public DelegateSentryStore(Configuration conf) throws SentryNoSuchObjectException, SentryAccessDeniedException, SentryConfigurationException, IOException { this.privilegeOperator = new PrivilegeOperatePersistence(conf); // The generic model doesn't turn on the thread that cleans hive privileges conf.set(ServerConfig.SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL,"false"); this.conf = conf; //delegated old sentryStore this.delegate = new SentryStore(conf); adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(conf.getStrings( ServerConfig.ADMIN_GROUPS, new String[]{})))); }
public void revokePrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException { MSentryGMPrivilege mPrivilege = getPrivilege(convertToPrivilege(privilege), pm); if (mPrivilege == null) { mPrivilege = convertToPrivilege(privilege); } else { mPrivilege = (MSentryGMPrivilege) pm.detachCopy(mPrivilege); } Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet(); privilegeGraph.addAll(populateIncludePrivileges(Sets.newHashSet(role), mPrivilege, pm)); /** * Get the privilege graph * populateIncludePrivileges will get the privileges that needed revoke */ for (MSentryGMPrivilege persistedPriv : privilegeGraph) { /** * force to load all roles related this privilege * avoid the lazy-loading risk,such as: * if the roles field of privilege aren't loaded, then the roles is a empty set * privilege.removeRole(role) and pm.makePersistent(privilege) * will remove other roles that shouldn't been removed */ revokeRolePartial(mPrivilege, persistedPriv, role, pm); } pm.makePersistent(role); }
private BitFieldActionFactory getActionFactory(String component) { String caseInsensitiveComponent = component.toLowerCase(); if (actionFactories.containsKey(caseInsensitiveComponent)) { return actionFactories.get(caseInsensitiveComponent); } BitFieldActionFactory actionFactory = createActionFactory(caseInsensitiveComponent); actionFactories.put(caseInsensitiveComponent, actionFactory); LOGGER.info("Action factory for component {} not found in cache. Loaded it from configuration as {}.", component, actionFactory.getClass().getName()); return actionFactory; }
public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException { MSentryGMPrivilege mPrivilege = convertToPrivilege(privilege); grantRolePartial(mPrivilege, role, pm); }
BitFieldAction action = getAction(component, grantPrivilege.getAction()); BitFieldAction allAction = getAction(component, Action.ALL); List<? extends BitFieldAction> actions = getActionFactory(component).getActionsByCode(allAction.getActionCode()); for (BitFieldAction ac : actions) { grantPrivilege.setAction(ac.getValue()); MSentryGMPrivilege existPriv = getPrivilege(grantPrivilege, pm); if (existPriv != null && role.getGmPrivileges().contains(existPriv)) { MSentryGMPrivilege allPrivilege = getPrivilege(grantPrivilege, pm); if (allPrivilege != null && role.getGmPrivileges().contains(allPrivilege)) { return; MSentryGMPrivilege mPrivilege = getPrivilege(grantPrivilege, pm); if (mPrivilege == null) { mPrivilege = grantPrivilege;
/** * Drop any role related to the requested privilege and its children privileges */ public void dropPrivilege(PrivilegeObject privilege,PersistenceManager pm) { MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege); if (Strings.isNullOrEmpty(privilege.getAction())) { requestPrivilege.setAction(getAction(privilege.getComponent(), Action.ALL).getValue()); } /** * Get the privilege graph * populateIncludePrivileges will get the privileges that need dropped, */ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet(); privilegeGraph.addAll(populateIncludePrivileges(null, requestPrivilege, pm)); for (MSentryGMPrivilege mPrivilege : privilegeGraph) { /** * force to load all roles related this privilege * avoid the lazy-loading */ pm.retrieve(mPrivilege); Set<MSentryRole> roles = mPrivilege.getRoles(); for (MSentryRole role : roles) { revokeRolePartial(requestPrivilege, mPrivilege, role, pm); } } }
throws SentryUserException { MSentryGMPrivilege oldPrivilege = new MSentryGMPrivilege(component, service, oldAuthorizables, null, null); oldPrivilege.setAction(getAction(component,Action.ALL).getValue()); privilegeGraph.addAll(populateIncludePrivileges(null, oldPrivilege, pm)); revokeRolePartial(oldPrivilege, dropPrivilege, role, pm); grantRolePartial(newPrivilge, role, pm);
private BitFieldAction getAction(String component, String name) { BitFieldActionFactory actionFactory = getActionFactory(component); BitFieldAction action = actionFactory.getActionByName(name); if (action == null) { throw new RuntimeException("can't get BitFieldAction for name:" + name); } return action; }
@Override public Object dropPrivilege(final String component, final PrivilegeObject privilege, final String requestor) throws Exception { Preconditions.checkNotNull(requestor); delegate.getTransactionManager().executeTransactionWithRetry( pm -> { pm.setDetachAllOnCommit(false); // No need to detach objects privilegeOperator.dropPrivilege(privilege, pm); return null; }); return null; }
public boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) { MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege); boolean hasGrant = false; //get persistent privileges by roles Query query = pm.newQuery(MSentryGMPrivilege.class); StringBuilder filters = new StringBuilder(); if (roles != null && roles.size() > 0) { query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role"); List<String> rolesFiler = new LinkedList<String>(); for (MSentryRole role : roles) { rolesFiler.add("role.roleName == \"" + role.getRoleName() + "\" "); } filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")"); } query.setFilter(filters.toString()); List<MSentryGMPrivilege> tPrivileges = (List<MSentryGMPrivilege>)query.execute(); for (MSentryGMPrivilege tPrivilege : tPrivileges) { if (tPrivilege.getGrantOption() && tPrivilege.implies(requestPrivilege)) { hasGrant = true; break; } } return hasGrant; } public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {
/** * Grant option check * @throws SentryUserException */ private void grantOptionCheck(PrivilegeObject requestPrivilege, String grantorPrincipal,PersistenceManager pm) throws SentryUserException { if (Strings.isNullOrEmpty(grantorPrincipal)) { throw new SentryInvalidInputException("grantorPrincipal should not be null or empty"); } Set<String> groups = getRequestorGroups(grantorPrincipal); if (groups == null || groups.isEmpty()) { throw new SentryGrantDeniedException(grantorPrincipal + " has no grant!"); } //admin group check if (!Sets.intersection(adminGroups, toTrimmed(groups)).isEmpty()) { return; } //privilege grant option check Set<MSentryRole> mRoles = delegate.getRolesForGroups(pm, groups); if (!privilegeOperator.checkPrivilegeOption(mRoles, requestPrivilege, pm)) { throw new SentryGrantDeniedException(grantorPrincipal + " has no grant!"); } }
getPrivilegesByProvider(trimmedComponent, trimmedService, mRoles, authorizables, pm)); return privileges;
@Override public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, String service, Set<String> validActiveRoles, List<? extends Authorizable> authorizables) throws SentryUserException { Preconditions.checkNotNull(component); Preconditions.checkNotNull(service); component = toTrimmedLower(component); service = toTrimmedLower(service); Set<MSentryGMPrivilege> privileges = Sets.newHashSet(); PersistenceManager pm = null; try { pm = openTransaction(); if (validActiveRoles == null || validActiveRoles.size() == 0) { return privileges; } Set<MSentryRole> mRoles = Sets.newHashSet(); for (String role : validActiveRoles) { MSentryRole mRole = getRole(role, pm); if (mRole != null) { mRoles.add(mRole); } } //get the privileges privileges.addAll(privilegeOperator.getPrivilegesByAuthorizable(component, service, mRoles, authorizables, pm)); } finally { commitTransaction(pm); } return privileges; }
BitFieldAction action = getAction(component, grantPrivilege.getAction()); BitFieldAction allAction = getAction(component, Action.ALL); List<? extends BitFieldAction> actions = getActionFactory(component).getActionsByCode(allAction.getActionCode()); for (BitFieldAction ac : actions) { grantPrivilege.setAction(ac.getValue()); MSentryGMPrivilege existPriv = getPrivilege(grantPrivilege, pm); if (existPriv != null && role.getGmPrivileges().contains(existPriv)) { MSentryGMPrivilege allPrivilege = getPrivilege(grantPrivilege, pm); if (allPrivilege != null && role.getGmPrivileges().contains(allPrivilege)) { return; MSentryGMPrivilege mPrivilege = getPrivilege(grantPrivilege, pm); if (mPrivilege == null) { mPrivilege = grantPrivilege;
/** * Drop any role related to the requested privilege and its children privileges */ public void dropPrivilege(PrivilegeObject privilege,PersistenceManager pm) throws SentryUserException { MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege); if (Strings.isNullOrEmpty(privilege.getAction())) { requestPrivilege.setAction(getAction(privilege.getComponent(), Action.ALL).getValue()); } /* * Get the privilege graph * populateIncludePrivileges will get the privileges that need dropped, */ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet(); privilegeGraph.addAll(populateIncludePrivileges(null, requestPrivilege, pm)); for (MSentryGMPrivilege mPrivilege : privilegeGraph) { /* * force to load all roles related this privilege * avoid the lazy-loading */ pm.retrieve(mPrivilege); Set<MSentryRole> roles = mPrivilege.getRoles(); for (MSentryRole role : roles) { revokeRolePartial(requestPrivilege, mPrivilege, role, pm); } } }
throws SentryUserException { MSentryGMPrivilege oldPrivilege = new MSentryGMPrivilege(component, service, oldAuthorizables, null, null); oldPrivilege.setAction(getAction(component,Action.ALL).getValue()); privilegeGraph.addAll(populateIncludePrivileges(null, oldPrivilege, pm)); revokeRolePartial(oldPrivilege, dropPrivilege, role, pm); grantRolePartial(newPrivilge, role, pm);
public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException { MSentryGMPrivilege mPrivilege = convertToPrivilege(privilege); grantRolePartial(mPrivilege, role, pm); }
private BitFieldAction getAction(String component, String name) throws SentryUserException { BitFieldActionFactory actionFactory = getActionFactory(component); BitFieldAction action = actionFactory.getActionByName(name); if (action == null) { throw new SentryUserException("Can not get BitFieldAction for name: " + name); } return action; }
@Override public CommitContext dropPrivilege(String component, PrivilegeObject privilege, String requestor) throws SentryUserException { Preconditions.checkNotNull(requestor); PersistenceManager pm = null; boolean rollbackTransaction = true; try { pm = openTransaction(); privilegeOperator.dropPrivilege(privilege, pm); CommitContext commitContext = commitUpdateTransaction(pm); rollbackTransaction = false; return commitContext; } finally { if (rollbackTransaction) { rollbackTransaction(pm); } } }
/** * Verify whether specified privilege can be granted * @param roles set of roles for the privilege * @param privilege privilege being checked * @param pm Persistentence manager instance * @return true iff at least one privilege within the role allows for the * requested privilege */ boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) { MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege); if (roles.isEmpty()) { return false; } // get persistent privileges by roles // Find all GM privileges for all the input roles Query query = pm.newQuery(MSentryGMPrivilege.class); QueryParamBuilder paramBuilder = QueryParamBuilder.addRolesFilter(query, null, SentryStore.rolesToRoleNames(roles)); query.setFilter(paramBuilder.toString()); List<MSentryGMPrivilege> tPrivileges = (List<MSentryGMPrivilege>)query.executeWithMap(paramBuilder.getArguments()); for (MSentryGMPrivilege tPrivilege : tPrivileges) { if (tPrivilege.getGrantOption() && tPrivilege.implies(requestPrivilege)) { return true; } } return false; }