query.append("&& scope == \"" + toNULLCol(privilege.getScope()) + "\" "); query.append("&& action == \"" + toNULLCol(privilege.getAction()) + "\""); if (privilege.getGrantOption() == null) { query.append("&& this.grantOption == null "); } else if (privilege.getGrantOption()) { query.append("&& grantOption "); } else {
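/**
 * Checks whether any of the given roles holds a privilege that carries the grant
 * option and implies the requested privilege.
 *
 * <p>Role names are bound as JDOQL parameters instead of being concatenated into
 * the filter text, so a role name containing quotes or operators cannot alter the
 * query. A null or empty role set yields {@code false}: without a role filter the
 * query would select every stored privilege, and the check would then pass on a
 * privilege the caller's roles do not hold.
 *
 * @param roles roles whose privileges are consulted; may be null or empty
 * @param privilege privilege the caller wants to grant
 * @param pm persistence manager used to run the query
 * @return true if at least one privilege attached to the roles has the grant
 *         option set and implies the requested privilege
 */
public boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) {
  MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege);
  // Fail closed: no roles means nothing can authorize the grant.
  if (roles == null || roles.isEmpty()) {
    return false;
  }

  // Select the persistent privileges attached to any of the given roles.
  Query query = pm.newQuery(MSentryGMPrivilege.class);
  query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
  List<String> roleFilters = new LinkedList<String>();
  java.util.Map<String, Object> roleNameArgs = new java.util.HashMap<String, Object>();
  int index = 0;
  for (MSentryRole role : roles) {
    // One implicit parameter per role; the value never becomes part of the filter text.
    String paramName = "roleName" + index++;
    roleFilters.add("role.roleName == :" + paramName);
    roleNameArgs.put(paramName, role.getRoleName());
  }
  query.setFilter("roles.contains(role) && (" + Joiner.on(" || ").join(roleFilters) + ")");

  @SuppressWarnings("unchecked") // the query's candidate class is MSentryGMPrivilege
  List<MSentryGMPrivilege> tPrivileges =
      (List<MSentryGMPrivilege>) query.executeWithMap(roleNameArgs);
  for (MSentryGMPrivilege tPrivilege : tPrivileges) {
    // getGrantOption() returns a Boolean that may be null; treat unset as "no grant option"
    // rather than failing on unboxing in the middle of an authorization check.
    if (Boolean.TRUE.equals(tPrivilege.getGrantOption()) && tPrivilege.implies(requestPrivilege)) {
      return true;
    }
  }
  return false;
}

public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {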
/**
 * Converts a stored generic-model privilege into its Thrift counterpart.
 *
 * <p>The component name, service name, authorizables (converted through
 * {@code fromAuthorizable}) and action are copied over, and the nullable
 * grant option is mapped onto the three-valued {@link TSentryGrantOption}.
 *
 * @param mPrivilege persistent privilege to convert
 * @return the equivalent Thrift privilege
 */
private TSentryPrivilege toTSentryPrivilege(MSentryGMPrivilege mPrivilege) {
  TSentryPrivilege converted = new TSentryPrivilege(
      mPrivilege.getComponentName(),
      mPrivilege.getServiceName(),
      fromAuthorizable(mPrivilege.getAuthorizables()),
      mPrivilege.getAction());

  // null -> UNSET, true -> TRUE, false -> FALSE
  Boolean storedGrantOption = mPrivilege.getGrantOption();
  TSentryGrantOption thriftGrantOption;
  if (storedGrantOption == null) {
    thriftGrantOption = TSentryGrantOption.UNSET;
  } else if (storedGrantOption) {
    thriftGrantOption = TSentryGrantOption.TRUE;
  } else {
    thriftGrantOption = TSentryGrantOption.FALSE;
  }
  converted.setGrantOption(thriftGrantOption);
  return converted;
}
/**
 * Builds the Thrift form of a persistent generic-model privilege.
 *
 * @param mPrivilege persistent privilege whose component, service, authorizables,
 *        action and grant option are copied
 * @return Thrift privilege; its grant option is UNSET when the stored value is
 *         null, otherwise TRUE or FALSE to match the stored flag
 */
private TSentryPrivilege toTSentryPrivilege(MSentryGMPrivilege mPrivilege) {
  TSentryPrivilege result = new TSentryPrivilege(mPrivilege.getComponentName(),
      mPrivilege.getServiceName(),
      fromAuthorizable(mPrivilege.getAuthorizables()),
      mPrivilege.getAction());

  Boolean flag = mPrivilege.getGrantOption();
  // The null test comes first so the inner conditional never unboxes a null Boolean.
  TSentryGrantOption mapped = (flag == null)
      ? TSentryGrantOption.UNSET
      : (flag ? TSentryGrantOption.TRUE : TSentryGrantOption.FALSE);
  result.setGrantOption(mapped);
  return result;
}
.setAction(mPrivilege.getAction()) .setAuthorizables(mPrivilege.getAuthorizables()) .withGrantOption(mPrivilege.getGrantOption()) .build());
/**
 * Collects the privileges that the given roles hold for a component, service and
 * list of authorizables.
 *
 * @param component component name used to build the lookup privilege
 * @param service service name used to build the lookup privilege
 * @param roles roles to inspect; null or empty produces an empty result
 * @param authorizables authorizables used to build the lookup privilege
 * @param pm persistence manager passed on to {@code populateIncludePrivileges}
 * @return a new mutable set with one {@link PrivilegeObject} per distinct
 *         privilege returned by {@code populateIncludePrivileges}
 */
Set<PrivilegeObject> getPrivilegesByProvider(String component,
    String service, Set<MSentryRole> roles,
    List<? extends Authorizable> authorizables, PersistenceManager pm) {
  Set<PrivilegeObject> result = Sets.newHashSet();
  boolean hasRoles = roles != null && !roles.isEmpty();
  if (hasRoles) {
    // Lookup key: the last two constructor arguments are deliberately left null.
    MSentryGMPrivilege lookupKey =
        new MSentryGMPrivilege(component, service, authorizables, null, null);

    // Copy into a HashSet so equal privileges are visited only once.
    Set<MSentryGMPrivilege> matched = Sets.newHashSet();
    matched.addAll(populateIncludePrivileges(roles, lookupKey, pm));

    for (MSentryGMPrivilege stored : matched) {
      PrivilegeObject converted = new Builder()
          .setComponent(stored.getComponentName())
          .setService(stored.getServiceName())
          .setAction(stored.getAction())
          .setAuthorizables(stored.getAuthorizables())
          .withGrantOption(stored.getGrantOption())
          .build();
      result.add(converted);
    }
  }
  return result;
}
/**
 * Returns the privileges granted to the given roles for a component, service and
 * list of authorizables.
 *
 * @param component component name of the lookup privilege
 * @param service service name of the lookup privilege
 * @param roles roles to inspect; when null or empty an empty set is returned
 *        without querying
 * @param authorizables authorizables of the lookup privilege
 * @param pm persistence manager handed to {@code populateIncludePrivileges}
 * @return a new mutable set of {@link PrivilegeObject}s, one per distinct
 *         privilege found
 */
public Set<PrivilegeObject> getPrivilegesByProvider(String component,
    String service, Set<MSentryRole> roles,
    List<? extends Authorizable> authorizables, PersistenceManager pm) {
  Set<PrivilegeObject> found = Sets.newHashSet();
  if (roles == null || roles.isEmpty()) {
    // No roles: nothing to look up.
    return found;
  }

  MSentryGMPrivilege template =
      new MSentryGMPrivilege(component, service, authorizables, null, null);
  // De-duplicate whatever populateIncludePrivileges returns before converting.
  Set<MSentryGMPrivilege> distinct = Sets.newHashSet();
  distinct.addAll(populateIncludePrivileges(roles, template, pm));

  for (MSentryGMPrivilege entry : distinct) {
    Builder builder = new Builder();
    found.add(builder
        .setComponent(entry.getComponentName())
        .setService(entry.getServiceName())
        .setAction(entry.getAction())
        .setAuthorizables(entry.getAuthorizables())
        .withGrantOption(entry.getGrantOption())
        .build());
  }
  return found;
}
dropPrivilege.getGrantOption());
dropPrivilege.getGrantOption());
.setAction(mPrivilege.getAction()) .setAuthorizables(mPrivilege.getAuthorizables()) .withGrantOption(mPrivilege.getGrantOption()) .build());
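/**
 * Verify whether the specified privilege can be granted.
 *
 * <p>The roles' generic-model privileges are loaded with a parameterized JDO
 * query and the request is allowed only if one of them carries the grant option
 * and implies the requested privilege. The check fails closed: a null or empty
 * role set, or a stored privilege whose grant option is unset (null), never
 * authorizes the grant.
 *
 * @param roles set of roles for the privilege; null or empty yields false
 * @param privilege privilege being checked
 * @param pm persistence manager instance
 * @return true iff at least one privilege within the roles allows for the
 *         requested privilege
 */
boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) {
  MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege);
  // Null is treated like "no roles" so the check denies instead of throwing.
  if (roles == null || roles.isEmpty()) {
    return false;
  }

  // Find all GM privileges for all the input roles; role names are passed as
  // query arguments, not embedded in the filter string.
  Query query = pm.newQuery(MSentryGMPrivilege.class);
  QueryParamBuilder paramBuilder =
      QueryParamBuilder.addRolesFilter(query, null, SentryStore.rolesToRoleNames(roles));
  query.setFilter(paramBuilder.toString());

  @SuppressWarnings("unchecked") // the query's candidate class is MSentryGMPrivilege
  List<MSentryGMPrivilege> tPrivileges =
      (List<MSentryGMPrivilege>) query.executeWithMap(paramBuilder.getArguments());
  for (MSentryGMPrivilege tPrivilege : tPrivileges) {
    // getGrantOption() is a nullable Boolean; comparing against Boolean.TRUE avoids
    // a NullPointerException on unboxing when the stored value is unset.
    if (Boolean.TRUE.equals(tPrivilege.getGrantOption()) && tPrivilege.implies(requestPrivilege)) {
      return true;
    }
  }
  return false;
}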
/**
 * Builds the JDO query parameters used to search for the given privilege.
 *
 * <p>Service name, component name, scope and action are added after passing
 * through {@code SentryStore.toNULLCol}; the grant option is added as an object.
 * For each of the {@code MSentryGMPrivilege.AUTHORIZABLE_LEVEL} resource slots,
 * the name and type of the authorizable at that position are added, or both
 * columns are added as null once the privilege has no more authorizables.
 *
 * @param privilege privilege to extract the search values from
 * @return query builder suitable for executing the query
 */
private static QueryParamBuilder toQueryParam(MSentryGMPrivilege privilege) {
  QueryParamBuilder builder = QueryParamBuilder.newQueryParamBuilder();
  builder.add(SERVICE_NAME, SentryStore.toNULLCol(privilege.getServiceName()), true)
      .add(COMPONENT_NAME, SentryStore.toNULLCol(privilege.getComponentName()), true)
      .add(SCOPE, SentryStore.toNULLCol(privilege.getScope()), true)
      .add(ACTION, SentryStore.toNULLCol(privilege.getAction()), true);

  builder.addObject(SentryConstants.GRANT_OPTION, privilege.getGrantOption());

  List<? extends Authorizable> resources = privilege.getAuthorizables();
  int resourceCount = resources.size();
  for (int level = 0; level < MSentryGMPrivilege.AUTHORIZABLE_LEVEL; level++) {
    String nameColumn = MSentryGMPrivilege.PREFIX_RESOURCE_NAME + Integer.toString(level);
    String typeColumn = MSentryGMPrivilege.PREFIX_RESOURCE_TYPE + Integer.toString(level);
    if (level < resourceCount) {
      Authorizable resource = resources.get(level);
      builder.add(nameColumn, resource.getName(), true);
      builder.add(typeColumn, resource.getTypeName(), true);
    } else {
      // Slots beyond the privilege's authorizables must match null columns.
      builder.addNull(nameColumn);
      builder.addNull(typeColumn);
    }
  }
  return builder;
}