[sentry] branch master updated: SENTRY-2503: Failed to revoke the privilege from impala-shell if the privilege added from beeline cli.

Tue, 05 Mar 2019 17:02:21 -0800 

This is an automated email from the ASF dual-hosted git repository.

linaataustin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sentry.git


The following commit(s) were added to refs/heads/master by this push:
     new f859446  SENTRY-2503: Failed to revoke the privilege from impala-shell 
if the privilege added from beeline cli.
f859446 is described below

commit f859446b65bbc274bc4899464892151eec8217c6
Author: lina.li <[email protected]>
AuthorDate: Wed Feb 27 13:23:25 2019 -0600

    SENTRY-2503: Failed to revoke the privilege from impala-shell if the 
privilege added from beeline cli.
---
 .../db/service/persistent/QueryParamBuilder.java   |  19 +++
 .../db/service/persistent/SentryStore.java         |  44 +++--
 .../db/service/persistent/TestSentryStore.java     | 181 +++++++++++++++++++++
 3 files changed, 233 insertions(+), 11 deletions(-)

diff --git 
a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/QueryParamBuilder.java
 
b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/QueryParamBuilder.java
index 240120c..84da6e0 100644
--- 
a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/QueryParamBuilder.java
+++ 
b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/QueryParamBuilder.java
@@ -365,6 +365,25 @@ public class QueryParamBuilder {
   }
 
   /**
+   * Add common filter for set of actions. This is used to simplify creating 
filters for
+   * a collections of actions
+   * @param paramBuilder paramBuilder for parameters
+   * @param actions set actions
+   * @return paramBuilder supplied or a new one if the supplied one is null.
+   */
+  public static QueryParamBuilder addActionFilter(QueryParamBuilder 
paramBuilder,
+      Collection<String> actions) {
+    if (paramBuilder == null) {
+      paramBuilder = new QueryParamBuilder();
+    }
+    if (actions == null || actions.isEmpty()) {
+      return paramBuilder;
+    }
+    paramBuilder.newChild().addSet("this.action == ", actions, false);
+    return paramBuilder;
+  }
+
+  /**
    * Add multiple conditions for set of values.
    * <p>
    * Example:
diff --git 
a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
 
b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 1d97ff6..980c8ad 100644
--- 
a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ 
b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -1107,24 +1107,34 @@ public class SentryStore implements 
SentryStoreInterface {
       throw new SentryInvalidInputException("cannot revoke URI privileges from 
Null or EMPTY location");
     }
 
+    // make sure to drop all equivalent privileges
+    LOGGER.debug("tPrivilege to drop: {}", tPrivilege.toString());
     MSentryPrivilege mPrivilege = getMSentryPrivilege(tPrivilege, pm);
     if (mPrivilege == null) {
+      LOGGER.debug("mPrivilege is null");
       mPrivilege = convertToMSentryPrivilege(tPrivilege);
     } else {
+      LOGGER.debug("mPrivilege is found: {}", mPrivilege.toString());
       mPrivilege = pm.detachCopy(mPrivilege);
     }
 
     Set<MSentryPrivilege> privilegeGraph = new HashSet<>();
-    if (mPrivilege.getGrantOption() != null) {
-      privilegeGraph.add(mPrivilege);
-    } else {
-      MSentryPrivilege mTure = new MSentryPrivilege(mPrivilege);
-      mTure.setGrantOption(true);
-      privilegeGraph.add(mTure);
-      MSentryPrivilege mFalse = new MSentryPrivilege(mPrivilege);
-      mFalse.setGrantOption(false);
-      privilegeGraph.add(mFalse);
+    Set<String> allEquivalentActions = 
getAllEquivalentActions(mPrivilege.getAction());
+    for (String equivalentAction : allEquivalentActions) {
+      MSentryPrivilege newActionPrivilege = new MSentryPrivilege(mPrivilege);
+      newActionPrivilege.setAction(equivalentAction);
+      if (newActionPrivilege.getGrantOption() != null) {
+        privilegeGraph.add(newActionPrivilege);
+      } else {
+        MSentryPrivilege mTure = new MSentryPrivilege(newActionPrivilege);
+        mTure.setGrantOption(true);
+        privilegeGraph.add(mTure);
+        MSentryPrivilege mFalse = new MSentryPrivilege(newActionPrivilege);
+        mFalse.setGrantOption(false);
+        privilegeGraph.add(mFalse);
+      }
     }
+
     // Get the privilege graph
     populateChildren(pm, type, Sets.newHashSet(entityName), mPrivilege, 
privilegeGraph);
     for (MSentryPrivilege childPriv : privilegeGraph) {
@@ -1508,8 +1518,10 @@ public class SentryStore implements SentryStoreInterface 
{
             .add(TABLE_NAME, tPriv.getTableName())
             .add(COLUMN_NAME, tPriv.getColumnName())
             .add(URI, tPriv.getURI(), true)
-            .addObject(GRANT_OPTION, grantOption)
-            .add(ACTION, tPriv.getAction());
+            .add(ACTION, tPriv.getAction())
+            .addObject(GRANT_OPTION, grantOption);
+
+    LOGGER.debug("getMSentryPrivilege query filter: {}", 
paramBuilder.toString());
 
     Query query = pm.newQuery(MSentryPrivilege.class);
     query.setUnique(true);
@@ -1517,6 +1529,16 @@ public class SentryStore implements SentryStoreInterface 
{
     return (MSentryPrivilege)query.executeWithMap(paramBuilder.getArguments());
   }
 
+  private Set<String> getAllEquivalentActions(String inputAction) {
+    if (AccessConstants.ALL.equalsIgnoreCase(inputAction) ||
+        AccessConstants.ACTION_ALL.equalsIgnoreCase(inputAction)) {
+      return Sets.newHashSet(AccessConstants.ALL, AccessConstants.ACTION_ALL,
+          AccessConstants.ACTION_ALL.toLowerCase());
+    }
+
+    return Sets.newHashSet(inputAction);
+  }
+
   /**
    * Drop a given sentry role.
    *
diff --git 
a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
 
b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
index 38b4c87..fd14963 100644
--- 
a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
+++ 
b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
@@ -4465,6 +4465,187 @@ public class TestSentryStore extends org.junit.Assert {
     assertEquals(notificationID, savedNotificationID);
   }
 
+  @Test
+  public void testRevokeHiveAllPrivilegeFromImpalaUnset() throws Exception {
+
+    String roleName1 = "impala-r1";
+    String serverName = "server1";
+    String dbName = "db1";
+    String tableName = "tbl1";
+    String hiveAll = "*";
+    sentryStore.createSentryRole(roleName1);
+
+    TSentryPrivilege hive_privilege_tbl1 = new TSentryPrivilege();
+    hive_privilege_tbl1.setPrivilegeScope("TABLE");
+    hive_privilege_tbl1.setServerName(serverName);
+    hive_privilege_tbl1.setDbName(dbName);
+    hive_privilege_tbl1.setTableName(tableName);
+    hive_privilege_tbl1.setCreateTime(System.currentTimeMillis());
+    hive_privilege_tbl1.setAction(hiveAll);
+    hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+
+    TSentryPrivilege impala_privilege_tbl1_unset = new TSentryPrivilege();
+    impala_privilege_tbl1_unset.setPrivilegeScope("TABLE");
+    impala_privilege_tbl1_unset.setServerName(serverName);
+    impala_privilege_tbl1_unset.setDbName(dbName);
+    impala_privilege_tbl1_unset.setTableName(tableName);
+    impala_privilege_tbl1_unset.setCreateTime(System.currentTimeMillis());
+    impala_privilege_tbl1_unset.setAction("ALL");
+    impala_privilege_tbl1_unset.setGrantOption(TSentryGrantOption.UNSET);
+
+    TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+    tSentryAuthorizable.setServer(serverName);
+    tSentryAuthorizable.setDb(dbName);
+    tSentryAuthorizable.setTable(tableName);
+
+    // grant hive ALL privilege to role roleName1
+    sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, 
roleName1, Sets.newHashSet(hive_privilege_tbl1), null);
+
+    // revoke impala ALL privilege to role roleName1
+    sentryStore.alterSentryRoleRevokePrivileges(roleName1, 
Sets.newHashSet(impala_privilege_tbl1_unset));
+    Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = 
sentryStore.getRoleNameTPrivilegesMap(dbName, tableName);
+    assertNotNull(rolePrivilegesMap);
+    Set<TSentryPrivilege> rolePrivileges = rolePrivilegesMap.get(roleName1);
+    boolean privilegeRevoked = (rolePrivileges == null) || 
(rolePrivileges.size() == 0);
+    assertTrue(privilegeRevoked);
+  }
+
+  @Test
+  public void testRevokeHiveAllPrivilegeGrantOptionFromImpalaUnset() throws 
Exception {
+
+    String roleName1 = "impala-r1";
+    String serverName = "server1";
+    String dbName = "db1";
+    String tableName = "tbl1";
+    String hiveAll = "*";
+    sentryStore.createSentryRole(roleName1);
+
+    TSentryPrivilege hive_privilege_tbl1 = new TSentryPrivilege();
+    hive_privilege_tbl1.setPrivilegeScope("TABLE");
+    hive_privilege_tbl1.setServerName(serverName);
+    hive_privilege_tbl1.setDbName(dbName);
+    hive_privilege_tbl1.setTableName(tableName);
+    hive_privilege_tbl1.setCreateTime(System.currentTimeMillis());
+    hive_privilege_tbl1.setAction(hiveAll);
+    hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+
+    TSentryPrivilege impala_privilege_tbl1_unset = new TSentryPrivilege();
+    impala_privilege_tbl1_unset.setPrivilegeScope("TABLE");
+    impala_privilege_tbl1_unset.setServerName(serverName);
+    impala_privilege_tbl1_unset.setDbName(dbName);
+    impala_privilege_tbl1_unset.setTableName(tableName);
+    impala_privilege_tbl1_unset.setCreateTime(System.currentTimeMillis());
+    impala_privilege_tbl1_unset.setAction("ALL");
+    impala_privilege_tbl1_unset.setGrantOption(TSentryGrantOption.UNSET);
+
+    TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+    tSentryAuthorizable.setServer(serverName);
+    tSentryAuthorizable.setDb(dbName);
+    tSentryAuthorizable.setTable(tableName);
+
+    // grant hive ALL privilege to role roleName1
+    hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+    sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, 
roleName1, Sets.newHashSet(hive_privilege_tbl1), null);
+    hive_privilege_tbl1.setGrantOption(TSentryGrantOption.TRUE);
+    sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, 
roleName1, Sets.newHashSet(hive_privilege_tbl1), null);
+
+    // revoke impala ALL privilege to role roleName1
+    sentryStore.alterSentryRoleRevokePrivileges(roleName1, 
Sets.newHashSet(impala_privilege_tbl1_unset));
+    Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = 
sentryStore.getRoleNameTPrivilegesMap(dbName, tableName);
+    assertNotNull(rolePrivilegesMap);
+    Set<TSentryPrivilege> rolePrivileges = rolePrivilegesMap.get(roleName1);
+    boolean privilegeRevoked = (rolePrivileges == null) || 
(rolePrivileges.size() == 0);
+    assertTrue(privilegeRevoked);
+  }
+
+  @Test
+  public void testRevokeHiveAllPrivilegeFromImpala() throws Exception {
+
+    String roleName1 = "impala-r1";
+    String serverName = "server1";
+    String dbName = "db1";
+    String tableName = "tbl1";
+    sentryStore.createSentryRole(roleName1);
+
+    TSentryPrivilege hive_privilege_tbl1 = new TSentryPrivilege();
+    hive_privilege_tbl1.setPrivilegeScope("TABLE");
+    hive_privilege_tbl1.setServerName(serverName);
+    hive_privilege_tbl1.setDbName(dbName);
+    hive_privilege_tbl1.setTableName(tableName);
+    hive_privilege_tbl1.setCreateTime(System.currentTimeMillis());
+    hive_privilege_tbl1.setAction("*");
+    hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+
+    TSentryPrivilege impala_privilege_tbl1 = new TSentryPrivilege();
+    impala_privilege_tbl1.setPrivilegeScope("TABLE");
+    impala_privilege_tbl1.setServerName(serverName);
+    impala_privilege_tbl1.setDbName(dbName);
+    impala_privilege_tbl1.setTableName(tableName);
+    impala_privilege_tbl1.setCreateTime(System.currentTimeMillis());
+    impala_privilege_tbl1.setAction("ALL");
+    impala_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+
+    TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+    tSentryAuthorizable.setServer(serverName);
+    tSentryAuthorizable.setDb(dbName);
+    tSentryAuthorizable.setTable(tableName);
+
+    // grant hive ALL privilege to role roleName1
+    sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, 
roleName1, Sets.newHashSet(hive_privilege_tbl1), null);
+
+    // revoke impala ALL privilege to role roleName1
+    sentryStore.alterSentryRoleRevokePrivileges(roleName1, 
Sets.newHashSet(impala_privilege_tbl1));
+    Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = 
sentryStore.getRoleNameTPrivilegesMap(dbName, tableName);
+    assertNotNull(rolePrivilegesMap);
+    Set<TSentryPrivilege> rolePrivileges = rolePrivilegesMap.get(roleName1);
+    boolean privilegeRevoked = (rolePrivileges == null) || 
(rolePrivileges.size() == 0);
+    assertTrue(privilegeRevoked);
+  }
+
+  @Test
+  public void testRevokeImpalaAllPrivilegeFromHive() throws Exception {
+
+    String roleName1 = "impala-r1";
+    String serverName = "server1";
+    String dbName = "db1";
+    String tableName = "tbl1";
+    sentryStore.createSentryRole(roleName1);
+
+    TSentryPrivilege hive_privilege_tbl1 = new TSentryPrivilege();
+    hive_privilege_tbl1.setPrivilegeScope("TABLE");
+    hive_privilege_tbl1.setServerName(serverName);
+    hive_privilege_tbl1.setDbName(dbName);
+    hive_privilege_tbl1.setTableName(tableName);
+    hive_privilege_tbl1.setCreateTime(System.currentTimeMillis());
+    hive_privilege_tbl1.setAction("*");
+    hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+
+    TSentryPrivilege impala_privilege_tbl1 = new TSentryPrivilege();
+    impala_privilege_tbl1.setPrivilegeScope("TABLE");
+    impala_privilege_tbl1.setServerName(serverName);
+    impala_privilege_tbl1.setDbName(dbName);
+    impala_privilege_tbl1.setTableName(tableName);
+    impala_privilege_tbl1.setCreateTime(System.currentTimeMillis());
+    impala_privilege_tbl1.setAction("ALL");
+    impala_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+
+    TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+    tSentryAuthorizable.setServer(serverName);
+    tSentryAuthorizable.setDb(dbName);
+    tSentryAuthorizable.setTable(tableName);
+
+    // grant impala ALL privilege to role roleName1
+    sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, 
roleName1, Sets.newHashSet(impala_privilege_tbl1), null);
+
+    // revoke hive ALL privilege to role roleName1
+    sentryStore.alterSentryRoleRevokePrivileges(roleName1, 
Sets.newHashSet(hive_privilege_tbl1));
+    Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = 
sentryStore.getRoleNameTPrivilegesMap(dbName, tableName);
+    assertNotNull(rolePrivilegesMap);
+    Set<TSentryPrivilege> rolePrivileges = rolePrivilegesMap.get(roleName1);
+    boolean privilegeRevoked = (rolePrivileges == null) || 
(rolePrivileges.size() == 0);
+    assertTrue(privilegeRevoked);
+  }
+
   private TSentryPrivilege toTSentryPrivilege(String action, String scope, 
String server,
     String dbName, String tableName) {
     TSentryPrivilege privilege = new TSentryPrivilege();

Reply via email to