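/**
 * Checks whether at least one of the given roles holds a privilege WITH GRANT OPTION
 * that implies the requested privilege.
 *
 * <p>Role names are bound as declared JDOQL query parameters instead of being spliced
 * into the filter string, so a role name containing quote characters cannot change
 * the query. A null or empty role set returns {@code false} without querying: with no
 * role clause the filter would otherwise be empty and match every persisted privilege,
 * not only those attached to the caller's roles.
 *
 * @param roles     roles whose privileges are consulted; may be null or empty
 * @param privilege the privilege whose grant is being requested
 * @param pm        persistence manager used to look up MSentryGMPrivilege instances
 * @return true iff some role has a grant-option privilege that implies {@code privilege}
 */
public boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) {
  MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege);
  // No roles means nothing can delegate the grant; do not fall through to an
  // unfiltered query over all persisted privileges.
  if (roles == null || roles.isEmpty()) {
    return false;
  }

  // Fetch the persisted GM privileges attached to any of the roles. Each role name
  // is passed as a declared parameter (p0, p1, ...) rather than concatenated into
  // the filter text.
  Query query = pm.newQuery(MSentryGMPrivilege.class);
  query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
  List<String> roleClauses = new LinkedList<String>();
  List<String> paramDecls = new LinkedList<String>();
  java.util.Map<String, Object> params = new java.util.HashMap<String, Object>();
  int index = 0;
  for (MSentryRole role : roles) {
    String param = "p" + index++;
    roleClauses.add("role.roleName == " + param);
    paramDecls.add("java.lang.String " + param);
    params.put(param, role.getRoleName());
  }
  query.declareParameters(Joiner.on(", ").join(paramDecls));
  query.setFilter("roles.contains(role) && (" + Joiner.on(" || ").join(roleClauses) + ")");

  @SuppressWarnings("unchecked") // JDO's untyped Query API; the candidate class fixes the element type
  List<MSentryGMPrivilege> tPrivileges = (List<MSentryGMPrivilege>) query.executeWithMap(params);
  for (MSentryGMPrivilege tPrivilege : tPrivileges) {
    // Only a privilege held WITH GRANT OPTION can delegate the requested one.
    if (tPrivilege.getGrantOption() && tPrivilege.implies(requestPrivilege)) {
      return true;
    }
  }
  return false;
}
public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {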
/**
 * A server-scoped persisted privilege implies narrower (collection, field) requests
 * for the same action, and for any action when the persisted action is ALL.
 */
@Test
public void testImpliesWithServerScope() throws Exception {
  // Persisted privilege at server scope (no authorizables), plus two narrower requests.
  MSentryGMPrivilege serverScoped = new MSentryGMPrivilege("solr", "service1", null,
      SolrConstants.QUERY, false);
  MSentryGMPrivilege collectionScoped = new MSentryGMPrivilege("solr", "service1",
      Arrays.asList(new Collection("c1")), SolrConstants.QUERY, false);
  MSentryGMPrivilege fieldScoped = new MSentryGMPrivilege("solr", "service1",
      Arrays.asList(new Collection("c1"), new Field("f1")), SolrConstants.QUERY, false);

  // Same action: wider scope implies narrower scope.
  assertTrue(serverScoped.implies(collectionScoped));
  assertTrue(serverScoped.implies(fieldScoped));
  assertTrue(collectionScoped.implies(fieldScoped));

  // Different action: scope alone is not enough.
  serverScoped.setAction(SolrConstants.UPDATE);
  assertFalse(serverScoped.implies(collectionScoped));
  assertFalse(serverScoped.implies(fieldScoped));

  // ALL on the persisted side covers the requested action.
  serverScoped.setAction(SolrConstants.ALL);
  assertTrue(serverScoped.implies(collectionScoped));
  assertTrue(serverScoped.implies(fieldScoped));
}
/**
/**
 * A server-scoped persisted privilege implies narrower (collection, field) requests
 * for the same action, and for any action when the persisted action is ALL.
 */
@Test
public void testImpliesWithServerScope() throws Exception {
  // Persisted privilege at server scope (no authorizables), plus two narrower requests.
  MSentryGMPrivilege serverScoped = new MSentryGMPrivilege("solr", "service1", null,
      SearchConstants.QUERY, false);
  MSentryGMPrivilege collectionScoped = new MSentryGMPrivilege("solr", "service1",
      Arrays.asList(new Collection("c1")), SearchConstants.QUERY, false);
  MSentryGMPrivilege fieldScoped = new MSentryGMPrivilege("solr", "service1",
      Arrays.asList(new Collection("c1"), new Field("f1")), SearchConstants.QUERY, false);

  // Same action: wider scope implies narrower scope.
  assertTrue(serverScoped.implies(collectionScoped));
  assertTrue(serverScoped.implies(fieldScoped));
  assertTrue(collectionScoped.implies(fieldScoped));

  // Different action: scope alone is not enough.
  serverScoped.setAction(SearchConstants.UPDATE);
  assertFalse(serverScoped.implies(collectionScoped));
  assertFalse(serverScoped.implies(fieldScoped));

  // ALL on the persisted side covers the requested action.
  serverScoped.setAction(SearchConstants.ALL);
  assertTrue(serverScoped.implies(collectionScoped));
  assertTrue(serverScoped.implies(fieldScoped));
}
/**
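/**
 * Verify whether the specified privilege can be granted by one of the given roles,
 * i.e. whether a role holds a privilege WITH GRANT OPTION that implies it.
 *
 * <p>A null or empty role set yields {@code false} without querying the store: with
 * no role clause the query would otherwise not be restricted to the caller's roles.
 *
 * @param roles set of roles for the privilege; null is treated as empty
 * @param privilege privilege being checked
 * @param pm persistence manager instance
 * @return true iff at least one grant-option privilege within the roles implies the
 *     requested privilege
 */
boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) {
  MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege);
  // Guard null as well as empty: callers passing no roles must not reach the query.
  if (roles == null || roles.isEmpty()) {
    return false;
  }
  // Find all GM privileges for all the input roles. Role names are supplied to the
  // query as arguments (executeWithMap) rather than concatenated into the filter.
  Query query = pm.newQuery(MSentryGMPrivilege.class);
  QueryParamBuilder paramBuilder = QueryParamBuilder.addRolesFilter(query, null, SentryStore.rolesToRoleNames(roles));
  query.setFilter(paramBuilder.toString());
  @SuppressWarnings("unchecked") // JDO's untyped Query API; the candidate class fixes the element type
  List<MSentryGMPrivilege> tPrivileges = (List<MSentryGMPrivilege>) query.executeWithMap(paramBuilder.getArguments());
  for (MSentryGMPrivilege tPrivilege : tPrivileges) {
    // Only a privilege held WITH GRANT OPTION can delegate the requested one.
    if (tPrivilege.getGrantOption() && tPrivilege.implies(requestPrivilege)) {
      return true;
    }
  }
  return false;
}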
"service2", null,SolrConstants.QUERY, false); assertFalse(serverPrivilege1.implies(serverPrivilege2)); SolrConstants.QUERY, false); assertFalse(collectionPrivilege1.implies(collectionPrivilege2)); SolrConstants.QUERY, false); assertFalse(fieldPrivilege1.implies(fieldPrivilege2)); collectionPrivilege2.implies(collectionPrivilege1); fieldPrivilege2.implies(fieldPrivilege1);
/**
 * With identical scope, implication is decided by the action: equal actions imply,
 * differing actions do not, and ALL on the persisted side implies any action.
 */
@Test
public void testSearchImpliesAction() throws Exception {
  // Same field, same action.
  MSentryGMPrivilege persisted = new MSentryGMPrivilege("solr", "service1",
      Arrays.asList(new Collection("c1"), new Field("f2")), SolrConstants.QUERY, false);
  MSentryGMPrivilege requested = new MSentryGMPrivilege("solr", "service1",
      Arrays.asList(new Collection("c1"), new Field("f2")), SolrConstants.QUERY, false);
  assertTrue(persisted.implies(requested));

  // Same field, different action: QUERY does not cover UPDATE.
  requested.setAction(SolrConstants.UPDATE);
  assertFalse(persisted.implies(requested));

  // Persisted ALL covers the requested UPDATE.
  persisted.setAction(SolrConstants.ALL);
  assertTrue(persisted.implies(requested));
}
}
"service2", null,SearchConstants.QUERY, false); assertFalse(serverPrivilege1.implies(serverPrivilege2)); SearchConstants.QUERY, false); assertFalse(collectionPrivilege1.implies(collectionPrivilege2)); SearchConstants.QUERY, false); assertFalse(fieldPrivilege1.implies(fieldPrivilege2)); collectionPrivilege2.implies(collectionPrivilege1); fieldPrivilege2.implies(fieldPrivilege1);
/**
 * With identical scope, implication is decided by the action: equal actions imply,
 * differing actions do not, and ALL on the persisted side implies any action.
 */
@Test
public void testSearchImpliesAction() throws Exception {
  // Same field, same action.
  MSentryGMPrivilege persisted = new MSentryGMPrivilege("solr", "service1",
      Arrays.asList(new Collection("c1"), new Field("f2")), SearchConstants.QUERY, false);
  MSentryGMPrivilege requested = new MSentryGMPrivilege("solr", "service1",
      Arrays.asList(new Collection("c1"), new Field("f2")), SearchConstants.QUERY, false);
  assertTrue(persisted.implies(requested));

  // Same field, different action: QUERY does not cover UPDATE.
  requested.setAction(SearchConstants.UPDATE);
  assertFalse(persisted.implies(requested));

  // Persisted ALL covers the requested UPDATE.
  persisted.setAction(SearchConstants.ALL);
  assertTrue(persisted.implies(requested));
}
}
"service1", Arrays.asList(new Collection("c1"), new Field("f1")), SearchConstants.QUERY, false); assertTrue(serverPrivilege.implies(collectionPrivilege)); assertTrue(serverPrivilege.implies(fieldPrivilege)); assertTrue(collectionPrivilege.implies(fieldPrivilege)); assertFalse(fieldPrivilege.implies(collectionPrivilege)); assertFalse(fieldPrivilege.implies(serverPrivilege)); assertFalse(collectionPrivilege.implies(serverPrivilege)); SearchConstants.QUERY, false); assertTrue(fieldAllPrivilege.implies(collectionPrivilege)); "service1", Arrays.asList(new Collection("c2"), new Field("f2")), SearchConstants.QUERY, false); assertFalse(fieldPrivilege1.implies(fieldPrivilege2));
"service1", Arrays.asList(new Collection("c1"), new Field("f1")), SolrConstants.QUERY, false); assertTrue(serverPrivilege.implies(collectionPrivilege)); assertTrue(serverPrivilege.implies(fieldPrivilege)); assertTrue(collectionPrivilege.implies(fieldPrivilege)); assertFalse(fieldPrivilege.implies(collectionPrivilege)); assertFalse(fieldPrivilege.implies(serverPrivilege)); assertFalse(collectionPrivilege.implies(serverPrivilege)); SolrConstants.QUERY, false); assertTrue(fieldAllPrivilege.implies(collectionPrivilege)); "service1", Arrays.asList(new Collection("c2"), new Field("f2")), SolrConstants.QUERY, false); assertFalse(fieldPrivilege1.implies(fieldPrivilege2));