SENTRY-821: Add thrift protocol version check for generic model (Dapeng Sun, reviewed by Guoquan Shen)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/4622aa4b Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/4622aa4b Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/4622aa4b Branch: refs/heads/hive_plugin_v2 Commit: 4622aa4bd946a9cfcc9fe21740c00c87d0fca9b4 Parents: 92cde11 Author: Sun Dapeng <[email protected]> Authored: Thu Jul 30 09:14:51 2015 +0800 Committer: Sun Dapeng <[email protected]> Committed: Thu Jul 30 09:15:03 2015 +0800 ---------------------------------------------------------------------- .../thrift/SentryGenericPolicyProcessor.java | 28 +++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4622aa4b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java ----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
index 62f36b4..94049d8 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java
@@ -34,6 +34,7 @@ import org.apache.sentry.provider.db.SentryAccessDeniedException;
 import org.apache.sentry.provider.db.SentryAlreadyExistsException;
 import org.apache.sentry.provider.db.SentryInvalidInputException;
 import org.apache.sentry.provider.db.SentryNoSuchObjectException;
+import org.apache.sentry.provider.db.SentryThriftAPIMismatchException;
 import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject;
 import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer;
 import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
@@ -42,6 +43,8 @@ import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants;
 import org.apache.sentry.provider.db.service.thrift.SentryConfigurationException;
 import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor;
 import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
+import org.apache.sentry.service.thrift.ServiceConstants;
 import org.apache.sentry.service.thrift.Status;
 import org.apache.sentry.service.thrift.TSentryResponseStatus;
 import org.apache.thrift.TException;
@@ -184,6 +187,9 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.
 String msg = "Invalid input privilege object";
 LOGGER.error(msg, e);
 response.status = Status.InvalidInput(msg, e);
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.status = Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e);
 } catch (Exception e) {
 String msg = "Unknown error:" + e.getMessage();
 LOGGER.error(msg, e);
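Review bot: The new `catch (SentryThriftAPIMismatchException e)` branch logs at ERROR with the full stack trace for a condition any caller can trigger simply by sending a different `protocol_version`, so an outdated or misconfigured client that keeps retrying will fill the server log with traces. Logging only the message at a lower level, `LOGGER.warn(e.getMessage());`, keeps the signal without the noise. The exception object is also handed to `Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)`; if that helper copies the stack trace into the response (its body is not in this diff), the client receives server internals it does not need. The enclosing try block starts outside the hunk.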
@@ -279,6 +285,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. Response<Void> respose = requestHandle(new RequestHandler<Void>() { @Override public Response<Void> handle() throws Exception { + validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(conf, request.getRequestorUserName())); CommitContext context = store.createRole(request.getComponent(), request.getRoleName(), request.getRequestorUserName()); @@ -299,6 +306,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. Response<Void> respose = requestHandle(new RequestHandler<Void>() { @Override public Response<Void> handle() throws Exception { + validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(conf, request.getRequestorUserName())); CommitContext context = store.dropRole(request.getComponent(), request.getRoleName(), request.getRequestorUserName()); @@ -319,6 +327,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. Response<Void> respose = requestHandle(new RequestHandler<Void>() { @Override public Response<Void> handle() throws Exception { + validateClientVersion(request.getProtocol_version()); CommitContext context = store.alterRoleGrantPrivilege(request.getComponent(), request.getRoleName(), toPrivilegeObject(request.getPrivilege()), request.getRequestorUserName()); @@ -339,6 +348,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. Response<Void> respose = requestHandle(new RequestHandler<Void>() { @Override public Response<Void> handle() throws Exception { + validateClientVersion(request.getProtocol_version()); CommitContext context = store.alterRoleRevokePrivilege(request.getComponent(), request.getRoleName(), toPrivilegeObject(request.getPrivilege()), request.getRequestorUserName()); 
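Review bot: `validateClientVersion(request.getProtocol_version())` is pasted by hand as the first statement of each anonymous `handle()` body, here and in the hunks at -299, -319, -339, -348, -359, -381, -403, -438, -469, -491 and -513, so an RPC added later that omits the call will skip the version check with no compile-time signal. Consider validating once in the shared wrapper instead, for example `requestHandle(request.getProtocol_version(), new RequestHandler<Void>() { ... })`, assuming `requestHandle` is the method that owns the catch chain changed earlier in this diff. If the per-handler form stays, keep the call as the first statement, ahead of `authorize(...)` and any `store` access, so a mismatched client is rejected before group lookup or persistence work. Each handler body continues outside its hunk.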
@@ -359,6 +369,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. Response<Void> respose = requestHandle(new RequestHandler<Void>() { @Override public Response<Void> handle() throws Exception { + validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(conf, request.getRequestorUserName())); CommitContext context = store.alterRoleAddGroups( @@ -381,6 +392,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. Response<Void> respose = requestHandle(new RequestHandler<Void>() { @Override public Response<Void> handle() throws Exception { + validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(conf, request.getRequestorUserName())); CommitContext context = store.alterRoleDeleteGroups( @@ -403,6 +415,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. Response<Set<TSentryRole>> respose = requestHandle(new RequestHandler<Set<TSentryRole>>() { @Override public Response<Set<TSentryRole>> handle() throws Exception { + validateClientVersion(request.getProtocol_version()); Set<String> groups = getRequestorGroups(conf, request.getRequestorUserName()); if (AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) { //check all groups which requestorUserName belongs to @@ -438,6 +451,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. Response<Set<TSentryPrivilege>> respose = requestHandle(new RequestHandler<Set<TSentryPrivilege>>() { @Override public Response<Set<TSentryPrivilege>> handle() throws Exception { + validateClientVersion(request.getProtocol_version()); Set<String> groups = getRequestorGroups(conf, request.getRequestorUserName()); if (!inAdminGroups(groups)) { Set<String> roleNamesForGroups = toTrimedLower(store.getRolesByGroups(request.getComponent(), groups)); 
@@ -469,6 +483,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. Response<Set<String>> respose = requestHandle(new RequestHandler<Set<String>>() { @Override public Response<Set<String>> handle() throws Exception { + validateClientVersion(request.getProtocol_version()); Set<String> activeRoleNames = toTrimedLower(request.getRoleSet().getRoles()); Set<String> roleNamesForGroups = store.getRolesByGroups(request.getComponent(), request.getGroups()); Set<String> rolesToQuery = request.getRoleSet().isAll() ? roleNamesForGroups : Sets.intersection(activeRoleNames, roleNamesForGroups); @@ -491,6 +506,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. Response<Void> respose = requestHandle(new RequestHandler<Void>() { @Override public Response<Void> handle() throws Exception { + validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(conf, request.getRequestorUserName())); CommitContext context = store.dropPrivilege(request.getComponent(), @@ -513,6 +529,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. Response<Void> respose = requestHandle(new RequestHandler<Void>() { @Override public Response<Void> handle() throws Exception { + validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(conf, request.getRequestorUserName())); CommitContext context = store.renamePrivilege(request.getComponent(), request.getServiceName(), 
@@ -555,4 +572,13 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. private interface RequestHandler <T>{ public Response<T> handle() throws Exception ; } -} \ No newline at end of file + + private static void validateClientVersion(int protocol_version) throws SentryThriftAPIMismatchException { + if (ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT != protocol_version) { + String msg = "Sentry thrift API protocol version mismatch: Client thrift version " + + "is: " + protocol_version + " , server thrift verion " + + "is " + ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT; + throw new SentryThriftAPIMismatchException(msg); + } + } +}
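Review bot: The message built in `validateClientVersion` contains a typo and a stray space, `" , server thrift verion "`, which should read `", server thrift version "`; this text is not only logged but also set on the response status by the catch branch added earlier in this diff, so callers see it. The constant is written as `ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT` in the condition and as `ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT` in the message; using the short form in both places would make the added `import org.apache.sentry.service.thrift.ServiceConstants;` unnecessary, as far as this diff shows. The strict `!=` also rejects a client that never sets `protocol_version` unless the Thrift default equals the current version, which is not visible here, so a short Javadoc stating that an exact match is required and that older clients are refused by design would record the intent.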
