/**
 * Creates the generic-model store as a wrapper around the legacy {@link SentryStore}.
 *
 * <p>The supplied {@code conf} is modified in place: the orphaned-privilege-removal key is set to
 * {@code "false"} before the delegate store is built from it. The privilege operator is created
 * before that change is applied.
 *
 * <p>The admin group set is read once here from {@code ServerConfig.ADMIN_GROUPS}. An unset key
 * yields an empty set. Membership in any listed group lets {@code grantOptionCheck} return
 * without consulting role privileges, so this list should be kept as small as possible.
 *
 * @param conf server configuration; mutated as described above
 * @throws SentryNoSuchObjectException declared by this constructor
 * @throws SentryAccessDeniedException declared by this constructor
 * @throws SentryConfigurationException declared by this constructor
 * @throws IOException declared by this constructor
 */
public DelegateSentryStore(Configuration conf) throws SentryNoSuchObjectException,
    SentryAccessDeniedException, SentryConfigurationException, IOException {
  this.conf = conf;
  this.privilegeOperator = new PrivilegeOperatePersistence(conf);

  // The generic model doesn't turn on the thread that cleans hive privileges.
  // This must happen before the delegate store is constructed from the same conf.
  conf.set(ServerConfig.SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL, "false");

  // Delegate to the old SentryStore.
  this.delegate = new SentryStore(conf);

  // Snapshot the configured admin groups into an immutable set of trimmed names.
  String[] configuredAdmins = conf.getStrings(ServerConfig.ADMIN_GROUPS, new String[]{});
  adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(configuredAdmins)));
}
/**
 * Creates the generic-model store as a wrapper around the legacy {@link SentryStore}.
 *
 * <p>The admin group set is read once here from {@code ServerConfig.ADMIN_GROUPS}. An unset key
 * yields an empty set. Membership in any listed group lets {@code grantOptionCheck} return
 * without consulting role privileges, so this list should be kept as small as possible.
 *
 * @param conf server configuration handed to the privilege operator and the delegate store
 * @throws Exception declared broadly; NOTE(review): the concrete failure types are not visible
 *     from this constructor, so callers cannot tell configuration errors from access errors
 */
public DelegateSentryStore(Configuration conf) throws Exception {
  this.conf = conf;
  this.privilegeOperator = new PrivilegeOperatePersistence(conf);

  // Delegate to the old SentryStore.
  this.delegate = new SentryStore(conf);

  // Snapshot the configured admin groups into an immutable set of trimmed names.
  String[] configuredAdmins = conf.getStrings(ServerConfig.ADMIN_GROUPS, new String[]{});
  adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(configuredAdmins)));
}
/**
 * Checks that {@code grantorPrincipal} is allowed to grant {@code requestPrivilege}.
 *
 * <p>The check fails closed and runs in this order:
 * <ol>
 *   <li>a null or empty principal is rejected as invalid input;</li>
 *   <li>a principal with no groups is denied;</li>
 *   <li>a principal in any admin group is accepted without looking at roles;</li>
 *   <li>otherwise the roles of the principal's groups must carry the grant option.</li>
 * </ol>
 * Both denial paths throw the same message, so a caller cannot tell "no groups" from
 * "no grant option".
 *
 * @param requestPrivilege privilege the grantor wants to hand out
 * @param grantorPrincipal name of the principal performing the grant
 * @param pm persistence manager used for the role and privilege lookups
 * @throws SentryUserException a {@code SentryInvalidInputException} for a missing principal, or a
 *     {@code SentryGrantDeniedException} when the grant is not permitted
 */
private void grantOptionCheck(PrivilegeObject requestPrivilege, String grantorPrincipal,
    PersistenceManager pm) throws SentryUserException {
  if (Strings.isNullOrEmpty(grantorPrincipal)) {
    throw new SentryInvalidInputException("grantorPrincipal should not be null or empty");
  }

  Set<String> requestorGroups = getRequestorGroups(grantorPrincipal);
  boolean hasNoGroups = requestorGroups == null || requestorGroups.isEmpty();
  if (hasNoGroups) {
    throw new SentryGrantDeniedException(grantorPrincipal + " has no grant!");
  }

  // Admin group check: any overlap with the configured admin groups is sufficient.
  boolean isAdmin = !Sets.intersection(adminGroups, toTrimmed(requestorGroups)).isEmpty();
  if (isAdmin) {
    return;
  }

  // Privilege grant option check.
  // NOTE(review): the admin check compares trimmed names, while this lookup passes the
  // untrimmed group names; confirm getRolesForGroups normalizes them the same way.
  Set<MSentryRole> grantorRoles = delegate.getRolesForGroups(pm, requestorGroups);
  boolean mayGrant = privilegeOperator.checkPrivilegeOption(grantorRoles, requestPrivilege, pm);
  if (!mayGrant) {
    throw new SentryGrantDeniedException(grantorPrincipal + " has no grant!");
  }
}
/**
 * Grant option check: decides whether {@code grantorPrincipal} may grant
 * {@code requestPrivilege}, and throws if not.
 *
 * <p>A principal passes either by belonging to one of the configured admin groups or by holding,
 * through the roles of its groups, the grant option for the requested privilege. A missing
 * principal and a principal without groups are rejected before either test runs.
 *
 * @param requestPrivilege privilege the grantor wants to hand out
 * @param grantorPrincipal name of the principal performing the grant
 * @param pm persistence manager used for the role and privilege lookups
 * @throws SentryUserException a {@code SentryInvalidInputException} for a missing principal, or a
 *     {@code SentryGrantDeniedException} when the grant is not permitted
 */
private void grantOptionCheck(PrivilegeObject requestPrivilege, String grantorPrincipal,
    PersistenceManager pm) throws SentryUserException {
  if (Strings.isNullOrEmpty(grantorPrincipal)) {
    throw new SentryInvalidInputException("grantorPrincipal should not be null or empty");
  }

  final Set<String> principalGroups = getRequestorGroups(grantorPrincipal);
  if (principalGroups == null || principalGroups.isEmpty()) {
    // No group membership means no role can apply, so deny outright.
    throw new SentryGrantDeniedException(grantorPrincipal + " has no grant!");
  }

  // Admin group check: only non-admins go on to the per-role grant option lookup.
  if (Sets.intersection(adminGroups, toTrimmed(principalGroups)).isEmpty()) {
    // Privilege grant option check.
    // NOTE(review): trimmed names are used for the admin comparison above but the raw names
    // are used here; verify both paths treat group names identically.
    final Set<MSentryRole> rolesOfGroups = delegate.getRolesForGroups(pm, principalGroups);
    if (!privilegeOperator.checkPrivilegeOption(rolesOfGroups, requestPrivilege, pm)) {
      throw new SentryGrantDeniedException(grantorPrincipal + " has no grant!");
    }
  }
}