This is an automated email from the ASF dual-hosted git repository. hahao pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/sentry.git
The following commit(s) were added to refs/heads/master by this push: new b71a78e SENTRY-2523: Fix response of list_sentry_privileges_by_authorizable_and_user API (Hao Hao reviewed by Arjun Mishra) b71a78e is described below commit b71a78ed960702536b35e1f048dc40dfc79992d4 Author: Hao Hao <hao....@cloudera.com> AuthorDate: Mon Jun 10 22:43:28 2019 -0700 SENTRY-2523: Fix response of list_sentry_privileges_by_authorizable_and_user API (Hao Hao reviewed by Arjun Mishra) Change-Id: Idba4cda1a78cf7468e1a0c9f6c1c3223984f00f2 --- .../TListSentryPrivilegesByAuthUserResponse.java | 111 +++++++++++---------- .../main/resources/sentry_policy_service.thrift | 2 +- .../thrift/TestSentryPolicyStoreProcessor.java | 12 ++- 3 files changed, 72 insertions(+), 53 deletions(-) diff --git a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserResponse.java b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserResponse.java index f9f0e64..9985be8 100644 --- a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserResponse.java +++ b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserResponse.java @@ -48,7 +48,7 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif } private org.apache.sentry.service.thrift.TSentryResponseStatus status; // required - private Map<TSentryAuthorizable,Set<TSentryPrivilege>> privilegesMapByAuth; // required + private Map<TSentryAuthorizable,Set<TSentryPrivilege>> privilegesMapByAuth; // optional /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ public enum _Fields implements org.apache.thrift.TFieldIdEnum { 
@@ -112,12 +112,13 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif } // isset id assignments + private static final _Fields optionals[] = {_Fields.PRIVILEGES_MAP_BY_AUTH}; public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap; static { Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); tmpMap.put(_Fields.STATUS, new org.apache.thrift.meta_data.FieldMetaData("status", org.apache.thrift.TFieldRequirementType.REQUIRED, new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, org.apache.sentry.service.thrift.TSentryResponseStatus.class))); - tmpMap.put(_Fields.PRIVILEGES_MAP_BY_AUTH, new org.apache.thrift.meta_data.FieldMetaData("privilegesMapByAuth", org.apache.thrift.TFieldRequirementType.REQUIRED, + tmpMap.put(_Fields.PRIVILEGES_MAP_BY_AUTH, new org.apache.thrift.meta_data.FieldMetaData("privilegesMapByAuth", org.apache.thrift.TFieldRequirementType.OPTIONAL, new org.apache.thrift.meta_data.MapMetaData(org.apache.thrift.protocol.TType.MAP, new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryAuthorizable.class), new org.apache.thrift.meta_data.SetMetaData(org.apache.thrift.protocol.TType.SET, @@ -130,12 +131,10 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif } public TListSentryPrivilegesByAuthUserResponse( - org.apache.sentry.service.thrift.TSentryResponseStatus status, - Map<TSentryAuthorizable,Set<TSentryPrivilege>> privilegesMapByAuth) + org.apache.sentry.service.thrift.TSentryResponseStatus status) { this(); this.status = status; - this.privilegesMapByAuth = privilegesMapByAuth; } /** 
@@ -386,14 +385,16 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif sb.append(this.status); } first = false; - if (!first) sb.append(", "); - sb.append("privilegesMapByAuth:"); - if (this.privilegesMapByAuth == null) { - sb.append("null"); - } else { - sb.append(this.privilegesMapByAuth); + if (isSetPrivilegesMapByAuth()) { + if (!first) sb.append(", "); + sb.append("privilegesMapByAuth:"); + if (this.privilegesMapByAuth == null) { + sb.append("null"); + } else { + sb.append(this.privilegesMapByAuth); + } + first = false; } - first = false; sb.append(")"); return sb.toString(); } @@ -404,10 +405,6 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif throw new org.apache.thrift.protocol.TProtocolException("Required field 'status' is unset! Struct:" + toString()); } - if (!isSetPrivilegesMapByAuth()) { - throw new org.apache.thrift.protocol.TProtocolException("Required field 'privilegesMapByAuth' is unset! Struct:" + toString()); - } - // check for sub-struct validity if (status != null) { status.validate(); 
@@ -508,24 +505,26 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif oprot.writeFieldEnd(); } if (struct.privilegesMapByAuth != null) { - oprot.writeFieldBegin(PRIVILEGES_MAP_BY_AUTH_FIELD_DESC); - { - oprot.writeMapBegin(new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.SET, struct.privilegesMapByAuth.size())); - for (Map.Entry<TSentryAuthorizable, Set<TSentryPrivilege>> _iter189 : struct.privilegesMapByAuth.entrySet()) + if (struct.isSetPrivilegesMapByAuth()) { + oprot.writeFieldBegin(PRIVILEGES_MAP_BY_AUTH_FIELD_DESC); { - _iter189.getKey().write(oprot); + oprot.writeMapBegin(new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.SET, struct.privilegesMapByAuth.size())); + for (Map.Entry<TSentryAuthorizable, Set<TSentryPrivilege>> _iter189 : struct.privilegesMapByAuth.entrySet()) { - oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, _iter189.getValue().size())); - for (TSentryPrivilege _iter190 : _iter189.getValue()) + _iter189.getKey().write(oprot); { - _iter190.write(oprot); + oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, _iter189.getValue().size())); + for (TSentryPrivilege _iter190 : _iter189.getValue()) + { + _iter190.write(oprot); + } + oprot.writeSetEnd(); } - oprot.writeSetEnd(); } + oprot.writeMapEnd(); } - oprot.writeMapEnd(); + oprot.writeFieldEnd(); } - oprot.writeFieldEnd(); } oprot.writeFieldStop(); oprot.writeStructEnd(); 
@@ -545,16 +544,23 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif public void write(org.apache.thrift.protocol.TProtocol prot, TListSentryPrivilegesByAuthUserResponse struct) throws org.apache.thrift.TException { TTupleProtocol oprot = (TTupleProtocol) prot; struct.status.write(oprot); - { - oprot.writeI32(struct.privilegesMapByAuth.size()); - for (Map.Entry<TSentryAuthorizable, Set<TSentryPrivilege>> _iter191 : struct.privilegesMapByAuth.entrySet()) + BitSet optionals = new BitSet(); + if (struct.isSetPrivilegesMapByAuth()) { + optionals.set(0); + } + oprot.writeBitSet(optionals, 1); + if (struct.isSetPrivilegesMapByAuth()) { { - _iter191.getKey().write(oprot); + oprot.writeI32(struct.privilegesMapByAuth.size()); + for (Map.Entry<TSentryAuthorizable, Set<TSentryPrivilege>> _iter191 : struct.privilegesMapByAuth.entrySet()) { - oprot.writeI32(_iter191.getValue().size()); - for (TSentryPrivilege _iter192 : _iter191.getValue()) + _iter191.getKey().write(oprot); { - _iter192.write(oprot); + oprot.writeI32(_iter191.getValue().size()); + for (TSentryPrivilege _iter192 : _iter191.getValue()) + { + _iter192.write(oprot); + } } } } 
@@ -567,30 +573,33 @@ public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrif struct.status = new org.apache.sentry.service.thrift.TSentryResponseStatus(); struct.status.read(iprot); struct.setStatusIsSet(true); - { - org.apache.thrift.protocol.TMap _map193 = new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.SET, iprot.readI32()); - struct.privilegesMapByAuth = new HashMap<TSentryAuthorizable,Set<TSentryPrivilege>>(2*_map193.size); - TSentryAuthorizable _key194; - Set<TSentryPrivilege> _val195; - for (int _i196 = 0; _i196 < _map193.size; ++_i196) + BitSet incoming = iprot.readBitSet(1); + if (incoming.get(0)) { { - _key194 = new TSentryAuthorizable(); - _key194.read(iprot); + org.apache.thrift.protocol.TMap _map193 = new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.SET, iprot.readI32()); + struct.privilegesMapByAuth = new HashMap<TSentryAuthorizable,Set<TSentryPrivilege>>(2*_map193.size); + TSentryAuthorizable _key194; + Set<TSentryPrivilege> _val195; + for (int _i196 = 0; _i196 < _map193.size; ++_i196) { - org.apache.thrift.protocol.TSet _set197 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32()); - _val195 = new HashSet<TSentryPrivilege>(2*_set197.size); - TSentryPrivilege _elem198; - for (int _i199 = 0; _i199 < _set197.size; ++_i199) + _key194 = new TSentryAuthorizable(); + _key194.read(iprot); { - _elem198 = new TSentryPrivilege(); - _elem198.read(iprot); - _val195.add(_elem198); + org.apache.thrift.protocol.TSet _set197 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32()); + _val195 = new HashSet<TSentryPrivilege>(2*_set197.size); + TSentryPrivilege _elem198; + for (int _i199 = 0; _i199 < _set197.size; ++_i199) + { + _elem198 = new TSentryPrivilege(); + _elem198.read(iprot); + _val195.add(_elem198); + } } + 
struct.privilegesMapByAuth.put(_key194, _val195); } - struct.privilegesMapByAuth.put(_key194, _val195); } + struct.setPrivilegesMapByAuthIsSet(true); } - struct.setPrivilegesMapByAuthIsSet(true); } } diff --git a/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift b/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift index 953b96b..0656d4e 100644 --- a/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift +++ b/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift @@ -293,7 +293,7 @@ struct TListSentryPrivilegesByAuthUserRequest { struct TListSentryPrivilegesByAuthUserResponse { 1: required sentry_common_service.TSentryResponseStatus status, # Authorizable to set of privileges map -2: required map<TSentryAuthorizable, set<TSentryPrivilege>> privilegesMapByAuth, +2: optional map<TSentryAuthorizable, set<TSentryPrivilege>> privilegesMapByAuth, } # Obtain a config value from the Sentry service diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java index e593870..a5cf364 100644 --- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java +++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java 
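Review bot: In the `sentry_policy_service.thrift` hunk, field 2 of `TListSentryPrivilegesByAuthUserResponse` becomes `optional`, but the comment above it does not say when the map is absent, so callers of the generated `getPrivilegesMapByAuth()` have no hint that it can now return null. Judging by the test added in this commit, the map is left unset when the status is not OK (access denied), so I would extend the comment to `# Authorizable to set of privileges map; unset when the status is not OK`. Clients generated from the earlier IDL still carry the "Required field 'privilegesMapByAuth' is unset" check that this commit removes, and would presumably reject such a response. That compatibility expectation is worth a line in the commit description.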
@@ -36,6 +36,7 @@ import org.apache.sentry.api.common.ApiConstants; import org.apache.sentry.api.common.Status; import org.apache.sentry.api.common.ThriftConstants; import org.apache.sentry.core.common.exception.SentryInvalidInputException; +import org.apache.sentry.core.common.exception.SentryAccessDeniedException; import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.provider.common.GroupMappingService; import org.apache.sentry.provider.db.service.persistent.CounterWait; @@ -372,7 +373,6 @@ public class TestSentryPolicyStoreProcessor { Assert.assertEquals(expectedResp.getStatus().getValue(), returnedResp.getStatus().getValue()); - // Prepare request for getting privileges for user1 based on the given authorizables TSentryAuthorizable requestedAuthorizable = new TSentryAuthorizable(); requestedAuthorizable.setServer("server1"); requestedAuthorizable.setDb("db1"); @@ -384,6 +384,16 @@ public class TestSentryPolicyStoreProcessor { Set<String> groups = new HashSet<>(); groups.add(g1); + // Request privileges when user is unknown throw an access denied exception. + returnedResp = policyStoreProcessor.list_sentry_privileges_by_authorizable_and_user( + newAuthRequest("unknown_user", requestedAuthorizables, user1)); + expectedResp = new TListSentryPrivilegesByAuthUserResponse(); + expectedResp.setStatus(Status.AccessDenied("Access denied to unknown_user", + new SentryAccessDeniedException("Access denied to unknown_user"))); + Assert.assertEquals(expectedResp.getStatus().getValue(), + returnedResp.getStatus().getValue()); + + // Prepare request for getting privileges for user1 based on the given authorizables. Set<TSentryPrivilege> user1Privileges = Sets.newHashSet( newSentryPrivilege("database", "db1", "t1", "*"), newSentryPrivilege("database", "db1", "t2", "*"));
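Review bot: The access-denied case added in the last hunk of `TestSentryPolicyStoreProcessor.java` compares only the status value, so it would still pass if a denied response carried privilege data. Adding `Assert.assertFalse(returnedResp.isSetPrivilegesMapByAuth());` after the status assertion would pin that nothing is returned to a requestor who is refused. The new comment says the call throws, while the test reads a returned status; `// Requesting privileges as an unknown user returns an AccessDenied status.` matches what is asserted. The test method starts and ends outside the hunk.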