Repository: sentry Updated Branches: refs/heads/master 260d11abf -> f0f9d620a
SENTRY-2296: Add PermissionsUpdate for adding owner privilege on owner transfer. (Kalyan Kumar Kalvagadda reviewed by Lina li) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/f0f9d620 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/f0f9d620 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/f0f9d620 Branch: refs/heads/master Commit: f0f9d620af09013e6ce6ab97db944ab73a6e4ef9 Parents: 260d11a Author: Kalyan Kumar Kalvagadda <[email protected]> Authored: Fri Aug 17 11:41:28 2018 -0500 Committer: Kalyan Kumar Kalvagadda <[email protected]> Committed: Fri Aug 17 11:41:28 2018 -0500 ---------------------------------------------------------------------- .../thrift/SentryPolicyStoreProcessor.java | 56 +++++++++++++------- 1 file changed, 36 insertions(+), 20 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/f0f9d620/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java ----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
index 07221af..0ac19a7 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
@@ -1459,20 +1459,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 Preconditions.checkState(sentryPlugins.size() <= 1);
 Set<TSentryPrivilege> privSet = Collections.singleton(ownerPrivilege);
 Map<TSentryPrivilege, Update> privilegesUpdateMap = new HashMap<>();
- switch (request.getOwnerType()) {
- case ROLE:
- for (SentryPolicyStorePlugin plugin : sentryPlugins) {
- plugin.onAlterSentryRoleGrantPrivilege(request.getOwnerName(), privSet, privilegesUpdateMap);
- }
- break;
- case USER:
- for (SentryPolicyStorePlugin plugin : sentryPlugins) {
- plugin.onAlterSentryUserGrantPrivilege(request.getOwnerName(), privSet, privilegesUpdateMap);
- }
- break;
- default:
- LOGGER.error("Invalid owner Type");
- }
+ getOwnerPrivilegeUpdateForGrant(request.getOwnerName(), request.getOwnerType(), privSet, privilegesUpdateMap);
 // Grants owner privilege to the principal
 try {
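Review bot: The new `getOwnerPrivilegeUpdateForGrant(...)` call sits before the `try {` that follows it, so the SentryInvalidInputException it can now throw for an unknown owner type is not handled by that block, whereas the removed `default:` arm only logged and let the grant proceed. The enclosing method starts and ends outside the hunk, so it is worth confirming that its caller turns this exception into an error response rather than letting it escape the Thrift handler. The same placement applies to the call added in the `@@ -1529,19 +1516,21 @@` hunk. A short comment at the call, e.g. `// Throws SentryInvalidInputException for an unknown owner type; no privilege is granted in that case`, would make the changed behaviour explicit.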
@@ -1529,19 +1516,21 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 // There should only one owner privilege for an authorizable but the current schema
 // doesn't have constraints to limit it. It is possible to have multiple owners for an authorizable (which is unlikely)
 // This logic makes sure of revoking all the owner privilege.
- for (SentryOwnerInfo ownerInfo : ownerInfoList) {
- if (ownerInfo.getOwnerType() == SentryPrincipalType.USER) {
- for (SentryPolicyStorePlugin plugin : sentryPlugins) {
+ for (SentryPolicyStorePlugin plugin : sentryPlugins) {
+ for (SentryOwnerInfo ownerInfo : ownerInfoList) {
+ if (ownerInfo.getOwnerType().equals(SentryPrincipalType.USER)) {
 plugin.onAlterSentryUserRevokePrivilege(ownerInfo.getOwnerName(), privSet, privilegesUpdateMap);
 updateList.add(privilegesUpdateMap.get(ownerPrivilege));
- }
- } else if (ownerInfo.getOwnerType() == SentryPrincipalType.ROLE) {
- for (SentryPolicyStorePlugin plugin : sentryPlugins) {
+ privilegesUpdateMap.clear();
+ } else if (ownerInfo.getOwnerType().equals(SentryPrincipalType.ROLE)) {
 plugin.onAlterSentryRoleRevokePrivilege(request.getOwnerName(), privSet, privilegesUpdateMap);
 updateList.add(privilegesUpdateMap.get(ownerPrivilege));
+ privilegesUpdateMap.clear();
 }
 }
 }
+ getOwnerPrivilegeUpdateForGrant(request.getOwnerName(), request.getOwnerType(), privSet, privilegesUpdateMap);
+ updateList.add(privilegesUpdateMap.get(ownerPrivilege));
 // Revokes old owner privileges and grants owner privilege for new owner.
 try {
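Review bot: In the ROLE branch the revoke update is built with `request.getOwnerName()`, while the USER branch uses `ownerInfo.getOwnerName()`. The same request name is passed to `getOwnerPrivilegeUpdateForGrant` a few lines later, so the revoke appears to target the incoming owner rather than the role that currently holds the privilege, which would leave the previous role's owner privilege in place in whatever the plugin synchronises. It should probably read `plugin.onAlterSentryRoleRevokePrivilege(ownerInfo.getOwnerName(), privSet, privilegesUpdateMap);`. Separately, each `updateList.add(privilegesUpdateMap.get(ownerPrivilege))` adds null when the map has no entry for that key, which is always the case for the final add when `sentryPlugins` is empty, so a null check before adding would be safer. The enclosing method starts and ends outside the hunk.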
@@ -1563,6 +1552,33 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 }
 /**
+ * Adds privilege update for grant into the privilegesUpdateMap provided.
+ * @param ownerName
+ * @param ownerType
+ * @param privSet
+ * @param privilegesUpdateMap
+ * @throws Exception
+ */
+ private void getOwnerPrivilegeUpdateForGrant(String ownerName, TSentryPrincipalType ownerType,
+ Set<TSentryPrivilege> privSet,
+ Map<TSentryPrivilege, Update> privilegesUpdateMap) throws Exception {
+ for (SentryPolicyStorePlugin plugin : sentryPlugins) {
+ switch (ownerType) {
+ case ROLE:
+ plugin.onAlterSentryRoleGrantPrivilege(ownerName, privSet, privilegesUpdateMap);
+ break;
+ case USER:
+ plugin.onAlterSentryUserGrantPrivilege(ownerName, privSet, privilegesUpdateMap);
+ break;
+ default:
+ String error = "Invalid owner type : " + ownerType;
+ LOGGER.error(error);
+ throw new SentryInvalidInputException(error);
+ }
+ }
+ }
+
+ /**
 * This API constructs (@Link TSentryPrivilege} for authorizable provided
 * based on the configurations.
 *
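Review bot: The owner-type check in `getOwnerPrivilegeUpdateForGrant` lives in the `default:` arm inside the `for (SentryPolicyStorePlugin plugin : sentryPlugins)` loop, so it only runs when at least one plugin is registered. With an empty plugin list an unrecognised type is accepted silently, and a null `ownerType` would surface as a NullPointerException from the `switch` rather than as SentryInvalidInputException. Validating once before the loop, as sketched below, makes the rejection independent of plugin configuration. The Javadoc's `@param` tags are empty and the method is named `get...` although it returns void and fills `privilegesUpdateMap`; one sentence per parameter, stating that the map is an output, would help.

```java
// … unchanged: Javadoc and signature of getOwnerPrivilegeUpdateForGrant …
    // Reject unknown (or missing) owner types up front, whether or not a plugin is configured.
    if (ownerType != TSentryPrincipalType.ROLE && ownerType != TSentryPrincipalType.USER) {
      String error = "Invalid owner type : " + ownerType;
      LOGGER.error(error);
      throw new SentryInvalidInputException(error);
    }
    for (SentryPolicyStorePlugin plugin : sentryPlugins) {
      if (ownerType == TSentryPrincipalType.ROLE) {
        plugin.onAlterSentryRoleGrantPrivilege(ownerName, privSet, privilegesUpdateMap);
      } else {
        plugin.onAlterSentryUserGrantPrivilege(ownerName, privSet, privilegesUpdateMap);
      }
    }
```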
