/**
 * Returns a new {@link TPrivilegePrincipal} built from this instance via the copy constructor.
 *
 * @return a fresh copy of this principal
 */
public TPrivilegePrincipal deepCopy() {
  TPrivilegePrincipal copy = new TPrivilegePrincipal(this);
  return copy;
}
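/**
 * Merges the action of {@code mPriv} into the privilege map {@code update} under the key built
 * from {@code (tEntityType, principal)}.
 *
 * <p>An {@code AccessConstants.OWNER} action is recorded as {@code AccessConstants.ACTION_ALL}.
 * When the principal already has an entry, the new action is appended to the existing
 * comma-separated action list rather than replacing it.
 *
 * @param mPriv       privilege whose action is added; its action is upper-cased before use
 * @param tEntityType principal type used to build the map key
 * @param principal   principal name used to build the map key
 * @param update      map updated in place; also returned for call chaining
 * @return {@code update}, after the entry has been added or extended
 */
private static Map<TPrivilegePrincipal, String> addPrivilegeEntry(MSentryPrivilege mPriv,
    TPrivilegePrincipalType tEntityType, String principal,
    Map<TPrivilegePrincipal, String> update) {
  TPrivilegePrincipal key = new TPrivilegePrincipal(tEntityType, principal);
  // Locale.ROOT keeps the comparison against the AccessConstants.* values independent of the
  // JVM default locale (e.g. "insert".toUpperCase() yields a dotted capital I under tr_TR,
  // which would no longer match the expected action string).
  String action = mPriv.getAction().toUpperCase(java.util.Locale.ROOT);
  // Translate owner privilege to actual privilege.
  String newAction = action.equals(AccessConstants.OWNER) ? AccessConstants.ACTION_ALL : action;
  // Append to an existing comma-separated action list, or start a new entry.
  update.merge(key, newAction, (existing, added) -> existing + "," + added);
  return update;
}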
/**
 * Builds the permission update to be persisted for a rename event from the old and new thrift
 * authorizables.
 *
 * <p>The update carries a single {@code PermissionsUpdate.RENAME_PRIVS} privilege change in
 * which the new authzObj is added and the old one deleted, both keyed by an
 * {@code AUTHZ_OBJ} principal.
 *
 * @param oldAuthorizable thrift object describing the authorizable before the rename
 * @param newAuthorizable thrift object describing the authorizable after the rename
 * @return update to be persisted
 * @throws SentryInvalidInputException propagated from {@code SentryServiceUtil.getAuthzObj}
 *         when either authorizable cannot be converted (presumably because required fields
 *         are missing)
 */
@VisibleForTesting
static Update getPermUpdatableOnRename(TSentryAuthorizable oldAuthorizable,
    TSentryAuthorizable newAuthorizable) throws SentryInvalidInputException {
  String fromAuthz = SentryServiceUtil.getAuthzObj(oldAuthorizable);
  String toAuthz = SentryServiceUtil.getAuthzObj(newAuthorizable);

  TPrivilegePrincipal fromPrincipal =
      new TPrivilegePrincipal(TPrivilegePrincipalType.AUTHZ_OBJ, fromAuthz);
  TPrivilegePrincipal toPrincipal =
      new TPrivilegePrincipal(TPrivilegePrincipalType.AUTHZ_OBJ, toAuthz);

  PermissionsUpdate renameUpdate =
      new PermissionsUpdate(SentryConstants.INIT_CHANGE_ID, false);
  TPrivilegeChanges changes = renameUpdate.addPrivilegeUpdate(PermissionsUpdate.RENAME_PRIVS);
  changes.putToAddPrivileges(toPrincipal, toAuthz);
  changes.putToDelPrivileges(fromPrincipal, fromAuthz);
  return renameUpdate;
}
/**
 * Builds the permission update to be persisted for a drop event from the thrift authorizable.
 *
 * <p>The update contains one privilege change keyed by the dropped authzObj whose single
 * delete entry uses {@code PermissionsUpdate.ALL_PRIVS} as both principal name and value.
 *
 * @param authorizable thrift object that is dropped
 * @return update to be persisted
 * @throws SentryInvalidInputException propagated from {@code SentryServiceUtil.getAuthzObj}
 *         when the authorizable cannot be converted (presumably because required fields
 *         are missing)
 */
@VisibleForTesting
static Update getPermUpdatableOnDrop(TSentryAuthorizable authorizable)
    throws SentryInvalidInputException {
  PermissionsUpdate dropUpdate = new PermissionsUpdate(SentryConstants.INIT_CHANGE_ID, false);
  String droppedAuthz = SentryServiceUtil.getAuthzObj(authorizable);

  // The value of TPrivilegePrincipal being PermissionsUpdate.ALL_PRIVS indicates that all
  // privileges associated with this authorizable should be deleted, including both role and
  // user, i.e., the key value of TPrivilegePrincipalType.ROLE is ignored.
  TPrivilegePrincipal allPrivsPrincipal =
      new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, PermissionsUpdate.ALL_PRIVS);
  TPrivilegeChanges changes = dropUpdate.addPrivilegeUpdate(droppedAuthz);
  changes.putToDelPrivileges(allPrivsPrincipal, PermissionsUpdate.ALL_PRIVS);
  return dropUpdate;
}
assertEquals("ALL", privs.get("db3.tbl1").get(new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, roleName1))); assertEquals("ALL", privs.get("db3.tbl1").get(new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, roleName2)));
Map<String, Map<TPrivilegePrincipal, String>> privs = permImage.getPrivilegeImage(); assertEquals(1, privs.get("db1.tbl1").size()); assertEquals("REFRESH,INSERT,SELECT", privs.get("db1.tbl1").get(new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, roleName1)));
new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, roleName), privilege.getAction().toUpperCase()); new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, roleName), privilege.getAction().toUpperCase());
PermissionsUpdate renameUpdate = new PermissionsUpdate(0, false); TPrivilegeChanges privUpdate = renameUpdate.addPrivilegeUpdate(PermissionsUpdate.RENAME_PRIVS); privUpdate.putToAddPrivileges(new TPrivilegePrincipal(TPrivilegePrincipalType.AUTHZ_OBJ, newAuthz), newAuthz); privUpdate.putToDelPrivileges(new TPrivilegePrincipal(TPrivilegePrincipalType.AUTHZ_OBJ, oldAuthz), oldAuthz);
/**
 * Grants a SELECT privilege on {@code db1.tbl1} to one of two roles, drops the privilege with
 * an explicit permission update, and verifies both that no role keeps a privilege and that the
 * persisted perm change serialises to the same JSON as the update handed in.
 */
@Test
public void testDropObjWithPermUpdate() throws Exception {
  final String firstRole = "list-privs-r1";
  final String secondRole = "list-privs-r2";
  sentryStore.createSentryRole(firstRole);
  sentryStore.createSentryRole(secondRole);

  final String authzObj = "db1.tbl1";
  TSentryPrivilege tablePrivilege = new TSentryPrivilege();
  tablePrivilege.setPrivilegeScope("TABLE");
  tablePrivilege.setServerName("server1");
  tablePrivilege.setDbName("db1");
  tablePrivilege.setTableName("tbl1");
  tablePrivilege.setCreateTime(System.currentTimeMillis());
  tablePrivilege.setAction("SELECT");
  sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, firstRole,
      Sets.newHashSet(tablePrivilege), null);

  // Generate the permission drop update for dropping privilege for "db1.tbl1"
  PermissionsUpdate dropUpdate = new PermissionsUpdate(0, false);
  TPrivilegePrincipal allRolesPrincipal =
      new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, PermissionsUpdate.ALL_ROLES);
  dropUpdate.addPrivilegeUpdate(authzObj)
      .putToDelPrivileges(allRolesPrincipal, PermissionsUpdate.ALL_ROLES);

  // Drop the privilege and verify neither role retains anything.
  sentryStore.dropPrivilege(toTSentryAuthorizable(tablePrivilege), dropUpdate);
  assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(firstRole).size());
  assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(secondRole).size());

  // Query the persisted perm change and ensure it equals the original one.
  long lastChangeId = sentryStore.getLastProcessedPermChangeID();
  MSentryPermChange persistedChange = sentryStore.getMSentryPermChangeByID(lastChangeId);
  assertEquals(dropUpdate.JSONSerialize(), persistedChange.getPermChange());
}
/**
 * Creates a role, drops it with an explicit permission update that removes all of its
 * privileges and group memberships, and verifies both that the role is gone and that the
 * persisted perm change serialises to the same JSON as the update handed in.
 */
@Test
public void testCreateDropRoleWithPermUpdate() throws Exception {
  final String roleName = "test-drop-role";
  createRole(roleName);

  // Generate the permission del update for dropping role "test-drop-role"
  PermissionsUpdate delUpdate = new PermissionsUpdate(0, false);
  TPrivilegePrincipal rolePrincipal =
      new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, roleName);
  delUpdate.addPrivilegeUpdate(PermissionsUpdate.ALL_AUTHZ_OBJ)
      .putToDelPrivileges(rolePrincipal, PermissionsUpdate.ALL_AUTHZ_OBJ);
  delUpdate.addRoleUpdate(roleName).addToDelGroups(PermissionsUpdate.ALL_GROUPS);

  // Drop the role and verify it no longer exists.
  sentryStore.dropSentryRole(roleName, delUpdate);
  checkRoleDoesNotExist(roleName);

  // Query the persisted perm change and ensure it equals the original one.
  long lastChangeId = sentryStore.getLastProcessedPermChangeID();
  MSentryPermChange persistedChange = sentryStore.getMSentryPermChangeByID(lastChangeId);
  assertEquals(delUpdate.JSONSerialize(), persistedChange.getPermChange());
}