Posted to commits@sentry.apache.org by sd...@apache.org on 2015/09/06 03:24:01 UTC

incubator-sentry git commit: SENTRY-841: Revoke on SERVER scope breaks Client API, allows any string to be passed in (Ryan P via Dapeng Sun, Reviewed by Colin Ma)

Repository: incubator-sentry
Updated Branches:
  refs/heads/branch-1.6.0 d4e6bbf7e -> 6aab61b33


SENTRY-841: Revoke on SERVER scope breaks Client API, allows any string to be passed in (Ryan P via Dapeng Sun, Reviewed by Colin Ma)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/6aab61b3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/6aab61b3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/6aab61b3

Branch: refs/heads/branch-1.6.0
Commit: 6aab61b33abcbcac825979831c2de63ce8837d32
Parents: d4e6bbf
Author: Sun Dapeng <sd...@apache.org>
Authored: Sun Sep 6 09:17:25 2015 +0800
Committer: Sun Dapeng <sd...@apache.org>
Committed: Sun Sep 6 09:17:25 2015 +0800

----------------------------------------------------------------------
 .../thrift/SentryPolicyServiceClient.java       |  3 +++
 .../SentryPolicyServiceClientDefaultImpl.java   |  7 +++++
 .../thrift/TestSentryServiceIntegration.java    | 28 ++++++++++++++++++++
 3 files changed, 38 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6aab61b3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index 3c2c7c6..cbc0aaf 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -113,6 +113,9 @@ public interface SentryPolicyServiceClient {
   public void revokeServerPrivilege(String requestorUserName, String roleName, String server,
       String action, Boolean grantOption) throws SentryUserException;
 
+  public void revokeServerPrivilege(String requestorUserName, String roleName, String server,
+      boolean grantOption) throws SentryUserException;
+
   public void revokeDatabasePrivilege(String requestorUserName, String roleName, String server,
       String db, String action) throws SentryUserException;
 
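Review bot: The new four-argument `revokeServerPrivilege` is added without Javadoc, so the interface does not say which action it revokes or how it relates to the five-argument overload directly above it. The implementation in this commit passes `AccessConstants.ALL`, so a comment such as `/** Revokes the ALL privilege on {@code server} from {@code roleName}. */` would make that contract explicit for API consumers. The older overload takes `Boolean grantOption` while this one takes `boolean`; if that difference is intentional, it deserves a sentence in the same comment.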

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6aab61b3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
index 4afe1b4..fe2fef7 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
@@ -497,6 +497,13 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService
         PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption);
   }
 
+  public void revokeServerPrivilege(String requestorUserName,
+      String roleName, String server, boolean grantOption)
+  throws SentryUserException {
+    revokePrivilege(requestorUserName, roleName,
+      PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL, grantOption);
+  }
+
   public void revokeDatabasePrivilege(String requestorUserName,
       String roleName, String server, String db, String action)
   throws SentryUserException {
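Review bot: The five-argument overload whose last lines open this hunk still forwards the caller's `action` string to `revokePrivilege` unchanged, so the "any string" input named in the commit title stays reachable through that path. Whether the service side rejects unknown actions is not visible here. Consider checking `action` against the supported access constants before that call, or marking the overload `@Deprecated` in favour of the new one. The new method also implements an interface method without `@Override`; adding it lets the compiler catch any drift between the interface and this class. The older overload's signature lies above the hunk.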

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6aab61b3/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index 02c7535..0d35b7d 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
@@ -820,4 +820,32 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
 
       }});
   }
+
+  /* SENTRY-841 */
+  @Test
+  public void testGranRevokePrivilegeOnServerForRole() throws Exception {
+    runTestAsSubject(new TestOperation(){
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+
+        String roleName1 = "admin_r1";
+
+        client.dropRoleIfExists(requestorUserName, roleName1);
+        client.createRole(requestorUserName, roleName1);
+
+        client.grantServerPrivilege(requestorUserName, roleName1, "server", false);
+
+        Set<TSentryPrivilege> listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+        assertTrue("Privilege should be all:",listPrivs.iterator().next().getAction().equals("*"));
+
+        client.revokeServerPrivilege(requestorUserName, roleName1, "server", false);
+        listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+        assertTrue("Privilege not correctly revoked !!", listPrivs.size() == 0);
+
+      }});
+  }
 }
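Review bot: The test covers only the successful grant/revoke round trip and never exercises the case the ticket describes, an arbitrary action string on SERVER scope. A negative case against the five-argument overload would pin down whether that input is rejected. `listPrivs.iterator().next()` is called without first asserting the set size, so a failed grant surfaces as `NoSuchElementException` rather than an assertion message. Add `assertEquals(1, listPrivs.size());` before it and use `assertEquals(0, listPrivs.size());` for the final check, assuming `assertEquals` is statically imported the way `assertTrue` appears to be. The method name also has a typo: `testGranRevokePrivilegeOnServerForRole` should read `testGrantRevokePrivilegeOnServerForRole`.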