Repository: sentry Updated Branches: refs/heads/master e0ae5400b -> a3f7510bb
SENTRY-1177: Update SentryStore for export with specific auth object(Colin Ma, reviewed by Dapeng Sun) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/a3f7510b Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/a3f7510b Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/a3f7510b Branch: refs/heads/master Commit: a3f7510bb57a85265ea1a6e829b857652ff95165 Parents: e0ae540 Author: Colin Ma <[email protected]> Authored: Wed Apr 13 15:17:20 2016 +0800 Committer: Colin Ma <[email protected]> Committed: Wed Apr 13 15:17:20 2016 +0800 ---------------------------------------------------------------------- .../db/service/persistent/SentryStore.java | 113 +++++++++++---- .../persistent/TestSentryStoreImportExport.java | 143 +++++++++++++++++++ 2 files changed, 227 insertions(+), 29 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/a3f7510b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java index dbb5d8e..22162eb 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java @@ -2014,31 +2014,34 @@ public class SentryStore { } } - // get all mapping data for [group,role] + // get mapping data for [group,role] public Map<String, Set<String>> getGroupNameRoleNamesMap() { + return getGroupNameRoleNamesMap(null); + } + + // get mapping data for [group,role] with the specific roles + public Map<String, Set<String>> getGroupNameRoleNamesMap(Set<String> roleNames) { boolean rollbackTransaction = true; PersistenceManager pm = null; try { pm = openTransaction(); - Query query = pm.newQuery(MSentryGroup.class); - List<MSentryGroup> mSentryGroups = (List<MSentryGroup>) query.execute(); - Map<String, Set<String>> sentryGroupNameRoleNamesMap = Maps.newHashMap(); - if (mSentryGroups != null) { - // change the List<MSentryGroup> -> Map<groupName, Set<roleName>> - for (MSentryGroup mSentryGroup : mSentryGroups) { - String groupName = mSentryGroup.getGroupName(); - Set<String> roleNames = Sets.newHashSet(); - for (MSentryRole mSentryRole : mSentryGroup.getRoles()) { - roleNames.add(mSentryRole.getRoleName()); - } - if (roleNames.size() > 0) { - sentryGroupNameRoleNamesMap.put(groupName, roleNames); - } + Query query = pm.newQuery(MSentryRole.class); + + List<String> rolesFiler = new LinkedList<String>(); + if (roleNames != null) { + for (String rName : roleNames) { + rolesFiler.add("(roleName == \"" + rName.trim().toLowerCase() + "\")"); } } + if (rolesFiler.size() > 0) { + query.setFilter(Joiner.on(" || ").join(rolesFiler)); + } + + List<MSentryRole> mSentryRoles = (List<MSentryRole>) query.execute(); + Map<String, Set<String>> groupRolesMap = getGroupRolesMap(mSentryRoles); commitTransaction(pm); rollbackTransaction = false; - return sentryGroupNameRoleNamesMap; + return groupRolesMap; } finally { if (rollbackTransaction) { rollbackTransaction(pm); @@ -2046,28 +2049,58 @@ public class SentryStore { } } + private Map<String, Set<String>> getGroupRolesMap(List<MSentryRole> mSentryRoles) { + Map<String, Set<String>> groupRolesMap = Maps.newHashMap(); + if (mSentryRoles == null) { + return groupRolesMap; + } + // change the List<MSentryRole> -> Map<groupName, Set<roleName>> + for (MSentryRole mSentryRole : mSentryRoles) { + Set<MSentryGroup> groups = mSentryRole.getGroups(); + for (MSentryGroup group : groups) { + String groupName = group.getGroupName(); + Set<String> rNames = groupRolesMap.get(groupName); + if (rNames == null) { + rNames = new HashSet<String>(); + } + rNames.add(mSentryRole.getRoleName()); + groupRolesMap.put(groupName, rNames); + } + } + return groupRolesMap; + } + // get all mapping data for [role,privilege] public Map<String, Set<TSentryPrivilege>> getRoleNameTPrivilegesMap() throws Exception { + return getRoleNameTPrivilegesMap(null, null); + } + + // get mapping data for [role,privilege] with the specific auth object + public Map<String, Set<TSentryPrivilege>> getRoleNameTPrivilegesMap(String dbName, + String tableName) throws Exception { boolean rollbackTransaction = true; PersistenceManager pm = null; try { pm = openTransaction(); - Query query = pm.newQuery(MSentryRole.class); - List<MSentryRole> mSentryRoles = (List<MSentryRole>) query.execute(); - Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap(); - if (mSentryRoles != null) { - // change the List<MSentryRole> -> Map<roleName, Set<TSentryPrivilege>> - for (MSentryRole mSentryRole : mSentryRoles) { - Set<TSentryPrivilege> privilegeSet = convertToTSentryPrivileges(mSentryRole - .getPrivileges()); - if (privilegeSet != null && !privilegeSet.isEmpty()) { - sentryRolePrivilegesMap.put(mSentryRole.getRoleName(), privilegeSet); - } - } + Query query = pm.newQuery(MSentryPrivilege.class); + + List<String> privilegeFiler = new LinkedList<String>(); + if (!StringUtils.isEmpty(dbName)) { + privilegeFiler.add("(dbName == \"" + dbName.trim().toLowerCase() + "\") "); } + if (!StringUtils.isEmpty(tableName)) { + privilegeFiler.add("(tableName == \"" + tableName.trim().toLowerCase() + "\") "); + } + if (privilegeFiler.size() > 0) { + query.setFilter(Joiner.on(" && ").join(privilegeFiler)); + } + + List<MSentryPrivilege> mSentryPrivileges = (List<MSentryPrivilege>) query.execute(); + Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = + getRolePrivilegesMap(mSentryPrivileges); commitTransaction(pm); rollbackTransaction = false; - return sentryRolePrivilegesMap; + return rolePrivilegesMap; } finally { if (rollbackTransaction) { rollbackTransaction(pm); @@ -2075,6 +2108,28 @@ public class SentryStore { } } + private Map<String, Set<TSentryPrivilege>> getRolePrivilegesMap( + List<MSentryPrivilege> mSentryPrivileges) { + Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = Maps.newHashMap(); + if (mSentryPrivileges == null) { + return rolePrivilegesMap; + } + // change the List<MSentryPrivilege> -> Map<roleName, Set<TSentryPrivilege>> + for (MSentryPrivilege mSentryPrivilege : mSentryPrivileges) { + TSentryPrivilege privilege = convertToTSentryPrivilege(mSentryPrivilege); + for (MSentryRole mSentryRole : mSentryPrivilege.getRoles()) { + String roleName = mSentryRole.getRoleName(); + Set<TSentryPrivilege> privileges = rolePrivilegesMap.get(roleName); + if (privileges == null) { + privileges = new HashSet<TSentryPrivilege>(); + } + privileges.add(privilege); + rolePrivilegesMap.put(roleName, privileges); + } + } + return rolePrivilegesMap; + } + // Get the all exist role names, will return an empty set // if no role names exist. public Set<String> getAllRoleNames() { http://git-wip-us.apache.org/repos/asf/sentry/blob/a3f7510b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java index a9e4ed6..8dadc2a 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStoreImportExport.java @@ -63,6 +63,7 @@ public class TestSentryStoreImportExport { private TSentryPrivilege tSentryPrivilege6; private TSentryPrivilege tSentryPrivilege7; private TSentryPrivilege tSentryPrivilege8; + private TSentryPrivilege tSentryPrivilege9; @BeforeClass public static void setupEnv() throws Exception { @@ -103,6 +104,7 @@ public class TestSentryStoreImportExport { // privilege6=[server=server1, db=db1, table=tbl3, column=col1, action=*, grantOption=true] // privilege7=[server=server1, db=db1, table=tbl4, column=col1, action=all, grantOption=true] // privilege8=[server=server1, uri=hdfs://testserver:9999/path1, action=insert, grantOption=false] + // privilege9=[server=server1, db=db2, table=tbl1, action=insert, grantOption=false] private void preparePrivilege() { tSentryPrivilege1 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "", "", "", TSentryGrantOption.UNSET); @@ -120,6 +122,8 @@ public class TestSentryStoreImportExport { "tbl4", "col1", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE); tSentryPrivilege8 = createTSentryPrivilege(PrivilegeScope.URI.name(), "server1", "", "", "", "hdfs://testserver:9999/path1", AccessConstants.INSERT, TSentryGrantOption.FALSE); + tSentryPrivilege9 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db2", + "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE); } @AfterClass @@ -730,6 +734,145 @@ public class TestSentryStoreImportExport { verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); } + // The following data is imported: + // group1=role1 + // group2=role1,role2 + // group3=role2,role3 + // group4=role1,role2,role3 + // role1=privilege3,privilege4,privilege9 + // role2=privilege3,privilege4,privilege5,privilege6,privilege7 + // role3=privilege4,privilege5,privilege6,privilege7,privilege8 + // Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested. + @Test + public void testExportPolicyWithSpecificObject() throws Exception { + // import the data for test + TSentryMappingData tSentryMappingData = new TSentryMappingData(); + Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap(); + Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap(); + sentryGroupRolesMap.put("group1", Sets.newHashSet("role1")); + sentryGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2")); + sentryGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + sentryGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3")); + sentryRolePrivilegesMap.put("role1", Sets.newHashSet( + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege9)); + sentryRolePrivilegesMap.put("role2", Sets.newHashSet( + tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7)); + sentryRolePrivilegesMap.put("role3", Sets.newHashSet( + tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap); + tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap); + sentryStore.importSentryMetaData(tSentryMappingData, false); + + // verify the rolePrivilegesMap and groupRolesMap for db=db1 + Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = + sentryStore.getRoleNameTPrivilegesMap("db1", ""); + Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4, + tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, + tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + + Map<String, Set<String>> actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap( + actualRolePrivilegesMap.keySet()); + Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // verify the rolePrivilegesMap and groupRolesMap for db=db2 + actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db2", ""); + exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege9)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + + actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap( + actualRolePrivilegesMap.keySet()); + exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2")); + exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl1 + actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl1"); + exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + + actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap( + actualRolePrivilegesMap.keySet()); + exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl2 + actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl2"); + exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege5)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + + actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap( + actualRolePrivilegesMap.keySet()); + exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group4", Sets.newHashSet("role2", "role3")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // verify the rolePrivilegesMap and groupRolesMap for table=tbl1 + actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", "tbl1"); + exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege9)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + + actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap( + actualRolePrivilegesMap.keySet()); + exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + + // verify the rolePrivilegesMap and groupRolesMap for empty parameter + actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", ""); + exceptedRolePrivilegesMap = Maps.newHashMap(); + exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3, + tSentryPrivilege4, tSentryPrivilege9)); + exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3, + tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7)); + exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, + tSentryPrivilege5, tSentryPrivilege6, + tSentryPrivilege7, tSentryPrivilege8)); + verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap); + + actualGroupRolesMap = sentryStore.getGroupNameRoleNamesMap( + actualRolePrivilegesMap.keySet()); + exceptedGroupRolesMap = Maps.newHashMap(); + exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1")); + exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2")); + exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3")); + exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3")); + verifyGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap); + } + private void verifyRoles(Map<String, MSentryRole> actualRoleMap, Set<String> expectedRoleNameSet) { assertEquals(expectedRoleNameSet.size(), actualRoleMap.keySet().size()); for (String roleName : actualRoleMap.keySet()) {
