Repository: incubator-sentry Updated Branches: refs/heads/master 52ec19483 -> 9615cc58b
SENTRY-936: getGroup and getUser should always return orginal hdfs values for paths in prefix which are not sentry managed (Sravya Tirukkovalur, Reviewed by Lenni Kuff)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/9615cc58
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/9615cc58
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/9615cc58
Branch: refs/heads/master
Commit: 9615cc58b680e1153bd475e8549438d460c90f05
Parents: 52ec194
Author: Sravya Tirukkovalur <[email protected]>
Authored: Thu Oct 29 18:33:32 2015 -0700
Committer: Sravya Tirukkovalur <[email protected]>
Committed: Fri Oct 30 22:54:32 2015 -0700
----------------------------------------------------------------------
.../hdfs/SentryAuthorizationProvider.java | 51 ++++++--------------
.../sentry/hdfs/SentryAuthorizationInfoX.java | 4 +-
.../hdfs/TestSentryAuthorizationProvider.java | 14 +++++-
3 files changed, 31 insertions(+), 38 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9615cc58/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
index d167183..419ab68 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
@@ -204,16 +204,10 @@ public class SentryAuthorizationProvider
 String[] pathElements = getPathElements(node);
 if (!authzInfo.isManaged(pathElements)) {
 user = defaultAuthzProvider.getUser(node, snapshotId);
+ } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) {
+ user = defaultAuthzProvider.getUser(node, snapshotId);
 } else {
- if (!authzInfo.isStale()) {
- if (authzInfo.doesBelongToAuthzObject(pathElements)) {
- user = this.user;
- } else {
- user = defaultAuthzProvider.getUser(node, snapshotId);
- }
- } else {
 user = this.user;
- }
 }
 return user;
 }
@@ -229,16 +223,10 @@ public class SentryAuthorizationProvider
 String[] pathElements = getPathElements(node);
 if (!authzInfo.isManaged(pathElements)) {
 group = getDefaultProviderGroup(node, snapshotId);
+ } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) {
+ group = getDefaultProviderGroup(node, snapshotId);
 } else {
- if (!authzInfo.isStale()) {
- if (authzInfo.doesBelongToAuthzObject(pathElements)) {
- group = this.group;
- } else {
- group = getDefaultProviderGroup(node, snapshotId);
- }
- } else {
- group = this.group;
- }
+ group = this.group;
 }
 return group;
 }
@@ -256,7 +244,10 @@ public class SentryAuthorizationProvider
 String[] pathElements = getPathElements(node);
 if (!authzInfo.isManaged(pathElements)) {
 permission = defaultAuthzProvider.getFsPermission(node, snapshotId);
- } else {
+ } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) {
+ permission = defaultAuthzProvider.getFsPermission(node, snapshotId);
+ }
+ else {
 FsPermission returnPerm = this.permission;
 // Handle case when prefix directory is itself associated with an
 // authorizable object (default db directory in hive)
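Review bot: The new `else if (!authzInfo.doesBelongToAuthzObject(pathElements))` branch in the first hunk (apparently getUser) is taken without consulting `authzInfo.isStale()`, so stale Sentry state now decides whether a path under a managed prefix is reported with its original HDFS owner. The removed code returned `this.user` for every managed path while stale, which was the restrictive answer; if a stale mapping can lack a recently added authz object, that object's directory would be reported with HDFS values until the next refresh. The hunk does not say whether that window is intended, so I would record the decision next to the branch, e.g. `// Membership is taken from authzInfo even when stale; non-object paths always keep HDFS values (SENTRY-936)`. The same branch is added in the group, permission and ACL hunks (@@ -229, @@ -256, @@ -321), and the enclosing method starts above the hunk.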
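Review bot: In the @@ -256 hunk the added `}` and `else {` sit on separate lines, while the first two hunks use `} else {`; joining them keeps the file's brace style. The first two branches also assign the same value, so they can be one condition, `if (!authzInfo.isManaged(pathElements) || !authzInfo.doesBelongToAuthzObject(pathElements)) {`, which short-circuits exactly as the chain does. The method body continues past the hunk.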
@@ -269,15 +260,7 @@ public class SentryAuthorizationProvider
 break;
 }
 }
- if (!authzInfo.isStale()) {
- if (authzInfo.doesBelongToAuthzObject(pathElements)) {
- permission = returnPerm;
- } else {
- permission = defaultAuthzProvider.getFsPermission(node, snapshotId);
- }
- } else {
- permission = returnPerm;
- }
+ permission = returnPerm;
 }
 return permission;
 }
@@ -321,8 +304,12 @@ public class SentryAuthorizationProvider
 if (!authzInfo.isManaged(pathElements)) {
 isManaged = false;
 f = defaultAuthzProvider.getAclFeature(node, snapshotId);
+ } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) {
+ isManaged = true;
+ f = defaultAuthzProvider.getAclFeature(node, snapshotId);
 } else {
 isManaged = true;
+ hasAuthzObj = true;
 aclMap = new HashMap<String, AclEntry>();
 if (originalAuthzAsAcl) {
 String user = defaultAuthzProvider.getUser(node, snapshotId);
@@ -335,14 +322,8 @@ public class SentryAuthorizationProvider
 }
 if (!authzInfo.isStale()) {
 isStale = false;
- if (authzInfo.doesBelongToAuthzObject(pathElements)) {
- hasAuthzObj = true;
- addToACLMap(aclMap, authzInfo.getAclEntries(pathElements));
- f = new SentryAclFeature(ImmutableList.copyOf(aclMap.values()));
- } else {
- hasAuthzObj = false;
- f = defaultAuthzProvider.getAclFeature(node, snapshotId);
- }
+ addToACLMap(aclMap, authzInfo.getAclEntries(pathElements));
+ f = new SentryAclFeature(ImmutableList.copyOf(aclMap.values()));
 } else {
 isStale = true;
 f = new SentryAclFeature(ImmutableList.copyOf(aclMap.values()));
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9615cc58/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
----------------------------------------------------------------------
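Review bot: In the @@ -321 hunk the new `else if` branch sets `isManaged = true` but no longer assigns `hasAuthzObj` or `isStale`, which the removed code set to `false` for the same non-object case; they keep whatever value they had before the `if`. If those flags feed logging or decisions after the hunk (not visible here), the fallback branch should set them explicitly, e.g. `hasAuthzObj = false;` and `isStale = authzInfo.isStale();`. The last branch also sets `hasAuthzObj = true` before staleness is checked, so a stale path is now flagged as having an authz object where it was not before. The declarations and uses of these flags are outside the hunk.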
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
index 4cebed2..0ed290d 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
@@ -29,6 +29,7 @@ public class SentryAuthorizationInfoX extends SentryAuthorizationInfo {
 public SentryAuthorizationInfoX() {
 super(new String[]{"/user/authz"});
+ System.setProperty("test.stale", "false");
 }
 @Override
@@ -48,7 +49,8 @@ public class SentryAuthorizationInfoX extends SentryAuthorizationInfo {
 @Override
 public boolean isStale() {
- return false;
+ String stale = System.getProperty("test.stale");
+ return stale.equalsIgnoreCase("true");
 }
 private static final String[] MANAGED = {"user", "authz"};
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/9615cc58/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
index 40b803e..fd5146f 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
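Review bot: `isStale()` in the @@ -48 hunk dereferences the result of `System.getProperty("test.stale")`, which is null whenever the property is unset at the time of the call, for instance if another test cleared it, so the fixture fails with a NullPointerException instead of answering. `return Boolean.parseBoolean(System.getProperty("test.stale"));` is null-safe and keeps the case-insensitive match. The property set in the constructor hunk is also JVM-wide, so every SentryAuthorizationInfoX instance and every test in the process shares one stale flag; an instance field with a setter would keep it local to the fixture.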
@@ -133,7 +133,7 @@ public class TestSentryAuthorizationProvider {
 path = new Path("/user/authz/obj");
 Assert.assertEquals("hive", fs.getFileStatus(path).getOwner());
 Assert.assertEquals("hive", fs.getFileStatus(path).getGroup());
- Assert.assertEquals(new FsPermission((short) 0770), fs.getFileStatus(path).getPermission());
+ Assert.assertEquals(new FsPermission((short) 0771), fs.getFileStatus(path).getPermission());
 Assert.assertFalse(fs.getAclStatus(path).getEntries().isEmpty());
 List<AclEntry> acls = new ArrayList<AclEntry>();
@@ -146,7 +146,7 @@ public class TestSentryAuthorizationProvider {
 path = new Path("/user/authz/obj/xxx");
 Assert.assertEquals("hive", fs.getFileStatus(path).getOwner());
 Assert.assertEquals("hive", fs.getFileStatus(path).getGroup());
- Assert.assertEquals(new FsPermission((short) 0770), fs.getFileStatus(path).getPermission());
+ Assert.assertEquals(new FsPermission((short) 0771), fs.getFileStatus(path).getPermission());
 Assert.assertFalse(fs.getAclStatus(path).getEntries().isEmpty());
 Path path2 = new Path("/user/authz/obj/path2");
@@ -159,6 +159,16 @@ public class TestSentryAuthorizationProvider {
 Assert.assertEquals("supergroup", fs.getFileStatus(path).getGroup());
 Assert.assertEquals(new FsPermission((short) 0755), fs.getFileStatus(path).getPermission());
 Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty());
+
+ //stale and dir inside of prefix, obj
+ System.setProperty("test.stale", "true");
+ path = new Path("/user/authz/xxx");
+ status = fs.getFileStatus(path);
+ Assert.assertEquals(sysUser, status.getOwner());
+ Assert.assertEquals("supergroup", status.getGroup());
+ Assert.assertEquals(new FsPermission((short) 0755), status.getPermission());
+ Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty());
+
 return null;
 }
 });
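Review bot: The expected permission for `/user/authz/obj` changes from 0770 to 0771 here, and again in the @@ -146 hunk for `/user/authz/obj/xxx`, so the test now expects the other-execute bit on authz-object paths. None of the visible SentryAuthorizationProvider hunks obviously adds that bit for paths that are not the prefix itself, so the reason cannot be traced from this commit. A comment on the assertion such as `// 0771: <reason the other-execute bit is expected on object paths>` would show that the wider mode is intended rather than an expectation adjusted to match output.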
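Review bot: The block added in the @@ -159 hunk calls `System.setProperty("test.stale", "true")` and never restores it, so any later test in the same JVM that reads the property sees stale authz info unless a new SentryAuthorizationInfoX is constructed first. Wrapping the stale assertions as `try { ... } finally { System.setProperty("test.stale", "false"); }` keeps the flag from leaking. The block also checks only a non-object path while stale; an assertion that `/user/authz/obj` still reports owner `hive` when stale would pin the other half of the provider change. The enclosing test method starts above the hunk.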
