String columnName = tSentryPrivilege.getColumnName(); String uri = tSentryPrivilege.getURI(); String action = tSentryPrivilege.getAction(); String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true" : "false");
String columnName = tSentryPrivilege.getColumnName(); String uri = tSentryPrivilege.getURI(); String action = tSentryPrivilege.getAction(); String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true" : "false");
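/**
 * Publishes an "add privilege" permissions update for {@code roleName} to the
 * permissions updater. Nothing is published when {@link #getAuthzObj} maps the
 * privilege to no authorizable object (returns {@code null}); the sequence number
 * is only consumed when an update is actually sent.
 *
 * @param roleName  role that received the privilege
 * @param privilege the granted privilege; its action string is upper-cased before
 *                  being used as the privilege key
 * @throws SentryPluginException propagated from the updater
 */
private void onAlterSentryRoleGrantPrivilegeCore(String roleName, TSentryPrivilege privilege)
    throws SentryPluginException {
  String authzObj = getAuthzObj(privilege);
  if (authzObj == null) {
    return;
  }
  PermissionsUpdate update = new PermissionsUpdate(permSeqNum.incrementAndGet(), false);
  // Locale.ROOT: the action string is a privilege key, so its casing must not depend on the
  // JVM default locale (e.g. "insert".toUpperCase() under tr_TR yields a dotted capital I).
  String action = privilege.getAction().toUpperCase(java.util.Locale.ROOT);
  update.addPrivilegeUpdate(authzObj).putToAddPrivileges(roleName, action);
  permsUpdater.handleUpdateNotification(update);
  // Include the authz object so the grant log line carries the same context as the revoke one.
  LOGGER.debug("Authz Perm preUpdate [" + update.getSeqNum() + ", " + authzObj + "]..");
}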
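/**
 * Publishes a "delete privilege" permissions update for {@code roleName} to the
 * permissions updater. Nothing is published when {@link #getAuthzObj} maps the
 * privilege to no authorizable object (returns {@code null}); the sequence number
 * is only consumed when an update is actually sent.
 *
 * @param roleName  role whose privilege was revoked
 * @param privilege the revoked privilege; its action string is upper-cased before
 *                  being used as the privilege key
 * @throws SentryPluginException propagated from the updater
 */
private void onAlterSentryRoleRevokePrivilegeCore(String roleName, TSentryPrivilege privilege)
    throws SentryPluginException {
  String authzObj = getAuthzObj(privilege);
  if (authzObj == null) {
    return;
  }
  PermissionsUpdate update = new PermissionsUpdate(permSeqNum.incrementAndGet(), false);
  // Locale.ROOT: the action string is a privilege key, so its casing must not depend on the
  // JVM default locale; a locale-dependent upper-casing could fail to match the granted key.
  String action = privilege.getAction().toUpperCase(java.util.Locale.ROOT);
  update.addPrivilegeUpdate(authzObj).putToDelPrivileges(roleName, action);
  permsUpdater.handleUpdateNotification(update);
  LOGGER.debug("Authz Perm preUpdate [" + update.getSeqNum() + ", " + authzObj + "]..");
}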
/**
 * Applies a revoke that may only cover part of what the role currently holds.
 * Roles can be granted ALL, SELECT, and INSERT on tables. Revoking ALL (or "*")
 * detaches the role from the privilege outright. Revoking SELECT from a role that
 * does not hold a plain INSERT privilege replaces the current privilege by INSERT;
 * revoking INSERT from a role that does not hold a plain SELECT privilege replaces
 * it by SELECT. Any other combination is a no-op here.
 *
 * @param pm                   persistence manager used for lookup and persist
 * @param requestedPrivToRevoke the privilege the caller asked to revoke
 * @param mRole                the role being modified
 * @param currentPrivilege     the privilege the role currently holds
 * @throws SentryInvalidInputException from the thrift/model conversions
 */
private void revokePartial(PersistenceManager pm, TSentryPrivilege requestedPrivToRevoke,
    MSentryRole mRole, MSentryPrivilege currentPrivilege) throws SentryInvalidInputException {
  TSentryPrivilege currentAsThrift = convertToTSentryPrivilege(currentPrivilege);
  MSentryPrivilege persistedPriv = getMSentryPrivilege(currentAsThrift, pm);
  if (persistedPriv == null) {
    // No persisted row matched; operate on a freshly built model object instead.
    persistedPriv = convertToMSentryPrivilege(currentAsThrift);
  }

  String requestedAction = requestedPrivToRevoke.getAction();
  boolean revokeEverything =
      requestedAction.equalsIgnoreCase("ALL") || requestedAction.equalsIgnoreCase("*");
  if (revokeEverything) {
    persistedPriv.removeRole(mRole);
    privCleaner.incPrivRemoval();
    pm.makePersistent(persistedPriv);
    return;
  }

  boolean revokeSelect = requestedAction.equalsIgnoreCase(AccessConstants.SELECT)
      && !currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.INSERT);
  if (revokeSelect) {
    // SELECT goes away, INSERT remains.
    revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, AccessConstants.INSERT);
    return;
  }

  boolean revokeInsert = requestedAction.equalsIgnoreCase(AccessConstants.INSERT)
      && !currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.SELECT);
  if (revokeInsert) {
    // INSERT goes away, SELECT remains.
    revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, AccessConstants.SELECT);
  }
}
String action = privilege.getAction(); String privilegeScope = privilege.getPrivilegeScope(); if (AccessConstants.ALL.equalsIgnoreCase(action)) {
/**
 * Returns the current value of the requested thrift field, boxed as an {@code Object}.
 * {@code CREATE_TIME} is boxed to {@link Long}; every other field is returned as-is
 * from its getter.
 *
 * @param field the field to read
 * @return the field's value (may be {@code null} if the getter returns {@code null})
 * @throws IllegalStateException if {@code field} is not one of the known fields
 */
public Object getFieldValue(_Fields field) {
  switch (field) {
    case PRIVILEGE_SCOPE:
      return getPrivilegeScope();
    case SERVER_NAME:
      return getServerName();
    case DB_NAME:
      return getDbName();
    case TABLE_NAME:
      return getTableName();
    case URI:
      return getURI();
    case ACTION:
      return getAction();
    case CREATE_TIME:
      return Long.valueOf(getCreateTime());
    case GRANT_OPTION:
      return getGrantOption();
    case COLUMN_NAME:
      return getColumnName();
    default:
      throw new IllegalStateException();
  }
}
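/**
 * Grants the privilege described by {@code privilegeStr} to {@code roleName}, dispatching
 * on the privilege scope (SERVER, DATABASE, TABLE, COLUMN or URI) to the matching client call.
 *
 * @param client        policy service client used to perform the grant
 * @param requestorName user on whose behalf the grant is requested
 * @throws IllegalArgumentException if the parsed scope is none of the handled values;
 *         previously such input was silently ignored, leaving the operator to believe
 *         the grant had been applied
 * @throws Exception propagated from the client call
 */
@Override
public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
  TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
  // Null-safe: an absent grant option is treated as "no grant option".
  boolean grantOption = TSentryGrantOption.TRUE.equals(tSentryPrivilege.getGrantOption());
  String scope = tSentryPrivilege.getPrivilegeScope();
  String server = tSentryPrivilege.getServerName();
  String action = tSentryPrivilege.getAction();
  if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(scope)) {
    client.grantServerPrivilege(requestorName, roleName, server, action, grantOption);
  } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(scope)) {
    client.grantDatabasePrivilege(requestorName, roleName, server,
        tSentryPrivilege.getDbName(), action, grantOption);
  } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(scope)) {
    client.grantTablePrivilege(requestorName, roleName, server,
        tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(), action, grantOption);
  } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(scope)) {
    client.grantColumnPrivilege(requestorName, roleName, server,
        tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
        tSentryPrivilege.getColumnName(), action, grantOption);
  } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(scope)) {
    // URI grants carry no action argument on the client API.
    client.grantURIPrivilege(requestorName, roleName, server, tSentryPrivilege.getURI(), grantOption);
  } else {
    throw new IllegalArgumentException("Unsupported privilege scope: " + scope);
  }
}
}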
msg.append(privilege.getURI()); msg.append(",action="); msg.append(privilege.getAction()); msg.append("] ");
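/**
 * Admin grants a server-level privilege to a fresh role, checks it is listed as "*",
 * revokes it, and checks the role has no privileges left.
 *
 * @throws Exception from the client calls
 */
@Override
public void runTestAsSubject() throws Exception {
  String requestorUserName = ADMIN_USER;
  Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
  setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
  writePolicyFile();
  String roleName1 = "admin_r1";
  client.dropRoleIfExists(requestorUserName, roleName1);
  client.createRole(requestorUserName, roleName1);
  client.grantServerPrivilege(requestorUserName, roleName1, "server", false);
  Set<TSentryPrivilege> listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
  // Check the count first so a missing grant fails as an assertion rather than as a
  // NoSuchElementException from iterator().next() on an empty set.
  assertTrue("Expected exactly one privilege, got " + listPrivs.size(), listPrivs.size() == 1);
  assertTrue("Privilege should be all:", listPrivs.iterator().next().getAction().equals("*"));
  client.revokeServerPrivilege(requestorUserName, roleName1, "server", false);
  listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
  assertTrue("Privilege not correctly revoked !!", listPrivs.isEmpty());
}
});
}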
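/**
 * Revokes the privilege described by {@code privilegeStr} from {@code roleName}, dispatching
 * on the privilege scope (SERVER, DATABASE, TABLE, COLUMN or URI) to the matching client call.
 *
 * @param client        policy service client used to perform the revoke
 * @param requestorName user on whose behalf the revoke is requested
 * @throws IllegalArgumentException if the parsed scope is none of the handled values;
 *         previously such input was silently ignored, so a revoke the operator believed
 *         had taken effect left the privilege in place
 * @throws Exception propagated from the client call
 */
@Override
public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
  TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
  // Null-safe: an absent grant option is treated as "no grant option".
  boolean grantOption = TSentryGrantOption.TRUE.equals(tSentryPrivilege.getGrantOption());
  String scope = tSentryPrivilege.getPrivilegeScope();
  String server = tSentryPrivilege.getServerName();
  String action = tSentryPrivilege.getAction();
  if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(scope)) {
    // Server-level revoke takes no action argument on the client API.
    client.revokeServerPrivilege(requestorName, roleName, server, grantOption);
  } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(scope)) {
    client.revokeDatabasePrivilege(requestorName, roleName, server,
        tSentryPrivilege.getDbName(), action, grantOption);
  } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(scope)) {
    client.revokeTablePrivilege(requestorName, roleName, server,
        tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(), action, grantOption);
  } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(scope)) {
    client.revokeColumnPrivilege(requestorName, roleName, server,
        tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
        tSentryPrivilege.getColumnName(), action, grantOption);
  } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(scope)) {
    client.revokeURIPrivilege(requestorName, roleName, server, tSentryPrivilege.getURI(), grantOption);
  } else {
    throw new IllegalArgumentException("Unsupported privilege scope: " + scope);
  }
}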
/**
 * Renders one row per privilege in the column layout used for grant listings.
 * The first column is the URI for URI-scoped privileges, "*" for server-scoped ones,
 * and the database name otherwise; the remaining columns follow in a fixed order.
 *
 * @param privileges privileges held by {@code roleName}; {@code null} or empty yields ""
 * @param roleName   principal name written into every row
 * @return the rendered rows, or the empty string when there is nothing to render
 */
static String writeGrantInfo(Set<TSentryPrivilege> privileges, String roleName) {
  if (privileges == null || privileges.isEmpty()) {
    return "";
  }
  StringBuilder builder = new StringBuilder();
  for (TSentryPrivilege privilege : privileges) {
    appendGrantRow(builder, privilege, roleName);
  }
  LOG.info("builder.toString(): " + builder.toString());
  return builder.toString();
}

/** Appends the columns of a single privilege row to {@code builder}. */
private static void appendGrantRow(StringBuilder builder, TSentryPrivilege privilege, String roleName) {
  String scope = privilege.getPrivilegeScope();
  if (PrivilegeScope.URI.name().equalsIgnoreCase(scope)) {
    appendNonNull(builder, privilege.getURI(), true);
  } else if (PrivilegeScope.SERVER.name().equalsIgnoreCase(scope)) {
    // Db column shows "*" for a server-level privilege.
    appendNonNull(builder, "*", true);
  } else {
    appendNonNull(builder, privilege.getDbName(), true);
  }
  appendNonNull(builder, privilege.getTableName());
  appendNonNull(builder, null);                     // partition values: not tracked
  appendNonNull(builder, privilege.getColumnName()); // column name
  appendNonNull(builder, roleName);                 // principal name
  appendNonNull(builder, "ROLE");                   // principal type
  appendNonNull(builder, privilege.getAction());
  appendNonNull(builder, TSentryGrantOption.TRUE.equals(privilege.getGrantOption()));
  // NOTE(review): presumably scales seconds to milliseconds — confirm against the thrift field's unit.
  appendNonNull(builder, privilege.getCreateTime() * 1000L);
  appendNonNull(builder, "--");
}
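/**
 * Looks up every persisted privilege matching {@code tPriv}.
 * serverName and action are always matched; dbName, tableName and columnName are matched
 * progressively as long as each is set; when dbName is unset the URI is matched instead.
 * Values are bound as JDOQL parameters rather than spliced into the filter text, so a value
 * containing quote characters (the privilege fields arrive from the thrift request) cannot
 * change the structure of the query.
 *
 * @param tPriv the privilege whose fields form the match criteria
 * @param pm    persistence manager used to create the query
 * @return the matching privileges (possibly empty)
 */
private List<MSentryPrivilege> getMSentryPrivileges(TSentryPrivilege tPriv, PersistenceManager pm) {
  Query query = pm.newQuery(MSentryPrivilege.class);
  StringBuilder filter = new StringBuilder();
  StringBuilder paramDecl = new StringBuilder();
  List<Object> args = new java.util.ArrayList<Object>();
  addEqualsClause(filter, paramDecl, args, "this.serverName", "pServerName",
      toNULLCol(safeTrimLower(tPriv.getServerName())));
  if (!isNULL(tPriv.getDbName())) {
    addEqualsClause(filter, paramDecl, args, "this.dbName", "pDbName",
        toNULLCol(safeTrimLower(tPriv.getDbName())));
    if (!isNULL(tPriv.getTableName())) {
      addEqualsClause(filter, paramDecl, args, "this.tableName", "pTableName",
          toNULLCol(safeTrimLower(tPriv.getTableName())));
      if (!isNULL(tPriv.getColumnName())) {
        addEqualsClause(filter, paramDecl, args, "this.columnName", "pColumnName",
            toNULLCol(safeTrimLower(tPriv.getColumnName())));
      }
    }
  } else if (!isNULL(tPriv.getURI())) {
    // if db is null, uri is not null
    addEqualsClause(filter, paramDecl, args, "this.URI", "pUri",
        toNULLCol(safeTrim(tPriv.getURI())));
  }
  addEqualsClause(filter, paramDecl, args, "this.action", "pAction",
      toNULLCol(safeTrimLower(tPriv.getAction())));
  query.setFilter(filter.toString());
  query.declareParameters(paramDecl.toString());
  // JDO's untyped Query API returns a raw Object; the element type is fixed by newQuery(MSentryPrivilege.class).
  @SuppressWarnings("unchecked")
  List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query.executeWithArray(args.toArray());
  return privileges;
}

/**
 * Appends "{@code field == param}" to {@code filter} (prefixed with "&&" after the first clause),
 * declares {@code param} as a String parameter in {@code paramDecl}, and records {@code value}
 * as the positional argument for it.
 */
private static void addEqualsClause(StringBuilder filter, StringBuilder paramDecl, List<Object> args,
    String field, String param, String value) {
  if (filter.length() > 0) {
    filter.append(" && ");
    paramDecl.append(", ");
  }
  filter.append(field).append(" == ").append(param);
  paramDecl.append("String ").append(param);
  args.add(value);
}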
/**
 * Converts a thrift privilege into its model counterpart, normalising as it goes:
 * server, db, table, column and action are trimmed and lower-cased; scope and URI are
 * only trimmed; null/empty columns are mapped through {@code toNULLCol}. The model's
 * create time is stamped with the current wall-clock time, and the grant option becomes
 * {@code null} when the thrift value is {@code UNSET}.
 *
 * @param privilege the thrift privilege to convert
 * @return a new, unpersisted model privilege
 * @throws SentryInvalidInputException declared for callers; not raised by this body itself
 */
private MSentryPrivilege convertToMSentryPrivilege(TSentryPrivilege privilege)
    throws SentryInvalidInputException {
  MSentryPrivilege model = new MSentryPrivilege();
  model.setServerName(toNULLCol(safeTrimLower(privilege.getServerName())));
  model.setDbName(toNULLCol(safeTrimLower(privilege.getDbName())));
  model.setTableName(toNULLCol(safeTrimLower(privilege.getTableName())));
  model.setColumnName(toNULLCol(safeTrimLower(privilege.getColumnName())));
  model.setPrivilegeScope(safeTrim(privilege.getPrivilegeScope()));
  model.setAction(toNULLCol(safeTrimLower(privilege.getAction())));
  model.setCreateTime(System.currentTimeMillis());
  model.setURI(toNULLCol(safeTrim(privilege.getURI())));

  TSentryGrantOption grantOpt = privilege.getGrantOption();
  Boolean grantOption = null;
  if (!grantOpt.equals(TSentryGrantOption.UNSET)) {
    // TRUE/FALSE enum names parse directly as booleans.
    grantOption = Boolean.valueOf(grantOpt.toString());
  }
  model.setGrantOption(grantOption);
  return model;
}
private static String safeTrim(String s) {
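/**
 * Looks up the single persisted privilege matching every field of {@code tPriv}
 * (server, db, table, column, URI, grant option and action).
 * All values are bound as JDOQL parameters; the string fields were previously spliced
 * into the filter text, which let a value containing quote characters (these fields
 * arrive from the thrift request) alter the query. A grant option of UNSET (or absent)
 * is bound as {@code null}, preserving the original match semantics.
 *
 * @param tPriv the privilege whose fields form the match criteria
 * @param pm    persistence manager used to create the query
 * @return the matching privilege, or {@code null} if none matches
 */
private MSentryPrivilege getMSentryPrivilege(TSentryPrivilege tPriv, PersistenceManager pm) {
  Query query = pm.newQuery(MSentryPrivilege.class);
  query.setFilter("this.serverName == pServerName "
      + "&& this.dbName == pDbName "
      + "&& this.tableName == pTableName "
      + "&& this.columnName == pColumnName "
      + "&& this.URI == pUri "
      + "&& this.grantOption == grantOption "
      + "&& this.action == pAction");
  query.declareParameters("String pServerName, String pDbName, String pTableName, "
      + "String pColumnName, String pUri, Boolean grantOption, String pAction");
  query.setUnique(true);

  // TRUE/FALSE map to a boolean; UNSET (or a null enum) stays null.
  Boolean grantOption = null;
  TSentryGrantOption requested = tPriv.getGrantOption();
  if (TSentryGrantOption.TRUE.equals(requested)) {
    grantOption = true;
  } else if (TSentryGrantOption.FALSE.equals(requested)) {
    grantOption = false;
  }

  Object obj = query.executeWithArray(
      toNULLCol(safeTrimLower(tPriv.getServerName())),
      toNULLCol(safeTrimLower(tPriv.getDbName())),
      toNULLCol(safeTrimLower(tPriv.getTableName())),
      toNULLCol(safeTrimLower(tPriv.getColumnName())),
      toNULLCol(safeTrim(tPriv.getURI())),
      grantOption,
      toNULLCol(safeTrimLower(tPriv.getAction())));
  // setUnique(true) yields the single match or null; casting null is a no-op.
  return (MSentryPrivilege) obj;
}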