Posted to commits@sentry.apache.org by co...@apache.org on 2016/07/21 05:55:12 UTC
[18/51] [partial] sentry git commit: SENTRY-1205: Refactor the code
for sentry-provider-db and create sentry-service module(Colin Ma,
reviewed by Dapeng Sun)
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java
deleted file mode 100644
index d75e24b..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentrySchemaTool.java
+++ /dev/null
@@ -1,595 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools;
-
-import java.io.BufferedReader;
-import java.io.BufferedWriter;
-import java.io.File;
-import java.io.FileReader;
-import java.io.FileWriter;
-import java.io.IOException;
-import java.io.PrintStream;
-import java.net.MalformedURLException;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.IllegalFormatException;
-import java.util.List;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.CommandLineParser;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.OptionBuilder;
-import org.apache.commons.cli.OptionGroup;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.io.output.NullOutputStream;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hive.beeline.BeeLine;
-import org.apache.sentry.Command;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
-import org.apache.sentry.provider.db.service.persistent.SentryStoreSchemaInfo;
-import org.apache.sentry.provider.db.tools.SentrySchemaHelper.NestedScriptParser;
-import org.apache.sentry.service.thrift.SentryService;
-import org.apache.sentry.service.thrift.ServiceConstants;
-
-public class SentrySchemaTool {
- private static final String SENTRY_SCRIP_DIR = File.separatorChar + "scripts"
- + File.separatorChar + "sentrystore" + File.separatorChar + "upgrade";
- private String userName = null;
- private String passWord = null;
- private String connectionURL = null;
- private String driver = null;
- private boolean dryRun = false;
- private String dbOpts = null;
- private boolean verbose = false;
- private final Configuration sentryConf;
- private final String dbType;
- private final SentryStoreSchemaInfo sentryStoreSchemaInfo;
-
- public SentrySchemaTool(Configuration sentryConf, String dbType)
- throws SentryUserException, IOException {
- this(System.getenv("SENTRY_HOME") + SENTRY_SCRIP_DIR, sentryConf, dbType);
- }
-
- public SentrySchemaTool(String sentryScripPath, Configuration sentryConf,
- String dbType) throws SentryUserException, IOException {
- if (sentryScripPath == null || sentryScripPath.isEmpty()) {
- throw new SentryUserException("No Sentry script dir provided");
- }
- this.sentryConf = sentryConf;
- this.dbType = dbType;
- this.sentryStoreSchemaInfo = new SentryStoreSchemaInfo(sentryScripPath,
- dbType);
- userName = sentryConf.get(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_USER,
- ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_USER_DEFAULT);
- //Password will be read from Credential provider specified using property
- // CREDENTIAL_PROVIDER_PATH("hadoop.security.credential.provider.path" in sentry-site.xml
- // it falls back to reading directly from sentry-site.xml
- char[] passTmp = sentryConf.getPassword(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_PASS);
- if(passTmp != null) {
- passWord = new String(passTmp);
- } else {
- throw new SentrySiteConfigurationException("Error reading " + ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_PASS);
- }
-
- try {
- connectionURL = getValidConfVar(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_URL);
- if(dbType.equalsIgnoreCase(SentrySchemaHelper.DB_DERBY)) {
- driver = sentryConf.get(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_DRIVER,
- ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_DRIVER_DEFAULT);
- } else {
- driver = getValidConfVar(ServiceConstants.ServerConfig.SENTRY_STORE_JDBC_DRIVER);
- }
- // load required JDBC driver
- Class.forName(driver);
- } catch (IOException e) {
- throw new SentryUserException("Missing property: " + e.getMessage());
- } catch (ClassNotFoundException e) {
- throw new SentryUserException("Failed to load driver", e);
- }
- }
-
- public Configuration getConfiguration() {
- return sentryConf;
- }
-
- public void setUserName(String userName) {
- this.userName = userName;
- }
-
- public void setPassWord(String passWord) {
- this.passWord = passWord;
- }
-
- public void setDryRun(boolean dryRun) {
- this.dryRun = dryRun;
- }
-
- public void setVerbose(boolean verbose) {
- this.verbose = verbose;
- }
-
- public String getDbOpts() {
- return dbOpts;
- }
-
- public void setDbOpts(String dbOpts) {
- this.dbOpts = dbOpts;
- }
-
- private static void printAndExit(Options cmdLineOptions) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("schemaTool", cmdLineOptions);
- System.exit(1);
- }
-
- /***
- * Print Hive version and schema version
- * @throws SentryUserException
- */
- public void showInfo() throws SentryUserException {
- Connection sentryStoreConn = getConnectionToMetastore(true);
- System.out.println("Sentry distribution version:\t "
- + SentryStoreSchemaInfo.getSentryVersion());
- System.out.println("SentryStore schema version:\t "
- + getMetaStoreSchemaVersion(sentryStoreConn));
- }
-
- // read schema version from sentry store
- private String getMetaStoreSchemaVersion(Connection sentryStoreConn)
- throws SentryUserException {
- String versionQuery;
- if (SentrySchemaHelper.getDbCommandParser(dbType).needsQuotedIdentifier()) {
- versionQuery = "select t.\"SCHEMA_VERSION\" from \"SENTRY_VERSION\" t";
- } else {
- versionQuery = "select t.SCHEMA_VERSION from SENTRY_VERSION t";
- }
- try (Statement stmt = sentryStoreConn.createStatement();
- ResultSet res = stmt.executeQuery(versionQuery)) {
- if (!res.next()) {
- throw new SentryUserException("Didn't find version data in sentry store");
- }
- String currentSchemaVersion = res.getString(1);
- sentryStoreConn.close();
- return currentSchemaVersion;
- } catch (SQLException e) {
- throw new SentryUserException("Failed to get schema version.", e);
- }
- }
-
- // test the connection sentry store using the config property
- private void testConnectionToMetastore() throws SentryUserException {
- try (Connection conn = getConnectionToMetastore(true)) {
- conn.close();
- } catch (SQLException e) {
- throw new SentryUserException("Failed to close sentry store connection", e);
- }
- }
-
- /***
- * get JDBC connection to sentry store db
- *
- * @param printInfo print connection parameters
- * @return
- * @throws SentryUserException
- */
- private Connection getConnectionToMetastore(boolean printInfo)
- throws SentryUserException {
- if (printInfo) {
- System.out.println("Sentry store connection URL:\t " + connectionURL);
- System.out.println("Sentry store Connection Driver :\t " + driver);
- System.out.println("Sentry store connection User:\t " + userName);
- }
- if (userName == null || userName.isEmpty()) {
- throw new SentryUserException("UserName empty ");
- }
- try {
- // Connect using the JDBC URL and user/pass from conf
- return DriverManager.getConnection(connectionURL, userName, passWord);
- } catch (SQLException e) {
- throw new SentryUserException("Failed to make connection to Sentry store.", e);
- }
- }
-
- /**
- * check if the current schema version in sentry store matches the Hive version
- * @throws SentryUserException
- */
- public void verifySchemaVersion() throws SentryUserException {
- // don't check version if its a dry run
- if (dryRun) {
- return;
- }
- String newSchemaVersion =
- getMetaStoreSchemaVersion(getConnectionToMetastore(false));
- // verify that the new version is added to schema
- if (!sentryStoreSchemaInfo.getSentrySchemaVersion().equalsIgnoreCase(
- newSchemaVersion)) {
- throw new SentryUserException("Found unexpected schema version "
- + newSchemaVersion);
- }
- }
-
- /**
- * Perform sentry store schema upgrade. extract the current schema version from sentry store
- * @throws SentryUserException
- */
- public void doUpgrade() throws SentryUserException {
- String fromVersion = getMetaStoreSchemaVersion(getConnectionToMetastore(false));
- if (fromVersion == null || fromVersion.isEmpty()) {
- throw new SentryUserException(
- "Schema version not stored in the sentry store. "
- +
- "Metastore schema is too old or corrupt. Try specifying the version manually");
- }
- doUpgrade(fromVersion);
- }
-
- /**
- * Perform sentry store schema upgrade
- *
- * @param fromSchemaVer
- * Existing version of the sentry store. If null, then read from the sentry store
- * @throws SentryUserException
- */
- public void doUpgrade(String fromSchemaVer) throws SentryUserException {
- if (sentryStoreSchemaInfo.getSentrySchemaVersion().equals(fromSchemaVer)) {
- System.out.println("No schema upgrade required from version " + fromSchemaVer);
- return;
- }
- // Find the list of scripts to execute for this upgrade
- List<String> upgradeScripts =
- sentryStoreSchemaInfo.getUpgradeScripts(fromSchemaVer);
- testConnectionToMetastore();
- System.out.println("Starting upgrade sentry store schema from version " +
- fromSchemaVer + " to "
- + sentryStoreSchemaInfo.getSentrySchemaVersion());
- String scriptDir = sentryStoreSchemaInfo.getSentryStoreScriptDir();
- try {
- for (String scriptFile : upgradeScripts) {
- System.out.println("Upgrade script " + scriptFile);
- if (!dryRun) {
- runBeeLine(scriptDir, scriptFile);
- System.out.println("Completed " + scriptFile);
- }
- }
- } catch (IOException eIO) {
- throw new SentryUserException(
- "Upgrade FAILED! Metastore state would be inconsistent !!", eIO);
- }
-
- // Revalidated the new version after upgrade
- verifySchemaVersion();
- }
-
- /**
- * Initialize the sentry store schema to current version
- *
- * @throws SentryUserException
- */
- public void doInit() throws SentryUserException {
- doInit(sentryStoreSchemaInfo.getSentrySchemaVersion());
-
- // Revalidated the new version after upgrade
- verifySchemaVersion();
- }
-
- /**
- * Initialize the sentry store schema
- *
- * @param toVersion
- * If null then current hive version is used
- * @throws SentryUserException
- */
- public void doInit(String toVersion) throws SentryUserException {
- testConnectionToMetastore();
- System.out.println("Starting sentry store schema initialization to " + toVersion);
-
- String initScriptDir = sentryStoreSchemaInfo.getSentryStoreScriptDir();
- String initScriptFile = sentryStoreSchemaInfo.generateInitFileName(toVersion);
-
- try {
- System.out.println("Initialization script " + initScriptFile);
- if (!dryRun) {
- runBeeLine(initScriptDir, initScriptFile);
- System.out.println("Initialization script completed");
- }
- } catch (IOException e) {
- throw new SentryUserException("Schema initialization FAILED!"
- + " Metastore state would be inconsistent !!", e);
- }
- }
-
- // Flatten the nested upgrade script into a buffer
- public static String buildCommand(NestedScriptParser dbCommandParser,
- String scriptDir, String scriptFile) throws IllegalFormatException, IOException {
-
- BufferedReader bfReader =
- new BufferedReader(new FileReader(scriptDir + File.separatorChar + scriptFile));
- String currLine;
- StringBuilder sb = new StringBuilder();
- String currentCommand = null;
- while ((currLine = bfReader.readLine()) != null) {
- currLine = currLine.trim();
- if (currLine.isEmpty()) {
- continue; // skip empty lines
- }
-
- if (currentCommand == null) {
- currentCommand = currLine;
- } else {
- currentCommand = currentCommand + " " + currLine;
- }
- if (dbCommandParser.isPartialCommand(currLine)) {
- // if its a partial line, continue collecting the pieces
- continue;
- }
-
- // if this is a valid executable command then add it to the buffer
- if (!dbCommandParser.isNonExecCommand(currentCommand)) {
- currentCommand = dbCommandParser.cleanseCommand(currentCommand);
-
- if (dbCommandParser.isNestedScript(currentCommand)) {
- // if this is a nested sql script then flatten it
- String currScript = dbCommandParser.getScriptName(currentCommand);
- sb.append(buildCommand(dbCommandParser, scriptDir, currScript));
- } else {
- // Now we have a complete statement, process it
- // write the line to buffer
- sb.append(currentCommand);
- sb.append(System.getProperty("line.separator"));
- }
- }
- currentCommand = null;
- }
- bfReader.close();
- return sb.toString();
- }
-
- // run beeline on the given sentry store scrip, flatten the nested scripts into single file
- private void runBeeLine(String scriptDir, String scriptFile) throws IOException {
- NestedScriptParser dbCommandParser =
- SentrySchemaHelper.getDbCommandParser(dbType);
- dbCommandParser.setDbOpts(getDbOpts());
- // expand the nested script
- String sqlCommands = buildCommand(dbCommandParser, scriptDir, scriptFile);
- File tmpFile = File.createTempFile("schematool", ".sql");
- tmpFile.deleteOnExit();
-
- // write out the buffer into a file. Add beeline commands for autocommit and close
- try (FileWriter fstream = new FileWriter(tmpFile.getPath());
- BufferedWriter out = new BufferedWriter(fstream)) {
-
- out.write("!set Silent " + verbose + System.getProperty("line.separator"));
- out.write("!autocommit on" + System.getProperty("line.separator"));
- out.write("!set Isolation TRANSACTION_READ_COMMITTED"
- + System.getProperty("line.separator"));
- out.write("!set AllowMultiLineCommand false"
- + System.getProperty("line.separator"));
- out.write(sqlCommands);
- out.write("!closeall" + System.getProperty("line.separator"));
- out.close();
- }
- runBeeLine(tmpFile.getPath());
- }
-
- // Generate the beeline args per hive conf and execute the given script
- public void runBeeLine(String sqlScriptFile) throws IOException {
- List<String> argList = new ArrayList<String>();
- argList.add("-u");
- argList.add(connectionURL);
- argList.add("-d");
- argList
- .add(driver);
- argList.add("-n");
- argList.add(userName);
- argList.add("-p");
- argList.add(passWord);
- argList.add("-f");
- argList.add(sqlScriptFile);
-
- BeeLine beeLine = new BeeLine();
- if (!verbose) {
- beeLine.setOutputStream(new PrintStream(new NullOutputStream()));
- // beeLine.getOpts().setSilent(true);
- }
- // beeLine.getOpts().setAllowMultiLineCommand(false);
- // beeLine.getOpts().setIsolation("TRANSACTION_READ_COMMITTED");
- int status = beeLine.begin(argList.toArray(new String[0]), null);
- if (status != 0) {
- throw new IOException("Schema script failed, errorcode " + status);
- }
- }
-
- private String getValidConfVar(String confVar) throws IOException {
- String confVarKey = confVar;
- String confVarValue = sentryConf.get(confVarKey);
- if (confVarValue == null || confVarValue.isEmpty()) {
- throw new IOException("Empty " + confVar);
- }
- return confVarValue;
- }
-
- // Create the required command line options
- @SuppressWarnings("static-access")
- private static void initOptions(Options cmdLineOptions) {
- Option help = new Option("help", "print this message");
- Option upgradeOpt = new Option("upgradeSchema", "Schema upgrade");
- Option upgradeFromOpt = OptionBuilder.withArgName("upgradeFrom").hasArg().
- withDescription("Schema upgrade from a version").
- create("upgradeSchemaFrom");
- Option initOpt = new Option("initSchema", "Schema initialization");
- Option initToOpt = OptionBuilder.withArgName("initTo").hasArg().
- withDescription("Schema initialization to a version").
- create("initSchemaTo");
- Option infoOpt = new Option("info", "Show config and schema details");
-
- OptionGroup optGroup = new OptionGroup();
- optGroup.addOption(upgradeOpt).addOption(initOpt).
- addOption(help).addOption(upgradeFromOpt).
- addOption(initToOpt).addOption(infoOpt);
- optGroup.setRequired(true);
-
- Option userNameOpt = OptionBuilder.withArgName("user")
- .hasArg()
- .withDescription("Override config file user name")
- .create("userName");
- Option passwdOpt = OptionBuilder.withArgName("password")
- .hasArg()
- .withDescription("Override config file password")
- .create("passWord");
- Option dbTypeOpt = OptionBuilder.withArgName("databaseType")
- .hasArg().withDescription("Metastore database type [" +
- SentrySchemaHelper.DB_DERBY + "," +
- SentrySchemaHelper.DB_MYSQL + "," +
- SentrySchemaHelper.DB_ORACLE + "," +
- SentrySchemaHelper.DB_POSTGRACE + "," +
- SentrySchemaHelper.DB_DB2 + "]")
- .create("dbType");
- Option dbOpts = OptionBuilder.withArgName("databaseOpts")
- .hasArgs().withDescription("Backend DB specific options")
- .create("dbOpts");
-
- Option dryRunOpt = new Option("dryRun", "list SQL scripts (no execute)");
- Option verboseOpt = new Option("verbose", "only print SQL statements");
-
- Option configOpt = OptionBuilder.withArgName("confName").hasArgs()
- .withDescription("Sentry Service configuration file").isRequired(true)
- .create(ServiceConstants.ServiceArgs.CONFIG_FILE_LONG);
-
- cmdLineOptions.addOption(help);
- cmdLineOptions.addOption(dryRunOpt);
- cmdLineOptions.addOption(userNameOpt);
- cmdLineOptions.addOption(passwdOpt);
- cmdLineOptions.addOption(dbTypeOpt);
- cmdLineOptions.addOption(verboseOpt);
- cmdLineOptions.addOption(dbOpts);
- cmdLineOptions.addOption(configOpt);
- cmdLineOptions.addOptionGroup(optGroup);
- }
-
- public static class CommandImpl implements Command {
- @Override
- public void run(String[] args) throws Exception {
- CommandLineParser parser = new GnuParser();
- CommandLine line = null;
- String dbType = null;
- String schemaVer = null;
- Options cmdLineOptions = new Options();
- String configFileName = null;
-
- // Argument handling
- initOptions(cmdLineOptions);
- try {
- line = parser.parse(cmdLineOptions, args);
- } catch (ParseException e) {
- System.err.println("SentrySchemaTool:Parsing failed. Reason: "
- + e.getLocalizedMessage());
- printAndExit(cmdLineOptions);
- }
-
- if (line.hasOption("help")) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("schemaTool", cmdLineOptions);
- return;
- }
-
- if (line.hasOption("dbType")) {
- dbType = line.getOptionValue("dbType");
- if (!dbType.equalsIgnoreCase(SentrySchemaHelper.DB_DERBY)
- && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_MYSQL)
- && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_POSTGRACE)
- && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_ORACLE)
- && !dbType.equalsIgnoreCase(SentrySchemaHelper.DB_DB2)) {
- System.err.println("Unsupported dbType " + dbType);
- printAndExit(cmdLineOptions);
- }
- } else {
- System.err.println("no dbType supplied");
- printAndExit(cmdLineOptions);
- }
- if (line.hasOption(ServiceConstants.ServiceArgs.CONFIG_FILE_LONG)) {
- configFileName = line
- .getOptionValue(ServiceConstants.ServiceArgs.CONFIG_FILE_LONG);
- } else {
- System.err.println("no config file specified");
- printAndExit(cmdLineOptions);
- }
- try {
- SentrySchemaTool schemaTool = new SentrySchemaTool(
- SentryService.loadConfig(configFileName), dbType);
-
- if (line.hasOption("userName")) {
- schemaTool.setUserName(line.getOptionValue("userName"));
- }
- if (line.hasOption("passWord")) {
- schemaTool.setPassWord(line.getOptionValue("passWord"));
- }
- if (line.hasOption("dryRun")) {
- schemaTool.setDryRun(true);
- }
- if (line.hasOption("verbose")) {
- schemaTool.setVerbose(true);
- }
- if (line.hasOption("dbOpts")) {
- schemaTool.setDbOpts(line.getOptionValue("dbOpts"));
- }
-
- if (line.hasOption("info")) {
- schemaTool.showInfo();
- } else if (line.hasOption("upgradeSchema")) {
- schemaTool.doUpgrade();
- } else if (line.hasOption("upgradeSchemaFrom")) {
- schemaVer = line.getOptionValue("upgradeSchemaFrom");
- schemaTool.doUpgrade(schemaVer);
- } else if (line.hasOption("initSchema")) {
- schemaTool.doInit();
- } else if (line.hasOption("initSchemaTo")) {
- schemaVer = line.getOptionValue("initSchemaTo");
- schemaTool.doInit(schemaVer);
- } else {
- System.err.println("no valid option supplied");
- printAndExit(cmdLineOptions);
- }
- } catch (SentryUserException e) {
- System.err.println(e);
- if (line.hasOption("verbose")) {
- e.printStackTrace();
- }
- System.err.println("*** Sentry schemaTool failed ***");
- System.exit(1);
- } catch (MalformedURLException e) {
- System.err.println(e);
- if (line.hasOption("verbose")) {
- e.printStackTrace();
- }
- System.err.println("*** Sentry schemaTool failed ***");
- System.exit(1);
- }
- System.out.println("Sentry schemaTool completed");
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
deleted file mode 100644
index 6ddc1de..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
+++ /dev/null
@@ -1,247 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.tools;
-
-import com.google.common.annotations.VisibleForTesting;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.OptionGroup;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.Parser;
-import org.apache.commons.lang.StringUtils;
-
-/**
- * SentryShellCommon provides the function for parsing the argument.
- * For hive model and generic model, child class should be implemented as a sentry admin tool.
- */
-abstract public class SentryShellCommon {
-
- protected String roleName;
- protected String groupName;
- protected String privilegeStr;
- protected String confPath;
- // flag for the command
- protected boolean isCreateRole = false;
- protected boolean isDropRole = false;
- protected boolean isAddRoleGroup = false;
- protected boolean isDeleteRoleGroup = false;
- protected boolean isGrantPrivilegeRole = false;
- protected boolean isRevokePrivilegeRole = false;
- protected boolean isListRole = false;
- protected boolean isListPrivilege = false;
- protected boolean isPrintHelp = false;
- // flag for the parameter check
- protected boolean roleNameRequired = false;
- protected boolean groupNameRequired = false;
- protected boolean privilegeStrRequired = false;
-
- public final static String OPTION_DESC_HELP = "Shell usage";
- public final static String OPTION_DESC_CONF = "sentry-site file path";
- public final static String OPTION_DESC_ROLE_NAME = "Role name";
- public final static String OPTION_DESC_GROUP_NAME = "Group name";
- public final static String OPTION_DESC_PRIVILEGE = "Privilege string";
- public final static String PREFIX_MESSAGE_MISSING_OPTION = "Missing required option: ";
-
- public final static String GROUP_SPLIT_CHAR = ",";
-
- /**
- * parse arguments
- *
- * <pre>
- * -conf,--sentry_conf <filepath> sentry config file path
- * -cr,--create_role -r <rolename> create role
- * -dr,--drop_role -r <rolename> drop role
- * -arg,--add_role_group -r <rolename> -g <groupname> add role to group
- * -drg,--delete_role_group -r <rolename> -g <groupname> delete role from group
- * -gpr,--grant_privilege_role -r <rolename> -p <privilege> grant privilege to role
- * -rpr,--revoke_privilege_role -r <rolename> -p <privilege> revoke privilege from role
- * -lr,--list_role -g <groupname> list roles for group
- * -lp,--list_privilege -r <rolename> list privilege for role
- * -t,--type <typeame> the shell for hive model or generic model
- * </pre>
- *
- * @param args
- */
- protected boolean parseArgs(String[] args) {
- Options simpleShellOptions = new Options();
-
- Option crOpt = new Option("cr", "create_role", false, "Create role");
- crOpt.setRequired(false);
-
- Option drOpt = new Option("dr", "drop_role", false, "Drop role");
- drOpt.setRequired(false);
-
- Option argOpt = new Option("arg", "add_role_group", false, "Add role to group");
- argOpt.setRequired(false);
-
- Option drgOpt = new Option("drg", "delete_role_group", false, "Delete role from group");
- drgOpt.setRequired(false);
-
- Option gprOpt = new Option("gpr", "grant_privilege_role", false, "Grant privilege to role");
- gprOpt.setRequired(false);
-
- Option rprOpt = new Option("rpr", "revoke_privilege_role", false, "Revoke privilege from role");
- rprOpt.setRequired(false);
-
- Option lrOpt = new Option("lr", "list_role", false, "List role");
- lrOpt.setRequired(false);
-
- Option lpOpt = new Option("lp", "list_privilege", false, "List privilege");
- lpOpt.setRequired(false);
-
- // required args group
- OptionGroup simpleShellOptGroup = new OptionGroup();
- simpleShellOptGroup.addOption(crOpt);
- simpleShellOptGroup.addOption(drOpt);
- simpleShellOptGroup.addOption(argOpt);
- simpleShellOptGroup.addOption(drgOpt);
- simpleShellOptGroup.addOption(gprOpt);
- simpleShellOptGroup.addOption(rprOpt);
- simpleShellOptGroup.addOption(lrOpt);
- simpleShellOptGroup.addOption(lpOpt);
- simpleShellOptGroup.setRequired(true);
- simpleShellOptions.addOptionGroup(simpleShellOptGroup);
-
- // optional args
- Option pOpt = new Option("p", "privilege", true, OPTION_DESC_PRIVILEGE);
- pOpt.setRequired(false);
- simpleShellOptions.addOption(pOpt);
-
- Option gOpt = new Option("g", "groupname", true, OPTION_DESC_GROUP_NAME);
- gOpt.setRequired(false);
- simpleShellOptions.addOption(gOpt);
-
- Option rOpt = new Option("r", "rolename", true, OPTION_DESC_ROLE_NAME);
- rOpt.setRequired(false);
- simpleShellOptions.addOption(rOpt);
-
- // this argument should be parsed in the bin/sentryShell
- Option tOpt = new Option("t", "type", true, "[hive|solr|sqoop|.....]");
- tOpt.setRequired(false);
- simpleShellOptions.addOption(tOpt);
-
- // file path of sentry-site
- Option sentrySitePathOpt = new Option("conf", "sentry_conf", true, OPTION_DESC_CONF);
- sentrySitePathOpt.setRequired(true);
- simpleShellOptions.addOption(sentrySitePathOpt);
-
- // help option
- Option helpOpt = new Option("h", "help", false, OPTION_DESC_HELP);
- helpOpt.setRequired(false);
- simpleShellOptions.addOption(helpOpt);
-
- // this Options is parsed first for help option
- Options helpOptions = new Options();
- helpOptions.addOption(helpOpt);
-
- try {
- Parser parser = new GnuParser();
-
- // parse help option first
- CommandLine cmd = parser.parse(helpOptions, args, true);
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("h")) {
- // get the help option, print the usage and exit
- usage(simpleShellOptions);
- return false;
- }
- }
-
- // without help option
- cmd = parser.parse(simpleShellOptions, args);
-
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("p")) {
- privilegeStr = opt.getValue();
- } else if (opt.getOpt().equals("g")) {
- groupName = opt.getValue();
- } else if (opt.getOpt().equals("r")) {
- roleName = opt.getValue();
- } else if (opt.getOpt().equals("cr")) {
- isCreateRole = true;
- roleNameRequired = true;
- } else if (opt.getOpt().equals("dr")) {
- isDropRole = true;
- roleNameRequired = true;
- } else if (opt.getOpt().equals("arg")) {
- isAddRoleGroup = true;
- roleNameRequired = true;
- groupNameRequired = true;
- } else if (opt.getOpt().equals("drg")) {
- isDeleteRoleGroup = true;
- roleNameRequired = true;
- groupNameRequired = true;
- } else if (opt.getOpt().equals("gpr")) {
- isGrantPrivilegeRole = true;
- roleNameRequired = true;
- privilegeStrRequired = true;
- } else if (opt.getOpt().equals("rpr")) {
- isRevokePrivilegeRole = true;
- roleNameRequired = true;
- privilegeStrRequired = true;
- } else if (opt.getOpt().equals("lr")) {
- isListRole = true;
- } else if (opt.getOpt().equals("lp")) {
- isListPrivilege = true;
- roleNameRequired = true;
- } else if (opt.getOpt().equals("conf")) {
- confPath = opt.getValue();
- }
- }
- checkRequiredParameter(roleNameRequired, roleName, OPTION_DESC_ROLE_NAME);
- checkRequiredParameter(groupNameRequired, groupName, OPTION_DESC_GROUP_NAME);
- checkRequiredParameter(privilegeStrRequired, privilegeStr, OPTION_DESC_PRIVILEGE);
- } catch (ParseException pe) {
- System.out.println(pe.getMessage());
- usage(simpleShellOptions);
- return false;
- }
- return true;
- }
-
- private void checkRequiredParameter(boolean isRequired, String paramValue, String paramName) throws ParseException {
- if (isRequired && StringUtils.isEmpty(paramValue)) {
- throw new ParseException(PREFIX_MESSAGE_MISSING_OPTION + paramName);
- }
- }
-
- // print usage
- private void usage(Options sentryOptions) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("sentryShell", sentryOptions);
- }
-
- // hive model and generic model should implement this method
- public abstract void run() throws Exception;
-
- @VisibleForTesting
- public boolean executeShell(String[] args) throws Exception {
- boolean result = true;
- if (parseArgs(args)) {
- run();
- } else {
- result = false;
- }
- return result;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
deleted file mode 100644
index dc7f829..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
+++ /dev/null
@@ -1,98 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.tools;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.tools.command.hive.*;
-import org.apache.sentry.service.thrift.SentryServiceClientFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * SentryShellHive is an admin tool, and responsible for the management of repository.
- * The following function are supported:
- * create role, drop role, add group to role, delete group from role, grant privilege to role,
- * revoke privilege from role, list roles for group, list privilege for role.
- */
-public class SentryShellHive extends SentryShellCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellHive.class);
-
- public void run() throws Exception {
- Command command = null;
- SentryPolicyServiceClient client = SentryServiceClientFactory.create(getSentryConf());
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- if (isCreateRole) {
- command = new CreateRoleCmd(roleName);
- } else if (isDropRole) {
- command = new DropRoleCmd(roleName);
- } else if (isAddRoleGroup) {
- command = new GrantRoleToGroupsCmd(roleName, groupName);
- } else if (isDeleteRoleGroup) {
- command = new RevokeRoleFromGroupsCmd(roleName, groupName);
- } else if (isGrantPrivilegeRole) {
- command = new GrantPrivilegeToRoleCmd(roleName, privilegeStr);
- } else if (isRevokePrivilegeRole) {
- command = new RevokePrivilegeFromRoleCmd(roleName, privilegeStr);
- } else if (isListRole) {
- command = new ListRolesCmd(groupName);
- } else if (isListPrivilege) {
- command = new ListPrivilegesCmd(roleName);
- }
-
- // check the requestor name
- if (StringUtils.isEmpty(requestorName)) {
- // The exception message will be recoreded in log file.
- throw new Exception("The requestor name is empty.");
- }
-
- if (command != null) {
- command.execute(client, requestorName);
- }
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(confPath));
- return conf;
- }
-
- public static void main(String[] args) throws Exception {
- SentryShellHive sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- System.out.println("The operation failed." +
- (current.getMessage() == null ? "" : " Message: " + current.getMessage()));
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
deleted file mode 100644
index 79aed49..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-
-/**
- * The interface for all admin commands, eg, CreateRoleCmd.
- */
-public interface Command {
- void execute(SentryPolicyServiceClient client, String requestorName) throws Exception;
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
deleted file mode 100644
index 51ee9ef..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
+++ /dev/null
@@ -1,119 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.service.thrift.ServiceConstants;
-
-public final class CommandUtil {
-
- public static final String SPLIT_CHAR = ",";
-
- private CommandUtil() {
- // Make constructor private to avoid instantiation
- }
-
- // parse the privilege in String and get the TSentryPrivilege as result
- public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) throws Exception {
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue tempKV = new KeyValue(authorizable);
- String key = tempKV.getKey();
- String value = tempKV.getValue();
-
- if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setServerName(value);
- } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setDbName(value);
- } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setTableName(value);
- } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setColumnName(value);
- } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setURI(value);
- tSentryPrivilege.setAction(AccessConstants.ALL);
- } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setAction(value);
- } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) {
- TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE
- : TSentryGrantOption.FALSE;
- tSentryPrivilege.setGrantOption(grantOption);
- }
- }
- tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege));
- validatePrivilegeHierarchy(tSentryPrivilege);
- return tSentryPrivilege;
- }
-
- // for the different hierarchy for hive:
- // 1: server->url
- // 2: server->database->table->column
- // if both of them are found in the privilege string, the privilege scope will be set as
- // PrivilegeScope.URI
- private static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) {
- ServiceConstants.PrivilegeScope privilegeScope = ServiceConstants.PrivilegeScope.SERVER;
- if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) {
- privilegeScope = ServiceConstants.PrivilegeScope.URI;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) {
- privilegeScope = ServiceConstants.PrivilegeScope.COLUMN;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) {
- privilegeScope = ServiceConstants.PrivilegeScope.TABLE;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) {
- privilegeScope = ServiceConstants.PrivilegeScope.DATABASE;
- }
- return privilegeScope.toString();
- }
-
- // check the privilege value for the specific privilege scope
- // eg, for the table scope, server and database can't be empty
- private static void validatePrivilegeHierarchy(TSentryPrivilege tSentryPrivilege) throws Exception {
- String serverName = tSentryPrivilege.getServerName();
- String dbName = tSentryPrivilege.getDbName();
- String tableName = tSentryPrivilege.getTableName();
- String columnName = tSentryPrivilege.getColumnName();
- String uri = tSentryPrivilege.getURI();
- if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- if (StringUtils.isEmpty(serverName)) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(uri)) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)
- || StringUtils.isEmpty(tableName)) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())
- && (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)
- || StringUtils.isEmpty(tableName) || StringUtils.isEmpty(columnName))) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
deleted file mode 100644
index 5a4834a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-
-/**
- * The class for admin command to create role.
- */
-public class CreateRoleCmd implements Command {
-
- private String roleName;
-
- public CreateRoleCmd(String roleName) {
- this.roleName = roleName;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- client.createRole(requestorName, roleName);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
deleted file mode 100644
index facec0e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-
-/**
- * The class for admin command to drop role.
- */
-public class DropRoleCmd implements Command {
-
- private String roleName;
-
- public DropRoleCmd(String roleName) {
- this.roleName = roleName;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- client.dropRole(requestorName, roleName);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
deleted file mode 100644
index e3d06a9..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
+++ /dev/null
@@ -1,41 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-
-/**
- * The class for admin command to grant privilege to role.
- */
-public class GrantPrivilegeToRoleCmd implements Command {
-
- private String roleName;
- private String privilegeStr;
-
- public GrantPrivilegeToRoleCmd(String roleName, String privilegeStr) {
- this.roleName = roleName;
- this.privilegeStr = privilegeStr;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
- client.grantPrivilege(requestorName, roleName, tSentryPrivilege);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
deleted file mode 100644
index 07a3de4..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import com.google.common.collect.Sets;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-
-import java.util.Set;
-
-/**
- * The class for admin command to grant role to group.
- */
-public class GrantRoleToGroupsCmd implements Command {
-
- private String roleName;
- private String groupNamesStr;
-
- public GrantRoleToGroupsCmd(String roleName, String groupNamesStr) {
- this.roleName = roleName;
- this.groupNamesStr = groupNamesStr;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- Set<String> groups = Sets.newHashSet(groupNamesStr.split(SentryShellCommon.GROUP_SPLIT_CHAR));
- client.grantRoleToGroups(requestorName, roleName, groups);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
deleted file mode 100644
index 5f3e9fb..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import com.google.common.collect.Lists;
-import org.apache.commons.lang.StringUtils;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-
-import java.util.List;
-import java.util.Set;
-
-/**
- * The class for admin command to list privileges.
- */
-public class ListPrivilegesCmd implements Command {
-
- private String roleName;
-
- public ListPrivilegesCmd(String roleName) {
- this.roleName = roleName;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- Set<TSentryPrivilege> privileges = client
- .listAllPrivilegesByRoleName(requestorName, roleName);
- if (privileges != null) {
- for (TSentryPrivilege privilege : privileges) {
- String privilegeStr = convertToPrivilegeStr(privilege);
- System.out.println(privilegeStr);
- }
- }
- }
-
- // convert TSentryPrivilege to privilege in string
- private String convertToPrivilegeStr(TSentryPrivilege tSentryPrivilege) {
- List<String> privileges = Lists.newArrayList();
- if (tSentryPrivilege != null) {
- String serverName = tSentryPrivilege.getServerName();
- String dbName = tSentryPrivilege.getDbName();
- String tableName = tSentryPrivilege.getTableName();
- String columnName = tSentryPrivilege.getColumnName();
- String uri = tSentryPrivilege.getURI();
- String action = tSentryPrivilege.getAction();
- String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
- : "false");
- if (!StringUtils.isEmpty(serverName)) {
- privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_SERVER_NAME,
- serverName));
- if (!StringUtils.isEmpty(uri)) {
- privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_URI_NAME,
- uri));
- } else if (!StringUtils.isEmpty(dbName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_DATABASE_NAME, dbName));
- if (!StringUtils.isEmpty(tableName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_TABLE_NAME, tableName));
- if (!StringUtils.isEmpty(columnName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_COLUMN_NAME, columnName));
- }
- }
- }
- if (!StringUtils.isEmpty(action)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
- }
- }
- // only append the grant option to privilege string if it's true
- if ("true".equals(grantOption)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
- }
- }
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
deleted file mode 100644
index 283f2c0..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-
-import java.util.Set;
-
-/**
- * The class for admin command to list roles.
- */
-public class ListRolesCmd implements Command {
-
- private String groupName;
-
- public ListRolesCmd(String groupName) {
- this.groupName = groupName;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- Set<TSentryRole> roles;
- if (StringUtils.isEmpty(groupName)) {
- roles = client.listRoles(requestorName);
- } else {
- roles = client.listRolesByGroupName(requestorName, groupName);
- }
- if (roles != null) {
- for (TSentryRole role : roles) {
- System.out.println(role.getRoleName());
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
deleted file mode 100644
index fe6aca5..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
+++ /dev/null
@@ -1,42 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-
-/**
- * The class for admin command to revoke privileges from role.
- */
-public class RevokePrivilegeFromRoleCmd implements Command {
-
- private String roleName;
- private String privilegeStr;
-
- public RevokePrivilegeFromRoleCmd(String roleName, String privilegeStr) {
- this.roleName = roleName;
- this.privilegeStr = privilegeStr;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
- client.revokePrivilege(requestorName, roleName, tSentryPrivilege);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
deleted file mode 100644
index 86773ca..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import com.google.common.collect.Sets;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-
-import java.util.Set;
-
-/**
- * The class for admin command to revoke role from group.
- */
-public class RevokeRoleFromGroupsCmd implements Command {
-
- private String roleName;
- private String groupNamesStr;
-
- public RevokeRoleFromGroupsCmd(String roleName, String groupNamesStr) {
- this.roleName = roleName;
- this.groupNamesStr = groupNamesStr;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- Set<String> groups = Sets.newHashSet(groupNamesStr.split(CommandUtil.SPLIT_CHAR));
- client.revokeRoleFromGroups(requestorName, roleName, groups);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
deleted file mode 100644
index b668b95..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/GSSCallback.java
+++ /dev/null
@@ -1,110 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.util.Arrays;
-import java.util.List;
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.security.sasl.AuthorizeCallback;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.SaslRpcServer;
-import org.apache.sentry.core.common.exception.ConnectionDeniedException;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-
-public class GSSCallback extends SaslRpcServer.SaslGssCallbackHandler {
-
- private final Configuration conf;
- public GSSCallback(Configuration conf) {
- super();
- this.conf = conf;
- }
-
- boolean comparePrincipals(String principal1, String principal2) {
- String[] principalParts1 = SaslRpcServer.splitKerberosName(principal1);
- String[] principalParts2 = SaslRpcServer.splitKerberosName(principal2);
- if (principalParts1.length == 0 || principalParts2.length == 0) {
- return false;
- }
- if (principalParts1.length == principalParts2.length) {
- for (int i=0; i < principalParts1.length; i++) {
- if (!principalParts1[i].equals(principalParts2[i])) {
- return false;
- }
- }
- return true;
- } else {
- return false;
- }
- }
-
- boolean allowConnect(String principal) {
- String allowedPrincipals = conf.get(ServerConfig.ALLOW_CONNECT);
- if (allowedPrincipals == null) {
- return false;
- }
- String principalShortName = getShortName(principal);
- List<String> items = Arrays.asList(allowedPrincipals.split("\\s*,\\s*"));
- for (String item : items) {
- if (comparePrincipals(item, principalShortName)) {
- return true;
- }
- }
- return false;
- }
-
- private String getShortName(String principal) {
- String parts[] = SaslRpcServer.splitKerberosName(principal);
- return parts[0];
- }
-
- @Override
- public void handle(Callback[] callbacks)
- throws UnsupportedCallbackException, ConnectionDeniedException {
- AuthorizeCallback ac = null;
- for (Callback callback : callbacks) {
- if (callback instanceof AuthorizeCallback) {
- ac = (AuthorizeCallback) callback;
- } else {
- throw new UnsupportedCallbackException(callback,
- "Unrecognized SASL GSSAPI Callback");
- }
- }
- if (ac != null) {
- String authid = ac.getAuthenticationID();
- String authzid = ac.getAuthorizationID();
-
- if (allowConnect(authid)) {
- if (authid.equals(authzid)) {
- ac.setAuthorized(true);
- } else {
- ac.setAuthorized(false);
- }
- if (ac.isAuthorized()) {
- ac.setAuthorizedID(authzid);
- }
- } else {
- throw new ConnectionDeniedException(ac,
- "Connection to sentry service denied due to lack of client credentials",
- authid);
- }
- }
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java
deleted file mode 100644
index d97a07e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java
+++ /dev/null
@@ -1,139 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.io.IOException;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-import java.net.InetSocketAddress;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.curator.x.discovery.ServiceInstance;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.service.persistent.HAContext;
-import org.apache.sentry.provider.db.service.persistent.ServiceManager;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Preconditions;
-
-public class HAClientInvocationHandler extends SentryClientInvocationHandler {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(HAClientInvocationHandler.class);
-
- private final Configuration conf;
- private ServiceManager manager;
- private ServiceInstance<Void> currentServiceInstance;
- private SentryPolicyServiceClient client = null;
-
- private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
- public static final String SENTRY_HA_ERROR_MESSAGE = "No Sentry server available. Please ensure that at least one Sentry server is online";
-
- public HAClientInvocationHandler(Configuration conf) throws Exception {
- this.conf = conf;
- checkClientConf();
- }
-
- @Override
- public Object invokeImpl(Object proxy, Method method, Object[] args) throws
- SentryUserException {
- Object result = null;
- try {
- if (!method.isAccessible()) {
- method.setAccessible(true);
- }
- // The client is initialized in the first call instead of constructor.
- // This way we can propagate the connection exception to caller cleanly
- if (client == null) {
- renewSentryClient();
- }
- result = method.invoke(client, args);
- } catch (IllegalAccessException e) {
- throw new SentryUserException(e.getMessage(), e.getCause());
- } catch (InvocationTargetException e) {
- if (e.getTargetException() instanceof SentryUserException) {
- throw (SentryUserException)e.getTargetException();
- } else {
- LOGGER.warn(THRIFT_EXCEPTION_MESSAGE + ": Error in connect current" +
- " service, will retry other service.", e);
- if (client != null) {
- client.close();
- client = null;
- }
- }
- } catch (IOException e1) {
- throw new SentryUserException("Error connecting to sentry service "
- + e1.getMessage(), e1);
- }
- return result;
- }
-
- // Retrieve the new connection endpoint from ZK and connect to new server
- private void renewSentryClient() throws IOException {
- try {
- manager = new ServiceManager(HAContext.getHAContext(conf));
- } catch (Exception e1) {
- throw new IOException("Failed to extract Sentry node info from zookeeper", e1);
- }
-
- try {
- while (true) {
- currentServiceInstance = manager.getServiceInstance();
- if (currentServiceInstance == null) {
- throw new IOException(SENTRY_HA_ERROR_MESSAGE);
- }
- InetSocketAddress serverAddress =
- ServiceManager.convertServiceInstance(currentServiceInstance);
- conf.set(ServiceConstants.ClientConfig.SERVER_RPC_ADDRESS, serverAddress.getHostName());
- conf.setInt(ServiceConstants.ClientConfig.SERVER_RPC_PORT, serverAddress.getPort());
- try {
- client = new SentryPolicyServiceClientDefaultImpl(conf);
- LOGGER.info("Sentry Client using server " + serverAddress.getHostName() +
- ":" + serverAddress.getPort());
- break;
- } catch (IOException e) {
- manager.reportError(currentServiceInstance);
- LOGGER.info("Transport exception while opening transport:", e, e.getMessage());
- }
- }
- } finally {
- manager.close();
- }
- }
-
- private void checkClientConf() {
- if (conf.getBoolean(ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY,
- ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY_DEFAULT)) {
- String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
- ServerConfig.PRINCIPAL + " is required");
- Preconditions.checkArgument(serverPrincipal.contains(SecurityUtil.HOSTNAME_PATTERN),
- ServerConfig.PRINCIPAL + " : " + serverPrincipal + " should contain " + SecurityUtil.HOSTNAME_PATTERN);
- }
- }
-
- @Override
- public void close() {
- if (client != null) {
- client.close();
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
deleted file mode 100644
index a79ce5f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/JaasConfiguration.java
+++ /dev/null
@@ -1,133 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.security.auth.login.AppConfigurationEntry;
-import javax.security.auth.login.Configuration;
-
-/**
- * Creates a programmatic version of a jaas.conf file. This can be used instead of writing a jaas.conf file and setting
- * the system property, "java.security.auth.login.config", to point to that file. It is meant to be used for connecting to
- * ZooKeeper.
- * <p>
- * example usage:
- * JaasConfiguration.addEntry("Client", principal, keytabFile);
- * javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
- */
-public final class JaasConfiguration extends Configuration {
- private static Map<String, AppConfigurationEntry> entries = new HashMap<String, AppConfigurationEntry>();
- private static JaasConfiguration me = null;
- private static final String krb5LoginModuleName;
-
- static {
- if (System.getProperty("java.vendor").contains("IBM")) {
- krb5LoginModuleName = "com.ibm.security.auth.module.Krb5LoginModule";
- }
- else {
- krb5LoginModuleName = "com.sun.security.auth.module.Krb5LoginModule";
- }
- }
-
- private JaasConfiguration() {
- // don't need to do anything here but we want to make it private
- }
-
- /**
- * Return the singleton. You'd typically use it only to do this:
- * <p>
- * javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
- *
- * @return
- */
- public static Configuration getInstance() {
- if (me == null) {
- me = new JaasConfiguration();
- }
- return me;
- }
-
- /**
- * Add an entry to the jaas configuration with the passed in name, principal, and keytab. The other necessary options will be
- * set for you.
- *
- * @param name The name of the entry (e.g. "Client")
- * @param principal The principal of the user
- * @param keytab The location of the keytab
- */
- public static void addEntryForKeytab(String name, String principal, String keytab) {
- Map<String, String> options = new HashMap<String, String>();
- options.put("keyTab", keytab);
- options.put("principal", principal);
- options.put("useKeyTab", "true");
- options.put("storeKey", "true");
- options.put("useTicketCache", "false");
- AppConfigurationEntry entry = new AppConfigurationEntry(krb5LoginModuleName,
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
- entries.put(name, entry);
- }
-
- /**
- * Add an entry to the jaas configuration with the passed in name. The other
- * necessary options will be set for you.
- *
- * @param name The name of the entry (e.g. "Client")
- */
- public static void addEntryForTicketCache(String sectionName) {
- Map<String, String> options = new HashMap<String, String>();
- options.put("useKeyTab", "false");
- options.put("storeKey", "false");
- options.put("useTicketCache", "true");
- AppConfigurationEntry entry = new AppConfigurationEntry(krb5LoginModuleName,
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
- entries.put(sectionName, entry);
- }
-
- /**
- * Removes the specified entry.
- *
- * @param name The name of the entry to remove
- */
- public static void removeEntry(String name) {
- entries.remove(name);
- }
-
- /**
- * Clears all entries.
- */
- public static void clearEntries() {
- entries.clear();
- }
-
- /**
- * Returns the entries map.
- *
- * @return the entries map
- */
- public static Map<String, AppConfigurationEntry> getEntries() {
- return entries;
- }
-
- @Override
- public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
- return new AppConfigurationEntry[]{entries.get(name)};
- }
-}
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
deleted file mode 100644
index 41e4fe4..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
+++ /dev/null
@@ -1,107 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.io.File;
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.security.auth.login.AppConfigurationEntry;
-
-public class KerberosConfiguration extends javax.security.auth.login.Configuration {
- private String principal;
- private String keytab;
- private boolean isInitiator;
- private static final boolean IBM_JAVA = System.getProperty("java.vendor").contains("IBM");
-
- private KerberosConfiguration(String principal, File keytab,
- boolean client) {
- this.principal = principal;
- this.keytab = keytab.getAbsolutePath();
- this.isInitiator = client;
- }
-
- public static javax.security.auth.login.Configuration createClientConfig(String principal,
- File keytab) {
- return new KerberosConfiguration(principal, keytab, true);
- }
-
- public static javax.security.auth.login.Configuration createServerConfig(String principal,
- File keytab) {
- return new KerberosConfiguration(principal, keytab, false);
- }
-
- private static String getKrb5LoginModuleName() {
- return (IBM_JAVA ? "com.ibm.security.auth.module.Krb5LoginModule"
- : "com.sun.security.auth.module.Krb5LoginModule");
- }
-
- @Override
- public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
- Map<String, String> options = new HashMap<String, String>();
-
- if (IBM_JAVA) {
- // IBM JAVA's UseKeytab covers both keyTab and useKeyTab options
- options.put("useKeytab",keytab.startsWith("file://") ? keytab : "file://" + keytab);
-
- options.put("principal", principal);
- options.put("refreshKrb5Config", "true");
-
- // Both "initiator" and "acceptor"
- options.put("credsType", "both");
- } else {
- options.put("keyTab", keytab);
- options.put("principal", principal);
- options.put("useKeyTab", "true");
- options.put("storeKey", "true");
- options.put("doNotPrompt", "true");
- options.put("useTicketCache", "true");
- options.put("renewTGT", "true");
- options.put("refreshKrb5Config", "true");
- options.put("isInitiator", Boolean.toString(isInitiator));
- }
-
- String ticketCache = System.getenv("KRB5CCNAME");
- if (IBM_JAVA) {
- // If cache is specified via env variable, it takes priority
- if (ticketCache != null) {
- // IBM JAVA only respects system property so copy ticket cache to system property
- // The first value searched when "useDefaultCcache" is true.
- System.setProperty("KRB5CCNAME", ticketCache);
- } else {
- ticketCache = System.getProperty("KRB5CCNAME");
- }
-
- if (ticketCache != null) {
- options.put("useDefaultCcache", "true");
- options.put("renewTGT", "true");
- }
- } else {
- if (ticketCache != null) {
- options.put("ticketCache", ticketCache);
- }
- }
- options.put("debug", "true");
-
- return new AppConfigurationEntry[]{
- new AppConfigurationEntry(getKrb5LoginModuleName(),
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
- options)};
- }
-}
-