public Object getFieldValue(_Fields field) { switch (field) { case PRIVILEGE_SCOPE: return getPrivilegeScope(); case SERVER_NAME: return getServerName(); case DB_NAME: return getDbName(); case TABLE_NAME: return getTableName(); case URI: return getURI(); case ACTION: return getAction(); case CREATE_TIME: return Long.valueOf(getCreateTime()); case GRANT_OPTION: return getGrantOption(); case COLUMN_NAME: return getColumnName(); } throw new IllegalStateException(); }
private Set<TSentryPrivilege> convertColumnPrivilege( PrivilegeScope scope, String serverName, String uri, String db, String table, String column, String action, Boolean grantOption) { ImmutableSet.Builder<TSentryPrivilege> setBuilder = ImmutableSet.builder(); TSentryPrivilege privilege = new TSentryPrivilege(); privilege.setPrivilegeScope(scope.toString()); privilege.setServerName(serverName); privilege.setURI(uri); privilege.setDbName(db); privilege.setTableName(table); privilege.setColumnName(column); privilege.setAction(action); privilege.setCreateTime(System.currentTimeMillis()); privilege.setGrantOption(convertTSentryGrantOption(grantOption)); setBuilder.add(privilege); return setBuilder.build(); }
public static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) { PrivilegeScope privilegeScope = PrivilegeScope.SERVER; if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) { privilegeScope = PrivilegeScope.URI; } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) { privilegeScope = PrivilegeScope.COLUMN; } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) { privilegeScope = PrivilegeScope.TABLE; } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) { privilegeScope = PrivilegeScope.DATABASE; } return privilegeScope.toString(); }
boolean this_present_privilegeScope = true && tSentryPrivilege1.isSetPrivilegeScope(); boolean that_present_privilegeScope = true && tSentryPrivilege2.isSetPrivilegeScope(); if (this_present_privilegeScope || that_present_privilegeScope) { if (!(this_present_privilegeScope && that_present_privilegeScope)) { return false; if (!tSentryPrivilege1.getPrivilegeScope().equalsIgnoreCase( tSentryPrivilege2.getPrivilegeScope())) { return false; boolean this_present_serverName = true && tSentryPrivilege1.isSetServerName(); boolean that_present_serverName = true && tSentryPrivilege2.isSetServerName(); if (this_present_serverName || that_present_serverName) { if (!(this_present_serverName && that_present_serverName)) { return false; if (!tSentryPrivilege1.getServerName().equalsIgnoreCase(tSentryPrivilege2.getServerName())) { return false; boolean this_present_dbName = true && tSentryPrivilege1.isSetDbName(); boolean that_present_dbName = true && tSentryPrivilege2.isSetDbName(); if (this_present_dbName || that_present_dbName) { if (!(this_present_dbName && that_present_dbName)) { return false; if (!tSentryPrivilege1.getDbName().equalsIgnoreCase(tSentryPrivilege2.getDbName())) { return false; boolean this_present_tableName = true && tSentryPrivilege1.isSetTableName();
private TSentryPrivilege toSentryPrivilege(TSentryAuthorizable tAuthorizable) throws SentryInvalidInputException { TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); tSentryPrivilege.setDbName(fromNULLCol(tAuthorizable.getDb())); tSentryPrivilege.setServerName(fromNULLCol(tAuthorizable.getServer())); tSentryPrivilege.setTableName(fromNULLCol(tAuthorizable.getTable())); tSentryPrivilege.setColumnName(fromNULLCol(tAuthorizable.getColumn())); tSentryPrivilege.setURI(fromNULLCol(tAuthorizable.getUri())); PrivilegeScope scope; if (!isNULL(tSentryPrivilege.getColumnName())) { scope = PrivilegeScope.COLUMN; } else if (!isNULL(tSentryPrivilege.getTableName())) { scope = PrivilegeScope.TABLE; } else if (!isNULL(tSentryPrivilege.getDbName())) { scope = PrivilegeScope.DATABASE; } else if (!isNULL(tSentryPrivilege.getURI())) { scope = PrivilegeScope.URI; } else { scope = PrivilegeScope.SERVER; } tSentryPrivilege.setPrivilegeScope(scope.name()); tSentryPrivilege.setAction(AccessConstants.ALL); return tSentryPrivilege; }
String column2 = "c2"; long seqId = sentryStore.createSentryRole(roleName).getSequenceId(); TSentryPrivilege privilegeCol1 = new TSentryPrivilege(); privilegeCol1.setPrivilegeScope("COLUMN"); privilegeCol1.setServerName(server); privilegeCol1.setDbName(db); privilegeCol1.setTableName(table); privilegeCol1.setColumnName(column1); privilegeCol1.setAction(AccessConstants.ALL); privilegeCol1.setCreateTime(System.currentTimeMillis()); TSentryPrivilege privilegeCol2 = privilegeCol1.deepCopy(); privilegeCol2.setColumnName(column2); privilegeCol2.setAction(AccessConstants.SELECT); assertEquals(seqId + 3, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeCol2) .getSequenceId()); privilegeCol2.setAction(AccessConstants.INSERT); privilegeCol2.setPrivilegeScope("DATABASE"); privilegeCol2.unsetTableName(); privilegeCol2.unsetColumnName(); assertEquals(seqId + 4, sentryStore.alterSentryRoleRevokePrivilege(grantor, roleName, privilegeCol2) .getSequenceId());
private static void validatePrivilegeHierarchy(TSentryPrivilege tSentryPrivilege) throws Exception { String serverName = tSentryPrivilege.getServerName(); String dbName = tSentryPrivilege.getDbName(); String tableName = tSentryPrivilege.getTableName(); String columnName = tSentryPrivilege.getColumnName(); String uri = tSentryPrivilege.getURI(); if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) { if (StringUtils.isEmpty(serverName)) { throw new IllegalArgumentException("The hierarchy of privilege is not correct."); } } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) { if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(uri)) { throw new IllegalArgumentException("The hierarchy of privilege is not correct."); } } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) { if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)) { throw new IllegalArgumentException("The hierarchy of privilege is not correct."); } } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) { if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName) || StringUtils.isEmpty(tableName)) { throw new IllegalArgumentException("The hierarchy of privilege is not correct."); } } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope()) && (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName) || StringUtils.isEmpty(tableName) || StringUtils.isEmpty(columnName))) { throw new IllegalArgumentException("The hierarchy of privilege is not correct."); } } }
} else { if (!isNULL(privilege.getColumnName()) || !isNULL(privilege.getTableName()) || !isNULL(privilege.getDbName())) { if (AccessConstants.ALL.equalsIgnoreCase(privilege.getAction()) || AccessConstants.ACTION_ALL.equalsIgnoreCase(privilege.getAction())) { TSentryPrivilege tNotAll = new TSentryPrivilege(privilege); tNotAll.setAction(AccessConstants.SELECT); MSentryPrivilege mSelect = getMSentryPrivilege(tNotAll, pm); tNotAll.setAction(AccessConstants.INSERT); MSentryPrivilege mInsert = getMSentryPrivilege(tNotAll, pm); if (mSelect != null && mRole.getPrivileges().contains(mSelect)) { TSentryPrivilege tAll = new TSentryPrivilege(privilege); tAll.setAction(AccessConstants.ALL); MSentryPrivilege mAll1 = getMSentryPrivilege(tAll, pm); tAll.setAction(AccessConstants.ACTION_ALL); MSentryPrivilege mAll2 = getMSentryPrivilege(tAll, pm); if (mAll1 != null && mRole.getPrivileges().contains(mAll1)) {
private TSentryPrivilege getPrivilege(String action, String privilegeScope, String dbName, String tableName, String serverName, String URI) { TSentryPrivilege privilege = new TSentryPrivilege(); privilege.setAction(action); privilege.setPrivilegeScope(privilegeScope); privilege.setDbName(dbName); privilege.setTableName(tableName); privilege.setServerName(serverName); privilege.setURI(URI); return privilege; }
for (MSentryPrivilege m : privilegeGraph) { TSentryPrivilege t = convertToTSentryPrivilege(m); if (newTPrivilege.getPrivilegeScope().equals(PrivilegeScope.DATABASE.name())) { t.setDbName(newTPrivilege.getDbName()); } else if (newTPrivilege.getPrivilegeScope().equals(PrivilegeScope.TABLE.name())) { t.setTableName(newTPrivilege.getTableName());
private JsonLogEntity createJsonLogEntity( TAlterSentryRoleRevokePrivilegeRequest request, TSentryPrivilege privilege, TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) { DBAuditMetadataLogEntity hamle = createCommonHAMLE(conf, response.getStatus(), request.getRequestorUserName(), request.getClass().getName()); hamle.setOperationText(CommandUtil.createCmdForRevokePrivilege(request)); hamle.setDatabaseName(privilege.getDbName()); hamle.setTableName(privilege.getTableName()); hamle.setResourcePath(privilege.getURI()); return hamle; }
@Override public void read(org.apache.thrift.protocol.TProtocol prot, TAlterSentryRoleGrantPrivilegeResponse struct) throws org.apache.thrift.TException { TTupleProtocol iprot = (TTupleProtocol) prot; struct.status = new org.apache.sentry.service.thrift.TSentryResponseStatus(); struct.status.read(iprot); struct.setStatusIsSet(true); BitSet incoming = iprot.readBitSet(2); if (incoming.get(0)) { struct.privilege = new TSentryPrivilege(); struct.privilege.read(iprot); struct.setPrivilegeIsSet(true); } if (incoming.get(1)) { { org.apache.thrift.protocol.TSet _set29 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32()); struct.privileges = new HashSet<TSentryPrivilege>(2*_set29.size); for (int _i30 = 0; _i30 < _set29.size; ++_i30) { TSentryPrivilege _elem31; // required _elem31 = new TSentryPrivilege(); _elem31.read(iprot); struct.privileges.add(_elem31); } } struct.setPrivilegesIsSet(true); } } }
private String getAuthzObj(TSentryPrivilege privilege) { String authzObj = null; if (!SentryStore.isNULL(privilege.getDbName())) { String dbName = privilege.getDbName(); String tblName = privilege.getTableName(); if (SentryStore.isNULL(tblName)) { authzObj = dbName; } else { authzObj = dbName + "." + tblName; } } return authzObj == null ? null : authzObj.toLowerCase(); }
String column = "col1"; sentryStore.createSentryRole(roleName); TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("TABLE", "server1", "ALL"); tSentryPrivilege.setDbName(dbName); tSentryPrivilege.setTableName(table); tSentryPrivilege.setColumnName(column); sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, tSentryPrivilege);
private void onAlterSentryRoleGrantPrivilegeCore(String roleName, TSentryPrivilege privilege) throws SentryPluginException { String authzObj = getAuthzObj(privilege); if (authzObj != null) { PermissionsUpdate update = new PermissionsUpdate(permSeqNum.incrementAndGet(), false); update.addPrivilegeUpdate(authzObj).putToAddPrivileges( roleName, privilege.getAction().toUpperCase()); permsUpdater.handleUpdateNotification(update); LOGGER.debug("Authz Perm preUpdate [" + update.getSeqNum() + "].."); } }
@Test public void testSentryTablePrivilegeSome() throws Exception { String roleName = "test-table-privilege-some"; String grantor = "g1"; String dbName = "db1"; String table = "tb1"; sentryStore.createSentryRole(roleName); TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("TABLE", "server1", "ALL"); tSentryPrivilege.setDbName(dbName); tSentryPrivilege.setTableName(table); sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName, tSentryPrivilege); TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable(); tSentryAuthorizable.setDb(dbName); tSentryAuthorizable.setTable(AccessConstants.SOME); tSentryAuthorizable.setServer("server1"); Set<TSentryPrivilege> privileges = sentryStore.getTSentryPrivileges(new HashSet<String>(Arrays.asList(roleName)), tSentryAuthorizable); assertTrue(privileges.size() == 1); Set<TSentryGroup> tSentryGroups = new HashSet<TSentryGroup>(); tSentryGroups.add(new TSentryGroup("group1")); sentryStore.alterSentryRoleAddGroups(grantor, roleName, tSentryGroups); TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(true, new HashSet<String>(Arrays.asList(roleName))); Set<String> privs = sentryStore.listSentryPrivilegesForProvider(new HashSet<String>(Arrays.asList("group1")), thriftRoleSet, tSentryAuthorizable); assertTrue(privs.size()==1); assertTrue(privs.contains("server=server1->db=" + dbName + "->table=" + table + "->action=all")); }
public TSentryPrivilege deepCopy() { return new TSentryPrivilege(this); }
@Override public void onAlterSentryRoleRevokePrivilege( TAlterSentryRoleRevokePrivilegeRequest request) throws SentryPluginException { if (request.isSetPrivileges()) { String roleName = request.getRoleName(); for (TSentryPrivilege privilege : request.getPrivileges()) { if(!("COLUMN".equalsIgnoreCase(privilege.getPrivilegeScope()))) { onAlterSentryRoleRevokePrivilegeCore(roleName, privilege); } } } }
private boolean isMultiActionsSupported(TSentryPrivilege tPrivilege) { return tPrivilege.getDbName() != null; } // wrapper for dropOrRename
/** * Drop given privilege from all roles */ public void dropPrivilege(TSentryAuthorizable tAuthorizable) throws SentryNoSuchObjectException, SentryInvalidInputException { PersistenceManager pm = null; boolean rollbackTransaction = true; TSentryPrivilege tPrivilege = toSentryPrivilege(tAuthorizable); try { pm = openTransaction(); if (isMultiActionsSupported(tPrivilege)) { for (String privilegeAction : ALL_ACTIONS) { tPrivilege.setAction(privilegeAction); dropPrivilegeForAllRoles(pm, new TSentryPrivilege(tPrivilege)); } } else { dropPrivilegeForAllRoles(pm, new TSentryPrivilege(tPrivilege)); } rollbackTransaction = false; commitTransaction(pm); } catch (JDODataStoreException e) { throw new SentryInvalidInputException("Failed to get privileges: " + e.getMessage()); } finally { if (rollbackTransaction) { rollbackTransaction(pm); } } }