Posted to commits@sentry.apache.org by pr...@apache.org on 2014/09/30 20:20:23 UTC

git commit: SENTRY-445: WITH GRANT OPTION does not allow delegated user to grant less permissive privileges (Prasad Mujumdar, reviewed by Linni Kuff

Repository: incubator-sentry
Updated Branches:
  refs/heads/master 977d69f22 -> f31450c93


SENTRY-445: WITH GRANT OPTION does not allow delegated user to grant less permissive privileges (Prasad Mujumdar, reviewed by Linni Kuff


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/f31450c9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/f31450c9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/f31450c9

Branch: refs/heads/master
Commit: f31450c93e564cbcbc7f9a2c264887d056b2aecf
Parents: 977d69f
Author: Prasad Mujumdar <pr...@cloudera.com>
Authored: Tue Sep 30 11:20:10 2014 -0700
Committer: Prasad Mujumdar <pr...@cloudera.com>
Committed: Tue Sep 30 11:20:10 2014 -0700

----------------------------------------------------------------------
 .../sentry/core/model/db/AccessConstants.java   |  1 +
 .../db/service/model/MSentryPrivilege.java      |  6 ++-
 .../service/persistent/TestSentryPrivilege.java | 49 +++++++++++++-------
 3 files changed, 38 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/f31450c9/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java
index 26007d9..99cefb7 100644
--- a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java
+++ b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java
@@ -26,6 +26,7 @@ public class AccessConstants {
    */
   public static final String ALL = "*";
   public static final String SOME = "+";
+  public static final String ACTION_ALL = "ALL";
 
   public static final String SELECT = "select";
   public static final String INSERT = "insert";
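Review bot: `ACTION_ALL` is added without a comment, and with `ALL = "*"` two lines above it the two names are easy to confuse when reading a privilege check. A one-line Javadoc would make the relationship explicit, for example `/** The action keyword "ALL"; compared as equivalent to the {@link #ALL} wildcard when privileges are checked. */`. The comment block that closes just above `ALL` starts outside the hunk, so whether it already covers this constant is not visible here.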

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/f31450c9/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
index 0667cb5..1150e47 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
@@ -24,6 +24,7 @@ import java.util.Set;
 import javax.jdo.annotations.PersistenceCapable;
 
 import org.apache.sentry.core.common.utils.PathUtils;
+import org.apache.sentry.core.model.db.AccessConstants;
 import org.apache.sentry.provider.db.service.persistent.SentryStore;
 
 /**
@@ -268,8 +269,9 @@ public boolean equals(Object obj) {
     }
 
     // check action implies
-    if (!action.equalsIgnoreCase("*") &&
-        !action.equalsIgnoreCase(other.action)) {
+    if (!action.equalsIgnoreCase(AccessConstants.ALL)
+        && !action.equalsIgnoreCase(other.action)
+        && !action.equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
       return false;
     }
 
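Review bot: The wildcard test is now two separate `equalsIgnoreCase` calls with the `other.action` comparison between them, which makes it easy for the next comparison site to handle only one spelling. Since this condition decides whether one privilege covers another, consider keeping the two wildcard checks adjacent and stating the rule in the comment, e.g. `// "*" and "ALL" are both wildcards; a holder of either implies any requested action`. Other code that compares `action` directly (possibly the `equals` named in the hunk header) may still treat `"*"` and `"ALL"` as different values; that is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.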

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/f31450c9/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
index 91d3171..47caf07 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryPrivilege.java
@@ -50,28 +50,45 @@ public class TestSentryPrivilege {
     my.setDbName("");
     assertTrue(my.implies(your));
 
-    // 2.test server+URI+action
-    my = new MSentryPrivilege();
-    your = new MSentryPrivilege();
-    my.setServerName("server1");
-    my.setAction(AccessConstants.ALL);
-    your.setServerName("server1");
-    your.setAction(AccessConstants.ALL);
-    my.setURI("hdfs://namenode:9000/path");
-    your.setURI("hdfs://namenode:9000/path");
+    my.setAction(AccessConstants.ACTION_ALL);
     assertTrue(my.implies(your));
 
-    my.setURI("hdfs://namenode:9000/path");
-    your.setURI("hdfs://namenode:9000/path/to/some/dir");
+    my.setTableName("");
     assertTrue(my.implies(your));
 
-    my.setURI("file:///path");
-    your.setURI("file:///path");
+    my.setDbName("");
     assertTrue(my.implies(your));
 
-    my.setURI("file:///path");
-    your.setURI("file:///path/to/some/dir");
-    assertTrue(my.implies(your));
+    // 2.test server+URI+action using all combinations of * and ALL for action
+    String[][] actionMap = new String[][] {
+        { AccessConstants.ALL, AccessConstants.ALL },
+        { AccessConstants.ALL, AccessConstants.ACTION_ALL },
+        { AccessConstants.ACTION_ALL, AccessConstants.ALL },
+        { AccessConstants.ACTION_ALL, AccessConstants.ACTION_ALL } };
+
+    for (int actions = 0; actions < actionMap.length; actions++) {
+      my = new MSentryPrivilege();
+      your = new MSentryPrivilege();
+      my.setServerName("server1");
+      my.setAction(actionMap[actions][0]);
+      your.setServerName("server1");
+      your.setAction(actionMap[actions][1]);
+      my.setURI("hdfs://namenode:9000/path");
+      your.setURI("hdfs://namenode:9000/path");
+      assertTrue(my.implies(your));
+
+      my.setURI("hdfs://namenode:9000/path");
+      your.setURI("hdfs://namenode:9000/path/to/some/dir");
+      assertTrue(my.implies(your));
+
+      my.setURI("file:///path");
+      your.setURI("file:///path");
+      assertTrue(my.implies(your));
+
+      my.setURI("file:///path");
+      your.setURI("file:///path/to/some/dir");
+      assertTrue(my.implies(your));
+    }
   }
 
   @Test
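Review bot: Every assertion added for `ACTION_ALL` is an `assertTrue`, so nothing in this hunk checks that the widened action comparison still refuses a narrower grantor. For an authorization check a negative case belongs next to the positive ones, e.g. `my.setAction(AccessConstants.SELECT); your.setAction(AccessConstants.ACTION_ALL); assertFalse(my.implies(your));` (with `assertFalse` imported if the file does not already have it). Negative cases may exist elsewhere in the test class, since the method begins outside the hunk. As a style point, the index loop over `actionMap` could be a for-each over `String[] pair`.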