Posted to commits@sentry.apache.org by sr...@apache.org on 2014/05/31 04:25:03 UTC
[1/2] SENTRY-157: Support filter pushdown in DB Store client to
reduce data transfer from DB Store service ( Arun Suresh via Sravya
Tirukkovalur)
Repository: incubator-sentry
Updated Branches:
refs/heads/master a989b17b4 -> a7b456223
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 7e2323c..a7734df 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -22,7 +22,9 @@ import static org.apache.sentry.provider.common.ProviderConstants.AUTHORIZABLE_J
import static org.apache.sentry.provider.common.ProviderConstants.KV_JOINER;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.HashSet;
+import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Properties;
@@ -39,6 +41,7 @@ import javax.jdo.Transaction;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
import org.apache.sentry.provider.common.ProviderConstants;
import org.apache.sentry.provider.db.SentryAccessDeniedException;
@@ -50,6 +53,7 @@ import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
import org.apache.sentry.provider.db.service.model.MSentryRole;
import org.apache.sentry.provider.db.service.model.MSentryVersion;
import org.apache.sentry.provider.db.service.thrift.TSentryActiveRoleSet;
+import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable;
import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;
@@ -58,7 +62,9 @@ import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
import org.datanucleus.store.rdbms.exceptions.MissingTableException;
import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
+import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import com.google.common.collect.HashMultimap;
import com.google.common.collect.Lists;
@@ -84,7 +90,7 @@ public class SentryStore {
private final PersistenceManagerFactory pmf;
public SentryStore(Configuration conf) throws SentryNoSuchObjectException,
- SentryAccessDeniedException {
+ SentryAccessDeniedException {
commitSequenceId = 0;
Properties prop = new Properties();
prop.putAll(ServerConfig.SENTRY_STORE_DEFAULTS);
@@ -114,7 +120,7 @@ public class SentryStore {
boolean checkSchemaVersion = conf.get(
ServerConfig.SENTRY_VERIFY_SCHEM_VERSION,
ServerConfig.SENTRY_VERIFY_SCHEM_VERSION_DEFAULT).equalsIgnoreCase(
- "true");
+ "true");
if (!checkSchemaVersion) {
prop.setProperty("datanucleus.autoCreateSchema", "true");
prop.setProperty("datanucleus.fixedDatastore", "false");
@@ -126,7 +132,7 @@ public class SentryStore {
// ensure that the backend DB schema is set
private void verifySentryStoreSchema(Configuration serverConf,
boolean checkVersion)
- throws SentryNoSuchObjectException, SentryAccessDeniedException {
+ throws SentryNoSuchObjectException, SentryAccessDeniedException {
if (!checkVersion) {
setSentryVersion(SentryStoreSchemaInfo.getSentryVersion(),
"Schema version set implicitly");
@@ -135,8 +141,8 @@ public class SentryStore {
if (!SentryStoreSchemaInfo.getSentryVersion().equals(currentVersion)) {
throw new SentryAccessDeniedException(
"The Sentry store schema version " + currentVersion
- + " is different from distribution version "
- + SentryStoreSchemaInfo.getSentryVersion());
+ + " is different from distribution version "
+ + SentryStoreSchemaInfo.getSentryVersion());
}
}
}
@@ -235,7 +241,7 @@ public class SentryStore {
* @throws SentryAlreadyExistsException
*/
public CommitContext createSentryRole(String roleName, String grantorPrincipal)
- throws SentryAlreadyExistsException {
+ throws SentryAlreadyExistsException {
roleName = trimAndLower(roleName);
boolean rollbackTransaction = true;
PersistenceManager pm = null;
@@ -338,7 +344,7 @@ public class SentryStore {
*/
private void revokePartialPrivilege(PersistenceManager pm, MSentryRole role,
TSentryPrivilege tPrivilege)
- throws SentryNoSuchObjectException, SentryInvalidInputException {
+ throws SentryNoSuchObjectException, SentryInvalidInputException {
// only perform partial revoke if INSERT/SELECT were the action
// and the privilege being revoked is on a table
String action = tPrivilege.getAction();
@@ -452,7 +458,7 @@ public class SentryStore {
public CommitContext dropSentryRole(String roleName)
- throws SentryNoSuchObjectException {
+ throws SentryNoSuchObjectException {
boolean rollbackTransaction = true;
PersistenceManager pm = null;
roleName = roleName.trim().toLowerCase();
@@ -483,7 +489,7 @@ public class SentryStore {
public CommitContext alterSentryRoleAddGroups(String grantorPrincipal,
String roleName, Set<TSentryGroup> groupNames)
- throws SentryNoSuchObjectException {
+ throws SentryNoSuchObjectException {
boolean rollbackTransaction = true;
PersistenceManager pm = null;
roleName = roleName.trim().toLowerCase();
@@ -526,7 +532,7 @@ public class SentryStore {
public CommitContext alterSentryRoleDeleteGroups(String roleName,
Set<TSentryGroup> groupNames)
- throws SentryNoSuchObjectException {
+ throws SentryNoSuchObjectException {
boolean rollbackTransaction = true;
PersistenceManager pm = null;
roleName = roleName.trim().toLowerCase();
@@ -567,7 +573,7 @@ public class SentryStore {
@VisibleForTesting
MSentryRole getMSentryRoleByName(String roleName)
- throws SentryNoSuchObjectException {
+ throws SentryNoSuchObjectException {
boolean rollbackTransaction = true;
PersistenceManager pm = null;
roleName = roleName.trim().toLowerCase();
@@ -593,11 +599,50 @@ public class SentryStore {
}
}
- private Set<MSentryPrivilege> getMSentryPrivilegesByRoleName(String roleName)
- throws SentryNoSuchObjectException {
- MSentryRole mSentryRole = getMSentryRoleByName(roleName);
- return mSentryRole.getPrivileges();
+ List<MSentryPrivilege> getMSentryPrivileges(Set<String> roleNames, TSentryAuthorizable authHierarchy) {
+ if ((roleNames.size() == 0)||(roleNames == null)) return new ArrayList<MSentryPrivilege>();
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryPrivilege.class);
+ query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
+ List<String> rolesFiler = new LinkedList<String>();
+ for (String rName : roleNames) {
+ rolesFiler.add("role.roleName == \"" + rName.trim().toLowerCase() + "\"");
+ }
+ StringBuilder filters = new StringBuilder("roles.contains(role) "
+ + "&& (" + Joiner.on(" || ").join(rolesFiler) + ") ");
+ if ((authHierarchy != null) && (authHierarchy.getServer() != null)) {
+ filters.append("&& serverName == \"" + authHierarchy.getServer().toLowerCase() + "\"");
+ if (authHierarchy.getDb() != null) {
+ filters.append(" && ((dbName == \"" + authHierarchy.getDb().toLowerCase() + "\") || (dbName == null)) && (URI == null)");
+ if (authHierarchy.getTable() != null) {
+ filters.append(" && ((tableName == \"" + authHierarchy.getTable().toLowerCase() + "\") || (tableName == null)) && (URI == null)");
+ }
+ }
+ if (authHierarchy.getUri() != null) {
+ filters.append(" && ((\"" + authHierarchy.getUri() + "\".startsWith(URI)) || (URI == null)) && (dbName == null)");
+ }
+ }
+
+ query.setFilter(filters.toString());
+ List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query.execute();
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ return privileges;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
}
+ }
+
+ private Set<MSentryPrivilege> getMSentryPrivilegesByRoleName(String roleName)
+ throws SentryNoSuchObjectException {
+ MSentryRole mSentryRole = getMSentryRoleByName(roleName);
+ return mSentryRole.getPrivileges();
+ }
/**
* Gets sentry privilege objects for a given roleName from the persistence layer
@@ -606,11 +651,37 @@ public class SentryStore {
* @throws SentryNoSuchObjectException
*/
- public Set<TSentryPrivilege> getTSentryPrivilegesByRoleName(String roleName)
+ public Set<TSentryPrivilege> getAllTSentryPrivilegesByRoleName(String roleName)
throws SentryNoSuchObjectException {
return convertToTSentryPrivileges(getMSentryPrivilegesByRoleName(roleName));
}
+
+ /**
+ * Gets sentry privilege objects for criteria from the persistence layer
+ * @param roleName : roleName to look up
+ * @param serverName : serverName (required)
+ * @param uri : URI (optional)
+ * @param dbName : dbName (optional if tableName is null else required)
+ * @param tableName : tableName (optional)
+ * @return : Set of thrift sentry privilege objects
+ * @throws SentryNoSuchObjectException
+ */
+
+ public Set<TSentryPrivilege> getTSentryPrivileges(Set<String> roleNames, TSentryAuthorizable authHierarchy) throws SentryInvalidInputException {
+ if (authHierarchy.getServer() == null) {
+ throw new SentryInvalidInputException("serverName cannot be null !!");
+ }
+ if ((authHierarchy.getTable() != null) && (authHierarchy.getDb() == null)) {
+ throw new SentryInvalidInputException("dbName cannot be null when tableName is present !!");
+ }
+ if ((authHierarchy.getUri() == null) && (authHierarchy.getDb() == null)) {
+ throw new SentryInvalidInputException("One of uri or dbName must not be null !!");
+ }
+ return convertToTSentryPrivileges(getMSentryPrivileges(roleNames, authHierarchy));
+ }
+
+
private Set<MSentryRole> getMSentryRolesByGroupName(String groupName)
throws SentryNoSuchObjectException {
boolean rollbackTransaction = true;
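Review bot: The Javadoc added above `getTSentryPrivileges` documents `roleName`, `serverName`, `uri`, `dbName` and `tableName`, none of which are parameters of the method (it takes `roleNames` and `authHierarchy`), and the blank line between the closing `*/` and the signature detaches the comment so javadoc tooling will not attach it to the method. Replace the `@param` lines with `@param roleNames : role names to look up (trimmed and lower-cased before matching)` and `@param authHierarchy : authorizable hierarchy; server is required, db is required when table is present, and one of uri or db must be set`, change `@throws SentryNoSuchObjectException` to `@throws SentryInvalidInputException` (the exception the method actually declares), and drop the blank line. The method also dereferences `authHierarchy` on its first line without a null check; the server-side caller only reaches it when `isSetAuthorizableHierarchy()` is true, so that may be intended, but a leading `if (authHierarchy == null) throw new SentryInvalidInputException("authorizable hierarchy cannot be null !!");` would make the contract explicit for other callers.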
@@ -692,18 +763,52 @@ public class SentryStore {
}
}
+ private Set<String> getRoleNamesForGroups(Set<String> groups) {
+ Set<String> result = new HashSet<String>();
+ boolean rollbackTransaction = true;
+ PersistenceManager pm = null;
+ try {
+ pm = openTransaction();
+ Query query = pm.newQuery(MSentryGroup.class);
+ query.setFilter("this.groupName == t");
+ query.declareParameters("java.lang.String t");
+ query.setUnique(true);
+ for (String group : toTrimedLower(groups)) {
+ MSentryGroup sentryGroup = (MSentryGroup) query.execute(group);
+ if (sentryGroup != null) {
+ for (MSentryRole role : sentryGroup.getRoles()) {
+ result.add(role.getRoleName());
+ }
+ }
+ }
+ rollbackTransaction = false;
+ commitTransaction(pm);
+ return result;
+ } finally {
+ if (rollbackTransaction) {
+ rollbackTransaction(pm);
+ }
+ }
+ }
+
+ public Set<String> listAllSentryPrivilegesForProvider(Set<String> groups, TSentryActiveRoleSet roleSet) throws SentryInvalidInputException {
+ return listSentryPrivilegesForProvider(groups, roleSet, null);
+ }
+
+
public Set<String> listSentryPrivilegesForProvider(Set<String> groups,
- TSentryActiveRoleSet roleSet) {
- Set<String> result = Sets.newHashSet();
- Set<String> activeRoleNames = toTrimedLower(roleSet.getRoles());
- for (Map.Entry<String, String> entry : getRoleToPrivilegeMap(groups).entries()) {
- if (roleSet.isAll()) {
- result.add(entry.getValue());
- } else if (activeRoleNames.contains(entry.getKey())) {
- result.add(entry.getValue());
- }
- }
- return result;
+ TSentryActiveRoleSet roleSet, TSentryAuthorizable authHierarchy) throws SentryInvalidInputException {
+ Set<String> result = Sets.newHashSet();
+ Set<String> activeRoleNames = toTrimedLower(roleSet.getRoles());
+
+ Set<String> roleNamesForGroups = toTrimedLower(getRoleNamesForGroups(groups));
+ Set<String> rolesToQuery = roleSet.isAll() ? roleNamesForGroups : Sets.intersection(activeRoleNames, roleNamesForGroups);
+ List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivileges(rolesToQuery, authHierarchy);
+
+ for (MSentryPrivilege priv : mSentryPrivileges) {
+ result.add(toAuthorizable(priv));
+ }
+ return result;
}
@VisibleForTesting
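Review bot: `listSentryPrivilegesForProvider` declares `SentryInvalidInputException` but nothing in its body throws it: `authHierarchy` is handed straight to `getMSentryPrivileges` without the server/db/table consistency checks that `getTSentryPrivileges` performs on the same type, so a hierarchy carrying a table but no db silently returns every privilege on the server rather than an error. Apply the same three checks here when `authHierarchy != null`, ideally by moving them into a private `validateAuthHierarchy(TSentryAuthorizable)` helper that both public methods call. Separately, `getRoleNamesForGroups` issues one `query.execute(group)` per group inside the loop; for large group sets a single query with a collection parameter would avoid the N+1 round trips, though that is a nicety rather than a defect. `activeRoleNames` is computed even when `roleSet.isAll()` leaves it unused — it could move into the non-`isAll` branch of the ternary.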
@@ -727,7 +832,7 @@ public class SentryStore {
if (!Strings.nullToEmpty(privilege.getAction()).isEmpty()
&& !privilege.getAction().equalsIgnoreCase(AccessConstants.ALL)) {
authorizable
- .add(KV_JOINER.join(ProviderConstants.PRIVILEGE_NAME.toLowerCase(),
+ .add(KV_JOINER.join(ProviderConstants.PRIVILEGE_NAME.toLowerCase(),
privilege.getAction()));
}
return AUTHORIZABLE_JOINER.join(authorizable);
@@ -735,6 +840,7 @@ public class SentryStore {
@VisibleForTesting
static Set<String> toTrimedLower(Set<String> s) {
+ if (null == s) return new HashSet<String>();
Set<String> result = Sets.newHashSet();
for (String v : s) {
result.add(v.trim().toLowerCase());
@@ -750,7 +856,7 @@ public class SentryStore {
* time.
*/
- private Set<TSentryPrivilege> convertToTSentryPrivileges(Set<MSentryPrivilege> mSentryPrivileges) {
+ private Set<TSentryPrivilege> convertToTSentryPrivileges(Collection<MSentryPrivilege> mSentryPrivileges) {
Set<TSentryPrivilege> privileges = new HashSet<TSentryPrivilege>();
for(MSentryPrivilege mSentryPrivilege:mSentryPrivileges) {
privileges.add(convertToTSentryPrivilege(mSentryPrivilege));
@@ -809,9 +915,9 @@ public class SentryStore {
private MSentryPrivilege convertToMSentryPrivilege(TSentryPrivilege privilege)
throws SentryInvalidInputException {
MSentryPrivilege mSentryPrivilege = new MSentryPrivilege();
- mSentryPrivilege.setServerName(safeTrim(privilege.getServerName()));
- mSentryPrivilege.setDbName(safeTrim(privilege.getDbName()));
- mSentryPrivilege.setTableName(safeTrim(privilege.getTableName()));
+ mSentryPrivilege.setServerName(safeTrimLower(privilege.getServerName()));
+ mSentryPrivilege.setDbName(safeTrimLower(privilege.getDbName()));
+ mSentryPrivilege.setTableName(safeTrimLower(privilege.getTableName()));
mSentryPrivilege.setPrivilegeScope(safeTrim(privilege.getPrivilegeScope()));
mSentryPrivilege.setAction(safeTrim(privilege.getAction()));
mSentryPrivilege.setCreateTime(System.currentTimeMillis());
@@ -826,9 +932,15 @@ public class SentryStore {
}
return s.trim();
}
+ private String safeTrimLower(String s) {
+ if (s == null) {
+ return null;
+ }
+ return s.trim().toLowerCase();
+ }
public String getSentryVersion() throws SentryNoSuchObjectException,
- SentryAccessDeniedException {
+ SentryAccessDeniedException {
MSentryVersion mVersion = getMSentryVersion();
return mVersion.getSchemaVersion();
}
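Review bot: `safeTrimLower` uses the default-locale `toLowerCase()`, as do the new filter literals in `getMSentryPrivileges` and the existing `toTrimedLower`, so the normalisation applied on write and the one applied in the query depend on the JVM's locale (the well-known dotless-i case); `return s.trim().toLowerCase(Locale.ROOT);` with `java.util.Locale` imported makes both sides deterministic, and the same change belongs on the other `toLowerCase()` calls in this file. Note also that rows persisted before this change were stored via `safeTrim` only, so any existing server/db/table values with upper-case characters will no longer match the lower-cased equality filter unless they are migrated — presumably worth a release note or an upgrade step if deployed stores can contain such rows.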
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index 2aac409..3660607 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -18,6 +18,8 @@
package org.apache.sentry.provider.db.service.thrift;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Sets;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.HashSet;
@@ -29,7 +31,9 @@ import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
@@ -45,8 +49,7 @@ import org.apache.thrift.transport.TTransportException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Sets;
+import java.util.List;
public class SentryPolicyServiceClient {
@@ -171,21 +174,43 @@ public class SentryPolicyServiceClient {
}
}
+ public Set<TSentryPrivilege> listAllPrivilegesByRoleName(String requestorUserName, String roleName)
+ throws SentryUserException {
+ return listPrivilegesByRoleName(requestorUserName, roleName, null);
+ }
+
/**
* Gets sentry privilege objects for a given roleName using the Sentry service
* @param requestorUserName : user on whose behalf the request is issued
* @param requestorUserGroupNames :groups the requesting user belongs to
* @param roleName : roleName to look up
+ * @param authorizable : authorizable Hierarchy (server->db->table etc)
* @return Set of thrift sentry privilege objects
* @throws SentryUserException
*/
- public Set<TSentryPrivilege> listPrivilegesByRoleName(
- String requestorUserName, String roleName)
+ public Set<TSentryPrivilege> listPrivilegesByRoleName(String requestorUserName,
+ String roleName, List<? extends Authorizable> authorizable)
throws SentryUserException {
TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest();
request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
request.setRequestorUserName(requestorUserName);
request.setRoleName(roleName);
+ if (authorizable != null) {
+ TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+ // TODO : Needed to support SearchModelAuthorizable
+ for (Authorizable authzble : authorizable) {
+ if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Server.toString())) {
+ tSentryAuthorizable.setServer(authzble.getName());
+ } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.URI.toString())) {
+ tSentryAuthorizable.setUri(authzble.getName());
+ } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Db.toString())) {
+ tSentryAuthorizable.setDb(authzble.getName());
+ } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Table.toString())) {
+ tSentryAuthorizable.setTable(authzble.getName());
+ }
+ }
+ request.setAuthorizableHierarchy(tSentryAuthorizable);
+ }
TListSentryPrivilegesResponse response;
try {
response = client.list_sentry_privileges_by_role(request);
@@ -309,12 +334,28 @@ public class SentryPolicyServiceClient {
}
}
- public Set<String> listPrivilegesForProvider(Set<String> groups, ActiveRoleSet roleSet)
+ public Set<String> listPrivilegesForProvider(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizable)
throws SentryUserException {
TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles());
TListSentryPrivilegesForProviderRequest request =
new TListSentryPrivilegesForProviderRequest(ThriftConstants.
TSENTRY_SERVICE_VERSION_CURRENT, groups, thriftRoleSet);
+ if ((authorizable != null)&&(authorizable.length > 0)) {
+ TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+ // TODO : Needed to support SearchModelAuthorizable
+ for (Authorizable authzble : authorizable) {
+ if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Server.toString())) {
+ tSentryAuthorizable.setServer(authzble.getName());
+ } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.URI.toString())) {
+ tSentryAuthorizable.setUri(authzble.getName());
+ } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Db.toString())) {
+ tSentryAuthorizable.setDb(authzble.getName());
+ } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Table.toString())) {
+ tSentryAuthorizable.setTable(authzble.getName());
+ }
+ }
+ request.setAuthorizableHierarchy(tSentryAuthorizable);
+ }
try {
TListSentryPrivilegesForProviderResponse response = client.list_sentry_privileges_for_provider(request);
Status.throwIfNotOk(response.getStatus());
@@ -357,4 +398,4 @@ TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName,
transport.close();
}
}
-}
\ No newline at end of file
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index f92c78a..f06568f 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -344,7 +344,12 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
// or allow all users as long as user is granted this role?
authorize(request.getRequestorUserName(),
getRequestorGroups(request.getRequestorUserName()));
- privilegeSet = sentryStore.getTSentryPrivilegesByRoleName(request.getRoleName());
+ if (request.isSetAuthorizableHierarchy()) {
+ TSentryAuthorizable authorizableHierarchy = request.getAuthorizableHierarchy();
+ privilegeSet = sentryStore.getTSentryPrivileges(Sets.newHashSet(request.getRoleName()), authorizableHierarchy);
+ } else {
+ privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(request.getRoleName());
+ }
response.setPrivileges(privilegeSet);
response.setStatus(Status.OK());
} catch (SentryNoSuchObjectException e) {
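Review bot: The two branches added here behave differently for a role that does not exist: `getAllTSentryPrivilegesByRoleName` resolves the role through `getMSentryRoleByName` and raises `SentryNoSuchObjectException`, which the `catch` on the last line maps to an error status, whereas `getTSentryPrivileges` only runs a filter query and returns an empty set, so a client that supplies a hierarchy receives an OK response with no privileges for an unknown role. Either resolve the role first in the filtered branch (`getMSentryRoleByName(request.getRoleName());` before the query) or document the difference on both store methods. `getTSentryPrivileges` also throws `SentryInvalidInputException`; its handler is outside the hunk, so confirm it is mapped to a non-OK status rather than falling through to a generic catch. The enclosing method starts and ends outside the hunk.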
@@ -371,7 +376,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
response.setPrivileges(new HashSet<String>());
try {
response.setPrivileges(sentryStore.listSentryPrivilegesForProvider(
- request.getGroups(), request.getRoleSet()));
+ request.getGroups(), request.getRoleSet(), request.getAuthorizableHierarchy()));
response.setStatus(Status.OK());
} catch (Exception e) {
String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
index b4281c7..5d584c0 100644
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
@@ -130,11 +130,19 @@ struct TListSentryRolesResponse {
2: required set<TSentryRole> roles
}
+struct TSentryAuthorizable {
+1: required string server,
+2: optional string uri,
+3: optional string db,
+4: optional string table,
+}
+
# SHOW GRANT
struct TListSentryPrivilegesRequest {
1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName # get privileges assigned for this role
+4: required string roleName, # get privileges assigned for this role
+5: optional TSentryAuthorizable authorizableHierarchy # get privileges assigned for this role
}
struct TListSentryPrivilegesResponse {
1: required sentry_common_service.TSentryResponseStatus status
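Review bot: Renumbering `roleName` from field id 3 to 4 in `TListSentryPrivilegesRequest` changes the wire identity of a required field: a client built against the previous IDL still sends it as field 3, which a server built from this IDL skips as unknown and then rejects for the missing required `roleName`, and the reverse direction fails the same way. Keep `3: required string roleName,` and add the new field as `4: optional TSentryAuthorizable authorizableHierarchy`. The comment on the new field (`# get privileges assigned for this role`) is copied from the line above; something like `# optional server->db->table/uri filter applied to the returned privileges` describes it. With `server` declared `required` in `TSentryAuthorizable`, the Java client fills the struct from whatever `Authorizable` list it is given, so a list with no Server element will presumably be rejected by the generated `validate()` at serialization time — the client should check for that up front and fail with a clear message.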
@@ -153,6 +161,7 @@ struct TListSentryPrivilegesForProviderRequest {
1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
2: required set<string> groups,
3: required TSentryActiveRoleSet roleSet,
+4: optional TSentryAuthorizable authorizableHierarchy,
}
struct TListSentryPrivilegesForProviderResponse {
1: required sentry_common_service.TSentryResponseStatus status
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
index 67b05e6..524eea3 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
@@ -235,65 +235,65 @@ public class TestSentryStore {
roleName2, groups).getSequenceId());
// group1 all roles
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
new TSentryActiveRoleSet(true, new HashSet<String>()))));
// one active role
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
// unknown active role
assertEquals(Sets.newHashSet(),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
// no active roles
assertEquals(Sets.newHashSet(),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
new TSentryActiveRoleSet(false, new HashSet<String>()))));
// group2 all roles
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
new TSentryActiveRoleSet(true, new HashSet<String>()))));
// one active role
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
assertEquals(Sets.newHashSet(
"server=server1->db=db1->table=tbl1->action=select", "server=server1"),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2)))));
// unknown active role
assertEquals(Sets.newHashSet(),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
// no active roles
assertEquals(Sets.newHashSet(),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
new TSentryActiveRoleSet(false, new HashSet<String>()))));
// both groups, all active roles
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.
newHashSet(groupName1, groupName2),
new TSentryActiveRoleSet(true, new HashSet<String>()))));
// one active role
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.
newHashSet(groupName1, groupName2),
new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
assertEquals(Sets.newHashSet(
"server=server1->db=db1->table=tbl1->action=select", "server=server1"),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.
newHashSet(groupName1, groupName2),
new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2)))));
// unknown active role
assertEquals(Sets.newHashSet(),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.
newHashSet(groupName1, groupName2),
new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
// no active roles
assertEquals(Sets.newHashSet(),
- SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.
+ SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.
newHashSet(groupName1, groupName2),
new TSentryActiveRoleSet(false, new HashSet<String>()))));
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index 56dcaf9..1089390 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
@@ -18,17 +18,22 @@
package org.apache.sentry.provider.db.service.thrift;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import static junit.framework.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
-import java.util.Set;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.core.model.db.Table;
import org.apache.sentry.provider.db.service.persistent.SentryStore;
import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
import org.junit.Test;
-import com.google.common.collect.Sets;
+import java.util.HashSet;
+import java.util.Set;
+
+import static junit.framework.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
@@ -55,6 +60,66 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
}
@Test
+ public void testQueryPushDown() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ String roleName1 = "admin_r1";
+ String roleName2 = "admin_r2";
+
+ String group1 = "g1";
+ String group2 = "g2";
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+ client.grantRoleToGroup(requestorUserName, group1, roleName1);
+
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
+
+
+ client.dropRoleIfExists(requestorUserName, roleName2);
+ client.createRole(requestorUserName, roleName2);
+ client.grantRoleToGroup(requestorUserName, group1, roleName2);
+ client.grantRoleToGroup(requestorUserName, group2, roleName2);
+
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db3", "table5", "ALL");
+
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1")));
+ assertEquals("Privilege not assigned to role2 !!", 2, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db2"), new Table("table1")));
+ assertEquals("Privilege not assigned to role2 !!", 0, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"), new Table("table1")));
+ assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
+
+ listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db3")));
+ assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
+
+ Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), ActiveRoleSet.ALL, new Server("server"), new Database("db2"));
+ assertEquals("Privilege not correctly assigned to roles !!",
+ Sets.newHashSet("server=server->db=db2->table=table4->action=ALL", "server=server->db=db2->table=table3->action=ALL"),
+ listPrivilegesForProvider);
+
+ listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), ActiveRoleSet.ALL, new Server("server"), new Database("db3"));
+ assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=ALL"), listPrivilegesForProvider);
+
+ listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3"));
+ assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider);
+ }
+
+
+
+ @Test
public void testGranRevokePrivilegeOnTableForRole() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
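Review bot: The four listPrivilegesByRoleName assertions in testQueryPushDown check only result sizes, so a filter that returns the wrong two privileges for db1, or one that substitutes a db2 entry for a db1 one, still passes; comparing the returned privileges against the expected server/db/table values, the way the listPrivilegesForProvider assertions further down compare against exact privilege strings, would actually pin the filter semantics. The message on the zero-result case reads `"Privilege not assigned to role2 !!"` although that assertion guards against a privilege being returned at all, so a failure there would be misreported; something like `"Filter returned a privilege outside db2/table1 !!"` reads correctly. The three blank lines after the method could be one.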
@@ -66,49 +131,49 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
client.dropRoleIfExists(requestorUserName, roleName1);
client.createRole(requestorUserName, roleName1);
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table4", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
client.dropRoleIfExists(requestorUserName, roleName2);
client.createRole(requestorUserName, roleName2);
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table4", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1);
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertEquals("Privilege not assigned to role1 !!", 4, listPrivilegesByRoleName.size());
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2);
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertEquals("Privilege not assigned to role2 !!", 4, listPrivilegesByRoleName.size());
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db", "table1", "ALL");
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1);
+ client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2);
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db", "table1", "ALL");
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2);
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1);
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db", "table2", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db", "table3", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db", "table4", "ALL");
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1);
+ client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+ client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+ client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db", "table2", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db", "table3", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db", "table4", "ALL");
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2);
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+ client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
}
@@ -127,12 +192,12 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
client.dropRoleIfExists(requestorUserName, roleName2);
client.createRole(requestorUserName, roleName2);
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL");
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1);
+ client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL");
+ Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL");
- listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2);
+ client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL");
+ listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
}
@@ -183,8 +248,7 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
assertEquals("Incorrect number of roles", 1, roles.size());
client.grantDatabasePrivilege(requestorUserName, roleName, server, db);
- Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorUserName,
- roleName);
+ Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
assertTrue(privileges.size() == 1);
for (TSentryPrivilege privilege:privileges) {
assertTrue(privilege.getPrivilegeName(),
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
index 6e8f02f..5245eb4 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
@@ -29,10 +29,12 @@ import com.google.common.collect.Multimap;
import com.google.common.collect.Sets;
import com.google.common.collect.Table;
import com.google.common.collect.Table.Cell;
+
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.policy.common.PrivilegeUtils;
import org.apache.sentry.policy.common.PrivilegeValidator;
@@ -44,6 +46,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.annotation.Nullable;
+
import java.io.IOException;
import java.net.URI;
import java.util.HashSet;
@@ -140,7 +143,7 @@ public class SimpleFileProviderBackend implements ProviderBackend {
* {@inheritDoc}
*/
@Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
+ public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) {
if (!initialized) {
throw new IllegalStateException("Backend has not been properly initialized");
}
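Review bot: The new `authorizableHierarchy` varargs parameter on getPrivileges is accepted but nothing in this hunk reads it, so the file backend appears to return the unfiltered privilege set regardless of the hierarchy passed; the rest of the method body is outside the hunk, so this is inferred. If that is intended, the `{@inheritDoc}` Javadoc should say so explicitly, e.g. `* This backend ignores the authorizable hierarchy and returns every privilege for the groups; callers must still match the result against the requested object.` Otherwise a caller that assumes the result is already scoped to the requested object, as the DB-backed path now is, would silently receive a broader set than it expects.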
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
index 1d89e1a..ab65cfd 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
@@ -139,7 +139,7 @@ public class TestDbEndToEnd extends AbstractTestWithDbProvider {
statement.execute("create table " + dbName2 + "." + tableName2
+ " (under_col int comment 'the under column', value string)");
statement.execute("load data local inpath '" + dataFile.getPath()
- + "' into table " + tableName2);
+ + "' into table " + tableName2);
// 3
statement.execute("CREATE ROLE all_db1");
@@ -163,8 +163,8 @@ public class TestDbEndToEnd extends AbstractTestWithDbProvider {
+ " TO ROLE select_tb1");
statement
- .execute("GRANT ROLE all_db1, select_tb1, insert_tb1, insert_tb2, data_uri TO GROUP "
- + USERGROUP1);
+ .execute("GRANT ROLE all_db1, select_tb1, insert_tb1, insert_tb2, data_uri TO GROUP "
+ + USERGROUP1);
statement.close();
connection.close();
@@ -177,7 +177,7 @@ public class TestDbEndToEnd extends AbstractTestWithDbProvider {
statement.execute("create table " + dbName1 + "." + tableName1
+ " (under_col int comment 'the under column', value string)");
statement.execute("load data local inpath '" + dataFile.getPath()
- + "' into table " + tableName1);
+ + "' into table " + tableName1);
// 5
statement.execute("CREATE VIEW " + viewName1 + " (value) AS SELECT value from " + tableName1 + " LIMIT 10");
@@ -197,7 +197,30 @@ public class TestDbEndToEnd extends AbstractTestWithDbProvider {
// 8
connection = context.createConnection(USER1_1);
statement = context.createStatement(connection);
+ Exception ex = null;
+ try {
+ statement.execute("USE " + dbName2);
+ } catch (Exception e) {
+ ex = e;
+ } finally {
+ statement.close();
+ connection.close();
+ }
+ System.out.println("Message : " + ex.getMessage());
+ assertTrue("This should not be allowed !!", ex != null);
+
+ connection = context.createConnection(ADMIN1);
+ statement = context.createStatement(connection);
+ statement.execute("CREATE ROLE all_db2");
+ statement.execute("GRANT ALL ON DATABASE " + dbName2 + " TO ROLE all_db2");
+ statement.execute("GRANT ROLE all_db2 TO GROUP " + USERGROUP1);
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
statement.execute("USE " + dbName2);
+
statement.execute("INSERT OVERWRITE TABLE " +
dbName2 + "." + tableName2 + " SELECT * FROM " + dbName1
+ "." + tableName1);
[2/2] git commit: SENTRY-157: Support filter pushdown in DB Store
client to reduce data transfer from DB Store service ( Arun Suresh via Sravya
Tirukkovalur)
Posted by sr...@apache.org.
SENTRY-157: Support filter pushdown in DB Store client to reduce data transfer from DB Store service ( Arun Suresh via Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/a7b45622
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/a7b45622
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/a7b45622
Branch: refs/heads/master
Commit: a7b45622309cc1753fa082be0c52d5e3e90faa42
Parents: a989b17
Author: Sravya Tirukkovalur <sr...@clouera.com>
Authored: Fri May 30 19:24:15 2014 -0700
Committer: Sravya Tirukkovalur <sr...@clouera.com>
Committed: Fri May 30 19:24:15 2014 -0700
----------------------------------------------------------------------
.../hive/ql/exec/SentryGrantRevokeTask.java | 2 +-
.../sentry/policy/common/PolicyEngine.java | 18 +-
.../sentry/policy/db/SimpleDBPolicyEngine.java | 14 +-
.../db/AbstractTestSimplePolicyEngine.java | 14 +-
.../policy/db/TestPolicyParsingNegative.java | 20 +-
.../policy/db/TestSimpleDBPolicyEngineDFS.java | 2 +-
.../policy/search/SimpleSearchPolicyEngine.java | 13 +-
.../cache/SimpleCacheProviderBackend.java | 3 +-
.../sentry/provider/common/ProviderBackend.java | 3 +-
.../common/ResourceAuthorizationProvider.java | 10 +-
.../provider/common/TestGetGroupMapping.java | 14 +-
...TListSentryPrivilegesForProviderRequest.java | 117 ++-
.../thrift/TListSentryPrivilegesRequest.java | 123 +++-
.../db/service/thrift/TSentryAuthorizable.java | 707 +++++++++++++++++++
.../provider/db/SimpleDBProviderBackend.java | 8 +-
.../db/service/model/MSentryPrivilege.java | 2 +-
.../db/service/persistent/SentryStore.java | 178 ++++-
.../thrift/SentryPolicyServiceClient.java | 53 +-
.../thrift/SentryPolicyStoreProcessor.java | 9 +-
.../main/resources/sentry_policy_service.thrift | 11 +-
.../db/service/persistent/TestSentryStore.java | 28 +-
.../thrift/TestSentryServiceIntegration.java | 136 +++-
.../file/SimpleFileProviderBackend.java | 5 +-
.../tests/e2e/dbprovider/TestDbEndToEnd.java | 31 +-
24 files changed, 1384 insertions(+), 137 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
index f1e6247..1012605 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -257,7 +257,7 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
try {
if (hiveObjectDesc == null) {
- privileges = sentryClient.listPrivilegesByRoleName(subject, principalName);
+ privileges = sentryClient.listAllPrivilegesByRoleName(subject, principalName);
writeToFile(writeGrantInfo(privileges, principalName), desc.getResFile());
return RETURN_CODE_SUCCESS;
} else {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
index c378a38..38a5b65 100644
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
@@ -17,11 +17,13 @@
package org.apache.sentry.policy.common;
+import java.util.List;
import java.util.Set;
import javax.annotation.concurrent.ThreadSafe;
import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.SentryConfigurationException;
import com.google.common.collect.ImmutableSet;
@@ -45,9 +47,23 @@ public interface PolicyEngine {
* type of privileges used in a policy file. Additionally it is possible further
* processing of the privileges is needed before resolving to a privilege object.
* @param group name
+ * @param active role-set
* @return non-null immutable set of privileges
*/
- public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet)
+ public ImmutableSet<String> getAllPrivileges(Set<String> groups, ActiveRoleSet roleSet)
+ throws SentryConfigurationException;
+
+ /**
+ * Get privileges associated with a group. Returns Strings which can be resolved
+ * by the caller. Strings are returned to separate the PolicyFile class from the
+ * type of privileges used in a policy file. Additionally it is possible further
+ * processing of the privileges is needed before resolving to a privilege object.
+ * @param group name
+ * @param active role-set
+ * @param authorizable Hierarchy (Can be null)
+ * @return non-null immutable set of privileges
+ */
+ public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
throws SentryConfigurationException;
public void close();
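Review bot: The `@param` tags on both getAllPrivileges and getPrivileges (`@param group name`, `@param active role-set`, `@param authorizable Hierarchy (Can be null)`) do not name the actual parameters `groups`, `roleSet` and `authorizableHierarchy`, so javadoc cannot associate them with the signature. The text of the new getPrivileges overload is a copy of the old comment and never says what the hierarchy does; it should state that the result is narrowed to privileges relevant to the given authorizable hierarchy and that a null or empty hierarchy yields the same result as getAllPrivileges, since SimpleDBPolicyEngine relies on exactly that equivalence. The `java.util.List` import added in the first hunk is not referenced anywhere visible in this interface; if it is unused it should be dropped.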
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
index a95ef7b..a03794e 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
@@ -16,9 +16,11 @@
*/
package org.apache.sentry.policy.db;
+import java.util.List;
import java.util.Set;
import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.policy.common.PrivilegeFactory;
import org.apache.sentry.policy.common.PolicyEngine;
@@ -56,16 +58,24 @@ public class SimpleDBPolicyEngine implements PolicyEngine {
return new DBWildcardPrivilege.DBWildcardPrivilegeFactory();
}
+
+
+ @Override
+ public ImmutableSet<String> getAllPrivileges(Set<String> groups,
+ ActiveRoleSet roleSet) throws SentryConfigurationException {
+ return getPrivileges(groups, roleSet, null);
+ }
+
/**
* {@inheritDoc}
*/
@Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet)
+ public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
throws SentryConfigurationException {
if(LOGGER.isDebugEnabled()) {
LOGGER.debug("Getting permissions for {}", groups);
}
- ImmutableSet<String> result = providerBackend.getPrivileges(groups, roleSet);
+ ImmutableSet<String> result = providerBackend.getPrivileges(groups, roleSet, authorizableHierarchy);
if(LOGGER.isDebugEnabled()) {
LOGGER.debug("result = " + result);
}
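Review bot: `return getPrivileges(groups, roleSet, null);` in getAllPrivileges passes a bare `null` to the varargs parameter, which javac flags with a non-varargs-call warning and which arrives at the backend as a null array rather than an empty one, so any `for (Authorizable a : authorizableHierarchy)` in a backend throws NullPointerException unless it null-checks first. `return getPrivileges(groups, roleSet);` passes an empty array and is unambiguous; if null is the deliberate "no filter" signal the interface Javadoc permits, write `(Authorizable[]) null` with a comment so the choice is visible to the reader. The new method also lacks the `/** {@inheritDoc} */` comment its sibling carries, and the two blank lines above it could be one.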
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
index 4625d6f..d1151e3 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
@@ -89,7 +89,7 @@ public abstract class AbstractTestSimplePolicyEngine {
PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT
));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("manager"), ActiveRoleSet.ALL))
+ new TreeSet<String>(policy.getAllPrivileges(set("manager"), ActiveRoleSet.ALL))
.toString());
}
@@ -99,7 +99,7 @@ public abstract class AbstractTestSimplePolicyEngine {
PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
PERM_SERVER1_JUNIOR_ANALYST_READ));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL))
+ new TreeSet<String>(policy.getAllPrivileges(set("analyst"), ActiveRoleSet.ALL))
.toString());
}
@@ -109,7 +109,7 @@ public abstract class AbstractTestSimplePolicyEngine {
.newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
+ new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
.toString());
}
@@ -117,7 +117,7 @@ public abstract class AbstractTestSimplePolicyEngine {
public void testAdmin() throws Exception {
Set<String> expected = Sets.newTreeSet(Sets.newHashSet(PERM_SERVER1_ADMIN));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL))
+ new TreeSet<String>(policy.getAllPrivileges(set("admin"), ActiveRoleSet.ALL))
.toString());
}
@@ -127,7 +127,7 @@ public abstract class AbstractTestSimplePolicyEngine {
Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("other_group"), ActiveRoleSet.ALL))
+ new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL))
.toString());
}
@@ -137,7 +137,7 @@ public abstract class AbstractTestSimplePolicyEngine {
.newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
+ new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
.toString());
}
@@ -146,7 +146,7 @@ public abstract class AbstractTestSimplePolicyEngine {
Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getPrivileges(set("other_group"), ActiveRoleSet.ALL))
+ new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL))
.toString());
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
index e88ae32..5f7c671 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
@@ -73,7 +73,7 @@ public class TestPolicyParsingNegative {
append("[roles]", otherPolicyFile);
append("malicious_role = server=server1->db=customers->table=purchases->action=select", otherPolicyFile);
PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
Assert.assertTrue(permissions.toString(), permissions.isEmpty());
}
@Test
@@ -87,21 +87,21 @@ public class TestPolicyParsingNegative {
policyFile.write(globalPolicyFile);
policyFile.write(otherPolicyFile);
policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- permissions = policy.getPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
+ permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
Assert.assertEquals(permissions.toString(), "[server=server1]");
// test to ensure [users] fails parsing of per-db file
policyFile.addDatabase("other", otherPolicyFile.getPath());
policyFile.write(globalPolicyFile);
policyFile.write(otherPolicyFile);
policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- permissions = policy.getPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
+ permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
Assert.assertEquals(permissions.toString(), "[server=server1]");
// test to ensure [databases] fails parsing of per-db file
// by removing the user mapping from the per-db policy file
policyFile.removeGroupsFromUser("admin1", "admin")
.write(otherPolicyFile);
policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- permissions = policy.getPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
+ permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
Assert.assertEquals(permissions.toString(), "[server=server1]");
}
@@ -114,7 +114,7 @@ public class TestPolicyParsingNegative {
append("[roles]", otherPolicyFile);
append("malicious_role = server=server1", otherPolicyFile);
PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
Assert.assertTrue(permissions.toString(), permissions.isEmpty());
}
@@ -125,7 +125,7 @@ public class TestPolicyParsingNegative {
append("[roles]", globalPolicyFile);
append("malicious_role = server=*", globalPolicyFile);
PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
Assert.assertTrue(permissions.toString(), permissions.isEmpty());
}
@@ -136,7 +136,7 @@ public class TestPolicyParsingNegative {
append("[roles]", globalPolicyFile);
append("malicious_role = server=server2", globalPolicyFile);
PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
Assert.assertTrue(permissions.toString(), permissions.isEmpty());
}
@@ -147,7 +147,7 @@ public class TestPolicyParsingNegative {
append("[roles]", globalPolicyFile);
append("malicious_role = *", globalPolicyFile);
PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
Assert.assertTrue(permissions.toString(), permissions.isEmpty());
}
@@ -185,10 +185,10 @@ public class TestPolicyParsingNegative {
PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
// verify that the db1 rule is empty
- ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("db1_group"), ActiveRoleSet.ALL);
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("db1_group"), ActiveRoleSet.ALL);
Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- permissions = policy.getPrivileges(Sets.newHashSet("db2_group"), ActiveRoleSet.ALL);
+ permissions = policy.getAllPrivileges(Sets.newHashSet("db2_group"), ActiveRoleSet.ALL);
Assert.assertEquals(permissions.toString(), 1, permissions.size());
}
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
index 08f84a3..f8c36e2 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
@@ -108,7 +108,7 @@ public class TestSimpleDBPolicyEngineDFS extends AbstractTestSimplePolicyEngine
Set<String> dbGroups = Sets.newHashSet();
dbGroups.add("group1");
ImmutableSet<String> dbPerms =
- multiFSEngine.getPrivileges(dbGroups, ActiveRoleSet.ALL);
+ multiFSEngine.getAllPrivileges(dbGroups, ActiveRoleSet.ALL);
Assert.assertEquals("No DB permissions found", 1, dbPerms.size());
}
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
index 8adcb6f..f428aea 100644
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
+++ b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
@@ -19,6 +19,7 @@ package org.apache.sentry.policy.search;
import java.util.Set;
import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.policy.common.PrivilegeFactory;
import org.apache.sentry.policy.common.PolicyEngine;
@@ -61,7 +62,16 @@ public class SimpleSearchPolicyEngine implements PolicyEngine {
* {@inheritDoc}
*/
@Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
+ public ImmutableSet<String> getAllPrivileges(Set<String> groups,
+ ActiveRoleSet roleSet) throws SentryConfigurationException {
+ return getPrivileges(groups, roleSet);
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizationHierarchy ) {
if(LOGGER.isDebugEnabled()) {
LOGGER.debug("Getting permissions for {}", groups);
}
@@ -88,4 +98,5 @@ public class SimpleSearchPolicyEngine implements PolicyEngine {
providerBackend.close();
}
}
+
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java
index 1b0aba6..396c21c 100644
--- a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java
+++ b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java
@@ -21,6 +21,7 @@ import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.common.ProviderBackendContext;
@@ -48,7 +49,7 @@ public class SimpleCacheProviderBackend implements ProviderBackend {
@Override
public ImmutableSet<String> getPrivileges(Set<String> groups,
- ActiveRoleSet roleSet) {
+ ActiveRoleSet roleSet, Authorizable... authorizationhierarchy) {
if (!initialized()) {
throw new IllegalStateException(
"Backend has not been properly initialized");
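Review bot: The parameter is spelled `authorizationhierarchy` (lower-case h) here but `authorizableHierarchy` in the `ProviderBackend` interface this method overrides; rename it to `Authorizable... authorizableHierarchy` so the override reads the same as its contract. Nothing in the visible lines uses the new parameter, which for a cache backend presumably means the full cached set is returned regardless of the filter; if so, a one-line comment saying `// cache does no pushdown: the hierarchy is accepted but ignored` would save the next reader from looking for the filter. The method body continues outside the hunk, so I cannot rule out that it is used below.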
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
index a175245..ddb9cf9 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
@@ -21,6 +21,7 @@ import java.util.Set;
import javax.annotation.concurrent.ThreadSafe;
import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.SentryConfigurationException;
import com.google.common.collect.ImmutableSet;
@@ -46,7 +47,7 @@ public interface ProviderBackend {
/**
* Get the privileges from the backend.
*/
- public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet);
+ public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy);
/**
* Get the roles associated with the groups from the backend.
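Review bot: The Javadoc still says only "Get the privileges from the backend." although the signature now takes an `Authorizable... authorizableHierarchy` that backends are expected to push down as a filter; the contract of that filter is security-relevant and is not written anywhere in this hunk. Because `ResourceAuthorizationProvider` makes the allow/deny decision from whatever comes back, an implementation that returns extra privileges is harmless but one that omits a privilege that could still apply to the hierarchy (a server-level or wildcard grant when a table is requested) causes false denials, and the doc should say so. I would extend the comment with: `@param authorizableHierarchy optional filter hint, outermost authorizable first; a backend may return a superset but must never drop a privilege that could apply to this hierarchy (including grants at an enclosing level or wildcards); null or empty means no filtering.`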
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
index e1e7f4a..3a993b0 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
@@ -95,7 +95,7 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
for (Authorizable authorizable : authorizables) {
hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
}
- Iterable<Privilege> privileges = getPrivileges(groups, roleSet);
+ Iterable<Privilege> privileges = getPrivileges(groups, roleSet, authorizables.toArray(new Authorizable[0]));
List<String> requestPrivileges = buildPermissions(authorizables, actions);
lastFailedPrivileges.get().clear();
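Review bot: Passing the request's own authorizables as the backend filter makes the authorization decision on the following lines depend on the store filtering conservatively: if the DB store matches the hierarchy too strictly, a grant on `server=server1` or `server=server1->db=db1` will no longer be returned for a request on `table=t1` and `doHasAccess` will deny access that was legitimately granted. The store code that implements the filter is not in this hunk, so I cannot tell whether ancestor-level and wildcard grants are preserved; a regression test at this layer that asserts a server-level privilege still authorizes a table request through the filtered path would pin that. The enclosing `doHasAccess` body starts before and continues after the hunk.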
@@ -118,8 +118,8 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
return false;
}
- private Iterable<Privilege> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
- return Iterables.transform(policy.getPrivileges(groups, roleSet),
+ private Iterable<Privilege> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable[] authorizables) {
+ return Iterables.transform(policy.getPrivileges(groups, roleSet, authorizables),
new Function<String, Privilege>() {
@Override
public Privilege apply(String privilege) {
@@ -144,12 +144,12 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
@Override
public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException {
- return policy.getPrivileges(getGroups(subject), ActiveRoleSet.ALL);
+ return policy.getPrivileges(getGroups(subject), ActiveRoleSet.ALL, null);
}
@Override
public Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException {
- return policy.getPrivileges(Sets.newHashSet(groupName), ActiveRoleSet.ALL);
+ return policy.getPrivileges(Sets.newHashSet(groupName), ActiveRoleSet.ALL, null);
}
@Override
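Review bot: `policy.getPrivileges(..., ActiveRoleSet.ALL, null)` on the two changed lines binds the literal `null` to the varargs array itself, so any engine that iterates the hierarchy or reads its length will throw a NullPointerException, and a null filter is in any case an awkward way to say "no filter". This commit adds `getAllPrivileges(groups, roleSet)` to `PolicyEngine` for exactly this unfiltered listing (the search engine and the tests already switched to it), so these should read `return policy.getAllPrivileges(getGroups(subject), ActiveRoleSet.ALL);` and `return policy.getAllPrivileges(Sets.newHashSet(groupName), ActiveRoleSet.ALL);`. If `null` must remain accepted as "no filter", that convention belongs in the interface Javadoc and every implementation needs a null guard before touching the array.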
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
index ece740b..f57198a 100644
--- a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
+++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
@@ -19,7 +19,9 @@ package org.apache.sentry.provider.common;
import static org.junit.Assert.assertSame;
import java.util.Set;
+import java.util.List;
+import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.policy.common.PrivilegeFactory;
@@ -44,15 +46,25 @@ public class TestGetGroupMapping {
public void testResourceAuthorizationProvider() {
final Set<String> set = Sets.newHashSet("a", "b", "c");
GroupMappingService mappingService = new GroupMappingService() {
+ @Override
public Set<String> getGroups(String user) { return set; }
};
PolicyEngine policyEngine = new PolicyEngine() {
+ @Override
public PrivilegeFactory getPrivilegeFactory() { return null; }
- public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
+ @Override
+ public ImmutableSet<String> getAllPrivileges(Set<String> groups,
+ ActiveRoleSet roleSet) throws SentryConfigurationException {
+ return getPrivileges(groups, roleSet, null);
+ }
+
+ @Override
+ public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) {
return ImmutableSet.of();
}
+ @Override
public void validatePolicy(boolean strictValidation)
throws SentryConfigurationException {
return;
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TListSentryPrivilegesForProviderRequest.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TListSentryPrivilegesForProviderRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TListSentryPrivilegesForProviderRequest.java
index 65fd5b5..10ab56b 100644
--- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TListSentryPrivilegesForProviderRequest.java
+++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TListSentryPrivilegesForProviderRequest.java
@@ -37,6 +37,7 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
private static final org.apache.thrift.protocol.TField PROTOCOL_VERSION_FIELD_DESC = new org.apache.thrift.protocol.TField("protocol_version", org.apache.thrift.protocol.TType.I32, (short)1);
private static final org.apache.thrift.protocol.TField GROUPS_FIELD_DESC = new org.apache.thrift.protocol.TField("groups", org.apache.thrift.protocol.TType.SET, (short)2);
private static final org.apache.thrift.protocol.TField ROLE_SET_FIELD_DESC = new org.apache.thrift.protocol.TField("roleSet", org.apache.thrift.protocol.TType.STRUCT, (short)3);
+ private static final org.apache.thrift.protocol.TField AUTHORIZABLE_HIERARCHY_FIELD_DESC = new org.apache.thrift.protocol.TField("authorizableHierarchy", org.apache.thrift.protocol.TType.STRUCT, (short)4);
private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
static {
@@ -47,12 +48,14 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
private int protocol_version; // required
private Set<String> groups; // required
private TSentryActiveRoleSet roleSet; // required
+ private TSentryAuthorizable authorizableHierarchy; // optional
/** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
public enum _Fields implements org.apache.thrift.TFieldIdEnum {
PROTOCOL_VERSION((short)1, "protocol_version"),
GROUPS((short)2, "groups"),
- ROLE_SET((short)3, "roleSet");
+ ROLE_SET((short)3, "roleSet"),
+ AUTHORIZABLE_HIERARCHY((short)4, "authorizableHierarchy");
private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
@@ -73,6 +76,8 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
return GROUPS;
case 3: // ROLE_SET
return ROLE_SET;
+ case 4: // AUTHORIZABLE_HIERARCHY
+ return AUTHORIZABLE_HIERARCHY;
default:
return null;
}
@@ -115,6 +120,7 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
// isset id assignments
private static final int __PROTOCOL_VERSION_ISSET_ID = 0;
private byte __isset_bitfield = 0;
+ private _Fields optionals[] = {_Fields.AUTHORIZABLE_HIERARCHY};
public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
static {
Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
@@ -125,6 +131,8 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))));
tmpMap.put(_Fields.ROLE_SET, new org.apache.thrift.meta_data.FieldMetaData("roleSet", org.apache.thrift.TFieldRequirementType.REQUIRED,
new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryActiveRoleSet.class)));
+ tmpMap.put(_Fields.AUTHORIZABLE_HIERARCHY, new org.apache.thrift.meta_data.FieldMetaData("authorizableHierarchy", org.apache.thrift.TFieldRequirementType.OPTIONAL,
+ new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryAuthorizable.class)));
metaDataMap = Collections.unmodifiableMap(tmpMap);
org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TListSentryPrivilegesForProviderRequest.class, metaDataMap);
}
@@ -162,6 +170,9 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
if (other.isSetRoleSet()) {
this.roleSet = new TSentryActiveRoleSet(other.roleSet);
}
+ if (other.isSetAuthorizableHierarchy()) {
+ this.authorizableHierarchy = new TSentryAuthorizable(other.authorizableHierarchy);
+ }
}
public TListSentryPrivilegesForProviderRequest deepCopy() {
@@ -174,6 +185,7 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
this.groups = null;
this.roleSet = null;
+ this.authorizableHierarchy = null;
}
public int getProtocol_version() {
@@ -259,6 +271,29 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
}
}
+ public TSentryAuthorizable getAuthorizableHierarchy() {
+ return this.authorizableHierarchy;
+ }
+
+ public void setAuthorizableHierarchy(TSentryAuthorizable authorizableHierarchy) {
+ this.authorizableHierarchy = authorizableHierarchy;
+ }
+
+ public void unsetAuthorizableHierarchy() {
+ this.authorizableHierarchy = null;
+ }
+
+ /** Returns true if field authorizableHierarchy is set (has been assigned a value) and false otherwise */
+ public boolean isSetAuthorizableHierarchy() {
+ return this.authorizableHierarchy != null;
+ }
+
+ public void setAuthorizableHierarchyIsSet(boolean value) {
+ if (!value) {
+ this.authorizableHierarchy = null;
+ }
+ }
+
public void setFieldValue(_Fields field, Object value) {
switch (field) {
case PROTOCOL_VERSION:
@@ -285,6 +320,14 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
}
break;
+ case AUTHORIZABLE_HIERARCHY:
+ if (value == null) {
+ unsetAuthorizableHierarchy();
+ } else {
+ setAuthorizableHierarchy((TSentryAuthorizable)value);
+ }
+ break;
+
}
}
@@ -299,6 +342,9 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
case ROLE_SET:
return getRoleSet();
+ case AUTHORIZABLE_HIERARCHY:
+ return getAuthorizableHierarchy();
+
}
throw new IllegalStateException();
}
@@ -316,6 +362,8 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
return isSetGroups();
case ROLE_SET:
return isSetRoleSet();
+ case AUTHORIZABLE_HIERARCHY:
+ return isSetAuthorizableHierarchy();
}
throw new IllegalStateException();
}
@@ -360,6 +408,15 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
return false;
}
+ boolean this_present_authorizableHierarchy = true && this.isSetAuthorizableHierarchy();
+ boolean that_present_authorizableHierarchy = true && that.isSetAuthorizableHierarchy();
+ if (this_present_authorizableHierarchy || that_present_authorizableHierarchy) {
+ if (!(this_present_authorizableHierarchy && that_present_authorizableHierarchy))
+ return false;
+ if (!this.authorizableHierarchy.equals(that.authorizableHierarchy))
+ return false;
+ }
+
return true;
}
@@ -382,6 +439,11 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
if (present_roleSet)
builder.append(roleSet);
+ boolean present_authorizableHierarchy = true && (isSetAuthorizableHierarchy());
+ builder.append(present_authorizableHierarchy);
+ if (present_authorizableHierarchy)
+ builder.append(authorizableHierarchy);
+
return builder.toHashCode();
}
@@ -423,6 +485,16 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
return lastComparison;
}
}
+ lastComparison = Boolean.valueOf(isSetAuthorizableHierarchy()).compareTo(typedOther.isSetAuthorizableHierarchy());
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ if (isSetAuthorizableHierarchy()) {
+ lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.authorizableHierarchy, typedOther.authorizableHierarchy);
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ }
return 0;
}
@@ -462,6 +534,16 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
sb.append(this.roleSet);
}
first = false;
+ if (isSetAuthorizableHierarchy()) {
+ if (!first) sb.append(", ");
+ sb.append("authorizableHierarchy:");
+ if (this.authorizableHierarchy == null) {
+ sb.append("null");
+ } else {
+ sb.append(this.authorizableHierarchy);
+ }
+ first = false;
+ }
sb.append(")");
return sb.toString();
}
@@ -484,6 +566,9 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
if (roleSet != null) {
roleSet.validate();
}
+ if (authorizableHierarchy != null) {
+ authorizableHierarchy.validate();
+ }
}
private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
@@ -557,6 +642,15 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
}
break;
+ case 4: // AUTHORIZABLE_HIERARCHY
+ if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) {
+ struct.authorizableHierarchy = new TSentryAuthorizable();
+ struct.authorizableHierarchy.read(iprot);
+ struct.setAuthorizableHierarchyIsSet(true);
+ } else {
+ org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+ }
+ break;
default:
org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
}
@@ -590,6 +684,13 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
struct.roleSet.write(oprot);
oprot.writeFieldEnd();
}
+ if (struct.authorizableHierarchy != null) {
+ if (struct.isSetAuthorizableHierarchy()) {
+ oprot.writeFieldBegin(AUTHORIZABLE_HIERARCHY_FIELD_DESC);
+ struct.authorizableHierarchy.write(oprot);
+ oprot.writeFieldEnd();
+ }
+ }
oprot.writeFieldStop();
oprot.writeStructEnd();
}
@@ -616,6 +717,14 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
}
}
struct.roleSet.write(oprot);
+ BitSet optionals = new BitSet();
+ if (struct.isSetAuthorizableHierarchy()) {
+ optionals.set(0);
+ }
+ oprot.writeBitSet(optionals, 1);
+ if (struct.isSetAuthorizableHierarchy()) {
+ struct.authorizableHierarchy.write(oprot);
+ }
}
@Override
@@ -637,6 +746,12 @@ public class TListSentryPrivilegesForProviderRequest implements org.apache.thrif
struct.roleSet = new TSentryActiveRoleSet();
struct.roleSet.read(iprot);
struct.setRoleSetIsSet(true);
+ BitSet incoming = iprot.readBitSet(1);
+ if (incoming.get(0)) {
+ struct.authorizableHierarchy = new TSentryAuthorizable();
+ struct.authorizableHierarchy.read(iprot);
+ struct.setAuthorizableHierarchyIsSet(true);
+ }
}
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TListSentryPrivilegesRequest.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TListSentryPrivilegesRequest.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TListSentryPrivilegesRequest.java
index 89afb70..393ff91 100644
--- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TListSentryPrivilegesRequest.java
+++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TListSentryPrivilegesRequest.java
@@ -36,7 +36,8 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
private static final org.apache.thrift.protocol.TField PROTOCOL_VERSION_FIELD_DESC = new org.apache.thrift.protocol.TField("protocol_version", org.apache.thrift.protocol.TType.I32, (short)1);
private static final org.apache.thrift.protocol.TField REQUESTOR_USER_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("requestorUserName", org.apache.thrift.protocol.TType.STRING, (short)2);
- private static final org.apache.thrift.protocol.TField ROLE_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("roleName", org.apache.thrift.protocol.TType.STRING, (short)3);
+ private static final org.apache.thrift.protocol.TField ROLE_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("roleName", org.apache.thrift.protocol.TType.STRING, (short)4);
+ private static final org.apache.thrift.protocol.TField AUTHORIZABLE_HIERARCHY_FIELD_DESC = new org.apache.thrift.protocol.TField("authorizableHierarchy", org.apache.thrift.protocol.TType.STRUCT, (short)5);
private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
static {
@@ -47,12 +48,14 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
private int protocol_version; // required
private String requestorUserName; // required
private String roleName; // required
+ private TSentryAuthorizable authorizableHierarchy; // optional
/** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
public enum _Fields implements org.apache.thrift.TFieldIdEnum {
PROTOCOL_VERSION((short)1, "protocol_version"),
REQUESTOR_USER_NAME((short)2, "requestorUserName"),
- ROLE_NAME((short)3, "roleName");
+ ROLE_NAME((short)4, "roleName"),
+ AUTHORIZABLE_HIERARCHY((short)5, "authorizableHierarchy");
private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
@@ -71,8 +74,10 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
return PROTOCOL_VERSION;
case 2: // REQUESTOR_USER_NAME
return REQUESTOR_USER_NAME;
- case 3: // ROLE_NAME
+ case 4: // ROLE_NAME
return ROLE_NAME;
+ case 5: // AUTHORIZABLE_HIERARCHY
+ return AUTHORIZABLE_HIERARCHY;
default:
return null;
}
@@ -115,6 +120,7 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
// isset id assignments
private static final int __PROTOCOL_VERSION_ISSET_ID = 0;
private byte __isset_bitfield = 0;
+ private _Fields optionals[] = {_Fields.AUTHORIZABLE_HIERARCHY};
public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
static {
Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
@@ -124,6 +130,8 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)));
tmpMap.put(_Fields.ROLE_NAME, new org.apache.thrift.meta_data.FieldMetaData("roleName", org.apache.thrift.TFieldRequirementType.REQUIRED,
new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)));
+ tmpMap.put(_Fields.AUTHORIZABLE_HIERARCHY, new org.apache.thrift.meta_data.FieldMetaData("authorizableHierarchy", org.apache.thrift.TFieldRequirementType.OPTIONAL,
+ new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryAuthorizable.class)));
metaDataMap = Collections.unmodifiableMap(tmpMap);
org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TListSentryPrivilegesRequest.class, metaDataMap);
}
@@ -157,6 +165,9 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
if (other.isSetRoleName()) {
this.roleName = other.roleName;
}
+ if (other.isSetAuthorizableHierarchy()) {
+ this.authorizableHierarchy = new TSentryAuthorizable(other.authorizableHierarchy);
+ }
}
public TListSentryPrivilegesRequest deepCopy() {
@@ -169,6 +180,7 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
this.requestorUserName = null;
this.roleName = null;
+ this.authorizableHierarchy = null;
}
public int getProtocol_version() {
@@ -239,6 +251,29 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
}
}
+ public TSentryAuthorizable getAuthorizableHierarchy() {
+ return this.authorizableHierarchy;
+ }
+
+ public void setAuthorizableHierarchy(TSentryAuthorizable authorizableHierarchy) {
+ this.authorizableHierarchy = authorizableHierarchy;
+ }
+
+ public void unsetAuthorizableHierarchy() {
+ this.authorizableHierarchy = null;
+ }
+
+ /** Returns true if field authorizableHierarchy is set (has been assigned a value) and false otherwise */
+ public boolean isSetAuthorizableHierarchy() {
+ return this.authorizableHierarchy != null;
+ }
+
+ public void setAuthorizableHierarchyIsSet(boolean value) {
+ if (!value) {
+ this.authorizableHierarchy = null;
+ }
+ }
+
public void setFieldValue(_Fields field, Object value) {
switch (field) {
case PROTOCOL_VERSION:
@@ -265,6 +300,14 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
}
break;
+ case AUTHORIZABLE_HIERARCHY:
+ if (value == null) {
+ unsetAuthorizableHierarchy();
+ } else {
+ setAuthorizableHierarchy((TSentryAuthorizable)value);
+ }
+ break;
+
}
}
@@ -279,6 +322,9 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
case ROLE_NAME:
return getRoleName();
+ case AUTHORIZABLE_HIERARCHY:
+ return getAuthorizableHierarchy();
+
}
throw new IllegalStateException();
}
@@ -296,6 +342,8 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
return isSetRequestorUserName();
case ROLE_NAME:
return isSetRoleName();
+ case AUTHORIZABLE_HIERARCHY:
+ return isSetAuthorizableHierarchy();
}
throw new IllegalStateException();
}
@@ -340,6 +388,15 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
return false;
}
+ boolean this_present_authorizableHierarchy = true && this.isSetAuthorizableHierarchy();
+ boolean that_present_authorizableHierarchy = true && that.isSetAuthorizableHierarchy();
+ if (this_present_authorizableHierarchy || that_present_authorizableHierarchy) {
+ if (!(this_present_authorizableHierarchy && that_present_authorizableHierarchy))
+ return false;
+ if (!this.authorizableHierarchy.equals(that.authorizableHierarchy))
+ return false;
+ }
+
return true;
}
@@ -362,6 +419,11 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
if (present_roleName)
builder.append(roleName);
+ boolean present_authorizableHierarchy = true && (isSetAuthorizableHierarchy());
+ builder.append(present_authorizableHierarchy);
+ if (present_authorizableHierarchy)
+ builder.append(authorizableHierarchy);
+
return builder.toHashCode();
}
@@ -403,6 +465,16 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
return lastComparison;
}
}
+ lastComparison = Boolean.valueOf(isSetAuthorizableHierarchy()).compareTo(typedOther.isSetAuthorizableHierarchy());
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ if (isSetAuthorizableHierarchy()) {
+ lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.authorizableHierarchy, typedOther.authorizableHierarchy);
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ }
return 0;
}
@@ -442,6 +514,16 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
sb.append(this.roleName);
}
first = false;
+ if (isSetAuthorizableHierarchy()) {
+ if (!first) sb.append(", ");
+ sb.append("authorizableHierarchy:");
+ if (this.authorizableHierarchy == null) {
+ sb.append("null");
+ } else {
+ sb.append(this.authorizableHierarchy);
+ }
+ first = false;
+ }
sb.append(")");
return sb.toString();
}
@@ -461,6 +543,9 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
}
// check for sub-struct validity
+ if (authorizableHierarchy != null) {
+ authorizableHierarchy.validate();
+ }
}
private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
@@ -515,7 +600,7 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
}
break;
- case 3: // ROLE_NAME
+ case 4: // ROLE_NAME
if (schemeField.type == org.apache.thrift.protocol.TType.STRING) {
struct.roleName = iprot.readString();
struct.setRoleNameIsSet(true);
@@ -523,6 +608,15 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
}
break;
+ case 5: // AUTHORIZABLE_HIERARCHY
+ if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) {
+ struct.authorizableHierarchy = new TSentryAuthorizable();
+ struct.authorizableHierarchy.read(iprot);
+ struct.setAuthorizableHierarchyIsSet(true);
+ } else {
+ org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+ }
+ break;
default:
org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
}
@@ -549,6 +643,13 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
oprot.writeString(struct.roleName);
oprot.writeFieldEnd();
}
+ if (struct.authorizableHierarchy != null) {
+ if (struct.isSetAuthorizableHierarchy()) {
+ oprot.writeFieldBegin(AUTHORIZABLE_HIERARCHY_FIELD_DESC);
+ struct.authorizableHierarchy.write(oprot);
+ oprot.writeFieldEnd();
+ }
+ }
oprot.writeFieldStop();
oprot.writeStructEnd();
}
@@ -569,6 +670,14 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
oprot.writeI32(struct.protocol_version);
oprot.writeString(struct.requestorUserName);
oprot.writeString(struct.roleName);
+ BitSet optionals = new BitSet();
+ if (struct.isSetAuthorizableHierarchy()) {
+ optionals.set(0);
+ }
+ oprot.writeBitSet(optionals, 1);
+ if (struct.isSetAuthorizableHierarchy()) {
+ struct.authorizableHierarchy.write(oprot);
+ }
}
@Override
@@ -580,6 +689,12 @@ public class TListSentryPrivilegesRequest implements org.apache.thrift.TBase<TLi
struct.setRequestorUserNameIsSet(true);
struct.roleName = iprot.readString();
struct.setRoleNameIsSet(true);
+ BitSet incoming = iprot.readBitSet(1);
+ if (incoming.get(0)) {
+ struct.authorizableHierarchy = new TSentryAuthorizable();
+ struct.authorizableHierarchy.read(iprot);
+ struct.setAuthorizableHierarchyIsSet(true);
+ }
}
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryAuthorizable.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryAuthorizable.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryAuthorizable.java
new file mode 100644
index 0000000..59418a3
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryAuthorizable.java
@@ -0,0 +1,707 @@
+/**
+ * Autogenerated by Thrift Compiler (0.9.0)
+ *
+ * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+ * @generated
+ */
+package org.apache.sentry.provider.db.service.thrift;
+
+import org.apache.commons.lang.builder.HashCodeBuilder;
+import org.apache.thrift.scheme.IScheme;
+import org.apache.thrift.scheme.SchemeFactory;
+import org.apache.thrift.scheme.StandardScheme;
+
+import org.apache.thrift.scheme.TupleScheme;
+import org.apache.thrift.protocol.TTupleProtocol;
+import org.apache.thrift.protocol.TProtocolException;
+import org.apache.thrift.EncodingUtils;
+import org.apache.thrift.TException;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Map;
+import java.util.HashMap;
+import java.util.EnumMap;
+import java.util.Set;
+import java.util.HashSet;
+import java.util.EnumSet;
+import java.util.Collections;
+import java.util.BitSet;
+import java.nio.ByteBuffer;
+import java.util.Arrays;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class TSentryAuthorizable implements org.apache.thrift.TBase<TSentryAuthorizable, TSentryAuthorizable._Fields>, java.io.Serializable, Cloneable {
+ private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("TSentryAuthorizable");
+
+ private static final org.apache.thrift.protocol.TField SERVER_FIELD_DESC = new org.apache.thrift.protocol.TField("server", org.apache.thrift.protocol.TType.STRING, (short)1);
+ private static final org.apache.thrift.protocol.TField URI_FIELD_DESC = new org.apache.thrift.protocol.TField("uri", org.apache.thrift.protocol.TType.STRING, (short)2);
+ private static final org.apache.thrift.protocol.TField DB_FIELD_DESC = new org.apache.thrift.protocol.TField("db", org.apache.thrift.protocol.TType.STRING, (short)3);
+ private static final org.apache.thrift.protocol.TField TABLE_FIELD_DESC = new org.apache.thrift.protocol.TField("table", org.apache.thrift.protocol.TType.STRING, (short)4);
+
+ private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
+ static {
+ schemes.put(StandardScheme.class, new TSentryAuthorizableStandardSchemeFactory());
+ schemes.put(TupleScheme.class, new TSentryAuthorizableTupleSchemeFactory());
+ }
+
+ private String server; // required
+ private String uri; // optional
+ private String db; // optional
+ private String table; // optional
+
+ /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
+ public enum _Fields implements org.apache.thrift.TFieldIdEnum {
+ SERVER((short)1, "server"),
+ URI((short)2, "uri"),
+ DB((short)3, "db"),
+ TABLE((short)4, "table");
+
+ private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
+
+ static {
+ for (_Fields field : EnumSet.allOf(_Fields.class)) {
+ byName.put(field.getFieldName(), field);
+ }
+ }
+
+ /**
+ * Find the _Fields constant that matches fieldId, or null if its not found.
+ */
+ public static _Fields findByThriftId(int fieldId) {
+ switch(fieldId) {
+ case 1: // SERVER
+ return SERVER;
+ case 2: // URI
+ return URI;
+ case 3: // DB
+ return DB;
+ case 4: // TABLE
+ return TABLE;
+ default:
+ return null;
+ }
+ }
+
+ /**
+ * Find the _Fields constant that matches fieldId, throwing an exception
+ * if it is not found.
+ */
+ public static _Fields findByThriftIdOrThrow(int fieldId) {
+ _Fields fields = findByThriftId(fieldId);
+ if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!");
+ return fields;
+ }
+
+ /**
+ * Find the _Fields constant that matches name, or null if its not found.
+ */
+ public static _Fields findByName(String name) {
+ return byName.get(name);
+ }
+
+ private final short _thriftId;
+ private final String _fieldName;
+
+ _Fields(short thriftId, String fieldName) {
+ _thriftId = thriftId;
+ _fieldName = fieldName;
+ }
+
+ public short getThriftFieldId() {
+ return _thriftId;
+ }
+
+ public String getFieldName() {
+ return _fieldName;
+ }
+ }
+
+ // isset id assignments
+ private _Fields optionals[] = {_Fields.URI,_Fields.DB,_Fields.TABLE};
+ public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
+ static {
+ Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
+ tmpMap.put(_Fields.SERVER, new org.apache.thrift.meta_data.FieldMetaData("server", org.apache.thrift.TFieldRequirementType.REQUIRED,
+ new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)));
+ tmpMap.put(_Fields.URI, new org.apache.thrift.meta_data.FieldMetaData("uri", org.apache.thrift.TFieldRequirementType.OPTIONAL,
+ new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)));
+ tmpMap.put(_Fields.DB, new org.apache.thrift.meta_data.FieldMetaData("db", org.apache.thrift.TFieldRequirementType.OPTIONAL,
+ new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)));
+ tmpMap.put(_Fields.TABLE, new org.apache.thrift.meta_data.FieldMetaData("table", org.apache.thrift.TFieldRequirementType.OPTIONAL,
+ new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)));
+ metaDataMap = Collections.unmodifiableMap(tmpMap);
+ org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TSentryAuthorizable.class, metaDataMap);
+ }
+
+ public TSentryAuthorizable() {
+ }
+
+ public TSentryAuthorizable(
+ String server)
+ {
+ this();
+ this.server = server;
+ }
+
+ /**
+ * Performs a deep copy on <i>other</i>.
+ */
+ public TSentryAuthorizable(TSentryAuthorizable other) {
+ if (other.isSetServer()) {
+ this.server = other.server;
+ }
+ if (other.isSetUri()) {
+ this.uri = other.uri;
+ }
+ if (other.isSetDb()) {
+ this.db = other.db;
+ }
+ if (other.isSetTable()) {
+ this.table = other.table;
+ }
+ }
+
+ public TSentryAuthorizable deepCopy() {
+ return new TSentryAuthorizable(this);
+ }
+
+ @Override
+ public void clear() {
+ this.server = null;
+ this.uri = null;
+ this.db = null;
+ this.table = null;
+ }
+
+ public String getServer() {
+ return this.server;
+ }
+
+ public void setServer(String server) {
+ this.server = server;
+ }
+
+ public void unsetServer() {
+ this.server = null;
+ }
+
+ /** Returns true if field server is set (has been assigned a value) and false otherwise */
+ public boolean isSetServer() {
+ return this.server != null;
+ }
+
+ public void setServerIsSet(boolean value) {
+ if (!value) {
+ this.server = null;
+ }
+ }
+
+ public String getUri() {
+ return this.uri;
+ }
+
+ public void setUri(String uri) {
+ this.uri = uri;
+ }
+
+ public void unsetUri() {
+ this.uri = null;
+ }
+
+ /** Returns true if field uri is set (has been assigned a value) and false otherwise */
+ public boolean isSetUri() {
+ return this.uri != null;
+ }
+
+ public void setUriIsSet(boolean value) {
+ if (!value) {
+ this.uri = null;
+ }
+ }
+
+ public String getDb() {
+ return this.db;
+ }
+
+ public void setDb(String db) {
+ this.db = db;
+ }
+
+ public void unsetDb() {
+ this.db = null;
+ }
+
+ /** Returns true if field db is set (has been assigned a value) and false otherwise */
+ public boolean isSetDb() {
+ return this.db != null;
+ }
+
+ public void setDbIsSet(boolean value) {
+ if (!value) {
+ this.db = null;
+ }
+ }
+
+ public String getTable() {
+ return this.table;
+ }
+
+ public void setTable(String table) {
+ this.table = table;
+ }
+
+ public void unsetTable() {
+ this.table = null;
+ }
+
+ /** Returns true if field table is set (has been assigned a value) and false otherwise */
+ public boolean isSetTable() {
+ return this.table != null;
+ }
+
+ public void setTableIsSet(boolean value) {
+ if (!value) {
+ this.table = null;
+ }
+ }
+
+ public void setFieldValue(_Fields field, Object value) {
+ switch (field) {
+ case SERVER:
+ if (value == null) {
+ unsetServer();
+ } else {
+ setServer((String)value);
+ }
+ break;
+
+ case URI:
+ if (value == null) {
+ unsetUri();
+ } else {
+ setUri((String)value);
+ }
+ break;
+
+ case DB:
+ if (value == null) {
+ unsetDb();
+ } else {
+ setDb((String)value);
+ }
+ break;
+
+ case TABLE:
+ if (value == null) {
+ unsetTable();
+ } else {
+ setTable((String)value);
+ }
+ break;
+
+ }
+ }
+
+ public Object getFieldValue(_Fields field) {
+ switch (field) {
+ case SERVER:
+ return getServer();
+
+ case URI:
+ return getUri();
+
+ case DB:
+ return getDb();
+
+ case TABLE:
+ return getTable();
+
+ }
+ throw new IllegalStateException();
+ }
+
+ /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */
+ public boolean isSet(_Fields field) {
+ if (field == null) {
+ throw new IllegalArgumentException();
+ }
+
+ switch (field) {
+ case SERVER:
+ return isSetServer();
+ case URI:
+ return isSetUri();
+ case DB:
+ return isSetDb();
+ case TABLE:
+ return isSetTable();
+ }
+ throw new IllegalStateException();
+ }
+
+ @Override
+ public boolean equals(Object that) {
+ if (that == null)
+ return false;
+ if (that instanceof TSentryAuthorizable)
+ return this.equals((TSentryAuthorizable)that);
+ return false;
+ }
+
+ public boolean equals(TSentryAuthorizable that) {
+ if (that == null)
+ return false;
+
+ boolean this_present_server = true && this.isSetServer();
+ boolean that_present_server = true && that.isSetServer();
+ if (this_present_server || that_present_server) {
+ if (!(this_present_server && that_present_server))
+ return false;
+ if (!this.server.equals(that.server))
+ return false;
+ }
+
+ boolean this_present_uri = true && this.isSetUri();
+ boolean that_present_uri = true && that.isSetUri();
+ if (this_present_uri || that_present_uri) {
+ if (!(this_present_uri && that_present_uri))
+ return false;
+ if (!this.uri.equals(that.uri))
+ return false;
+ }
+
+ boolean this_present_db = true && this.isSetDb();
+ boolean that_present_db = true && that.isSetDb();
+ if (this_present_db || that_present_db) {
+ if (!(this_present_db && that_present_db))
+ return false;
+ if (!this.db.equals(that.db))
+ return false;
+ }
+
+ boolean this_present_table = true && this.isSetTable();
+ boolean that_present_table = true && that.isSetTable();
+ if (this_present_table || that_present_table) {
+ if (!(this_present_table && that_present_table))
+ return false;
+ if (!this.table.equals(that.table))
+ return false;
+ }
+
+ return true;
+ }
+
+ @Override
+ public int hashCode() {
+ HashCodeBuilder builder = new HashCodeBuilder();
+
+ boolean present_server = true && (isSetServer());
+ builder.append(present_server);
+ if (present_server)
+ builder.append(server);
+
+ boolean present_uri = true && (isSetUri());
+ builder.append(present_uri);
+ if (present_uri)
+ builder.append(uri);
+
+ boolean present_db = true && (isSetDb());
+ builder.append(present_db);
+ if (present_db)
+ builder.append(db);
+
+ boolean present_table = true && (isSetTable());
+ builder.append(present_table);
+ if (present_table)
+ builder.append(table);
+
+ return builder.toHashCode();
+ }
+
+ public int compareTo(TSentryAuthorizable other) {
+ if (!getClass().equals(other.getClass())) {
+ return getClass().getName().compareTo(other.getClass().getName());
+ }
+
+ int lastComparison = 0;
+ TSentryAuthorizable typedOther = (TSentryAuthorizable)other;
+
+ lastComparison = Boolean.valueOf(isSetServer()).compareTo(typedOther.isSetServer());
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ if (isSetServer()) {
+ lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.server, typedOther.server);
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ }
+ lastComparison = Boolean.valueOf(isSetUri()).compareTo(typedOther.isSetUri());
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ if (isSetUri()) {
+ lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.uri, typedOther.uri);
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ }
+ lastComparison = Boolean.valueOf(isSetDb()).compareTo(typedOther.isSetDb());
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ if (isSetDb()) {
+ lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.db, typedOther.db);
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ }
+ lastComparison = Boolean.valueOf(isSetTable()).compareTo(typedOther.isSetTable());
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ if (isSetTable()) {
+ lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.table, typedOther.table);
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ }
+ return 0;
+ }
+
+ public _Fields fieldForId(int fieldId) {
+ return _Fields.findByThriftId(fieldId);
+ }
+
+ public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException {
+ schemes.get(iprot.getScheme()).getScheme().read(iprot, this);
+ }
+
+ public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException {
+ schemes.get(oprot.getScheme()).getScheme().write(oprot, this);
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder sb = new StringBuilder("TSentryAuthorizable(");
+ boolean first = true;
+
+ sb.append("server:");
+ if (this.server == null) {
+ sb.append("null");
+ } else {
+ sb.append(this.server);
+ }
+ first = false;
+ if (isSetUri()) {
+ if (!first) sb.append(", ");
+ sb.append("uri:");
+ if (this.uri == null) {
+ sb.append("null");
+ } else {
+ sb.append(this.uri);
+ }
+ first = false;
+ }
+ if (isSetDb()) {
+ if (!first) sb.append(", ");
+ sb.append("db:");
+ if (this.db == null) {
+ sb.append("null");
+ } else {
+ sb.append(this.db);
+ }
+ first = false;
+ }
+ if (isSetTable()) {
+ if (!first) sb.append(", ");
+ sb.append("table:");
+ if (this.table == null) {
+ sb.append("null");
+ } else {
+ sb.append(this.table);
+ }
+ first = false;
+ }
+ sb.append(")");
+ return sb.toString();
+ }
+
+ public void validate() throws org.apache.thrift.TException {
+ // check for required fields
+ if (!isSetServer()) {
+ throw new org.apache.thrift.protocol.TProtocolException("Required field 'server' is unset! Struct:" + toString());
+ }
+
+ // check for sub-struct validity
+ }
+
+ private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
+ try {
+ write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out)));
+ } catch (org.apache.thrift.TException te) {
+ throw new java.io.IOException(te);
+ }
+ }
+
+ private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException {
+ try {
+ read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in)));
+ } catch (org.apache.thrift.TException te) {
+ throw new java.io.IOException(te);
+ }
+ }
+
+ private static class TSentryAuthorizableStandardSchemeFactory implements SchemeFactory {
+ public TSentryAuthorizableStandardScheme getScheme() {
+ return new TSentryAuthorizableStandardScheme();
+ }
+ }
+
+ private static class TSentryAuthorizableStandardScheme extends StandardScheme<TSentryAuthorizable> {
+
+ public void read(org.apache.thrift.protocol.TProtocol iprot, TSentryAuthorizable struct) throws org.apache.thrift.TException {
+ org.apache.thrift.protocol.TField schemeField;
+ iprot.readStructBegin();
+ while (true)
+ {
+ schemeField = iprot.readFieldBegin();
+ if (schemeField.type == org.apache.thrift.protocol.TType.STOP) {
+ break;
+ }
+ switch (schemeField.id) {
+ case 1: // SERVER
+ if (schemeField.type == org.apache.thrift.protocol.TType.STRING) {
+ struct.server = iprot.readString();
+ struct.setServerIsSet(true);
+ } else {
+ org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+ }
+ break;
+ case 2: // URI
+ if (schemeField.type == org.apache.thrift.protocol.TType.STRING) {
+ struct.uri = iprot.readString();
+ struct.setUriIsSet(true);
+ } else {
+ org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+ }
+ break;
+ case 3: // DB
+ if (schemeField.type == org.apache.thrift.protocol.TType.STRING) {
+ struct.db = iprot.readString();
+ struct.setDbIsSet(true);
+ } else {
+ org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+ }
+ break;
+ case 4: // TABLE
+ if (schemeField.type == org.apache.thrift.protocol.TType.STRING) {
+ struct.table = iprot.readString();
+ struct.setTableIsSet(true);
+ } else {
+ org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+ }
+ break;
+ default:
+ org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+ }
+ iprot.readFieldEnd();
+ }
+ iprot.readStructEnd();
+ struct.validate();
+ }
+
+ public void write(org.apache.thrift.protocol.TProtocol oprot, TSentryAuthorizable struct) throws org.apache.thrift.TException {
+ struct.validate();
+
+ oprot.writeStructBegin(STRUCT_DESC);
+ if (struct.server != null) {
+ oprot.writeFieldBegin(SERVER_FIELD_DESC);
+ oprot.writeString(struct.server);
+ oprot.writeFieldEnd();
+ }
+ if (struct.uri != null) {
+ if (struct.isSetUri()) {
+ oprot.writeFieldBegin(URI_FIELD_DESC);
+ oprot.writeString(struct.uri);
+ oprot.writeFieldEnd();
+ }
+ }
+ if (struct.db != null) {
+ if (struct.isSetDb()) {
+ oprot.writeFieldBegin(DB_FIELD_DESC);
+ oprot.writeString(struct.db);
+ oprot.writeFieldEnd();
+ }
+ }
+ if (struct.table != null) {
+ if (struct.isSetTable()) {
+ oprot.writeFieldBegin(TABLE_FIELD_DESC);
+ oprot.writeString(struct.table);
+ oprot.writeFieldEnd();
+ }
+ }
+ oprot.writeFieldStop();
+ oprot.writeStructEnd();
+ }
+
+ }
+
+ private static class TSentryAuthorizableTupleSchemeFactory implements SchemeFactory {
+ public TSentryAuthorizableTupleScheme getScheme() {
+ return new TSentryAuthorizableTupleScheme();
+ }
+ }
+
+ private static class TSentryAuthorizableTupleScheme extends TupleScheme<TSentryAuthorizable> {
+
+ @Override
+ public void write(org.apache.thrift.protocol.TProtocol prot, TSentryAuthorizable struct) throws org.apache.thrift.TException {
+ TTupleProtocol oprot = (TTupleProtocol) prot;
+ oprot.writeString(struct.server);
+ BitSet optionals = new BitSet();
+ if (struct.isSetUri()) {
+ optionals.set(0);
+ }
+ if (struct.isSetDb()) {
+ optionals.set(1);
+ }
+ if (struct.isSetTable()) {
+ optionals.set(2);
+ }
+ oprot.writeBitSet(optionals, 3);
+ if (struct.isSetUri()) {
+ oprot.writeString(struct.uri);
+ }
+ if (struct.isSetDb()) {
+ oprot.writeString(struct.db);
+ }
+ if (struct.isSetTable()) {
+ oprot.writeString(struct.table);
+ }
+ }
+
+ @Override
+ public void read(org.apache.thrift.protocol.TProtocol prot, TSentryAuthorizable struct) throws org.apache.thrift.TException {
+ TTupleProtocol iprot = (TTupleProtocol) prot;
+ struct.server = iprot.readString();
+ struct.setServerIsSet(true);
+ BitSet incoming = iprot.readBitSet(3);
+ if (incoming.get(0)) {
+ struct.uri = iprot.readString();
+ struct.setUriIsSet(true);
+ }
+ if (incoming.get(1)) {
+ struct.db = iprot.readString();
+ struct.setDbIsSet(true);
+ }
+ if (incoming.get(2)) {
+ struct.table = iprot.readString();
+ struct.setTableIsSet(true);
+ }
+ }
+ }
+
+}
+
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
index 54c1d6d..b66037a 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
@@ -22,6 +22,7 @@ import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.common.ProviderBackendContext;
@@ -31,6 +32,7 @@ import org.slf4j.LoggerFactory;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
public class SimpleDBProviderBackend implements ProviderBackend {
@@ -71,12 +73,12 @@ public class SimpleDBProviderBackend implements ProviderBackend {
* {@inheritDoc}
*/
@Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
+ public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) {
if (!initialized) {
throw new IllegalStateException("Backend has not been properly initialized");
}
try {
- return ImmutableSet.copyOf(policyServiceClient.listPrivilegesForProvider(groups, roleSet));
+ return ImmutableSet.copyOf(policyServiceClient.listPrivilegesForProvider(groups, roleSet, authorizableHierarchy));
} catch (SentryUserException e) {
String msg = "Unable to obtain privileges from server: " + e.getMessage();
LOGGER.error(msg, e);
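Review bot: The new `authorizableHierarchy` varargs is forwarded to `listPrivilegesForProvider` with no statement of what a null or empty hierarchy means, and because this call decides which privileges the caller gets to evaluate, that contract should be written down: server-side filtering is only a safe optimisation if the filtered result is a superset of what the caller would have matched locally. I would replace the bare `{@inheritDoc}` with a sentence along the lines of `Forwards {@code authorizableHierarchy} so the service can filter privileges before transfer; a null or empty hierarchy is expected to return the unfiltered set — confirm against the server-side implementation.` The `com.google.common.collect.Lists` import added in the earlier hunk is not used on any visible line; if nothing else in the file uses it, it should be dropped. The catch block of `getPrivileges` continues past the end of this hunk.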
@@ -109,4 +111,4 @@ public class SimpleDBProviderBackend implements ProviderBackend {
}
// db provider does not implement validation
}
-}
\ No newline at end of file
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
index 952ee78..5642f8b 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
@@ -41,7 +41,7 @@ public class MSentryPrivilege {
private String URI;
private String action;
// roles this privilege is a part of
- private final Set<MSentryRole> roles;
+ private Set<MSentryRole> roles;
private long createTime;
private String grantorPrincipal;