http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
index 2cc8194..90308f4 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
@@ -18,6 +18,8 @@ package org.apache.sentry.provider.db.log.entity;
+import java.util.Set;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.sentry.provider.db.log.util.CommandUtil;
 import org.apache.sentry.provider.db.log.util.Constants;
@@ -38,6 +40,8 @@ import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
 import org.apache.sentry.service.thrift.Status;
 import org.apache.sentry.service.thrift.TSentryResponseStatus;
+import com.google.common.collect.ImmutableSet;
+
 public class JsonLogEntityFactory {
 private static JsonLogEntityFactory factory = new JsonLogEntityFactory();
@@ -69,27 +73,50 @@ public class JsonLogEntityFactory { return amle; } - public JsonLogEntity createJsonLogEntity( + public Set<JsonLogEntity> createJsonLogEntitys( TAlterSentryRoleGrantPrivilegeRequest request, TAlterSentryRoleGrantPrivilegeResponse response, Configuration conf) { + ImmutableSet.Builder<JsonLogEntity> setBuilder = ImmutableSet.builder(); + if (request.isSetPrivileges()) { + for (TSentryPrivilege privilege : request.getPrivileges()) { + JsonLogEntity logEntity = createJsonLogEntity(request, privilege, response, conf); + setBuilder.add(logEntity); + } + } + return setBuilder.build(); + } + + private JsonLogEntity createJsonLogEntity( + TAlterSentryRoleGrantPrivilegeRequest request, TSentryPrivilege privilege, + TAlterSentryRoleGrantPrivilegeResponse response, Configuration conf) { AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(), request.getRequestorUserName(), request.getClass().getName()); amle.setOperationText(CommandUtil.createCmdForGrantPrivilege(request)); - TSentryPrivilege privilege = request.getPrivilege(); amle.setDatabaseName(privilege.getDbName()); amle.setTableName(privilege.getTableName()); amle.setResourcePath(privilege.getURI()); - return amle; } - public JsonLogEntity createJsonLogEntity( + public Set<JsonLogEntity> createJsonLogEntitys( TAlterSentryRoleRevokePrivilegeRequest request, TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) { + ImmutableSet.Builder<JsonLogEntity> setBuilder = ImmutableSet.builder(); + if (request.isSetPrivileges()) { + for (TSentryPrivilege privilege : request.getPrivileges()) { + JsonLogEntity logEntity = createJsonLogEntity(request, privilege, response, conf); + setBuilder.add(logEntity); + } + } + return setBuilder.build(); + } + + private JsonLogEntity createJsonLogEntity( + TAlterSentryRoleRevokePrivilegeRequest request, TSentryPrivilege privilege, + TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) { AuditMetadataLogEntity amle = 
createCommonAMLE(conf, response.getStatus(), request.getRequestorUserName(), request.getClass().getName()); amle.setOperationText(CommandUtil.createCmdForRevokePrivilege(request)); - TSentryPrivilege privilege = request.getPrivilege(); amle.setDatabaseName(privilege.getDbName()); amle.setTableName(privilege.getTableName()); amle.setResourcePath(privilege.getURI());
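Review bot: The per-privilege audit entity built by the new private createJsonLogEntity copies dbName, tableName and URI from the TSentryPrivilege but never its column, so a column-scoped grant or revoke is indistinguishable from a table-scoped one in the audit log even though this commit introduces a column log field elsewhere; if AuditMetadataLogEntity gains a column setter in this commit, add `amle.setColumnName(privilege.getColumnName());` beside `amle.setTableName(...)` in both the grant and revoke variants. When `request.isSetPrivileges()` is false or the set is empty, createJsonLogEntitys returns an empty set and nothing at all is audited for that request, including a rejected or failed response status; consider emitting one entity built from the request alone in that case so the attempt is still recorded. Note also that operationText is rendered from the whole request, so every per-privilege entity carries the full multi-privilege command text — presumably intended, but worth a one-line comment. The hunk ends mid-method; the revoke variant's `return amle;` is outside the visible lines.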
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
index 841eeb3..9beef83 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
@@ -19,6 +19,7 @@ package org.apache.sentry.provider.db.log.util;
 import java.util.Iterator;
+import java.util.Set;
 import org.apache.sentry.core.model.db.AccessConstants;
 import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
@@ -87,14 +88,25 @@ public class CommandUtil {
 public static String createCmdForGrantPrivilege( TAlterSentryRoleGrantPrivilegeRequest request) {
- return createCmdForGrantOrRevokePrivilege(request.getRoleName(),
- request.getPrivilege(), true);
+ return createCmdForGrantOrRevokePrivileges(request.getRoleName(),
+ request.getPrivileges(), true);
 }
 public static String createCmdForRevokePrivilege( TAlterSentryRoleRevokePrivilegeRequest request) {
- return createCmdForGrantOrRevokePrivilege(request.getRoleName(),
- request.getPrivilege(), false);
+ return createCmdForGrantOrRevokePrivileges(request.getRoleName(),
+ request.getPrivileges(), false);
+ }
+
+ private static String createCmdForGrantOrRevokePrivileges(String roleName,
+ Set<TSentryPrivilege> privileges, boolean isGrant) {
+ StringBuilder sb = new StringBuilder();
+ if (privileges != null) {
+ for (TSentryPrivilege privilege : privileges) {
+ sb.append(createCmdForGrantOrRevokePrivilege(roleName, privilege, isGrant));
+ }
+ }
+ return sb.toString();
 }
 private static String createCmdForGrantOrRevokePrivilege(String roleName,
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
index 9f16b73..072a0e8 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
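Review bot: createCmdForGrantOrRevokePrivileges appends the per-privilege command strings back to back with no separator, so unless createCmdForGrantOrRevokePrivilege (whose body starts at the last context line and continues outside the hunk) already terminates each statement, a multi-privilege request is audited as one run-together string that cannot be split back into individual GRANT/REVOKE statements. Insert a delimiter between entries, e.g. `if (sb.length() > 0) { sb.append("; "); }` immediately before the `sb.append(...)` call, and give the method a one-line Javadoc stating that the result lists one statement per privilege in the iteration order of the (unordered) set. The null guard on `privileges` is good; an empty set yields "" which then becomes the audit entity's operation text, which is probably acceptable but worth saying in that Javadoc.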
@@ -41,6 +41,7 @@ public class Constants {
 public final static String LOG_FIELD_ALLOWED = "allowed";
 public final static String LOG_FIELD_DATABASE_NAME = "databaseName";
 public final static String LOG_FIELD_TABLE_NAME = "tableName";
+ public final static String LOG_FIELD_COLUMN_NAME = "column";
 public final static String LOG_FIELD_RESOURCE_PATH = "resourcePath";
 public final static String LOG_FIELD_OBJECT_TYPE = "objectType";
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
index 1150e47..3c8777c 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
@@ -41,6 +41,7 @@ public class MSentryPrivilege {
 private String serverName = "";
 private String dbName = "";
 private String tableName = "";
+ private String columnName = "";
 private String URI = "";
 private String action = "";
 private Boolean grantOption = false;
@@ -53,12 +54,13 @@ public class MSentryPrivilege { } public MSentryPrivilege(String privilegeName, String privilegeScope, - String serverName, String dbName, String tableName, String URI, - String action, Boolean grantOption) { + String serverName, String dbName, String tableName, String columnName, + String URI, String action, Boolean grantOption) { this.privilegeScope = privilegeScope; this.serverName = serverName; this.dbName = SentryStore.toNULLCol(dbName); this.tableName = SentryStore.toNULLCol(tableName); + this.columnName = SentryStore.toNULLCol(columnName); this.URI = SentryStore.toNULLCol(URI); this.action = SentryStore.toNULLCol(action); this.grantOption = grantOption; @@ -66,10 +68,10 @@ public class MSentryPrivilege { } public MSentryPrivilege(String privilegeName, String privilegeScope, - String serverName, String dbName, String tableName, String URI, - String action) { + String serverName, String dbName, String tableName, String columnName, + String URI, String action) { this(privilegeName, privilegeScope, serverName, dbName, tableName, - URI, action, false); + columnName, URI, action, false); } public MSentryPrivilege(MSentryPrivilege other) { @@ -77,6 +79,7 @@ public class MSentryPrivilege { this.serverName = other.serverName; this.dbName = SentryStore.toNULLCol(other.dbName); this.tableName = SentryStore.toNULLCol(other.tableName); + this.columnName = SentryStore.toNULLCol(other.columnName); this.URI = SentryStore.toNULLCol(other.URI); this.action = SentryStore.toNULLCol(other.action); this.grantOption = other.grantOption; @@ -110,6 +113,14 @@ public class MSentryPrivilege { this.tableName = (tableName == null) ? "" : tableName; } + public String getColumnName() { + return columnName; + } + + public void setColumnName(String columnName) { + this.columnName = (columnName == null) ? "" : columnName; + } + public String getURI() { return URI; } 
@@ -167,67 +178,74 @@ public class MSentryPrivilege { public String toString() { return "MSentryPrivilege [privilegeScope=" + privilegeScope + ", serverName=" + serverName + ", dbName=" + dbName - + ", tableName=" + tableName + ", URI=" + URI - + ", action=" + action + ", roles=[...]" + ", createTime=" - + createTime - + ", grantOption=" + grantOption +"]"; + + ", tableName=" + tableName + ", columnName=" + columnName + + ", URI=" + URI + ", action=" + action + ", roles=[...]" + + ", createTime=" + createTime + ", grantOption=" + grantOption +"]"; } -@Override -public int hashCode() { - final int prime = 31; - int result = 1; - result = prime * result + ((URI == null) ? 0 : URI.hashCode()); - result = prime * result + ((action == null) ? 0 : action.hashCode()); - result = prime * result + ((dbName == null) ? 0 : dbName.hashCode()); - result = prime * result - + ((serverName == null) ? 0 : serverName.hashCode()); - result = prime * result + ((tableName == null) ? 0 : tableName.hashCode()); - result = prime * result + ((grantOption == null) ? 0 : grantOption.hashCode()); - return result; -} + @Override + public int hashCode() { + final int prime = 31; + int result = 1; + result = prime * result + ((URI == null) ? 0 : URI.hashCode()); + result = prime * result + ((action == null) ? 0 : action.hashCode()); + result = prime * result + ((dbName == null) ? 0 : dbName.hashCode()); + result = prime * result + + ((serverName == null) ? 0 : serverName.hashCode()); + result = prime * result + ((tableName == null) ? 0 : tableName.hashCode()); + result = prime * result + + ((columnName == null) ? 0 : columnName.hashCode()); + result = prime * result + + ((grantOption == null) ? 
0 : grantOption.hashCode()); + return result; + } -@Override -public boolean equals(Object obj) { - if (this == obj) - return true; - if (obj == null) - return false; - if (getClass() != obj.getClass()) - return false; - MSentryPrivilege other = (MSentryPrivilege) obj; - if (URI == null) { - if (other.URI != null) - return false; - } else if (!URI.equals(other.URI)) - return false; - if (action == null) { - if (other.action != null) - return false; - } else if (!action.equals(other.action)) - return false; - if (dbName == null) { - if (other.dbName != null) - return false; - } else if (!dbName.equals(other.dbName)) - return false; - if (serverName == null) { - if (other.serverName != null) - return false; - } else if (!serverName.equals(other.serverName)) - return false; - if (tableName == null) { - if (other.tableName != null) - return false; - } else if (!tableName.equals(other.tableName)) - return false; - if (grantOption == null) { - if (other.grantOption != null) - return false; - } else if (!grantOption.equals(other.grantOption)) - return false; - return true; -} + @Override + public boolean equals(Object obj) { + if (this == obj) + return true; + if (obj == null) + return false; + if (getClass() != obj.getClass()) + return false; + MSentryPrivilege other = (MSentryPrivilege) obj; + if (URI == null) { + if (other.URI != null) + return false; + } else if (!URI.equals(other.URI)) + return false; + if (action == null) { + if (other.action != null) + return false; + } else if (!action.equals(other.action)) + return false; + if (dbName == null) { + if (other.dbName != null) + return false; + } else if (!dbName.equals(other.dbName)) + return false; + if (serverName == null) { + if (other.serverName != null) + return false; + } else if (!serverName.equals(other.serverName)) + return false; + if (tableName == null) { + if (other.tableName != null) + return false; + } else if (!tableName.equals(other.tableName)) + return false; + if (columnName == null) { + if 
(other.columnName != null) + return false; + } else if (!columnName.equals(other.columnName)) + return false; + if (grantOption == null) { + if (other.grantOption != null) + return false; + } else if (!grantOption.equals(other.grantOption)) + return false; + return true; + } /** * Return true if this privilege implies other privilege @@ -263,6 +281,13 @@ public boolean equals(Object obj) { return false; } } + if (!isNULL(columnName)) { + if (isNULL(other.columnName)) { + return false; + } else if (!columnName.equals(other.columnName)) { + return false; + } + } // if URI is not equals, return false } else { return false; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo index 9abaab8..594201f 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo @@ -85,6 +85,7 @@ <field name="serverName"/> <field name="dbName"/> <field name="tableName"/> + <field name="columnName"/> <field name="URI"/> <field name="action"/> <field name="grantOption"/> 
@@ -101,6 +102,9 @@
 <field name="tableName">
 <column name="TABLE_NAME" length="4000" jdbc-type="VARCHAR"/>
 </field>
+ <field name="columnName">
+ <column name="COLUMN_NAME" length="4000" jdbc-type="VARCHAR"/>
+ </field>
 <field name="URI">
 <column name="URI" length="4000" jdbc-type="VARCHAR"/>
 </field>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 743900b..d163418 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
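Review bot: Mapping a new COLUMN_NAME column onto the existing privilege table leaves every row written before the upgrade with a SQL NULL there, while the Java side only ever compares against the `__NULL__` sentinel that toNULLCol produces (the SentryStore filters in this same commit use `columnName == "__NULL__"` and `columnName != "__NULL__"`). A JDOQL `==` against the sentinel does not match a NULL, so after the schema change pre-existing server-, db- and table-level privileges would silently drop out of the authorization lookup until the column is backfilled — fail-closed, but it breaks every existing grant at once. Unless they are elsewhere in this commit, add per-dialect schema upgrade scripts that add the column and backfill `COLUMN_NAME = '__NULL__'` where it is NULL, and if the mapping layer supports it give the column a default of the same sentinel so auto-created schemas behave identically.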
@@ -318,19 +318,27 @@ public class SentryStore { public CommitContext alterSentryRoleGrantPrivilege(String grantorPrincipal, String roleName, TSentryPrivilege privilege) throws SentryUserException { + return alterSentryRoleGrantPrivileges(grantorPrincipal, + roleName, Sets.newHashSet(privilege)); + } + + public CommitContext alterSentryRoleGrantPrivileges(String grantorPrincipal, + String roleName, Set<TSentryPrivilege> privileges) + throws SentryUserException { boolean rollbackTransaction = true; PersistenceManager pm = null; roleName = trimAndLower(roleName); try { pm = openTransaction(); - // first do grant check - grantOptionCheck(pm, grantorPrincipal, privilege); + for (TSentryPrivilege privilege : privileges) { + // first do grant check + grantOptionCheck(pm, grantorPrincipal, privilege); + + MSentryPrivilege mPrivilege = alterSentryRoleGrantPrivilegeCore(pm, roleName, privilege); - MSentryPrivilege mPrivilege = - alterSentryRoleGrantPrivilegeCore(pm, roleName, privilege); - // capture the new privilege - if (mPrivilege != null) { - convertToTSentryPrivilege(mPrivilege, privilege); + if (mPrivilege != null) { + convertToTSentryPrivilege(mPrivilege, privilege); + } } CommitContext commit = commitUpdateTransaction(pm); rollbackTransaction = false; @@ -351,7 +359,8 @@ public class SentryStore { throw new SentryNoSuchObjectException("Role: " + roleName); } else { - if ((!isNULL(privilege.getTableName())) || (!isNULL(privilege.getDbName()))) { + if ((!isNULL(privilege.getColumnName())) || (!isNULL(privilege.getTableName())) + || (!isNULL(privilege.getDbName()))) { // If Grant is for ALL and Either INSERT/SELECT already exists.. // need to remove it and GRANT ALL.. if (privilege.getAction().equalsIgnoreCase("*")) { 
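Review bot: In alterSentryRoleGrantPrivileges the grant-option check for privilege N+1 runs after privilege N has already been written through the same PersistenceManager, so if grantOptionCheck queries privileges via that pm and the grantor belongs to roleName, a privilege granted earlier in the batch (with grant option) can be what satisfies the check for a later one — a batch could then authorize more than any sequence of single-privilege requests would. Unless grantOptionCheck is known to read only committed state, authorize the whole set before applying any change, as sketched below. The method also iterates `privileges` without a null guard, so an unset privileges field surfaces as a NullPointerException rather than a SentryInvalidInputException. The second hunk's columnName test in alterSentryRoleGrantPrivilegeCore is consistent with the existing table/db checks; the rollback handling for both methods is outside the hunk.
```java
      pm = openTransaction();
      // Authorize the whole batch before mutating anything, so a privilege
      // granted earlier in this set can never satisfy the check for a later one.
      for (TSentryPrivilege privilege : privileges) {
        grantOptionCheck(pm, grantorPrincipal, privilege);
      }
      for (TSentryPrivilege privilege : privileges) {
        MSentryPrivilege mPrivilege = alterSentryRoleGrantPrivilegeCore(pm, roleName, privilege);
        // capture the new privilege
        if (mPrivilege != null) {
          convertToTSentryPrivilege(mPrivilege, privilege);
        }
      }
      // … unchanged: commitUpdateTransaction and rollback handling …
```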
@@ -391,17 +400,25 @@ public class SentryStore { return mPrivilege; } - public CommitContext alterSentryRoleRevokePrivilege(String grantorPrincipal, String roleName, - TSentryPrivilege tPrivilege) throws SentryUserException { + public CommitContext alterSentryRoleRevokePrivilege(String grantorPrincipal, + String roleName, TSentryPrivilege tPrivilege) throws SentryUserException { + return alterSentryRoleRevokePrivileges(grantorPrincipal, + roleName, Sets.newHashSet(tPrivilege)); + } + + public CommitContext alterSentryRoleRevokePrivileges(String grantorPrincipal, + String roleName, Set<TSentryPrivilege> tPrivileges) throws SentryUserException { boolean rollbackTransaction = true; PersistenceManager pm = null; roleName = safeTrimLower(roleName); try { pm = openTransaction(); - // first do revoke check - grantOptionCheck(pm, grantorPrincipal, tPrivilege); + for (TSentryPrivilege tPrivilege : tPrivileges) { + // first do revoke check + grantOptionCheck(pm, grantorPrincipal, tPrivilege); - alterSentryRoleRevokePrivilegeCore(pm, roleName, tPrivilege); + alterSentryRoleRevokePrivilegeCore(pm, roleName, tPrivilege); + } CommitContext commit = commitUpdateTransaction(pm); rollbackTransaction = false; 
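Review bot: alterSentryRoleRevokePrivileges interleaves check and action the same way as the grant path: grantOptionCheck for each privilege runs after earlier entries of the set have already been revoked through the same PersistenceManager, so whether a batch is accepted can depend on HashSet iteration order when the grantor's own grant-option privilege is among the ones being revoked. Running grantOptionCheck over all of `tPrivileges` first and only then calling alterSentryRoleRevokePrivilegeCore in a second loop makes the outcome order-independent and mirrors what the grant path should do. A null `tPrivileges` also needs a guard with a clear message, since the loop otherwise throws NullPointerException. The catch/rollback block that closes the try is outside the hunk.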
@@ -508,12 +525,14 @@ public class SentryStore { */ private void populateChildren(Set<String> roleNames, MSentryPrivilege priv, Set<MSentryPrivilege> children) throws SentryInvalidInputException { - if ((!isNULL(priv.getServerName())) || (!isNULL(priv.getDbName()))) { - // Get all DBLevel Privs + if ((!isNULL(priv.getServerName())) || (!isNULL(priv.getDbName())) + || (!isNULL(priv.getTableName()))) { + // Get all TableLevel Privs Set<MSentryPrivilege> childPrivs = getChildPrivileges(roleNames, priv); for (MSentryPrivilege childPriv : childPrivs) { - // Only recurse for db level privs.. - if ((!isNULL(childPriv.getDbName())) && (!isNULL(childPriv.getTableName()))) { + // Only recurse for table level privs.. + if ((!isNULL(childPriv.getDbName())) && (!isNULL(childPriv.getTableName())) + && (!isNULL(childPriv.getColumnName()))) { populateChildren(roleNames, childPriv, children); } children.add(childPriv); @@ -523,8 +542,8 @@ public class SentryStore { private Set<MSentryPrivilege> getChildPrivileges(Set<String> roleNames, MSentryPrivilege parent) throws SentryInvalidInputException { - // Table and URI do not have children - if ((!isNULL(parent.getTableName()))||(!isNULL(parent.getURI()))) return new HashSet<MSentryPrivilege>(); + // Column and URI do not have children + if ((!isNULL(parent.getColumnName()))||(!isNULL(parent.getURI()))) return new HashSet<MSentryPrivilege>(); boolean rollbackTransaction = true; PersistenceManager pm = null; try { 
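Review bot: The recursion condition in populateChildren now fires only for children that already carry a columnName, yet getChildPrivileges returns an empty set for a column-level parent (the first line of its hunk), so the recursive call can never add anything; and since the filters getChildPrivileges builds (server → any dbName, db → any tableName, table → any columnName) already return every descendant in one query, no recursion is needed at any level. Either drop the recursive call or replace the `// Only recurse for table level privs..` comment with one that states the truth, e.g. `// column-level privileges are leaves; getChildPrivileges already returned all descendants`, so the next reader does not assume the traversal is what collects grandchildren. The `// Get all TableLevel Privs` comment is likewise misleading for a server- or db-level parent. Behaviour is unchanged; this is a readability point.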
@@ -541,14 +560,20 @@ public class SentryStore { filters.append(" && serverName == \"" + parent.getServerName() + "\""); if (!isNULL(parent.getDbName())) { filters.append(" && dbName == \"" + parent.getDbName() + "\""); - filters.append(" && tableName != \"__NULL__\""); + if (!isNULL(parent.getTableName())) { + filters.append(" && tableName == \"" + parent.getTableName() + "\""); + filters.append(" && columnName != \"__NULL__\""); + } else { + filters.append(" && tableName != \"__NULL__\""); + } } else { filters.append(" && (dbName != \"__NULL__\" || URI != \"__NULL__\")"); } query.setFilter(filters.toString()); query - .setResult("privilegeScope, serverName, dbName, tableName, URI, action, grantOption"); + .setResult("privilegeScope, serverName, dbName, tableName, columnName," + + " URI, action, grantOption"); Set<MSentryPrivilege> privileges = new HashSet<MSentryPrivilege>(); for (Object[] privObj : (List<Object[]>) query.execute()) { MSentryPrivilege priv = new MSentryPrivilege(); @@ -556,9 +581,10 @@ public class SentryStore { priv.setServerName((String) privObj[1]); priv.setDbName((String) privObj[2]); priv.setTableName((String) privObj[3]); - priv.setURI((String) privObj[4]); - priv.setAction((String) privObj[5]); - priv.setGrantOption((Boolean) privObj[6]); + priv.setColumnName((String) privObj[4]); + priv.setURI((String) privObj[5]); + priv.setAction((String) privObj[6]); + priv.setGrantOption((Boolean) privObj[7]); privileges.add(priv); } rollbackTransaction = false; 
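Review bot: The new `tableName == "..."` clause follows the file's habit of splicing values straight into the JDOQL filter string; `parent` is a stored MSentryPrivilege whose names were lowercased and trimmed on the way in but not otherwise constrained, so a table name containing a double quote breaks or reshapes the query. Since this hunk already rewrites the filter construction, it is a natural place to move to declared parameters — e.g. `query.declareParameters("String tbl");` with `filters.append(" && this.tableName == tbl");` and `query.executeWithMap(params)` — which is how grantOption is already handled in getMSentryPrivilege below. The remapping of the result columns to indices 4..7 matches the new setResult list; the transaction close for this method is outside the hunk.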
@@ -571,11 +597,35 @@ public class SentryStore { } } + private List<MSentryPrivilege> getMSentryPrivileges(TSentryPrivilege tPriv, PersistenceManager pm) { + Query query = pm.newQuery(MSentryPrivilege.class); + StringBuilder filters = new StringBuilder("this.serverName == \"" + toNULLCol(tPriv.getServerName()) + "\" "); + if (!isNULL(tPriv.getDbName())) { + filters.append("&& this.dbName == \"" + toNULLCol(tPriv.getDbName()) + "\" "); + if (!isNULL(tPriv.getTableName())) { + filters.append("&& this.tableName == \"" + toNULLCol(tPriv.getTableName()) + "\" "); + if (!isNULL(tPriv.getColumnName())) { + filters.append("&& this.columnName == \"" + toNULLCol(tPriv.getColumnName()) + "\" "); + } + } + } + // if db is null, uri is not null + else if (!isNULL(tPriv.getURI())){ + filters.append("&& this.URI == \"" + toNULLCol(tPriv.getURI()) + "\" "); + } + filters.append("&& this.action == \"" + toNULLCol(tPriv.getAction().toLowerCase()) + "\""); + + query.setFilter(filters.toString()); + List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query.execute(); + return privileges; + } + private MSentryPrivilege getMSentryPrivilege(TSentryPrivilege tPriv, PersistenceManager pm) { Query query = pm.newQuery(MSentryPrivilege.class); query.setFilter("this.serverName == \"" + toNULLCol(tPriv.getServerName()) + "\" " + "&& this.dbName == \"" + toNULLCol(tPriv.getDbName()) + "\" " + "&& this.tableName == \"" + toNULLCol(tPriv.getTableName()) + "\" " + + "&& this.columnName == \"" + toNULLCol(tPriv.getColumnName()) + "\" " + "&& this.URI == \"" + toNULLCol(tPriv.getURI()) + "\" " + "&& this.grantOption == grantOption " + "&& this.action == \"" + toNULLCol(tPriv.getAction().toLowerCase()) + "\""); 
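Review bot: getMSentryPrivileges intentionally leaves tableName/columnName unconstrained when tPriv does not set them (a db-level privilege matches every table- and column-level row beneath it) and, unlike the sibling getMSentryPrivilege directly below, puts no constraint on grantOption, but nothing says so and the two names differ by one letter. Add a Javadoc such as `Returns the stored privilege equal to tPriv plus every descendant privilege beneath it, regardless of grant option; used by the rename path to find all affected roles.` Like its sibling it builds the filter by concatenating request-supplied values, so a double quote in a db/table/column/URI name from the Thrift request alters the JDOQL — declared parameters would close that — and `tPriv.getAction().toLowerCase()` throws NullPointerException when action is unset, which the Thrift layer may or may not prevent.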
@@ -786,6 +836,11 @@ public class SentryStore { && !AccessConstants.ALL .equalsIgnoreCase(authHierarchy.getTable())) { filters.append(" && ((tableName == \"" + authHierarchy.getTable().toLowerCase() + "\") || (tableName == \"__NULL__\")) && (URI == \"__NULL__\")"); + if ((authHierarchy.getColumn() != null) + && !AccessConstants.ALL + .equalsIgnoreCase(authHierarchy.getColumn())) { + filters.append(" && ((columnName == \"" + authHierarchy.getColumn().toLowerCase() + "\") || (columnName == \"__NULL__\")) && (URI == \"__NULL__\")"); + } } } if (authHierarchy.getUri() != null) { @@ -932,6 +987,9 @@ public class SentryStore { if ((authHierarchy.getTable() != null) && (authHierarchy.getDb() == null)) { throw new SentryInvalidInputException("dbName cannot be null when tableName is present !!"); } + if ((authHierarchy.getColumn() != null) && (authHierarchy.getTable() == null)) { + throw new SentryInvalidInputException("tableName cannot be null when columnName is present !!"); + } if ((authHierarchy.getUri() == null) && (authHierarchy.getDb() == null)) { throw new SentryInvalidInputException("One of uri or dbName must not be null !!"); } @@ -1091,6 +1149,10 @@ public class SentryStore { if (!isNULL(privilege.getTableName())) { authorizable.add(KV_JOINER.join(AuthorizableType.Table.name().toLowerCase(), privilege.getTableName())); + if (!isNULL(privilege.getColumnName())) { + authorizable.add(KV_JOINER.join(AuthorizableType.Column.name().toLowerCase(), + privilege.getColumnName())); + } } } } else { 
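Review bot: The column clause is only appended when the request names a concrete column, so a table-level lookup (column absent or ALL) also returns column-level rows on that table; that is only safe if the caller compares each returned privilege's own authorizable against the request rather than treating any hit as table access, so note it on the `if ((authHierarchy.getColumn() != null)` line, e.g. `// no column requested: column-scoped rows are returned too and must be narrowed by the caller`. The `tableName cannot be null when columnName is present` validation is the right shape, but confirm it runs before the filter is assembled (the validation hunk is separate from the filter hunk). `authHierarchy.getColumn().toLowerCase()` uses the default locale whereas the write path normalizes via safeTrimLower; using the same helper on both sides keeps stored and queried forms from diverging. The enclosing methods start and end outside these hunks.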
@@ -1174,6 +1236,7 @@ public class SentryStore {
 privilege.setServerName(fromNULLCol(mSentryPrivilege.getServerName()));
 privilege.setDbName(fromNULLCol(mSentryPrivilege.getDbName()));
 privilege.setTableName(fromNULLCol(mSentryPrivilege.getTableName()));
+privilege.setColumnName(fromNULLCol(mSentryPrivilege.getColumnName()));
 privilege.setURI(fromNULLCol(mSentryPrivilege.getURI()));
 if (mSentryPrivilege.getGrantOption() != null) {
 privilege.setGrantOption(TSentryGrantOption.valueOf(mSentryPrivilege.getGrantOption().toString().toUpperCase()));
@@ -1193,6 +1256,7 @@ public class SentryStore {
 mSentryPrivilege.setServerName(toNULLCol(safeTrimLower(privilege.getServerName())));
 mSentryPrivilege.setDbName(toNULLCol(safeTrimLower(privilege.getDbName())));
 mSentryPrivilege.setTableName(toNULLCol(safeTrimLower(privilege.getTableName())));
+mSentryPrivilege.setColumnName(toNULLCol(safeTrimLower(privilege.getColumnName())));
 mSentryPrivilege.setPrivilegeScope(safeTrim(privilege.getPrivilegeScope()));
 mSentryPrivilege.setAction(toNULLCol(safeTrimLower(privilege.getAction())));
 mSentryPrivilege.setCreateTime(System.currentTimeMillis());
@@ -1400,14 +1464,37 @@ public class SentryStore { SentryInvalidInputException { HashSet<MSentryRole> roleSet = Sets.newHashSet(); - MSentryPrivilege mPrivilege = getMSentryPrivilege(tPrivilege, pm); - if (mPrivilege != null) { - roleSet.addAll(ImmutableSet.copyOf((mPrivilege.getRoles()))); + List<MSentryPrivilege> mPrivileges = getMSentryPrivileges(tPrivilege, pm); + if (mPrivileges != null && !mPrivileges.isEmpty()) { + for (MSentryPrivilege mPrivilege : mPrivileges) { + roleSet.addAll(ImmutableSet.copyOf((mPrivilege.getRoles()))); + } } + + MSentryPrivilege parent = getMSentryPrivilege(tPrivilege, pm); for (MSentryRole role : roleSet) { + // 1. get privilege and child privileges + Set<MSentryPrivilege> privilegeGraph = Sets.newHashSet(); + if (parent != null) { + privilegeGraph.add(parent); + populateChildren(Sets.newHashSet(role.getRoleName()), parent, privilegeGraph); + } else { + populateChildren(Sets.newHashSet(role.getRoleName()), convertToMSentryPrivilege(tPrivilege), + privilegeGraph); + } + // 2. revoke privilege and child privileges alterSentryRoleRevokePrivilegeCore(pm, role.getRoleName(), tPrivilege); + // 3. add new privilege and child privileges with new tableName if (newTPrivilege != null) { - alterSentryRoleGrantPrivilegeCore(pm, role.getRoleName(), newTPrivilege); + for (MSentryPrivilege m : privilegeGraph) { + TSentryPrivilege t = convertToTSentryPrivilege(m); + if (newTPrivilege.getPrivilegeScope().equals(PrivilegeScope.DATABASE.name())) { + t.setDbName(newTPrivilege.getDbName()); + } else if (newTPrivilege.getPrivilegeScope().equals(PrivilegeScope.TABLE.name())) { + t.setTableName(newTPrivilege.getTableName()); + } + alterSentryRoleGrantPrivilegeCore(pm, role.getRoleName(), t); + } } } } 
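Review bot: The roles to fix up are collected via getMSentryPrivileges, whose filter (earlier in this file) requires `this.action` to equal tPrivilege's action; if the TSentryPrivilege built from the TSentryAuthorizable at the bottom of this hunk carries a single action (the line that sets it is not visible here), roles holding only SELECT or INSERT on the renamed object are never found, keep privileges bound to the old db/table name, and those stale privileges would apply to whatever is later created under that name. Either iterate the rename over every action or drop the action clause for this lookup, and say which in a comment above the `getMSentryPrivileges` call. Also `newTPrivilege.getPrivilegeScope().equals(...)` throws NullPointerException when scope is unset, and in the TABLE branch the re-granted children take the new tableName but keep their old dbName, which is correct only if a table rename can never move the table across databases — worth stating. The re-grant loop bypasses grantOptionCheck, which is appropriate for a metadata-driven rename but should be noted so it is not copied elsewhere.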
@@ -1418,9 +1505,12 @@ public class SentryStore {
 tSentryPrivilege.setDbName(fromNULLCol(tAuthorizable.getDb()));
 tSentryPrivilege.setServerName(fromNULLCol(tAuthorizable.getServer()));
 tSentryPrivilege.setTableName(fromNULLCol(tAuthorizable.getTable()));
+ tSentryPrivilege.setColumnName(fromNULLCol(tAuthorizable.getColumn()));
 tSentryPrivilege.setURI(fromNULLCol(tAuthorizable.getUri()));
 PrivilegeScope scope;
- if (!isNULL(tSentryPrivilege.getTableName())) {
+ if (!isNULL(tSentryPrivilege.getColumnName())) {
+ scope = PrivilegeScope.COLUMN;
+ } else if (!isNULL(tSentryPrivilege.getTableName())) {
 scope = PrivilegeScope.TABLE;
 } else if (!isNULL(tSentryPrivilege.getDbName())) {
 scope = PrivilegeScope.DATABASE;
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index 39371b7..f5a6c8a 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -55,6 +55,8 @@ import org.slf4j.LoggerFactory;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
@@ -281,57 +283,88 @@ public class SentryPolicyServiceClient { String roleName, String server, String uri) throws SentryUserException { return grantPrivilege(requestorUserName, roleName, - PrivilegeScope.URI, server, uri, null, null, AccessConstants.ALL); + PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL); } public TSentryPrivilege grantURIPrivilege(String requestorUserName, String roleName, String server, String uri, Boolean grantOption) throws SentryUserException { return grantPrivilege(requestorUserName, roleName, - PrivilegeScope.URI, server, uri, null, null, AccessConstants.ALL, grantOption); + PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL, grantOption); } public void grantServerPrivilege(String requestorUserName, String roleName, String server, String action) throws SentryUserException { grantPrivilege(requestorUserName, roleName, - PrivilegeScope.SERVER, server, null, null, null, action); + PrivilegeScope.SERVER, server, null, null, null, null, action); } public TSentryPrivilege grantServerPrivilege(String requestorUserName, String roleName, String server, String action, Boolean grantOption) throws SentryUserException { return grantPrivilege(requestorUserName, roleName, - PrivilegeScope.SERVER, server, null, null, null, action, grantOption); + PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption); } public TSentryPrivilege grantDatabasePrivilege(String requestorUserName, String roleName, String server, String db, String action) throws SentryUserException { return grantPrivilege(requestorUserName, roleName, - PrivilegeScope.DATABASE, server, null, db, null, action); + PrivilegeScope.DATABASE, server, null, db, null, null, action); } public TSentryPrivilege grantDatabasePrivilege(String requestorUserName, String roleName, String server, String db, String action, Boolean grantOption) throws SentryUserException { return grantPrivilege(requestorUserName, roleName, - PrivilegeScope.DATABASE, 
server, null, db, null, action, grantOption); + PrivilegeScope.DATABASE, server, null, db, null, null, action, grantOption); } public TSentryPrivilege grantTablePrivilege(String requestorUserName, String roleName, String server, String db, String table, String action) throws SentryUserException { - return grantPrivilege(requestorUserName, roleName, PrivilegeScope.TABLE, - server, null, db, table, action); + return grantPrivilege(requestorUserName, roleName, PrivilegeScope.TABLE, server, + null, + db, table, null, action); } public TSentryPrivilege grantTablePrivilege(String requestorUserName, String roleName, String server, String db, String table, String action, Boolean grantOption) throws SentryUserException { - return grantPrivilege(requestorUserName, roleName, PrivilegeScope.TABLE, + return grantPrivilege(requestorUserName, roleName, PrivilegeScope.TABLE, server, + null, db, table, null, action, grantOption); + } + + public TSentryPrivilege grantColumnPrivilege(String requestorUserName, + String roleName, String server, String db, String table, String columnName, String action) + throws SentryUserException { + return grantPrivilege(requestorUserName, roleName, PrivilegeScope.COLUMN, server, + null, + db, table, columnName, action); + } + + public TSentryPrivilege grantColumnPrivilege(String requestorUserName, + String roleName, String server, String db, String table, String columnName, String action, Boolean grantOption) + throws SentryUserException { + return grantPrivilege(requestorUserName, roleName, PrivilegeScope.COLUMN, server, + null, db, table, columnName, action, grantOption); + } + + public Set<TSentryPrivilege> grantColumnsPrivileges(String requestorUserName, + String roleName, String server, String db, String table, List<String> columnNames, String action) + throws SentryUserException { + return grantPrivileges(requestorUserName, roleName, PrivilegeScope.COLUMN, server, + null, + db, table, columnNames, action); + } + + public Set<TSentryPrivilege> 
grantColumnsPrivileges(String requestorUserName, + String roleName, String server, String db, String table, List<String> columnNames, String action, Boolean grantOption) + throws SentryUserException { + return grantPrivileges(requestorUserName, roleName, PrivilegeScope.COLUMN, server, - null, db, table, action, grantOption); + null, db, table, columnNames, action, grantOption); } @VisibleForTesting @@ -352,6 +385,9 @@ public class SentryPolicyServiceClient { } else if (authzble.getTypeName().equalsIgnoreCase( DBModelAuthorizable.AuthorizableType.Table.toString())) { tSentryAuthorizable.setTable(authzble.getName()); + } else if (authzble.getTypeName().equalsIgnoreCase( + DBModelAuthorizable.AuthorizableType.Column.toString())) { + tSentryAuthorizable.setColumn(authzble.getName()); } } return tSentryAuthorizable; 
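Review bot: `grantColumnsPrivileges` accepts a null or empty `columnNames` list, and the helper it delegates to then emits a single privilege with `PrivilegeScope.COLUMN` and no column name — in effect a table-wide grant labelled as a column grant, which is the kind of object an authorization check may not anticipate. Since the file already imports `Preconditions`, rejecting the degenerate call at the public entry point is a one-liner in each of the two overloads: `Preconditions.checkArgument(columnNames != null && !columnNames.isEmpty(), "columnNames must not be empty");`. The single-column `grantColumnPrivilege` overloads deserve the same guard for a null `columnName`.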
@@ -360,32 +396,59 @@ public class SentryPolicyServiceClient { private TSentryPrivilege grantPrivilege(String requestorUserName, String roleName, PrivilegeScope scope, String serverName, String uri, String db, - String table, String action) throws SentryUserException { + String table, String column, String action) throws SentryUserException { return grantPrivilege(requestorUserName, roleName, scope, serverName, uri, - db, table, action, false); + db, table, column, action, false); } private TSentryPrivilege grantPrivilege(String requestorUserName, - String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, String action, Boolean grantOption) + String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, + String column, String action, Boolean grantOption) throws SentryUserException { TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest(); request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); request.setRequestorUserName(requestorUserName); request.setRoleName(roleName); - TSentryPrivilege privilege = new TSentryPrivilege(); - privilege.setPrivilegeScope(scope.toString()); - privilege.setServerName(serverName); - privilege.setURI(uri); - privilege.setDbName(db); - privilege.setTableName(table); - privilege.setAction(action); - privilege.setCreateTime(System.currentTimeMillis()); - privilege.setGrantOption(convertTSentryGrantOption(grantOption)); - request.setPrivilege(privilege); + Set<TSentryPrivilege> privileges = convertColumnPrivilege(requestorUserName, scope, + serverName, uri, db, table, column, action, grantOption); + request.setPrivileges(privileges); try { TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request); Status.throwIfNotOk(response.getStatus()); - return response.getPrivilege(); + if (response.isSetPrivileges() + && response.getPrivilegesSize()>0 ) { + return 
response.getPrivileges().iterator().next(); + } else { + return new TSentryPrivilege(); + } + } catch (TException e) { + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); + } + } + + private Set<TSentryPrivilege> grantPrivileges(String requestorUserName, + String roleName, + PrivilegeScope scope, String serverName, String uri, String db, + String table, List<String> columns, String action) throws SentryUserException { + return grantPrivileges(requestorUserName, roleName, scope, serverName, uri, + db, table, columns, action, false); + } + + private Set<TSentryPrivilege> grantPrivileges(String requestorUserName, + String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, + List<String> columns, String action, Boolean grantOption) + throws SentryUserException { + TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest(); + request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); + request.setRequestorUserName(requestorUserName); + request.setRoleName(roleName); + Set<TSentryPrivilege> privileges = convertColumnPrivileges(requestorUserName, scope, + serverName, uri, db, table, columns, action, grantOption); + request.setPrivileges(privileges); + try { + TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request); + Status.throwIfNotOk(response.getStatus()); + return response.getPrivileges(); } catch (TException e) { throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); } 
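Review bot: After a status of OK, `grantPrivilege` returns `new TSentryPrivilege()` whenever the response carries no `privileges`, so a caller that inspects the returned privilege sees an empty object instead of an error; a server that predates this change and only populates the singular `privilege` field would hit exactly that branch (hedged — the old server behaviour is not visible here). The compatibility shim on the server side fills both fields, so the client should mirror it before giving up: `if (response.isSetPrivilege()) { return response.getPrivilege(); }` and then `throw new SentryUserException("Grant succeeded but no privilege was returned");` rather than the empty object. Returning `iterator().next()` from a `Set` is fine for this one-privilege path but would be arbitrary if the request ever carried more than one; a comment saying this overload sends exactly one privilege would document that assumption.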
@@ -395,42 +458,42 @@ public class SentryPolicyServiceClient { String roleName, String server, String uri) throws SentryUserException { revokePrivilege(requestorUserName, roleName, - PrivilegeScope.URI, server, uri, null, null, AccessConstants.ALL); + PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL); } public void revokeURIPrivilege(String requestorUserName, String roleName, String server, String uri, Boolean grantOption) throws SentryUserException { revokePrivilege(requestorUserName, roleName, - PrivilegeScope.URI, server, uri, null, null, AccessConstants.ALL, grantOption); + PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL, grantOption); } public void revokeServerPrivilege(String requestorUserName, String roleName, String server) throws SentryUserException { revokePrivilege(requestorUserName, roleName, - PrivilegeScope.SERVER, server, null, null, null, AccessConstants.ALL); + PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL); } public void revokeServerPrivilege(String requestorUserName, String roleName, String server, Boolean grantOption) throws SentryUserException { revokePrivilege(requestorUserName, roleName, - PrivilegeScope.SERVER, server, null, null, null, AccessConstants.ALL, grantOption); + PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL, grantOption); } public void revokeDatabasePrivilege(String requestorUserName, String roleName, String server, String db, String action) throws SentryUserException { revokePrivilege(requestorUserName, roleName, - PrivilegeScope.DATABASE, server, null, db, null, action); + PrivilegeScope.DATABASE, server, null, db, null, null, action); } public void revokeDatabasePrivilege(String requestorUserName, String roleName, String server, String db, String action, Boolean grantOption) throws SentryUserException { revokePrivilege(requestorUserName, roleName, - PrivilegeScope.DATABASE, server, null, db, null, action, grantOption); + 
PrivilegeScope.DATABASE, server, null, db, null, null, action, grantOption); } public void revokeTablePrivilege(String requestorUserName, @@ -438,7 +501,7 @@ public class SentryPolicyServiceClient { throws SentryUserException { revokePrivilege(requestorUserName, roleName, PrivilegeScope.TABLE, server, null, - db, table, action); + db, table, null, action); } public void revokeTablePrivilege(String requestorUserName, 
@@ -446,38 +509,121 @@ public class SentryPolicyServiceClient { throws SentryUserException { revokePrivilege(requestorUserName, roleName, PrivilegeScope.TABLE, server, null, - db, table, action, grantOption); + db, table, null, action, grantOption); + } + + public void revokeColumnPrivilege(String requestorUserName, String roleName, + String server, String db, String table, String columnName, String action) + throws SentryUserException { + ImmutableList.Builder<String> listBuilder = ImmutableList.builder(); + listBuilder.add(columnName); + revokePrivilege(requestorUserName, roleName, + PrivilegeScope.TABLE, server, null, + db, table, listBuilder.build(), action); + } + + public void revokeColumnPrivilege(String requestorUserName, String roleName, + String server, String db, String table, String columnName, String action, Boolean grantOption) + throws SentryUserException { + ImmutableList.Builder<String> listBuilder = ImmutableList.builder(); + listBuilder.add(columnName); + revokePrivilege(requestorUserName, roleName, + PrivilegeScope.TABLE, server, null, + db, table, listBuilder.build(), action, grantOption); + } + + public void revokeColumnsPrivilege(String requestorUserName, String roleName, + String server, String db, String table, List<String> columns, String action) + throws SentryUserException { + revokePrivilege(requestorUserName, roleName, + PrivilegeScope.TABLE, server, null, + db, table, columns, action); + } + + public void revokeColumnsPrivilege(String requestorUserName, String roleName, + String server, String db, String table, List<String> columns, String action, Boolean grantOption) + throws SentryUserException { + revokePrivilege(requestorUserName, roleName, + PrivilegeScope.TABLE, server, null, + db, table, columns, action, grantOption); } private void revokePrivilege(String requestorUserName, - String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, String action) + String roleName, PrivilegeScope scope, 
String serverName, String uri, + String db, String table, List<String> columns, String action) throws SentryUserException { - this.revokePrivilege(requestorUserName, roleName, scope, serverName, uri, db, table, action, false); + this.revokePrivilege(requestorUserName, roleName, scope, serverName, uri, db, table, columns, action, false); } private void revokePrivilege(String requestorUserName, String roleName, - PrivilegeScope scope, String serverName, String uri, String db, String table, String action, Boolean grantOption) + PrivilegeScope scope, String serverName, String uri, String db, String table, List<String> columns, + String action, Boolean grantOption) throws SentryUserException { TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest(); request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); request.setRequestorUserName(requestorUserName); request.setRoleName(roleName); + Set<TSentryPrivilege> privileges = convertColumnPrivileges(requestorUserName, scope, + serverName, uri, db, table, columns, action, grantOption); + request.setPrivileges(privileges); + try { + TAlterSentryRoleRevokePrivilegeResponse response = client.alter_sentry_role_revoke_privilege(request); + Status.throwIfNotOk(response.getStatus()); + } catch (TException e) { + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); + } + } + + private Set<TSentryPrivilege> convertColumnPrivileges(String requestorUserName, + PrivilegeScope scope, String serverName, String uri, String db, String table, List<String> columns, + String action, Boolean grantOption) { + ImmutableSet.Builder<TSentryPrivilege> setBuilder = ImmutableSet.builder(); + if (columns == null || columns.isEmpty()) { + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope(scope.toString()); + privilege.setServerName(serverName); + privilege.setURI(uri); + privilege.setDbName(db); + privilege.setTableName(table); + 
privilege.setColumnName(null); + privilege.setAction(action); + privilege.setCreateTime(System.currentTimeMillis()); + privilege.setGrantOption(convertTSentryGrantOption(grantOption)); + setBuilder.add(privilege); + } else { + for (String column : columns) { + TSentryPrivilege privilege = new TSentryPrivilege(); + privilege.setPrivilegeScope(scope.toString()); + privilege.setServerName(serverName); + privilege.setURI(uri); + privilege.setDbName(db); + privilege.setTableName(table); + privilege.setColumnName(column); + privilege.setAction(action); + privilege.setCreateTime(System.currentTimeMillis()); + privilege.setGrantOption(convertTSentryGrantOption(grantOption)); + setBuilder.add(privilege); + } + } + return setBuilder.build(); + } + + private Set<TSentryPrivilege> convertColumnPrivilege(String requestorUserName, + PrivilegeScope scope, String serverName, String uri, String db, String table, String column, + String action, Boolean grantOption) { + ImmutableSet.Builder<TSentryPrivilege> setBuilder = ImmutableSet.builder(); TSentryPrivilege privilege = new TSentryPrivilege(); privilege.setPrivilegeScope(scope.toString()); privilege.setServerName(serverName); privilege.setURI(uri); privilege.setDbName(db); privilege.setTableName(table); + privilege.setColumnName(column); privilege.setAction(action); privilege.setCreateTime(System.currentTimeMillis()); privilege.setGrantOption(convertTSentryGrantOption(grantOption)); - request.setPrivilege(privilege); - try { - TAlterSentryRoleRevokePrivilegeResponse response = client.alter_sentry_role_revoke_privilege(request); - Status.throwIfNotOk(response.getStatus()); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } + setBuilder.add(privilege); + return setBuilder.build(); } private TSentryGrantOption convertTSentryGrantOption(Boolean grantOption) { 
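Review bot: The four new `revokeColumnPrivilege`/`revokeColumnsPrivilege` overloads build their request with `PrivilegeScope.TABLE`, whereas the matching grant overloads in this file send `PrivilegeScope.COLUMN`, so the privilege sent for revocation does not describe the one that was granted. Depending on how the store matches privileges (not visible here), that means either the column grant is never found and the revoke is a silent no-op that still returns an OK status, or the request is interpreted as a table-level revoke; both leave the effective access different from what the administrator asked for, and the silent case is the dangerous one for an authorization service. Change the scope argument in those four methods to `PrivilegeScope.COLUMN`. Separately, `convertColumnPrivileges` keeps the caller's scope but sets `columnName` to null when `columns` is empty, so an empty list on a COLUMN-scope call produces a column privilege with no column; rejecting an empty list for COLUMN scope there, or at the public overloads, closes that hole.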
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java index 4774b90..c3dbf78 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java @@ -47,6 +47,7 @@ import org.apache.sentry.provider.db.SentryInvalidInputException; import org.apache.sentry.provider.db.SentryNoSuchObjectException; import org.apache.sentry.provider.db.SentryPolicyStorePlugin; import org.apache.sentry.provider.db.SentryPolicyStorePlugin.SentryPluginException; +import org.apache.sentry.provider.db.log.entity.JsonLogEntity; import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory; import org.apache.sentry.provider.db.log.util.Constants; import org.apache.sentry.provider.db.service.persistent.CommitContext; @@ -55,6 +56,7 @@ import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyS import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties; import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; import org.apache.sentry.service.thrift.ProcessorFactory; +import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants; import org.apache.sentry.service.thrift.Status; import org.apache.sentry.service.thrift.TSentryResponseStatus; import org.apache.thrift.TException; 
@@ -245,10 +247,22 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
 try {
- CommitContext commitContext = sentryStore.alterSentryRoleGrantPrivilege(request.getRequestorUserName(),
- request.getRoleName(), request.getPrivilege());
+ // There should only one field be set
+ if ( !(request.isSetPrivileges()^request.isSetPrivilege()) ) {
+ throw new SentryUserException("SENTRY API version is not right!");
+ }
+ // Maintain compatibility for old API: Set privilege field to privileges field
+ if (request.isSetPrivilege()) {
+ request.setPrivileges(Sets.newHashSet(request.getPrivilege()));
+ }
+ CommitContext commitContext = sentryStore.alterSentryRoleGrantPrivileges(request.getRequestorUserName(),
+ request.getRoleName(), request.getPrivileges());
 response.setStatus(Status.OK());
- response.setPrivilege(request.getPrivilege());
+ response.setPrivileges(request.getPrivileges());
+ // Maintain compatibility for old API: Set privilege field to response
+ if (response.isSetPrivileges() && response.getPrivileges().size() == 1) {
+ response.setPrivilege(response.getPrivileges().iterator().next());
+ }
 notificationHandlerInvoker.alter_sentry_role_grant_privilege(commitContext, request, response);
 for (SentryPolicyStorePlugin plugin : sentryPlugins) {
@@ -273,8 +287,11 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 timerContext.stop();
 }
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
- request, response, conf).toJsonFormatLog());
+ Set<JsonLogEntity> jsonLogEntitys = JsonLogEntityFactory.getInstance().createJsonLogEntitys(
+ request, response, conf);
+ for (JsonLogEntity jsonLogEntity : jsonLogEntitys) {
+ AUDIT_LOGGER.info(jsonLogEntity.toJsonFormatLog());
+ }
 return response;
 }
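Review bot: The XOR check accepts a request whose `privileges` field is set but empty; such a request reaches `alterSentryRoleGrantPrivileges` with nothing to grant, is answered with `Status.OK()`, and because the audit loop later in this method iterates the same empty set it leaves no audit record at all. Add `if (request.getPrivileges().isEmpty()) { throw new SentryUserException("No privilege in request"); }` after the compatibility copy so an OK status always corresponds to at least one grant and one audit line. The catch block that turns the `SentryUserException` from the version check into a response status is outside this hunk, so I could not confirm the malformed-request path yields a non-OK status.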
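Review bot: Audit output here depends entirely on what `createJsonLogEntitys` derives from the request, and a request rejected by the privilege/privileges check earlier in this method never has `privileges` populated; if the factory builds one entry per privilege, as the per-entity loop suggests, a rejected grant produces no audit line even though the response carries an error status. Failed authorization changes are precisely the events an auditor needs, so consider having the factory emit one entry carrying the response status when the request has no privileges, so that every call leaves a trace. A comment above the loop, `// one audit line per requested privilege; requests with no privileges log nothing`, would at least make the current gap explicit.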
@@ -284,8 +301,16 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 final Timer.Context timerContext = sentryMetrics.revokeTimer.time();
 TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse();
 try {
- CommitContext commitContext = sentryStore.alterSentryRoleRevokePrivilege(request.getRequestorUserName(),
- request.getRoleName(), request.getPrivilege());
+ // There should only one field be set
+ if ( !(request.isSetPrivileges()^request.isSetPrivilege()) ) {
+ throw new SentryUserException("SENTRY API version is not right!");
+ }
+ // Maintain compatibility for old API: Set privilege field to privileges field
+ if (request.isSetPrivilege()) {
+ request.setPrivileges(Sets.newHashSet(request.getPrivilege()));
+ }
+ CommitContext commitContext = sentryStore.alterSentryRoleRevokePrivileges(request.getRequestorUserName(),
+ request.getRoleName(), request.getPrivileges());
 response.setStatus(Status.OK());
 notificationHandlerInvoker.alter_sentry_role_revoke_privilege(commitContext, request, response);
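Review bot: An empty `privileges` set passes the XOR check on the revoke path, so a request that names no privilege is answered with `Status.OK()` while nothing is revoked — a failed revocation reported as success, which is the worse direction for an authorization service because the caller stops trying. Add `if (request.getPrivileges().isEmpty()) { throw new SentryUserException("No privilege in request"); }` after the compatibility copy. The message `"SENTRY API version is not right!"` is also shown when a client sets both fields, which is not a version problem; `"Exactly one of privilege/privileges must be set"` describes the actual condition.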
@@ -293,13 +318,25 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 plugin.onAlterSentryRoleRevokePrivilege(request);
 }
 } catch (SentryNoSuchObjectException e) {
- String msg = "Privilege: [server=" + request.getPrivilege().getServerName() +
- ",db=" + request.getPrivilege().getDbName() +
- ",table=" + request.getPrivilege().getTableName() +
- ",URI=" + request.getPrivilege().getURI() +
- ",action=" + request.getPrivilege().getAction() + "] doesn't exist.";
- LOGGER.error(msg, e);
- response.setStatus(Status.NoSuchObject(msg, e));
+ StringBuilder msg = new StringBuilder();
+ if (request.getPrivileges().size() > 0) {
+ for (TSentryPrivilege privilege : request.getPrivileges()) {
+ msg.append("Privilege: [server=");
+ msg.append(privilege.getServerName());
+ msg.append(",db=");
+ msg.append(privilege.getDbName());
+ msg.append(",table=");
+ msg.append(privilege.getTableName());
+ msg.append(",URI=");
+ msg.append(privilege.getURI());
+ msg.append(",action=");
+ msg.append(privilege.getAction());
+ msg.append("] ");
+ }
+ msg.append("doesn't exist.");
+ }
+ LOGGER.error(msg.toString(), e);
+ response.setStatus(Status.NoSuchObject(msg.toString(), e));
 } catch (SentryInvalidInputException e) {
 String msg = "Invalid input privilege object";
 LOGGER.error(msg, e);
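Review bot: The rebuilt NoSuchObject message still lists only server, db, table, URI and action, so for a column-scope revoke — the case this commit introduces — the operator cannot see which column failed to match; add `msg.append(",column="); msg.append(privilege.getColumnName());` after the table field. With several privileges in the request the text reads `Privilege: [...] Privilege: [...] doesn't exist.`, which does not say whether one or all of them were missing; since the exception is raised for the set as a whole, a leading `"One or more of "` makes that clear. The enclosing method starts before this hunk.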
@@ -315,8 +352,11 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 timerContext.stop();
 }
- AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
- request, response, conf).toJsonFormatLog());
+ Set<JsonLogEntity> jsonLogEntitys = JsonLogEntityFactory.getInstance().createJsonLogEntitys(
+ request, response, conf);
+ for (JsonLogEntity jsonLogEntity : jsonLogEntitys) {
+ AUDIT_LOGGER.info(jsonLogEntity.toJsonFormatLog());
+ }
 return response;
 }
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.derby.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.derby.sql b/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.derby.sql
new file mode 100644
index 0000000..b82e97f
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.derby.sql
@@ -0,0 +1,4 @@
+-- SENTRY-74
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD COLUMN COLUMN_NAME VARCHAR(4000);
+DROP INDEX SENTRYPRIVILEGENAME;
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.mysql.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.mysql.sql b/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.mysql.sql
new file mode 100644
index 0000000..c475a2c
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.mysql.sql
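Review bot: The upgrade script adds `COLUMN_NAME` with no backfill, so every privilege row that existed before the upgrade carries SQL NULL in the new column, while the Java side (`fromNULLCol`/`isNULL` in `SentryStore`) appears to represent an absent column with a sentinel string rather than NULL. If lookups compare the column field against that sentinel, privileges granted before the upgrade will not be found by the new revoke and rename code, and an equivalent re-grant would insert a second row because the rebuilt unique index treats NULL and the sentinel as different values. An `UPDATE SENTRY_DB_PRIVILEGE SET COLUMN_NAME = <sentinel> WHERE COLUMN_NAME IS NULL`, using the exact value `fromNULLCol` writes, belongs in this and the other three upgrade scripts; I could not confirm the sentinel string from this page, so the value must be taken from the code. A `-- existing rows: absent column is stored as the sentinel, not NULL` comment would record why the backfill is there.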
@@ -0,0 +1,4 @@
+-- SENTRY-74
+ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD `COLUMN_NAME` VARCHAR(128) DEFAULT NULL;
+ALTER TABLE `SENTRY_DB_PRIVILEGE` DROP INDEX `SENTRY_DB_PRIV_PRIV_NAME_UNIQ`;
+ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.oracle.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.oracle.sql b/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.oracle.sql
new file mode 100644
index 0000000..a78b76f
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.oracle.sql
@@ -0,0 +1,4 @@
+-- SENTRY-74
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD COLUMN_NAME VARCHAR2(128) DEFAULT NULL;
+ALTER TABLE SENTRY_DB_PRIVILEGE DROP CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ";
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION");
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.postgres.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.postgres.sql b/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.postgres.sql
new file mode 100644
index 0000000..74ed9c3
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/resources/004-SENTRY-74.postgres.sql
@@ -0,0 +1,4 @@
+-- SENTRY-74
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD COLUMN COLUMN_NAME character varying(128) DEFAULT NULL;
+ALTER TABLE SENTRY_DB_PRIVILEGE DROP CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ";
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION");
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql
index 4c5ae39..171adec 100644
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.5.0.sql
@@ -24,6 +24,7 @@ CREATE TABLE SENTRY_DB_PRIVILEGE
 PRIVILEGE_SCOPE VARCHAR(40),
 "SERVER_NAME" VARCHAR(4000),
 "TABLE_NAME" VARCHAR(4000),
+ "COLUMN_NAME" VARCHAR(4000),
 WITH_GRANT_OPTION CHAR(1) NOT NULL
 );
@@ -78,7 +79,7 @@ CREATE TABLE "SENTRY_VERSION" ( ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID); -- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege] -CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME",URI,"ACTION",WITH_GRANT_OPTION); +CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION); -- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole] http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql index 4c5ae39..171adec 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.5.0.sql @@ -24,6 +24,7 @@ CREATE TABLE SENTRY_DB_PRIVILEGE PRIVILEGE_SCOPE VARCHAR(40), "SERVER_NAME" VARCHAR(4000), "TABLE_NAME" VARCHAR(4000), + "COLUMN_NAME" VARCHAR(4000), WITH_GRANT_OPTION CHAR(1) NOT NULL ); 
@@ -78,7 +79,7 @@ CREATE TABLE "SENTRY_VERSION" ( ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID); -- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege] -CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME",URI,"ACTION",WITH_GRANT_OPTION); +CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION); -- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole] http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql index bc0d0d8..01cd60d 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.5.0.sql @@ -31,6 +31,7 @@ CREATE TABLE `SENTRY_DB_PRIVILEGE` ( `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL, `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL, `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL, + `COLUMN_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL, `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT NULL, `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL, `CREATE_TIME` BIGINT NOT NULL, 
@@ -80,7 +81,7 @@ ALTER TABLE `SENTRY_VERSION` ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`); ALTER TABLE `SENTRY_DB_PRIVILEGE` - ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`); + ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`); ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`); @@ -92,6 +93,9 @@ ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`); ALTER TABLE `SENTRY_DB_PRIVILEGE` + ADD INDEX `SENTRY_PRIV_COL_IDX` (`COLUMN_NAME`); + +ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD INDEX `SENTRY_PRIV_URI_IDX` (`URI`); ALTER TABLE `SENTRY_ROLE` http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql index 5d8336c..5ff0081 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.5.0.sql @@ -19,6 +19,7 @@ CREATE TABLE "SENTRY_DB_PRIVILEGE" ( "SERVER_NAME" VARCHAR2(128) NOT NULL, "DB_NAME" VARCHAR2(128) NULL, "TABLE_NAME" VARCHAR2(128) NULL, + "COLUMN_NAME" VARCHAR2(128) NULL, "URI" VARCHAR2(4000) NULL, "ACTION" VARCHAR2(128) NOT NULL, "CREATE_TIME" NUMBER NOT NULL, 
@@ -67,7 +68,7 @@ ALTER TABLE "SENTRY_GROUP" ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID"); ALTER TABLE "SENTRY_DB_PRIVILEGE" - ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","URI","ACTION","WITH_GRANT_OPTION"); + ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION"); CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME"); @@ -75,6 +76,8 @@ CREATE INDEX "SENTRY_DB_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("DB_NAME"); CREATE INDEX "SENTRY_TBL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("TABLE_NAME"); +CREATE INDEX "SENTRY_COL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("COLUMN_NAME"); + CREATE INDEX "SENTRY_URI_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("URI"); ALTER TABLE "SENTRY_ROLE" http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql index 24cac98..c451e33 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.5.0.sql @@ -31,6 +31,7 @@ CREATE TABLE "SENTRY_DB_PRIVILEGE" ( "SERVER_NAME" character varying(128) NOT NULL, "DB_NAME" character varying(128) DEFAULT NULL::character varying, "TABLE_NAME" character varying(128) DEFAULT NULL::character varying, + "COLUMN_NAME" character varying(128) DEFAULT NULL::character varying, "URI" character varying(4000) DEFAULT NULL::character varying, "ACTION" character varying(128) NOT NULL, "CREATE_TIME" BIGINT NOT NULL, 
@@ -80,7 +81,7 @@ ALTER TABLE ONLY "SENTRY_GROUP" ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID"); ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE" - ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","URI", "ACTION","WITH_GRANT_OPTION"); + ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION"); CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME"); @@ -88,6 +89,8 @@ CREATE INDEX "SENTRY_PRIV_DB_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("DB_NAME CREATE INDEX "SENTRY_PRIV_TBL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("TABLE_NAME"); +CREATE INDEX "SENTRY_PRIV_COL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("COLUMN_NAME"); + CREATE INDEX "SENTRY_PRIV_URI_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("URI"); ALTER TABLE ONLY "SENTRY_ROLE" http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql index 866b22f..aa94ad1 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.4.0-to-1.5.0.sql 
@@ -14,5 +14,10 @@ ALTER TABLE `SENTRY_GROUP` DROP `GRANTOR_PRINCIPAL`; ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` ADD `GRANTOR_PRINCIPAL` VARCHAR(128); ALTER TABLE `SENTRY_ROLE_GROUP_MAP` ADD `GRANTOR_PRINCIPAL` VARCHAR(128); +-- SENTRY-74 +ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD `COLUMN_NAME` CHAR(4000); +DROP INDEX SENTRYPRIVILEGENAME; +CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION); + -- Version update UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql index 027f45b..2499bd7 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.4.0-to-1.5.0.sql @@ -1,5 +1,7 @@ RUN '001-SENTRY-327.derby.sql'; RUN '002-SENTRY-339.derby.sql'; RUN '003-SENTRY-380.derby.sql'; +RUN '004-SENTRY-74.derby.sql'; + -- Version update UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql ---------------------------------------------------------------------- 
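Review bot: The upgrade adds the column as `CHAR(4000)` while the MySQL, Oracle and PostgreSQL 1.5.0 schemas in this diff declare `COLUMN_NAME` as a 128-character VARCHAR; DB2 limits `CHAR` to 254 bytes, so this statement is likely to be rejected outright, and even if it were widened a fixed-width column is blank-padded, so comparisons and the rebuilt `SENTRYPRIVILEGENAME` unique index would behave differently from the other backends. Suggest ``ALTER TABLE `SENTRY_DB_PRIVILEGE` ADD `COLUMN_NAME` VARCHAR(128);``, matched to whatever the DB2 1.5.0 create script (not in this view) declares, so that upgraded and fresh installs end up with the same type. A 4000-byte fixed-width key column would also inflate the unique index recreated two lines later.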
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql index 95247d1..3fc90f3 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.4.0-to-1.5.0.sql @@ -2,6 +2,7 @@ SELECT 'Upgrading Sentry store schema from 1.4.0 to 1.5.0' AS ' '; SOURCE 001-SENTRY-327.mysql.sql; SOURCE 002-SENTRY-339.mysql.sql; SOURCE 003-SENTRY-380.mysql.sql; +SOURCE 004-SENTRY-74.mysql.sql; UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1; SELECT 'Finish upgrading Sentry store schema from 1.4.0 to 1.5.0' AS ' '; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql index 6195fc8..ded813d 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.4.0-to-1.5.0.sql 
@@ -2,6 +2,7 @@ SELECT 'Upgrading Sentry store schema from 1.4.0 to 1.5.0' AS Status from dual; @001-SENTRY-327.oracle.sql; @002-SENTRY-339.oracle.sql; @003-SENTRY-380.oracle.sql; [email protected]; UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1; SELECT 'Finished upgrading Sentry store schema from 1.4.0 to 1.5.0' AS Status from dual; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql index 0e48f21..2fbd2ca 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.4.0-to-1.5.0.sql @@ -2,6 +2,7 @@ SELECT 'Upgrading Sentry store schema from 1.4.0 to 1.5.0'; \i 001-SENTRY-327.postgres.sql; \i 002-SENTRY-339.postgres.sql; \i 003-SENTRY-380.postgres.sql; +\i 004-SENTRY-74.postgres.sql; UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.5.0', VERSION_COMMENT='Sentry release version 1.5.0' WHERE VER_ID=1; SELECT 'Finished upgrading Sentry store schema from 1.4.0 to 1.5.0'; http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift index 7e6ade5..993ea46 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift 
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift @@ -49,6 +49,7 @@ struct TSentryPrivilege { 7: required string action = "", 8: optional i64 createTime, # Set on server side 9: optional TSentryGrantOption grantOption = TSentryGrantOption.FALSE +10: optional string columnName = "", } # TODO can this be deleted? it's not adding value to TAlterSentryRoleAddGroupsRequest @@ -104,11 +105,13 @@ struct TAlterSentryRoleGrantPrivilegeRequest { 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, 2: required string requestorUserName, # user on whose behalf the request is issued 3: required string roleName, -5: required TSentryPrivilege privilege +5: optional TSentryPrivilege privilege, +6: optional set<TSentryPrivilege> privileges } struct TAlterSentryRoleGrantPrivilegeResponse { 1: required sentry_common_service.TSentryResponseStatus status 2: optional TSentryPrivilege privilege +3: optional set<TSentryPrivilege> privileges } # REVOKE ... ON ... FROM ROLE ... @@ -116,7 +119,8 @@ struct TAlterSentryRoleRevokePrivilegeRequest { 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1, 2: required string requestorUserName, # user on whose behalf the request is issued 3: required string roleName, -5: required TSentryPrivilege privilege +5: optional TSentryPrivilege privilege, +6: optional set<TSentryPrivilege> privileges } struct TAlterSentryRoleRevokePrivilegeResponse { 1: required sentry_common_service.TSentryResponseStatus status @@ -144,6 +148,7 @@ struct TSentryAuthorizable { 2: optional string uri, 3: optional string db, 4: optional string table, +5: optional string column, } # SHOW GRANT http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java ---------------------------------------------------------------------- 
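Review bot: The new field `10: optional string columnName = "",` carries no comment saying when it is populated or what the empty default means, although the matching `COLUMN_NAME` DB column added in this commit is nullable, so a reader cannot tell whether `""` and NULL both mean "not column-scoped". Suggest annotating it like the neighbouring `createTime` field, e.g. `10: optional string columnName = "",  # set only for column-level privileges; empty means not column-scoped` — please confirm that wording against the server-side mapping, which is not in this diff.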
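Review bot: `TAlterSentryRoleGrantPrivilegeRequest` (and the revoke request in the next hunk) now has two optional carriers for the privilege, `5: optional TSentryPrivilege privilege` and `6: optional set<TSentryPrivilege> privileges`, so a request that sets neither, or both, is wire-valid and the IDL does not say which wins. The server handler, not in this diff, should reject a request that sets neither and define precedence when both are set — an authorization-changing RPC must not silently do nothing, or grant from one field while auditing the other. Since the field V1 clients send as required is now optional and the response gains `3: optional set<TSentryPrivilege> privileges`, consider whether `protocol_version` should move past `TSENTRY_SERVICE_V1` so the server can tell which shape a client expects; at minimum add `# exactly one of privilege / privileges must be set; privileges takes precedence` next to field 6 in both request structs.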
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java index cd0a435..95b51e9 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java @@ -31,7 +31,7 @@ public class TestAuditMetadataLogEntity extends TestCase { public void testToJsonFormatLog() throws Throwable { AuditMetadataLogEntity amle = new AuditMetadataLogEntity("serviceName", "userName", "impersonator", "ipAddress", "operation", "eventTime", - "operationText", "allowed", "databaseName", "tableName", + "operationText", "allowed", "databaseName", "tableName", "columnName", "resourcePath", "objectType"); String jsonAuditLog = amle.toJsonFormatLog(); ContainerNode rootNode = AuditMetadataLogEntity.parse(jsonAuditLog); @@ -48,6 +48,7 @@ public class TestAuditMetadataLogEntity extends TestCase { assertEntryEquals(rootNode, Constants.LOG_FIELD_DATABASE_NAME, "databaseName"); assertEntryEquals(rootNode, Constants.LOG_FIELD_TABLE_NAME, "tableName"); + assertEntryEquals(rootNode, Constants.LOG_FIELD_COLUMN_NAME, "columnName"); assertEntryEquals(rootNode, Constants.LOG_FIELD_RESOURCE_PATH, "resourcePath"); assertEntryEquals(rootNode, Constants.LOG_FIELD_OBJECT_TYPE, "objectType"); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/13e83d6e/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java index fc9c716..bce4717 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java @@ -20,6 +20,7 @@ package org.apache.sentry.provider.db.log.entity; import static junit.framework.Assert.assertEquals; +import java.util.HashSet; import java.util.LinkedHashSet; import java.util.Set; @@ -28,6 +29,7 @@ import org.apache.log4j.Logger; import org.apache.sentry.core.model.db.AccessConstants; import org.apache.sentry.provider.db.log.util.CommandUtil; import org.apache.sentry.provider.db.log.util.Constants; +import org.apache.sentry.provider.db.service.model.MSentryPrivilege; import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest; import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsResponse; import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest; @@ -48,6 +50,8 @@ import org.apache.sentry.service.thrift.Status; import org.junit.BeforeClass; import org.junit.Test; +import com.google.common.collect.Sets; + public class TestJsonLogEntityFactory { private static Configuration conf; 
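Review bot: `import java.util.HashSet;` added in this hunk, and `import org.apache.sentry.provider.db.service.model.MSentryPrivilege;` added in the following one, are not referenced by any test code changed in this diff, which builds its sets with `Sets.newHashSet()`. If the rest of the file (not in this view) does not use them either, drop both rather than leaving unused imports in the test.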
@@ -122,10 +126,18 @@ public class TestJsonLogEntityFactory { TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.DATABASE.name(), TEST_DATABASE_NAME, null, null, null); - request.setPrivilege(privilege); + Set<TSentryPrivilege> privileges = Sets.newHashSet(); + privileges.add(privilege); + request.setPrivileges(privileges); response.setStatus(Status.OK()); - AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory - .getInstance().createJsonLogEntity(request, response, conf); + AuditMetadataLogEntity amle = new AuditMetadataLogEntity(); + Set<JsonLogEntity> amles = JsonLogEntityFactory + .getInstance().createJsonLogEntitys(request, response, conf); + assertEquals(amles.size(),1); + for (JsonLogEntity amle1 : amles) { + amle = (AuditMetadataLogEntity) amle1; + break; + } assertCommon(amle, Constants.TRUE, Constants.OPERATION_GRANT_PRIVILEGE, "GRANT ALL ON DATABASE testDB TO ROLE testRole", TEST_DATABASE_NAME, null, null, Constants.OBJECT_TYPE_PRINCIPAL); @@ -133,10 +145,17 @@ public class TestJsonLogEntityFactory { privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(), null, TEST_TABLE_NAME, null, null); - request.setPrivilege(privilege); + privileges = Sets.newHashSet(); + privileges.add(privilege); + request.setPrivileges(privileges); response.setStatus(Status.InvalidInput("", null)); - amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance() - .createJsonLogEntity(request, response, conf); + amles = JsonLogEntityFactory.getInstance() + .createJsonLogEntitys(request, response, conf); + assertEquals(amles.size(),1); + for (JsonLogEntity amle1 : amles) { + amle = (AuditMetadataLogEntity) amle1; + break; + } assertCommon(amle, Constants.FALSE, Constants.OPERATION_GRANT_PRIVILEGE, "GRANT ALL ON TABLE testTable TO ROLE testRole", null, TEST_TABLE_NAME, null, Constants.OBJECT_TYPE_PRINCIPAL); 
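Review bot: `assertEquals(amles.size(),1)` passes the actual value first; the statically imported `junit.framework.Assert.assertEquals` is `(expected, actual)`, so a failure would print the two numbers swapped — use `assertEquals(1, amles.size());` in both hunks. The `for (JsonLogEntity amle1 : amles) { amle = ...; break; }` idiom for reading the single element can be `amle = (AuditMetadataLogEntity) amles.iterator().next();`, which also removes the placeholder `new AuditMetadataLogEntity()` that is immediately overwritten. Both cases build a one-element set, so although the request now takes a set and the factory now returns one, a request carrying several privileges is never exercised here.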
@@ -152,10 +171,18 @@ public class TestJsonLogEntityFactory { TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.DATABASE.name(), TEST_DATABASE_NAME, null, null, null); - request.setPrivilege(privilege); + Set<TSentryPrivilege> privileges = Sets.newHashSet(); + privileges.add(privilege); + request.setPrivileges(privileges); response.setStatus(Status.OK()); - AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory - .getInstance().createJsonLogEntity(request, response, conf); + AuditMetadataLogEntity amle = new AuditMetadataLogEntity(); + Set<JsonLogEntity> amles = JsonLogEntityFactory + .getInstance().createJsonLogEntitys(request, response, conf); + assertEquals(amles.size(),1); + for (JsonLogEntity amle1 : amles) { + amle = (AuditMetadataLogEntity) amle1; + break; + } assertCommon(amle, Constants.TRUE, Constants.OPERATION_REVOKE_PRIVILEGE, "REVOKE ALL ON DATABASE testDB FROM ROLE testRole", TEST_DATABASE_NAME, null, null, Constants.OBJECT_TYPE_PRINCIPAL); @@ -163,10 +190,17 @@ public class TestJsonLogEntityFactory { privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(), null, TEST_TABLE_NAME, null, null); - request.setPrivilege(privilege); + privileges = Sets.newHashSet(); + privileges.add(privilege); + request.setPrivileges(privileges); response.setStatus(Status.InvalidInput("", null)); - amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance() - .createJsonLogEntity(request, response, conf); + amles = JsonLogEntityFactory.getInstance() + .createJsonLogEntitys(request, response, conf); + assertEquals(amles.size(),1); + for (JsonLogEntity amle1 : amles) { + amle = (AuditMetadataLogEntity) amle1; + break; + } assertCommon(amle, Constants.FALSE, Constants.OPERATION_REVOKE_PRIVILEGE, "REVOKE ALL ON TABLE testTable FROM ROLE testRole", null, TEST_TABLE_NAME, null, Constants.OBJECT_TYPE_PRINCIPAL);
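Review bot: Both revoke cases, like the grant cases above, only ever set `request.setPrivileges(...)` with one element and never the legacy single `privilege` field, which the Thrift change in this commit keeps as an optional alternative; a case that calls only `request.setPrivilege(privilege)` and asserts on `amles.size()` would show whether requests from older clients are still audited at all. A second case with two privileges in the set, asserting `assertEquals(2, amles.size());`, would cover the new multi-privilege shape, and the `assertEquals(amles.size(),1)` calls here have expected and actual reversed as well. Neither case involves column scope even though this commit adds `columnName`; if `assertCommon` (signature not in this view) has no column parameter, consider adding a column-scoped privilege case so the new audit field is checked.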
