Posted to commits@sentry.apache.org by sd...@apache.org on 2015/09/06 03:24:01 UTC
incubator-sentry git commit: SENTRY-841: Revoke on SERVER scope
breaks Client API, allows any string to be passed in (Ryan P via Dapeng Sun,
Reviewed by Colin Ma)
Repository: incubator-sentry
Updated Branches:
refs/heads/branch-1.6.0 d4e6bbf7e -> 6aab61b33
SENTRY-841: Revoke on SERVER scope breaks Client API, allows any string to be passed in (Ryan P via Dapeng Sun, Reviewed by Colin Ma)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/6aab61b3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/6aab61b3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/6aab61b3
Branch: refs/heads/branch-1.6.0
Commit: 6aab61b33abcbcac825979831c2de63ce8837d32
Parents: d4e6bbf
Author: Sun Dapeng <sd...@apache.org>
Authored: Sun Sep 6 09:17:25 2015 +0800
Committer: Sun Dapeng <sd...@apache.org>
Committed: Sun Sep 6 09:17:25 2015 +0800
----------------------------------------------------------------------
.../thrift/SentryPolicyServiceClient.java | 3 +++
.../SentryPolicyServiceClientDefaultImpl.java | 7 +++++
.../thrift/TestSentryServiceIntegration.java | 28 ++++++++++++++++++++
3 files changed, 38 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6aab61b3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index 3c2c7c6..cbc0aaf 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -113,6 +113,9 @@ public interface SentryPolicyServiceClient {
public void revokeServerPrivilege(String requestorUserName, String roleName, String server,
String action, Boolean grantOption) throws SentryUserException;
+ public void revokeServerPrivilege(String requestorUserName, String roleName, String server,
+ boolean grantOption) throws SentryUserException;
+
public void revokeDatabasePrivilege(String requestorUserName, String roleName, String server,
String db, String action) throws SentryUserException;
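Review bot: The five-argument `revokeServerPrivilege` with a free-form `String action` stays in the interface right above the new overload, and nothing steers callers away from it, so the "any string" input named in the commit title remains reachable through the client API. Consider marking the old overload `@Deprecated` and giving the new one Javadoc such as `/** Revokes the ALL privilege on {@code server} from {@code roleName}. */`. Whether the service validates `action` on receipt is not visible from this hunk, so the client-side narrowing should not be treated as the only control. The same applies to SentryPolicyServiceClientDefaultImpl, where the context line of the older method appears to forward `action` unchanged.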
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6aab61b3/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
index 4afe1b4..fe2fef7 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
@@ -497,6 +497,13 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService
PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption);
}
+ public void revokeServerPrivilege(String requestorUserName,
+ String roleName, String server, boolean grantOption)
+ throws SentryUserException {
+ revokePrivilege(requestorUserName, roleName,
+ PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL, grantOption);
+ }
+
public void revokeDatabasePrivilege(String requestorUserName,
String roleName, String server, String db, String action)
throws SentryUserException {
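Review bot: The new overload declares a primitive `boolean grantOption`, while the older method whose tail is visible just above passes its `grantOption` through from a `Boolean` parameter. A caller migrating with a nullable `Boolean` will therefore hit an unboxing NullPointerException at the call site rather than a SentryUserException. Either keep `Boolean` for symmetry or state in Javadoc that null is not accepted. The hard-coded `AccessConstants.ALL` also deserves a why-comment, for example `// server-scope revoke is always ALL; a caller-supplied action is deliberately not accepted`, if that is indeed the intent. The older overload's body starts outside this hunk, so its handling of `action` cannot be confirmed here.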
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6aab61b3/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index 02c7535..0d35b7d 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
@@ -820,4 +820,32 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
}});
}
+
+ /* SENTRY-841 */
+ @Test
+ public void testGranRevokePrivilegeOnServerForRole() throws Exception {
+ runTestAsSubject(new TestOperation(){
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String requestorUserName = ADMIN_USER;
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+ writePolicyFile();
+
+ String roleName1 = "admin_r1";
+
+ client.dropRoleIfExists(requestorUserName, roleName1);
+ client.createRole(requestorUserName, roleName1);
+
+ client.grantServerPrivilege(requestorUserName, roleName1, "server", false);
+
+ Set<TSentryPrivilege> listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege should be all:",listPrivs.iterator().next().getAction().equals("*"));
+
+ client.revokeServerPrivilege(requestorUserName, roleName1, "server", false);
+ listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
+ assertTrue("Privilege not correctly revoked !!", listPrivs.size() == 0);
+
+ }});
+ }
}
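Review bot: The added test exercises only the grant-then-revoke path through the new four-argument overload and never pins the behaviour the ticket title describes, namely an arbitrary action string reaching the older five-argument `revokeServerPrivilege`. A second case that passes a constructed value such as `"not_an_action"` to that overload and asserts the outcome (rejected, or the privilege left intact) would stop it from regressing silently. Separately, `listPrivs.iterator().next()` throws NoSuchElementException if the grant produced nothing, so put `assertEquals(1, listPrivs.size());` before it, assuming `assertEquals` is imported alongside `assertTrue`. The method name also has a typo (`testGranRevoke…` for `testGrantRevoke…`).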