/**
 * Derives the scope name of a privilege from which of its resource fields are populated.
 * <p>
 * Precedence is URI, then COLUMN, TABLE, DATABASE; a privilege with none of those fields
 * set is reported as SERVER scope. The {@code privilegeScope} field carried by the Thrift
 * object itself is not consulted. A field that is null or the empty string counts as unset
 * ({@link StringUtils#isEmpty}).
 *
 * @param tSentryPrivilege the privilege whose resource fields are inspected
 * @return the {@link PrivilegeScope} constant name, as produced by {@code toString()}
 */
public static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) {
  if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) {
    return PrivilegeScope.URI.toString();
  }
  if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) {
    return PrivilegeScope.COLUMN.toString();
  }
  if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) {
    return PrivilegeScope.TABLE.toString();
  }
  if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) {
    return PrivilegeScope.DATABASE.toString();
  }
  // Nothing more specific is set: the privilege applies to the whole server.
  return PrivilegeScope.SERVER.toString();
}
/**
 * Computes the scope name for a privilege from its resource fields, most specific
 * first: URI, COLUMN, TABLE, DATABASE, and SERVER when none of those is set.
 * <p>
 * A resource field that is null or empty is treated as absent; the Thrift object's own
 * {@code privilegeScope} field is ignored.
 *
 * @param tSentryPrivilege the privilege to classify
 * @return the {@link ServiceConstants.PrivilegeScope} name via {@code toString()}
 */
private static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) {
  final ServiceConstants.PrivilegeScope scope;
  if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) {
    scope = ServiceConstants.PrivilegeScope.URI;
  } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) {
    scope = ServiceConstants.PrivilegeScope.COLUMN;
  } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) {
    scope = ServiceConstants.PrivilegeScope.TABLE;
  } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) {
    scope = ServiceConstants.PrivilegeScope.DATABASE;
  } else {
    scope = ServiceConstants.PrivilegeScope.SERVER;
  }
  return scope.toString();
}
String serverName = tSentryPrivilege.getServerName(); String dbName = tSentryPrivilege.getDbName(); String tableName = tSentryPrivilege.getTableName(); String columnName = tSentryPrivilege.getColumnName(); String uri = tSentryPrivilege.getURI();
String serverName = tSentryPrivilege.getServerName(); String dbName = tSentryPrivilege.getDbName(); String tableName = tSentryPrivilege.getTableName(); String columnName = tSentryPrivilege.getColumnName(); String uri = tSentryPrivilege.getURI();
/**
 * Builds the lower-cased authorizable object name for a database- or table-level
 * privilege: {@code db} or {@code db.table}.
 * <p>
 * Returns null when the privilege has no database name (server- and URI-level privileges),
 * so callers must null-check the result. Lower-casing uses {@code String.toLowerCase()}
 * with the JVM default locale.
 *
 * @param privilege the privilege whose database/table names are read
 * @return the lower-cased object name, or null if no database name is present
 */
private String getAuthzObj(TSentryPrivilege privilege) {
  if (SentryStore.isNULL(privilege.getDbName())) {
    return null;
  }
  String dbName = privilege.getDbName();
  String tblName = privilege.getTableName();
  // Table name is optional: a database-level privilege maps to the bare database name.
  String authzObj = SentryStore.isNULL(tblName) ? dbName : dbName + "." + tblName;
  return authzObj.toLowerCase();
}
sb.append(privilege.getDbName()); } else if (PrivilegeScope.TABLE.name().equalsIgnoreCase(privilegeScope)) { sb.append(privilege.getTableName()); } else if (PrivilegeScope.SERVER.name().equalsIgnoreCase(privilegeScope)) { sb.append(privilege.getServerName());
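/**
 * Checks that a privilege names every resource level its declared scope requires:
 * SERVER needs a server name; URI needs a server name and a URI; DATABASE needs a server
 * and database name; TABLE additionally a table name; COLUMN additionally a column name.
 * <p>
 * The scope string is compared case-sensitively against the
 * {@link ServiceConstants.PrivilegeScope} names, and a field that is null or empty
 * ({@link StringUtils#isEmpty}) counts as missing.
 *
 * @param tSentryPrivilege the privilege to validate
 * @throws IllegalArgumentException if a required resource name is missing for the declared scope
 * @throws Exception declared for compatibility with existing callers; this body throws
 *         nothing else
 */
private static void validatePrivilegeHierarchy(TSentryPrivilege tSentryPrivilege) throws Exception {
  String scope = tSentryPrivilege.getPrivilegeScope();
  String serverName = tSentryPrivilege.getServerName();
  String dbName = tSentryPrivilege.getDbName();
  String tableName = tSentryPrivilege.getTableName();
  String columnName = tSentryPrivilege.getColumnName();
  String uri = tSentryPrivilege.getURI();
  if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(scope)) {
    requireHierarchy(serverName);
  } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(scope)) {
    requireHierarchy(serverName, uri);
  } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(scope)) {
    requireHierarchy(serverName, dbName);
  } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(scope)) {
    requireHierarchy(serverName, dbName, tableName);
  } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(scope)) {
    requireHierarchy(serverName, dbName, tableName, columnName);
  }
  // NOTE(review): a scope value matching none of the five names (including null) is
  // accepted without any check, exactly as before; confirm that callers reject such
  // requests before they reach the store rather than relying on this method.
}

/**
 * Throws the standard hierarchy error if any of the given resource names is null or empty.
 *
 * @param resourceNames the names required by the declared scope, outermost first
 * @throws IllegalArgumentException if any name is missing
 */
private static void requireHierarchy(String... resourceNames) {
  for (String name : resourceNames) {
    if (StringUtils.isEmpty(name)) {
      throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
    }
  }
}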
/**
 * Builds the audit-log entity for a revoke-privilege request.
 * <p>
 * The common fields (status, requestor, request class) come from {@code createCommonHAMLE};
 * this method adds the rendered revoke command and the database, table and URI of the
 * privilege. The server and column names are not copied onto the entity here, so they
 * are only visible through the operation text, if the command renderer includes them.
 *
 * @param request   the revoke request being audited
 * @param privilege the privilege the request refers to
 * @param response  the response, whose status is recorded
 * @param conf      configuration passed through to {@code createCommonHAMLE}
 * @return the populated audit entity
 */
private JsonLogEntity createJsonLogEntity(
    TAlterSentryRoleRevokePrivilegeRequest request, TSentryPrivilege privilege,
    TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) {
  DBAuditMetadataLogEntity entity = createCommonHAMLE(conf, response.getStatus(),
      request.getRequestorUserName(), request.getClass().getName());
  entity.setOperationText(CommandUtil.createCmdForRevokePrivilege(request));
  entity.setResourcePath(privilege.getURI());
  entity.setDatabaseName(privilege.getDbName());
  entity.setTableName(privilege.getTableName());
  return entity;
}
/**
 * Builds the audit-log entity for a grant-privilege request.
 * <p>
 * Common fields (status, requestor, request class) are filled by {@code createCommonHAMLE};
 * the rendered grant command and the privilege's database, table and URI are added here.
 * Server and column names are not copied onto the entity and so appear only in the
 * operation text, if the command renderer includes them.
 *
 * @param request   the grant request being audited
 * @param privilege the privilege the request refers to
 * @param response  the response, whose status is recorded
 * @param conf      configuration passed through to {@code createCommonHAMLE}
 * @return the populated audit entity
 */
private JsonLogEntity createJsonLogEntity(
    TAlterSentryRoleGrantPrivilegeRequest request, TSentryPrivilege privilege,
    TAlterSentryRoleGrantPrivilegeResponse response, Configuration conf) {
  DBAuditMetadataLogEntity entity = createCommonHAMLE(conf, response.getStatus(),
      request.getRequestorUserName(), request.getClass().getName());
  entity.setOperationText(CommandUtil.createCmdForGrantPrivilege(request));
  entity.setResourcePath(privilege.getURI());
  entity.setDatabaseName(privilege.getDbName());
  entity.setTableName(privilege.getTableName());
  return entity;
}
/**
 * Returns the value of the requested field as an Object (the Thrift-style generic
 * field accessor; this looks generated, so keep edits minimal).
 * <p>
 * {@code CREATE_TIME} is boxed to a {@link Long}; every other field is returned as-is
 * from its getter, which may be null for unset optional fields.
 *
 * @param field the field to read
 * @return the field's current value
 * @throws IllegalStateException if {@code field} is not a known field
 */
public Object getFieldValue(_Fields field) {
  switch (field) {
    case SERVER_NAME:
      return getServerName();
    case DB_NAME:
      return getDbName();
    case TABLE_NAME:
      return getTableName();
    case COLUMN_NAME:
      return getColumnName();
    case URI:
      return getURI();
    case PRIVILEGE_SCOPE:
      return getPrivilegeScope();
    case ACTION:
      return getAction();
    case GRANT_OPTION:
      return getGrantOption();
    case CREATE_TIME:
      // long -> Long via autoboxing, equivalent to Long.valueOf(getCreateTime())
      return getCreateTime();
    default:
      throw new IllegalStateException();
  }
}
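/**
 * Finds every stored privilege matching the resource and action of the given Thrift
 * privilege.
 * <p>
 * The filter is narrowed only as far as the request specifies: server and action are
 * always matched; database, table and column are added in turn while each is present;
 * when no database is given but a URI is, the URI is matched instead. Names are trimmed
 * and lower-cased (the URI is only trimmed) and empty values are mapped through
 * {@code toNULLCol} before matching.
 * <p>
 * Values are bound as JDOQL implicit parameters ({@code :name}) instead of being spliced
 * into the filter string, so a quote character in a request-supplied name cannot change
 * the structure of the query.
 *
 * @param tPriv the privilege whose resource fields and action drive the lookup
 * @param pm    the persistence manager to query with
 * @return the matching privileges (possibly empty)
 */
private List<MSentryPrivilege> getMSentryPrivileges(TSentryPrivilege tPriv, PersistenceManager pm) {
  Query query = pm.newQuery(MSentryPrivilege.class);
  java.util.Map<String, Object> params = new java.util.HashMap<String, Object>();
  StringBuilder filters = new StringBuilder("this.serverName == :serverName ");
  params.put("serverName", toNULLCol(safeTrimLower(tPriv.getServerName())));
  if (!isNULL(tPriv.getDbName())) {
    filters.append("&& this.dbName == :dbName ");
    params.put("dbName", toNULLCol(safeTrimLower(tPriv.getDbName())));
    if (!isNULL(tPriv.getTableName())) {
      filters.append("&& this.tableName == :tableName ");
      params.put("tableName", toNULLCol(safeTrimLower(tPriv.getTableName())));
      if (!isNULL(tPriv.getColumnName())) {
        filters.append("&& this.columnName == :columnName ");
        params.put("columnName", toNULLCol(safeTrimLower(tPriv.getColumnName())));
      }
    }
  } else if (!isNULL(tPriv.getURI())) {
    // if db is null, uri is not null
    filters.append("&& this.URI == :uri ");
    params.put("uri", toNULLCol(safeTrim(tPriv.getURI())));
  }
  filters.append("&& this.action == :action");
  params.put("action", toNULLCol(safeTrimLower(tPriv.getAction())));
  query.setFilter(filters.toString());
  @SuppressWarnings("unchecked")
  List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query.executeWithMap(params);
  return privileges;
}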
/**
 * Renders a role's privileges as rows of tab-separated-style columns (via
 * {@code appendNonNull}) in the order: database, table, partition, column, principal
 * name, principal type, action, grant option, create time, and a trailing marker.
 * <p>
 * The database column holds the URI for URI-scoped privileges and {@code *} for
 * server-scoped ones. The partition column is always empty. The create time is scaled
 * by 1000 (presumably seconds to milliseconds; confirm against the store's unit).
 * The complete rendered output is also written to the log at INFO level.
 *
 * @param privileges the privileges to render; null or empty yields ""
 * @param roleName   the role reported as principal for every row
 * @return the rendered rows, or the empty string if there are no privileges
 */
static String writeGrantInfo(Set<TSentryPrivilege> privileges, String roleName) {
  if (privileges == null || privileges.isEmpty()) {
    return "";
  }
  StringBuilder out = new StringBuilder();
  for (TSentryPrivilege p : privileges) {
    String scope = p.getPrivilegeScope();
    if (PrivilegeScope.URI.name().equalsIgnoreCase(scope)) {
      appendNonNull(out, p.getURI(), true);
    } else if (PrivilegeScope.SERVER.name().equalsIgnoreCase(scope)) {
      // A server-level privilege shows "*" in the database column.
      appendNonNull(out, "*", true);
    } else {
      appendNonNull(out, p.getDbName(), true);
    }
    appendNonNull(out, p.getTableName());
    appendNonNull(out, null);            // partition values: not tracked
    appendNonNull(out, p.getColumnName());
    appendNonNull(out, roleName);        // principal name
    appendNonNull(out, "ROLE");          // principal type
    appendNonNull(out, p.getAction());
    appendNonNull(out, TSentryGrantOption.TRUE.equals(p.getGrantOption()));
    appendNonNull(out, p.getCreateTime() * 1000L);
    appendNonNull(out, "--");
  }
  // Logs the whole listing at INFO on every call; consider DEBUG if this is chatty.
  LOG.info("builder.toString(): " + out.toString());
  return out.toString();
}
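/**
 * Revokes the privilege described by {@code privilegeStr} from {@code roleName},
 * dispatching to the client method that matches the privilege's scope.
 * <p>
 * Previously an unrecognized scope string fell off the end of the dispatch chain and
 * the revoke silently did nothing; it now fails loudly instead, so a malformed command
 * cannot be mistaken for a successful revoke. The grant-option flag is true only when
 * the parsed option is {@code TRUE} (a null option counts as false).
 *
 * @param client        the policy service client to issue the revoke through
 * @param requestorName the user on whose behalf the revoke is issued
 * @throws IllegalArgumentException if the parsed scope is not SERVER, DATABASE, TABLE,
 *         COLUMN or URI
 * @throws Exception propagated from parsing or from the client call
 */
@Override
public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
  TSentryPrivilege priv = CommandUtil.convertToTSentryPrivilege(privilegeStr);
  String scope = priv.getPrivilegeScope();
  boolean grantOption = TSentryGrantOption.TRUE.equals(priv.getGrantOption());
  if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(scope)) {
    client.revokeServerPrivilege(requestorName, roleName, priv.getServerName(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(scope)) {
    client.revokeDatabasePrivilege(requestorName, roleName, priv.getServerName(),
        priv.getDbName(), priv.getAction(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(scope)) {
    client.revokeTablePrivilege(requestorName, roleName, priv.getServerName(),
        priv.getDbName(), priv.getTableName(), priv.getAction(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(scope)) {
    client.revokeColumnPrivilege(requestorName, roleName, priv.getServerName(),
        priv.getDbName(), priv.getTableName(), priv.getColumnName(), priv.getAction(),
        grantOption);
  } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(scope)) {
    client.revokeURIPrivilege(requestorName, roleName, priv.getServerName(), priv.getURI(),
        grantOption);
  } else {
    // Never silently skip a revoke: an unknown scope means the command was not applied.
    throw new IllegalArgumentException("Unknown privilege scope: " + scope);
  }
}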
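/**
 * Grants the privilege described by {@code privilegeStr} to {@code roleName},
 * dispatching to the client method that matches the privilege's scope.
 * <p>
 * Previously an unrecognized scope string fell off the end of the dispatch chain and
 * nothing was granted, with no error; it now fails loudly so a malformed command is not
 * reported as success. The grant-option flag is true only when the parsed option is
 * {@code TRUE} (a null option counts as false).
 *
 * @param client        the policy service client to issue the grant through
 * @param requestorName the user on whose behalf the grant is issued
 * @throws IllegalArgumentException if the parsed scope is not SERVER, DATABASE, TABLE,
 *         COLUMN or URI
 * @throws Exception propagated from parsing or from the client call
 */
@Override
public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
  TSentryPrivilege priv = CommandUtil.convertToTSentryPrivilege(privilegeStr);
  String scope = priv.getPrivilegeScope();
  boolean grantOption = TSentryGrantOption.TRUE.equals(priv.getGrantOption());
  if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(scope)) {
    client.grantServerPrivilege(requestorName, roleName, priv.getServerName(),
        priv.getAction(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(scope)) {
    client.grantDatabasePrivilege(requestorName, roleName, priv.getServerName(),
        priv.getDbName(), priv.getAction(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(scope)) {
    client.grantTablePrivilege(requestorName, roleName, priv.getServerName(),
        priv.getDbName(), priv.getTableName(), priv.getAction(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(scope)) {
    client.grantColumnPrivilege(requestorName, roleName, priv.getServerName(),
        priv.getDbName(), priv.getTableName(), priv.getColumnName(), priv.getAction(),
        grantOption);
  } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(scope)) {
    client.grantURIPrivilege(requestorName, roleName, priv.getServerName(), priv.getURI(),
        grantOption);
  } else {
    // Never silently skip a grant: an unknown scope means the command was not applied.
    throw new IllegalArgumentException("Unknown privilege scope: " + scope);
  }
}
}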
/**
 * Converts a privilege into the authorizable it names, copying the server, database,
 * table and URI fields unchanged.
 * <p>
 * NOTE(review): the column name is not copied, so a column-level privilege maps to its
 * table-level authorizable here; confirm that is what the callers expect.
 *
 * @param tSentryPrivilege the privilege to convert
 * @return a new authorizable carrying the privilege's server, db, table and URI
 */
private TSentryAuthorizable toTSentryAuthorizable(TSentryPrivilege tSentryPrivilege) {
  TSentryAuthorizable authorizable = new TSentryAuthorizable();
  authorizable.setUri(tSentryPrivilege.getURI());
  authorizable.setServer(tSentryPrivilege.getServerName());
  authorizable.setDb(tSentryPrivilege.getDbName());
  authorizable.setTable(tSentryPrivilege.getTableName());
  return authorizable;
}
/**
 * Converts thrift object to model object. Additionally does normalization
 * such as trimming whitespace and setting appropriate case.
 * <p>
 * Server, database, table, column and action are trimmed and lower-cased; the URI and
 * the scope string are only trimmed. Resource names and the action additionally pass
 * through {@code toNULLCol}. The creation time is taken from the server clock rather
 * than from the request. A grant option of {@code UNSET} is stored as null; {@code TRUE}
 * and {@code FALSE} are stored as the corresponding Boolean.
 *
 * @param privilege the Thrift privilege to convert
 * @return a new, normalized model privilege
 * @throws SentryInvalidInputException declared, but not thrown by this method body;
 *         presumably kept for the callers' sake — confirm before removing
 */
private MSentryPrivilege convertToMSentryPrivilege(TSentryPrivilege privilege) throws SentryInvalidInputException {
  MSentryPrivilege mSentryPrivilege = new MSentryPrivilege();
  mSentryPrivilege.setServerName(toNULLCol(safeTrimLower(privilege.getServerName())));
  mSentryPrivilege.setDbName(toNULLCol(safeTrimLower(privilege.getDbName())));
  mSentryPrivilege.setTableName(toNULLCol(safeTrimLower(privilege.getTableName())));
  mSentryPrivilege.setColumnName(toNULLCol(safeTrimLower(privilege.getColumnName())));
  // Scope is trimmed but keeps its case; it is not routed through toNULLCol.
  mSentryPrivilege.setPrivilegeScope(safeTrim(privilege.getPrivilegeScope()));
  mSentryPrivilege.setAction(toNULLCol(safeTrimLower(privilege.getAction())));
  // Server-side timestamp: any createTime carried by the request is ignored.
  mSentryPrivilege.setCreateTime(System.currentTimeMillis());
  // URIs are case-sensitive, so only whitespace is trimmed.
  mSentryPrivilege.setURI(toNULLCol(safeTrim(privilege.getURI())));
  if ( !privilege.getGrantOption().equals(TSentryGrantOption.UNSET) ) {
    // Relies on the enum constants being named "TRUE"/"FALSE" for Boolean.valueOf.
    mSentryPrivilege.setGrantOption(Boolean.valueOf(privilege.getGrantOption().toString()));
  } else {
    mSentryPrivilege.setGrantOption(null);
  }
  return mSentryPrivilege;
}
private static String safeTrim(String s) {
assertEquals(2, privilegeSet.size()); for (TSentryPrivilege privilege : privilegeSet) { assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
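/**
 * Looks up the single stored privilege that exactly matches every field of the given
 * Thrift privilege: server, database, table, column, URI, grant option and action.
 * <p>
 * Names are trimmed and lower-cased (the URI only trimmed) and mapped through
 * {@code toNULLCol} before matching. A grant option of {@code TRUE}/{@code FALSE} is
 * matched as a Boolean; {@code UNSET} (or a null option) matches a stored null, as the
 * original null parameter binding did.
 * <p>
 * All values are bound as JDOQL implicit parameters ({@code :name}) rather than spliced
 * into the filter string, so a quote character in a request-supplied name cannot alter
 * the query.
 *
 * @param tPriv the privilege to look up
 * @param pm    the persistence manager to query with
 * @return the matching stored privilege, or null if there is none
 */
private MSentryPrivilege getMSentryPrivilege(TSentryPrivilege tPriv, PersistenceManager pm) {
  Query query = pm.newQuery(MSentryPrivilege.class);
  java.util.Map<String, Object> params = new java.util.HashMap<String, Object>();
  params.put("serverName", toNULLCol(safeTrimLower(tPriv.getServerName())));
  params.put("dbName", toNULLCol(safeTrimLower(tPriv.getDbName())));
  params.put("tableName", toNULLCol(safeTrimLower(tPriv.getTableName())));
  params.put("columnName", toNULLCol(safeTrimLower(tPriv.getColumnName())));
  params.put("uri", toNULLCol(safeTrim(tPriv.getURI())));
  params.put("action", toNULLCol(safeTrimLower(tPriv.getAction())));
  String grantOptionClause;
  if (TSentryGrantOption.TRUE.equals(tPriv.getGrantOption())) {
    params.put("grantOption", Boolean.TRUE);
    grantOptionClause = "&& this.grantOption == :grantOption ";
  } else if (TSentryGrantOption.FALSE.equals(tPriv.getGrantOption())) {
    params.put("grantOption", Boolean.FALSE);
    grantOptionClause = "&& this.grantOption == :grantOption ";
  } else {
    // UNSET: match rows whose grant option was stored as null.
    grantOptionClause = "&& this.grantOption == null ";
  }
  query.setFilter("this.serverName == :serverName "
      + "&& this.dbName == :dbName "
      + "&& this.tableName == :tableName "
      + "&& this.columnName == :columnName "
      + "&& this.URI == :uri "
      + grantOptionClause
      + "&& this.action == :action");
  query.setUnique(true);
  Object obj = query.executeWithMap(params);
  return obj == null ? null : (MSentryPrivilege) obj;
}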
/**
 * Builds a Thrift privilege covering the given authorizable with action
 * {@code AccessConstants.ALL}.
 * <p>
 * Each resource field is copied through {@code fromNULLCol}, and the scope is inferred
 * from the most specific field present: COLUMN, TABLE, DATABASE, URI, then SERVER.
 * Note this checks the URI after the database fields, whereas other scope helpers in
 * this codebase check the URI first; the two only disagree if both a database and a URI
 * are set.
 *
 * @param tAuthorizable the authorizable to convert
 * @return a new privilege for the authorizable with action ALL
 * @throws SentryInvalidInputException declared for callers; not thrown by this body
 */
private TSentryPrivilege toSentryPrivilege(TSentryAuthorizable tAuthorizable) throws SentryInvalidInputException {
  TSentryPrivilege priv = new TSentryPrivilege();
  priv.setServerName(fromNULLCol(tAuthorizable.getServer()));
  priv.setDbName(fromNULLCol(tAuthorizable.getDb()));
  priv.setTableName(fromNULLCol(tAuthorizable.getTable()));
  priv.setColumnName(fromNULLCol(tAuthorizable.getColumn()));
  priv.setURI(fromNULLCol(tAuthorizable.getUri()));
  priv.setPrivilegeScope(inferScope(priv).name());
  priv.setAction(AccessConstants.ALL);
  return priv;
}

/** Picks the scope from the most specific resource field that is set on the privilege. */
private static PrivilegeScope inferScope(TSentryPrivilege priv) {
  if (!isNULL(priv.getColumnName())) {
    return PrivilegeScope.COLUMN;
  }
  if (!isNULL(priv.getTableName())) {
    return PrivilegeScope.TABLE;
  }
  if (!isNULL(priv.getDbName())) {
    return PrivilegeScope.DATABASE;
  }
  if (!isNULL(priv.getURI())) {
    return PrivilegeScope.URI;
  }
  return PrivilegeScope.SERVER;
}
assertEquals(4, privilegeSet.size()); for (TSentryPrivilege privilege : privilegeSet) { assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));