++++++++
.../cli/tools/TestSentryConfigToolIndexer.java | 263 ++++++++
.../cli/tools/TestSentryConfigToolSolr.java | 260 ++++++++
.../sentry/cli/tools/TestSentrySchemaTool.java | 113 ++++
.../sentry/cli/tools/TestSentryShellHive.java | 613 +++++++++++++++++++
.../cli/tools/TestSentryShellIndexer.java | 525 ++++++++++++++++
.../sentry/cli/tools/TestSentryShellKafka.java | 549 +++++++++++++++++
.../sentry/cli/tools/TestSentryShellSolr.java | 533 ++++++++++++++++
.../sentry/cli/tools/TestSentryShellSqoop.java | 531 ++++++++++++++++
sentry-tools/src/test/resources/cacerts.jks | Bin 0 -> 954 bytes
.../src/test/resources/indexer_case.ini | 26 +
.../resources/indexer_config_import_tool.ini | 29 +
.../src/test/resources/indexer_invalid.ini | 21 +
sentry-tools/src/test/resources/keystore.jks | Bin 0 -> 2245 bytes
.../src/test/resources/log4j.properties | 34 +
sentry-tools/src/test/resources/solr_case.ini | 26 +
.../test/resources/solr_config_import_tool.ini | 29 +
.../src/test/resources/solr_invalid.ini | 21 +
77 files changed, 7266 insertions(+), 7171 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/bin/sentryShell
----------------------------------------------------------------------
diff --git a/bin/sentryShell b/bin/sentryShell
index 17b1429..140f7ce 100755
--- a/bin/sentryShell
+++ b/bin/sentryShell
@@ -54,15 +54,15 @@ for f in ${SENTRY_HOME}/lib/plugins/*.jar; do
done
args=()
-shell=org.apache.sentry.provider.db.tools.SentryShellHive
+shell=org.apache.sentry.cli.tools.SentryShellHive
# get the type argument for the command
while [ $# -gt 0 ]; do # Until you run out of parameters . . .
if [[ "$1" = "-t" || "$1" = "--type" ]]; then
case $2 in
- "hive") shell=org.apache.sentry.provider.db.tools.SentryShellHive ;;
- "kafka") shell=org.apache.sentry.provider.db.generic.tools.SentryShellGeneric ;;
- "solr") shell=org.apache.sentry.provider.db.generic.tools.SentryShellGeneric ;;
- "sqoop") shell=org.apache.sentry.provider.db.generic.tools.SentryShellGeneric ;;
+ "hive") shell=org.apache.sentry.cli.tools.SentryShellHive ;;
+ "kafka") shell=org.apache.sentry.cli.tools.SentryShellGeneric ;;
+ "solr") shell=org.apache.sentry.cli.tools.SentryShellGeneric ;;
+ "sqoop") shell=org.apache.sentry.cli.tools.SentryShellGeneric ;;
*) echo "Doesn't support the type $2!"; exit 1 ;;
esac
fi
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 16a3838..262a9d8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1048,7 +1048,7 @@ limitations under the License.
<exclude>%regex[org.apache.sentry.provider.db.service.thrift.*.class]</exclude>
<exclude>%regex[org.apache.solr.handler.admin.*.class]</exclude>
<exclude>%regex[org.apache.sentry.provider.db.generic.service.thrift.*.class]</exclude>
- <exclude>%regex[org.apache.sentry.provider.db.generic.tools.*.class]</exclude>
+ <exclude>%regex[org.apache.sentry.cli.tools.*.class]</exclude>
</excludes>
</configuration>
</plugin>
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml
index b8cccfa..369e262 100644
--- a/sentry-provider/sentry-provider-db/pom.xml
+++ b/sentry-provider/sentry-provider-db/pom.xml
@@ -398,6 +398,19 @@ limitations under the License.
</execution>
</executions>
</plugin>
+ <!--This is to export SentryGenericServiceIntegrationBase across Modules -->
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <version>2.2</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>test-jar</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
<pluginManagement>
<plugins>
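Review bot: The added `maven-jar-plugin` execution binds `test-jar` with no restriction, so the published artifact will carry every class and resource under this module's `src/test`, not only `SentryGenericServiceIntegrationBase` as the comment says. Consumers should therefore declare it with `<type>test-jar</type>` and `<scope>test</scope>` so that test fixtures and test-only configuration never reach a runtime classpath; the consuming pom is not in this hunk, so that needs confirming there. The comment could say so directly, e.g. `<!-- Publishes this module's test classes (SentryGenericServiceIntegrationBase) as a test-jar; depend on it with <scope>test</scope> only -->`. The block also hard-codes `<version>2.2</version>` locally; if the parent pom manages a `maven-jar-plugin` version (not visible here), dropping the local `<version>` would keep the build on one reviewed plugin version. The enclosing `<plugins>` element starts outside the hunk.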
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java
index cf552b1..fe0eb07 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/SentryGenericProviderBackend.java
@@ -35,7 +35,7 @@ import org.apache.sentry.provider.common.ProviderBackendContext;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
+import org.apache.sentry.provider.db.generic.tools.TSentryPrivilegeConverter;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java
index edf0934..31fcfc7 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/UpdatableCache.java
@@ -18,7 +18,7 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.provider.common.TableCache;
import org.apache.sentry.provider.db.generic.service.thrift.*;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
+import org.apache.sentry.provider.db.generic.tools.TSentryPrivilegeConverter;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
index 8de543c..82b21ef 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
@@ -1,4 +1,5 @@
-/**
+/*
+ *
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -7,7 +8,7 @@
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
- * http://www.apache.org/licenses/LICENSE-2.0
+ * http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
@@ -48,7 +49,6 @@ import org.apache.sentry.provider.common.AuthorizationComponent;
import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
import org.apache.shiro.config.ConfigurationException;
/**
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java
deleted file mode 100644
index e3d81f8..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java
+++ /dev/null
@@ -1,348 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools;
-
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Optional;
-import java.util.Set;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.Parser;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.core.common.utils.PolicyFiles;
-import org.apache.sentry.core.common.utils.Version;
-import org.apache.sentry.policy.common.PrivilegeUtils;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-import org.apache.shiro.config.Ini;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.Sets;
-import com.google.common.collect.Table;
-
-/**
- * This class provides basic framework required to migrate permissions between different Sentry
- * versions. Individual components (e.g. SOLR, KAFKA) needs to override the this class
- * to provide component specific migration functionality.
- */
-public abstract class PermissionsMigrationToolCommon {
- private static final Logger LOGGER = LoggerFactory.getLogger(PermissionsMigrationToolCommon.class);
- public static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
-
- private Version sourceVersion;
- private Optional<String> confPath = Optional.empty();
- private Optional<String> policyFile = Optional.empty();
- private Optional<String> outputFile = Optional.empty();
- private boolean dryRun = false;
-
- /**
- * @return version of Sentry for which the privileges need to be migrated.
- */
- public final Version getSourceVersion() {
- return sourceVersion;
- }
-
- /**
- * This method returns the name of the component for the migration purpose.
- * @param conf The Sentry configuration
- * @return the name of the component
- */
- protected abstract String getComponent(Configuration conf);
-
-
- /**
- * This method returns the name of the service name for the migration purpose.
- *
- * @param conf The Sentry configuration
- * @return the name of the service
- */
- protected abstract String getServiceName(Configuration conf);
-
- /**
- * Migrate the privileges specified via <code>privileges</code>.
- *
- * @param privileges A collection of privileges to be migrated.
- * @return A collection of migrated privileges
- * An empty collection if migration is not necessary for the specified privileges.
- */
- protected abstract Collection<String> transformPrivileges (Collection<String> privileges);
-
- /**
- * parse arguments
- * <pre>
- * -s,--source Sentry source version
- * -c,--sentry_conf <filepath> sentry config file path
- * -p --policy_file <filepath> sentry (source) policy file path
- * -o --output <filepath> sentry (target) policy file path
- * -d --dry_run provides the output the migration for inspection without
- * making any configuration changes.
- * -h,--help print usage
- * </pre>
- * @param args
- */
- protected boolean parseArgs(String [] args) {
- Options options = new Options();
-
- Option sourceVersionOpt = new Option("s", "source", true, "Source Sentry version");
- sourceVersionOpt.setRequired(true);
- options.addOption(sourceVersionOpt);
-
- Option sentryConfPathOpt = new Option("c", "sentry_conf", true,
- "sentry-site.xml file path (only required in case of Sentry service)");
- sentryConfPathOpt.setRequired(false);
- options.addOption(sentryConfPathOpt);
-
- Option sentryPolicyFileOpt = new Option("p", "policy_file", true,
- "sentry (source) policy file path (only in case of file based Sentry configuration)");
- sentryPolicyFileOpt.setRequired(false);
- options.addOption(sentryPolicyFileOpt);
-
- Option sentryOutputFileOpt = new Option("o", "output", true,
- "sentry (target) policy file path (only in case of file based Sentry configuration)");
- sentryOutputFileOpt.setRequired(false);
- options.addOption(sentryOutputFileOpt);
-
- Option dryRunOpt = new Option("d", "dry_run", false,
- "provides the output the migration for inspection without making actual configuration changes");
- dryRunOpt.setRequired(false);
- options.addOption(dryRunOpt);
-
- // help option
- Option helpOpt = new Option("h", "help", false, "Shell usage");
- helpOpt.setRequired(false);
- options.addOption(helpOpt);
-
- // this Option is parsed first for help option
- Options helpOptions = new Options();
- helpOptions.addOption(helpOpt);
-
- try {
- Parser parser = new GnuParser();
-
- // parse help option first
- CommandLine cmd = parser.parse(helpOptions, args, true);
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("h")) {
- // get the help option, print the usage and exit
- usage(options);
- return false;
- }
- }
-
- // without help option
- cmd = parser.parse(options, args);
-
- String sourceVersionStr = null;
-
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("s")) {
- sourceVersionStr = opt.getValue();
- } else if (opt.getOpt().equals("c")) {
- confPath = Optional.of(opt.getValue());
- } else if (opt.getOpt().equals("p")) {
- policyFile = Optional.of(opt.getValue());
- } else if (opt.getOpt().equals("o")) {
- outputFile = Optional.of(opt.getValue());
- } else if (opt.getOpt().equals("d")) {
- dryRun = true;
- }
- }
-
- sourceVersion = Version.parse(sourceVersionStr);
-
- if (!(confPath.isPresent() || policyFile.isPresent())) {
- System.out.println("Please select either file-based Sentry configuration (-p and -o flags)"
- + " or Sentry service (-c flag) for migration.");
- usage(options);
- return false;
- }
-
- if (confPath.isPresent() && (policyFile.isPresent() || outputFile.isPresent())) {
- System.out.println("In order to migrate service based Sentry configuration,"
- + " do not specify either -p or -o parameters");
- usage(options);
- return false;
- }
-
- if (!confPath.isPresent() && (policyFile.isPresent() ^ outputFile.isPresent())) {
- System.out.println("In order to migrate file based Sentry configuration,"
- + " please make sure to specify both -p and -o parameters.");
- usage(options);
- return false;
- }
-
- } catch (ParseException | java.text.ParseException pe) {
- System.out.println(pe.getMessage());
- usage(options);
- return false;
- }
- return true;
- }
-
- // print usage
- private void usage(Options sentryOptions) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("sentryMigrationTool", sentryOptions);
- }
-
- public void run() throws Exception {
- if (policyFile.isPresent()) {
- migratePolicyFile();
- } else {
- migrateSentryServiceConfig();
- }
- }
-
- private void migrateSentryServiceConfig() throws Exception {
- Configuration conf = getSentryConf();
- String component = getComponent(conf);
- String serviceName = getServiceName(conf);
- GenericPrivilegeConverter converter = new GenericPrivilegeConverter(component, serviceName, false);
-
- // instantiate a client for sentry service. This sets the ugi, so must
- // be done before getting the ugi below.
- try(SentryGenericServiceClient client =
- SentryGenericServiceClientFactory.create(getSentryConf())) {
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- for (TSentryRole r : client.listAllRoles(requestorName, component)) {
- for (TSentryPrivilege p : client.listAllPrivilegesByRoleName(requestorName,
- r.getRoleName(), component, serviceName)) {
-
- String privilegeStr = converter.toString(p);
- Collection<String> privileges = Collections.singleton(privilegeStr);
- Collection<String> migrated = transformPrivileges(privileges);
- if (!migrated.isEmpty()) {
- LOGGER.info("{} For role {} migrating privileges from {} to {}", getDryRunMessage(), r.getRoleName(),
- privileges, migrated);
-
- /*
- * Note that it is not possible to provide transactional (all-or-nothing) behavior for these configuration
- * changes since the Sentry client/server protocol does not support. e.g. under certain failure conditions
- * like crash of Sentry server or network disconnect between client/server, it is possible that the migration
- * can not complete but can also not be rolled back. Hence this migration tool relies on the fact that privilege
- * grant/revoke operations are idempotent and hence re-execution of the migration tool will fix any inconsistency
- * due to such failures.
- **/
- boolean originalPermPresent = false;
- for (String perm : migrated) {
- if (perm.equalsIgnoreCase(privilegeStr)) {
- originalPermPresent = true;
- continue;
- }
- TSentryPrivilege x = converter.fromString(perm);
- LOGGER.info("{} GRANT permission {}", getDryRunMessage(), perm);
- if (!dryRun) {
- client.grantPrivilege(requestorName, r.getRoleName(), component, x);
- }
- }
-
- // Revoke old permission (only if not part of migrated permissions)
- if (!originalPermPresent) {
- LOGGER.info("{} REVOKE permission {}", getDryRunMessage(), privilegeStr);
- if (!dryRun) {
- client.revokePrivilege(requestorName, r.getRoleName(), component, p);
- }
- }
- }
- }
- }
- }
- }
-
- private void migratePolicyFile () throws Exception {
- Configuration conf = getSentryConf();
- Path sourceFile = new Path (policyFile.get());
- SimpleFileProviderBackend policyFileBackend = new SimpleFileProviderBackend(conf, sourceFile);
- ProviderBackendContext ctx = new ProviderBackendContext();
- policyFileBackend.initialize(ctx);
-
- Set<String> roles = Sets.newHashSet();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- policyFileBackend.getGroupRolePrivilegeTable();
-
- Ini output = PolicyFiles.loadFromPath(sourceFile.getFileSystem(conf), sourceFile);
- Ini.Section rolesSection = output.get(PolicyFileConstants.ROLES);
-
- for (String groupName : groupRolePrivilegeTable.rowKeySet()) {
- for (String roleName : policyFileBackend.getRoles(Collections.singleton(groupName), ActiveRoleSet.ALL)) {
- if (!roles.contains(roleName)) {
- // Do the actual migration
- Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
- Collection<String> migrated = transformPrivileges(privileges);
-
- if (!migrated.isEmpty()) {
- LOGGER.info("{} For role {} migrating privileges from {} to {}", getDryRunMessage(),
- roleName, privileges, migrated);
- if (!dryRun) {
- rolesSection.put(roleName, PrivilegeUtils.fromPrivilegeStrings(migrated));
- }
- }
-
- roles.add(roleName);
- }
- }
- }
-
- if (!dryRun) {
- Path targetFile = new Path (outputFile.get());
- PolicyFiles.writeToPath(output, targetFile.getFileSystem(conf), targetFile);
- LOGGER.info("Successfully saved migrated Sentry policy file at {}", outputFile.get());
- }
- }
-
- private String getDryRunMessage() {
- return dryRun ? "[Dry Run]" : "";
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- if (confPath.isPresent()) {
- conf.addResource(new Path(confPath.get()), true);
- }
- return conf;
- }
-
- @VisibleForTesting
- public boolean executeConfigTool(String [] args) throws Exception {
- boolean result = true;
- if (parseArgs(args)) {
- run();
- } else {
- result = false;
- }
- return result;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolSolr.java
deleted file mode 100644
index 5799993..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolSolr.java
+++ /dev/null
@@ -1,109 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools;
-
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.model.solr.validator.SolrPrivilegeValidator;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * This class provides SOLR specific functionality required for migrating Sentry privileges.
- */
-public class PermissionsMigrationToolSolr extends PermissionsMigrationToolCommon {
- private static final Logger LOGGER = LoggerFactory.getLogger(PermissionsMigrationToolSolr.class);
-
-
- @Override
- protected String getComponent(Configuration conf) {
- return "SOLR";
- }
-
- @Override
- protected String getServiceName(Configuration conf) {
- return conf.get(SOLR_SERVICE_NAME, "service1");
- }
-
- @Override
- protected Collection<String> transformPrivileges(Collection<String> privileges) {
- List<String> result = new ArrayList<>();
- boolean migrated = false;
-
- if (getSourceVersion().major == 1) { // Migrate only Sentry 1.x permissions
- for (String p : privileges) {
- SolrPrivilegeValidator v = new SolrPrivilegeValidator();
- v.validate(p, false);
-
- if ("collection".equalsIgnoreCase(v.getEntityType()) && "admin".equalsIgnoreCase(v.getEntityName())) {
- result.add(getPermissionStr("admin", "collections", v.getActionName()));
- result.add(getPermissionStr("admin", "cores", v.getActionName()));
- migrated = true;
- } else if ("collection".equalsIgnoreCase(v.getEntityType()) && "*".equals(v.getEntityName())) {
- result.add(getPermissionStr("admin", "collections", v.getActionName()));
- result.add(getPermissionStr("admin", "cores", v.getActionName()));
- result.add(p);
- migrated = true;
- } else {
- result.add(p);
- }
- }
- }
-
- return migrated ? result : Collections.emptyList();
- }
-
- private String getPermissionStr (String entityType, String entityName, String action) {
- StringBuilder builder = new StringBuilder();
- builder.append(entityType);
- builder.append(SentryConstants.KV_SEPARATOR);
- builder.append(entityName);
- if (action != null) {
- builder.append(SentryConstants.AUTHORIZABLE_SEPARATOR);
- builder.append(SentryConstants.PRIVILEGE_NAME);
- builder.append(SentryConstants.KV_SEPARATOR);
- builder.append(action);
- }
- return builder.toString();
- }
-
- public static void main(String[] args) throws Exception {
- PermissionsMigrationToolSolr solrTool = new PermissionsMigrationToolSolr();
- try {
- solrTool.executeConfigTool(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- String error = "";
- if (current != null && current.getMessage() != null) {
- error = "Message: " + current.getMessage();
- }
- System.out.println("The operation failed. " + error);
- System.exit(1);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java
deleted file mode 100644
index 013e824..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java
+++ /dev/null
@@ -1,152 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.annotations.VisibleForTesting;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.Parser;
-
-abstract public class SentryConfigToolCommon {
- private String policyFile;
- private boolean validate;
- private boolean importPolicy;
- private boolean checkCompat;
- private String confPath;
-
- /**
- * parse arguments
- * <pre>
- * -conf,--sentry_conf <filepath> sentry config file path
- * -p,--policy_ini <arg> policy file path
- * -v,--validate validate policy file
- * -c,--checkcompat check compatibility with service
- * -i,--import import policy file
- * -h,--help print usage
- * </pre>
- * @param args
- */
- protected boolean parseArgs(String [] args) {
- Options options = new Options();
-
- Option globalPolicyPath = new Option("p", "policy_ini", true,
- "Policy file path");
- globalPolicyPath.setRequired(true);
- options.addOption(globalPolicyPath);
-
- Option validateOpt = new Option("v", "validate", false,
- "Validate policy file");
- validateOpt.setRequired(false);
- options.addOption(validateOpt);
-
- Option checkCompatOpt = new Option("c","checkcompat",false,
- "Check compatibility with Sentry Service");
- checkCompatOpt.setRequired(false);
- options.addOption(checkCompatOpt);
-
- Option importOpt = new Option("i", "import", false,
- "Import policy file");
- importOpt.setRequired(false);
- options.addOption(importOpt);
-
- // file path of sentry-site
- Option sentrySitePathOpt = new Option("conf", "sentry_conf", true, "sentry-site file path");
- sentrySitePathOpt.setRequired(true);
- options.addOption(sentrySitePathOpt);
-
- // help option
- Option helpOpt = new Option("h", "help", false, "Shell usage");
- helpOpt.setRequired(false);
- options.addOption(helpOpt);
-
- // this Options is parsed first for help option
- Options helpOptions = new Options();
- helpOptions.addOption(helpOpt);
-
- try {
- Parser parser = new GnuParser();
-
- // parse help option first
- CommandLine cmd = parser.parse(helpOptions, args, true);
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("h")) {
- // get the help option, print the usage and exit
- usage(options);
- return false;
- }
- }
-
- // without help option
- cmd = parser.parse(options, args);
-
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("p")) {
- policyFile = opt.getValue();
- } else if (opt.getOpt().equals("v")) {
- validate = true;
- } else if (opt.getOpt().equals("i")) {
- importPolicy = true;
- } else if (opt.getOpt().equals("c")) {
- checkCompat = true;
- } else if (opt.getOpt().equals("conf")) {
- confPath = opt.getValue();
- }
- }
-
- if (!validate && !importPolicy) {
- throw new IllegalArgumentException("No action specified; at least one of action or import must be specified");
- }
- } catch (ParseException pe) {
- System.out.println(pe.getMessage());
- usage(options);
- return false;
- }
- return true;
- }
-
- // print usage
- private void usage(Options sentryOptions) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("sentryConfigTool", sentryOptions);
- }
-
- public abstract void run() throws Exception;
-
- @VisibleForTesting
- public boolean executeConfigTool(String [] args) throws Exception {
- boolean result = true;
- if (parseArgs(args)) {
- run();
- } else {
- result = false;
- }
- return result;
- }
-
- public String getPolicyFile() { return policyFile; }
- public boolean getValidate() { return validate; }
- public boolean getImportPolicy() { return importPolicy; }
- public boolean getCheckCompat() { return checkCompat; }
- public String getConfPath() { return confPath; }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java
deleted file mode 100644
index a5996a7..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java
+++ /dev/null
@@ -1,340 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-import com.google.common.collect.Table;
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.Options;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.HashMap;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Locale;
-import java.util.Map;
-import java.util.Set;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.provider.common.AuthorizationComponent.HBASE_INDEXER;
-import static org.apache.sentry.service.thrift.ServiceConstants.ClientConfig.SERVICE_NAME;
-
-/**
- * SentryConfigToolIndexer is an administrative tool used to parse a HBase Indexer policy file
- * and add the role, group mappings, and privileges therein to the Sentry service.
- */
-public class SentryConfigToolIndexer {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryConfigToolIndexer.class);
-
- private String policyFile;
- private boolean validate;
- private boolean importPolicy;
- private boolean checkCompat;
- private String confPath;
-
- private String serviceName;
-
-
-
- public String getPolicyFile() { return policyFile; }
-
- public boolean getValidate() { return validate; }
- public boolean getImportPolicy() { return importPolicy; }
- public boolean getCheckCompat() { return checkCompat; }
- public String getConfPath() { return confPath; }
- public String getServiceName() {
- return serviceName;
- }
-
- /**
- * Adds command line options for the tool to the passed Options object. Used to extend existing options.
- * @param options
- */
- public void setupOptions(Options options) {
- Option globalPolicyPath = new Option("f", "policy_ini", true,
- "Policy file path");
- globalPolicyPath.setRequired(false);
- options.addOption(globalPolicyPath);
-
- Option validateOpt = new Option("v", "validate", false,
- "Validate policy file");
- validateOpt.setRequired(false);
- options.addOption(validateOpt);
-
- Option checkCompatOpt = new Option("c","checkcompat",false,
- "Check compatibility with Sentry Service");
- checkCompatOpt.setRequired(false);
- options.addOption(checkCompatOpt);
-
- Option importOpt = new Option("i", "import", false,
- "Import policy file");
- importOpt.setRequired(false);
- options.addOption(importOpt);
-
- }
-
- /**
- * Parses and processes the arguments from the given command line object.
- * @param cmd
- */
- public void parseOptions(CommandLine cmd) {
- boolean isToolActive = false;
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("mgr")) {
- isToolActive = true;
- }
- }
- if (!isToolActive) {
- return;
- }
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("f")) {
- policyFile = opt.getValue();
- } else if (opt.getOpt().equals("v")) {
- validate = true;
- } else if (opt.getOpt().equals("i")) {
- importPolicy = true;
- } else if (opt.getOpt().equals("c")) {
- checkCompat = true;
- } else if (opt.getOpt().equals("conf")) {
- confPath = opt.getValue();
- } else if (opt.getOpt().equals("s")) {
- serviceName = opt.getValue();
- }
- }
- if (policyFile == null) {
- throw new IllegalArgumentException("Missing required option: f");
- }
- if (!validate && !importPolicy) {
- throw new IllegalArgumentException("No action specified; at least one of action or import must be specified");
- }
- }
-
-
- /**
- * Processes the necessary command based on the arguments parsed earlier.
- * @throws Exception
- */
- public void run() throws Exception {
- String component = HBASE_INDEXER;
- Configuration conf = getSentryConf();
-
- String service = conf.get(SERVICE_NAME, getServiceName());
-
- if (service == null) {
- throw new IllegalArgumentException("Service was not defined. Please, use -s command option, or sentry.provider.backend.generic.service-name configuration entry.");
- }
-
- LOGGER.info(String.format("Context: component=%s, service=%s", component, service));
- // instantiate a solr client for sentry service. This sets the ugi, so must
- // be done before getting the ugi below.
- try(SentryGenericServiceClient client =
- SentryGenericServiceClientFactory.create(conf)) {
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- convertINIToSentryServiceCmds(component, service, requestorName, conf, client,
- getPolicyFile(), getValidate(), getImportPolicy(), getCheckCompat());
- }
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(getConfPath()), true);
- return conf;
- }
-
- private void convertINIToSentryServiceCmds(String component,
- String service, String requestorName,
- Configuration conf, SentryGenericServiceClient client,
- String policyFile, boolean validate, boolean importPolicy,
- boolean checkCompat) throws Exception {
-
- //instantiate a file providerBackend for parsing
- LOGGER.info("Reading policy file at: " + policyFile);
- SimpleFileProviderBackend policyFileBackend =
- new SimpleFileProviderBackend(conf, policyFile);
- ProviderBackendContext context = new ProviderBackendContext();
- context.setValidators(IndexerPrivilegeModel.getInstance().getPrivilegeValidators());
- policyFileBackend.initialize(context);
- if (validate) {
- validatePolicy(policyFileBackend);
- }
-
- if (checkCompat) {
- checkCompat(policyFileBackend);
- }
-
- //import the relations about group,role and privilege into the DB store
- Set<String> roles = Sets.newHashSet();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- policyFileBackend.getGroupRolePrivilegeTable();
- GenericPrivilegeConverter converter = new GenericPrivilegeConverter(component, service, false);
-
- for (String groupName : groupRolePrivilegeTable.rowKeySet()) {
- for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
- if (!roles.contains(roleName)) {
- LOGGER.info(dryRunMessage(importPolicy) + "Creating role: " + roleName.toLowerCase(Locale.US));
- if (importPolicy) {
- client.createRoleIfNotExist(requestorName, roleName, component);
- }
- roles.add(roleName);
- }
-
- Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
- if (privileges == null) {
- continue;
- }
- LOGGER.info(dryRunMessage(importPolicy) + "Adding role: " + roleName.toLowerCase(Locale.US) + " to group: " + groupName);
- if (importPolicy) {
- client.grantRoleToGroups(requestorName, roleName, component, Sets.newHashSet(groupName));
- }
-
- for (String permission : privileges) {
- String action = null;
-
- for (String authorizable : AUTHORIZABLE_SPLITTER.
- trimResults().split(permission)) {
- KeyValue kv = new KeyValue(authorizable);
- String key = kv.getKey();
- String value = kv.getValue();
- if ("action".equalsIgnoreCase(key)) {
- action = value;
- }
- }
-
- // Service doesn't support not specifying action
- if (action == null) {
- permission += "->action=" + Action.ALL;
- }
- LOGGER.info(dryRunMessage(importPolicy) + "Adding permission: " + permission + " to role: " + roleName.toLowerCase(Locale.US));
- if (importPolicy) {
- client.grantPrivilege(requestorName, roleName, component, converter.fromString(permission));
- }
- }
- }
- }
- }
-
- private void validatePolicy(ProviderBackend backend) throws Exception {
- try {
- backend.validatePolicy(true);
- } catch (SentryConfigurationException e) {
- printConfigErrorsWarnings(e);
- throw e;
- }
- }
-
- private void printConfigErrorsWarnings(SentryConfigurationException configException) {
- System.out.println(" *** Found configuration problems *** ");
- for (String errMsg : configException.getConfigErrors()) {
- System.out.println("ERROR: " + errMsg);
- }
- for (String warnMsg : configException.getConfigWarnings()) {
- System.out.println("Warning: " + warnMsg);
- }
- }
-
- private void checkCompat(SimpleFileProviderBackend backend) throws Exception {
- Map<String, Set<String>> rolesCaseMapping = new HashMap<String, Set<String>>();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- backend.getGroupRolePrivilegeTable();
-
- for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
- String roleNameLower = roleName.toLowerCase(Locale.US);
- if (!roleName.equals(roleNameLower)) {
- if (!rolesCaseMapping.containsKey(roleNameLower)) {
- rolesCaseMapping.put(roleNameLower, Sets.newHashSet(roleName));
- } else {
- rolesCaseMapping.get(roleNameLower).add(roleName);
- }
- }
- }
-
- List<String> errors = new LinkedList<String>();
- StringBuilder warningString = new StringBuilder();
- if (!rolesCaseMapping.isEmpty()) {
- warningString.append("The following roles names will be lower cased when added to the Sentry Service.\n");
- warningString.append("This will cause document-level security to fail to match the role tokens.\n");
- warningString.append("Role names: ");
- }
- boolean firstWarning = true;
-
- for (Map.Entry<String, Set<String>> entry : rolesCaseMapping.entrySet()) {
- Set<String> caseMapping = entry.getValue();
- if (caseMapping.size() > 1) {
- StringBuilder errorString = new StringBuilder();
- errorString.append("The following (cased) roles map to the same role in the sentry service: ");
- boolean first = true;
- for (String casedRole : caseMapping) {
- errorString.append(first ? "" : ", ");
- errorString.append(casedRole);
- first = false;
- }
- errorString.append(". Role in service: ").append(entry.getKey());
- errors.add(errorString.toString());
- }
-
- for (String casedRole : caseMapping) {
- warningString.append(firstWarning? "" : ", ");
- warningString.append(casedRole);
- firstWarning = false;
- }
- }
-
- for (String error : errors) {
- System.out.println("ERROR: " + error);
- }
- System.out.println("\n");
-
- System.out.println("Warning: " + warningString.toString());
- if (errors.size() > 0) {
- SentryConfigurationException ex =
- new SentryConfigurationException("Compatibility check failure");
- ex.setConfigErrors(errors);
- ex.setConfigWarnings(Lists.<String>asList(warningString.toString(), new String[0]));
- throw ex;
- }
- }
-
- private String dryRunMessage(boolean importPolicy) {
- if (importPolicy) {
- return "";
- } else {
- return "[Dry Run] ";
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
deleted file mode 100644
index 1a4692e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
+++ /dev/null
@@ -1,264 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-import com.google.common.collect.Table;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.model.solr.SolrPrivilegeModel;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.HashMap;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Locale;
-import java.util.Map;
-import java.util.Set;
-
-/**
- * SentryConfigToolSolr is an administrative tool used to parse a Solr policy file
- * and add the role, group mappings, and privileges therein to the Sentry service.
- */
-public class SentryConfigToolSolr extends SentryConfigToolCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryConfigToolSolr.class);
- public static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
-
- @Override
- public void run() throws Exception {
- String component = "SOLR";
- Configuration conf = getSentryConf();
-
- String service = conf.get(SOLR_SERVICE_NAME, "service1");
- // instantiate a solr client for sentry service. This sets the ugi, so must
- // be done before getting the ugi below.
- try(SentryGenericServiceClient client =
- SentryGenericServiceClientFactory.create(conf)) {
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- convertINIToSentryServiceCmds(component, service, requestorName, conf, client,
- getPolicyFile(), getValidate(), getImportPolicy(), getCheckCompat());
- }
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(getConfPath()), true);
- return conf;
- }
-
- /**
- * Convert policy file to solrctl commands -- based on SENTRY-480
- */
- private void convertINIToSentryServiceCmds(String component,
- String service, String requestorName,
- Configuration conf, SentryGenericServiceClient client,
- String policyFile, boolean validate, boolean importPolicy,
- boolean checkCompat) throws Exception {
-
- //instantiate a file providerBackend for parsing
- LOGGER.info("Reading policy file at: " + policyFile);
- SimpleFileProviderBackend policyFileBackend =
- new SimpleFileProviderBackend(conf, policyFile);
- ProviderBackendContext context = new ProviderBackendContext();
- context.setValidators(SolrPrivilegeModel.getInstance().getPrivilegeValidators());
- policyFileBackend.initialize(context);
- if (validate) {
- validatePolicy(policyFileBackend);
- }
-
- if (checkCompat) {
- checkCompat(policyFileBackend);
- }
-
- //import the relations about group,role and privilege into the DB store
- Set<String> roles = Sets.newHashSet();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- policyFileBackend.getGroupRolePrivilegeTable();
- GenericPrivilegeConverter converter = new GenericPrivilegeConverter(component, service, false);
-
- for (String groupName : groupRolePrivilegeTable.rowKeySet()) {
- for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
- if (!roles.contains(roleName)) {
- LOGGER.info(dryRunMessage(importPolicy) + "Creating role: " + roleName.toLowerCase(Locale.US));
- if (importPolicy) {
- client.createRoleIfNotExist(requestorName, roleName, component);
- }
- roles.add(roleName);
- }
-
- Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
- if (privileges == null) {
- continue;
- }
- LOGGER.info(dryRunMessage(importPolicy) + "Adding role: " + roleName.toLowerCase(Locale.US) + " to group: " + groupName);
- if (importPolicy) {
- client.grantRoleToGroups(requestorName, roleName, component, Sets.newHashSet(groupName));
- }
-
- for (String permission : privileges) {
- String action = null;
-
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.
- trimResults().split(permission)) {
- KeyValue kv = new KeyValue(authorizable);
- String key = kv.getKey();
- String value = kv.getValue();
- if ("action".equalsIgnoreCase(key)) {
- action = value;
- }
- }
-
- // Service doesn't support not specifying action
- if (action == null) {
- permission += "->action=" + Action.ALL;
- }
- LOGGER.info(dryRunMessage(importPolicy) + "Adding permission: " + permission + " to role: " + roleName.toLowerCase(Locale.US));
- if (importPolicy) {
- client.grantPrivilege(requestorName, roleName, component, converter.fromString(permission));
- }
- }
- }
- }
- }
-
- private void validatePolicy(ProviderBackend backend) throws Exception {
- try {
- backend.validatePolicy(true);
- } catch (SentryConfigurationException e) {
- printConfigErrorsWarnings(e);
- throw e;
- }
- }
-
- private void printConfigErrorsWarnings(SentryConfigurationException configException) {
- System.out.println(" *** Found configuration problems *** ");
- for (String errMsg : configException.getConfigErrors()) {
- System.out.println("ERROR: " + errMsg);
- }
- for (String warnMsg : configException.getConfigWarnings()) {
- System.out.println("Warning: " + warnMsg);
- }
- }
-
- private void checkCompat(SimpleFileProviderBackend backend) throws Exception {
- Map<String, Set<String>> rolesCaseMapping = new HashMap<String, Set<String>>();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- backend.getGroupRolePrivilegeTable();
-
- for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
- String roleNameLower = roleName.toLowerCase(Locale.US);
- if (!roleName.equals(roleNameLower)) {
- if (!rolesCaseMapping.containsKey(roleNameLower)) {
- rolesCaseMapping.put(roleNameLower, Sets.newHashSet(roleName));
- } else {
- rolesCaseMapping.get(roleNameLower).add(roleName);
- }
- }
- }
-
- List<String> errors = new LinkedList<String>();
- StringBuilder warningString = new StringBuilder();
- if (!rolesCaseMapping.isEmpty()) {
- warningString.append("The following roles names will be lower cased when added to the Sentry Service.\n");
- warningString.append("This will cause document-level security to fail to match the role tokens.\n");
- warningString.append("Role names: ");
- }
- boolean firstWarning = true;
-
- for (Map.Entry<String, Set<String>> entry : rolesCaseMapping.entrySet()) {
- Set<String> caseMapping = entry.getValue();
- if (caseMapping.size() > 1) {
- StringBuilder errorString = new StringBuilder();
- errorString.append("The following (cased) roles map to the same role in the sentry service: ");
- boolean first = true;
- for (String casedRole : caseMapping) {
- errorString.append(first ? "" : ", ");
- errorString.append(casedRole);
- first = false;
- }
- errorString.append(". Role in service: ").append(entry.getKey());
- errors.add(errorString.toString());
- }
-
- for (String casedRole : caseMapping) {
- warningString.append(firstWarning? "" : ", ");
- warningString.append(casedRole);
- firstWarning = false;
- }
- }
-
- for (String error : errors) {
- System.out.println("ERROR: " + error);
- }
- System.out.println("\n");
-
- System.out.println("Warning: " + warningString.toString());
- if (errors.size() > 0) {
- SentryConfigurationException ex =
- new SentryConfigurationException("Compatibility check failure");
- ex.setConfigErrors(errors);
- ex.setConfigWarnings(Lists.<String>asList(warningString.toString(), new String[0]));
- throw ex;
- }
- }
-
- private String dryRunMessage(boolean importPolicy) {
- if (importPolicy) {
- return "";
- } else {
- return "[Dry Run] ";
- }
- }
-
- public static void main(String[] args) throws Exception {
- SentryConfigToolSolr solrTool = new SentryConfigToolSolr();
- try {
- solrTool.executeConfigTool(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- String error = "";
- if (current != null && current.getMessage() != null) {
- error = "Message: " + current.getMessage();
- }
- System.out.println("The operation failed. " + error);
- System.exit(1);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
deleted file mode 100644
index 4487685..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
+++ /dev/null
@@ -1,158 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Sets;
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.provider.common.AuthorizationComponent;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.tools.command.GenericShellCommand;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-import org.apache.sentry.provider.db.tools.ShellCommand;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.List;
-import java.util.Set;
-
-/**
- * SentryShellGeneric is an admin tool, and responsible for the management of repository.
- * The following commands are supported:
- * create role, drop role, add group to role, grant privilege to role,
- * revoke privilege from role, list roles, list privilege for role.
- */
-public class SentryShellGeneric extends SentryShellCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellGeneric.class);
- private static final String KAFKA_SERVICE_NAME = "sentry.service.client.kafka.service.name";
- private static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
- private static final String SQOOP_SERVICE_NAME = "sentry.service.client.sqoop.service.name";
-
- @Override
- public void run() throws Exception {
- String component = getComponent();
- Configuration conf = getSentryConf();
-
- String service = getService(conf);
- try (SentryGenericServiceClient client =
- SentryGenericServiceClientFactory.create(conf)) {
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
- TSentryPrivilegeConverter converter = getPrivilegeConverter(component, service);
- ShellCommand command = new GenericShellCommand(client, component, service, converter);
-
- // check the requestor name
- if (StringUtils.isEmpty(requestorName)) {
- // The exception message will be recorded in log file.
- throw new Exception("The requestor name is empty.");
- }
-
- if (isCreateRole) {
- command.createRole(requestorName, roleName);
- } else if (isDropRole) {
- command.dropRole(requestorName, roleName);
- } else if (isAddRoleGroup) {
- Set<String> groups = Sets.newHashSet(groupName.split(SentryShellCommon.GROUP_SPLIT_CHAR));
- command.grantRoleToGroups(requestorName, roleName, groups);
- } else if (isDeleteRoleGroup) {
- Set<String> groups = Sets.newHashSet(groupName.split(SentryShellCommon.GROUP_SPLIT_CHAR));
- command.revokeRoleFromGroups(requestorName, roleName, groups);
- } else if (isGrantPrivilegeRole) {
- command.grantPrivilegeToRole(requestorName, roleName, privilegeStr);
- } else if (isRevokePrivilegeRole) {
- command.revokePrivilegeFromRole(requestorName, roleName, privilegeStr);
- } else if (isListRole) {
- List<String> roles = command.listRoles(requestorName, groupName);
- for (String role : roles) {
- System.out.println(role);
- }
- } else if (isListPrivilege) {
- List<String> privileges = command.listPrivileges(requestorName, roleName);
- for (String privilege : privileges) {
- System.out.println(privilege);
- }
- } else if (isListGroup) {
- List<String> groups = command.listGroupRoles(requestorName);
- for (String group : groups) {
- System.out.println(group);
- }
- }
- }
- }
-
- protected GenericPrivilegeConverter getPrivilegeConverter(String component, String service) {
- return new GenericPrivilegeConverter(component, service);
- }
-
- protected String getComponent() throws Exception {
- if (type == TYPE.kafka) {
- return AuthorizationComponent.KAFKA;
- } else if (type == TYPE.solr) {
- return "SOLR";
- } else if (type == TYPE.sqoop) {
- return AuthorizationComponent.SQOOP;
- }
-
- throw new Exception("Invalid type specified for SentryShellGeneric: " + type);
- }
-
- protected String getService(Configuration conf) throws Exception {
- if (type == TYPE.kafka) {
- return conf.get(KAFKA_SERVICE_NAME, AuthorizationComponent.KAFKA);
- } else if (type == TYPE.solr) {
- return conf.get(SOLR_SERVICE_NAME, "service1");
- } else if (type == TYPE.sqoop) {
- return conf.get(SQOOP_SERVICE_NAME, "sqoopServer1");
- }
-
- throw new Exception("Invalid type specified for SentryShellGeneric: " + type);
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(confPath), true);
- return conf;
- }
-
- public static void main(String[] args) throws Exception {
- SentryShellGeneric sentryShell = new SentryShellGeneric();
- try {
- sentryShell.executeShell(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- String error = "";
- if (current != null && current.getMessage() != null) {
- error = "Message: " + current.getMessage();
- }
- System.out.println("The operation failed. " + error);
- System.exit(1);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellIndexer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellIndexer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellIndexer.java
deleted file mode 100644
index 5bbe772..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellIndexer.java
+++ /dev/null
@@ -1,124 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- * <p>
- * http://www.apache.org/licenses/LICENSE-2.0
- * <p>
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.OptionGroup;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.hadoop.conf.Configuration;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import static org.apache.sentry.provider.common.AuthorizationComponent.HBASE_INDEXER;
-import static org.apache.sentry.service.thrift.ServiceConstants.ClientConfig.SERVICE_NAME;
-
-/**
- * SentryShellIndexer is an admin tool, and responsible for the management of repository.
- * The following commands are supported:
- * create role, drop role, add group to role, grant privilege to role,
- * revoke privilege from role, list roles, list privilege for role.
- */
-public class SentryShellIndexer extends SentryShellGeneric {
-
- protected boolean isMigration = false;
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellIndexer.class);
-
- private final SentryConfigToolIndexer configTool = new SentryConfigToolIndexer();
-
- @Override
- protected void setupOptions(Options simpleShellOptions) {
- super.setupOptions(simpleShellOptions);
- configTool.setupOptions(simpleShellOptions);
- }
-
- @Override
- protected void parseOptions(CommandLine cmd) throws ParseException {
- super.parseOptions(cmd);
- configTool.parseOptions(cmd);
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("mgr")) {
- isMigration = true;
- }
- }
- }
-
- @Override
- protected OptionGroup getMainOptions() {
- OptionGroup mainOptions = super.getMainOptions();
- Option mgrOpt = new Option("mgr", "migrate", false, "Migrate ini file to Sentry service");
- mgrOpt.setRequired(false);
- mainOptions.addOption(mgrOpt);
- return mainOptions;
- }
-
- /**
- * Processes the necessary command based on the arguments parsed earlier.
- * @throws Exception
- */
- @Override
- public void run() throws Exception {
-
- if (isMigration) {
- configTool.run();
- return;
- }
-
- super.run();
- }
-
- @Override
- protected String getComponent() throws Exception {
- return HBASE_INDEXER;
- }
-
- @Override
- protected String getService(Configuration conf) throws Exception {
- String service = conf.get(SERVICE_NAME, serviceName);
- if (service == null) {
- throw new IllegalArgumentException("Service was not defined. Please, use -s command option, or sentry.provider.backend.generic.service-name configuration entry.");
- }
- return service;
- }
-
- /**
- * Entry-point for Hbase indexer cli tool.
- * @param args
- * @throws Exception
- */
- public static void main(String[] args) throws Exception {
- SentryShellIndexer sentryShell = new SentryShellIndexer();
- try {
- sentryShell.executeShell(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- System.out.println("The operation failed." +
- (current.getMessage() == null ? "" : " Message: " + current.getMessage()));
- System.exit(1);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/TSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/TSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/TSentryPrivilegeConverter.java
new file mode 100644
index 0000000..5e48483
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/TSentryPrivilegeConverter.java
@@ -0,0 +1,35 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+
+public interface TSentryPrivilegeConverter {
+
+ /**
+ * Convert string to privilege
+ */
+ TSentryPrivilege fromString(String privilegeStr) throws SentryUserException;
+
+ /**
+ * Convert privilege to string
+ */
+ String toString(TSentryPrivilege tSentryPrivilege);
+}
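Review bot: The Javadoc on `fromString` in this new interface does not state the contract for malformed input: it describes neither the expected privilege string format nor when `SentryUserException` is thrown. In the `GenericShellCommand` removed by this same commit, the privilege string is passed to `converter.fromString(privilege)` and the result goes straight to `client.grantPrivilege` / `client.revokePrivilege`, so an implementation of this interface is the only client-side validation visible before a grant. I would add `@param privilegeStr the privilege in its string form; implementations must reject input they cannot fully parse` and `@throws SentryUserException if privilegeStr is not a valid privilege`, plus a one-line type-level Javadoc on the interface. Whether the server validates the privilege again is not visible from this page.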
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GenericShellCommand.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GenericShellCommand.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GenericShellCommand.java
deleted file mode 100644
index a792b5c..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GenericShellCommand.java
+++ /dev/null
@@ -1,155 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.db.tools.ShellCommand;
-
-/**
- * The ShellCommand implementation for the Generic clients
- */
-public class GenericShellCommand implements ShellCommand {
-
- private final SentryGenericServiceClient client;
- private final String component;
- private final TSentryPrivilegeConverter converter;
- private final String serviceName;
-
- public GenericShellCommand(SentryGenericServiceClient client, String component, String serviceName,
- TSentryPrivilegeConverter converter) {
- this.client = client;
- this.component = component;
- this.serviceName = serviceName;
- this.converter = converter;
- }
-
- public void createRole(String requestorName, String roleName) throws SentryUserException {
- client.createRole(requestorName, roleName, component);
- }
-
- public void dropRole(String requestorName, String roleName) throws SentryUserException {
- client.dropRole(requestorName, roleName, component);
- }
-
- public void grantPrivilegeToRole(String requestorName, String roleName, String privilege) throws SentryUserException {
- TSentryPrivilege sentryPrivilege = converter.fromString(privilege);
- client.grantPrivilege(requestorName, roleName, component, sentryPrivilege);
- }
-
- public void grantRoleToGroups(String requestorName, String roleName, Set<String> groups) throws SentryUserException {
- client.grantRoleToGroups(requestorName, roleName, component, groups);
- }
-
- public void revokePrivilegeFromRole(String requestorName, String roleName, String privilege) throws SentryUserException {
- TSentryPrivilege sentryPrivilege = converter.fromString(privilege);
- client.revokePrivilege(requestorName, roleName, component, sentryPrivilege);
- }
-
- public void revokeRoleFromGroups(String requestorName, String roleName, Set<String> groups) throws SentryUserException {
- client.revokeRoleFromGroups(requestorName, roleName, component, groups);
- }
-
- public List<String> listRoles(String requestorName, String group) throws SentryUserException {
- Set<TSentryRole> roles;
- if (StringUtils.isEmpty(group)) {
- roles = client.listAllRoles(requestorName, component);
- } else {
- roles = client.listRolesByGroupName(requestorName, group, component);
- }
-
- List<String> result = new ArrayList<>();
- if (roles != null) {
- for (TSentryRole role : roles) {
- result.add(role.getRoleName());
- }
- }
-
- return result;
- }
-
- public List<String> listPrivileges(String requestorName, String roleName) throws SentryUserException {
- Set<TSentryPrivilege> privileges = client
- .listAllPrivilegesByRoleName(requestorName, roleName, component, serviceName);
-
- List<String> result = new ArrayList<>();
- if (privileges != null) {
- for (TSentryPrivilege privilege : privileges) {
- String privilegeStr = converter.toString(privilege);
- result.add(privilegeStr);
- }
- }
-
- return result;
- }
-
- public List<String> listGroupRoles(String requestorName) throws SentryUserException {
- Set<TSentryRole> roles = client.listAllRoles(requestorName, component);
- if (roles == null || roles.isEmpty()) {
- return Collections.emptyList();
- }
-
- // Set of all group names
- Set<String> groupNames = new HashSet<>();
-
- // Map group to set of roles
- Map<String, Set<String>> groupInfo = new HashMap<>();
-
- // Get all group names
- for (TSentryRole role: roles) {
- for (String group : role.getGroups()) {
- groupNames.add(group);
- Set<String> groupRoles = groupInfo.get(group);
- if (groupRoles != null) {
- // Add a new or existing role
- groupRoles.add(role.getRoleName());
- continue;
- }
- // Never seen this group before
- groupRoles = new HashSet<>();
- groupRoles.add(role.getRoleName());
- groupInfo.put(group, groupRoles);
- }
- }
-
- List<String> groups = new ArrayList<>(groupNames);
-
- // Produce printable result as
- // group1 = role1, role2, ...
- // group2 = ...
- List<String> result = new LinkedList<>();
- for (String groupName: groups) {
- result.add(groupName + " = " + StringUtils.join(groupInfo.get(groupName), ", "));
- }
-
- return result;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/6752f14a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java
deleted file mode 100644
index 0bfbc44..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-
-public interface TSentryPrivilegeConverter {
-
- /**
- * Convert string to privilege
- */
- TSentryPrivilege fromString(String privilegeStr) throws SentryUserException;
-
- /**
- * Convert privilege to string
- */
- String toString(TSentryPrivilege tSentryPrivilege);
-}