Posted to commits@sentry.apache.org by co...@apache.org on 2016/06/27 01:27:23 UTC
[1/6] sentry git commit: SENTRY-1288: Create sentry-service-client
module (Colin Ma, reviewed by Dapeng Sun)
Repository: sentry
Updated Branches:
refs/heads/SENTRY-1205 e72e6eacf -> 018750927
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
new file mode 100644
index 0000000..2d2dcb5
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
@@ -0,0 +1,117 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants;
+
+public final class CommandUtil {
+
+ public static final String SPLIT_CHAR = ",";
+
+ private CommandUtil() {
+ // Make constructor private to avoid instantiation
+ }
+
+ // parse the privilege in String and get the TSentryPrivilege as result
+ public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) throws Exception {
+ TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
+ KeyValue tempKV = new KeyValue(authorizable);
+ String key = tempKV.getKey();
+ String value = tempKV.getValue();
+
+ if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setServerName(value);
+ } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setDbName(value);
+ } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setTableName(value);
+ } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setColumnName(value);
+ } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setURI(value);
+ } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setAction(value);
+ } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) {
+ TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE
+ : TSentryGrantOption.FALSE;
+ tSentryPrivilege.setGrantOption(grantOption);
+ }
+ }
+ tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege));
+ validatePrivilegeHierarchy(tSentryPrivilege);
+ return tSentryPrivilege;
+ }
+
+ // for the different hierarchy for hive:
+ // 1: server->url
+ // 2: server->database->table->column
+ // if both of them are found in the privilege string, the privilege scope will be set as
+ // PrivilegeScope.URI
+ private static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) {
+ ServiceConstants.PrivilegeScope privilegeScope = ServiceConstants.PrivilegeScope.SERVER;
+ if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) {
+ privilegeScope = ServiceConstants.PrivilegeScope.URI;
+ } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) {
+ privilegeScope = ServiceConstants.PrivilegeScope.COLUMN;
+ } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) {
+ privilegeScope = ServiceConstants.PrivilegeScope.TABLE;
+ } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) {
+ privilegeScope = ServiceConstants.PrivilegeScope.DATABASE;
+ }
+ return privilegeScope.toString();
+ }
+
+ // check the privilege value for the specific privilege scope
+ // eg, for the table scope, server and database can't be empty
+ private static void validatePrivilegeHierarchy(TSentryPrivilege tSentryPrivilege) throws Exception {
+ String serverName = tSentryPrivilege.getServerName();
+ String dbName = tSentryPrivilege.getDbName();
+ String tableName = tSentryPrivilege.getTableName();
+ String columnName = tSentryPrivilege.getColumnName();
+ String uri = tSentryPrivilege.getURI();
+ if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ if (StringUtils.isEmpty(serverName)) {
+ throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
+ }
+ } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(uri)) {
+ throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
+ }
+ } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)) {
+ throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
+ }
+ } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)
+ || StringUtils.isEmpty(tableName)) {
+ throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
+ }
+ } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())
+ && (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)
+ || StringUtils.isEmpty(tableName) || StringUtils.isEmpty(columnName))) {
+ throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
+ }
+ }
+}
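Review bot: Unknown keys in privilegeStr are silently dropped by the if/else chain at L59–L75, so a mistyped key such as `actoin=select` yields a privilege with no action and the grant is sent with whatever the service makes of an empty action; for a tool that writes authorization policy this should fail loudly rather than guess. Add a final branch to the chain: `} else { throw new IllegalArgumentException("Unknown privilege key: " + key); }`. The four identical "The hierarchy of privilege is not correct." messages in validatePrivilegeHierarchy would also help an operator more if they named the scope and the missing field, e.g. `"Privilege scope " + tSentryPrivilege.getPrivilegeScope() + " requires server and database names"`. Note that validatePrivilegeHierarchy never checks action, so `server=s1->db=d1` with no action passes validation here — confirm whether the service rejects an empty action or treats it as something broader.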
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
new file mode 100644
index 0000000..5a4834a
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+
+/**
+ * The class for admin command to create role.
+ */
+public class CreateRoleCmd implements Command {
+
+ private String roleName;
+
+ public CreateRoleCmd(String roleName) {
+ this.roleName = roleName;
+ }
+
+ @Override
+ public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+ client.createRole(requestorName, roleName);
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
new file mode 100644
index 0000000..facec0e
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+
+/**
+ * The class for admin command to drop role.
+ */
+public class DropRoleCmd implements Command {
+
+ private String roleName;
+
+ public DropRoleCmd(String roleName) {
+ this.roleName = roleName;
+ }
+
+ @Override
+ public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+ client.dropRole(requestorName, roleName);
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
new file mode 100644
index 0000000..a1ef2f9
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants;
+
+/**
+ * The class for admin command to grant privilege to role.
+ */
+public class GrantPrivilegeToRoleCmd implements Command {
+
+ private String roleName;
+ private String privilegeStr;
+
+ public GrantPrivilegeToRoleCmd(String roleName, String privilegeStr) {
+ this.roleName = roleName;
+ this.privilegeStr = privilegeStr;
+ }
+
+ @Override
+ public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+ TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
+ boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false;
+ if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ client.grantServerPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+ tSentryPrivilege.getAction(), grantOption);
+ } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ client.grantDatabasePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+ tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption);
+ } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ client.grantTablePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+ tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
+ tSentryPrivilege.getAction(), grantOption);
+ } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ client.grantColumnPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+ tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
+ tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption);
+ } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ client.grantURIPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+ tSentryPrivilege.getURI(), grantOption);
+ }
+ }
+}
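Review bot: `tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE)` on L271 dereferences the grant option, but CommandUtil.convertToTSentryPrivilege only calls setGrantOption when the privilege string contains a grantoption key; unless the Thrift struct gives the field a default (not visible in this hunk), a privilege string without that key throws NullPointerException before any grant is attempted. Write it null-safe and drop the redundant ternary: `boolean grantOption = TSentryGrantOption.TRUE.equals(tSentryPrivilege.getGrantOption());`. The scope chain at L272–L289 has no final else, so an unrecognised scope string silently grants nothing and the command still exits successfully; a trailing `else { throw new IllegalArgumentException("Unsupported privilege scope: " + tSentryPrivilege.getPrivilegeScope()); }` makes that visible.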
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
new file mode 100644
index 0000000..07a3de4
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import com.google.common.collect.Sets;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.tools.SentryShellCommon;
+
+import java.util.Set;
+
+/**
+ * The class for admin command to grant role to group.
+ */
+public class GrantRoleToGroupsCmd implements Command {
+
+ private String roleName;
+ private String groupNamesStr;
+
+ public GrantRoleToGroupsCmd(String roleName, String groupNamesStr) {
+ this.roleName = roleName;
+ this.groupNamesStr = groupNamesStr;
+ }
+
+ @Override
+ public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+ Set<String> groups = Sets.newHashSet(groupNamesStr.split(SentryShellCommon.GROUP_SPLIT_CHAR));
+ client.grantRoleToGroups(requestorName, roleName, groups);
+ }
+}
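Review bot: `groupNamesStr.split(SentryShellCommon.GROUP_SPLIT_CHAR)` on L340 keeps surrounding whitespace and interior empty tokens, so `admins, analysts` grants the role to a group literally named ` analysts` and `a,,b` to a group with an empty name; group names are the authorization subject here, so the role silently lands on a non-existent group while the command reports success. Unless SentryShellCommon already trims the option value (its parsing is outside this hunk), trim each token and drop blanks before calling grantRoleToGroups, and reject an empty result. RevokeRoleFromGroupsCmd in the same commit splits on `CommandUtil.SPLIT_CHAR` instead of this constant; the two commands should use the same delimiter definition.
```java
Set<String> groups = Sets.newHashSet();
for (String group : groupNamesStr.split(SentryShellCommon.GROUP_SPLIT_CHAR)) {
  String name = group.trim();
  if (!name.isEmpty()) {
    groups.add(name);
  }
}
if (groups.isEmpty()) {
  throw new IllegalArgumentException("No group name given");
}
client.grantRoleToGroups(requestorName, roleName, groups);
```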
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
new file mode 100644
index 0000000..5f3e9fb
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
@@ -0,0 +1,97 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import com.google.common.collect.Lists;
+import org.apache.commons.lang.StringUtils;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+
+import java.util.List;
+import java.util.Set;
+
+/**
+ * The class for admin command to list privileges.
+ */
+public class ListPrivilegesCmd implements Command {
+
+ private String roleName;
+
+ public ListPrivilegesCmd(String roleName) {
+ this.roleName = roleName;
+ }
+
+ @Override
+ public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+ Set<TSentryPrivilege> privileges = client
+ .listAllPrivilegesByRoleName(requestorName, roleName);
+ if (privileges != null) {
+ for (TSentryPrivilege privilege : privileges) {
+ String privilegeStr = convertToPrivilegeStr(privilege);
+ System.out.println(privilegeStr);
+ }
+ }
+ }
+
+ // convert TSentryPrivilege to privilege in string
+ private String convertToPrivilegeStr(TSentryPrivilege tSentryPrivilege) {
+ List<String> privileges = Lists.newArrayList();
+ if (tSentryPrivilege != null) {
+ String serverName = tSentryPrivilege.getServerName();
+ String dbName = tSentryPrivilege.getDbName();
+ String tableName = tSentryPrivilege.getTableName();
+ String columnName = tSentryPrivilege.getColumnName();
+ String uri = tSentryPrivilege.getURI();
+ String action = tSentryPrivilege.getAction();
+ String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
+ : "false");
+ if (!StringUtils.isEmpty(serverName)) {
+ privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_SERVER_NAME,
+ serverName));
+ if (!StringUtils.isEmpty(uri)) {
+ privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_URI_NAME,
+ uri));
+ } else if (!StringUtils.isEmpty(dbName)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_DATABASE_NAME, dbName));
+ if (!StringUtils.isEmpty(tableName)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_TABLE_NAME, tableName));
+ if (!StringUtils.isEmpty(columnName)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_COLUMN_NAME, columnName));
+ }
+ }
+ }
+ if (!StringUtils.isEmpty(action)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
+ }
+ }
+ // only append the grant option to privilege string if it's true
+ if ("true".equals(grantOption)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
+ }
+ }
+ return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
new file mode 100644
index 0000000..283f2c0
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+
+import java.util.Set;
+
+/**
+ * The class for admin command to list roles.
+ */
+public class ListRolesCmd implements Command {
+
+ private String groupName;
+
+ public ListRolesCmd(String groupName) {
+ this.groupName = groupName;
+ }
+
+ @Override
+ public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+ Set<TSentryRole> roles;
+ if (StringUtils.isEmpty(groupName)) {
+ roles = client.listRoles(requestorName);
+ } else {
+ roles = client.listRolesByGroupName(requestorName, groupName);
+ }
+ if (roles != null) {
+ for (TSentryRole role : roles) {
+ System.out.println(role.getRoleName());
+ }
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
new file mode 100644
index 0000000..f3da6c4
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants;
+
+/**
+ * The class for admin command to revoke privileges from role.
+ */
+public class RevokePrivilegeFromRoleCmd implements Command {
+
+ private String roleName;
+ private String privilegeStr;
+
+ public RevokePrivilegeFromRoleCmd(String roleName, String privilegeStr) {
+ this.roleName = roleName;
+ this.privilegeStr = privilegeStr;
+ }
+
+ @Override
+ public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+ TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
+ boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false;
+ if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ client.revokeServerPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+ grantOption);
+ } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ client.revokeDatabasePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+ tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption);
+ } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ client.revokeTablePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+ tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
+ tSentryPrivilege.getAction(), grantOption);
+ } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ client.revokeColumnPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+ tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
+ tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption);
+ } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+ client.revokeURIPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+ tSentryPrivilege.getURI(), grantOption);
+ }
+ }
+
+}
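Review bot: The SERVER branch on L558–L559 discards the parsed action: `revokeServerPrivilege(requestorName, roleName, serverName, grantOption)` is called without `tSentryPrivilege.getAction()`, whereas GrantPrivilegeToRoleCmd passes the action for the same scope and every other branch in this method passes it. A user running revoke with `server=s1->action=select` therefore gets whatever the action-less client method does; if that revokes every server-level privilege of the role it is a broader revocation than the operator asked for. If the client exposes an overload taking the action (its signature is outside this hunk), use it: `client.revokeServerPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(), tSentryPrivilege.getAction(), grantOption);`; otherwise reject a non-empty action for server scope instead of silently dropping it. As in the grant command, `getGrantOption().equals(TSentryGrantOption.TRUE)` on L556 is not null-safe; `TSentryGrantOption.TRUE.equals(tSentryPrivilege.getGrantOption())` avoids an NPE when the key is absent.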
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
new file mode 100644
index 0000000..86773ca
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import com.google.common.collect.Sets;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+
+import java.util.Set;
+
+/**
+ * The class for admin command to revoke role from group.
+ */
+public class RevokeRoleFromGroupsCmd implements Command {
+
+ private String roleName;
+ private String groupNamesStr;
+
+ public RevokeRoleFromGroupsCmd(String roleName, String groupNamesStr) {
+ this.roleName = roleName;
+ this.groupNamesStr = groupNamesStr;
+ }
+
+ @Override
+ public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+ Set<String> groups = Sets.newHashSet(groupNamesStr.split(CommandUtil.SPLIT_CHAR));
+ client.revokeRoleFromGroups(requestorName, roleName, groups);
+ }
+}
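Review bot: L625 splits the group list on `CommandUtil.SPLIT_CHAR` while GrantRoleToGroupsCmd in the same commit splits on `SentryShellCommon.GROUP_SPLIT_CHAR`; if those two constants ever diverge, a role granted with `a,b` cannot be revoked with the same argument and the grant stays in place. Use a single delimiter constant in both commands, e.g. `Sets.newHashSet(groupNamesStr.split(SentryShellCommon.GROUP_SPLIT_CHAR))`, and keep the other definition only if something else needs it. Tokens are also not trimmed or filtered, so ` b` and the empty string are passed to revokeRoleFromGroups as group names; trimming and skipping blanks here should mirror whatever the grant command does.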
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java
new file mode 100644
index 0000000..d97a07e
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java
@@ -0,0 +1,139 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.service.thrift;
+
+import java.io.IOException;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.net.InetSocketAddress;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.curator.x.discovery.ServiceInstance;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.service.persistent.HAContext;
+import org.apache.sentry.provider.db.service.persistent.ServiceManager;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Preconditions;
+
+public class HAClientInvocationHandler extends SentryClientInvocationHandler {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(HAClientInvocationHandler.class);
+
+ private final Configuration conf;
+ private ServiceManager manager;
+ private ServiceInstance<Void> currentServiceInstance;
+ private SentryPolicyServiceClient client = null;
+
+ private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
+ public static final String SENTRY_HA_ERROR_MESSAGE = "No Sentry server available. Please ensure that at least one Sentry server is online";
+
+ public HAClientInvocationHandler(Configuration conf) throws Exception {
+ this.conf = conf;
+ checkClientConf();
+ }
+
+ @Override
+ public Object invokeImpl(Object proxy, Method method, Object[] args) throws
+ SentryUserException {
+ Object result = null;
+ try {
+ if (!method.isAccessible()) {
+ method.setAccessible(true);
+ }
+ // The client is initialized in the first call instead of constructor.
+ // This way we can propagate the connection exception to caller cleanly
+ if (client == null) {
+ renewSentryClient();
+ }
+ result = method.invoke(client, args);
+ } catch (IllegalAccessException e) {
+ throw new SentryUserException(e.getMessage(), e.getCause());
+ } catch (InvocationTargetException e) {
+ if (e.getTargetException() instanceof SentryUserException) {
+ throw (SentryUserException)e.getTargetException();
+ } else {
+ LOGGER.warn(THRIFT_EXCEPTION_MESSAGE + ": Error in connect current" +
+ " service, will retry other service.", e);
+ if (client != null) {
+ client.close();
+ client = null;
+ }
+ }
+ } catch (IOException e1) {
+ throw new SentryUserException("Error connecting to sentry service "
+ + e1.getMessage(), e1);
+ }
+ return result;
+ }
+
+ // Retrieve the new connection endpoint from ZK and connect to new server
+ private void renewSentryClient() throws IOException {
+ try {
+ manager = new ServiceManager(HAContext.getHAContext(conf));
+ } catch (Exception e1) {
+ throw new IOException("Failed to extract Sentry node info from zookeeper", e1);
+ }
+
+ try {
+ while (true) {
+ currentServiceInstance = manager.getServiceInstance();
+ if (currentServiceInstance == null) {
+ throw new IOException(SENTRY_HA_ERROR_MESSAGE);
+ }
+ InetSocketAddress serverAddress =
+ ServiceManager.convertServiceInstance(currentServiceInstance);
+ conf.set(ServiceConstants.ClientConfig.SERVER_RPC_ADDRESS, serverAddress.getHostName());
+ conf.setInt(ServiceConstants.ClientConfig.SERVER_RPC_PORT, serverAddress.getPort());
+ try {
+ client = new SentryPolicyServiceClientDefaultImpl(conf);
+ LOGGER.info("Sentry Client using server " + serverAddress.getHostName() +
+ ":" + serverAddress.getPort());
+ break;
+ } catch (IOException e) {
+ manager.reportError(currentServiceInstance);
+ LOGGER.info("Transport exception while opening transport:", e, e.getMessage());
+ }
+ }
+ } finally {
+ manager.close();
+ }
+ }
+
+ private void checkClientConf() {
+ if (conf.getBoolean(ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY,
+ ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY_DEFAULT)) {
+ String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
+ ServerConfig.PRINCIPAL + " is required");
+ Preconditions.checkArgument(serverPrincipal.contains(SecurityUtil.HOSTNAME_PATTERN),
+ ServerConfig.PRINCIPAL + " : " + serverPrincipal + " should contain " + SecurityUtil.HOSTNAME_PATTERN);
+ }
+ }
+
+ @Override
+ public void close() {
+ if (client != null) {
+ client.close();
+ }
+ }
+}
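Review bot: When the proxied call fails with anything other than a `SentryUserException`, the `InvocationTargetException` branch in `invokeImpl` logs that it "will retry other service", closes the client, and then falls through to `return result`, so the caller receives `null` for a failed call and no retry actually happens. After `client = null;` either rethrow — `throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE + e.getTargetException().getMessage(), e.getTargetException());` — or loop back through `renewSentryClient()` so the log message is true. The `IllegalAccessException` handler also discards the exception itself by passing `e.getCause()`; pass `e`. Separately, `renewSentryClient` writes the chosen server's host and port back into the caller-supplied `conf`, which callers may share with other clients; consider copying it (`new Configuration(conf)`) before mutating.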
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java
new file mode 100644
index 0000000..a35bf1d
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java
@@ -0,0 +1,154 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.service.thrift;
+
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+import org.apache.commons.pool2.PooledObjectFactory;
+import org.apache.commons.pool2.impl.AbandonedConfig;
+import org.apache.commons.pool2.impl.GenericObjectPool;
+import org.apache.commons.pool2.impl.GenericObjectPoolConfig;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
+import org.apache.thrift.transport.TTransportException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * The PoolClientInvocationHandler is a proxy class for handling thrift call. For every thrift call,
+ * get the instance of SentryPolicyServiceBaseClient from the commons-pool, and return the instance
+ * to the commons-pool after complete the call. For any exception with the call, discard the
+ * instance and create a new one added to the commons-pool. Then, get the instance and do the call
+ * again. For the thread safe, the commons-pool will manage the connection pool, and every thread
+ * can get the connection by borrowObject() and return the connection to the pool by returnObject().
+ */
+
+public class PoolClientInvocationHandler extends SentryClientInvocationHandler {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(PoolClientInvocationHandler.class);
+
+ private final Configuration conf;
+ private PooledObjectFactory<SentryPolicyServiceClient> poolFactory;
+ private GenericObjectPool<SentryPolicyServiceClient> pool;
+ private GenericObjectPoolConfig poolConfig;
+ private int connectionRetryTotal;
+
+ private static final String POOL_EXCEPTION_MESSAGE = "Pool exception occured ";
+
+ public PoolClientInvocationHandler(Configuration conf) throws Exception {
+ this.conf = conf;
+ readConfiguration();
+ poolFactory = new SentryServiceClientPoolFactory(conf);
+ pool = new GenericObjectPool<SentryPolicyServiceClient>(poolFactory, poolConfig, new AbandonedConfig());
+ }
+
+ @Override
+ public Object invokeImpl(Object proxy, Method method, Object[] args) throws Exception {
+ int retryCount = 0;
+ Object result = null;
+ while (retryCount < connectionRetryTotal) {
+ try {
+ // The wapper here is for the retry of thrift call, the default retry number is 3.
+ result = invokeFromPool(method, args);
+ break;
+ } catch (TTransportException e) {
+ // TTransportException means there has connection problem, create a new connection and try
+ // again. Get the lock of pool and add new connection.
+ synchronized (pool) {
+ // If there has room, create new instance and add it to the commons-pool, this instance
+ // will be back first from the commons-pool because the configuration is LIFO.
+ if (pool.getNumIdle() + pool.getNumActive() < pool.getMaxTotal()) {
+ pool.addObject();
+ }
+ }
+ // Increase the retry num, and throw the exception if can't retry again.
+ retryCount++;
+ if (retryCount == connectionRetryTotal) {
+ throw new SentryUserException(e.getMessage(), e);
+ }
+ }
+ }
+ return result;
+ }
+
+ private Object invokeFromPool(Method method, Object[] args) throws Exception {
+ Object result = null;
+ SentryPolicyServiceClient client;
+ try {
+ // get the connection from the pool, don't know if the connection is broken.
+ client = pool.borrowObject();
+ } catch (Exception e) {
+ LOGGER.debug(POOL_EXCEPTION_MESSAGE, e);
+ throw new SentryUserException(e.getMessage(), e);
+ }
+ try {
+ // do the thrift call
+ result = method.invoke(client, args);
+ } catch (InvocationTargetException e) {
+ // Get the target exception, check if SentryUserException or TTransportException is wrapped.
+ // TTransportException means there has connection problem with the pool.
+ Throwable targetException = e.getCause();
+ if (targetException instanceof SentryUserException) {
+ Throwable sentryTargetException = targetException.getCause();
+ // If there has connection problem, eg, invalid connection if the service restarted,
+ // sentryTargetException instanceof TTransportException = true.
+ if (sentryTargetException instanceof TTransportException) {
+ // If the exception is caused by connection problem, destroy the instance and
+ // remove it from the commons-pool. Throw the TTransportException for reconnect.
+ pool.invalidateObject(client);
+ throw new TTransportException(sentryTargetException);
+ }
+ // The exception is thrown by thrift call, eg, SentryAccessDeniedException.
+ throw (SentryUserException) targetException;
+ }
+ throw e;
+ } finally{
+ try {
+ // return the instance to commons-pool
+ pool.returnObject(client);
+ } catch (Exception e) {
+ LOGGER.error(POOL_EXCEPTION_MESSAGE, e);
+ throw e;
+ }
+ }
+ return result;
+ }
+
+ @Override
+ public void close() {
+ try {
+ pool.close();
+ } catch (Exception e) {
+ LOGGER.debug(POOL_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ private void readConfiguration() {
+ poolConfig = new GenericObjectPoolConfig();
+ // config the pool size for commons-pool
+ poolConfig.setMaxTotal(conf.getInt(ClientConfig.SENTRY_POOL_MAX_TOTAL, ClientConfig.SENTRY_POOL_MAX_TOTAL_DEFAULT));
+ poolConfig.setMinIdle(conf.getInt(ClientConfig.SENTRY_POOL_MIN_IDLE, ClientConfig.SENTRY_POOL_MIN_IDLE_DEFAULT));
+ poolConfig.setMaxIdle(conf.getInt(ClientConfig.SENTRY_POOL_MAX_IDLE, ClientConfig.SENTRY_POOL_MAX_IDLE_DEFAULT));
+ // get the retry number for reconnecting service
+ connectionRetryTotal = conf.getInt(ClientConfig.SENTRY_POOL_RETRY_TOTAL,
+ ClientConfig.SENTRY_POOL_RETRY_TOTAL_DEFAULT);
+ }
+}
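Review bot: `pool.addObject()` inside the `synchronized (pool)` block of `invokeImpl` can itself throw when the factory cannot open a new connection (the very condition that triggered the retry), and that exception escapes the method before `retryCount` is checked, so the remaining retries are skipped and the caller sees a raw exception rather than the `SentryUserException` the loop otherwise produces. Catching it there — `try { pool.addObject(); } catch (Exception ex) { LOGGER.debug(POOL_EXCEPTION_MESSAGE, ex); }` — keeps the retry loop in control. In `invokeFromPool`, the final `throw e;` rethrows the `InvocationTargetException` itself, which no client interface method declares, so the `Proxy` will surface it to callers as `UndeclaredThrowableException`; rethrow `targetException` when it is an `Exception` instead. Note also that if `SENTRY_POOL_RETRY_TOTAL` is configured as zero or negative the `while` loop never runs and `null` is returned silently.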
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/SentryClientInvocationHandler.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/SentryClientInvocationHandler.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/SentryClientInvocationHandler.java
new file mode 100644
index 0000000..a41be7f
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/SentryClientInvocationHandler.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.service.thrift;
+
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+
+/**
+ * SentryClientInvocationHandler is the base interface for all the InvocationHandler in SENTRY
+ */
+public abstract class SentryClientInvocationHandler implements InvocationHandler {
+
+ /**
+ * Close the InvocationHandler: An InvocationHandler may create some contexts,
+ * these contexts should be close when the method "close()" of client be called.
+ */
+ @Override
+ public final Object invoke(Object proxy, Method method, Object[] args) throws Exception {
+ // close() doesn't throw exception we supress that in case of connection
+ // loss. Changing SentryPolicyServiceClient#close() to throw an
+ // exception would be a backward incompatible change for Sentry clients.
+ if ("close".equals(method.getName()) && null == args) {
+ close();
+ return null;
+ }
+ return invokeImpl(proxy, method, args);
+ }
+
+ /**
+ * Subclass should implement this method for special function
+ */
+ public abstract Object invokeImpl(Object proxy, Method method, Object[] args) throws Exception;
+
+ /**
+ * An abstract method "close", an invocationHandler should close its contexts at here.
+ */
+ public abstract void close();
+
+}
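Review bot: The Javadoc above `invoke` describes the `close()` contract rather than `invoke`, and `close()` itself carries only a one-line note; move the "An InvocationHandler may create some contexts…" text onto `close()` and document `invoke` as intercepting only a no-argument `close` call and delegating every other method to `invokeImpl`. It would also help implementers to state on `invokeImpl` that any checked exception it throws which is not declared by the proxied interface method reaches the caller wrapped in `java.lang.reflect.UndeclaredThrowableException`, since this handler is installed via `Proxy.newProxyInstance`.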
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientFactory.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientFactory.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientFactory.java
new file mode 100644
index 0000000..48ee66a
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientFactory.java
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.service.thrift;
+
+import java.lang.reflect.Proxy;
+
+import org.apache.hadoop.conf.Configuration;
+
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl;
+import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
+
+public final class SentryServiceClientFactory {
+
+ private SentryServiceClientFactory() {
+ }
+
+ public static SentryPolicyServiceClient create(Configuration conf) throws Exception {
+ boolean haEnabled = conf.getBoolean(ClientConfig.SERVER_HA_ENABLED, false);
+ boolean pooled = conf.getBoolean(ClientConfig.SENTRY_POOL_ENABLED, false);
+ if (pooled) {
+ return (SentryPolicyServiceClient) Proxy
+ .newProxyInstance(SentryPolicyServiceClientDefaultImpl.class.getClassLoader(),
+ SentryPolicyServiceClientDefaultImpl.class.getInterfaces(),
+ new PoolClientInvocationHandler(conf));
+ } else if (haEnabled) {
+ return (SentryPolicyServiceClient) Proxy
+ .newProxyInstance(SentryPolicyServiceClientDefaultImpl.class.getClassLoader(),
+ SentryPolicyServiceClientDefaultImpl.class.getInterfaces(),
+ new HAClientInvocationHandler(conf));
+ } else {
+ return new SentryPolicyServiceClientDefaultImpl(conf);
+ }
+ }
+
+}
\ No newline at end of file
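Review bot: `create` silently gives `SENTRY_POOL_ENABLED` precedence over `SERVER_HA_ENABLED` with no comment, so a reader has to open `SentryServiceClientPoolFactory` to learn that HA is still honoured per pooled connection when both flags are set. Add a Javadoc to `create` stating the precedence, e.g. `/** Pooled client if SENTRY_POOL_ENABLED (HA is then applied to each pooled connection); otherwise an HA proxy if SERVER_HA_ENABLED; otherwise a direct SentryPolicyServiceClientDefaultImpl. */`. The literal `false` defaults for both flags are repeated here and in the pool factory; a shared default constant in `ClientConfig` would keep them from drifting.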
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientPoolFactory.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientPoolFactory.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientPoolFactory.java
new file mode 100644
index 0000000..3a38b24
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientPoolFactory.java
@@ -0,0 +1,78 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.service.thrift;
+
+import java.lang.reflect.Proxy;
+
+import org.apache.commons.pool2.BasePooledObjectFactory;
+import org.apache.commons.pool2.PooledObject;
+import org.apache.commons.pool2.impl.DefaultPooledObject;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl;
+import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * SentryServiceClientPoolFactory is for connection pool to manage the object. Implement the related
+ * method to create object, destroy object and wrap object.
+ */
+
+public class SentryServiceClientPoolFactory extends BasePooledObjectFactory<SentryPolicyServiceClient> {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryServiceClientPoolFactory.class);
+
+ private Configuration conf;
+
+ public SentryServiceClientPoolFactory(Configuration conf) {
+ this.conf = conf;
+ }
+
+ @Override
+ public SentryPolicyServiceClient create() throws Exception {
+ LOGGER.debug("Creating Sentry Service Client...");
+ boolean haEnabled = conf.getBoolean(ClientConfig.SERVER_HA_ENABLED, false);
+ if (haEnabled) {
+ return (SentryPolicyServiceClient) Proxy
+ .newProxyInstance(SentryPolicyServiceClientDefaultImpl.class.getClassLoader(),
+ SentryPolicyServiceClientDefaultImpl.class.getInterfaces(),
+ new HAClientInvocationHandler(conf));
+ } else {
+ return new SentryPolicyServiceClientDefaultImpl(conf);
+ }
+ }
+
+ @Override
+ public PooledObject<SentryPolicyServiceClient> wrap(SentryPolicyServiceClient client) {
+ return new DefaultPooledObject<SentryPolicyServiceClient>(client);
+ }
+
+ @Override
+ public void destroyObject(PooledObject<SentryPolicyServiceClient> pooledObject) {
+ SentryPolicyServiceClient client = pooledObject.getObject();
+ LOGGER.debug("Destroying Sentry Service Client: " + client);
+ if (client != null) {
+ // The close() of TSocket or TSaslClientTransport is called actually, and there has no
+ // exception even there has some problems, eg, the client is closed already.
+ // The close here is just try to close the socket and the client will be destroyed soon.
+ client.close();
+ }
+ }
+}
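Review bot: The factory never overrides `validateObject`, so with `BasePooledObjectFactory`'s default every pooled client is treated as healthy and `borrowObject` will hand out a connection whose socket has since been dropped by a server restart; the invocation handler only discovers this after the call fails. If `SentryPolicyServiceClient` offers a cheap liveness check, override `validateObject` to call it and enable `testOnBorrow` in the pool config; if it does not, say so in the class Javadoc so the cost of one failed call per stale connection is understood. Also, `conf` can be `final`, and the `destroyObject` message should use a placeholder — `LOGGER.debug("Destroying Sentry Service Client: {}", client)` — rather than string concatenation.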
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-server/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/pom.xml b/sentry-service/sentry-service-server/pom.xml
index d327bf6..6cfd982 100644
--- a/sentry-service/sentry-service-server/pom.xml
+++ b/sentry-service/sentry-service-server/pom.xml
@@ -33,6 +33,10 @@ limitations under the License.
<artifactId>commons-lang</artifactId>
</dependency>
<dependency>
+ <groupId>org.apache.derby</groupId>
+ <artifactId>derby</artifactId>
+ </dependency>
+ <dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
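Review bot: `org.apache.derby:derby` is added to the server module at default (compile) scope with no indication of why the service needs a full database engine on its runtime classpath. If it is only the embedded store for local/dev and test setups, restrict it — `<scope>test</scope>` or `<scope>runtime</scope>` — so it is not shipped to every deployment by default. Its version is presumably managed by the parent POM; that is fine as long as the parent entry remains the single place it is pinned.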
@@ -54,7 +58,7 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-service-common</artifactId>
+ <artifactId>sentry-service-client</artifactId>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
@@ -112,10 +116,6 @@ limitations under the License.
<artifactId>jetty-servlet</artifactId>
</dependency>
<dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-db</artifactId>
- </dependency>
- <dependency>
<groupId>org.apache.hive</groupId>
<artifactId>hive-beeline</artifactId>
</dependency>
[5/6] sentry git commit: SENTRY-1288: Create sentry-service-client
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java
deleted file mode 100644
index e824fb3..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-
-/**
- * The interface for all admin commands, eg, CreateRoleCmd.
- */
-public interface Command {
- void execute(SentryGenericServiceClient client, String requestorName) throws Exception;
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java
deleted file mode 100644
index da60a64..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-
-/**
- * The class for admin command to create role.
- */
-public class CreateRoleCmd implements Command {
-
- private String roleName;
- private String component;
-
- public CreateRoleCmd(String roleName, String component) {
- this.roleName = roleName;
- this.component = component;
- }
-
- @Override
- public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
- client.createRole(requestorName, roleName, component);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java
deleted file mode 100644
index 95f39ea..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import com.google.common.collect.Sets;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-
-import java.util.Set;
-
-/**
- * Command for deleting groups from a role.
- */
-public class DeleteRoleFromGroupCmd implements Command {
-
- private String roleName;
- private String groups;
- private String component;
-
- public DeleteRoleFromGroupCmd(String roleName, String groups, String component) {
- this.groups = groups;
- this.roleName = roleName;
- this.component = component;
- }
-
- @Override
- public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
- Set<String> groupSet = Sets.newHashSet(groups.split(SentryShellCommon.GROUP_SPLIT_CHAR));
- client.deleteRoleToGroups(requestorName, roleName, component, groupSet);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DropRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DropRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DropRoleCmd.java
deleted file mode 100644
index ac2a328..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DropRoleCmd.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-
-/**
- * The class for admin command to drop role.
- */
-public class DropRoleCmd implements Command {
-
- private String roleName;
- private String component;
-
- public DropRoleCmd(String roleName, String component) {
- this.roleName = roleName;
- this.component = component;
- }
-
- @Override
- public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
- client.dropRole(requestorName, roleName, component);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GrantPrivilegeToRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GrantPrivilegeToRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GrantPrivilegeToRoleCmd.java
deleted file mode 100644
index 634bb42..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GrantPrivilegeToRoleCmd.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-
-/**
- * The class for admin command to grant privilege to role.
- */
-public class GrantPrivilegeToRoleCmd implements Command {
-
- private String roleName;
- private String component;
- private String privilegeStr;
- private TSentryPrivilegeConverter converter;
-
- public GrantPrivilegeToRoleCmd(String roleName, String component, String privilegeStr,
- TSentryPrivilegeConverter converter) {
- this.roleName = roleName;
- this.component = component;
- this.privilegeStr = privilegeStr;
- this.converter = converter;
- }
-
- @Override
- public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
- TSentryPrivilege privilege = converter.fromString(privilegeStr);
- client.grantPrivilege(requestorName, roleName, component, privilege);
-
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListPrivilegesByRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListPrivilegesByRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListPrivilegesByRoleCmd.java
deleted file mode 100644
index ce6db3a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListPrivilegesByRoleCmd.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-
-import java.util.Set;
-
-/**
- * The class for admin command to list privileges by role.
- */
-public class ListPrivilegesByRoleCmd implements Command {
-
- private String roleName;
- private String component;
- private String serviceName;
- private TSentryPrivilegeConverter converter;
-
- public ListPrivilegesByRoleCmd(String roleName, String component, String serviceName,
- TSentryPrivilegeConverter converter) {
- this.roleName = roleName;
- this.component = component;
- this.serviceName = serviceName;
- this.converter = converter;
- }
-
- @Override
- public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
- Set<TSentryPrivilege> privileges = client
- .listPrivilegesByRoleName(requestorName, roleName, component, serviceName);
- if (privileges != null) {
- for (TSentryPrivilege privilege : privileges) {
- String privilegeStr = converter.toString(privilege);
- System.out.println(privilegeStr);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListRolesCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListRolesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListRolesCmd.java
deleted file mode 100644
index 6b68d06..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListRolesCmd.java
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-
-import java.util.Set;
-
-/**
- * The class for admin command to list roles.
- */
-public class ListRolesCmd implements Command {
-
- private String groupName;
- private String component;
-
- public ListRolesCmd(String groupName, String component) {
- this.groupName = groupName;
- this.component = component;
- }
-
- @Override
- public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
- Set<TSentryRole> roles;
- if (StringUtils.isEmpty(groupName)) {
- roles = client.listAllRoles(requestorName, component);
- } else {
- roles = client.listRolesByGroupName(requestorName, groupName, component);
- }
- if (roles != null) {
- for (TSentryRole role : roles) {
- System.out.println(role.getRoleName());
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/RevokePrivilegeFromRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/RevokePrivilegeFromRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/RevokePrivilegeFromRoleCmd.java
deleted file mode 100644
index 3e42e60..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/RevokePrivilegeFromRoleCmd.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-
-/**
- * The class for admin command to revoke privileges from role.
- */
-public class RevokePrivilegeFromRoleCmd implements Command {
-
- private String roleName;
- private String component;
- private String privilegeStr;
- private TSentryPrivilegeConverter converter;
-
- public RevokePrivilegeFromRoleCmd(String roleName, String component, String privilegeStr,
- TSentryPrivilegeConverter converter) {
- this.roleName = roleName;
- this.component = component;
- this.privilegeStr = privilegeStr;
- this.converter = converter;
- }
-
- @Override
- public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
- TSentryPrivilege privilege = converter.fromString(privilegeStr);
- client.revokePrivilege(requestorName, roleName, component, privilege);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java
deleted file mode 100644
index ab44895..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-
-public interface TSentryPrivilegeConverter {
-
- /**
- * Convert string to privilege
- */
- TSentryPrivilege fromString(String privilegeStr) throws Exception;
-
- /**
- * Convert privilege to string
- */
- String toString(TSentryPrivilege tSentryPrivilege);
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceManager.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceManager.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceManager.java
deleted file mode 100644
index 9f921d4..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceManager.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.persistent;
-
-import java.io.IOException;
-import java.net.InetSocketAddress;
-
-import org.apache.curator.x.discovery.ServiceDiscovery;
-import org.apache.curator.x.discovery.ServiceDiscoveryBuilder;
-import org.apache.curator.x.discovery.ServiceInstance;
-import org.apache.curator.x.discovery.ServiceProvider;
-import org.apache.curator.x.discovery.details.InstanceSerializer;
-import org.apache.hadoop.net.NetUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/***
- * ServerManager handles registration of the Sentry service for Curator service
- * discovery. Each server registers with ZK and add its host:port details which
- * is used by the clients to discover available servers
- */
-public class ServiceManager {
- private static final Logger LOGGER = LoggerFactory
- .getLogger(ServiceManager.class);
- private HAContext haContext;
- private ServiceProvider<Void> serviceProvider;
- private ServiceDiscovery<Void> serviceDiscovery;
-
- public ServiceManager(HAContext haContext) throws IOException {
- this.haContext = haContext;
- init();
- }
-
- private void init() throws IOException {
- try {
- haContext.startCuratorFramework();
- InstanceSerializer<Void> instanceSerializer = new FixedJsonInstanceSerializer<Void>(Void.class);
- serviceDiscovery = ServiceDiscoveryBuilder.<Void>builder(Void.class)
- .basePath(HAContext.SENTRY_SERVICE_REGISTER_NAMESPACE)
- .serializer(instanceSerializer)
- .client(haContext.getCuratorFramework())
- .build();
- serviceDiscovery.start();
- serviceProvider = serviceDiscovery
- .serviceProviderBuilder()
- .serviceName(HAContext.SENTRY_SERVICE_REGISTER_NAMESPACE)
- .build();
- serviceProvider.start();
- } catch (Exception e) {
- throw new IOException(e);
- }
- }
-
- public ServiceInstance<Void> getServiceInstance() throws IOException {
- ServiceInstance<Void> service;
- try {
- service = serviceProvider.getInstance();
- return service;
- } catch (Exception e) {
- throw new IOException(e);
- }
- }
-
- public void reportError(ServiceInstance<Void> instance) {
- serviceProvider.noteError(instance);
- }
-
- public static InetSocketAddress convertServiceInstance(ServiceInstance<?> service) {
- return NetUtils.createSocketAddr(service.getAddress(),service.getPort());
- }
-
- public void close() {
- try {
- serviceProvider.close();
- serviceDiscovery.close();
- LOGGER.debug("Closed ZK resources");
- } catch (IOException e) {
- LOGGER.warn("Error closing the service manager", e);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
deleted file mode 100644
index 1e72b74..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-
-public interface SentryPolicyServiceClient {
-
- void createRole(String requestorUserName, String roleName) throws SentryUserException;
-
- void dropRole(String requestorUserName, String roleName) throws SentryUserException;
-
- void dropRoleIfExists(String requestorUserName, String roleName)
- throws SentryUserException;
-
- Set<TSentryRole> listRolesByUserName(String requestorUserName, String userName)
- throws SentryUserException;
-
- Set<TSentryRole> listRolesByGroupName(String requestorUserName, String groupName)
- throws SentryUserException;
-
- Set<TSentryPrivilege> listAllPrivilegesByRoleName(String requestorUserName, String roleName)
- throws SentryUserException;
-
- /**
- * Gets sentry privilege objects for a given roleName using the Sentry service
- *
- * @param requestorUserName : user on whose behalf the request is issued
- * @param roleName : roleName to look up
- * @param authorizable : authorizable Hierarchy (server->db->table etc)
- * @return Set of thrift sentry privilege objects
- * @throws SentryUserException
- */
- Set<TSentryPrivilege> listPrivilegesByRoleName(String requestorUserName, String roleName,
- List<? extends Authorizable> authorizable) throws SentryUserException;
-
- Set<TSentryRole> listRoles(String requestorUserName) throws SentryUserException;
-
- Set<TSentryRole> listUserRoles(String requestorUserName) throws SentryUserException;
-
- TSentryPrivilege grantURIPrivilege(String requestorUserName, String roleName,
- String server, String uri) throws SentryUserException;
-
- TSentryPrivilege grantURIPrivilege(String requestorUserName, String roleName,
- String server, String uri, Boolean grantOption) throws SentryUserException;
-
- void grantServerPrivilege(String requestorUserName, String roleName, String server,
- String action) throws SentryUserException;
-
- TSentryPrivilege grantServerPrivilege(String requestorUserName, String roleName,
- String server, Boolean grantOption) throws SentryUserException;
-
- TSentryPrivilege grantServerPrivilege(String requestorUserName, String roleName,
- String server, String action, Boolean grantOption) throws SentryUserException;
-
- TSentryPrivilege grantDatabasePrivilege(String requestorUserName, String roleName,
- String server, String db, String action) throws SentryUserException;
-
- TSentryPrivilege grantDatabasePrivilege(String requestorUserName, String roleName,
- String server, String db, String action, Boolean grantOption) throws SentryUserException;
-
- TSentryPrivilege grantTablePrivilege(String requestorUserName, String roleName,
- String server, String db, String table, String action) throws SentryUserException;
-
- TSentryPrivilege grantTablePrivilege(String requestorUserName, String roleName,
- String server, String db, String table, String action, Boolean grantOption)
- throws SentryUserException;
-
- TSentryPrivilege grantColumnPrivilege(String requestorUserName, String roleName,
- String server, String db, String table, String columnName, String action)
- throws SentryUserException;
-
- TSentryPrivilege grantColumnPrivilege(String requestorUserName, String roleName,
- String server, String db, String table, String columnName, String action, Boolean grantOption)
- throws SentryUserException;
-
- Set<TSentryPrivilege> grantColumnsPrivileges(String requestorUserName, String roleName,
- String server, String db, String table, List<String> columnNames, String action)
- throws SentryUserException;
-
- Set<TSentryPrivilege> grantColumnsPrivileges(String requestorUserName, String roleName,
- String server, String db, String table, List<String> columnNames, String action,
- Boolean grantOption) throws SentryUserException;
-
- void revokeURIPrivilege(String requestorUserName, String roleName, String server,
- String uri) throws SentryUserException;
-
- void revokeURIPrivilege(String requestorUserName, String roleName, String server,
- String uri, Boolean grantOption) throws SentryUserException;
-
- void revokeServerPrivilege(String requestorUserName, String roleName, String server,
- String action) throws SentryUserException;
-
- void revokeServerPrivilege(String requestorUserName, String roleName, String server,
- String action, Boolean grantOption) throws SentryUserException;
-
- void revokeServerPrivilege(String requestorUserName, String roleName, String server,
- boolean grantOption) throws SentryUserException;
-
- void revokeDatabasePrivilege(String requestorUserName, String roleName, String server,
- String db, String action) throws SentryUserException;
-
- void revokeDatabasePrivilege(String requestorUserName, String roleName, String server,
- String db, String action, Boolean grantOption) throws SentryUserException;
-
- void revokeTablePrivilege(String requestorUserName, String roleName, String server,
- String db, String table, String action) throws SentryUserException;
-
- void revokeTablePrivilege(String requestorUserName, String roleName, String server,
- String db, String table, String action, Boolean grantOption) throws SentryUserException;
-
- void revokeColumnPrivilege(String requestorUserName, String roleName, String server,
- String db, String table, String columnName, String action) throws SentryUserException;
-
- void revokeColumnPrivilege(String requestorUserName, String roleName, String server,
- String db, String table, String columnName, String action, Boolean grantOption)
- throws SentryUserException;
-
- void revokeColumnsPrivilege(String requestorUserName, String roleName, String server,
- String db, String table, List<String> columns, String action) throws SentryUserException;
-
- void revokeColumnsPrivilege(String requestorUserName, String roleName, String server,
- String db, String table, List<String> columns, String action, Boolean grantOption)
- throws SentryUserException;
-
- Set<String> listPrivilegesForProvider(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet, Authorizable... authorizable) throws SentryUserException;
-
- void grantRoleToGroup(String requestorUserName, String groupName, String roleName)
- throws SentryUserException;
-
- void revokeRoleFromGroup(String requestorUserName, String groupName, String roleName)
- throws SentryUserException;
-
- void grantRoleToGroups(String requestorUserName, String roleName, Set<String> groups)
- throws SentryUserException;
-
- void revokeRoleFromGroups(String requestorUserName, String roleName, Set<String> groups)
- throws SentryUserException;
-
- void grantRoleToUser(String requestorUserName, String userName, String roleName)
- throws SentryUserException;
-
- void revokeRoleFromUser(String requestorUserName, String userName, String roleName)
- throws SentryUserException;
-
- void grantRoleToUsers(String requestorUserName, String roleName, Set<String> users)
- throws SentryUserException;
-
- void revokeRoleFromUsers(String requestorUserName, String roleName, Set<String> users)
- throws SentryUserException;
-
- void dropPrivileges(String requestorUserName,
- List<? extends Authorizable> authorizableObjects) throws SentryUserException;
-
- void renamePrivileges(String requestorUserName,
- List<? extends Authorizable> oldAuthorizables, List<? extends Authorizable> newAuthorizables)
- throws SentryUserException;
-
- Map<TSentryAuthorizable, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(
- String requestorUserName, Set<List<? extends Authorizable>> authorizables,
- Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException;
-
- /**
- * Returns the configuration value in the sentry server associated with propertyName, or if
- * propertyName does not exist, the defaultValue. There is no "requestorUserName" because this is
- * regarded as an internal interface.
- *
- * @param propertyName Config attribute to search for
- * @param defaultValue String to return if not found
- * @return The value of the propertyName
- * @throws SentryUserException
- */
- String getConfigValue(String propertyName, String defaultValue) throws SentryUserException;
-
- void close();
-
- // Import the sentry mapping data with map structure
- void importPolicy(Map<String, Map<String, Set<String>>> policyFileMappingData,
- String requestorUserName, boolean isOverwriteRole) throws SentryUserException;
-
- // export the sentry mapping data with map structure
- Map<String, Map<String, Set<String>>> exportPolicy(String requestorUserName, String objectPath)
- throws SentryUserException;
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
deleted file mode 100644
index ffa461a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
+++ /dev/null
@@ -1,1051 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import java.io.IOException;
-import java.net.InetSocketAddress;
-import java.security.PrivilegedExceptionAction;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import javax.security.auth.callback.CallbackHandler;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.security.SaslRpcServer;
-import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.service.thrift.SentryServiceUtil;
-import org.apache.sentry.service.thrift.ServiceConstants;
-import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
-import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
-import org.apache.sentry.service.thrift.Status;
-import org.apache.thrift.TException;
-import org.apache.thrift.protocol.TBinaryProtocol;
-import org.apache.thrift.protocol.TMultiplexedProtocol;
-import org.apache.thrift.transport.TSaslClientTransport;
-import org.apache.thrift.transport.TSocket;
-import org.apache.thrift.transport.TTransport;
-import org.apache.thrift.transport.TTransportException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Preconditions;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-
-/*
- A Sentry Client in which all the operations are synchronized for thread safety
- Note: When using this client, if there is an exception in RPC, socket can get into an inconsistent state.
- So it is important to recreate the client, which uses a new socket.
- */
-public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyServiceClient {
-
- private final Configuration conf;
- private final InetSocketAddress serverAddress;
- private final boolean kerberos;
- private final String[] serverPrincipalParts;
- private SentryPolicyService.Client client;
- private TTransport transport;
- private int connectionTimeout;
- private static final Logger LOGGER = LoggerFactory
- .getLogger(SentryPolicyServiceClient.class);
- private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occurred ";
-
- /**
- * This transport wraps the Sasl transports to set up the right UGI context for open().
- */
- public static class UgiSaslClientTransport extends TSaslClientTransport {
- protected UserGroupInformation ugi = null;
-
- public UgiSaslClientTransport(String mechanism, String authorizationId,
- String protocol, String serverName, Map<String, String> props,
- CallbackHandler cbh, TTransport transport, boolean wrapUgi)
- throws IOException {
- super(mechanism, authorizationId, protocol, serverName, props, cbh,
- transport);
- if (wrapUgi) {
- ugi = UserGroupInformation.getLoginUser();
- }
- }
-
- // open the SASL transport with using the current UserGroupInformation
- // This is needed to get the current login context stored
- @Override
- public synchronized void open() throws TTransportException {
- if (ugi == null) {
- baseOpen();
- } else {
- try {
- if (ugi.isFromKeytab()) {
- ugi.checkTGTAndReloginFromKeytab();
- }
- ugi.doAs(new PrivilegedExceptionAction<Void>() {
- public Void run() throws TTransportException {
- baseOpen();
- return null;
- }
- });
- } catch (IOException e) {
- throw new TTransportException("Failed to open SASL transport", e);
- } catch (InterruptedException e) {
- throw new TTransportException(
- "Interrupted while opening underlying transport", e);
- }
- }
- }
-
- private void baseOpen() throws TTransportException {
- super.open();
- }
- }
-
- public SentryPolicyServiceClientDefaultImpl(Configuration conf) throws IOException {
- this.conf = conf;
- Preconditions.checkNotNull(this.conf, "Configuration object cannot be null");
- this.serverAddress = NetUtils.createSocketAddr(Preconditions.checkNotNull(
- conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key "
- + ClientConfig.SERVER_RPC_ADDRESS + " is required"), conf.getInt(
- ClientConfig.SERVER_RPC_PORT, ClientConfig.SERVER_RPC_PORT_DEFAULT));
- this.connectionTimeout = conf.getInt(ClientConfig.SERVER_RPC_CONN_TIMEOUT,
- ClientConfig.SERVER_RPC_CONN_TIMEOUT_DEFAULT);
- kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
- conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
- transport = new TSocket(serverAddress.getHostName(),
- serverAddress.getPort(), connectionTimeout);
- if (kerberos) {
- String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
-
- // Resolve server host in the same way as we are doing on server side
- serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
- LOGGER.debug("Using server kerberos principal: " + serverPrincipal);
-
- serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
- Preconditions.checkArgument(serverPrincipalParts.length == 3,
- "Kerberos principal should have 3 parts: " + serverPrincipal);
- boolean wrapUgi = "true".equalsIgnoreCase(conf
- .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"));
- transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(),
- null, serverPrincipalParts[0], serverPrincipalParts[1],
- ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi);
- } else {
- serverPrincipalParts = null;
- }
- try {
- transport.open();
- } catch (TTransportException e) {
- throw new IOException("Transport exception while opening transport: " + e.getMessage(), e);
- }
- LOGGER.debug("Successfully opened transport: " + transport + " to " + serverAddress);
- long maxMessageSize = conf.getLong(ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE,
- ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
- TMultiplexedProtocol protocol = new TMultiplexedProtocol(
- new TBinaryProtocol(transport, maxMessageSize, maxMessageSize, true, true),
- ServiceConstants.SENTRY_POLICY_SERVICE_NAME);
- client = new SentryPolicyService.Client(protocol);
- LOGGER.debug("Successfully created client");
- }
-
- public synchronized void createRole(String requestorUserName, String roleName)
- throws SentryUserException {
- TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
- request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- try {
- TCreateSentryRoleResponse response = client.create_sentry_role(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- public synchronized void dropRole(String requestorUserName,
- String roleName)
- throws SentryUserException {
- dropRole(requestorUserName, roleName, false);
- }
-
- public synchronized void dropRoleIfExists(String requestorUserName,
- String roleName)
- throws SentryUserException {
- dropRole(requestorUserName, roleName, true);
- }
-
- private synchronized void dropRole(String requestorUserName,
- String roleName, boolean ifExists)
- throws SentryUserException {
- TDropSentryRoleRequest request = new TDropSentryRoleRequest();
- request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- try {
- TDropSentryRoleResponse response = client.drop_sentry_role(request);
- Status status = Status.fromCode(response.getStatus().getValue());
- if (ifExists && status == Status.NO_SUCH_OBJECT) {
- return;
- }
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * Gets sentry role objects for a given groupName using the Sentry service
- * @param requestorUserName : user on whose behalf the request is issued
- * @param groupName : groupName to look up ( if null returns all roles for all groups)
- * @return Set of thrift sentry role objects
- * @throws SentryUserException
- */
- public synchronized Set<TSentryRole> listRolesByGroupName(
- String requestorUserName,
- String groupName)
- throws SentryUserException {
- TListSentryRolesRequest request = new TListSentryRolesRequest();
- request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
- request.setRequestorUserName(requestorUserName);
- request.setGroupName(groupName);
- TListSentryRolesResponse response;
- try {
- response = client.list_sentry_roles_by_group(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getRoles();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * Gets sentry role objects for a given userName using the Sentry service
- *
- * @param requestorUserName
- * : user on whose behalf the request is issued
- * @param userName
- * : userName to look up (can't be empty)
- * @return Set of thrift sentry role objects
- * @throws SentryUserException
- */
- public Set<TSentryRole> listRolesByUserName(String requestorUserName, String userName)
- throws SentryUserException {
- TListSentryRolesForUserRequest request = new TListSentryRolesForUserRequest();
- request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
- request.setRequestorUserName(requestorUserName);
- request.setUserName(userName);
- TListSentryRolesResponse response;
- try {
- response = client.list_sentry_roles_by_user(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getRoles();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- public synchronized Set<TSentryPrivilege> listAllPrivilegesByRoleName(String requestorUserName,
- String roleName)
- throws SentryUserException {
- return listPrivilegesByRoleName(requestorUserName, roleName, null);
- }
-
- /**
- * Gets sentry privilege objects for a given roleName using the Sentry service
- * @param requestorUserName : user on whose behalf the request is issued
- * @param roleName : roleName to look up
- * @param authorizable : authorizable Hierarchy (server->db->table etc)
- * @return Set of thrift sentry privilege objects
- * @throws SentryUserException
- */
- public synchronized Set<TSentryPrivilege> listPrivilegesByRoleName(String requestorUserName,
- String roleName, List<? extends Authorizable> authorizable)
- throws SentryUserException {
- TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest();
- request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- if (authorizable != null && !authorizable.isEmpty()) {
- TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(authorizable);
- request.setAuthorizableHierarchy(tSentryAuthorizable);
- }
- TListSentryPrivilegesResponse response;
- try {
- response = client.list_sentry_privileges_by_role(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getPrivileges();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- public synchronized Set<TSentryRole> listRoles(String requestorUserName)
- throws SentryUserException {
- return listRolesByGroupName(requestorUserName, null);
- }
-
- public synchronized Set<TSentryRole> listUserRoles(String requestorUserName)
- throws SentryUserException {
- Set<TSentryRole> tSentryRoles = Sets.newHashSet();
- tSentryRoles.addAll(listRolesByGroupName(requestorUserName, AccessConstants.ALL));
- tSentryRoles.addAll(listRolesByUserName(requestorUserName, requestorUserName));
- return tSentryRoles;
- }
-
- public synchronized TSentryPrivilege grantURIPrivilege(String requestorUserName,
- String roleName, String server, String uri)
- throws SentryUserException {
- return grantPrivilege(requestorUserName, roleName,
- PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL);
- }
-
- public synchronized TSentryPrivilege grantURIPrivilege(String requestorUserName,
- String roleName, String server, String uri, Boolean grantOption)
- throws SentryUserException {
- return grantPrivilege(requestorUserName, roleName,
- PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL, grantOption);
- }
-
- public synchronized void grantServerPrivilege(String requestorUserName,
- String roleName, String server, String action)
- throws SentryUserException {
-
- // "ALL" and "*" should be synonyms for action and need to be unified with grantServerPrivilege without
- // action explicitly specified.
- if (AccessConstants.ACTION_ALL.equalsIgnoreCase(action) || AccessConstants.ALL.equals(action)) {
- action = AccessConstants.ALL;
- }
-
- grantPrivilege(requestorUserName, roleName,
- PrivilegeScope.SERVER, server, null, null, null, null, action);
- }
-
- @Deprecated
- /***
- * Should use grantServerPrivilege(String requestorUserName,
- * String roleName, String server, String action, Boolean grantOption)
- */
- public synchronized TSentryPrivilege grantServerPrivilege(String requestorUserName,
- String roleName, String server, Boolean grantOption) throws SentryUserException {
- return grantServerPrivilege(requestorUserName, roleName, server,
- AccessConstants.ALL, grantOption);
- }
-
- public synchronized TSentryPrivilege grantServerPrivilege(String requestorUserName,
- String roleName, String server, String action, Boolean grantOption)
- throws SentryUserException {
-
- // "ALL" and "*" should be synonyms for action and need to be unified with grantServerPrivilege without
- // action explicitly specified.
- if (AccessConstants.ACTION_ALL.equalsIgnoreCase(action) || AccessConstants.ALL.equals(action)) {
- action = AccessConstants.ALL;
- }
-
- return grantPrivilege(requestorUserName, roleName,
- PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption);
- }
-
- public synchronized TSentryPrivilege grantDatabasePrivilege(String requestorUserName,
- String roleName, String server, String db, String action)
- throws SentryUserException {
- return grantPrivilege(requestorUserName, roleName,
- PrivilegeScope.DATABASE, server, null, db, null, null, action);
- }
-
- public synchronized TSentryPrivilege grantDatabasePrivilege(String requestorUserName,
- String roleName, String server, String db, String action, Boolean grantOption)
- throws SentryUserException {
- return grantPrivilege(requestorUserName, roleName,
- PrivilegeScope.DATABASE, server, null, db, null, null, action, grantOption);
- }
-
- public synchronized TSentryPrivilege grantTablePrivilege(String requestorUserName,
- String roleName, String server, String db, String table, String action)
- throws SentryUserException {
- return grantPrivilege(requestorUserName, roleName, PrivilegeScope.TABLE, server,
- null,
- db, table, null, action);
- }
-
- public synchronized TSentryPrivilege grantTablePrivilege(String requestorUserName,
- String roleName, String server, String db, String table, String action, Boolean grantOption)
- throws SentryUserException {
- return grantPrivilege(requestorUserName, roleName, PrivilegeScope.TABLE, server,
- null, db, table, null, action, grantOption);
- }
-
- public synchronized TSentryPrivilege grantColumnPrivilege(String requestorUserName,
- String roleName, String server, String db, String table, String columnName, String action)
- throws SentryUserException {
- return grantPrivilege(requestorUserName, roleName, PrivilegeScope.COLUMN, server,
- null,
- db, table, columnName, action);
- }
-
- public synchronized TSentryPrivilege grantColumnPrivilege(String requestorUserName,
- String roleName, String server, String db, String table, String columnName, String action, Boolean grantOption)
- throws SentryUserException {
- return grantPrivilege(requestorUserName, roleName, PrivilegeScope.COLUMN, server,
- null, db, table, columnName, action, grantOption);
- }
-
- public synchronized Set<TSentryPrivilege> grantColumnsPrivileges(String requestorUserName,
- String roleName, String server, String db, String table, List<String> columnNames, String action)
- throws SentryUserException {
- return grantPrivileges(requestorUserName, roleName, PrivilegeScope.COLUMN, server,
- null,
- db, table, columnNames, action);
- }
-
- public synchronized Set<TSentryPrivilege> grantColumnsPrivileges(String requestorUserName,
- String roleName, String server, String db, String table, List<String> columnNames, String action, Boolean grantOption)
- throws SentryUserException {
- return grantPrivileges(requestorUserName, roleName, PrivilegeScope.COLUMN,
- server,
- null, db, table, columnNames, action, grantOption);
- }
-
- @VisibleForTesting
- public static TSentryAuthorizable setupSentryAuthorizable(
- List<? extends Authorizable> authorizable) {
- TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
-
- for (Authorizable authzble : authorizable) {
- if (authzble.getTypeName().equalsIgnoreCase(
- DBModelAuthorizable.AuthorizableType.Server.toString())) {
- tSentryAuthorizable.setServer(authzble.getName());
- } else if (authzble.getTypeName().equalsIgnoreCase(
- DBModelAuthorizable.AuthorizableType.URI.toString())) {
- tSentryAuthorizable.setUri(authzble.getName());
- } else if (authzble.getTypeName().equalsIgnoreCase(
- DBModelAuthorizable.AuthorizableType.Db.toString())) {
- tSentryAuthorizable.setDb(authzble.getName());
- } else if (authzble.getTypeName().equalsIgnoreCase(
- DBModelAuthorizable.AuthorizableType.Table.toString())) {
- tSentryAuthorizable.setTable(authzble.getName());
- } else if (authzble.getTypeName().equalsIgnoreCase(
- DBModelAuthorizable.AuthorizableType.Column.toString())) {
- tSentryAuthorizable.setColumn(authzble.getName());
- }
- }
- return tSentryAuthorizable;
- }
-
- private TSentryPrivilege grantPrivilege(String requestorUserName,
- String roleName,
- PrivilegeScope scope, String serverName, String uri, String db,
- String table, String column, String action) throws SentryUserException {
- return grantPrivilege(requestorUserName, roleName, scope, serverName, uri,
- db, table, column, action, false);
- }
-
- private TSentryPrivilege grantPrivilege(String requestorUserName,
- String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table,
- String column, String action, Boolean grantOption)
- throws SentryUserException {
- TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
- request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- Set<TSentryPrivilege> privileges = convertColumnPrivilege(scope,
- serverName, uri, db, table, column, action, grantOption);
- request.setPrivileges(privileges);
- try {
- TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- if (response.isSetPrivileges()
- && response.getPrivilegesSize()>0 ) {
- return response.getPrivileges().iterator().next();
- } else {
- return new TSentryPrivilege();
- }
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- private Set<TSentryPrivilege> grantPrivileges(String requestorUserName,
- String roleName,
- PrivilegeScope scope, String serverName, String uri, String db,
- String table, List<String> columns, String action) throws SentryUserException {
- return grantPrivileges(requestorUserName, roleName, scope, serverName, uri,
- db, table, columns, action, false);
- }
-
- private Set<TSentryPrivilege> grantPrivileges(String requestorUserName,
- String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table,
- List<String> columns, String action, Boolean grantOption)
- throws SentryUserException {
- TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
- request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- Set<TSentryPrivilege> privileges = convertColumnPrivileges(scope,
- serverName, uri, db, table, columns, action, grantOption);
- request.setPrivileges(privileges);
- try {
- TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getPrivileges();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- public synchronized void revokeURIPrivilege(String requestorUserName,
- String roleName, String server, String uri)
- throws SentryUserException {
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL);
- }
-
- public synchronized void revokeURIPrivilege(String requestorUserName,
- String roleName, String server, String uri, Boolean grantOption)
- throws SentryUserException {
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL, grantOption);
- }
-
- public synchronized void revokeServerPrivilege(String requestorUserName,
- String roleName, String server, String action)
- throws SentryUserException {
-
- // "ALL" and "*" should be synonyms for action and need to be unified with revokeServerPrivilege without
- // action explicitly specified.
- if (AccessConstants.ACTION_ALL.equalsIgnoreCase(action) || AccessConstants.ALL.equals(action)) {
- action = AccessConstants.ALL;
- }
-
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.SERVER, server, null, null, null, null, action);
- }
-
- public synchronized void revokeServerPrivilege(String requestorUserName,
- String roleName, String server, String action, Boolean grantOption)
- throws SentryUserException {
-
- // "ALL" and "*" should be synonyms for action and need to be unified with revokeServerPrivilege without
- // action explicitly specified.
- if (AccessConstants.ACTION_ALL.equalsIgnoreCase(action) || AccessConstants.ALL.equals(action)) {
- action = AccessConstants.ALL;
- }
-
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption);
- }
-
- @Deprecated
- /***
- * Should use revokeServerPrivilege(String requestorUserName,
- * String roleName, String server, String action, Boolean grantOption)
- */
- public synchronized void revokeServerPrivilege(String requestorUserName,
- String roleName, String server, boolean grantOption)
- throws SentryUserException {
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL, grantOption);
- }
-
- public synchronized void revokeDatabasePrivilege(String requestorUserName,
- String roleName, String server, String db, String action)
- throws SentryUserException {
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.DATABASE, server, null, db, null, null, action);
- }
-
- public synchronized void revokeDatabasePrivilege(String requestorUserName,
- String roleName, String server, String db, String action, Boolean grantOption)
- throws SentryUserException {
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.DATABASE, server, null, db, null, null, action, grantOption);
- }
-
- public synchronized void revokeTablePrivilege(String requestorUserName,
- String roleName, String server, String db, String table, String action)
- throws SentryUserException {
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.TABLE, server, null,
- db, table, null, action);
- }
-
- public synchronized void revokeTablePrivilege(String requestorUserName,
- String roleName, String server, String db, String table, String action, Boolean grantOption)
- throws SentryUserException {
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.TABLE, server, null,
- db, table, null, action, grantOption);
- }
-
- public synchronized void revokeColumnPrivilege(String requestorUserName, String roleName,
- String server, String db, String table, String columnName, String action)
- throws SentryUserException {
- ImmutableList.Builder<String> listBuilder = ImmutableList.builder();
- listBuilder.add(columnName);
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.COLUMN, server, null,
- db, table, listBuilder.build(), action);
- }
-
- public synchronized void revokeColumnPrivilege(String requestorUserName, String roleName,
- String server, String db, String table, String columnName, String action, Boolean grantOption)
- throws SentryUserException {
- ImmutableList.Builder<String> listBuilder = ImmutableList.builder();
- listBuilder.add(columnName);
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.COLUMN, server, null,
- db, table, listBuilder.build(), action, grantOption);
- }
-
- public synchronized void revokeColumnsPrivilege(String requestorUserName, String roleName,
- String server, String db, String table, List<String> columns, String action)
- throws SentryUserException {
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.COLUMN, server, null,
- db, table, columns, action);
- }
-
- public synchronized void revokeColumnsPrivilege(String requestorUserName, String roleName,
- String server, String db, String table, List<String> columns, String action, Boolean grantOption)
- throws SentryUserException {
- revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.COLUMN, server, null,
- db, table, columns, action, grantOption);
- }
-
- private void revokePrivilege(String requestorUserName,
- String roleName, PrivilegeScope scope, String serverName, String uri,
- String db, String table, List<String> columns, String action)
- throws SentryUserException {
- this.revokePrivilege(requestorUserName, roleName, scope, serverName, uri, db, table, columns, action, false);
- }
-
- private void revokePrivilege(String requestorUserName, String roleName,
- PrivilegeScope scope, String serverName, String uri, String db, String table, List<String> columns,
- String action, Boolean grantOption)
- throws SentryUserException {
- TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
- request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- Set<TSentryPrivilege> privileges = convertColumnPrivileges(scope,
- serverName, uri, db, table, columns, action, grantOption);
- request.setPrivileges(privileges);
- try {
- TAlterSentryRoleRevokePrivilegeResponse response = client.alter_sentry_role_revoke_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- private Set<TSentryPrivilege> convertColumnPrivileges(
- PrivilegeScope scope, String serverName, String uri, String db, String table, List<String> columns,
- String action, Boolean grantOption) {
- ImmutableSet.Builder<TSentryPrivilege> setBuilder = ImmutableSet.builder();
- if (columns == null || columns.isEmpty()) {
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope(scope.toString());
- privilege.setServerName(serverName);
- privilege.setURI(uri);
- privilege.setDbName(db);
- privilege.setTableName(table);
- privilege.setColumnName(null);
- privilege.setAction(action);
- privilege.setCreateTime(System.currentTimeMillis());
- privilege.setGrantOption(convertTSentryGrantOption(grantOption));
- setBuilder.add(privilege);
- } else {
- for (String column : columns) {
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope(scope.toString());
- privilege.setServerName(serverName);
- privilege.setURI(uri);
- privilege.setDbName(db);
- privilege.setTableName(table);
- privilege.setColumnName(column);
- privilege.setAction(action);
- privilege.setCreateTime(System.currentTimeMillis());
- privilege.setGrantOption(convertTSentryGrantOption(grantOption));
- setBuilder.add(privilege);
- }
- }
- return setBuilder.build();
- }
-
- private Set<TSentryPrivilege> convertColumnPrivilege(
- PrivilegeScope scope, String serverName, String uri, String db, String table, String column,
- String action, Boolean grantOption) {
- ImmutableSet.Builder<TSentryPrivilege> setBuilder = ImmutableSet.builder();
- TSentryPrivilege privilege = new TSentryPrivilege();
- privilege.setPrivilegeScope(scope.toString());
- privilege.setServerName(serverName);
- privilege.setURI(uri);
- privilege.setDbName(db);
- privilege.setTableName(table);
- privilege.setColumnName(column);
- privilege.setAction(action);
- privilege.setCreateTime(System.currentTimeMillis());
- privilege.setGrantOption(convertTSentryGrantOption(grantOption));
- setBuilder.add(privilege);
- return setBuilder.build();
- }
-
- private TSentryGrantOption convertTSentryGrantOption(Boolean grantOption) {
- if (grantOption == null) {
- return TSentryGrantOption.UNSET;
- } else if (grantOption.equals(true)) {
- return TSentryGrantOption.TRUE;
- } else if (grantOption.equals(false)) {
- return TSentryGrantOption.FALSE;
- }
- return TSentryGrantOption.FALSE;
- }
-
- public synchronized Set<String> listPrivilegesForProvider(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet, Authorizable... authorizable) throws SentryUserException {
- TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles());
- TListSentryPrivilegesForProviderRequest request =
- new TListSentryPrivilegesForProviderRequest(ThriftConstants.
- TSENTRY_SERVICE_VERSION_CURRENT, groups, thriftRoleSet);
- if (authorizable != null && authorizable.length > 0) {
- TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(Lists
- .newArrayList(authorizable));
- request.setAuthorizableHierarchy(tSentryAuthorizable);
- }
- if (users != null) {
- request.setUsers(users);
- }
- try {
- TListSentryPrivilegesForProviderResponse response = client.list_sentry_privileges_for_provider(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getPrivileges();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- @Override
- public synchronized void grantRoleToGroup(String requestorUserName,
- String groupName, String roleName)
- throws SentryUserException {
- grantRoleToGroups(requestorUserName, roleName, Sets.newHashSet(groupName));
- }
-
- @Override
- public synchronized void revokeRoleFromGroup(String requestorUserName,
- String groupName, String roleName)
- throws SentryUserException {
- revokeRoleFromGroups(requestorUserName, roleName, Sets.newHashSet(groupName));
- }
-
- @Override
- public synchronized void grantRoleToGroups(String requestorUserName,
- String roleName, Set<String> groups)
- throws SentryUserException {
- TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest(
- ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName,
- roleName, convert2TGroups(groups));
- try {
- TAlterSentryRoleAddGroupsResponse response = client.alter_sentry_role_add_groups(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- @Override
- public synchronized void revokeRoleFromGroups(String requestorUserName,
- String roleName, Set<String> groups)
- throws SentryUserException {
- TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest(
- ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName,
- roleName, convert2TGroups(groups));
- try {
- TAlterSentryRoleDeleteGroupsResponse response = client.alter_sentry_role_delete_groups(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- @Override
- public synchronized void grantRoleToUser(String requestorUserName, String userName,
- String roleName) throws SentryUserException {
- grantRoleToUsers(requestorUserName, roleName, Sets.newHashSet(userName));
- }
-
- @Override
- public synchronized void revokeRoleFromUser(String requestorUserName, String userName,
- String roleName) throws SentryUserException {
- revokeRoleFromUsers(requestorUserName, roleName, Sets.newHashSet(userName));
- }
-
- @Override
- public synchronized void grantRoleToUsers(String requestorUserName, String roleName,
- Set<String> users) throws SentryUserException {
- TAlterSentryRoleAddUsersRequest request = new TAlterSentryRoleAddUsersRequest(
- ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, roleName, users);
- try {
- TAlterSentryRoleAddUsersResponse response = client.alter_sentry_role_add_users(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- @Override
- public synchronized void revokeRoleFromUsers(String requestorUserName, String roleName,
- Set<String> users) throws SentryUserException {
- TAlterSentryRoleDeleteUsersRequest request = new TAlterSentryRoleDeleteUsersRequest(
- ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, roleName, users);
- try {
- TAlterSentryRoleDeleteUsersResponse response = client.alter_sentry_role_delete_users(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- private Set<TSentryGroup> convert2TGroups(Set<String> groups) {
- Set<TSentryGroup> tGroups = Sets.newHashSet();
- if (groups != null) {
- for (String groupName : groups) {
- tGroups.add(new TSentryGroup(groupName));
- }
- }
- return tGroups;
- }
-
- public synchronized void dropPrivileges(String requestorUserName,
- List<? extends Authorizable> authorizableObjects)
- throws SentryUserException {
- TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(authorizableObjects);
-
- TDropPrivilegesRequest request = new TDropPrivilegesRequest(
- ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName,
- tSentryAuthorizable);
- try {
- TDropPrivilegesResponse response = client.drop_sentry_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- public synchronized void renamePrivileges(String requestorUserName,
- List<? extends Authorizable> oldAuthorizables,
- List<? extends Authorizable> newAuthorizables) throws SentryUserException {
- TSentryAuthorizable tOldSentryAuthorizable = setupSentryAuthorizable(oldAuthorizables);
- TSentryAuthorizable tNewSentryAuthorizable = setupSentryAuthorizable(newAuthorizables);
-
- TRenamePrivilegesRequest request = new TRenamePrivilegesRequest(
- ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName,
- tOldSentryAuthorizable, tNewSentryAuthorizable);
- try {
- TRenamePrivilegesResponse response = client
- .rename_sentry_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- public synchronized Map<TSentryAuthorizable, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(
- String requestorUserName,
- Set<List<? extends Authorizable>> authorizables, Set<String> groups,
- ActiveRoleSet roleSet) throws SentryUserException {
- Set<TSentryAuthorizable> authSet = Sets.newTreeSet();
-
- for (List<? extends Authorizable> authorizableHierarchy : authorizables) {
- authSet.add(setupSentryAuthorizable(authorizableHierarchy));
- }
- TListSentryPrivilegesByAuthRequest request = new TListSentryPrivilegesByAuthRequest(
- ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName,
- authSet);
- if (groups != null) {
- request.setGroups(groups);
- }
- if (roleSet != null) {
- request.setRoleSet(new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()));
- }
-
- try {
- TListSentryPrivilegesByAuthResponse response = client
- .list_sentry_privileges_by_authorizable(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getPrivilegesMapByAuth();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * Returns the configuration value in the sentry server associated with
- * propertyName, or if propertyName does not exist, the defaultValue.
- * There is no "requestorUserName" because this is regarded as an
- * internal interface.
- * @param propertyName Config attribute to search for
- * @param defaultValue String to return if not found
- * @return The value of the propertyName
- * @throws SentryUserException
- */
- public synchronized String getConfigValue(String propertyName, String defaultValue)
- throws SentryUserException {
- TSentryConfigValueRequest request = new TSentryConfigValueRequest(
- ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, propertyName);
- if (defaultValue != null) {
- request.setDefaultValue(defaultValue);
- }
- try {
- TSentryConfigValueResponse response = client.get_sentry_config_value(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getValue();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- public synchronized void close() {
- if (transport != null) {
- transport.close();
- }
- }
-
- /**
- * Import the sentry mapping data, convert the mapping data from map structure to
- * TSentryMappingData, and call the import API.
- *
- * @param policyFileMappingData
- * Include 2 maps to save the mapping data, the following is the example of the data
- * structure:
- * for the following mapping data:
- * group1=role1,role2
- * group2=role2,role3
- * role1=server=server1->db=db1
- * role2=server=server1->db=db1->table=tbl1,server=server1->db=db1->table=tbl2
- * role3=server=server1->url=hdfs://localhost/path
- *
- * The policyFileMappingData will be inputed as:
- * {
- * groups={[group1={role1, role2}], group2=[role2, role3]},
- * roles={role1=[server=server1->db=db1],
- * role2=[server=server1->db=db1->table=tbl1,server=server1->db=db1->table=tbl2],
- * role3=[server=server1->url=hdfs://localhost/path]
- * }
- * }
- * @param requestorUserName
- * The name of the request user
- */
- public synchronized void importPolicy(Map<String, Map<String, Set<String>>> policyFileMappingData,
- String requestorUserName, boolean isOverwriteRole)
- throws SentryUserException {
- try {
- TSentryMappingData tSentryMappingData = new TSentryMappingData();
- // convert the mapping data for [group,role] from map structure to
- // TSentryMappingData.GroupRolesMap
- tSentryMappingData.setGroupRolesMap(policyFileMappingData.get(PolicyFileConstants.GROUPS));
- tSentryMappingData.setUserRolesMap(policyFileMappingData.get(PolicyFileConstants.USER_ROLES));
- // convert the mapping data for [role,privilege] from map structure to
- // TSentryMappingData.RolePrivilegesMap
- tSentryMappingData
- .setRolePrivilegesMap(convertRolePrivilegesMapForSentryDB(policyFileMappingData
- .get(PolicyFileConstants.ROLES)));
- TSentryImportMappingDataRequest request = new TSentryImportMappingDataRequest(
- ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, isOverwriteRole,
- tSentryMappingData);
- TSentryImportMappingDataResponse response = client.import_sentry_mapping_data(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- // convert the mapping data for [role,privilege] from map structure to
- // TSentryMappingData.RolePrivilegesMap
- private Map<String, Set<TSentryPrivilege>> convertRolePrivilegesMapForSentryDB(
- Map<String, Set<String>> rolePrivilegesMap) {
- Map<String, Set<TSentryPrivilege>> rolePrivilegesMapResult = Maps.newHashMap();
- if (rolePrivilegesMap != null) {
- for (Map.Entry<String, Set<String>> entry : rolePrivilegesMap.entrySet()) {
- Set<TSentryPrivilege> tempTSentryPrivileges = Sets.newHashSet();
- Set<String> tempPrivileges = entry.getValue();
- for (String tempPrivilege : tempPrivileges) {
- tempTSentryPrivileges.add(SentryServiceUtil.convertToTSentryPrivilege(tempPrivilege));
- }
- rolePrivilegesMapResult.put(entry.getKey(), tempTSentryPrivileges);
- }
- }
- return rolePrivilegesMapResult;
- }
-
- // export the sentry mapping data with map structure
- public synchronized Map<String, Map<String, Set<String>>> exportPolicy(String requestorUserName,
- String objectPath) throws SentryUserException {
- TSentryExportMappingDataRequest request = new TSentryExportMappingDataRequest(
- ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName);
- request.setObjectPath(objectPath);
- try {
- TSentryExportMappingDataResponse response = client.export_sentry_mapping_data(request);
- Status.throwIfNotOk(response.getStatus());
- TSentryMappingData tSentryMappingData = response.getMappingData();
- Map<String, Map<String, Set<String>>> resultMap = Maps.newHashMap();
- resultMap.put(PolicyFileConstants.USER_ROLES, tSentryMappingData.getUserRolesMap());
- resultMap.put(PolicyFileConstants.GROUPS, tSentryMappingData.getGroupRolesMap());
- resultMap.put(PolicyFileConstants.ROLES, convertRolePrivilegesMapForPolicyFile(tSentryMappingData.getRolePrivilegesMap()));
- return resultMap;
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- // convert the mapping data for [roleName,privilege] from TSentryMappingData.RolePrivilegesMap to
- // map structure
- private Map<String, Set<String>> convertRolePrivilegesMapForPolicyFile(
- Map<String, Set<TSentryPrivilege>> rolePrivilegesMap) {
- Map<String, Set<String>> rolePrivilegesMapForFile = Maps.newHashMap();
- if (rolePrivilegesMap != null) {
- for (Map.Entry<String, Set<TSentryPrivilege>> entry : rolePrivilegesMap.entrySet()) {
- Set<TSentryPrivilege> tempSentryPrivileges = entry.getValue();
- Set<String> tempStrPrivileges = Sets.newHashSet();
- for (TSentryPrivilege tSentryPrivilege : tempSentryPrivileges) {
- // convert TSentryPrivilege to privilege in string
- String privilegeStr = SentryServiceUtil.convertTSentryPrivilegeToStr(tSentryPrivilege);
- if (!StringUtils.isEmpty(privilegeStr)) {
- tempStrPrivileges.add(privilegeStr);
- }
- }
- rolePrivilegesMapForFile.put(entry.getKey(), tempStrPrivileges);
- }
- }
- return rolePrivilegesMapForFile;
- }
-}
\ No newline at end of file
[4/6] sentry git commit: SENTRY-1288: Create sentry-service-client
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
deleted file mode 100644
index 6ddc1de..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
+++ /dev/null
@@ -1,247 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.tools;
-
-import com.google.common.annotations.VisibleForTesting;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.OptionGroup;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.Parser;
-import org.apache.commons.lang.StringUtils;
-
-/**
- * SentryShellCommon provides the function for parsing the argument.
- * For hive model and generic model, child class should be implemented as a sentry admin tool.
- */
-abstract public class SentryShellCommon {
-
- protected String roleName;
- protected String groupName;
- protected String privilegeStr;
- protected String confPath;
- // flag for the command
- protected boolean isCreateRole = false;
- protected boolean isDropRole = false;
- protected boolean isAddRoleGroup = false;
- protected boolean isDeleteRoleGroup = false;
- protected boolean isGrantPrivilegeRole = false;
- protected boolean isRevokePrivilegeRole = false;
- protected boolean isListRole = false;
- protected boolean isListPrivilege = false;
- protected boolean isPrintHelp = false;
- // flag for the parameter check
- protected boolean roleNameRequired = false;
- protected boolean groupNameRequired = false;
- protected boolean privilegeStrRequired = false;
-
- public final static String OPTION_DESC_HELP = "Shell usage";
- public final static String OPTION_DESC_CONF = "sentry-site file path";
- public final static String OPTION_DESC_ROLE_NAME = "Role name";
- public final static String OPTION_DESC_GROUP_NAME = "Group name";
- public final static String OPTION_DESC_PRIVILEGE = "Privilege string";
- public final static String PREFIX_MESSAGE_MISSING_OPTION = "Missing required option: ";
-
- public final static String GROUP_SPLIT_CHAR = ",";
-
- /**
- * parse arguments
- *
- * <pre>
- * -conf,--sentry_conf <filepath> sentry config file path
- * -cr,--create_role -r <rolename> create role
- * -dr,--drop_role -r <rolename> drop role
- * -arg,--add_role_group -r <rolename> -g <groupname> add role to group
- * -drg,--delete_role_group -r <rolename> -g <groupname> delete role from group
- * -gpr,--grant_privilege_role -r <rolename> -p <privilege> grant privilege to role
- * -rpr,--revoke_privilege_role -r <rolename> -p <privilege> revoke privilege from role
- * -lr,--list_role -g <groupname> list roles for group
- * -lp,--list_privilege -r <rolename> list privilege for role
- * -t,--type <typeame> the shell for hive model or generic model
- * </pre>
- *
- * @param args
- */
- protected boolean parseArgs(String[] args) {
- Options simpleShellOptions = new Options();
-
- Option crOpt = new Option("cr", "create_role", false, "Create role");
- crOpt.setRequired(false);
-
- Option drOpt = new Option("dr", "drop_role", false, "Drop role");
- drOpt.setRequired(false);
-
- Option argOpt = new Option("arg", "add_role_group", false, "Add role to group");
- argOpt.setRequired(false);
-
- Option drgOpt = new Option("drg", "delete_role_group", false, "Delete role from group");
- drgOpt.setRequired(false);
-
- Option gprOpt = new Option("gpr", "grant_privilege_role", false, "Grant privilege to role");
- gprOpt.setRequired(false);
-
- Option rprOpt = new Option("rpr", "revoke_privilege_role", false, "Revoke privilege from role");
- rprOpt.setRequired(false);
-
- Option lrOpt = new Option("lr", "list_role", false, "List role");
- lrOpt.setRequired(false);
-
- Option lpOpt = new Option("lp", "list_privilege", false, "List privilege");
- lpOpt.setRequired(false);
-
- // required args group
- OptionGroup simpleShellOptGroup = new OptionGroup();
- simpleShellOptGroup.addOption(crOpt);
- simpleShellOptGroup.addOption(drOpt);
- simpleShellOptGroup.addOption(argOpt);
- simpleShellOptGroup.addOption(drgOpt);
- simpleShellOptGroup.addOption(gprOpt);
- simpleShellOptGroup.addOption(rprOpt);
- simpleShellOptGroup.addOption(lrOpt);
- simpleShellOptGroup.addOption(lpOpt);
- simpleShellOptGroup.setRequired(true);
- simpleShellOptions.addOptionGroup(simpleShellOptGroup);
-
- // optional args
- Option pOpt = new Option("p", "privilege", true, OPTION_DESC_PRIVILEGE);
- pOpt.setRequired(false);
- simpleShellOptions.addOption(pOpt);
-
- Option gOpt = new Option("g", "groupname", true, OPTION_DESC_GROUP_NAME);
- gOpt.setRequired(false);
- simpleShellOptions.addOption(gOpt);
-
- Option rOpt = new Option("r", "rolename", true, OPTION_DESC_ROLE_NAME);
- rOpt.setRequired(false);
- simpleShellOptions.addOption(rOpt);
-
- // this argument should be parsed in the bin/sentryShell
- Option tOpt = new Option("t", "type", true, "[hive|solr|sqoop|.....]");
- tOpt.setRequired(false);
- simpleShellOptions.addOption(tOpt);
-
- // file path of sentry-site
- Option sentrySitePathOpt = new Option("conf", "sentry_conf", true, OPTION_DESC_CONF);
- sentrySitePathOpt.setRequired(true);
- simpleShellOptions.addOption(sentrySitePathOpt);
-
- // help option
- Option helpOpt = new Option("h", "help", false, OPTION_DESC_HELP);
- helpOpt.setRequired(false);
- simpleShellOptions.addOption(helpOpt);
-
- // this Options is parsed first for help option
- Options helpOptions = new Options();
- helpOptions.addOption(helpOpt);
-
- try {
- Parser parser = new GnuParser();
-
- // parse help option first
- CommandLine cmd = parser.parse(helpOptions, args, true);
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("h")) {
- // get the help option, print the usage and exit
- usage(simpleShellOptions);
- return false;
- }
- }
-
- // without help option
- cmd = parser.parse(simpleShellOptions, args);
-
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("p")) {
- privilegeStr = opt.getValue();
- } else if (opt.getOpt().equals("g")) {
- groupName = opt.getValue();
- } else if (opt.getOpt().equals("r")) {
- roleName = opt.getValue();
- } else if (opt.getOpt().equals("cr")) {
- isCreateRole = true;
- roleNameRequired = true;
- } else if (opt.getOpt().equals("dr")) {
- isDropRole = true;
- roleNameRequired = true;
- } else if (opt.getOpt().equals("arg")) {
- isAddRoleGroup = true;
- roleNameRequired = true;
- groupNameRequired = true;
- } else if (opt.getOpt().equals("drg")) {
- isDeleteRoleGroup = true;
- roleNameRequired = true;
- groupNameRequired = true;
- } else if (opt.getOpt().equals("gpr")) {
- isGrantPrivilegeRole = true;
- roleNameRequired = true;
- privilegeStrRequired = true;
- } else if (opt.getOpt().equals("rpr")) {
- isRevokePrivilegeRole = true;
- roleNameRequired = true;
- privilegeStrRequired = true;
- } else if (opt.getOpt().equals("lr")) {
- isListRole = true;
- } else if (opt.getOpt().equals("lp")) {
- isListPrivilege = true;
- roleNameRequired = true;
- } else if (opt.getOpt().equals("conf")) {
- confPath = opt.getValue();
- }
- }
- checkRequiredParameter(roleNameRequired, roleName, OPTION_DESC_ROLE_NAME);
- checkRequiredParameter(groupNameRequired, groupName, OPTION_DESC_GROUP_NAME);
- checkRequiredParameter(privilegeStrRequired, privilegeStr, OPTION_DESC_PRIVILEGE);
- } catch (ParseException pe) {
- System.out.println(pe.getMessage());
- usage(simpleShellOptions);
- return false;
- }
- return true;
- }
-
- private void checkRequiredParameter(boolean isRequired, String paramValue, String paramName) throws ParseException {
- if (isRequired && StringUtils.isEmpty(paramValue)) {
- throw new ParseException(PREFIX_MESSAGE_MISSING_OPTION + paramName);
- }
- }
-
- // print usage
- private void usage(Options sentryOptions) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("sentryShell", sentryOptions);
- }
-
- // hive model and generic model should implement this method
- public abstract void run() throws Exception;
-
- @VisibleForTesting
- public boolean executeShell(String[] args) throws Exception {
- boolean result = true;
- if (parseArgs(args)) {
- run();
- } else {
- result = false;
- }
- return result;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
deleted file mode 100644
index dc7f829..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
+++ /dev/null
@@ -1,98 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.tools;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.tools.command.hive.*;
-import org.apache.sentry.service.thrift.SentryServiceClientFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * SentryShellHive is an admin tool, and responsible for the management of repository.
- * The following function are supported:
- * create role, drop role, add group to role, delete group from role, grant privilege to role,
- * revoke privilege from role, list roles for group, list privilege for role.
- */
-public class SentryShellHive extends SentryShellCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellHive.class);
-
- public void run() throws Exception {
- Command command = null;
- SentryPolicyServiceClient client = SentryServiceClientFactory.create(getSentryConf());
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- if (isCreateRole) {
- command = new CreateRoleCmd(roleName);
- } else if (isDropRole) {
- command = new DropRoleCmd(roleName);
- } else if (isAddRoleGroup) {
- command = new GrantRoleToGroupsCmd(roleName, groupName);
- } else if (isDeleteRoleGroup) {
- command = new RevokeRoleFromGroupsCmd(roleName, groupName);
- } else if (isGrantPrivilegeRole) {
- command = new GrantPrivilegeToRoleCmd(roleName, privilegeStr);
- } else if (isRevokePrivilegeRole) {
- command = new RevokePrivilegeFromRoleCmd(roleName, privilegeStr);
- } else if (isListRole) {
- command = new ListRolesCmd(groupName);
- } else if (isListPrivilege) {
- command = new ListPrivilegesCmd(roleName);
- }
-
- // check the requestor name
- if (StringUtils.isEmpty(requestorName)) {
- // The exception message will be recoreded in log file.
- throw new Exception("The requestor name is empty.");
- }
-
- if (command != null) {
- command.execute(client, requestorName);
- }
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(confPath));
- return conf;
- }
-
- public static void main(String[] args) throws Exception {
- SentryShellHive sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- System.out.println("The operation failed." +
- (current.getMessage() == null ? "" : " Message: " + current.getMessage()));
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
deleted file mode 100644
index 79aed49..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-
-/**
- * The interface for all admin commands, eg, CreateRoleCmd.
- */
-public interface Command {
- void execute(SentryPolicyServiceClient client, String requestorName) throws Exception;
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
deleted file mode 100644
index 2d2dcb5..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
+++ /dev/null
@@ -1,117 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.service.thrift.ServiceConstants;
-
-public final class CommandUtil {
-
- public static final String SPLIT_CHAR = ",";
-
- private CommandUtil() {
- // Make constructor private to avoid instantiation
- }
-
- // parse the privilege in String and get the TSentryPrivilege as result
- public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) throws Exception {
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue tempKV = new KeyValue(authorizable);
- String key = tempKV.getKey();
- String value = tempKV.getValue();
-
- if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setServerName(value);
- } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setDbName(value);
- } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setTableName(value);
- } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setColumnName(value);
- } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setURI(value);
- } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setAction(value);
- } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) {
- TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE
- : TSentryGrantOption.FALSE;
- tSentryPrivilege.setGrantOption(grantOption);
- }
- }
- tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege));
- validatePrivilegeHierarchy(tSentryPrivilege);
- return tSentryPrivilege;
- }
-
- // for the different hierarchy for hive:
- // 1: server->url
- // 2: server->database->table->column
- // if both of them are found in the privilege string, the privilege scope will be set as
- // PrivilegeScope.URI
- private static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) {
- ServiceConstants.PrivilegeScope privilegeScope = ServiceConstants.PrivilegeScope.SERVER;
- if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) {
- privilegeScope = ServiceConstants.PrivilegeScope.URI;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) {
- privilegeScope = ServiceConstants.PrivilegeScope.COLUMN;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) {
- privilegeScope = ServiceConstants.PrivilegeScope.TABLE;
- } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) {
- privilegeScope = ServiceConstants.PrivilegeScope.DATABASE;
- }
- return privilegeScope.toString();
- }
-
- // check the privilege value for the specific privilege scope
- // eg, for the table scope, server and database can't be empty
- private static void validatePrivilegeHierarchy(TSentryPrivilege tSentryPrivilege) throws Exception {
- String serverName = tSentryPrivilege.getServerName();
- String dbName = tSentryPrivilege.getDbName();
- String tableName = tSentryPrivilege.getTableName();
- String columnName = tSentryPrivilege.getColumnName();
- String uri = tSentryPrivilege.getURI();
- if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- if (StringUtils.isEmpty(serverName)) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(uri)) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)
- || StringUtils.isEmpty(tableName)) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())
- && (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)
- || StringUtils.isEmpty(tableName) || StringUtils.isEmpty(columnName))) {
- throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
deleted file mode 100644
index 5a4834a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-
-/**
- * The class for admin command to create role.
- */
-public class CreateRoleCmd implements Command {
-
- private String roleName;
-
- public CreateRoleCmd(String roleName) {
- this.roleName = roleName;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- client.createRole(requestorName, roleName);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
deleted file mode 100644
index facec0e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
+++ /dev/null
@@ -1,37 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-
-/**
- * The class for admin command to drop role.
- */
-public class DropRoleCmd implements Command {
-
- private String roleName;
-
- public DropRoleCmd(String roleName) {
- this.roleName = roleName;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- client.dropRole(requestorName, roleName);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
deleted file mode 100644
index a1ef2f9..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.service.thrift.ServiceConstants;
-
-/**
- * The class for admin command to grant privilege to role.
- */
-public class GrantPrivilegeToRoleCmd implements Command {
-
- private String roleName;
- private String privilegeStr;
-
- public GrantPrivilegeToRoleCmd(String roleName, String privilegeStr) {
- this.roleName = roleName;
- this.privilegeStr = privilegeStr;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
- boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false;
- if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.grantServerPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getAction(), grantOption);
- } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.grantDatabasePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption);
- } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.grantTablePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
- tSentryPrivilege.getAction(), grantOption);
- } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.grantColumnPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
- tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption);
- } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.grantURIPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getURI(), grantOption);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
deleted file mode 100644
index 07a3de4..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import com.google.common.collect.Sets;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-
-import java.util.Set;
-
-/**
- * The class for admin command to grant role to group.
- */
-public class GrantRoleToGroupsCmd implements Command {
-
- private String roleName;
- private String groupNamesStr;
-
- public GrantRoleToGroupsCmd(String roleName, String groupNamesStr) {
- this.roleName = roleName;
- this.groupNamesStr = groupNamesStr;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- Set<String> groups = Sets.newHashSet(groupNamesStr.split(SentryShellCommon.GROUP_SPLIT_CHAR));
- client.grantRoleToGroups(requestorName, roleName, groups);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
deleted file mode 100644
index 5f3e9fb..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import com.google.common.collect.Lists;
-import org.apache.commons.lang.StringUtils;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-
-import java.util.List;
-import java.util.Set;
-
-/**
- * The class for admin command to list privileges.
- */
-public class ListPrivilegesCmd implements Command {
-
- private String roleName;
-
- public ListPrivilegesCmd(String roleName) {
- this.roleName = roleName;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- Set<TSentryPrivilege> privileges = client
- .listAllPrivilegesByRoleName(requestorName, roleName);
- if (privileges != null) {
- for (TSentryPrivilege privilege : privileges) {
- String privilegeStr = convertToPrivilegeStr(privilege);
- System.out.println(privilegeStr);
- }
- }
- }
-
- // convert TSentryPrivilege to privilege in string
- private String convertToPrivilegeStr(TSentryPrivilege tSentryPrivilege) {
- List<String> privileges = Lists.newArrayList();
- if (tSentryPrivilege != null) {
- String serverName = tSentryPrivilege.getServerName();
- String dbName = tSentryPrivilege.getDbName();
- String tableName = tSentryPrivilege.getTableName();
- String columnName = tSentryPrivilege.getColumnName();
- String uri = tSentryPrivilege.getURI();
- String action = tSentryPrivilege.getAction();
- String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
- : "false");
- if (!StringUtils.isEmpty(serverName)) {
- privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_SERVER_NAME,
- serverName));
- if (!StringUtils.isEmpty(uri)) {
- privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_URI_NAME,
- uri));
- } else if (!StringUtils.isEmpty(dbName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_DATABASE_NAME, dbName));
- if (!StringUtils.isEmpty(tableName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_TABLE_NAME, tableName));
- if (!StringUtils.isEmpty(columnName)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_COLUMN_NAME, columnName));
- }
- }
- }
- if (!StringUtils.isEmpty(action)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
- }
- }
- // only append the grant option to privilege string if it's true
- if ("true".equals(grantOption)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
- }
- }
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
deleted file mode 100644
index 283f2c0..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-
-import java.util.Set;
-
-/**
- * The class for admin command to list roles.
- */
-public class ListRolesCmd implements Command {
-
- private String groupName;
-
- public ListRolesCmd(String groupName) {
- this.groupName = groupName;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- Set<TSentryRole> roles;
- if (StringUtils.isEmpty(groupName)) {
- roles = client.listRoles(requestorName);
- } else {
- roles = client.listRolesByGroupName(requestorName, groupName);
- }
- if (roles != null) {
- for (TSentryRole role : roles) {
- System.out.println(role.getRoleName());
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
deleted file mode 100644
index f3da6c4..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.service.thrift.ServiceConstants;
-
-/**
- * The class for admin command to revoke privileges from role.
- */
-public class RevokePrivilegeFromRoleCmd implements Command {
-
- private String roleName;
- private String privilegeStr;
-
- public RevokePrivilegeFromRoleCmd(String roleName, String privilegeStr) {
- this.roleName = roleName;
- this.privilegeStr = privilegeStr;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
- boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false;
- if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.revokeServerPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- grantOption);
- } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.revokeDatabasePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption);
- } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.revokeTablePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
- tSentryPrivilege.getAction(), grantOption);
- } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.revokeColumnPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
- tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption);
- } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
- client.revokeURIPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
- tSentryPrivilege.getURI(), grantOption);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
deleted file mode 100644
index 86773ca..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.tools.command.hive;
-
-import com.google.common.collect.Sets;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-
-import java.util.Set;
-
-/**
- * The class for admin command to revoke role from group.
- */
-public class RevokeRoleFromGroupsCmd implements Command {
-
- private String roleName;
- private String groupNamesStr;
-
- public RevokeRoleFromGroupsCmd(String roleName, String groupNamesStr) {
- this.roleName = roleName;
- this.groupNamesStr = groupNamesStr;
- }
-
- @Override
- public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
- Set<String> groups = Sets.newHashSet(groupNamesStr.split(CommandUtil.SPLIT_CHAR));
- client.revokeRoleFromGroups(requestorName, roleName, groups);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java
deleted file mode 100644
index d97a07e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HAClientInvocationHandler.java
+++ /dev/null
@@ -1,139 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.io.IOException;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-import java.net.InetSocketAddress;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.curator.x.discovery.ServiceInstance;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.service.persistent.HAContext;
-import org.apache.sentry.provider.db.service.persistent.ServiceManager;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Preconditions;
-
-public class HAClientInvocationHandler extends SentryClientInvocationHandler {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(HAClientInvocationHandler.class);
-
- private final Configuration conf;
- private ServiceManager manager;
- private ServiceInstance<Void> currentServiceInstance;
- private SentryPolicyServiceClient client = null;
-
- private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
- public static final String SENTRY_HA_ERROR_MESSAGE = "No Sentry server available. Please ensure that at least one Sentry server is online";
-
- public HAClientInvocationHandler(Configuration conf) throws Exception {
- this.conf = conf;
- checkClientConf();
- }
-
- @Override
- public Object invokeImpl(Object proxy, Method method, Object[] args) throws
- SentryUserException {
- Object result = null;
- try {
- if (!method.isAccessible()) {
- method.setAccessible(true);
- }
- // The client is initialized in the first call instead of constructor.
- // This way we can propagate the connection exception to caller cleanly
- if (client == null) {
- renewSentryClient();
- }
- result = method.invoke(client, args);
- } catch (IllegalAccessException e) {
- throw new SentryUserException(e.getMessage(), e.getCause());
- } catch (InvocationTargetException e) {
- if (e.getTargetException() instanceof SentryUserException) {
- throw (SentryUserException)e.getTargetException();
- } else {
- LOGGER.warn(THRIFT_EXCEPTION_MESSAGE + ": Error in connect current" +
- " service, will retry other service.", e);
- if (client != null) {
- client.close();
- client = null;
- }
- }
- } catch (IOException e1) {
- throw new SentryUserException("Error connecting to sentry service "
- + e1.getMessage(), e1);
- }
- return result;
- }
-
- // Retrieve the new connection endpoint from ZK and connect to new server
- private void renewSentryClient() throws IOException {
- try {
- manager = new ServiceManager(HAContext.getHAContext(conf));
- } catch (Exception e1) {
- throw new IOException("Failed to extract Sentry node info from zookeeper", e1);
- }
-
- try {
- while (true) {
- currentServiceInstance = manager.getServiceInstance();
- if (currentServiceInstance == null) {
- throw new IOException(SENTRY_HA_ERROR_MESSAGE);
- }
- InetSocketAddress serverAddress =
- ServiceManager.convertServiceInstance(currentServiceInstance);
- conf.set(ServiceConstants.ClientConfig.SERVER_RPC_ADDRESS, serverAddress.getHostName());
- conf.setInt(ServiceConstants.ClientConfig.SERVER_RPC_PORT, serverAddress.getPort());
- try {
- client = new SentryPolicyServiceClientDefaultImpl(conf);
- LOGGER.info("Sentry Client using server " + serverAddress.getHostName() +
- ":" + serverAddress.getPort());
- break;
- } catch (IOException e) {
- manager.reportError(currentServiceInstance);
- LOGGER.info("Transport exception while opening transport:", e, e.getMessage());
- }
- }
- } finally {
- manager.close();
- }
- }
-
- private void checkClientConf() {
- if (conf.getBoolean(ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY,
- ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY_DEFAULT)) {
- String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL),
- ServerConfig.PRINCIPAL + " is required");
- Preconditions.checkArgument(serverPrincipal.contains(SecurityUtil.HOSTNAME_PATTERN),
- ServerConfig.PRINCIPAL + " : " + serverPrincipal + " should contain " + SecurityUtil.HOSTNAME_PATTERN);
- }
- }
-
- @Override
- public void close() {
- if (client != null) {
- client.close();
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java
deleted file mode 100644
index a35bf1d..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java
+++ /dev/null
@@ -1,154 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
-
-import org.apache.commons.pool2.PooledObjectFactory;
-import org.apache.commons.pool2.impl.AbandonedConfig;
-import org.apache.commons.pool2.impl.GenericObjectPool;
-import org.apache.commons.pool2.impl.GenericObjectPoolConfig;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
-import org.apache.thrift.transport.TTransportException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * The PoolClientInvocationHandler is a proxy class for handling thrift call. For every thrift call,
- * get the instance of SentryPolicyServiceBaseClient from the commons-pool, and return the instance
- * to the commons-pool after complete the call. For any exception with the call, discard the
- * instance and create a new one added to the commons-pool. Then, get the instance and do the call
- * again. For the thread safe, the commons-pool will manage the connection pool, and every thread
- * can get the connection by borrowObject() and return the connection to the pool by returnObject().
- */
-
-public class PoolClientInvocationHandler extends SentryClientInvocationHandler {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(PoolClientInvocationHandler.class);
-
- private final Configuration conf;
- private PooledObjectFactory<SentryPolicyServiceClient> poolFactory;
- private GenericObjectPool<SentryPolicyServiceClient> pool;
- private GenericObjectPoolConfig poolConfig;
- private int connectionRetryTotal;
-
- private static final String POOL_EXCEPTION_MESSAGE = "Pool exception occured ";
-
- public PoolClientInvocationHandler(Configuration conf) throws Exception {
- this.conf = conf;
- readConfiguration();
- poolFactory = new SentryServiceClientPoolFactory(conf);
- pool = new GenericObjectPool<SentryPolicyServiceClient>(poolFactory, poolConfig, new AbandonedConfig());
- }
-
- @Override
- public Object invokeImpl(Object proxy, Method method, Object[] args) throws Exception {
- int retryCount = 0;
- Object result = null;
- while (retryCount < connectionRetryTotal) {
- try {
- // The wapper here is for the retry of thrift call, the default retry number is 3.
- result = invokeFromPool(method, args);
- break;
- } catch (TTransportException e) {
- // TTransportException means there has connection problem, create a new connection and try
- // again. Get the lock of pool and add new connection.
- synchronized (pool) {
- // If there has room, create new instance and add it to the commons-pool, this instance
- // will be back first from the commons-pool because the configuration is LIFO.
- if (pool.getNumIdle() + pool.getNumActive() < pool.getMaxTotal()) {
- pool.addObject();
- }
- }
- // Increase the retry num, and throw the exception if can't retry again.
- retryCount++;
- if (retryCount == connectionRetryTotal) {
- throw new SentryUserException(e.getMessage(), e);
- }
- }
- }
- return result;
- }
-
- private Object invokeFromPool(Method method, Object[] args) throws Exception {
- Object result = null;
- SentryPolicyServiceClient client;
- try {
- // get the connection from the pool, don't know if the connection is broken.
- client = pool.borrowObject();
- } catch (Exception e) {
- LOGGER.debug(POOL_EXCEPTION_MESSAGE, e);
- throw new SentryUserException(e.getMessage(), e);
- }
- try {
- // do the thrift call
- result = method.invoke(client, args);
- } catch (InvocationTargetException e) {
- // Get the target exception, check if SentryUserException or TTransportException is wrapped.
- // TTransportException means there has connection problem with the pool.
- Throwable targetException = e.getCause();
- if (targetException instanceof SentryUserException) {
- Throwable sentryTargetException = targetException.getCause();
- // If there has connection problem, eg, invalid connection if the service restarted,
- // sentryTargetException instanceof TTransportException = true.
- if (sentryTargetException instanceof TTransportException) {
- // If the exception is caused by connection problem, destroy the instance and
- // remove it from the commons-pool. Throw the TTransportException for reconnect.
- pool.invalidateObject(client);
- throw new TTransportException(sentryTargetException);
- }
- // The exception is thrown by thrift call, eg, SentryAccessDeniedException.
- throw (SentryUserException) targetException;
- }
- throw e;
- } finally{
- try {
- // return the instance to commons-pool
- pool.returnObject(client);
- } catch (Exception e) {
- LOGGER.error(POOL_EXCEPTION_MESSAGE, e);
- throw e;
- }
- }
- return result;
- }
-
- @Override
- public void close() {
- try {
- pool.close();
- } catch (Exception e) {
- LOGGER.debug(POOL_EXCEPTION_MESSAGE, e);
- }
- }
-
- private void readConfiguration() {
- poolConfig = new GenericObjectPoolConfig();
- // config the pool size for commons-pool
- poolConfig.setMaxTotal(conf.getInt(ClientConfig.SENTRY_POOL_MAX_TOTAL, ClientConfig.SENTRY_POOL_MAX_TOTAL_DEFAULT));
- poolConfig.setMinIdle(conf.getInt(ClientConfig.SENTRY_POOL_MIN_IDLE, ClientConfig.SENTRY_POOL_MIN_IDLE_DEFAULT));
- poolConfig.setMaxIdle(conf.getInt(ClientConfig.SENTRY_POOL_MAX_IDLE, ClientConfig.SENTRY_POOL_MAX_IDLE_DEFAULT));
- // get the retry number for reconnecting service
- connectionRetryTotal = conf.getInt(ClientConfig.SENTRY_POOL_RETRY_TOTAL,
- ClientConfig.SENTRY_POOL_RETRY_TOTAL_DEFAULT);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryClientInvocationHandler.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryClientInvocationHandler.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryClientInvocationHandler.java
deleted file mode 100644
index a41be7f..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryClientInvocationHandler.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.service.thrift;
-
-import java.lang.reflect.InvocationHandler;
-import java.lang.reflect.Method;
-
-/**
- * SentryClientInvocationHandler is the base interface for all the InvocationHandler in SENTRY
- */
-public abstract class SentryClientInvocationHandler implements InvocationHandler {
-
- /**
- * Close the InvocationHandler: An InvocationHandler may create some contexts,
- * these contexts should be close when the method "close()" of client be called.
- */
- @Override
- public final Object invoke(Object proxy, Method method, Object[] args) throws Exception {
- // close() doesn't throw exception we supress that in case of connection
- // loss. Changing SentryPolicyServiceClient#close() to throw an
- // exception would be a backward incompatible change for Sentry clients.
- if ("close".equals(method.getName()) && null == args) {
- close();
- return null;
- }
- return invokeImpl(proxy, method, args);
- }
-
- /**
- * Subclass should implement this method for special function
- */
- public abstract Object invokeImpl(Object proxy, Method method, Object[] args) throws Exception;
-
- /**
- * An abstract method "close", an invocationHandler should close its contexts at here.
- */
- public abstract void close();
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientFactory.java
deleted file mode 100644
index 48ee66a..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientFactory.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.service.thrift;
-
-import java.lang.reflect.Proxy;
-
-import org.apache.hadoop.conf.Configuration;
-
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl;
-import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
-
-public final class SentryServiceClientFactory {
-
- private SentryServiceClientFactory() {
- }
-
- public static SentryPolicyServiceClient create(Configuration conf) throws Exception {
- boolean haEnabled = conf.getBoolean(ClientConfig.SERVER_HA_ENABLED, false);
- boolean pooled = conf.getBoolean(ClientConfig.SENTRY_POOL_ENABLED, false);
- if (pooled) {
- return (SentryPolicyServiceClient) Proxy
- .newProxyInstance(SentryPolicyServiceClientDefaultImpl.class.getClassLoader(),
- SentryPolicyServiceClientDefaultImpl.class.getInterfaces(),
- new PoolClientInvocationHandler(conf));
- } else if (haEnabled) {
- return (SentryPolicyServiceClient) Proxy
- .newProxyInstance(SentryPolicyServiceClientDefaultImpl.class.getClassLoader(),
- SentryPolicyServiceClientDefaultImpl.class.getInterfaces(),
- new HAClientInvocationHandler(conf));
- } else {
- return new SentryPolicyServiceClientDefaultImpl(conf);
- }
- }
-
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientPoolFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientPoolFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientPoolFactory.java
deleted file mode 100644
index 3a38b24..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceClientPoolFactory.java
+++ /dev/null
@@ -1,78 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.service.thrift;
-
-import java.lang.reflect.Proxy;
-
-import org.apache.commons.pool2.BasePooledObjectFactory;
-import org.apache.commons.pool2.PooledObject;
-import org.apache.commons.pool2.impl.DefaultPooledObject;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl;
-import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * SentryServiceClientPoolFactory is for connection pool to manage the object. Implement the related
- * method to create object, destroy object and wrap object.
- */
-
-public class SentryServiceClientPoolFactory extends BasePooledObjectFactory<SentryPolicyServiceClient> {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryServiceClientPoolFactory.class);
-
- private Configuration conf;
-
- public SentryServiceClientPoolFactory(Configuration conf) {
- this.conf = conf;
- }
-
- @Override
- public SentryPolicyServiceClient create() throws Exception {
- LOGGER.debug("Creating Sentry Service Client...");
- boolean haEnabled = conf.getBoolean(ClientConfig.SERVER_HA_ENABLED, false);
- if (haEnabled) {
- return (SentryPolicyServiceClient) Proxy
- .newProxyInstance(SentryPolicyServiceClientDefaultImpl.class.getClassLoader(),
- SentryPolicyServiceClientDefaultImpl.class.getInterfaces(),
- new HAClientInvocationHandler(conf));
- } else {
- return new SentryPolicyServiceClientDefaultImpl(conf);
- }
- }
-
- @Override
- public PooledObject<SentryPolicyServiceClient> wrap(SentryPolicyServiceClient client) {
- return new DefaultPooledObject<SentryPolicyServiceClient>(client);
- }
-
- @Override
- public void destroyObject(PooledObject<SentryPolicyServiceClient> pooledObject) {
- SentryPolicyServiceClient client = pooledObject.getObject();
- LOGGER.debug("Destroying Sentry Service Client: " + client);
- if (client != null) {
- // The close() of TSocket or TSaslClientTransport is called actually, and there has no
- // exception even there has some problems, eg, the client is closed already.
- // The close here is just try to close the socket and the client will be destroyed soon.
- client.close();
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-service/pom.xml b/sentry-service/pom.xml
index ae42d0f..4bcb7f1 100644
--- a/sentry-service/pom.xml
+++ b/sentry-service/pom.xml
@@ -32,6 +32,7 @@ limitations under the License.
<modules>
<module>sentry-service-common</module>
<module>sentry-service-server</module>
+ <module>sentry-service-client</module>
</modules>
</project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/pom.xml b/sentry-service/sentry-service-client/pom.xml
new file mode 100644
index 0000000..614f0d3
--- /dev/null
+++ b/sentry-service/sentry-service-client/pom.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service</artifactId>
+ <version>1.8.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>sentry-service-client</artifactId>
+ <name>Sentry Service Client</name>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service-common</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-kafka</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-db</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-search</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-provider-file</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-pool2</artifactId>
+ </dependency>
+ </dependencies>
+
+</project>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java
new file mode 100644
index 0000000..11cdee7
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java
@@ -0,0 +1,196 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+
+public interface SentryGenericServiceClient {
+
+ /**
+ * Create a sentry role
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @throws SentryUserException
+ */
+ void createRole(String requestorUserName, String roleName,
+ String component) throws SentryUserException;
+
+ void createRoleIfNotExist(String requestorUserName,
+ String roleName, String component) throws SentryUserException;
+
+ /**
+ * Drop a sentry role
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @throws SentryUserException
+ */
+ void dropRole(String requestorUserName, String roleName,
+ String component) throws SentryUserException;
+
+ void dropRoleIfExists(String requestorUserName, String roleName,
+ String component) throws SentryUserException;
+
+ /**
+ * add a sentry role to groups.
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param groups: The name of groups
+ * @throws SentryUserException
+ */
+ void addRoleToGroups(String requestorUserName, String roleName,
+ String component, Set<String> groups) throws SentryUserException;
+
+ /**
+ * delete a sentry role from groups.
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param groups: The name of groups
+ * @throws SentryUserException
+ */
+ void deleteRoleToGroups(String requestorUserName, String roleName,
+ String component, Set<String> groups) throws SentryUserException;
+
+ /**
+ * grant privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param privilege
+ * @throws SentryUserException
+ */
+ void grantPrivilege(String requestorUserName, String roleName,
+ String component, TSentryPrivilege privilege) throws SentryUserException;
+
+ /**
+ * revoke privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param privilege
+ * @throws SentryUserException
+ */
+ void revokePrivilege(String requestorUserName, String roleName,
+ String component, TSentryPrivilege privilege) throws SentryUserException;
+
+ /**
+ * drop privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param component: The request is issued to which component
+ * @param privilege
+ * @throws SentryUserException
+ */
+ void dropPrivilege(String requestorUserName,String component,
+ TSentryPrivilege privilege) throws SentryUserException;
+
+ /**
+ * rename privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param component: The request is issued to which component
+ * @param serviceName: The Authorizable belongs to which service
+ * @param oldAuthorizables
+ * @param newAuthorizables
+ * @throws SentryUserException
+ */
+ void renamePrivilege(String requestorUserName, String component,
+ String serviceName, List<? extends Authorizable> oldAuthorizables,
+ List<? extends Authorizable> newAuthorizables) throws SentryUserException;
+
+ /**
+ * Gets sentry role objects for a given groupName using the Sentry service
+ * @param requestorUserName : user on whose behalf the request is issued
+ * @param groupName : groupName to look up ( if null returns all roles for groups related to requestorUserName)
+ * @param component: The request is issued to which component
+ * @return Set of thrift sentry role objects
+ * @throws SentryUserException
+ */
+ Set<TSentryRole> listRolesByGroupName(
+ String requestorUserName,
+ String groupName,
+ String component)
+ throws SentryUserException;
+
+ Set<TSentryRole> listUserRoles(String requestorUserName, String component)
+ throws SentryUserException;
+
+ Set<TSentryRole> listAllRoles(String requestorUserName, String component)
+ throws SentryUserException;
+
+ /**
+ * Gets sentry privileges for a given roleName and Authorizable Hierarchy using the Sentry service
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName:
+ * @param component: The request is issued to which component
+ * @param serviceName
+ * @param authorizables
+ * @return
+ * @throws SentryUserException
+ */
+ Set<TSentryPrivilege> listPrivilegesByRoleName(
+ String requestorUserName, String roleName, String component,
+ String serviceName, List<? extends Authorizable> authorizables)
+ throws SentryUserException;
+
+ Set<TSentryPrivilege> listPrivilegesByRoleName(
+ String requestorUserName, String roleName, String component,
+ String serviceName) throws SentryUserException;
+
+ /**
+ * get sentry permissions from provider as followings:
+ * @param: component: The request is issued to which component
+ * @param: serviceName: The privilege belongs to which service
+ * @param: roleSet
+ * @param: groupNames
+ * @param: the authorizables
+ * @returns the set of permissions
+ * @throws SentryUserException
+ */
+ Set<String> listPrivilegesForProvider(String component,
+ String serviceName, ActiveRoleSet roleSet, Set<String> groups,
+ List<? extends Authorizable> authorizables) throws SentryUserException;
+
+ /**
+ * Get sentry privileges based on valid active roles and the authorize objects. Note that
+ * it is client responsibility to ensure the requestor username, etc. is not impersonated.
+ *
+ * @param component: The request respond to which component.
+ * @param serviceName: The name of service.
+ * @param requestorUserName: The requestor user name.
+ * @param authorizablesSet: The set of authorize objects. One authorize object is represented
+ * as a string. e.g resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3.
+ * @param groups: The requested groups.
+ * @param roleSet: The active roles set.
+ *
+ * @returns The mapping of authorize objects and TSentryPrivilegeMap(<role, set<privileges>).
+ * @throws SentryUserException
+ */
+ Map<String, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(String component,
+ String serviceName, String requestorUserName, Set<String> authorizablesSet,
+ Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException;
+
+ void close();
+}
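Review bot: The Javadoc on `listPrivilegesForProvider` (the block ending at `@throws SentryUserException` just before its declaration) uses `@param:` with a trailing colon and `@returns`, neither of which javadoc parses as a tag, and it documents `groupNames` and "the authorizables" while the parameters are named `groups` and `authorizables`; `@returns` recurs on `listPrivilegsbyAuthorizable`. Replacing them with `@param groups the requested group names`, `@param authorizables the authorizable hierarchy` and `@return the set of permissions` makes the generated docs agree with the signature. On `listPrivilegesByRoleName` the `@param roleName:` and `@return` tags are left empty and would benefit from a phrase each. Since this is a moved interface, correcting the misspelled method name is out of scope here, but `close()` has no Javadoc at all, and declaring `public interface SentryGenericServiceClient extends AutoCloseable` would let callers use try-with-resources without changing the existing `void close();` signature, if the implementations in this module can tolerate that.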
[6/6] sentry git commit: SENTRY-1288: Create sentry-service-client
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
SENTRY-1288: Create sentry-service-client module(Colin Ma, reviewed by Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/01875092
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/01875092
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/01875092
Branch: refs/heads/SENTRY-1205
Commit: 018750927cadc04943dd521107ddd6a08d46a871
Parents: e72e6ea
Author: Colin Ma <co...@apache.org>
Authored: Mon Jun 27 10:12:01 2016 +0800
Committer: Colin Ma <co...@apache.org>
Committed: Mon Jun 27 10:12:01 2016 +0800
----------------------------------------------------------------------
pom.xml | 5 +
sentry-dist/pom.xml | 4 +
sentry-dist/src/main/assembly/bin.xml | 1 +
sentry-provider/sentry-provider-db/pom.xml | 14 +-
.../thrift/SentryGenericServiceClient.java | 196 ----
.../SentryGenericServiceClientDefaultImpl.java | 591 ----------
.../SentryGenericServiceClientFactory.java | 34 -
.../tools/KafkaTSentryPrivilegeConverter.java | 118 --
.../generic/tools/SentryConfigToolCommon.java | 152 ---
.../db/generic/tools/SentryConfigToolSolr.java | 262 -----
.../db/generic/tools/SentryShellKafka.java | 113 --
.../db/generic/tools/SentryShellSolr.java | 112 --
.../tools/SolrTSentryPrivilegeConverter.java | 137 ---
.../tools/command/AddRoleToGroupCmd.java | 46 -
.../db/generic/tools/command/Command.java | 27 -
.../db/generic/tools/command/CreateRoleCmd.java | 39 -
.../tools/command/DeleteRoleFromGroupCmd.java | 46 -
.../db/generic/tools/command/DropRoleCmd.java | 39 -
.../tools/command/GrantPrivilegeToRoleCmd.java | 47 -
.../tools/command/ListPrivilegesByRoleCmd.java | 54 -
.../db/generic/tools/command/ListRolesCmd.java | 53 -
.../command/RevokePrivilegeFromRoleCmd.java | 47 -
.../command/TSentryPrivilegeConverter.java | 33 -
.../db/service/persistent/ServiceManager.java | 97 --
.../thrift/SentryPolicyServiceClient.java | 207 ----
.../SentryPolicyServiceClientDefaultImpl.java | 1051 -----------------
.../provider/db/tools/SentryShellCommon.java | 247 ----
.../provider/db/tools/SentryShellHive.java | 98 --
.../provider/db/tools/command/hive/Command.java | 27 -
.../db/tools/command/hive/CommandUtil.java | 117 --
.../db/tools/command/hive/CreateRoleCmd.java | 37 -
.../db/tools/command/hive/DropRoleCmd.java | 37 -
.../command/hive/GrantPrivilegeToRoleCmd.java | 61 -
.../command/hive/GrantRoleToGroupsCmd.java | 44 -
.../tools/command/hive/ListPrivilegesCmd.java | 97 --
.../db/tools/command/hive/ListRolesCmd.java | 51 -
.../hive/RevokePrivilegeFromRoleCmd.java | 62 --
.../command/hive/RevokeRoleFromGroupsCmd.java | 43 -
.../thrift/HAClientInvocationHandler.java | 139 ---
.../thrift/PoolClientInvocationHandler.java | 154 ---
.../thrift/SentryClientInvocationHandler.java | 54 -
.../thrift/SentryServiceClientFactory.java | 52 -
.../thrift/SentryServiceClientPoolFactory.java | 78 --
sentry-service/pom.xml | 1 +
sentry-service/sentry-service-client/pom.xml | 61 +
.../thrift/SentryGenericServiceClient.java | 196 ++++
.../SentryGenericServiceClientDefaultImpl.java | 591 ++++++++++
.../SentryGenericServiceClientFactory.java | 34 +
.../tools/KafkaTSentryPrivilegeConverter.java | 118 ++
.../generic/tools/SentryConfigToolCommon.java | 152 +++
.../db/generic/tools/SentryConfigToolSolr.java | 262 +++++
.../db/generic/tools/SentryShellKafka.java | 113 ++
.../db/generic/tools/SentryShellSolr.java | 112 ++
.../tools/SolrTSentryPrivilegeConverter.java | 137 +++
.../tools/command/AddRoleToGroupCmd.java | 46 +
.../db/generic/tools/command/Command.java | 27 +
.../db/generic/tools/command/CreateRoleCmd.java | 39 +
.../tools/command/DeleteRoleFromGroupCmd.java | 46 +
.../db/generic/tools/command/DropRoleCmd.java | 39 +
.../tools/command/GrantPrivilegeToRoleCmd.java | 47 +
.../tools/command/ListPrivilegesByRoleCmd.java | 54 +
.../db/generic/tools/command/ListRolesCmd.java | 53 +
.../command/RevokePrivilegeFromRoleCmd.java | 47 +
.../command/TSentryPrivilegeConverter.java | 33 +
.../db/service/persistent/ServiceManager.java | 97 ++
.../thrift/SentryPolicyServiceClient.java | 207 ++++
.../SentryPolicyServiceClientDefaultImpl.java | 1054 ++++++++++++++++++
.../provider/db/tools/SentryShellCommon.java | 247 ++++
.../provider/db/tools/SentryShellHive.java | 98 ++
.../provider/db/tools/command/hive/Command.java | 27 +
.../db/tools/command/hive/CommandUtil.java | 117 ++
.../db/tools/command/hive/CreateRoleCmd.java | 37 +
.../db/tools/command/hive/DropRoleCmd.java | 37 +
.../command/hive/GrantPrivilegeToRoleCmd.java | 61 +
.../command/hive/GrantRoleToGroupsCmd.java | 44 +
.../tools/command/hive/ListPrivilegesCmd.java | 97 ++
.../db/tools/command/hive/ListRolesCmd.java | 51 +
.../hive/RevokePrivilegeFromRoleCmd.java | 62 ++
.../command/hive/RevokeRoleFromGroupsCmd.java | 43 +
.../thrift/HAClientInvocationHandler.java | 139 +++
.../thrift/PoolClientInvocationHandler.java | 154 +++
.../thrift/SentryClientInvocationHandler.java | 54 +
.../thrift/SentryServiceClientFactory.java | 52 +
.../thrift/SentryServiceClientPoolFactory.java | 78 ++
sentry-service/sentry-service-server/pom.xml | 10 +-
85 files changed, 4980 insertions(+), 4917 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index a434fdb..bc4d8d5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -436,6 +436,11 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service-client</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
<artifactId>sentry-provider-common</artifactId>
<version>${project.version}</version>
</dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-dist/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml
index 8b3022f..04645ad 100644
--- a/sentry-dist/pom.xml
+++ b/sentry-dist/pom.xml
@@ -80,6 +80,10 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service-client</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
<artifactId>sentry-provider-common</artifactId>
</dependency>
<dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-dist/src/main/assembly/bin.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/src/main/assembly/bin.xml b/sentry-dist/src/main/assembly/bin.xml
index 5727fc9..ab95aac 100644
--- a/sentry-dist/src/main/assembly/bin.xml
+++ b/sentry-dist/src/main/assembly/bin.xml
@@ -102,6 +102,7 @@
<exclude>sentry-policy/**</exclude>
<exclude>sentry-tests/**</exclude>
<exclude>sentry-hdfs/**</exclude>
+ <exclude>sentry-service/**</exclude>
<exclude>sentry-solr/**</exclude>
</excludes>
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml
index 8061433..f028ee3 100644
--- a/sentry-provider/sentry-provider-db/pom.xml
+++ b/sentry-provider/sentry-provider-db/pom.xml
@@ -46,10 +46,6 @@ limitations under the License.
<scope>test</scope>
</dependency>
<dependency>
- <groupId>org.apache.derby</groupId>
- <artifactId>derby</artifactId>
- </dependency>
- <dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</dependency>
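Review bot: Dropping the direct derby dependency here (and sentry-service-common, sentry-provider-file and commons-pool2 in the next two hunks of this pom) leaves sentry-provider-db depending on whatever sentry-service-client pulls in transitively, which this diff does not show. If any code remaining in this module still references derby, commons-pool2 or the file-provider classes directly, the build now depends on the transitive graph of sentry-service-client and would break the moment that module trims its own dependencies; running `mvn dependency:analyze` on sentry-provider-db would confirm whether any of these should be re-declared as `<dependency>` entries with an explicit scope. Derby was declared without a `<scope>` (i.e. compile/runtime, not test-only), so it is also worth confirming it is still present at runtime in the assembled server artifact rather than only on the test classpath.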
@@ -79,11 +75,7 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-service-common</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-file</artifactId>
+ <artifactId>sentry-service-client</artifactId>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
@@ -159,9 +151,5 @@ limitations under the License.
<artifactId>mockito-all</artifactId>
<scope>test</scope>
</dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-pool2</artifactId>
- </dependency>
</dependencies>
</project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java
deleted file mode 100644
index 11cdee7..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java
+++ /dev/null
@@ -1,196 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-
-public interface SentryGenericServiceClient {
-
- /**
- * Create a sentry role
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @throws SentryUserException
- */
- void createRole(String requestorUserName, String roleName,
- String component) throws SentryUserException;
-
- void createRoleIfNotExist(String requestorUserName,
- String roleName, String component) throws SentryUserException;
-
- /**
- * Drop a sentry role
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @throws SentryUserException
- */
- void dropRole(String requestorUserName, String roleName,
- String component) throws SentryUserException;
-
- void dropRoleIfExists(String requestorUserName, String roleName,
- String component) throws SentryUserException;
-
- /**
- * add a sentry role to groups.
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param groups: The name of groups
- * @throws SentryUserException
- */
- void addRoleToGroups(String requestorUserName, String roleName,
- String component, Set<String> groups) throws SentryUserException;
-
- /**
- * delete a sentry role from groups.
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param groups: The name of groups
- * @throws SentryUserException
- */
- void deleteRoleToGroups(String requestorUserName, String roleName,
- String component, Set<String> groups) throws SentryUserException;
-
- /**
- * grant privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param privilege
- * @throws SentryUserException
- */
- void grantPrivilege(String requestorUserName, String roleName,
- String component, TSentryPrivilege privilege) throws SentryUserException;
-
- /**
- * revoke privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param privilege
- * @throws SentryUserException
- */
- void revokePrivilege(String requestorUserName, String roleName,
- String component, TSentryPrivilege privilege) throws SentryUserException;
-
- /**
- * drop privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param component: The request is issued to which component
- * @param privilege
- * @throws SentryUserException
- */
- void dropPrivilege(String requestorUserName,String component,
- TSentryPrivilege privilege) throws SentryUserException;
-
- /**
- * rename privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param component: The request is issued to which component
- * @param serviceName: The Authorizable belongs to which service
- * @param oldAuthorizables
- * @param newAuthorizables
- * @throws SentryUserException
- */
- void renamePrivilege(String requestorUserName, String component,
- String serviceName, List<? extends Authorizable> oldAuthorizables,
- List<? extends Authorizable> newAuthorizables) throws SentryUserException;
-
- /**
- * Gets sentry role objects for a given groupName using the Sentry service
- * @param requestorUserName : user on whose behalf the request is issued
- * @param groupName : groupName to look up ( if null returns all roles for groups related to requestorUserName)
- * @param component: The request is issued to which component
- * @return Set of thrift sentry role objects
- * @throws SentryUserException
- */
- Set<TSentryRole> listRolesByGroupName(
- String requestorUserName,
- String groupName,
- String component)
- throws SentryUserException;
-
- Set<TSentryRole> listUserRoles(String requestorUserName, String component)
- throws SentryUserException;
-
- Set<TSentryRole> listAllRoles(String requestorUserName, String component)
- throws SentryUserException;
-
- /**
- * Gets sentry privileges for a given roleName and Authorizable Hierarchy using the Sentry service
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName:
- * @param component: The request is issued to which component
- * @param serviceName
- * @param authorizables
- * @return
- * @throws SentryUserException
- */
- Set<TSentryPrivilege> listPrivilegesByRoleName(
- String requestorUserName, String roleName, String component,
- String serviceName, List<? extends Authorizable> authorizables)
- throws SentryUserException;
-
- Set<TSentryPrivilege> listPrivilegesByRoleName(
- String requestorUserName, String roleName, String component,
- String serviceName) throws SentryUserException;
-
- /**
- * get sentry permissions from provider as followings:
- * @param: component: The request is issued to which component
- * @param: serviceName: The privilege belongs to which service
- * @param: roleSet
- * @param: groupNames
- * @param: the authorizables
- * @returns the set of permissions
- * @throws SentryUserException
- */
- Set<String> listPrivilegesForProvider(String component,
- String serviceName, ActiveRoleSet roleSet, Set<String> groups,
- List<? extends Authorizable> authorizables) throws SentryUserException;
-
- /**
- * Get sentry privileges based on valid active roles and the authorize objects. Note that
- * it is client responsibility to ensure the requestor username, etc. is not impersonated.
- *
- * @param component: The request respond to which component.
- * @param serviceName: The name of service.
- * @param requestorUserName: The requestor user name.
- * @param authorizablesSet: The set of authorize objects. One authorize object is represented
- * as a string. e.g resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3.
- * @param groups: The requested groups.
- * @param roleSet: The active roles set.
- *
- * @returns The mapping of authorize objects and TSentryPrivilegeMap(<role, set<privileges>).
- * @throws SentryUserException
- */
- Map<String, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(String component,
- String serviceName, String requestorUserName, Set<String> authorizablesSet,
- Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException;
-
- void close();
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
deleted file mode 100644
index d22cfe2..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
+++ /dev/null
@@ -1,591 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import java.io.IOException;
-import java.net.InetSocketAddress;
-import java.security.PrivilegedExceptionAction;
-import java.util.*;
-
-import javax.security.auth.callback.CallbackHandler;
-
-import org.apache.hadoop.conf.Configuration;
-import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION;
-import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.security.SaslRpcServer;
-import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
-import org.apache.hadoop.security.SecurityUtil;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.service.thrift.ServiceConstants;
-import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.sentry.service.thrift.Status;
-import org.apache.sentry.service.thrift.sentry_common_serviceConstants;
-import org.apache.thrift.TException;
-import org.apache.thrift.protocol.TBinaryProtocol;
-import org.apache.thrift.protocol.TMultiplexedProtocol;
-import org.apache.thrift.transport.TSaslClientTransport;
-import org.apache.thrift.transport.TSocket;
-import org.apache.thrift.transport.TTransport;
-import org.apache.thrift.transport.TTransportException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Lists;
-
-public class SentryGenericServiceClientDefaultImpl implements SentryGenericServiceClient {
- private final Configuration conf;
- private final InetSocketAddress serverAddress;
- private final boolean kerberos;
- private final String[] serverPrincipalParts;
- private SentryGenericPolicyService.Client client;
- private TTransport transport;
- private int connectionTimeout;
- private static final Logger LOGGER = LoggerFactory
- .getLogger(SentryGenericServiceClientDefaultImpl.class);
- private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
-
- /**
- * This transport wraps the Sasl transports to set up the right UGI context for open().
- */
- public static class UgiSaslClientTransport extends TSaslClientTransport {
- protected UserGroupInformation ugi = null;
-
- public UgiSaslClientTransport(String mechanism, String authorizationId,
- String protocol, String serverName, Map<String, String> props,
- CallbackHandler cbh, TTransport transport, boolean wrapUgi, Configuration conf)
- throws IOException {
- super(mechanism, authorizationId, protocol, serverName, props, cbh,
- transport);
- if (wrapUgi) {
- // If we don't set the configuration, the UGI will be created based on
- // what's on the classpath, which may lack the kerberos changes we require
- UserGroupInformation.setConfiguration(conf);
- ugi = UserGroupInformation.getLoginUser();
- }
- }
-
- // open the SASL transport with using the current UserGroupInformation
- // This is needed to get the current login context stored
- @Override
- public void open() throws TTransportException {
- if (ugi == null) {
- baseOpen();
- } else {
- try {
- if (ugi.isFromKeytab()) {
- ugi.checkTGTAndReloginFromKeytab();
- }
- ugi.doAs(new PrivilegedExceptionAction<Void>() {
- public Void run() throws TTransportException {
- baseOpen();
- return null;
- }
- });
- } catch (IOException e) {
- throw new TTransportException("Failed to open SASL transport: " + e.getMessage(), e);
- } catch (InterruptedException e) {
- throw new TTransportException(
- "Interrupted while opening underlying transport: " + e.getMessage(), e);
- }
- }
- }
-
- private void baseOpen() throws TTransportException {
- super.open();
- }
- }
-
- public SentryGenericServiceClientDefaultImpl(Configuration conf) throws IOException {
- // copy the configuration because we may make modifications to it.
- this.conf = new Configuration(conf);
- Preconditions.checkNotNull(this.conf, "Configuration object cannot be null");
- this.serverAddress = NetUtils.createSocketAddr(Preconditions.checkNotNull(
- conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key "
- + ClientConfig.SERVER_RPC_ADDRESS + " is required"), conf.getInt(
- ClientConfig.SERVER_RPC_PORT, ClientConfig.SERVER_RPC_PORT_DEFAULT));
- this.connectionTimeout = conf.getInt(ClientConfig.SERVER_RPC_CONN_TIMEOUT,
- ClientConfig.SERVER_RPC_CONN_TIMEOUT_DEFAULT);
- kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
- conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
- transport = new TSocket(serverAddress.getHostName(),
- serverAddress.getPort(), connectionTimeout);
- if (kerberos) {
- String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
- // since the client uses hadoop-auth, we need to set kerberos in
- // hadoop-auth if we plan to use kerberos
- conf.set(HADOOP_SECURITY_AUTHENTICATION, ServerConfig.SECURITY_MODE_KERBEROS);
-
- // Resolve server host in the same way as we are doing on server side
- serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
- LOGGER.debug("Using server kerberos principal: " + serverPrincipal);
-
- serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
- Preconditions.checkArgument(serverPrincipalParts.length == 3,
- "Kerberos principal should have 3 parts: " + serverPrincipal);
- boolean wrapUgi = "true".equalsIgnoreCase(conf
- .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"));
- transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(),
- null, serverPrincipalParts[0], serverPrincipalParts[1],
- ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi, conf);
- } else {
- serverPrincipalParts = null;
- }
- try {
- transport.open();
- } catch (TTransportException e) {
- throw new IOException("Transport exception while opening transport: " + e.getMessage(), e);
- }
- LOGGER.debug("Successfully opened transport: " + transport + " to " + serverAddress);
- long maxMessageSize = conf.getLong(ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE,
- ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
- TMultiplexedProtocol protocol = new TMultiplexedProtocol(
- new TBinaryProtocol(transport, maxMessageSize, maxMessageSize, true, true),
- ServiceConstants.SENTRY_GENERIC_SERVICE_NAME);
- client = new SentryGenericPolicyService.Client(protocol);
- LOGGER.debug("Successfully created client");
- }
-
-
-
- /**
- * Create a sentry role
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @throws SentryUserException
- */
- public synchronized void createRole(String requestorUserName, String roleName, String component)
- throws SentryUserException {
- TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- request.setComponent(component);
- try {
- TCreateSentryRoleResponse response = client.create_sentry_role(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- public void createRoleIfNotExist(String requestorUserName, String roleName, String component) throws SentryUserException {
- TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- request.setComponent(component);
- try {
- TCreateSentryRoleResponse response = client.create_sentry_role(request);
- Status status = Status.fromCode(response.getStatus().getValue());
- if (status == Status.ALREADY_EXISTS) {
- return;
- }
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * Drop a sentry role
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @throws SentryUserException
- */
- public void dropRole(String requestorUserName,
- String roleName, String component)
- throws SentryUserException {
- dropRole(requestorUserName, roleName, component, false);
- }
-
- public void dropRoleIfExists(String requestorUserName,
- String roleName, String component)
- throws SentryUserException {
- dropRole(requestorUserName, roleName, component, true);
- }
-
- private void dropRole(String requestorUserName,
- String roleName, String component , boolean ifExists)
- throws SentryUserException {
- TDropSentryRoleRequest request = new TDropSentryRoleRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- request.setComponent(component);
- try {
- TDropSentryRoleResponse response = client.drop_sentry_role(request);
- Status status = Status.fromCode(response.getStatus().getValue());
- if (ifExists && status == Status.NO_SUCH_OBJECT) {
- return;
- }
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * add a sentry role to groups.
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param groups: The name of groups
- * @throws SentryUserException
- */
- public void addRoleToGroups(String requestorUserName, String roleName,
- String component, Set<String> groups) throws SentryUserException {
- TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- request.setGroups(groups);
- request.setComponent(component);
-
- try {
- TAlterSentryRoleAddGroupsResponse response = client.alter_sentry_role_add_groups(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * delete a sentry role from groups.
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param groups: The name of groups
- * @throws SentryUserException
- */
- public void deleteRoleToGroups(String requestorUserName, String roleName,
- String component, Set<String> groups) throws SentryUserException {
- TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- request.setGroups(groups);
- request.setComponent(component);
-
- try {
- TAlterSentryRoleDeleteGroupsResponse response = client.alter_sentry_role_delete_groups(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * grant privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param privilege
- * @throws SentryUserException
- */
- public void grantPrivilege(String requestorUserName, String roleName,
- String component, TSentryPrivilege privilege) throws SentryUserException {
- TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setRoleName(roleName);
- request.setRequestorUserName(requestorUserName);
- request.setPrivilege(privilege);
-
- try {
- TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * revoke privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName: Name of the role
- * @param component: The request is issued to which component
- * @param privilege
- * @throws SentryUserException
- */
- public void revokePrivilege(String requestorUserName, String roleName,
- String component, TSentryPrivilege privilege) throws SentryUserException {
- TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- request.setPrivilege(privilege);
-
- try {
- TAlterSentryRoleRevokePrivilegeResponse response = client.alter_sentry_role_revoke_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * drop privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param component: The request is issued to which component
- * @param privilege
- * @throws SentryUserException
- */
- public void dropPrivilege(String requestorUserName,String component,
- TSentryPrivilege privilege) throws SentryUserException {
- TDropPrivilegesRequest request = new TDropPrivilegesRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setRequestorUserName(requestorUserName);
- request.setPrivilege(privilege);
-
- try {
- TDropPrivilegesResponse response = client.drop_sentry_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * rename privilege
- * @param requestorUserName: user on whose behalf the request is issued
- * @param component: The request is issued to which component
- * @param serviceName: The Authorizable belongs to which service
- * @param oldAuthorizables
- * @param newAuthorizables
- * @throws SentryUserException
- */
- public void renamePrivilege(String requestorUserName, String component,
- String serviceName, List<? extends Authorizable> oldAuthorizables,
- List<? extends Authorizable> newAuthorizables) throws SentryUserException {
- if (oldAuthorizables == null || oldAuthorizables.isEmpty()
- || newAuthorizables == null || newAuthorizables.isEmpty()) {
- throw new SentryUserException("oldAuthorizables or newAuthorizables can not be null or empty");
- }
-
- TRenamePrivilegesRequest request = new TRenamePrivilegesRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setRequestorUserName(requestorUserName);
- request.setServiceName(serviceName);
-
- List<TAuthorizable> oldTAuthorizables = Lists.newArrayList();
- List<TAuthorizable> newTAuthorizables = Lists.newArrayList();
- for (Authorizable authorizable : oldAuthorizables) {
- oldTAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
- request.setOldAuthorizables(oldTAuthorizables);
- }
- for (Authorizable authorizable : newAuthorizables) {
- newTAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
- request.setNewAuthorizables(newTAuthorizables);
- }
-
- try {
- TRenamePrivilegesResponse response = client.rename_sentry_privilege(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * Gets sentry role objects for a given groupName using the Sentry service
- * @param requestorUserName : user on whose behalf the request is issued
- * @param groupName : groupName to look up ( if null returns all roles for groups related to requestorUserName)
- * @param component: The request is issued to which component
- * @return Set of thrift sentry role objects
- * @throws SentryUserException
- */
- public synchronized Set<TSentryRole> listRolesByGroupName(
- String requestorUserName,
- String groupName,
- String component)
- throws SentryUserException {
- TListSentryRolesRequest request = new TListSentryRolesRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setRequestorUserName(requestorUserName);
- request.setGroupName(groupName);
- request.setComponent(component);
- TListSentryRolesResponse response;
- try {
- response = client.list_sentry_roles_by_group(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getRoles();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- public Set<TSentryRole> listUserRoles(String requestorUserName, String component)
- throws SentryUserException {
- return listRolesByGroupName(requestorUserName, AccessConstants.ALL, component);
- }
-
- public Set<TSentryRole> listAllRoles(String requestorUserName, String component)
- throws SentryUserException {
- return listRolesByGroupName(requestorUserName, null, component);
- }
-
- /**
- * Gets sentry privileges for a given roleName and Authorizable Hirerchys using the Sentry service
- * @param requestorUserName: user on whose behalf the request is issued
- * @param roleName:
- * @param component: The request is issued to which component
- * @param serviceName
- * @param authorizables
- * @return
- * @throws SentryUserException
- */
- public Set<TSentryPrivilege> listPrivilegesByRoleName(
- String requestorUserName, String roleName, String component,
- String serviceName, List<? extends Authorizable> authorizables)
- throws SentryUserException {
- TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setServiceName(serviceName);
- request.setRequestorUserName(requestorUserName);
- request.setRoleName(roleName);
- if (authorizables != null && !authorizables.isEmpty()) {
- List<TAuthorizable> tAuthorizables = Lists.newArrayList();
- for (Authorizable authorizable : authorizables) {
- tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
- }
- request.setAuthorizables(tAuthorizables);
- }
-
- TListSentryPrivilegesResponse response;
- try {
- response = client.list_sentry_privileges_by_role(request);
- Status.throwIfNotOk(response.getStatus());
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- return response.getPrivileges();
- }
-
- public Set<TSentryPrivilege> listPrivilegesByRoleName(
- String requestorUserName, String roleName, String component,
- String serviceName) throws SentryUserException {
- return listPrivilegesByRoleName(requestorUserName, roleName, component, serviceName, null);
- }
-
- /**
- * get sentry permissions from provider as followings:
- * @param: component: The request is issued to which component
- * @param: serviceName: The privilege belongs to which service
- * @param: roleSet
- * @param: groupNames
- * @param: the authorizables
- * @returns the set of permissions
- * @throws SentryUserException
- */
- public Set<String> listPrivilegesForProvider(String component,
- String serviceName, ActiveRoleSet roleSet, Set<String> groups,
- List<? extends Authorizable> authorizables) throws SentryUserException {
- TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles());
- TListSentryPrivilegesForProviderRequest request = new TListSentryPrivilegesForProviderRequest();
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setServiceName(serviceName);
- request.setRoleSet(thriftRoleSet);
- if (groups == null) {
- request.setGroups(new HashSet<String>());
- } else {
- request.setGroups(groups);
- }
- List<TAuthorizable> tAuthoriables = Lists.newArrayList();
- if (authorizables != null && !authorizables.isEmpty()) {
- for (Authorizable authorizable : authorizables) {
- tAuthoriables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
- }
- request.setAuthorizables(tAuthoriables);
- }
-
- try {
- TListSentryPrivilegesForProviderResponse response = client.list_sentry_privileges_for_provider(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getPrivileges();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- /**
- * Get sentry privileges based on valid active roles and the authorize objects. Note that
- * it is client responsibility to ensure the requestor username, etc. is not impersonated.
- *
- * @param component: The request respond to which component.
- * @param serviceName: The name of service.
- * @param requestorUserName: The requestor user name.
- * @param authorizablesSet: The set of authorize objects. One authorize object is represented
- * as a string. e.g resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3.
- * @param groups: The requested groups.
- * @param roleSet: The active roles set.
- *
- * @returns The mapping of authorize objects and TSentryPrivilegeMap(<role, set<privileges>).
- * @throws SentryUserException
- */
- public Map<String, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(String component,
- String serviceName, String requestorUserName, Set<String> authorizablesSet,
- Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException {
-
- TListSentryPrivilegesByAuthRequest request = new TListSentryPrivilegesByAuthRequest();
-
- request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
- request.setComponent(component);
- request.setServiceName(serviceName);
- request.setRequestorUserName(requestorUserName);
- request.setAuthorizablesSet(authorizablesSet);
-
- if (groups == null) {
- request.setGroups(new HashSet<String>());
- } else {
- request.setGroups(groups);
- }
-
- if (roleSet != null) {
- request.setRoleSet(new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()));
- }
-
- try {
- TListSentryPrivilegesByAuthResponse response = client.list_sentry_privileges_by_authorizable(request);
- Status.throwIfNotOk(response.getStatus());
- return response.getPrivilegesMapByAuth();
- } catch (TException e) {
- throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
- }
- }
-
- @Override
- public void close() {
- if (transport != null) {
- transport.close();
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java
deleted file mode 100644
index 980d930..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.service.thrift;
-
-import org.apache.hadoop.conf.Configuration;
-
-/**
- * SentryGenericServiceClientFactory is a public class for the components which using Generic Model to create sentry client.
- */
-public final class SentryGenericServiceClientFactory {
-
- private SentryGenericServiceClientFactory() {
- }
-
- public static SentryGenericServiceClient create(Configuration conf) throws Exception {
- return new SentryGenericServiceClientDefaultImpl(conf);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java
deleted file mode 100644
index 688bc9e..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java
+++ /dev/null
@@ -1,118 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Lists;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
-import org.apache.sentry.core.model.kafka.KafkaAuthorizable;
-import org.apache.sentry.core.model.kafka.KafkaModelAuthorizables;
-import org.apache.sentry.core.model.kafka.validator.KafkaPrivilegeValidator;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
-
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SEPARATOR;
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
-import static org.apache.sentry.core.common.utils.SentryConstants.RESOURCE_WILDCARD_VALUE;
-
-public class KafkaTSentryPrivilegeConverter implements TSentryPrivilegeConverter {
- private String component;
- private String service;
-
- public KafkaTSentryPrivilegeConverter(String component, String service) {
- this.component = component;
- this.service = service;
- }
-
- public TSentryPrivilege fromString(String privilegeStr) throws Exception {
- final String hostPrefix = KafkaAuthorizable.AuthorizableType.HOST.name() + KV_SEPARATOR;
- final String hostPrefixLowerCase = hostPrefix.toLowerCase();
- if (!privilegeStr.toLowerCase().startsWith(hostPrefixLowerCase)) {
- privilegeStr = hostPrefix + RESOURCE_WILDCARD_VALUE + AUTHORIZABLE_SEPARATOR + privilegeStr;
- }
- validatePrivilegeHierarchy(privilegeStr);
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue keyValue = new KeyValue(authorizable);
- String key = keyValue.getKey();
- String value = keyValue.getValue();
-
- // is it an authorizable?
- KafkaAuthorizable authz = KafkaModelAuthorizables.from(keyValue);
- if (authz != null) {
- authorizables.add(new TAuthorizable(authz.getTypeName(), authz.getName()));
-
- } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setAction(value);
- }
- }
-
- if (tSentryPrivilege.getAction() == null) {
- throw new IllegalArgumentException("Privilege is invalid: action required but not specified.");
- }
- tSentryPrivilege.setComponent(component);
- tSentryPrivilege.setServiceName(service);
- tSentryPrivilege.setAuthorizables(authorizables);
- return tSentryPrivilege;
- }
-
- public String toString(TSentryPrivilege tSentryPrivilege) {
- List<String> privileges = Lists.newArrayList();
- if (tSentryPrivilege != null) {
- List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables();
- String action = tSentryPrivilege.getAction();
- String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
- : "false");
-
- Iterator<TAuthorizable> it = authorizables.iterator();
- if (it != null) {
- while (it.hasNext()) {
- TAuthorizable tAuthorizable = it.next();
- privileges.add(SentryConstants.KV_JOINER.join(
- tAuthorizable.getType(), tAuthorizable.getName()));
- }
- }
-
- if (!authorizables.isEmpty()) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
- }
-
- // only append the grant option to privilege string if it's true
- if ("true".equals(grantOption)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
- }
- }
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- }
-
- private static void validatePrivilegeHierarchy(String privilegeStr) throws Exception {
- new KafkaPrivilegeValidator().validate(new PrivilegeValidatorContext(privilegeStr));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java
deleted file mode 100644
index 013e824..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java
+++ /dev/null
@@ -1,152 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.annotations.VisibleForTesting;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.Parser;
-
-abstract public class SentryConfigToolCommon {
- private String policyFile;
- private boolean validate;
- private boolean importPolicy;
- private boolean checkCompat;
- private String confPath;
-
- /**
- * parse arguments
- * <pre>
- * -conf,--sentry_conf <filepath> sentry config file path
- * -p,--policy_ini <arg> policy file path
- * -v,--validate validate policy file
- * -c,--checkcompat check compatibility with service
- * -i,--import import policy file
- * -h,--help print usage
- * </pre>
- * @param args
- */
- protected boolean parseArgs(String [] args) {
- Options options = new Options();
-
- Option globalPolicyPath = new Option("p", "policy_ini", true,
- "Policy file path");
- globalPolicyPath.setRequired(true);
- options.addOption(globalPolicyPath);
-
- Option validateOpt = new Option("v", "validate", false,
- "Validate policy file");
- validateOpt.setRequired(false);
- options.addOption(validateOpt);
-
- Option checkCompatOpt = new Option("c","checkcompat",false,
- "Check compatibility with Sentry Service");
- checkCompatOpt.setRequired(false);
- options.addOption(checkCompatOpt);
-
- Option importOpt = new Option("i", "import", false,
- "Import policy file");
- importOpt.setRequired(false);
- options.addOption(importOpt);
-
- // file path of sentry-site
- Option sentrySitePathOpt = new Option("conf", "sentry_conf", true, "sentry-site file path");
- sentrySitePathOpt.setRequired(true);
- options.addOption(sentrySitePathOpt);
-
- // help option
- Option helpOpt = new Option("h", "help", false, "Shell usage");
- helpOpt.setRequired(false);
- options.addOption(helpOpt);
-
- // this Options is parsed first for help option
- Options helpOptions = new Options();
- helpOptions.addOption(helpOpt);
-
- try {
- Parser parser = new GnuParser();
-
- // parse help option first
- CommandLine cmd = parser.parse(helpOptions, args, true);
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("h")) {
- // get the help option, print the usage and exit
- usage(options);
- return false;
- }
- }
-
- // without help option
- cmd = parser.parse(options, args);
-
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("p")) {
- policyFile = opt.getValue();
- } else if (opt.getOpt().equals("v")) {
- validate = true;
- } else if (opt.getOpt().equals("i")) {
- importPolicy = true;
- } else if (opt.getOpt().equals("c")) {
- checkCompat = true;
- } else if (opt.getOpt().equals("conf")) {
- confPath = opt.getValue();
- }
- }
-
- if (!validate && !importPolicy) {
- throw new IllegalArgumentException("No action specified; at least one of action or import must be specified");
- }
- } catch (ParseException pe) {
- System.out.println(pe.getMessage());
- usage(options);
- return false;
- }
- return true;
- }
-
- // print usage
- private void usage(Options sentryOptions) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("sentryConfigTool", sentryOptions);
- }
-
- public abstract void run() throws Exception;
-
- @VisibleForTesting
- public boolean executeConfigTool(String [] args) throws Exception {
- boolean result = true;
- if (parseArgs(args)) {
- run();
- } else {
- result = false;
- }
- return result;
- }
-
- public String getPolicyFile() { return policyFile; }
- public boolean getValidate() { return validate; }
- public boolean getImportPolicy() { return importPolicy; }
- public boolean getCheckCompat() { return checkCompat; }
- public String getConfPath() { return confPath; }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
deleted file mode 100644
index 404adb8..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
+++ /dev/null
@@ -1,262 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-import com.google.common.collect.Table;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.model.search.SearchPrivilegeModel;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.HashMap;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Locale;
-import java.util.Map;
-import java.util.Set;
-
-/**
- * SentryConfigToolSolr is an administrative tool used to parse a Solr policy file
- * and add the role, group mappings, and privileges therein to the Sentry service.
- */
-public class SentryConfigToolSolr extends SentryConfigToolCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryConfigToolSolr.class);
- public static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
-
- @Override
- public void run() throws Exception {
- String component = "SOLR";
- Configuration conf = getSentryConf();
-
- String service = conf.get(SOLR_SERVICE_NAME, "service1");
- // instantiate a solr client for sentry service. This sets the ugi, so must
- // be done before getting the ugi below.
- SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf);
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- convertINIToSentryServiceCmds(component, service, requestorName, conf, client,
- getPolicyFile(), getValidate(), getImportPolicy(), getCheckCompat());
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(getConfPath()));
- return conf;
- }
-
- /**
- * Convert policy file to solrctl commands -- based on SENTRY-480
- */
- private void convertINIToSentryServiceCmds(String component,
- String service, String requestorName,
- Configuration conf, SentryGenericServiceClient client,
- String policyFile, boolean validate, boolean importPolicy,
- boolean checkCompat) throws Exception {
-
- //instantiate a file providerBackend for parsing
- LOGGER.info("Reading policy file at: " + policyFile);
- SimpleFileProviderBackend policyFileBackend =
- new SimpleFileProviderBackend(conf, policyFile);
- ProviderBackendContext context = new ProviderBackendContext();
- context.setValidators(SearchPrivilegeModel.getInstance().getPrivilegeValidators());
- policyFileBackend.initialize(context);
- if (validate) {
- validatePolicy(policyFileBackend);
- }
-
- if (checkCompat) {
- checkCompat(policyFileBackend);
- }
-
- //import the relations about group,role and privilege into the DB store
- Set<String> roles = Sets.newHashSet();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- policyFileBackend.getGroupRolePrivilegeTable();
- SolrTSentryPrivilegeConverter converter = new SolrTSentryPrivilegeConverter(component, service, false);
-
- for (String groupName : groupRolePrivilegeTable.rowKeySet()) {
- for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
- if (!roles.contains(roleName)) {
- LOGGER.info(dryRunMessage(importPolicy) + "Creating role: " + roleName.toLowerCase(Locale.US));
- if (importPolicy) {
- client.createRoleIfNotExist(requestorName, roleName, component);
- }
- roles.add(roleName);
- }
-
- Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
- if (privileges == null) {
- continue;
- }
- LOGGER.info(dryRunMessage(importPolicy) + "Adding role: " + roleName.toLowerCase(Locale.US) + " to group: " + groupName);
- if (importPolicy) {
- client.addRoleToGroups(requestorName, roleName, component, Sets.newHashSet(groupName));
- }
-
- for (String permission : privileges) {
- String action = null;
-
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.
- trimResults().split(permission)) {
- KeyValue kv = new KeyValue(authorizable);
- String key = kv.getKey();
- String value = kv.getValue();
- if ("action".equalsIgnoreCase(key)) {
- action = value;
- }
- }
-
- // Service doesn't support not specifying action
- if (action == null) {
- permission += "->action=" + Action.ALL;
- }
- LOGGER.info(dryRunMessage(importPolicy) + "Adding permission: " + permission + " to role: " + roleName.toLowerCase(Locale.US));
- if (importPolicy) {
- client.grantPrivilege(requestorName, roleName, component, converter.fromString(permission));
- }
- }
- }
- }
- }
-
- private void validatePolicy(ProviderBackend backend) throws Exception {
- try {
- backend.validatePolicy(true);
- } catch (SentryConfigurationException e) {
- printConfigErrorsWarnings(e);
- throw e;
- }
- }
-
- private void printConfigErrorsWarnings(SentryConfigurationException configException) {
- System.out.println(" *** Found configuration problems *** ");
- for (String errMsg : configException.getConfigErrors()) {
- System.out.println("ERROR: " + errMsg);
- }
- for (String warnMsg : configException.getConfigWarnings()) {
- System.out.println("Warning: " + warnMsg);
- }
- }
-
- private void checkCompat(SimpleFileProviderBackend backend) throws Exception {
- Map<String, Set<String>> rolesCaseMapping = new HashMap<String, Set<String>>();
- Table<String, String, Set<String>> groupRolePrivilegeTable =
- backend.getGroupRolePrivilegeTable();
-
- for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
- String roleNameLower = roleName.toLowerCase(Locale.US);
- if (!roleName.equals(roleNameLower)) {
- if (!rolesCaseMapping.containsKey(roleNameLower)) {
- rolesCaseMapping.put(roleNameLower, Sets.newHashSet(roleName));
- } else {
- rolesCaseMapping.get(roleNameLower).add(roleName);
- }
- }
- }
-
- List<String> errors = new LinkedList<String>();
- StringBuilder warningString = new StringBuilder();
- if (!rolesCaseMapping.isEmpty()) {
- warningString.append("The following roles names will be lower cased when added to the Sentry Service.\n");
- warningString.append("This will cause document-level security to fail to match the role tokens.\n");
- warningString.append("Role names: ");
- }
- boolean firstWarning = true;
-
- for (Map.Entry<String, Set<String>> entry : rolesCaseMapping.entrySet()) {
- Set<String> caseMapping = entry.getValue();
- if (caseMapping.size() > 1) {
- StringBuilder errorString = new StringBuilder();
- errorString.append("The following (cased) roles map to the same role in the sentry service: ");
- boolean first = true;
- for (String casedRole : caseMapping) {
- errorString.append(first ? "" : ", ");
- errorString.append(casedRole);
- first = false;
- }
- errorString.append(". Role in service: ").append(entry.getKey());
- errors.add(errorString.toString());
- }
-
- for (String casedRole : caseMapping) {
- warningString.append(firstWarning? "" : ", ");
- warningString.append(casedRole);
- firstWarning = false;
- }
- }
-
- for (String error : errors) {
- System.out.println("ERROR: " + error);
- }
- System.out.println("\n");
-
- System.out.println("Warning: " + warningString.toString());
- if (errors.size() > 0) {
- SentryConfigurationException ex =
- new SentryConfigurationException("Compatibility check failure");
- ex.setConfigErrors(errors);
- ex.setConfigWarnings(Lists.<String>asList(warningString.toString(), new String[0]));
- throw ex;
- }
- }
-
- private String dryRunMessage(boolean importPolicy) {
- if (importPolicy) {
- return "";
- } else {
- return "[Dry Run] ";
- }
- }
-
- public static void main(String[] args) throws Exception {
- SentryConfigToolSolr solrTool = new SentryConfigToolSolr();
- try {
- solrTool.executeConfigTool(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- String error = "";
- if (current != null && current.getMessage() != null) {
- error = "Message: " + current.getMessage();
- }
- System.out.println("The operation failed. " + error);
- System.exit(1);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java
deleted file mode 100644
index ea05db7..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java
+++ /dev/null
@@ -1,113 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.core.common.utils.AuthorizationComponent;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.tools.command.*;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * SentryShellKafka is an admin tool, and responsible for the management of repository.
- * The following commands are supported:
- * create role, drop role, add group to role, grant privilege to role,
- * revoke privilege from role, list roles, list privilege for role.
- */
-public class SentryShellKafka extends SentryShellCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellKafka.class);
- public static final String KAFKA_SERVICE_NAME = "sentry.service.client.kafka.service.name";
-
- @Override
- public void run() throws Exception {
- Command command = null;
- String component = AuthorizationComponent.KAFKA;
- Configuration conf = getSentryConf();
-
- String service = conf.get(KAFKA_SERVICE_NAME, "kafka1");
- SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf);
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- if (isCreateRole) {
- command = new CreateRoleCmd(roleName, component);
- } else if (isDropRole) {
- command = new DropRoleCmd(roleName, component);
- } else if (isAddRoleGroup) {
- command = new AddRoleToGroupCmd(roleName, groupName, component);
- } else if (isDeleteRoleGroup) {
- command = new DeleteRoleFromGroupCmd(roleName, groupName, component);
- } else if (isGrantPrivilegeRole) {
- command = new GrantPrivilegeToRoleCmd(roleName, component,
- privilegeStr, new KafkaTSentryPrivilegeConverter(component, service));
- } else if (isRevokePrivilegeRole) {
- command = new RevokePrivilegeFromRoleCmd(roleName, component,
- privilegeStr, new KafkaTSentryPrivilegeConverter(component, service));
- } else if (isListRole) {
- command = new ListRolesCmd(groupName, component);
- } else if (isListPrivilege) {
- command = new ListPrivilegesByRoleCmd(roleName, component,
- service, new KafkaTSentryPrivilegeConverter(component, service));
- }
-
- // check the requestor name
- if (StringUtils.isEmpty(requestorName)) {
- // The exception message will be recorded in log file.
- throw new Exception("The requestor name is empty.");
- }
-
- if (command != null) {
- command.execute(client, requestorName);
- }
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(confPath));
- return conf;
- }
-
- public static void main(String[] args) throws Exception {
- SentryShellKafka sentryShell = new SentryShellKafka();
- try {
- sentryShell.executeShell(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- String error = "";
- if (current != null && current.getMessage() != null) {
- error = "Message: " + current.getMessage();
- }
- System.out.println("The operation failed. " + error);
- System.exit(1);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
deleted file mode 100644
index 695c008..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
+++ /dev/null
@@ -1,112 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
-import org.apache.sentry.provider.db.generic.tools.command.*;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * SentryShellSolr is an admin tool, and responsible for the management of repository.
- * The following commands are supported:
- * create role, drop role, add group to role, grant privilege to role,
- * revoke privilege from role, list roles, list privilege for role.
- */
-public class SentryShellSolr extends SentryShellCommon {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellSolr.class);
- public static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
-
- @Override
- public void run() throws Exception {
- Command command = null;
- String component = "SOLR";
- Configuration conf = getSentryConf();
-
- String service = conf.get(SOLR_SERVICE_NAME, "service1");
- SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf);
- UserGroupInformation ugi = UserGroupInformation.getLoginUser();
- String requestorName = ugi.getShortUserName();
-
- if (isCreateRole) {
- command = new CreateRoleCmd(roleName, component);
- } else if (isDropRole) {
- command = new DropRoleCmd(roleName, component);
- } else if (isAddRoleGroup) {
- command = new AddRoleToGroupCmd(roleName, groupName, component);
- } else if (isDeleteRoleGroup) {
- command = new DeleteRoleFromGroupCmd(roleName, groupName, component);
- } else if (isGrantPrivilegeRole) {
- command = new GrantPrivilegeToRoleCmd(roleName, component,
- privilegeStr, new SolrTSentryPrivilegeConverter(component, service));
- } else if (isRevokePrivilegeRole) {
- command = new RevokePrivilegeFromRoleCmd(roleName, component,
- privilegeStr, new SolrTSentryPrivilegeConverter(component, service));
- } else if (isListRole) {
- command = new ListRolesCmd(groupName, component);
- } else if (isListPrivilege) {
- command = new ListPrivilegesByRoleCmd(roleName, component,
- service, new SolrTSentryPrivilegeConverter(component, service));
- }
-
- // check the requestor name
- if (StringUtils.isEmpty(requestorName)) {
- // The exception message will be recorded in log file.
- throw new Exception("The requestor name is empty.");
- }
-
- if (command != null) {
- command.execute(client, requestorName);
- }
- }
-
- private Configuration getSentryConf() {
- Configuration conf = new Configuration();
- conf.addResource(new Path(confPath));
- return conf;
- }
-
- public static void main(String[] args) throws Exception {
- SentryShellSolr sentryShell = new SentryShellSolr();
- try {
- sentryShell.executeShell(args);
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- Throwable current = e;
- // find the first printable message;
- while (current != null && current.getMessage() == null) {
- current = current.getCause();
- }
- String error = "";
- if (current != null && current.getMessage() != null) {
- error = "Message: " + current.getMessage();
- }
- System.out.println("The operation failed. " + error);
- System.exit(1);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java
deleted file mode 100644
index 92c6c59..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java
+++ /dev/null
@@ -1,137 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.collect.Lists;
-
-import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.core.model.search.SearchModelAuthorizable;
-import org.apache.sentry.core.common.validator.PrivilegeValidator;
-import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
-import org.apache.sentry.core.model.search.SearchModelAuthorizables;
-import org.apache.sentry.core.model.search.SearchPrivilegeModel;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.apache.sentry.core.common.utils.PolicyFileConstants;
-import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
-import org.apache.shiro.config.ConfigurationException;
-
-import java.util.Iterator;
-import java.util.LinkedList;
-import java.util.List;
-
-public class SolrTSentryPrivilegeConverter implements TSentryPrivilegeConverter {
- private String component;
- private String service;
- private boolean validate;
-
- public SolrTSentryPrivilegeConverter(String component, String service) {
- this(component, service, true);
- }
-
- public SolrTSentryPrivilegeConverter(String component, String service, boolean validate) {
- this.component = component;
- this.service = service;
- this.validate = validate;
- }
-
- public TSentryPrivilege fromString(String privilegeStr) throws Exception {
- if (validate) {
- validatePrivilegeHierarchy(privilegeStr);
- }
-
- TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
- for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
- KeyValue keyValue = new KeyValue(authorizable);
- String key = keyValue.getKey();
- String value = keyValue.getValue();
-
- // is it an authorizable?
- SearchModelAuthorizable authz = SearchModelAuthorizables.from(keyValue);
- if (authz != null) {
- if (authz instanceof Collection) {
- Collection coll = (Collection)authz;
- authorizables.add(new TAuthorizable(coll.getTypeName(), coll.getName()));
- } else {
- throw new IllegalArgumentException("Unknown authorizable type: " + authz.getTypeName());
- }
- } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
- tSentryPrivilege.setAction(value);
- // Limitation: don't support grant at this time, since the existing solr use cases don't need it.
- } else {
- throw new IllegalArgumentException("Unknown key: " + key);
- }
- }
-
- if (tSentryPrivilege.getAction() == null) {
- throw new IllegalArgumentException("Privilege is invalid: action required but not specified.");
- }
- tSentryPrivilege.setComponent(component);
- tSentryPrivilege.setServiceName(service);
- tSentryPrivilege.setAuthorizables(authorizables);
- return tSentryPrivilege;
- }
-
- public String toString(TSentryPrivilege tSentryPrivilege) {
- List<String> privileges = Lists.newArrayList();
- if (tSentryPrivilege != null) {
- List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables();
- String action = tSentryPrivilege.getAction();
- String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
- : "false");
-
- Iterator<TAuthorizable> it = authorizables.iterator();
- if (it != null) {
- while (it.hasNext()) {
- TAuthorizable tAuthorizable = it.next();
- privileges.add(SentryConstants.KV_JOINER.join(
- tAuthorizable.getType(), tAuthorizable.getName()));
- }
- }
-
- if (!authorizables.isEmpty()) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
- }
-
- // only append the grant option to privilege string if it's true
- if ("true".equals(grantOption)) {
- privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
- }
- }
- return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
- }
-
- private static void validatePrivilegeHierarchy(String privilegeStr) throws Exception {
- List<PrivilegeValidator> validators = SearchPrivilegeModel.getInstance().getPrivilegeValidators();
- PrivilegeValidatorContext context = new PrivilegeValidatorContext(null, privilegeStr);
- for (PrivilegeValidator validator : validators) {
- try {
- validator.validate(context);
- } catch (ConfigurationException e) {
- throw new IllegalArgumentException(e);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/AddRoleToGroupCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/AddRoleToGroupCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/AddRoleToGroupCmd.java
deleted file mode 100644
index a45d7e4..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/AddRoleToGroupCmd.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools.command;
-
-import com.google.common.collect.Sets;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-
-import java.util.Set;
-
-/**
- * Command for adding groups to a role.
- */
-public class AddRoleToGroupCmd implements Command {
-
- private String roleName;
- private String groups;
- private String component;
-
- public AddRoleToGroupCmd(String roleName, String groups, String component) {
- this.roleName = roleName;
- this.groups = groups;
- this.component = component;
- }
-
- @Override
- public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
- Set<String> groupSet = Sets.newHashSet(groups.split(SentryShellCommon.GROUP_SPLIT_CHAR));
- client.addRoleToGroups(requestorName, roleName, component, groupSet);
- }
-}
[3/6] sentry git commit: SENTRY-1288: Create sentry-service-client
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
new file mode 100644
index 0000000..d129c35
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java
@@ -0,0 +1,591 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.security.PrivilegedExceptionAction;
+import java.util.*;
+
+import javax.security.auth.callback.CallbackHandler;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.net.NetUtils;
+import org.apache.hadoop.security.SaslRpcServer;
+import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.Status;
+import org.apache.sentry.service.thrift.sentry_common_serviceConstants;
+import org.apache.thrift.TException;
+import org.apache.thrift.protocol.TBinaryProtocol;
+import org.apache.thrift.protocol.TMultiplexedProtocol;
+import org.apache.thrift.transport.TSaslClientTransport;
+import org.apache.thrift.transport.TSocket;
+import org.apache.thrift.transport.TTransport;
+import org.apache.thrift.transport.TTransportException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Lists;
+
+public class SentryGenericServiceClientDefaultImpl implements SentryGenericServiceClient {
+ private final Configuration conf;
+ private final InetSocketAddress serverAddress;
+ private final boolean kerberos;
+ private final String[] serverPrincipalParts;
+ private SentryGenericPolicyService.Client client;
+ private TTransport transport;
+ private int connectionTimeout;
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(SentryGenericServiceClientDefaultImpl.class);
+ private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
+
+ /**
+ * This transport wraps the Sasl transports to set up the right UGI context for open().
+ */
+ public static class UgiSaslClientTransport extends TSaslClientTransport {
+ protected UserGroupInformation ugi = null;
+
+ public UgiSaslClientTransport(String mechanism, String authorizationId,
+ String protocol, String serverName, Map<String, String> props,
+ CallbackHandler cbh, TTransport transport, boolean wrapUgi, Configuration conf)
+ throws IOException {
+ super(mechanism, authorizationId, protocol, serverName, props, cbh,
+ transport);
+ if (wrapUgi) {
+ // If we don't set the configuration, the UGI will be created based on
+ // what's on the classpath, which may lack the kerberos changes we require
+ UserGroupInformation.setConfiguration(conf);
+ ugi = UserGroupInformation.getLoginUser();
+ }
+ }
+
+ // open the SASL transport with using the current UserGroupInformation
+ // This is needed to get the current login context stored
+ @Override
+ public void open() throws TTransportException {
+ if (ugi == null) {
+ baseOpen();
+ } else {
+ try {
+ if (ugi.isFromKeytab()) {
+ ugi.checkTGTAndReloginFromKeytab();
+ }
+ ugi.doAs(new PrivilegedExceptionAction<Void>() {
+ public Void run() throws TTransportException {
+ baseOpen();
+ return null;
+ }
+ });
+ } catch (IOException e) {
+ throw new TTransportException("Failed to open SASL transport: " + e.getMessage(), e);
+ } catch (InterruptedException e) {
+ throw new TTransportException(
+ "Interrupted while opening underlying transport: " + e.getMessage(), e);
+ }
+ }
+ }
+
+ private void baseOpen() throws TTransportException {
+ super.open();
+ }
+ }
+
+ public SentryGenericServiceClientDefaultImpl(Configuration conf) throws IOException {
+ // copy the configuration because we may make modifications to it.
+ this.conf = new Configuration(conf);
+ Preconditions.checkNotNull(this.conf, "Configuration object cannot be null");
+ this.serverAddress = NetUtils.createSocketAddr(Preconditions.checkNotNull(
+ conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key "
+ + ClientConfig.SERVER_RPC_ADDRESS + " is required"), conf.getInt(
+ ClientConfig.SERVER_RPC_PORT, ClientConfig.SERVER_RPC_PORT_DEFAULT));
+ this.connectionTimeout = conf.getInt(ClientConfig.SERVER_RPC_CONN_TIMEOUT,
+ ClientConfig.SERVER_RPC_CONN_TIMEOUT_DEFAULT);
+ kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
+ conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
+ transport = new TSocket(serverAddress.getHostName(),
+ serverAddress.getPort(), connectionTimeout);
+ if (kerberos) {
+ String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
+ // since the client uses hadoop-auth, we need to set kerberos in
+ // hadoop-auth if we plan to use kerberos
+ conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, ServerConfig.SECURITY_MODE_KERBEROS);
+
+ // Resolve server host in the same way as we are doing on server side
+ serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
+ LOGGER.debug("Using server kerberos principal: " + serverPrincipal);
+
+ serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
+ Preconditions.checkArgument(serverPrincipalParts.length == 3,
+ "Kerberos principal should have 3 parts: " + serverPrincipal);
+ boolean wrapUgi = "true".equalsIgnoreCase(conf
+ .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"));
+ transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(),
+ null, serverPrincipalParts[0], serverPrincipalParts[1],
+ ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi, conf);
+ } else {
+ serverPrincipalParts = null;
+ }
+ try {
+ transport.open();
+ } catch (TTransportException e) {
+ throw new IOException("Transport exception while opening transport: " + e.getMessage(), e);
+ }
+ LOGGER.debug("Successfully opened transport: " + transport + " to " + serverAddress);
+ long maxMessageSize = conf.getLong(ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE,
+ ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
+ TMultiplexedProtocol protocol = new TMultiplexedProtocol(
+ new TBinaryProtocol(transport, maxMessageSize, maxMessageSize, true, true),
+ ServiceConstants.SENTRY_GENERIC_SERVICE_NAME);
+ client = new SentryGenericPolicyService.Client(protocol);
+ LOGGER.debug("Successfully created client");
+ }
+
+
+
+ /**
+ * Create a sentry role
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @throws SentryUserException
+ */
+ public synchronized void createRole(String requestorUserName, String roleName, String component)
+ throws SentryUserException {
+ TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ request.setComponent(component);
+ try {
+ TCreateSentryRoleResponse response = client.create_sentry_role(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ public void createRoleIfNotExist(String requestorUserName, String roleName, String component) throws SentryUserException {
+ TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ request.setComponent(component);
+ try {
+ TCreateSentryRoleResponse response = client.create_sentry_role(request);
+ Status status = Status.fromCode(response.getStatus().getValue());
+ if (status == Status.ALREADY_EXISTS) {
+ return;
+ }
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ /**
+ * Drop a sentry role
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @throws SentryUserException
+ */
+ public void dropRole(String requestorUserName,
+ String roleName, String component)
+ throws SentryUserException {
+ dropRole(requestorUserName, roleName, component, false);
+ }
+
+ public void dropRoleIfExists(String requestorUserName,
+ String roleName, String component)
+ throws SentryUserException {
+ dropRole(requestorUserName, roleName, component, true);
+ }
+
+ private void dropRole(String requestorUserName,
+ String roleName, String component , boolean ifExists)
+ throws SentryUserException {
+ TDropSentryRoleRequest request = new TDropSentryRoleRequest();
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ request.setComponent(component);
+ try {
+ TDropSentryRoleResponse response = client.drop_sentry_role(request);
+ Status status = Status.fromCode(response.getStatus().getValue());
+ if (ifExists && status == Status.NO_SUCH_OBJECT) {
+ return;
+ }
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ /**
+ * add a sentry role to groups.
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param groups: The name of groups
+ * @throws SentryUserException
+ */
+ public void addRoleToGroups(String requestorUserName, String roleName,
+ String component, Set<String> groups) throws SentryUserException {
+ TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ request.setGroups(groups);
+ request.setComponent(component);
+
+ try {
+ TAlterSentryRoleAddGroupsResponse response = client.alter_sentry_role_add_groups(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ /**
+ * delete a sentry role from groups.
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param groups: The name of groups
+ * @throws SentryUserException
+ */
+ public void deleteRoleToGroups(String requestorUserName, String roleName,
+ String component, Set<String> groups) throws SentryUserException {
+ TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ request.setGroups(groups);
+ request.setComponent(component);
+
+ try {
+ TAlterSentryRoleDeleteGroupsResponse response = client.alter_sentry_role_delete_groups(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ /**
+ * grant privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param privilege
+ * @throws SentryUserException
+ */
+ public void grantPrivilege(String requestorUserName, String roleName,
+ String component, TSentryPrivilege privilege) throws SentryUserException {
+ TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setComponent(component);
+ request.setRoleName(roleName);
+ request.setRequestorUserName(requestorUserName);
+ request.setPrivilege(privilege);
+
+ try {
+ TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ /**
+ * revoke privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param privilege
+ * @throws SentryUserException
+ */
+ public void revokePrivilege(String requestorUserName, String roleName,
+ String component, TSentryPrivilege privilege) throws SentryUserException {
+ TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setComponent(component);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ request.setPrivilege(privilege);
+
+ try {
+ TAlterSentryRoleRevokePrivilegeResponse response = client.alter_sentry_role_revoke_privilege(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ /**
+ * drop privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param component: The request is issued to which component
+ * @param privilege
+ * @throws SentryUserException
+ */
+ public void dropPrivilege(String requestorUserName,String component,
+ TSentryPrivilege privilege) throws SentryUserException {
+ TDropPrivilegesRequest request = new TDropPrivilegesRequest();
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setComponent(component);
+ request.setRequestorUserName(requestorUserName);
+ request.setPrivilege(privilege);
+
+ try {
+ TDropPrivilegesResponse response = client.drop_sentry_privilege(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ /**
+ * rename privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param component: The request is issued to which component
+ * @param serviceName: The Authorizable belongs to which service
+ * @param oldAuthorizables
+ * @param newAuthorizables
+ * @throws SentryUserException
+ */
+ public void renamePrivilege(String requestorUserName, String component,
+ String serviceName, List<? extends Authorizable> oldAuthorizables,
+ List<? extends Authorizable> newAuthorizables) throws SentryUserException {
+ if (oldAuthorizables == null || oldAuthorizables.isEmpty()
+ || newAuthorizables == null || newAuthorizables.isEmpty()) {
+ throw new SentryUserException("oldAuthorizables or newAuthorizables can not be null or empty");
+ }
+
+ TRenamePrivilegesRequest request = new TRenamePrivilegesRequest();
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setComponent(component);
+ request.setRequestorUserName(requestorUserName);
+ request.setServiceName(serviceName);
+
+ List<TAuthorizable> oldTAuthorizables = Lists.newArrayList();
+ List<TAuthorizable> newTAuthorizables = Lists.newArrayList();
+ for (Authorizable authorizable : oldAuthorizables) {
+ oldTAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
+ request.setOldAuthorizables(oldTAuthorizables);
+ }
+ for (Authorizable authorizable : newAuthorizables) {
+ newTAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
+ request.setNewAuthorizables(newTAuthorizables);
+ }
+
+ try {
+ TRenamePrivilegesResponse response = client.rename_sentry_privilege(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ /**
+ * Gets sentry role objects for a given groupName using the Sentry service
+ * @param requestorUserName : user on whose behalf the request is issued
+ * @param groupName : groupName to look up ( if null returns all roles for groups related to requestorUserName)
+ * @param component: The request is issued to which component
+ * @return Set of thrift sentry role objects
+ * @throws SentryUserException
+ */
+ public synchronized Set<TSentryRole> listRolesByGroupName(
+ String requestorUserName,
+ String groupName,
+ String component)
+ throws SentryUserException {
+ TListSentryRolesRequest request = new TListSentryRolesRequest();
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setRequestorUserName(requestorUserName);
+ request.setGroupName(groupName);
+ request.setComponent(component);
+ TListSentryRolesResponse response;
+ try {
+ response = client.list_sentry_roles_by_group(request);
+ Status.throwIfNotOk(response.getStatus());
+ return response.getRoles();
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ public Set<TSentryRole> listUserRoles(String requestorUserName, String component)
+ throws SentryUserException {
+ return listRolesByGroupName(requestorUserName, SentryConstants.RESOURCE_WILDCARD_VALUE, component);
+ }
+
+ public Set<TSentryRole> listAllRoles(String requestorUserName, String component)
+ throws SentryUserException {
+ return listRolesByGroupName(requestorUserName, null, component);
+ }
+
+ /**
+ * Gets sentry privileges for a given roleName and Authorizable Hirerchys using the Sentry service
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName:
+ * @param component: The request is issued to which component
+ * @param serviceName
+ * @param authorizables
+ * @return
+ * @throws SentryUserException
+ */
+ public Set<TSentryPrivilege> listPrivilegesByRoleName(
+ String requestorUserName, String roleName, String component,
+ String serviceName, List<? extends Authorizable> authorizables)
+ throws SentryUserException {
+ TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest();
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setComponent(component);
+ request.setServiceName(serviceName);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ if (authorizables != null && !authorizables.isEmpty()) {
+ List<TAuthorizable> tAuthorizables = Lists.newArrayList();
+ for (Authorizable authorizable : authorizables) {
+ tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
+ }
+ request.setAuthorizables(tAuthorizables);
+ }
+
+ TListSentryPrivilegesResponse response;
+ try {
+ response = client.list_sentry_privileges_by_role(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ return response.getPrivileges();
+ }
+
+ public Set<TSentryPrivilege> listPrivilegesByRoleName(
+ String requestorUserName, String roleName, String component,
+ String serviceName) throws SentryUserException {
+ return listPrivilegesByRoleName(requestorUserName, roleName, component, serviceName, null);
+ }
+
+ /**
+ * get sentry permissions from provider as followings:
+ * @param: component: The request is issued to which component
+ * @param: serviceName: The privilege belongs to which service
+ * @param: roleSet
+ * @param: groupNames
+ * @param: the authorizables
+ * @returns the set of permissions
+ * @throws SentryUserException
+ */
+ public Set<String> listPrivilegesForProvider(String component,
+ String serviceName, ActiveRoleSet roleSet, Set<String> groups,
+ List<? extends Authorizable> authorizables) throws SentryUserException {
+ TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles());
+ TListSentryPrivilegesForProviderRequest request = new TListSentryPrivilegesForProviderRequest();
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setComponent(component);
+ request.setServiceName(serviceName);
+ request.setRoleSet(thriftRoleSet);
+ if (groups == null) {
+ request.setGroups(new HashSet<String>());
+ } else {
+ request.setGroups(groups);
+ }
+ List<TAuthorizable> tAuthoriables = Lists.newArrayList();
+ if (authorizables != null && !authorizables.isEmpty()) {
+ for (Authorizable authorizable : authorizables) {
+ tAuthoriables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
+ }
+ request.setAuthorizables(tAuthoriables);
+ }
+
+ try {
+ TListSentryPrivilegesForProviderResponse response = client.list_sentry_privileges_for_provider(request);
+ Status.throwIfNotOk(response.getStatus());
+ return response.getPrivileges();
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ /**
+ * Get sentry privileges based on valid active roles and the authorize objects. Note that
+ * it is client responsibility to ensure the requestor username, etc. is not impersonated.
+ *
+ * @param component: The request respond to which component.
+ * @param serviceName: The name of service.
+ * @param requestorUserName: The requestor user name.
+ * @param authorizablesSet: The set of authorize objects. One authorize object is represented
+ * as a string. e.g resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3.
+ * @param groups: The requested groups.
+ * @param roleSet: The active roles set.
+ *
+ * @returns The mapping of authorize objects and TSentryPrivilegeMap(<role, set<privileges>).
+ * @throws SentryUserException
+ */
+ public Map<String, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(String component,
+ String serviceName, String requestorUserName, Set<String> authorizablesSet,
+ Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException {
+
+ TListSentryPrivilegesByAuthRequest request = new TListSentryPrivilegesByAuthRequest();
+
+ request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
+ request.setComponent(component);
+ request.setServiceName(serviceName);
+ request.setRequestorUserName(requestorUserName);
+ request.setAuthorizablesSet(authorizablesSet);
+
+ if (groups == null) {
+ request.setGroups(new HashSet<String>());
+ } else {
+ request.setGroups(groups);
+ }
+
+ if (roleSet != null) {
+ request.setRoleSet(new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()));
+ }
+
+ try {
+ TListSentryPrivilegesByAuthResponse response = client.list_sentry_privileges_by_authorizable(request);
+ Status.throwIfNotOk(response.getStatus());
+ return response.getPrivilegesMapByAuth();
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ @Override
+ public void close() {
+ if (transport != null) {
+ transport.close();
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java
new file mode 100644
index 0000000..980d930
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientFactory.java
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import org.apache.hadoop.conf.Configuration;
+
+/**
+ * SentryGenericServiceClientFactory is a public class for the components which using Generic Model to create sentry client.
+ */
+public final class SentryGenericServiceClientFactory {
+
+ private SentryGenericServiceClientFactory() {
+ }
+
+ public static SentryGenericServiceClient create(Configuration conf) throws Exception {
+ return new SentryGenericServiceClientDefaultImpl(conf);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java
new file mode 100644
index 0000000..688bc9e
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConverter.java
@@ -0,0 +1,118 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import com.google.common.collect.Lists;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.sentry.core.model.kafka.KafkaAuthorizable;
+import org.apache.sentry.core.model.kafka.KafkaModelAuthorizables;
+import org.apache.sentry.core.model.kafka.validator.KafkaPrivilegeValidator;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
+
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SEPARATOR;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
+import static org.apache.sentry.core.common.utils.SentryConstants.RESOURCE_WILDCARD_VALUE;
+
+public class KafkaTSentryPrivilegeConverter implements TSentryPrivilegeConverter {
+ private String component;
+ private String service;
+
+ public KafkaTSentryPrivilegeConverter(String component, String service) {
+ this.component = component;
+ this.service = service;
+ }
+
+ public TSentryPrivilege fromString(String privilegeStr) throws Exception {
+ final String hostPrefix = KafkaAuthorizable.AuthorizableType.HOST.name() + KV_SEPARATOR;
+ final String hostPrefixLowerCase = hostPrefix.toLowerCase();
+ if (!privilegeStr.toLowerCase().startsWith(hostPrefixLowerCase)) {
+ privilegeStr = hostPrefix + RESOURCE_WILDCARD_VALUE + AUTHORIZABLE_SEPARATOR + privilegeStr;
+ }
+ validatePrivilegeHierarchy(privilegeStr);
+ TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
+ List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
+ KeyValue keyValue = new KeyValue(authorizable);
+ String key = keyValue.getKey();
+ String value = keyValue.getValue();
+
+ // is it an authorizable?
+ KafkaAuthorizable authz = KafkaModelAuthorizables.from(keyValue);
+ if (authz != null) {
+ authorizables.add(new TAuthorizable(authz.getTypeName(), authz.getName()));
+
+ } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setAction(value);
+ }
+ }
+
+ if (tSentryPrivilege.getAction() == null) {
+ throw new IllegalArgumentException("Privilege is invalid: action required but not specified.");
+ }
+ tSentryPrivilege.setComponent(component);
+ tSentryPrivilege.setServiceName(service);
+ tSentryPrivilege.setAuthorizables(authorizables);
+ return tSentryPrivilege;
+ }
+
+ public String toString(TSentryPrivilege tSentryPrivilege) {
+ List<String> privileges = Lists.newArrayList();
+ if (tSentryPrivilege != null) {
+ List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables();
+ String action = tSentryPrivilege.getAction();
+ String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
+ : "false");
+
+ Iterator<TAuthorizable> it = authorizables.iterator();
+ if (it != null) {
+ while (it.hasNext()) {
+ TAuthorizable tAuthorizable = it.next();
+ privileges.add(SentryConstants.KV_JOINER.join(
+ tAuthorizable.getType(), tAuthorizable.getName()));
+ }
+ }
+
+ if (!authorizables.isEmpty()) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
+ }
+
+ // only append the grant option to privilege string if it's true
+ if ("true".equals(grantOption)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
+ }
+ }
+ return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
+ }
+
+ private static void validatePrivilegeHierarchy(String privilegeStr) throws Exception {
+ new KafkaPrivilegeValidator().validate(new PrivilegeValidatorContext(privilegeStr));
+ }
+}
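Review bot: In `toString` the `it != null` guard is dead code, because `Iterator` returned by `List.iterator()` is never null; the value that can actually be null is `tSentryPrivilege.getAuthorizables()` itself (a Thrift list field that was never set), and that would throw NPE at `authorizables.iterator()` before the guard is reached. Replace the dead check with `if (authorizables != null) { for (TAuthorizable tAuthorizable : authorizables) { ... } }` and guard the later `!authorizables.isEmpty()` test the same way. Separately, `fromString` silently prepends `HOST=*` whenever the string lacks a host authorizable, which widens the privilege to every host; that is presumably the intended Kafka default, but it deserves a comment such as `// A privilege with no explicit HOST authorizable applies to all hosts (HOST=*)` and a null check on `privilegeStr`, which otherwise fails with NPE at `toLowerCase()`.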
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java
new file mode 100644
index 0000000..013e824
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolCommon.java
@@ -0,0 +1,152 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import com.google.common.annotations.VisibleForTesting;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.GnuParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.cli.Parser;
+
+abstract public class SentryConfigToolCommon {
+ private String policyFile;
+ private boolean validate;
+ private boolean importPolicy;
+ private boolean checkCompat;
+ private String confPath;
+
+ /**
+ * parse arguments
+ * <pre>
+ * -conf,--sentry_conf <filepath> sentry config file path
+ * -p,--policy_ini <arg> policy file path
+ * -v,--validate validate policy file
+ * -c,--checkcompat check compatibility with service
+ * -i,--import import policy file
+ * -h,--help print usage
+ * </pre>
+ * @param args
+ */
+ protected boolean parseArgs(String [] args) {
+ Options options = new Options();
+
+ Option globalPolicyPath = new Option("p", "policy_ini", true,
+ "Policy file path");
+ globalPolicyPath.setRequired(true);
+ options.addOption(globalPolicyPath);
+
+ Option validateOpt = new Option("v", "validate", false,
+ "Validate policy file");
+ validateOpt.setRequired(false);
+ options.addOption(validateOpt);
+
+ Option checkCompatOpt = new Option("c","checkcompat",false,
+ "Check compatibility with Sentry Service");
+ checkCompatOpt.setRequired(false);
+ options.addOption(checkCompatOpt);
+
+ Option importOpt = new Option("i", "import", false,
+ "Import policy file");
+ importOpt.setRequired(false);
+ options.addOption(importOpt);
+
+ // file path of sentry-site
+ Option sentrySitePathOpt = new Option("conf", "sentry_conf", true, "sentry-site file path");
+ sentrySitePathOpt.setRequired(true);
+ options.addOption(sentrySitePathOpt);
+
+ // help option
+ Option helpOpt = new Option("h", "help", false, "Shell usage");
+ helpOpt.setRequired(false);
+ options.addOption(helpOpt);
+
+ // this Options is parsed first for help option
+ Options helpOptions = new Options();
+ helpOptions.addOption(helpOpt);
+
+ try {
+ Parser parser = new GnuParser();
+
+ // parse help option first
+ CommandLine cmd = parser.parse(helpOptions, args, true);
+ for (Option opt : cmd.getOptions()) {
+ if (opt.getOpt().equals("h")) {
+ // get the help option, print the usage and exit
+ usage(options);
+ return false;
+ }
+ }
+
+ // without help option
+ cmd = parser.parse(options, args);
+
+ for (Option opt : cmd.getOptions()) {
+ if (opt.getOpt().equals("p")) {
+ policyFile = opt.getValue();
+ } else if (opt.getOpt().equals("v")) {
+ validate = true;
+ } else if (opt.getOpt().equals("i")) {
+ importPolicy = true;
+ } else if (opt.getOpt().equals("c")) {
+ checkCompat = true;
+ } else if (opt.getOpt().equals("conf")) {
+ confPath = opt.getValue();
+ }
+ }
+
+ if (!validate && !importPolicy) {
+ throw new IllegalArgumentException("No action specified; at least one of action or import must be specified");
+ }
+ } catch (ParseException pe) {
+ System.out.println(pe.getMessage());
+ usage(options);
+ return false;
+ }
+ return true;
+ }
+
+ // print usage
+ private void usage(Options sentryOptions) {
+ HelpFormatter formatter = new HelpFormatter();
+ formatter.printHelp("sentryConfigTool", sentryOptions);
+ }
+
+ public abstract void run() throws Exception;
+
+ @VisibleForTesting
+ public boolean executeConfigTool(String [] args) throws Exception {
+ boolean result = true;
+ if (parseArgs(args)) {
+ run();
+ } else {
+ result = false;
+ }
+ return result;
+ }
+
+ public String getPolicyFile() { return policyFile; }
+ public boolean getValidate() { return validate; }
+ public boolean getImportPolicy() { return importPolicy; }
+ public boolean getCheckCompat() { return checkCompat; }
+ public String getConfPath() { return confPath; }
+}
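Review bot: The validation at the end of `parseArgs` throws `IllegalArgumentException`, but the enclosing `catch` only handles `ParseException`, so a command line missing both `-v` and `-i` escapes `parseArgs` as an uncaught runtime exception instead of printing usage like every other argument error; its message also names the wrong option ("action" where the flags are validate and import). Throwing the parser's own exception type fixes both: `throw new ParseException("No action specified; at least one of --validate or --import must be specified");`. Note that `-c`/`--checkcompat` on its own is also rejected by this condition; if a compatibility check without validation or import is meant to be a valid invocation, `checkCompat` belongs in the test as well.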
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
new file mode 100644
index 0000000..404adb8
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
@@ -0,0 +1,262 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+import com.google.common.collect.Table;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.exception.SentryConfigurationException;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.model.search.SearchPrivilegeModel;
+import org.apache.sentry.provider.common.ProviderBackend;
+import org.apache.sentry.provider.common.ProviderBackendContext;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
+import org.apache.sentry.provider.file.SimpleFileProviderBackend;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * SentryConfigToolSolr is an administrative tool used to parse a Solr policy file
+ * and add the role, group mappings, and privileges therein to the Sentry service.
+ */
+public class SentryConfigToolSolr extends SentryConfigToolCommon {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryConfigToolSolr.class);
+ public static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
+
+ @Override
+ public void run() throws Exception {
+ String component = "SOLR";
+ Configuration conf = getSentryConf();
+
+ String service = conf.get(SOLR_SERVICE_NAME, "service1");
+ // instantiate a solr client for sentry service. This sets the ugi, so must
+ // be done before getting the ugi below.
+ SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf);
+ UserGroupInformation ugi = UserGroupInformation.getLoginUser();
+ String requestorName = ugi.getShortUserName();
+
+ convertINIToSentryServiceCmds(component, service, requestorName, conf, client,
+ getPolicyFile(), getValidate(), getImportPolicy(), getCheckCompat());
+ }
+
+ private Configuration getSentryConf() {
+ Configuration conf = new Configuration();
+ conf.addResource(new Path(getConfPath()));
+ return conf;
+ }
+
+ /**
+ * Convert policy file to solrctl commands -- based on SENTRY-480
+ */
+ private void convertINIToSentryServiceCmds(String component,
+ String service, String requestorName,
+ Configuration conf, SentryGenericServiceClient client,
+ String policyFile, boolean validate, boolean importPolicy,
+ boolean checkCompat) throws Exception {
+
+ //instantiate a file providerBackend for parsing
+ LOGGER.info("Reading policy file at: " + policyFile);
+ SimpleFileProviderBackend policyFileBackend =
+ new SimpleFileProviderBackend(conf, policyFile);
+ ProviderBackendContext context = new ProviderBackendContext();
+ context.setValidators(SearchPrivilegeModel.getInstance().getPrivilegeValidators());
+ policyFileBackend.initialize(context);
+ if (validate) {
+ validatePolicy(policyFileBackend);
+ }
+
+ if (checkCompat) {
+ checkCompat(policyFileBackend);
+ }
+
+ //import the relations about group,role and privilege into the DB store
+ Set<String> roles = Sets.newHashSet();
+ Table<String, String, Set<String>> groupRolePrivilegeTable =
+ policyFileBackend.getGroupRolePrivilegeTable();
+ SolrTSentryPrivilegeConverter converter = new SolrTSentryPrivilegeConverter(component, service, false);
+
+ for (String groupName : groupRolePrivilegeTable.rowKeySet()) {
+ for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
+ if (!roles.contains(roleName)) {
+ LOGGER.info(dryRunMessage(importPolicy) + "Creating role: " + roleName.toLowerCase(Locale.US));
+ if (importPolicy) {
+ client.createRoleIfNotExist(requestorName, roleName, component);
+ }
+ roles.add(roleName);
+ }
+
+ Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
+ if (privileges == null) {
+ continue;
+ }
+ LOGGER.info(dryRunMessage(importPolicy) + "Adding role: " + roleName.toLowerCase(Locale.US) + " to group: " + groupName);
+ if (importPolicy) {
+ client.addRoleToGroups(requestorName, roleName, component, Sets.newHashSet(groupName));
+ }
+
+ for (String permission : privileges) {
+ String action = null;
+
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.
+ trimResults().split(permission)) {
+ KeyValue kv = new KeyValue(authorizable);
+ String key = kv.getKey();
+ String value = kv.getValue();
+ if ("action".equalsIgnoreCase(key)) {
+ action = value;
+ }
+ }
+
+ // Service doesn't support not specifying action
+ if (action == null) {
+ permission += "->action=" + Action.ALL;
+ }
+ LOGGER.info(dryRunMessage(importPolicy) + "Adding permission: " + permission + " to role: " + roleName.toLowerCase(Locale.US));
+ if (importPolicy) {
+ client.grantPrivilege(requestorName, roleName, component, converter.fromString(permission));
+ }
+ }
+ }
+ }
+ }
+
+ private void validatePolicy(ProviderBackend backend) throws Exception {
+ try {
+ backend.validatePolicy(true);
+ } catch (SentryConfigurationException e) {
+ printConfigErrorsWarnings(e);
+ throw e;
+ }
+ }
+
+ private void printConfigErrorsWarnings(SentryConfigurationException configException) {
+ System.out.println(" *** Found configuration problems *** ");
+ for (String errMsg : configException.getConfigErrors()) {
+ System.out.println("ERROR: " + errMsg);
+ }
+ for (String warnMsg : configException.getConfigWarnings()) {
+ System.out.println("Warning: " + warnMsg);
+ }
+ }
+
+ private void checkCompat(SimpleFileProviderBackend backend) throws Exception {
+ Map<String, Set<String>> rolesCaseMapping = new HashMap<String, Set<String>>();
+ Table<String, String, Set<String>> groupRolePrivilegeTable =
+ backend.getGroupRolePrivilegeTable();
+
+ for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
+ String roleNameLower = roleName.toLowerCase(Locale.US);
+ if (!roleName.equals(roleNameLower)) {
+ if (!rolesCaseMapping.containsKey(roleNameLower)) {
+ rolesCaseMapping.put(roleNameLower, Sets.newHashSet(roleName));
+ } else {
+ rolesCaseMapping.get(roleNameLower).add(roleName);
+ }
+ }
+ }
+
+ List<String> errors = new LinkedList<String>();
+ StringBuilder warningString = new StringBuilder();
+ if (!rolesCaseMapping.isEmpty()) {
+ warningString.append("The following roles names will be lower cased when added to the Sentry Service.\n");
+ warningString.append("This will cause document-level security to fail to match the role tokens.\n");
+ warningString.append("Role names: ");
+ }
+ boolean firstWarning = true;
+
+ for (Map.Entry<String, Set<String>> entry : rolesCaseMapping.entrySet()) {
+ Set<String> caseMapping = entry.getValue();
+ if (caseMapping.size() > 1) {
+ StringBuilder errorString = new StringBuilder();
+ errorString.append("The following (cased) roles map to the same role in the sentry service: ");
+ boolean first = true;
+ for (String casedRole : caseMapping) {
+ errorString.append(first ? "" : ", ");
+ errorString.append(casedRole);
+ first = false;
+ }
+ errorString.append(". Role in service: ").append(entry.getKey());
+ errors.add(errorString.toString());
+ }
+
+ for (String casedRole : caseMapping) {
+ warningString.append(firstWarning? "" : ", ");
+ warningString.append(casedRole);
+ firstWarning = false;
+ }
+ }
+
+ for (String error : errors) {
+ System.out.println("ERROR: " + error);
+ }
+ System.out.println("\n");
+
+ System.out.println("Warning: " + warningString.toString());
+ if (errors.size() > 0) {
+ SentryConfigurationException ex =
+ new SentryConfigurationException("Compatibility check failure");
+ ex.setConfigErrors(errors);
+ ex.setConfigWarnings(Lists.<String>asList(warningString.toString(), new String[0]));
+ throw ex;
+ }
+ }
+
+ private String dryRunMessage(boolean importPolicy) {
+ if (importPolicy) {
+ return "";
+ } else {
+ return "[Dry Run] ";
+ }
+ }
+
+ public static void main(String[] args) throws Exception {
+ SentryConfigToolSolr solrTool = new SentryConfigToolSolr();
+ try {
+ solrTool.executeConfigTool(args);
+ } catch (Exception e) {
+ LOGGER.error(e.getMessage(), e);
+ Throwable current = e;
+ // find the first printable message;
+ while (current != null && current.getMessage() == null) {
+ current = current.getCause();
+ }
+ String error = "";
+ if (current != null && current.getMessage() != null) {
+ error = "Message: " + current.getMessage();
+ }
+ System.out.println("The operation failed. " + error);
+ System.exit(1);
+ }
+ }
+}
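Review bot: `run()` obtains a `SentryGenericServiceClient` from the factory but never closes it, so the Thrift transport stays open until process exit even though the client implementation exposes `close()`; wrap the conversion in `try { convertINIToSentryServiceCmds(...); } finally { client.close(); }` (or try-with-resources if the interface extends `Closeable`, which this hunk does not show). In `main`, the boolean returned by `executeConfigTool` is discarded, so a rejected command line exits 0 and a scripted caller cannot distinguish it from a successful import; `if (!solrTool.executeConfigTool(args)) { System.exit(1); }` closes that gap, at the cost of the help path also exiting non-zero. The rewrite of a privilege lacking an `action` into `action=` + `Action.ALL` grants every action on that authorizable, so the comment should make the widening explicit, e.g. `// No action in the policy file: the service requires one, so default to ALL (the broadest grant)`.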
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java
new file mode 100644
index 0000000..ea05db7
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java
@@ -0,0 +1,113 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.core.common.utils.AuthorizationComponent;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
+import org.apache.sentry.provider.db.generic.tools.command.*;
+import org.apache.sentry.provider.db.tools.SentryShellCommon;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * SentryShellKafka is an admin tool, and responsible for the management of repository.
+ * The following commands are supported:
+ * create role, drop role, add group to role, grant privilege to role,
+ * revoke privilege from role, list roles, list privilege for role.
+ */
+public class SentryShellKafka extends SentryShellCommon {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellKafka.class);
+ public static final String KAFKA_SERVICE_NAME = "sentry.service.client.kafka.service.name";
+
+ @Override
+ public void run() throws Exception {
+ Command command = null;
+ String component = AuthorizationComponent.KAFKA;
+ Configuration conf = getSentryConf();
+
+ String service = conf.get(KAFKA_SERVICE_NAME, "kafka1");
+ SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf);
+ UserGroupInformation ugi = UserGroupInformation.getLoginUser();
+ String requestorName = ugi.getShortUserName();
+
+ if (isCreateRole) {
+ command = new CreateRoleCmd(roleName, component);
+ } else if (isDropRole) {
+ command = new DropRoleCmd(roleName, component);
+ } else if (isAddRoleGroup) {
+ command = new AddRoleToGroupCmd(roleName, groupName, component);
+ } else if (isDeleteRoleGroup) {
+ command = new DeleteRoleFromGroupCmd(roleName, groupName, component);
+ } else if (isGrantPrivilegeRole) {
+ command = new GrantPrivilegeToRoleCmd(roleName, component,
+ privilegeStr, new KafkaTSentryPrivilegeConverter(component, service));
+ } else if (isRevokePrivilegeRole) {
+ command = new RevokePrivilegeFromRoleCmd(roleName, component,
+ privilegeStr, new KafkaTSentryPrivilegeConverter(component, service));
+ } else if (isListRole) {
+ command = new ListRolesCmd(groupName, component);
+ } else if (isListPrivilege) {
+ command = new ListPrivilegesByRoleCmd(roleName, component,
+ service, new KafkaTSentryPrivilegeConverter(component, service));
+ }
+
+ // check the requestor name
+ if (StringUtils.isEmpty(requestorName)) {
+ // The exception message will be recorded in log file.
+ throw new Exception("The requestor name is empty.");
+ }
+
+ if (command != null) {
+ command.execute(client, requestorName);
+ }
+ }
+
+ private Configuration getSentryConf() {
+ Configuration conf = new Configuration();
+ conf.addResource(new Path(confPath));
+ return conf;
+ }
+
+ public static void main(String[] args) throws Exception {
+ SentryShellKafka sentryShell = new SentryShellKafka();
+ try {
+ sentryShell.executeShell(args);
+ } catch (Exception e) {
+ LOGGER.error(e.getMessage(), e);
+ Throwable current = e;
+ // find the first printable message;
+ while (current != null && current.getMessage() == null) {
+ current = current.getCause();
+ }
+ String error = "";
+ if (current != null && current.getMessage() != null) {
+ error = "Message: " + current.getMessage();
+ }
+ System.out.println("The operation failed. " + error);
+ System.exit(1);
+ }
+ }
+
+}
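Review bot: The Thrift client from `SentryGenericServiceClientFactory.create(conf)` is never closed, and it is opened before the empty-requestor guard at the end of `run()`, so a run with no usable login user still connects to the Sentry server and only then throws. Compute `requestorName`, check it, and only then create the client, releasing it in a `finally` (the default client implementation wraps a Thrift transport, so a `close()` is presumably available on `SentryGenericServiceClient` — confirm). The `command == null` path also returns silently with exit code 0; unless `executeShell` (outside this hunk) rejects an unrecognised option set, a mistyped command flag gives an admin no output at all, so an explicit error there would be safer.
```java
    UserGroupInformation ugi = UserGroupInformation.getLoginUser();
    String requestorName = ugi.getShortUserName();
    // check the requestor name before opening a connection to the server
    if (StringUtils.isEmpty(requestorName)) {
      // The exception message will be recorded in log file.
      throw new Exception("The requestor name is empty.");
    }

    SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf);
    try {
      // … unchanged: command selection …
      if (command != null) {
        command.execute(client, requestorName);
      }
    } finally {
      client.close();
    }
```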
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
new file mode 100644
index 0000000..695c008
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
@@ -0,0 +1,112 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
+import org.apache.sentry.provider.db.generic.tools.command.*;
+import org.apache.sentry.provider.db.tools.SentryShellCommon;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * SentryShellSolr is an admin tool, and responsible for the management of repository.
+ * The following commands are supported:
+ * create role, drop role, add group to role, grant privilege to role,
+ * revoke privilege from role, list roles, list privilege for role.
+ */
+public class SentryShellSolr extends SentryShellCommon {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellSolr.class);
+ public static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
+
+ @Override
+ public void run() throws Exception {
+ Command command = null;
+ String component = "SOLR";
+ Configuration conf = getSentryConf();
+
+ String service = conf.get(SOLR_SERVICE_NAME, "service1");
+ SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf);
+ UserGroupInformation ugi = UserGroupInformation.getLoginUser();
+ String requestorName = ugi.getShortUserName();
+
+ if (isCreateRole) {
+ command = new CreateRoleCmd(roleName, component);
+ } else if (isDropRole) {
+ command = new DropRoleCmd(roleName, component);
+ } else if (isAddRoleGroup) {
+ command = new AddRoleToGroupCmd(roleName, groupName, component);
+ } else if (isDeleteRoleGroup) {
+ command = new DeleteRoleFromGroupCmd(roleName, groupName, component);
+ } else if (isGrantPrivilegeRole) {
+ command = new GrantPrivilegeToRoleCmd(roleName, component,
+ privilegeStr, new SolrTSentryPrivilegeConverter(component, service));
+ } else if (isRevokePrivilegeRole) {
+ command = new RevokePrivilegeFromRoleCmd(roleName, component,
+ privilegeStr, new SolrTSentryPrivilegeConverter(component, service));
+ } else if (isListRole) {
+ command = new ListRolesCmd(groupName, component);
+ } else if (isListPrivilege) {
+ command = new ListPrivilegesByRoleCmd(roleName, component,
+ service, new SolrTSentryPrivilegeConverter(component, service));
+ }
+
+ // check the requestor name
+ if (StringUtils.isEmpty(requestorName)) {
+ // The exception message will be recorded in log file.
+ throw new Exception("The requestor name is empty.");
+ }
+
+ if (command != null) {
+ command.execute(client, requestorName);
+ }
+ }
+
+ private Configuration getSentryConf() {
+ Configuration conf = new Configuration();
+ conf.addResource(new Path(confPath));
+ return conf;
+ }
+
+ public static void main(String[] args) throws Exception {
+ SentryShellSolr sentryShell = new SentryShellSolr();
+ try {
+ sentryShell.executeShell(args);
+ } catch (Exception e) {
+ LOGGER.error(e.getMessage(), e);
+ Throwable current = e;
+ // find the first printable message;
+ while (current != null && current.getMessage() == null) {
+ current = current.getCause();
+ }
+ String error = "";
+ if (current != null && current.getMessage() != null) {
+ error = "Message: " + current.getMessage();
+ }
+ System.out.println("The operation failed. " + error);
+ System.exit(1);
+ }
+ }
+
+}
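Review bot: `String component = "SOLR";` is a bare literal where the Kafka shell in this same commit uses `AuthorizationComponent.KAFKA`; the component name is the key the server files roles and privileges under, so if matching is case-sensitive server-side a mismatch between this tool and the Solr binding would silently manage a disjoint set of privileges — use the constant from `AuthorizationComponent` if one exists for Solr, or add one. Separately, the client from `SentryGenericServiceClientFactory.create(conf)` is never closed and is created before the empty-requestor check at the bottom of `run()`; moving that check above the `create` call and closing the client in a `finally` block avoids both a pointless connection and a dangling Thrift transport (assuming `SentryGenericServiceClient` exposes `close()`, as its default implementation does).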
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java
new file mode 100644
index 0000000..92c6c59
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/SolrTSentryPrivilegeConverter.java
@@ -0,0 +1,137 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import com.google.common.collect.Lists;
+
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.model.search.Collection;
+import org.apache.sentry.core.model.search.SearchModelAuthorizable;
+import org.apache.sentry.core.common.validator.PrivilegeValidator;
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.sentry.core.model.search.SearchModelAuthorizables;
+import org.apache.sentry.core.model.search.SearchPrivilegeModel;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
+import org.apache.shiro.config.ConfigurationException;
+
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+
+public class SolrTSentryPrivilegeConverter implements TSentryPrivilegeConverter {
+ private String component;
+ private String service;
+ private boolean validate;
+
+ public SolrTSentryPrivilegeConverter(String component, String service) {
+ this(component, service, true);
+ }
+
+ public SolrTSentryPrivilegeConverter(String component, String service, boolean validate) {
+ this.component = component;
+ this.service = service;
+ this.validate = validate;
+ }
+
+ public TSentryPrivilege fromString(String privilegeStr) throws Exception {
+ if (validate) {
+ validatePrivilegeHierarchy(privilegeStr);
+ }
+
+ TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
+ List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
+ KeyValue keyValue = new KeyValue(authorizable);
+ String key = keyValue.getKey();
+ String value = keyValue.getValue();
+
+ // is it an authorizable?
+ SearchModelAuthorizable authz = SearchModelAuthorizables.from(keyValue);
+ if (authz != null) {
+ if (authz instanceof Collection) {
+ Collection coll = (Collection)authz;
+ authorizables.add(new TAuthorizable(coll.getTypeName(), coll.getName()));
+ } else {
+ throw new IllegalArgumentException("Unknown authorizable type: " + authz.getTypeName());
+ }
+ } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setAction(value);
+ // Limitation: don't support grant at this time, since the existing solr use cases don't need it.
+ } else {
+ throw new IllegalArgumentException("Unknown key: " + key);
+ }
+ }
+
+ if (tSentryPrivilege.getAction() == null) {
+ throw new IllegalArgumentException("Privilege is invalid: action required but not specified.");
+ }
+ tSentryPrivilege.setComponent(component);
+ tSentryPrivilege.setServiceName(service);
+ tSentryPrivilege.setAuthorizables(authorizables);
+ return tSentryPrivilege;
+ }
+
+ public String toString(TSentryPrivilege tSentryPrivilege) {
+ List<String> privileges = Lists.newArrayList();
+ if (tSentryPrivilege != null) {
+ List<TAuthorizable> authorizables = tSentryPrivilege.getAuthorizables();
+ String action = tSentryPrivilege.getAction();
+ String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
+ : "false");
+
+ Iterator<TAuthorizable> it = authorizables.iterator();
+ if (it != null) {
+ while (it.hasNext()) {
+ TAuthorizable tAuthorizable = it.next();
+ privileges.add(SentryConstants.KV_JOINER.join(
+ tAuthorizable.getType(), tAuthorizable.getName()));
+ }
+ }
+
+ if (!authorizables.isEmpty()) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
+ }
+
+ // only append the grant option to privilege string if it's true
+ if ("true".equals(grantOption)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
+ }
+ }
+ return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
+ }
+
+ private static void validatePrivilegeHierarchy(String privilegeStr) throws Exception {
+ List<PrivilegeValidator> validators = SearchPrivilegeModel.getInstance().getPrivilegeValidators();
+ PrivilegeValidatorContext context = new PrivilegeValidatorContext(null, privilegeStr);
+ for (PrivilegeValidator validator : validators) {
+ try {
+ validator.validate(context);
+ } catch (ConfigurationException e) {
+ throw new IllegalArgumentException(e);
+ }
+ }
+ }
+}
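Review bot: In `toString` the null guard is on the wrong object: `Iterator` is never null, so `if (it != null)` is dead, while `authorizables.iterator()` and the later `authorizables.isEmpty()` both throw if `getAuthorizables()` returned null (a Thrift list field that was never set). Replace the iterator loop with `if (authorizables != null) { for (TAuthorizable t : authorizables) { privileges.add(SentryConstants.KV_JOINER.join(t.getType(), t.getName())); } }` and guard the `isEmpty()` call the same way. The two methods are also not inverses: `toString` emits `PRIVILEGE_GRANT_OPTION_NAME=true` for grant-option privileges, but `fromString` only recognises authorizables and the action key and throws `Unknown key` for anything else, so a listed privilege cannot be fed back into a grant; the `// Limitation:` comment should say `// Limitation: grant option is not parsed here, so strings produced by toString() for grant-option privileges are rejected by fromString().`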
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/AddRoleToGroupCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/AddRoleToGroupCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/AddRoleToGroupCmd.java
new file mode 100644
index 0000000..a45d7e4
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/AddRoleToGroupCmd.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools.command;
+
+import com.google.common.collect.Sets;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+import org.apache.sentry.provider.db.tools.SentryShellCommon;
+
+import java.util.Set;
+
+/**
+ * Command for adding groups to a role.
+ */
+public class AddRoleToGroupCmd implements Command {
+
+ private String roleName;
+ private String groups;
+ private String component;
+
+ public AddRoleToGroupCmd(String roleName, String groups, String component) {
+ this.roleName = roleName;
+ this.groups = groups;
+ this.component = component;
+ }
+
+ @Override
+ public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
+ Set<String> groupSet = Sets.newHashSet(groups.split(SentryShellCommon.GROUP_SPLIT_CHAR));
+ client.addRoleToGroups(requestorName, roleName, component, groupSet);
+ }
+}
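Review bot: `groups.split(SentryShellCommon.GROUP_SPLIT_CHAR)` keeps leading and interior empty tokens and does no trimming, so a groups argument like `admins, ops` binds the role to `" ops"`, and `admins,,ops` sends an empty group name to the server; whether the server rejects either is not checked here, and for a role-to-group binding a wrong group name is a silent authorization mistake. Trim each token, drop blank ones, and fail loudly if nothing is left.
```java
    Set<String> groupSet = new HashSet<>();
    for (String group : groups.split(SentryShellCommon.GROUP_SPLIT_CHAR)) {
      String trimmed = group.trim();
      if (!trimmed.isEmpty()) {
        groupSet.add(trimmed);
      }
    }
    if (groupSet.isEmpty()) {
      throw new IllegalArgumentException("No group name given for role " + roleName);
    }
    client.addRoleToGroups(requestorName, roleName, component, groupSet);
```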
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java
new file mode 100644
index 0000000..e824fb3
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools.command;
+
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+
+/**
+ * The interface for all admin commands, eg, CreateRoleCmd.
+ */
+public interface Command {
+ void execute(SentryGenericServiceClient client, String requestorName) throws Exception;
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java
new file mode 100644
index 0000000..da60a64
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools.command;
+
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+
+/**
+ * The class for admin command to create role.
+ */
+public class CreateRoleCmd implements Command {
+
+ private String roleName;
+ private String component;
+
+ public CreateRoleCmd(String roleName, String component) {
+ this.roleName = roleName;
+ this.component = component;
+ }
+
+ @Override
+ public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
+ client.createRole(requestorName, roleName, component);
+ }
+}
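Review bot: Both fields are assigned once in the constructor and never changed, so they should be `private final String roleName;` and `private final String component;` — the same pattern applies to every command class in this commit. A null `roleName` currently surfaces only as a server-side or Thrift error; `this.roleName = Objects.requireNonNull(roleName, "roleName");` in the constructor keeps the failure local and readable for an admin running the tool.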
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java
new file mode 100644
index 0000000..95f39ea
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools.command;
+
+import com.google.common.collect.Sets;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+import org.apache.sentry.provider.db.tools.SentryShellCommon;
+
+import java.util.Set;
+
+/**
+ * Command for deleting groups from a role.
+ */
+public class DeleteRoleFromGroupCmd implements Command {
+
+ private String roleName;
+ private String groups;
+ private String component;
+
+ public DeleteRoleFromGroupCmd(String roleName, String groups, String component) {
+ this.groups = groups;
+ this.roleName = roleName;
+ this.component = component;
+ }
+
+ @Override
+ public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
+ Set<String> groupSet = Sets.newHashSet(groups.split(SentryShellCommon.GROUP_SPLIT_CHAR));
+ client.deleteRoleToGroups(requestorName, roleName, component, groupSet);
+ }
+}
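Review bot: The `groups.split(...)` in `execute` neither trims tokens nor drops empty ones, and for a revocation that matters more than for a grant: a group given as `" ops"` or an empty token will not match the group actually bound to the role, so the call can return without removing anything while the shell reports success. Filter the tokens (trim, skip blanks) and throw if the resulting set is empty before calling `client.deleteRoleToGroups(requestorName, roleName, component, groupSet)`; a short Javadoc line noting that group names are passed through verbatim would also help until that is done.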
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DropRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DropRoleCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DropRoleCmd.java
new file mode 100644
index 0000000..ac2a328
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DropRoleCmd.java
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools.command;
+
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+
+/**
+ * The class for admin command to drop role.
+ */
+public class DropRoleCmd implements Command {
+
+ private String roleName;
+ private String component;
+
+ public DropRoleCmd(String roleName, String component) {
+ this.roleName = roleName;
+ this.component = component;
+ }
+
+ @Override
+ public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
+ client.dropRole(requestorName, roleName, component);
+ }
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GrantPrivilegeToRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GrantPrivilegeToRoleCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GrantPrivilegeToRoleCmd.java
new file mode 100644
index 0000000..634bb42
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GrantPrivilegeToRoleCmd.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools.command;
+
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+
+/**
+ * The class for admin command to grant privilege to role.
+ */
+public class GrantPrivilegeToRoleCmd implements Command {
+
+ private String roleName;
+ private String component;
+ private String privilegeStr;
+ private TSentryPrivilegeConverter converter;
+
+ public GrantPrivilegeToRoleCmd(String roleName, String component, String privilegeStr,
+ TSentryPrivilegeConverter converter) {
+ this.roleName = roleName;
+ this.component = component;
+ this.privilegeStr = privilegeStr;
+ this.converter = converter;
+ }
+
+ @Override
+ public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
+ TSentryPrivilege privilege = converter.fromString(privilegeStr);
+ client.grantPrivilege(requestorName, roleName, component, privilege);
+
+ }
+}
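Review bot: This class does no validation of `privilegeStr` itself and relies entirely on the converter, which the Javadoc should state so that a future caller does not construct the Solr converter with `validate=false` and send an unchecked privilege to the server: `@param converter parses privilegeStr into a TSentryPrivilege; the Solr converter in this commit also validates the privilege hierarchy unless built with validate=false`. Style: the empty line after `client.grantPrivilege(...)` at the end of `execute` should be removed, and the four fields can be `final`.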
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListPrivilegesByRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListPrivilegesByRoleCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListPrivilegesByRoleCmd.java
new file mode 100644
index 0000000..ce6db3a
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListPrivilegesByRoleCmd.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools.command;
+
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+
+import java.util.Set;
+
+/**
+ * The class for admin command to list privileges by role.
+ */
+public class ListPrivilegesByRoleCmd implements Command {
+
+ private String roleName;
+ private String component;
+ private String serviceName;
+ private TSentryPrivilegeConverter converter;
+
+ public ListPrivilegesByRoleCmd(String roleName, String component, String serviceName,
+ TSentryPrivilegeConverter converter) {
+ this.roleName = roleName;
+ this.component = component;
+ this.serviceName = serviceName;
+ this.converter = converter;
+ }
+
+ @Override
+ public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
+ Set<TSentryPrivilege> privileges = client
+ .listPrivilegesByRoleName(requestorName, roleName, component, serviceName);
+ if (privileges != null) {
+ for (TSentryPrivilege privilege : privileges) {
+ String privilegeStr = converter.toString(privilege);
+ System.out.println(privilegeStr);
+ }
+ }
+ }
+}
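Review bot: The privileges come back as a `Set` and are printed in iteration order, so two runs against the same role can list the same privileges in a different order, which makes the output awkward to diff for audits or to capture in scripts. Collect the converted strings into a `TreeSet<String>` (or sort a list) before printing, e.g. `Set<String> lines = new TreeSet<>(); for (TSentryPrivilege p : privileges) { lines.add(converter.toString(p)); }` and then print `lines`.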
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListRolesCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListRolesCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListRolesCmd.java
new file mode 100644
index 0000000..6b68d06
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListRolesCmd.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools.command;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
+
+import java.util.Set;
+
+/**
+ * The class for admin command to list roles.
+ */
+public class ListRolesCmd implements Command {
+
+ private String groupName;
+ private String component;
+
+ public ListRolesCmd(String groupName, String component) {
+ this.groupName = groupName;
+ this.component = component;
+ }
+
+ @Override
+ public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
+ Set<TSentryRole> roles;
+ if (StringUtils.isEmpty(groupName)) {
+ roles = client.listAllRoles(requestorName, component);
+ } else {
+ roles = client.listRolesByGroupName(requestorName, groupName, component);
+ }
+ if (roles != null) {
+ for (TSentryRole role : roles) {
+ System.out.println(role.getRoleName());
+ }
+ }
+ }
+}
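Review bot: The class Javadoc at the top of the hunk does not say that an empty groupName switches the command from listing a group's roles to listing every role via `listAllRoles`, which is a scope difference an admin running the tool should see documented; suggest `* If groupName is null or empty, all roles are listed; otherwise only the roles granted to that group.` Because the test at `if (StringUtils.isEmpty(groupName))` does not treat a whitespace-only name as empty, such a value is sent to the server as a group name; `if (StringUtils.isBlank(groupName)) {` would be the safer test unless the option parser already trims it, which cannot be confirmed here. Both fields are assigned only in the constructor and could be `private final`.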
[2/6] sentry git commit: SENTRY-1288: Create sentry-service-client
module(Colin Ma, reviewed by Dapeng Sun)
Posted by co...@apache.org.
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/RevokePrivilegeFromRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/RevokePrivilegeFromRoleCmd.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/RevokePrivilegeFromRoleCmd.java
new file mode 100644
index 0000000..3e42e60
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/RevokePrivilegeFromRoleCmd.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools.command;
+
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+
+/**
+ * The class for admin command to revoke privileges from role.
+ */
+public class RevokePrivilegeFromRoleCmd implements Command {
+
+ private String roleName;
+ private String component;
+ private String privilegeStr;
+ private TSentryPrivilegeConverter converter;
+
+ public RevokePrivilegeFromRoleCmd(String roleName, String component, String privilegeStr,
+ TSentryPrivilegeConverter converter) {
+ this.roleName = roleName;
+ this.component = component;
+ this.privilegeStr = privilegeStr;
+ this.converter = converter;
+ }
+
+ @Override
+ public void execute(SentryGenericServiceClient client, String requestorName) throws Exception {
+ TSentryPrivilege privilege = converter.fromString(privilegeStr);
+ client.revokePrivilege(requestorName, roleName, component, privilege);
+ }
+
+}
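Review bot: The four fields of RevokePrivilegeFromRoleCmd are assigned only in the constructor and should be declared `private final String roleName;` and so on, matching the immutable-command shape the class otherwise has. The class Javadoc says "revoke privileges from role" while `execute` revokes exactly one privilege parsed from `privilegeStr`; `* Admin command that revokes a single privilege, given in string form, from a role.` would match the code. Since `converter.fromString(privilegeStr)` runs before `client.revokePrivilege`, a malformed privilege string fails before any RPC is sent, which is worth stating on `execute` so operators can tell a parse error from a server-side refusal.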
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java
new file mode 100644
index 0000000..ab44895
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java
@@ -0,0 +1,33 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.tools.command;
+
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+
+public interface TSentryPrivilegeConverter {
+
+ /**
+ * Convert string to privilege
+ */
+ TSentryPrivilege fromString(String privilegeStr) throws Exception;
+
+ /**
+ * Convert privilege to string
+ */
+ String toString(TSentryPrivilege tSentryPrivilege);
+}
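Review bot: The Javadoc on both methods omits `@param`, `@return` and `@throws`, and `fromString` declares a raw `throws Exception`, so implementors have no documented contract for malformed input. Suggest on `fromString`: `@param privilegeStr the string form of a privilege, in the format this converter expects`, `@return the parsed privilege`, `@throws Exception if privilegeStr cannot be parsed`, with a matching `@param`/`@return` on `toString`. Narrowing the throws clause to a specific exception type would let callers such as RevokePrivilegeFromRoleCmd distinguish a bad privilege string from an RPC failure; that ripples to every implementor, so it may belong in a follow-up.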
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceManager.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceManager.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceManager.java
new file mode 100644
index 0000000..9f921d4
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceManager.java
@@ -0,0 +1,97 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+
+import org.apache.curator.x.discovery.ServiceDiscovery;
+import org.apache.curator.x.discovery.ServiceDiscoveryBuilder;
+import org.apache.curator.x.discovery.ServiceInstance;
+import org.apache.curator.x.discovery.ServiceProvider;
+import org.apache.curator.x.discovery.details.InstanceSerializer;
+import org.apache.hadoop.net.NetUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/***
+ * ServerManager handles registration of the Sentry service for Curator service
+ * discovery. Each server registers with ZK and add its host:port details which
+ * is used by the clients to discover available servers
+ */
+public class ServiceManager {
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(ServiceManager.class);
+ private HAContext haContext;
+ private ServiceProvider<Void> serviceProvider;
+ private ServiceDiscovery<Void> serviceDiscovery;
+
+ public ServiceManager(HAContext haContext) throws IOException {
+ this.haContext = haContext;
+ init();
+ }
+
+ private void init() throws IOException {
+ try {
+ haContext.startCuratorFramework();
+ InstanceSerializer<Void> instanceSerializer = new FixedJsonInstanceSerializer<Void>(Void.class);
+ serviceDiscovery = ServiceDiscoveryBuilder.<Void>builder(Void.class)
+ .basePath(HAContext.SENTRY_SERVICE_REGISTER_NAMESPACE)
+ .serializer(instanceSerializer)
+ .client(haContext.getCuratorFramework())
+ .build();
+ serviceDiscovery.start();
+ serviceProvider = serviceDiscovery
+ .serviceProviderBuilder()
+ .serviceName(HAContext.SENTRY_SERVICE_REGISTER_NAMESPACE)
+ .build();
+ serviceProvider.start();
+ } catch (Exception e) {
+ throw new IOException(e);
+ }
+ }
+
+ public ServiceInstance<Void> getServiceInstance() throws IOException {
+ ServiceInstance<Void> service;
+ try {
+ service = serviceProvider.getInstance();
+ return service;
+ } catch (Exception e) {
+ throw new IOException(e);
+ }
+ }
+
+ public void reportError(ServiceInstance<Void> instance) {
+ serviceProvider.noteError(instance);
+ }
+
+ public static InetSocketAddress convertServiceInstance(ServiceInstance<?> service) {
+ return NetUtils.createSocketAddr(service.getAddress(),service.getPort());
+ }
+
+ public void close() {
+ try {
+ serviceProvider.close();
+ serviceDiscovery.close();
+ LOGGER.debug("Closed ZK resources");
+ } catch (IOException e) {
+ LOGGER.warn("Error closing the service manager", e);
+ }
+ }
+}
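Review bot: In `close()` a failure in `serviceProvider.close()` skips `serviceDiscovery.close()` entirely, leaving the discovery's ZK resources open; the two closes should be independent of each other. The same pattern exists in `init()`: if `serviceProviderBuilder()...build()` or `serviceProvider.start()` throws, `serviceDiscovery` has already been started and is never closed before the `IOException` is rethrown, so the catch block should close it when it is non-null. `getServiceInstance()` returns whatever `serviceProvider.getInstance()` returns with no null check; if the Curator provider signals "no instance available" as null (not confirmable from this file), callers must handle it, and a Javadoc `@return` on that method should say so. The class Javadoc also names the class `ServerManager` and opens with `/***`, which should be `/**`.
```java
// … unchanged: fields, constructor, init, getServiceInstance, reportError, convertServiceInstance …
public void close() {
  try {
    serviceProvider.close();
  } catch (IOException e) {
    LOGGER.warn("Error closing the service provider", e);
  }
  try {
    serviceDiscovery.close();
    LOGGER.debug("Closed ZK resources");
  } catch (IOException e) {
    LOGGER.warn("Error closing the service discovery", e);
  }
}
```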
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
new file mode 100644
index 0000000..1e72b74
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -0,0 +1,207 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+
+public interface SentryPolicyServiceClient {
+
+ void createRole(String requestorUserName, String roleName) throws SentryUserException;
+
+ void dropRole(String requestorUserName, String roleName) throws SentryUserException;
+
+ void dropRoleIfExists(String requestorUserName, String roleName)
+ throws SentryUserException;
+
+ Set<TSentryRole> listRolesByUserName(String requestorUserName, String userName)
+ throws SentryUserException;
+
+ Set<TSentryRole> listRolesByGroupName(String requestorUserName, String groupName)
+ throws SentryUserException;
+
+ Set<TSentryPrivilege> listAllPrivilegesByRoleName(String requestorUserName, String roleName)
+ throws SentryUserException;
+
+ /**
+ * Gets sentry privilege objects for a given roleName using the Sentry service
+ *
+ * @param requestorUserName : user on whose behalf the request is issued
+ * @param roleName : roleName to look up
+ * @param authorizable : authorizable Hierarchy (server->db->table etc)
+ * @return Set of thrift sentry privilege objects
+ * @throws SentryUserException
+ */
+ Set<TSentryPrivilege> listPrivilegesByRoleName(String requestorUserName, String roleName,
+ List<? extends Authorizable> authorizable) throws SentryUserException;
+
+ Set<TSentryRole> listRoles(String requestorUserName) throws SentryUserException;
+
+ Set<TSentryRole> listUserRoles(String requestorUserName) throws SentryUserException;
+
+ TSentryPrivilege grantURIPrivilege(String requestorUserName, String roleName,
+ String server, String uri) throws SentryUserException;
+
+ TSentryPrivilege grantURIPrivilege(String requestorUserName, String roleName,
+ String server, String uri, Boolean grantOption) throws SentryUserException;
+
+ void grantServerPrivilege(String requestorUserName, String roleName, String server,
+ String action) throws SentryUserException;
+
+ TSentryPrivilege grantServerPrivilege(String requestorUserName, String roleName,
+ String server, Boolean grantOption) throws SentryUserException;
+
+ TSentryPrivilege grantServerPrivilege(String requestorUserName, String roleName,
+ String server, String action, Boolean grantOption) throws SentryUserException;
+
+ TSentryPrivilege grantDatabasePrivilege(String requestorUserName, String roleName,
+ String server, String db, String action) throws SentryUserException;
+
+ TSentryPrivilege grantDatabasePrivilege(String requestorUserName, String roleName,
+ String server, String db, String action, Boolean grantOption) throws SentryUserException;
+
+ TSentryPrivilege grantTablePrivilege(String requestorUserName, String roleName,
+ String server, String db, String table, String action) throws SentryUserException;
+
+ TSentryPrivilege grantTablePrivilege(String requestorUserName, String roleName,
+ String server, String db, String table, String action, Boolean grantOption)
+ throws SentryUserException;
+
+ TSentryPrivilege grantColumnPrivilege(String requestorUserName, String roleName,
+ String server, String db, String table, String columnName, String action)
+ throws SentryUserException;
+
+ TSentryPrivilege grantColumnPrivilege(String requestorUserName, String roleName,
+ String server, String db, String table, String columnName, String action, Boolean grantOption)
+ throws SentryUserException;
+
+ Set<TSentryPrivilege> grantColumnsPrivileges(String requestorUserName, String roleName,
+ String server, String db, String table, List<String> columnNames, String action)
+ throws SentryUserException;
+
+ Set<TSentryPrivilege> grantColumnsPrivileges(String requestorUserName, String roleName,
+ String server, String db, String table, List<String> columnNames, String action,
+ Boolean grantOption) throws SentryUserException;
+
+ void revokeURIPrivilege(String requestorUserName, String roleName, String server,
+ String uri) throws SentryUserException;
+
+ void revokeURIPrivilege(String requestorUserName, String roleName, String server,
+ String uri, Boolean grantOption) throws SentryUserException;
+
+ void revokeServerPrivilege(String requestorUserName, String roleName, String server,
+ String action) throws SentryUserException;
+
+ void revokeServerPrivilege(String requestorUserName, String roleName, String server,
+ String action, Boolean grantOption) throws SentryUserException;
+
+ void revokeServerPrivilege(String requestorUserName, String roleName, String server,
+ boolean grantOption) throws SentryUserException;
+
+ void revokeDatabasePrivilege(String requestorUserName, String roleName, String server,
+ String db, String action) throws SentryUserException;
+
+ void revokeDatabasePrivilege(String requestorUserName, String roleName, String server,
+ String db, String action, Boolean grantOption) throws SentryUserException;
+
+ void revokeTablePrivilege(String requestorUserName, String roleName, String server,
+ String db, String table, String action) throws SentryUserException;
+
+ void revokeTablePrivilege(String requestorUserName, String roleName, String server,
+ String db, String table, String action, Boolean grantOption) throws SentryUserException;
+
+ void revokeColumnPrivilege(String requestorUserName, String roleName, String server,
+ String db, String table, String columnName, String action) throws SentryUserException;
+
+ void revokeColumnPrivilege(String requestorUserName, String roleName, String server,
+ String db, String table, String columnName, String action, Boolean grantOption)
+ throws SentryUserException;
+
+ void revokeColumnsPrivilege(String requestorUserName, String roleName, String server,
+ String db, String table, List<String> columns, String action) throws SentryUserException;
+
+ void revokeColumnsPrivilege(String requestorUserName, String roleName, String server,
+ String db, String table, List<String> columns, String action, Boolean grantOption)
+ throws SentryUserException;
+
+ Set<String> listPrivilegesForProvider(Set<String> groups, Set<String> users,
+ ActiveRoleSet roleSet, Authorizable... authorizable) throws SentryUserException;
+
+ void grantRoleToGroup(String requestorUserName, String groupName, String roleName)
+ throws SentryUserException;
+
+ void revokeRoleFromGroup(String requestorUserName, String groupName, String roleName)
+ throws SentryUserException;
+
+ void grantRoleToGroups(String requestorUserName, String roleName, Set<String> groups)
+ throws SentryUserException;
+
+ void revokeRoleFromGroups(String requestorUserName, String roleName, Set<String> groups)
+ throws SentryUserException;
+
+ void grantRoleToUser(String requestorUserName, String userName, String roleName)
+ throws SentryUserException;
+
+ void revokeRoleFromUser(String requestorUserName, String userName, String roleName)
+ throws SentryUserException;
+
+ void grantRoleToUsers(String requestorUserName, String roleName, Set<String> users)
+ throws SentryUserException;
+
+ void revokeRoleFromUsers(String requestorUserName, String roleName, Set<String> users)
+ throws SentryUserException;
+
+ void dropPrivileges(String requestorUserName,
+ List<? extends Authorizable> authorizableObjects) throws SentryUserException;
+
+ void renamePrivileges(String requestorUserName,
+ List<? extends Authorizable> oldAuthorizables, List<? extends Authorizable> newAuthorizables)
+ throws SentryUserException;
+
+ Map<TSentryAuthorizable, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(
+ String requestorUserName, Set<List<? extends Authorizable>> authorizables,
+ Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException;
+
+ /**
+ * Returns the configuration value in the sentry server associated with propertyName, or if
+ * propertyName does not exist, the defaultValue. There is no "requestorUserName" because this is
+ * regarded as an internal interface.
+ *
+ * @param propertyName Config attribute to search for
+ * @param defaultValue String to return if not found
+ * @return The value of the propertyName
+ * @throws SentryUserException
+ */
+ String getConfigValue(String propertyName, String defaultValue) throws SentryUserException;
+
+ void close();
+
+ // Import the sentry mapping data with map structure
+ void importPolicy(Map<String, Map<String, Set<String>>> policyFileMappingData,
+ String requestorUserName, boolean isOverwriteRole) throws SentryUserException;
+
+ // export the sentry mapping data with map structure
+ Map<String, Map<String, Set<String>>> exportPolicy(String requestorUserName, String objectPath)
+ throws SentryUserException;
+}
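Review bot: `void close();` near the end of the interface is undocumented and the interface does not extend `AutoCloseable`, even though the implementation's own header comment in the next hunk says a client must be recreated after an RPC failure, which makes a guaranteed close important; `public interface SentryPolicyServiceClient extends AutoCloseable {` with `@Override void close();` is source-compatible (no checked exception is added) and lets callers use try-with-resources. The `grantOption` parameter is the boxed `Boolean` in every overload except `revokeServerPrivilege(String, String, String, boolean grantOption)`, and nothing documents what a null `Boolean` means, so a short Javadoc on one grant method stating the null semantics would help (presumably "unspecified", but that cannot be confirmed from this file). Most methods, including `listPrivilegesForProvider`, lack Javadoc describing who `requestorUserName` must be for the call to be authorized; that is the access-control contract of this API and should be stated on the interface rather than left to the implementation.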
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
new file mode 100644
index 0000000..cad39c1
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
@@ -0,0 +1,1054 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.security.PrivilegedExceptionAction;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.security.auth.callback.CallbackHandler;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.net.NetUtils;
+import org.apache.hadoop.security.SaslRpcServer;
+import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.DBModelAuthorizable;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.service.thrift.SentryServiceUtil;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
+import org.apache.sentry.service.thrift.Status;
+import org.apache.thrift.TException;
+import org.apache.thrift.protocol.TBinaryProtocol;
+import org.apache.thrift.protocol.TMultiplexedProtocol;
+import org.apache.thrift.transport.TSaslClientTransport;
+import org.apache.thrift.transport.TSocket;
+import org.apache.thrift.transport.TTransport;
+import org.apache.thrift.transport.TTransportException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+
+/*
+ A Sentry Client in which all the operations are synchronized for thread safety
+ Note: When using this client, if there is an exception in RPC, socket can get into an inconsistent state.
+ So it is important to recreate the client, which uses a new socket.
+ */
+public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyServiceClient {
+
+ private final Configuration conf;
+ private final InetSocketAddress serverAddress;
+ private final boolean kerberos;
+ private final String[] serverPrincipalParts;
+ private SentryPolicyService.Client client;
+ private TTransport transport;
+ private int connectionTimeout;
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(SentryPolicyServiceClient.class);
+ private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occurred ";
+
+ /**
+ * This transport wraps the Sasl transports to set up the right UGI context for open().
+ */
+ public static class UgiSaslClientTransport extends TSaslClientTransport {
+ protected UserGroupInformation ugi = null;
+
+ public UgiSaslClientTransport(String mechanism, String authorizationId,
+ String protocol, String serverName, Map<String, String> props,
+ CallbackHandler cbh, TTransport transport, boolean wrapUgi)
+ throws IOException {
+ super(mechanism, authorizationId, protocol, serverName, props, cbh,
+ transport);
+ if (wrapUgi) {
+ ugi = UserGroupInformation.getLoginUser();
+ }
+ }
+
+ // open the SASL transport with using the current UserGroupInformation
+ // This is needed to get the current login context stored
+ @Override
+ public synchronized void open() throws TTransportException {
+ if (ugi == null) {
+ baseOpen();
+ } else {
+ try {
+ if (ugi.isFromKeytab()) {
+ ugi.checkTGTAndReloginFromKeytab();
+ }
+ ugi.doAs(new PrivilegedExceptionAction<Void>() {
+ public Void run() throws TTransportException {
+ baseOpen();
+ return null;
+ }
+ });
+ } catch (IOException e) {
+ throw new TTransportException("Failed to open SASL transport", e);
+ } catch (InterruptedException e) {
+ throw new TTransportException(
+ "Interrupted while opening underlying transport", e);
+ }
+ }
+ }
+
+ private void baseOpen() throws TTransportException {
+ super.open();
+ }
+ }
+
+ public SentryPolicyServiceClientDefaultImpl(Configuration conf) throws IOException {
+ this.conf = conf;
+ Preconditions.checkNotNull(this.conf, "Configuration object cannot be null");
+ this.serverAddress = NetUtils.createSocketAddr(Preconditions.checkNotNull(
+ conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key "
+ + ClientConfig.SERVER_RPC_ADDRESS + " is required"), conf.getInt(
+ ClientConfig.SERVER_RPC_PORT, ClientConfig.SERVER_RPC_PORT_DEFAULT));
+ this.connectionTimeout = conf.getInt(ClientConfig.SERVER_RPC_CONN_TIMEOUT,
+ ClientConfig.SERVER_RPC_CONN_TIMEOUT_DEFAULT);
+ kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase(
+ conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim());
+ transport = new TSocket(serverAddress.getHostName(),
+ serverAddress.getPort(), connectionTimeout);
+ if (kerberos) {
+ String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required");
+
+ // Resolve server host in the same way as we are doing on server side
+ serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress());
+ LOGGER.debug("Using server kerberos principal: " + serverPrincipal);
+
+ serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
+ Preconditions.checkArgument(serverPrincipalParts.length == 3,
+ "Kerberos principal should have 3 parts: " + serverPrincipal);
+ boolean wrapUgi = "true".equalsIgnoreCase(conf
+ .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true"));
+ transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(),
+ null, serverPrincipalParts[0], serverPrincipalParts[1],
+ ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi);
+ } else {
+ serverPrincipalParts = null;
+ }
+ try {
+ transport.open();
+ } catch (TTransportException e) {
+ throw new IOException("Transport exception while opening transport: " + e.getMessage(), e);
+ }
+ LOGGER.debug("Successfully opened transport: " + transport + " to " + serverAddress);
+ long maxMessageSize = conf.getLong(ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE,
+ ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT);
+ TMultiplexedProtocol protocol = new TMultiplexedProtocol(
+ new TBinaryProtocol(transport, maxMessageSize, maxMessageSize, true, true),
+ ServiceConstants.SENTRY_POLICY_SERVICE_NAME);
+ client = new SentryPolicyService.Client(protocol);
+ LOGGER.debug("Successfully created client");
+ }
+
+ public synchronized void createRole(String requestorUserName, String roleName)
+ throws SentryUserException {
+ TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+ request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ try {
+ TCreateSentryRoleResponse response = client.create_sentry_role(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ public synchronized void dropRole(String requestorUserName,
+ String roleName)
+ throws SentryUserException {
+ dropRole(requestorUserName, roleName, false);
+ }
+
+ public synchronized void dropRoleIfExists(String requestorUserName,
+ String roleName)
+ throws SentryUserException {
+ dropRole(requestorUserName, roleName, true);
+ }
+
+ private synchronized void dropRole(String requestorUserName,
+ String roleName, boolean ifExists)
+ throws SentryUserException {
+ TDropSentryRoleRequest request = new TDropSentryRoleRequest();
+ request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ try {
+ TDropSentryRoleResponse response = client.drop_sentry_role(request);
+ Status status = Status.fromCode(response.getStatus().getValue());
+ if (ifExists && status == Status.NO_SUCH_OBJECT) {
+ return;
+ }
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ /**
+ * Gets sentry role objects for a given groupName using the Sentry service
+ * @param requestorUserName : user on whose behalf the request is issued
+ * @param groupName : groupName to look up ( if null returns all roles for all groups)
+ * @return Set of thrift sentry role objects
+ * @throws SentryUserException
+ */
+ public synchronized Set<TSentryRole> listRolesByGroupName(
+ String requestorUserName,
+ String groupName)
+ throws SentryUserException {
+ TListSentryRolesRequest request = new TListSentryRolesRequest();
+ request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+ request.setRequestorUserName(requestorUserName);
+ request.setGroupName(groupName);
+ TListSentryRolesResponse response;
+ try {
+ response = client.list_sentry_roles_by_group(request);
+ Status.throwIfNotOk(response.getStatus());
+ return response.getRoles();
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ /**
+ * Gets sentry role objects for a given userName using the Sentry service
+ *
+ * @param requestorUserName
+ * : user on whose behalf the request is issued
+ * @param userName
+ * : userName to look up (can't be empty)
+ * @return Set of thrift sentry role objects
+ * @throws SentryUserException
+ */
+ public Set<TSentryRole> listRolesByUserName(String requestorUserName, String userName)
+ throws SentryUserException {
+ TListSentryRolesForUserRequest request = new TListSentryRolesForUserRequest();
+ request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+ request.setRequestorUserName(requestorUserName);
+ request.setUserName(userName);
+ TListSentryRolesResponse response;
+ try {
+ response = client.list_sentry_roles_by_user(request);
+ Status.throwIfNotOk(response.getStatus());
+ return response.getRoles();
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ public synchronized Set<TSentryPrivilege> listAllPrivilegesByRoleName(String requestorUserName,
+ String roleName)
+ throws SentryUserException {
+ return listPrivilegesByRoleName(requestorUserName, roleName, null);
+ }
+
+ /**
+ * Gets sentry privilege objects for a given roleName using the Sentry service
+ * @param requestorUserName : user on whose behalf the request is issued
+ * @param roleName : roleName to look up
+ * @param authorizable : authorizable Hierarchy (server->db->table etc)
+ * @return Set of thrift sentry privilege objects
+ * @throws SentryUserException
+ */
+ public synchronized Set<TSentryPrivilege> listPrivilegesByRoleName(String requestorUserName,
+ String roleName, List<? extends Authorizable> authorizable)
+ throws SentryUserException {
+ TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest();
+ request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ if (authorizable != null && !authorizable.isEmpty()) {
+ TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(authorizable);
+ request.setAuthorizableHierarchy(tSentryAuthorizable);
+ }
+ TListSentryPrivilegesResponse response;
+ try {
+ response = client.list_sentry_privileges_by_role(request);
+ Status.throwIfNotOk(response.getStatus());
+ return response.getPrivileges();
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ public synchronized Set<TSentryRole> listRoles(String requestorUserName)
+ throws SentryUserException {
+ return listRolesByGroupName(requestorUserName, null);
+ }
+
+ public synchronized Set<TSentryRole> listUserRoles(String requestorUserName)
+ throws SentryUserException {
+ Set<TSentryRole> tSentryRoles = Sets.newHashSet();
+ tSentryRoles.addAll(listRolesByGroupName(requestorUserName, SentryConstants.RESOURCE_WILDCARD_VALUE));
+ tSentryRoles.addAll(listRolesByUserName(requestorUserName, requestorUserName));
+ return tSentryRoles;
+ }
+
+ public synchronized TSentryPrivilege grantURIPrivilege(String requestorUserName,
+ String roleName, String server, String uri)
+ throws SentryUserException {
+ return grantPrivilege(requestorUserName, roleName,
+ PrivilegeScope.URI, server, uri, null, null, null, SentryConstants.RESOURCE_WILDCARD_VALUE);
+ }
+
+ public synchronized TSentryPrivilege grantURIPrivilege(String requestorUserName,
+ String roleName, String server, String uri, Boolean grantOption)
+ throws SentryUserException {
+ return grantPrivilege(requestorUserName, roleName,
+ PrivilegeScope.URI, server, uri, null, null, null, SentryConstants.RESOURCE_WILDCARD_VALUE, grantOption);
+ }
+
+ public synchronized void grantServerPrivilege(String requestorUserName,
+ String roleName, String server, String action)
+ throws SentryUserException {
+
+ // "ALL" and "*" should be synonyms for action and need to be unified with grantServerPrivilege without
+ // action explicitly specified.
+ if (SentryConstants.RESOURCE_WILDCARD_VALUE_ALL.equalsIgnoreCase(action)
+ || SentryConstants.RESOURCE_WILDCARD_VALUE.equals(action)) {
+ action = SentryConstants.RESOURCE_WILDCARD_VALUE;
+ }
+
+ grantPrivilege(requestorUserName, roleName,
+ PrivilegeScope.SERVER, server, null, null, null, null, action);
+ }
+
+ @Deprecated
+ /***
+ * Should use grantServerPrivilege(String requestorUserName,
+ * String roleName, String server, String action, Boolean grantOption)
+ */
+ public synchronized TSentryPrivilege grantServerPrivilege(String requestorUserName,
+ String roleName, String server, Boolean grantOption) throws SentryUserException {
+ return grantServerPrivilege(requestorUserName, roleName, server,
+ SentryConstants.RESOURCE_WILDCARD_VALUE, grantOption);
+ }
+
+ public synchronized TSentryPrivilege grantServerPrivilege(String requestorUserName,
+ String roleName, String server, String action, Boolean grantOption)
+ throws SentryUserException {
+
+ // "ALL" and "*" should be synonyms for action and need to be unified with grantServerPrivilege without
+ // action explicitly specified.
+ if (SentryConstants.RESOURCE_WILDCARD_VALUE_ALL.equalsIgnoreCase(action)
+ || SentryConstants.RESOURCE_WILDCARD_VALUE.equals(action)) {
+ action = SentryConstants.RESOURCE_WILDCARD_VALUE;
+ }
+
+ return grantPrivilege(requestorUserName, roleName,
+ PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption);
+ }
+
+ public synchronized TSentryPrivilege grantDatabasePrivilege(String requestorUserName,
+ String roleName, String server, String db, String action)
+ throws SentryUserException {
+ return grantPrivilege(requestorUserName, roleName,
+ PrivilegeScope.DATABASE, server, null, db, null, null, action);
+ }
+
+ public synchronized TSentryPrivilege grantDatabasePrivilege(String requestorUserName,
+ String roleName, String server, String db, String action, Boolean grantOption)
+ throws SentryUserException {
+ return grantPrivilege(requestorUserName, roleName,
+ PrivilegeScope.DATABASE, server, null, db, null, null, action, grantOption);
+ }
+
+ public synchronized TSentryPrivilege grantTablePrivilege(String requestorUserName,
+ String roleName, String server, String db, String table, String action)
+ throws SentryUserException {
+ return grantPrivilege(requestorUserName, roleName, PrivilegeScope.TABLE, server,
+ null,
+ db, table, null, action);
+ }
+
+ public synchronized TSentryPrivilege grantTablePrivilege(String requestorUserName,
+ String roleName, String server, String db, String table, String action, Boolean grantOption)
+ throws SentryUserException {
+ return grantPrivilege(requestorUserName, roleName, PrivilegeScope.TABLE, server,
+ null, db, table, null, action, grantOption);
+ }
+
+ public synchronized TSentryPrivilege grantColumnPrivilege(String requestorUserName,
+ String roleName, String server, String db, String table, String columnName, String action)
+ throws SentryUserException {
+ return grantPrivilege(requestorUserName, roleName, PrivilegeScope.COLUMN, server,
+ null,
+ db, table, columnName, action);
+ }
+
+ public synchronized TSentryPrivilege grantColumnPrivilege(String requestorUserName,
+ String roleName, String server, String db, String table, String columnName, String action, Boolean grantOption)
+ throws SentryUserException {
+ return grantPrivilege(requestorUserName, roleName, PrivilegeScope.COLUMN, server,
+ null, db, table, columnName, action, grantOption);
+ }
+
+ public synchronized Set<TSentryPrivilege> grantColumnsPrivileges(String requestorUserName,
+ String roleName, String server, String db, String table, List<String> columnNames, String action)
+ throws SentryUserException {
+ return grantPrivileges(requestorUserName, roleName, PrivilegeScope.COLUMN, server,
+ null,
+ db, table, columnNames, action);
+ }
+
+ public synchronized Set<TSentryPrivilege> grantColumnsPrivileges(String requestorUserName,
+ String roleName, String server, String db, String table, List<String> columnNames, String action, Boolean grantOption)
+ throws SentryUserException {
+ return grantPrivileges(requestorUserName, roleName, PrivilegeScope.COLUMN,
+ server,
+ null, db, table, columnNames, action, grantOption);
+ }
+
+ @VisibleForTesting
+ public static TSentryAuthorizable setupSentryAuthorizable(
+ List<? extends Authorizable> authorizable) {
+ TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+
+ for (Authorizable authzble : authorizable) {
+ if (authzble.getTypeName().equalsIgnoreCase(
+ DBModelAuthorizable.AuthorizableType.Server.toString())) {
+ tSentryAuthorizable.setServer(authzble.getName());
+ } else if (authzble.getTypeName().equalsIgnoreCase(
+ DBModelAuthorizable.AuthorizableType.URI.toString())) {
+ tSentryAuthorizable.setUri(authzble.getName());
+ } else if (authzble.getTypeName().equalsIgnoreCase(
+ DBModelAuthorizable.AuthorizableType.Db.toString())) {
+ tSentryAuthorizable.setDb(authzble.getName());
+ } else if (authzble.getTypeName().equalsIgnoreCase(
+ DBModelAuthorizable.AuthorizableType.Table.toString())) {
+ tSentryAuthorizable.setTable(authzble.getName());
+ } else if (authzble.getTypeName().equalsIgnoreCase(
+ DBModelAuthorizable.AuthorizableType.Column.toString())) {
+ tSentryAuthorizable.setColumn(authzble.getName());
+ }
+ }
+ return tSentryAuthorizable;
+ }
+
+ private TSentryPrivilege grantPrivilege(String requestorUserName,
+ String roleName,
+ PrivilegeScope scope, String serverName, String uri, String db,
+ String table, String column, String action) throws SentryUserException {
+ return grantPrivilege(requestorUserName, roleName, scope, serverName, uri,
+ db, table, column, action, false);
+ }
+
+ private TSentryPrivilege grantPrivilege(String requestorUserName,
+ String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table,
+ String column, String action, Boolean grantOption)
+ throws SentryUserException {
+ TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+ request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ Set<TSentryPrivilege> privileges = convertColumnPrivilege(scope,
+ serverName, uri, db, table, column, action, grantOption);
+ request.setPrivileges(privileges);
+ try {
+ TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request);
+ Status.throwIfNotOk(response.getStatus());
+ if (response.isSetPrivileges()
+ && response.getPrivilegesSize()>0 ) {
+ return response.getPrivileges().iterator().next();
+ } else {
+ return new TSentryPrivilege();
+ }
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ private Set<TSentryPrivilege> grantPrivileges(String requestorUserName,
+ String roleName,
+ PrivilegeScope scope, String serverName, String uri, String db,
+ String table, List<String> columns, String action) throws SentryUserException {
+ return grantPrivileges(requestorUserName, roleName, scope, serverName, uri,
+ db, table, columns, action, false);
+ }
+
+ private Set<TSentryPrivilege> grantPrivileges(String requestorUserName,
+ String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table,
+ List<String> columns, String action, Boolean grantOption)
+ throws SentryUserException {
+ TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+ request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ Set<TSentryPrivilege> privileges = convertColumnPrivileges(scope,
+ serverName, uri, db, table, columns, action, grantOption);
+ request.setPrivileges(privileges);
+ try {
+ TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request);
+ Status.throwIfNotOk(response.getStatus());
+ return response.getPrivileges();
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ public synchronized void revokeURIPrivilege(String requestorUserName,
+ String roleName, String server, String uri)
+ throws SentryUserException {
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL);
+ }
+
+ public synchronized void revokeURIPrivilege(String requestorUserName,
+ String roleName, String server, String uri, Boolean grantOption)
+ throws SentryUserException {
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL, grantOption);
+ }
+
+ public synchronized void revokeServerPrivilege(String requestorUserName,
+ String roleName, String server, String action)
+ throws SentryUserException {
+
+ // "ALL" and "*" should be synonyms for action and need to be unified with revokeServerPrivilege without
+ // action explicitly specified.
+ if (AccessConstants.ACTION_ALL.equalsIgnoreCase(action) || AccessConstants.ALL.equals(action)) {
+ action = AccessConstants.ALL;
+ }
+
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.SERVER, server, null, null, null, null, action);
+ }
+
+ public synchronized void revokeServerPrivilege(String requestorUserName,
+ String roleName, String server, String action, Boolean grantOption)
+ throws SentryUserException {
+
+ // "ALL" and "*" should be synonyms for action and need to be unified with revokeServerPrivilege without
+ // action explicitly specified.
+ if (AccessConstants.ACTION_ALL.equalsIgnoreCase(action) || AccessConstants.ALL.equals(action)) {
+ action = AccessConstants.ALL;
+ }
+
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption);
+ }
+
+ @Deprecated
+ /***
+ * Should use revokeServerPrivilege(String requestorUserName,
+ * String roleName, String server, String action, Boolean grantOption)
+ */
+ public synchronized void revokeServerPrivilege(String requestorUserName,
+ String roleName, String server, boolean grantOption)
+ throws SentryUserException {
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL, grantOption);
+ }
+
+ public synchronized void revokeDatabasePrivilege(String requestorUserName,
+ String roleName, String server, String db, String action)
+ throws SentryUserException {
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.DATABASE, server, null, db, null, null, action);
+ }
+
+ public synchronized void revokeDatabasePrivilege(String requestorUserName,
+ String roleName, String server, String db, String action, Boolean grantOption)
+ throws SentryUserException {
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.DATABASE, server, null, db, null, null, action, grantOption);
+ }
+
+ public synchronized void revokeTablePrivilege(String requestorUserName,
+ String roleName, String server, String db, String table, String action)
+ throws SentryUserException {
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.TABLE, server, null,
+ db, table, null, action);
+ }
+
+ public synchronized void revokeTablePrivilege(String requestorUserName,
+ String roleName, String server, String db, String table, String action, Boolean grantOption)
+ throws SentryUserException {
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.TABLE, server, null,
+ db, table, null, action, grantOption);
+ }
+
+ public synchronized void revokeColumnPrivilege(String requestorUserName, String roleName,
+ String server, String db, String table, String columnName, String action)
+ throws SentryUserException {
+ ImmutableList.Builder<String> listBuilder = ImmutableList.builder();
+ listBuilder.add(columnName);
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.COLUMN, server, null,
+ db, table, listBuilder.build(), action);
+ }
+
+ public synchronized void revokeColumnPrivilege(String requestorUserName, String roleName,
+ String server, String db, String table, String columnName, String action, Boolean grantOption)
+ throws SentryUserException {
+ ImmutableList.Builder<String> listBuilder = ImmutableList.builder();
+ listBuilder.add(columnName);
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.COLUMN, server, null,
+ db, table, listBuilder.build(), action, grantOption);
+ }
+
+ public synchronized void revokeColumnsPrivilege(String requestorUserName, String roleName,
+ String server, String db, String table, List<String> columns, String action)
+ throws SentryUserException {
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.COLUMN, server, null,
+ db, table, columns, action);
+ }
+
+ public synchronized void revokeColumnsPrivilege(String requestorUserName, String roleName,
+ String server, String db, String table, List<String> columns, String action, Boolean grantOption)
+ throws SentryUserException {
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.COLUMN, server, null,
+ db, table, columns, action, grantOption);
+ }
+
+ private void revokePrivilege(String requestorUserName,
+ String roleName, PrivilegeScope scope, String serverName, String uri,
+ String db, String table, List<String> columns, String action)
+ throws SentryUserException {
+ this.revokePrivilege(requestorUserName, roleName, scope, serverName, uri, db, table, columns, action, false);
+ }
+
+ private void revokePrivilege(String requestorUserName, String roleName,
+ PrivilegeScope scope, String serverName, String uri, String db, String table, List<String> columns,
+ String action, Boolean grantOption)
+ throws SentryUserException {
+ TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
+ request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+ request.setRequestorUserName(requestorUserName);
+ request.setRoleName(roleName);
+ Set<TSentryPrivilege> privileges = convertColumnPrivileges(scope,
+ serverName, uri, db, table, columns, action, grantOption);
+ request.setPrivileges(privileges);
+ try {
+ TAlterSentryRoleRevokePrivilegeResponse response = client.alter_sentry_role_revoke_privilege(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ private Set<TSentryPrivilege> convertColumnPrivileges(
+ PrivilegeScope scope, String serverName, String uri, String db, String table, List<String> columns,
+ String action, Boolean grantOption) {
+ ImmutableSet.Builder<TSentryPrivilege> setBuilder = ImmutableSet.builder();
+ if (columns == null || columns.isEmpty()) {
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope(scope.toString());
+ privilege.setServerName(serverName);
+ privilege.setURI(uri);
+ privilege.setDbName(db);
+ privilege.setTableName(table);
+ privilege.setColumnName(null);
+ privilege.setAction(action);
+ privilege.setCreateTime(System.currentTimeMillis());
+ privilege.setGrantOption(convertTSentryGrantOption(grantOption));
+ setBuilder.add(privilege);
+ } else {
+ for (String column : columns) {
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope(scope.toString());
+ privilege.setServerName(serverName);
+ privilege.setURI(uri);
+ privilege.setDbName(db);
+ privilege.setTableName(table);
+ privilege.setColumnName(column);
+ privilege.setAction(action);
+ privilege.setCreateTime(System.currentTimeMillis());
+ privilege.setGrantOption(convertTSentryGrantOption(grantOption));
+ setBuilder.add(privilege);
+ }
+ }
+ return setBuilder.build();
+ }
+
+ private Set<TSentryPrivilege> convertColumnPrivilege(
+ PrivilegeScope scope, String serverName, String uri, String db, String table, String column,
+ String action, Boolean grantOption) {
+ ImmutableSet.Builder<TSentryPrivilege> setBuilder = ImmutableSet.builder();
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setPrivilegeScope(scope.toString());
+ privilege.setServerName(serverName);
+ privilege.setURI(uri);
+ privilege.setDbName(db);
+ privilege.setTableName(table);
+ privilege.setColumnName(column);
+ privilege.setAction(action);
+ privilege.setCreateTime(System.currentTimeMillis());
+ privilege.setGrantOption(convertTSentryGrantOption(grantOption));
+ setBuilder.add(privilege);
+ return setBuilder.build();
+ }
+
+ private TSentryGrantOption convertTSentryGrantOption(Boolean grantOption) {
+ if (grantOption == null) {
+ return TSentryGrantOption.UNSET;
+ } else if (grantOption.equals(true)) {
+ return TSentryGrantOption.TRUE;
+ } else if (grantOption.equals(false)) {
+ return TSentryGrantOption.FALSE;
+ }
+ return TSentryGrantOption.FALSE;
+ }
+
+ public synchronized Set<String> listPrivilegesForProvider(Set<String> groups, Set<String> users,
+ ActiveRoleSet roleSet, Authorizable... authorizable) throws SentryUserException {
+ TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles());
+ TListSentryPrivilegesForProviderRequest request =
+ new TListSentryPrivilegesForProviderRequest(ThriftConstants.
+ TSENTRY_SERVICE_VERSION_CURRENT, groups, thriftRoleSet);
+ if (authorizable != null && authorizable.length > 0) {
+ TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(Lists
+ .newArrayList(authorizable));
+ request.setAuthorizableHierarchy(tSentryAuthorizable);
+ }
+ if (users != null) {
+ request.setUsers(users);
+ }
+ try {
+ TListSentryPrivilegesForProviderResponse response = client.list_sentry_privileges_for_provider(request);
+ Status.throwIfNotOk(response.getStatus());
+ return response.getPrivileges();
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ @Override
+ public synchronized void grantRoleToGroup(String requestorUserName,
+ String groupName, String roleName)
+ throws SentryUserException {
+ grantRoleToGroups(requestorUserName, roleName, Sets.newHashSet(groupName));
+ }
+
+ @Override
+ public synchronized void revokeRoleFromGroup(String requestorUserName,
+ String groupName, String roleName)
+ throws SentryUserException {
+ revokeRoleFromGroups(requestorUserName, roleName, Sets.newHashSet(groupName));
+ }
+
+ @Override
+ public synchronized void grantRoleToGroups(String requestorUserName,
+ String roleName, Set<String> groups)
+ throws SentryUserException {
+ TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest(
+ ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName,
+ roleName, convert2TGroups(groups));
+ try {
+ TAlterSentryRoleAddGroupsResponse response = client.alter_sentry_role_add_groups(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ @Override
+ public synchronized void revokeRoleFromGroups(String requestorUserName,
+ String roleName, Set<String> groups)
+ throws SentryUserException {
+ TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest(
+ ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName,
+ roleName, convert2TGroups(groups));
+ try {
+ TAlterSentryRoleDeleteGroupsResponse response = client.alter_sentry_role_delete_groups(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ @Override
+ public synchronized void grantRoleToUser(String requestorUserName, String userName,
+ String roleName) throws SentryUserException {
+ grantRoleToUsers(requestorUserName, roleName, Sets.newHashSet(userName));
+ }
+
+ @Override
+ public synchronized void revokeRoleFromUser(String requestorUserName, String userName,
+ String roleName) throws SentryUserException {
+ revokeRoleFromUsers(requestorUserName, roleName, Sets.newHashSet(userName));
+ }
+
+ @Override
+ public synchronized void grantRoleToUsers(String requestorUserName, String roleName,
+ Set<String> users) throws SentryUserException {
+ TAlterSentryRoleAddUsersRequest request = new TAlterSentryRoleAddUsersRequest(
+ ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, roleName, users);
+ try {
+ TAlterSentryRoleAddUsersResponse response = client.alter_sentry_role_add_users(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ @Override
+ public synchronized void revokeRoleFromUsers(String requestorUserName, String roleName,
+ Set<String> users) throws SentryUserException {
+ TAlterSentryRoleDeleteUsersRequest request = new TAlterSentryRoleDeleteUsersRequest(
+ ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, roleName, users);
+ try {
+ TAlterSentryRoleDeleteUsersResponse response = client.alter_sentry_role_delete_users(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ private Set<TSentryGroup> convert2TGroups(Set<String> groups) {
+ Set<TSentryGroup> tGroups = Sets.newHashSet();
+ if (groups != null) {
+ for (String groupName : groups) {
+ tGroups.add(new TSentryGroup(groupName));
+ }
+ }
+ return tGroups;
+ }
+
+ public synchronized void dropPrivileges(String requestorUserName,
+ List<? extends Authorizable> authorizableObjects)
+ throws SentryUserException {
+ TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(authorizableObjects);
+
+ TDropPrivilegesRequest request = new TDropPrivilegesRequest(
+ ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName,
+ tSentryAuthorizable);
+ try {
+ TDropPrivilegesResponse response = client.drop_sentry_privilege(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ public synchronized void renamePrivileges(String requestorUserName,
+ List<? extends Authorizable> oldAuthorizables,
+ List<? extends Authorizable> newAuthorizables) throws SentryUserException {
+ TSentryAuthorizable tOldSentryAuthorizable = setupSentryAuthorizable(oldAuthorizables);
+ TSentryAuthorizable tNewSentryAuthorizable = setupSentryAuthorizable(newAuthorizables);
+
+ TRenamePrivilegesRequest request = new TRenamePrivilegesRequest(
+ ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName,
+ tOldSentryAuthorizable, tNewSentryAuthorizable);
+ try {
+ TRenamePrivilegesResponse response = client
+ .rename_sentry_privilege(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ public synchronized Map<TSentryAuthorizable, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(
+ String requestorUserName,
+ Set<List<? extends Authorizable>> authorizables, Set<String> groups,
+ ActiveRoleSet roleSet) throws SentryUserException {
+ Set<TSentryAuthorizable> authSet = Sets.newTreeSet();
+
+ for (List<? extends Authorizable> authorizableHierarchy : authorizables) {
+ authSet.add(setupSentryAuthorizable(authorizableHierarchy));
+ }
+ TListSentryPrivilegesByAuthRequest request = new TListSentryPrivilegesByAuthRequest(
+ ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName,
+ authSet);
+ if (groups != null) {
+ request.setGroups(groups);
+ }
+ if (roleSet != null) {
+ request.setRoleSet(new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()));
+ }
+
+ try {
+ TListSentryPrivilegesByAuthResponse response = client
+ .list_sentry_privileges_by_authorizable(request);
+ Status.throwIfNotOk(response.getStatus());
+ return response.getPrivilegesMapByAuth();
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ /**
+ * Returns the configuration value in the sentry server associated with
+ * propertyName, or if propertyName does not exist, the defaultValue.
+ * There is no "requestorUserName" because this is regarded as an
+ * internal interface.
+ * @param propertyName Config attribute to search for
+ * @param defaultValue String to return if not found
+ * @return The value of the propertyName
+ * @throws SentryUserException
+ */
+ public synchronized String getConfigValue(String propertyName, String defaultValue)
+ throws SentryUserException {
+ TSentryConfigValueRequest request = new TSentryConfigValueRequest(
+ ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, propertyName);
+ if (defaultValue != null) {
+ request.setDefaultValue(defaultValue);
+ }
+ try {
+ TSentryConfigValueResponse response = client.get_sentry_config_value(request);
+ Status.throwIfNotOk(response.getStatus());
+ return response.getValue();
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ public synchronized void close() {
+ if (transport != null) {
+ transport.close();
+ }
+ }
+
+ /**
+ * Import the sentry mapping data, convert the mapping data from map structure to
+ * TSentryMappingData, and call the import API.
+ *
+ * @param policyFileMappingData
+ * Include 2 maps to save the mapping data, the following is the example of the data
+ * structure:
+ * for the following mapping data:
+ * group1=role1,role2
+ * group2=role2,role3
+ * role1=server=server1->db=db1
+ * role2=server=server1->db=db1->table=tbl1,server=server1->db=db1->table=tbl2
+ * role3=server=server1->url=hdfs://localhost/path
+ *
+ * The policyFileMappingData will be inputed as:
+ * {
+ * groups={[group1={role1, role2}], group2=[role2, role3]},
+ * roles={role1=[server=server1->db=db1],
+ * role2=[server=server1->db=db1->table=tbl1,server=server1->db=db1->table=tbl2],
+ * role3=[server=server1->url=hdfs://localhost/path]
+ * }
+ * }
+ * @param requestorUserName
+ * The name of the request user
+ */
+ public synchronized void importPolicy(Map<String, Map<String, Set<String>>> policyFileMappingData,
+ String requestorUserName, boolean isOverwriteRole)
+ throws SentryUserException {
+ try {
+ TSentryMappingData tSentryMappingData = new TSentryMappingData();
+ // convert the mapping data for [group,role] from map structure to
+ // TSentryMappingData.GroupRolesMap
+ tSentryMappingData.setGroupRolesMap(policyFileMappingData.get(PolicyFileConstants.GROUPS));
+ tSentryMappingData.setUserRolesMap(policyFileMappingData.get(PolicyFileConstants.USER_ROLES));
+ // convert the mapping data for [role,privilege] from map structure to
+ // TSentryMappingData.RolePrivilegesMap
+ tSentryMappingData
+ .setRolePrivilegesMap(convertRolePrivilegesMapForSentryDB(policyFileMappingData
+ .get(PolicyFileConstants.ROLES)));
+ TSentryImportMappingDataRequest request = new TSentryImportMappingDataRequest(
+ ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, isOverwriteRole,
+ tSentryMappingData);
+ TSentryImportMappingDataResponse response = client.import_sentry_mapping_data(request);
+ Status.throwIfNotOk(response.getStatus());
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ // convert the mapping data for [role,privilege] from map structure to
+ // TSentryMappingData.RolePrivilegesMap
+ private Map<String, Set<TSentryPrivilege>> convertRolePrivilegesMapForSentryDB(
+ Map<String, Set<String>> rolePrivilegesMap) {
+ Map<String, Set<TSentryPrivilege>> rolePrivilegesMapResult = Maps.newHashMap();
+ if (rolePrivilegesMap != null) {
+ for (Map.Entry<String, Set<String>> entry : rolePrivilegesMap.entrySet()) {
+ Set<TSentryPrivilege> tempTSentryPrivileges = Sets.newHashSet();
+ Set<String> tempPrivileges = entry.getValue();
+ for (String tempPrivilege : tempPrivileges) {
+ tempTSentryPrivileges.add(SentryServiceUtil.convertToTSentryPrivilege(tempPrivilege));
+ }
+ rolePrivilegesMapResult.put(entry.getKey(), tempTSentryPrivileges);
+ }
+ }
+ return rolePrivilegesMapResult;
+ }
+
+ // export the sentry mapping data with map structure
+ public synchronized Map<String, Map<String, Set<String>>> exportPolicy(String requestorUserName,
+ String objectPath) throws SentryUserException {
+ TSentryExportMappingDataRequest request = new TSentryExportMappingDataRequest(
+ ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName);
+ request.setObjectPath(objectPath);
+ try {
+ TSentryExportMappingDataResponse response = client.export_sentry_mapping_data(request);
+ Status.throwIfNotOk(response.getStatus());
+ TSentryMappingData tSentryMappingData = response.getMappingData();
+ Map<String, Map<String, Set<String>>> resultMap = Maps.newHashMap();
+ resultMap.put(PolicyFileConstants.USER_ROLES, tSentryMappingData.getUserRolesMap());
+ resultMap.put(PolicyFileConstants.GROUPS, tSentryMappingData.getGroupRolesMap());
+ resultMap.put(PolicyFileConstants.ROLES, convertRolePrivilegesMapForPolicyFile(tSentryMappingData.getRolePrivilegesMap()));
+ return resultMap;
+ } catch (TException e) {
+ throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+ }
+ }
+
+ // convert the mapping data for [roleName,privilege] from TSentryMappingData.RolePrivilegesMap to
+ // map structure
+ private Map<String, Set<String>> convertRolePrivilegesMapForPolicyFile(
+ Map<String, Set<TSentryPrivilege>> rolePrivilegesMap) {
+ Map<String, Set<String>> rolePrivilegesMapForFile = Maps.newHashMap();
+ if (rolePrivilegesMap != null) {
+ for (Map.Entry<String, Set<TSentryPrivilege>> entry : rolePrivilegesMap.entrySet()) {
+ Set<TSentryPrivilege> tempSentryPrivileges = entry.getValue();
+ Set<String> tempStrPrivileges = Sets.newHashSet();
+ for (TSentryPrivilege tSentryPrivilege : tempSentryPrivileges) {
+ // convert TSentryPrivilege to privilege in string
+ String privilegeStr = SentryServiceUtil.convertTSentryPrivilegeToStr(tSentryPrivilege);
+ if (!StringUtils.isEmpty(privilegeStr)) {
+ tempStrPrivileges.add(privilegeStr);
+ }
+ }
+ rolePrivilegesMapForFile.put(entry.getKey(), tempStrPrivileges);
+ }
+ }
+ return rolePrivilegesMapForFile;
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
new file mode 100644
index 0000000..6ddc1de
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
@@ -0,0 +1,247 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.tools;
+
+import com.google.common.annotations.VisibleForTesting;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.GnuParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.OptionGroup;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.cli.Parser;
+import org.apache.commons.lang.StringUtils;
+
+/**
+ * SentryShellCommon provides the function for parsing the argument.
+ * For hive model and generic model, child class should be implemented as a sentry admin tool.
+ */
+abstract public class SentryShellCommon {
+
+ protected String roleName;
+ protected String groupName;
+ protected String privilegeStr;
+ protected String confPath;
+ // flag for the command
+ protected boolean isCreateRole = false;
+ protected boolean isDropRole = false;
+ protected boolean isAddRoleGroup = false;
+ protected boolean isDeleteRoleGroup = false;
+ protected boolean isGrantPrivilegeRole = false;
+ protected boolean isRevokePrivilegeRole = false;
+ protected boolean isListRole = false;
+ protected boolean isListPrivilege = false;
+ protected boolean isPrintHelp = false;
+ // flag for the parameter check
+ protected boolean roleNameRequired = false;
+ protected boolean groupNameRequired = false;
+ protected boolean privilegeStrRequired = false;
+
+ public final static String OPTION_DESC_HELP = "Shell usage";
+ public final static String OPTION_DESC_CONF = "sentry-site file path";
+ public final static String OPTION_DESC_ROLE_NAME = "Role name";
+ public final static String OPTION_DESC_GROUP_NAME = "Group name";
+ public final static String OPTION_DESC_PRIVILEGE = "Privilege string";
+ public final static String PREFIX_MESSAGE_MISSING_OPTION = "Missing required option: ";
+
+ public final static String GROUP_SPLIT_CHAR = ",";
+
+ /**
+ * parse arguments
+ *
+ * <pre>
+ * -conf,--sentry_conf <filepath> sentry config file path
+ * -cr,--create_role -r <rolename> create role
+ * -dr,--drop_role -r <rolename> drop role
+ * -arg,--add_role_group -r <rolename> -g <groupname> add role to group
+ * -drg,--delete_role_group -r <rolename> -g <groupname> delete role from group
+ * -gpr,--grant_privilege_role -r <rolename> -p <privilege> grant privilege to role
+ * -rpr,--revoke_privilege_role -r <rolename> -p <privilege> revoke privilege from role
+ * -lr,--list_role -g <groupname> list roles for group
+ * -lp,--list_privilege -r <rolename> list privilege for role
+ * -t,--type <typeame> the shell for hive model or generic model
+ * </pre>
+ *
+ * @param args
+ */
+ protected boolean parseArgs(String[] args) {
+ Options simpleShellOptions = new Options();
+
+ Option crOpt = new Option("cr", "create_role", false, "Create role");
+ crOpt.setRequired(false);
+
+ Option drOpt = new Option("dr", "drop_role", false, "Drop role");
+ drOpt.setRequired(false);
+
+ Option argOpt = new Option("arg", "add_role_group", false, "Add role to group");
+ argOpt.setRequired(false);
+
+ Option drgOpt = new Option("drg", "delete_role_group", false, "Delete role from group");
+ drgOpt.setRequired(false);
+
+ Option gprOpt = new Option("gpr", "grant_privilege_role", false, "Grant privilege to role");
+ gprOpt.setRequired(false);
+
+ Option rprOpt = new Option("rpr", "revoke_privilege_role", false, "Revoke privilege from role");
+ rprOpt.setRequired(false);
+
+ Option lrOpt = new Option("lr", "list_role", false, "List role");
+ lrOpt.setRequired(false);
+
+ Option lpOpt = new Option("lp", "list_privilege", false, "List privilege");
+ lpOpt.setRequired(false);
+
+ // required args group
+ OptionGroup simpleShellOptGroup = new OptionGroup();
+ simpleShellOptGroup.addOption(crOpt);
+ simpleShellOptGroup.addOption(drOpt);
+ simpleShellOptGroup.addOption(argOpt);
+ simpleShellOptGroup.addOption(drgOpt);
+ simpleShellOptGroup.addOption(gprOpt);
+ simpleShellOptGroup.addOption(rprOpt);
+ simpleShellOptGroup.addOption(lrOpt);
+ simpleShellOptGroup.addOption(lpOpt);
+ simpleShellOptGroup.setRequired(true);
+ simpleShellOptions.addOptionGroup(simpleShellOptGroup);
+
+ // optional args
+ Option pOpt = new Option("p", "privilege", true, OPTION_DESC_PRIVILEGE);
+ pOpt.setRequired(false);
+ simpleShellOptions.addOption(pOpt);
+
+ Option gOpt = new Option("g", "groupname", true, OPTION_DESC_GROUP_NAME);
+ gOpt.setRequired(false);
+ simpleShellOptions.addOption(gOpt);
+
+ Option rOpt = new Option("r", "rolename", true, OPTION_DESC_ROLE_NAME);
+ rOpt.setRequired(false);
+ simpleShellOptions.addOption(rOpt);
+
+ // this argument should be parsed in the bin/sentryShell
+ Option tOpt = new Option("t", "type", true, "[hive|solr|sqoop|.....]");
+ tOpt.setRequired(false);
+ simpleShellOptions.addOption(tOpt);
+
+ // file path of sentry-site
+ Option sentrySitePathOpt = new Option("conf", "sentry_conf", true, OPTION_DESC_CONF);
+ sentrySitePathOpt.setRequired(true);
+ simpleShellOptions.addOption(sentrySitePathOpt);
+
+ // help option
+ Option helpOpt = new Option("h", "help", false, OPTION_DESC_HELP);
+ helpOpt.setRequired(false);
+ simpleShellOptions.addOption(helpOpt);
+
+ // this Options is parsed first for help option
+ Options helpOptions = new Options();
+ helpOptions.addOption(helpOpt);
+
+ try {
+ Parser parser = new GnuParser();
+
+ // parse help option first
+ CommandLine cmd = parser.parse(helpOptions, args, true);
+ for (Option opt : cmd.getOptions()) {
+ if (opt.getOpt().equals("h")) {
+ // get the help option, print the usage and exit
+ usage(simpleShellOptions);
+ return false;
+ }
+ }
+
+ // without help option
+ cmd = parser.parse(simpleShellOptions, args);
+
+ for (Option opt : cmd.getOptions()) {
+ if (opt.getOpt().equals("p")) {
+ privilegeStr = opt.getValue();
+ } else if (opt.getOpt().equals("g")) {
+ groupName = opt.getValue();
+ } else if (opt.getOpt().equals("r")) {
+ roleName = opt.getValue();
+ } else if (opt.getOpt().equals("cr")) {
+ isCreateRole = true;
+ roleNameRequired = true;
+ } else if (opt.getOpt().equals("dr")) {
+ isDropRole = true;
+ roleNameRequired = true;
+ } else if (opt.getOpt().equals("arg")) {
+ isAddRoleGroup = true;
+ roleNameRequired = true;
+ groupNameRequired = true;
+ } else if (opt.getOpt().equals("drg")) {
+ isDeleteRoleGroup = true;
+ roleNameRequired = true;
+ groupNameRequired = true;
+ } else if (opt.getOpt().equals("gpr")) {
+ isGrantPrivilegeRole = true;
+ roleNameRequired = true;
+ privilegeStrRequired = true;
+ } else if (opt.getOpt().equals("rpr")) {
+ isRevokePrivilegeRole = true;
+ roleNameRequired = true;
+ privilegeStrRequired = true;
+ } else if (opt.getOpt().equals("lr")) {
+ isListRole = true;
+ } else if (opt.getOpt().equals("lp")) {
+ isListPrivilege = true;
+ roleNameRequired = true;
+ } else if (opt.getOpt().equals("conf")) {
+ confPath = opt.getValue();
+ }
+ }
+ checkRequiredParameter(roleNameRequired, roleName, OPTION_DESC_ROLE_NAME);
+ checkRequiredParameter(groupNameRequired, groupName, OPTION_DESC_GROUP_NAME);
+ checkRequiredParameter(privilegeStrRequired, privilegeStr, OPTION_DESC_PRIVILEGE);
+ } catch (ParseException pe) {
+ System.out.println(pe.getMessage());
+ usage(simpleShellOptions);
+ return false;
+ }
+ return true;
+ }
+
+ private void checkRequiredParameter(boolean isRequired, String paramValue, String paramName) throws ParseException {
+ if (isRequired && StringUtils.isEmpty(paramValue)) {
+ throw new ParseException(PREFIX_MESSAGE_MISSING_OPTION + paramName);
+ }
+ }
+
+ // print usage
+ private void usage(Options sentryOptions) {
+ HelpFormatter formatter = new HelpFormatter();
+ formatter.printHelp("sentryShell", sentryOptions);
+ }
+
+ // hive model and generic model should implement this method
+ public abstract void run() throws Exception;
+
+ @VisibleForTesting
+ public boolean executeShell(String[] args) throws Exception {
+ boolean result = true;
+ if (parseArgs(args)) {
+ run();
+ } else {
+ result = false;
+ }
+ return result;
+ }
+}
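Review bot: The help flag is only honoured when it is the first option on the command line: the first `parser.parse(helpOptions, args, true)` stops at the first token it does not recognise (every real option is unknown to `helpOptions`), so an `-h` given after, say, `-cr` is not seen there, and the second parse accepts it as a valid option but the dispatch loop never handles `"h"`, so the command runs instead of usage being printed — this is inferred from GnuParser's stop-at-non-option behaviour and should be confirmed with a test. A check after the second parse closes the gap: `if (cmd.hasOption("h")) { usage(simpleShellOptions); return false; }`. The Javadoc on `parseArgs` also lacks a return description, e.g. `@return true when the arguments were parsed and validated, false when usage was printed or parsing failed`, its `@param args` line is empty, and `<typeame>` in the usage table looks like a typo for `<typename>`.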
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
new file mode 100644
index 0000000..dc7f829
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
@@ -0,0 +1,98 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.tools;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.tools.command.hive.*;
+import org.apache.sentry.service.thrift.SentryServiceClientFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * SentryShellHive is an admin tool, and responsible for the management of repository.
+ * The following function are supported:
+ * create role, drop role, add group to role, delete group from role, grant privilege to role,
+ * revoke privilege from role, list roles for group, list privilege for role.
+ */
+public class SentryShellHive extends SentryShellCommon {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellHive.class);
+
+ public void run() throws Exception {
+ Command command = null;
+ SentryPolicyServiceClient client = SentryServiceClientFactory.create(getSentryConf());
+ UserGroupInformation ugi = UserGroupInformation.getLoginUser();
+ String requestorName = ugi.getShortUserName();
+
+ if (isCreateRole) {
+ command = new CreateRoleCmd(roleName);
+ } else if (isDropRole) {
+ command = new DropRoleCmd(roleName);
+ } else if (isAddRoleGroup) {
+ command = new GrantRoleToGroupsCmd(roleName, groupName);
+ } else if (isDeleteRoleGroup) {
+ command = new RevokeRoleFromGroupsCmd(roleName, groupName);
+ } else if (isGrantPrivilegeRole) {
+ command = new GrantPrivilegeToRoleCmd(roleName, privilegeStr);
+ } else if (isRevokePrivilegeRole) {
+ command = new RevokePrivilegeFromRoleCmd(roleName, privilegeStr);
+ } else if (isListRole) {
+ command = new ListRolesCmd(groupName);
+ } else if (isListPrivilege) {
+ command = new ListPrivilegesCmd(roleName);
+ }
+
+ // check the requestor name
+ if (StringUtils.isEmpty(requestorName)) {
+ // The exception message will be recoreded in log file.
+ throw new Exception("The requestor name is empty.");
+ }
+
+ if (command != null) {
+ command.execute(client, requestorName);
+ }
+ }
+
+ private Configuration getSentryConf() {
+ Configuration conf = new Configuration();
+ conf.addResource(new Path(confPath));
+ return conf;
+ }
+
+ public static void main(String[] args) throws Exception {
+ SentryShellHive sentryShell = new SentryShellHive();
+ try {
+ sentryShell.executeShell(args);
+ } catch (Exception e) {
+ LOGGER.error(e.getMessage(), e);
+ Throwable current = e;
+ // find the first printable message;
+ while (current != null && current.getMessage() == null) {
+ current = current.getCause();
+ }
+ System.out.println("The operation failed." +
+ (current.getMessage() == null ? "" : " Message: " + current.getMessage()));
+ }
+ }
+
+}
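Review bot: `main` can throw a NullPointerException from inside its own catch block: when no throwable in the cause chain carries a message, the `while` loop exits with `current == null` and the next statement dereferences it. Guard on the variable rather than on its message, `(current == null ? "" : " Message: " + current.getMessage())`. The process also exits with status 0 after a failure, both on this path and when `executeShell` returns false for bad arguments, so scripts cannot tell success from failure; consider `System.exit(1)` on those paths. In `run()`, the client returned by `SentryServiceClientFactory.create` is never closed — if it is `Closeable`, a try-with-resources around the command execution would release the connection, and moving the empty-requestor check before the client is created would avoid opening a connection for a request that is going to be rejected anyway.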
http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
new file mode 100644
index 0000000..79aed49
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+
+/**
+ * The interface for all admin commands, eg, CreateRoleCmd.
+ */
+public interface Command {
+ void execute(SentryPolicyServiceClient client, String requestorName) throws Exception;
+}
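Review bot: `execute` has no Javadoc for its parameters or for the broad `throws Exception`, so implementors have no stated contract for what `requestorName` is or what failures callers should expect. A short doc block would help, e.g. `@param client the policy service client used to issue the command`, `@param requestorName the user on whose behalf the command is executed`, and `@throws Exception if the command fails; implementations should preserve the underlying cause`.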