Repository: incubator-sentry Updated Branches: refs/heads/master 8a669304b -> 5c2597de0
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c2597de/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesByAuthResponse.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesByAuthResponse.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesByAuthResponse.java
new file mode 100644
index 0000000..e1b8a78
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TListSentryPrivilegesByAuthResponse.java
@@ -0,0 +1,565 @@ +/** + * Autogenerated by Thrift Compiler (0.9.0) + * + * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING + * @generated + */ +package org.apache.sentry.provider.db.generic.service.thrift; + +import org.apache.commons.lang.builder.HashCodeBuilder; +import org.apache.thrift.scheme.IScheme; +import org.apache.thrift.scheme.SchemeFactory; +import org.apache.thrift.scheme.StandardScheme; + +import org.apache.thrift.scheme.TupleScheme; +import org.apache.thrift.protocol.TTupleProtocol; +import org.apache.thrift.protocol.TProtocolException; +import org.apache.thrift.EncodingUtils; +import org.apache.thrift.TException; +import java.util.List; +import java.util.ArrayList; +import java.util.Map; +import java.util.HashMap; +import java.util.EnumMap; +import java.util.Set; +import java.util.HashSet; +import java.util.EnumSet; +import java.util.Collections; +import java.util.BitSet; +import java.nio.ByteBuffer; +import java.util.Arrays; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class TListSentryPrivilegesByAuthResponse implements org.apache.thrift.TBase<TListSentryPrivilegesByAuthResponse, TListSentryPrivilegesByAuthResponse._Fields>, java.io.Serializable, Cloneable { + private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("TListSentryPrivilegesByAuthResponse"); + + private static final org.apache.thrift.protocol.TField STATUS_FIELD_DESC = new org.apache.thrift.protocol.TField("status", org.apache.thrift.protocol.TType.STRUCT, (short)1); + private static final org.apache.thrift.protocol.TField PRIVILEGES_MAP_BY_AUTH_FIELD_DESC = new org.apache.thrift.protocol.TField("privilegesMapByAuth", org.apache.thrift.protocol.TType.MAP, (short)2); + + private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? 
extends IScheme>, SchemeFactory>(); + static { + schemes.put(StandardScheme.class, new TListSentryPrivilegesByAuthResponseStandardSchemeFactory()); + schemes.put(TupleScheme.class, new TListSentryPrivilegesByAuthResponseTupleSchemeFactory()); + } + + private org.apache.sentry.service.thrift.TSentryResponseStatus status; // required + private Map<String,TSentryPrivilegeMap> privilegesMapByAuth; // optional + + /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ + public enum _Fields implements org.apache.thrift.TFieldIdEnum { + STATUS((short)1, "status"), + PRIVILEGES_MAP_BY_AUTH((short)2, "privilegesMapByAuth"); + + private static final Map<String, _Fields> byName = new HashMap<String, _Fields>(); + + static { + for (_Fields field : EnumSet.allOf(_Fields.class)) { + byName.put(field.getFieldName(), field); + } + } + + /** + * Find the _Fields constant that matches fieldId, or null if its not found. + */ + public static _Fields findByThriftId(int fieldId) { + switch(fieldId) { + case 1: // STATUS + return STATUS; + case 2: // PRIVILEGES_MAP_BY_AUTH + return PRIVILEGES_MAP_BY_AUTH; + default: + return null; + } + } + + /** + * Find the _Fields constant that matches fieldId, throwing an exception + * if it is not found. + */ + public static _Fields findByThriftIdOrThrow(int fieldId) { + _Fields fields = findByThriftId(fieldId); + if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!"); + return fields; + } + + /** + * Find the _Fields constant that matches name, or null if its not found. 
+ */ + public static _Fields findByName(String name) { + return byName.get(name); + } + + private final short _thriftId; + private final String _fieldName; + + _Fields(short thriftId, String fieldName) { + _thriftId = thriftId; + _fieldName = fieldName; + } + + public short getThriftFieldId() { + return _thriftId; + } + + public String getFieldName() { + return _fieldName; + } + } + + // isset id assignments + private _Fields optionals[] = {_Fields.PRIVILEGES_MAP_BY_AUTH}; + public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap; + static { + Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); + tmpMap.put(_Fields.STATUS, new org.apache.thrift.meta_data.FieldMetaData("status", org.apache.thrift.TFieldRequirementType.REQUIRED, + new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, org.apache.sentry.service.thrift.TSentryResponseStatus.class))); + tmpMap.put(_Fields.PRIVILEGES_MAP_BY_AUTH, new org.apache.thrift.meta_data.FieldMetaData("privilegesMapByAuth", org.apache.thrift.TFieldRequirementType.OPTIONAL, + new org.apache.thrift.meta_data.MapMetaData(org.apache.thrift.protocol.TType.MAP, + new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING), + new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryPrivilegeMap.class)))); + metaDataMap = Collections.unmodifiableMap(tmpMap); + org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TListSentryPrivilegesByAuthResponse.class, metaDataMap); + } + + public TListSentryPrivilegesByAuthResponse() { + } + + public TListSentryPrivilegesByAuthResponse( + org.apache.sentry.service.thrift.TSentryResponseStatus status) + { + this(); + this.status = status; + } + + /** + * Performs a deep copy on <i>other</i>. 
+ */ + public TListSentryPrivilegesByAuthResponse(TListSentryPrivilegesByAuthResponse other) { + if (other.isSetStatus()) { + this.status = new org.apache.sentry.service.thrift.TSentryResponseStatus(other.status); + } + if (other.isSetPrivilegesMapByAuth()) { + Map<String,TSentryPrivilegeMap> __this__privilegesMapByAuth = new HashMap<String,TSentryPrivilegeMap>(); + for (Map.Entry<String, TSentryPrivilegeMap> other_element : other.privilegesMapByAuth.entrySet()) { + + String other_element_key = other_element.getKey(); + TSentryPrivilegeMap other_element_value = other_element.getValue(); + + String __this__privilegesMapByAuth_copy_key = other_element_key; + + TSentryPrivilegeMap __this__privilegesMapByAuth_copy_value = new TSentryPrivilegeMap(other_element_value); + + __this__privilegesMapByAuth.put(__this__privilegesMapByAuth_copy_key, __this__privilegesMapByAuth_copy_value); + } + this.privilegesMapByAuth = __this__privilegesMapByAuth; + } + } + + public TListSentryPrivilegesByAuthResponse deepCopy() { + return new TListSentryPrivilegesByAuthResponse(this); + } + + @Override + public void clear() { + this.status = null; + this.privilegesMapByAuth = null; + } + + public org.apache.sentry.service.thrift.TSentryResponseStatus getStatus() { + return this.status; + } + + public void setStatus(org.apache.sentry.service.thrift.TSentryResponseStatus status) { + this.status = status; + } + + public void unsetStatus() { + this.status = null; + } + + /** Returns true if field status is set (has been assigned a value) and false otherwise */ + public boolean isSetStatus() { + return this.status != null; + } + + public void setStatusIsSet(boolean value) { + if (!value) { + this.status = null; + } + } + + public int getPrivilegesMapByAuthSize() { + return (this.privilegesMapByAuth == null) ? 
0 : this.privilegesMapByAuth.size(); + } + + public void putToPrivilegesMapByAuth(String key, TSentryPrivilegeMap val) { + if (this.privilegesMapByAuth == null) { + this.privilegesMapByAuth = new HashMap<String,TSentryPrivilegeMap>(); + } + this.privilegesMapByAuth.put(key, val); + } + + public Map<String,TSentryPrivilegeMap> getPrivilegesMapByAuth() { + return this.privilegesMapByAuth; + } + + public void setPrivilegesMapByAuth(Map<String,TSentryPrivilegeMap> privilegesMapByAuth) { + this.privilegesMapByAuth = privilegesMapByAuth; + } + + public void unsetPrivilegesMapByAuth() { + this.privilegesMapByAuth = null; + } + + /** Returns true if field privilegesMapByAuth is set (has been assigned a value) and false otherwise */ + public boolean isSetPrivilegesMapByAuth() { + return this.privilegesMapByAuth != null; + } + + public void setPrivilegesMapByAuthIsSet(boolean value) { + if (!value) { + this.privilegesMapByAuth = null; + } + } + + public void setFieldValue(_Fields field, Object value) { + switch (field) { + case STATUS: + if (value == null) { + unsetStatus(); + } else { + setStatus((org.apache.sentry.service.thrift.TSentryResponseStatus)value); + } + break; + + case PRIVILEGES_MAP_BY_AUTH: + if (value == null) { + unsetPrivilegesMapByAuth(); + } else { + setPrivilegesMapByAuth((Map<String,TSentryPrivilegeMap>)value); + } + break; + + } + } + + public Object getFieldValue(_Fields field) { + switch (field) { + case STATUS: + return getStatus(); + + case PRIVILEGES_MAP_BY_AUTH: + return getPrivilegesMapByAuth(); + + } + throw new IllegalStateException(); + } + + /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */ + public boolean isSet(_Fields field) { + if (field == null) { + throw new IllegalArgumentException(); + } + + switch (field) { + case STATUS: + return isSetStatus(); + case PRIVILEGES_MAP_BY_AUTH: + return isSetPrivilegesMapByAuth(); + } + throw new IllegalStateException(); + } + + @Override + 
public boolean equals(Object that) { + if (that == null) + return false; + if (that instanceof TListSentryPrivilegesByAuthResponse) + return this.equals((TListSentryPrivilegesByAuthResponse)that); + return false; + } + + public boolean equals(TListSentryPrivilegesByAuthResponse that) { + if (that == null) + return false; + + boolean this_present_status = true && this.isSetStatus(); + boolean that_present_status = true && that.isSetStatus(); + if (this_present_status || that_present_status) { + if (!(this_present_status && that_present_status)) + return false; + if (!this.status.equals(that.status)) + return false; + } + + boolean this_present_privilegesMapByAuth = true && this.isSetPrivilegesMapByAuth(); + boolean that_present_privilegesMapByAuth = true && that.isSetPrivilegesMapByAuth(); + if (this_present_privilegesMapByAuth || that_present_privilegesMapByAuth) { + if (!(this_present_privilegesMapByAuth && that_present_privilegesMapByAuth)) + return false; + if (!this.privilegesMapByAuth.equals(that.privilegesMapByAuth)) + return false; + } + + return true; + } + + @Override + public int hashCode() { + HashCodeBuilder builder = new HashCodeBuilder(); + + boolean present_status = true && (isSetStatus()); + builder.append(present_status); + if (present_status) + builder.append(status); + + boolean present_privilegesMapByAuth = true && (isSetPrivilegesMapByAuth()); + builder.append(present_privilegesMapByAuth); + if (present_privilegesMapByAuth) + builder.append(privilegesMapByAuth); + + return builder.toHashCode(); + } + + public int compareTo(TListSentryPrivilegesByAuthResponse other) { + if (!getClass().equals(other.getClass())) { + return getClass().getName().compareTo(other.getClass().getName()); + } + + int lastComparison = 0; + TListSentryPrivilegesByAuthResponse typedOther = (TListSentryPrivilegesByAuthResponse)other; + + lastComparison = Boolean.valueOf(isSetStatus()).compareTo(typedOther.isSetStatus()); + if (lastComparison != 0) { + return lastComparison; 
+ } + if (isSetStatus()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.status, typedOther.status); + if (lastComparison != 0) { + return lastComparison; + } + } + lastComparison = Boolean.valueOf(isSetPrivilegesMapByAuth()).compareTo(typedOther.isSetPrivilegesMapByAuth()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetPrivilegesMapByAuth()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.privilegesMapByAuth, typedOther.privilegesMapByAuth); + if (lastComparison != 0) { + return lastComparison; + } + } + return 0; + } + + public _Fields fieldForId(int fieldId) { + return _Fields.findByThriftId(fieldId); + } + + public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException { + schemes.get(iprot.getScheme()).getScheme().read(iprot, this); + } + + public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException { + schemes.get(oprot.getScheme()).getScheme().write(oprot, this); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder("TListSentryPrivilegesByAuthResponse("); + boolean first = true; + + sb.append("status:"); + if (this.status == null) { + sb.append("null"); + } else { + sb.append(this.status); + } + first = false; + if (isSetPrivilegesMapByAuth()) { + if (!first) sb.append(", "); + sb.append("privilegesMapByAuth:"); + if (this.privilegesMapByAuth == null) { + sb.append("null"); + } else { + sb.append(this.privilegesMapByAuth); + } + first = false; + } + sb.append(")"); + return sb.toString(); + } + + public void validate() throws org.apache.thrift.TException { + // check for required fields + if (!isSetStatus()) { + throw new org.apache.thrift.protocol.TProtocolException("Required field 'status' is unset! 
Struct:" + toString()); + } + + // check for sub-struct validity + if (status != null) { + status.validate(); + } + } + + private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException { + try { + write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out))); + } catch (org.apache.thrift.TException te) { + throw new java.io.IOException(te); + } + } + + private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException { + try { + read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in))); + } catch (org.apache.thrift.TException te) { + throw new java.io.IOException(te); + } + } + + private static class TListSentryPrivilegesByAuthResponseStandardSchemeFactory implements SchemeFactory { + public TListSentryPrivilegesByAuthResponseStandardScheme getScheme() { + return new TListSentryPrivilegesByAuthResponseStandardScheme(); + } + } + + private static class TListSentryPrivilegesByAuthResponseStandardScheme extends StandardScheme<TListSentryPrivilegesByAuthResponse> { + + public void read(org.apache.thrift.protocol.TProtocol iprot, TListSentryPrivilegesByAuthResponse struct) throws org.apache.thrift.TException { + org.apache.thrift.protocol.TField schemeField; + iprot.readStructBegin(); + while (true) + { + schemeField = iprot.readFieldBegin(); + if (schemeField.type == org.apache.thrift.protocol.TType.STOP) { + break; + } + switch (schemeField.id) { + case 1: // STATUS + if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) { + struct.status = new org.apache.sentry.service.thrift.TSentryResponseStatus(); + struct.status.read(iprot); + struct.setStatusIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; + case 2: // PRIVILEGES_MAP_BY_AUTH + if (schemeField.type == org.apache.thrift.protocol.TType.MAP) { + { + org.apache.thrift.protocol.TMap 
_map138 = iprot.readMapBegin(); + struct.privilegesMapByAuth = new HashMap<String,TSentryPrivilegeMap>(2*_map138.size); + for (int _i139 = 0; _i139 < _map138.size; ++_i139) + { + String _key140; // required + TSentryPrivilegeMap _val141; // required + _key140 = iprot.readString(); + _val141 = new TSentryPrivilegeMap(); + _val141.read(iprot); + struct.privilegesMapByAuth.put(_key140, _val141); + } + iprot.readMapEnd(); + } + struct.setPrivilegesMapByAuthIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; + default: + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + iprot.readFieldEnd(); + } + iprot.readStructEnd(); + struct.validate(); + } + + public void write(org.apache.thrift.protocol.TProtocol oprot, TListSentryPrivilegesByAuthResponse struct) throws org.apache.thrift.TException { + struct.validate(); + + oprot.writeStructBegin(STRUCT_DESC); + if (struct.status != null) { + oprot.writeFieldBegin(STATUS_FIELD_DESC); + struct.status.write(oprot); + oprot.writeFieldEnd(); + } + if (struct.privilegesMapByAuth != null) { + if (struct.isSetPrivilegesMapByAuth()) { + oprot.writeFieldBegin(PRIVILEGES_MAP_BY_AUTH_FIELD_DESC); + { + oprot.writeMapBegin(new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRING, org.apache.thrift.protocol.TType.STRUCT, struct.privilegesMapByAuth.size())); + for (Map.Entry<String, TSentryPrivilegeMap> _iter142 : struct.privilegesMapByAuth.entrySet()) + { + oprot.writeString(_iter142.getKey()); + _iter142.getValue().write(oprot); + } + oprot.writeMapEnd(); + } + oprot.writeFieldEnd(); + } + } + oprot.writeFieldStop(); + oprot.writeStructEnd(); + } + + } + + private static class TListSentryPrivilegesByAuthResponseTupleSchemeFactory implements SchemeFactory { + public TListSentryPrivilegesByAuthResponseTupleScheme getScheme() { + return new TListSentryPrivilegesByAuthResponseTupleScheme(); + } + } + + private static class 
TListSentryPrivilegesByAuthResponseTupleScheme extends TupleScheme<TListSentryPrivilegesByAuthResponse> { + + @Override + public void write(org.apache.thrift.protocol.TProtocol prot, TListSentryPrivilegesByAuthResponse struct) throws org.apache.thrift.TException { + TTupleProtocol oprot = (TTupleProtocol) prot; + struct.status.write(oprot); + BitSet optionals = new BitSet(); + if (struct.isSetPrivilegesMapByAuth()) { + optionals.set(0); + } + oprot.writeBitSet(optionals, 1); + if (struct.isSetPrivilegesMapByAuth()) { + { + oprot.writeI32(struct.privilegesMapByAuth.size()); + for (Map.Entry<String, TSentryPrivilegeMap> _iter143 : struct.privilegesMapByAuth.entrySet()) + { + oprot.writeString(_iter143.getKey()); + _iter143.getValue().write(oprot); + } + } + } + } + + @Override + public void read(org.apache.thrift.protocol.TProtocol prot, TListSentryPrivilegesByAuthResponse struct) throws org.apache.thrift.TException { + TTupleProtocol iprot = (TTupleProtocol) prot; + struct.status = new org.apache.sentry.service.thrift.TSentryResponseStatus(); + struct.status.read(iprot); + struct.setStatusIsSet(true); + BitSet incoming = iprot.readBitSet(1); + if (incoming.get(0)) { + { + org.apache.thrift.protocol.TMap _map144 = new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRING, org.apache.thrift.protocol.TType.STRUCT, iprot.readI32()); + struct.privilegesMapByAuth = new HashMap<String,TSentryPrivilegeMap>(2*_map144.size); + for (int _i145 = 0; _i145 < _map144.size; ++_i145) + { + String _key146; // required + TSentryPrivilegeMap _val147; // required + _key146 = iprot.readString(); + _val147 = new TSentryPrivilegeMap(); + _val147.read(iprot); + struct.privilegesMapByAuth.put(_key146, _val147); + } + } + struct.setPrivilegesMapByAuthIsSet(true); + } + } + } + +} + 
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c2597de/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TSentryPrivilegeMap.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TSentryPrivilegeMap.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TSentryPrivilegeMap.java
new file mode 100644
index 0000000..97b96ef
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/generic/service/thrift/TSentryPrivilegeMap.java
@@ -0,0 +1,486 @@ +/** + * Autogenerated by Thrift Compiler (0.9.0) + * + * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING + * @generated + */ +package org.apache.sentry.provider.db.generic.service.thrift; + +import org.apache.commons.lang.builder.HashCodeBuilder; +import org.apache.thrift.scheme.IScheme; +import org.apache.thrift.scheme.SchemeFactory; +import org.apache.thrift.scheme.StandardScheme; + +import org.apache.thrift.scheme.TupleScheme; +import org.apache.thrift.protocol.TTupleProtocol; +import org.apache.thrift.protocol.TProtocolException; +import org.apache.thrift.EncodingUtils; +import org.apache.thrift.TException; +import java.util.List; +import java.util.ArrayList; +import java.util.Map; +import java.util.HashMap; +import java.util.EnumMap; +import java.util.Set; +import java.util.HashSet; +import java.util.EnumSet; +import java.util.Collections; +import java.util.BitSet; +import java.nio.ByteBuffer; +import java.util.Arrays; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class TSentryPrivilegeMap implements org.apache.thrift.TBase<TSentryPrivilegeMap, TSentryPrivilegeMap._Fields>, java.io.Serializable, Cloneable { + private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("TSentryPrivilegeMap"); + + private static final org.apache.thrift.protocol.TField PRIVILEGE_MAP_FIELD_DESC = new org.apache.thrift.protocol.TField("privilegeMap", org.apache.thrift.protocol.TType.MAP, (short)1); + + private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? 
extends IScheme>, SchemeFactory>(); + static { + schemes.put(StandardScheme.class, new TSentryPrivilegeMapStandardSchemeFactory()); + schemes.put(TupleScheme.class, new TSentryPrivilegeMapTupleSchemeFactory()); + } + + private Map<String,Set<TSentryPrivilege>> privilegeMap; // required + + /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ + public enum _Fields implements org.apache.thrift.TFieldIdEnum { + PRIVILEGE_MAP((short)1, "privilegeMap"); + + private static final Map<String, _Fields> byName = new HashMap<String, _Fields>(); + + static { + for (_Fields field : EnumSet.allOf(_Fields.class)) { + byName.put(field.getFieldName(), field); + } + } + + /** + * Find the _Fields constant that matches fieldId, or null if its not found. + */ + public static _Fields findByThriftId(int fieldId) { + switch(fieldId) { + case 1: // PRIVILEGE_MAP + return PRIVILEGE_MAP; + default: + return null; + } + } + + /** + * Find the _Fields constant that matches fieldId, throwing an exception + * if it is not found. + */ + public static _Fields findByThriftIdOrThrow(int fieldId) { + _Fields fields = findByThriftId(fieldId); + if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!"); + return fields; + } + + /** + * Find the _Fields constant that matches name, or null if its not found. 
+ */ + public static _Fields findByName(String name) { + return byName.get(name); + } + + private final short _thriftId; + private final String _fieldName; + + _Fields(short thriftId, String fieldName) { + _thriftId = thriftId; + _fieldName = fieldName; + } + + public short getThriftFieldId() { + return _thriftId; + } + + public String getFieldName() { + return _fieldName; + } + } + + // isset id assignments + public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap; + static { + Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); + tmpMap.put(_Fields.PRIVILEGE_MAP, new org.apache.thrift.meta_data.FieldMetaData("privilegeMap", org.apache.thrift.TFieldRequirementType.REQUIRED, + new org.apache.thrift.meta_data.MapMetaData(org.apache.thrift.protocol.TType.MAP, + new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING), + new org.apache.thrift.meta_data.SetMetaData(org.apache.thrift.protocol.TType.SET, + new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryPrivilege.class))))); + metaDataMap = Collections.unmodifiableMap(tmpMap); + org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TSentryPrivilegeMap.class, metaDataMap); + } + + public TSentryPrivilegeMap() { + } + + public TSentryPrivilegeMap( + Map<String,Set<TSentryPrivilege>> privilegeMap) + { + this(); + this.privilegeMap = privilegeMap; + } + + /** + * Performs a deep copy on <i>other</i>. 
+ */ + public TSentryPrivilegeMap(TSentryPrivilegeMap other) { + if (other.isSetPrivilegeMap()) { + Map<String,Set<TSentryPrivilege>> __this__privilegeMap = new HashMap<String,Set<TSentryPrivilege>>(); + for (Map.Entry<String, Set<TSentryPrivilege>> other_element : other.privilegeMap.entrySet()) { + + String other_element_key = other_element.getKey(); + Set<TSentryPrivilege> other_element_value = other_element.getValue(); + + String __this__privilegeMap_copy_key = other_element_key; + + Set<TSentryPrivilege> __this__privilegeMap_copy_value = new HashSet<TSentryPrivilege>(); + for (TSentryPrivilege other_element_value_element : other_element_value) { + __this__privilegeMap_copy_value.add(new TSentryPrivilege(other_element_value_element)); + } + + __this__privilegeMap.put(__this__privilegeMap_copy_key, __this__privilegeMap_copy_value); + } + this.privilegeMap = __this__privilegeMap; + } + } + + public TSentryPrivilegeMap deepCopy() { + return new TSentryPrivilegeMap(this); + } + + @Override + public void clear() { + this.privilegeMap = null; + } + + public int getPrivilegeMapSize() { + return (this.privilegeMap == null) ? 
0 : this.privilegeMap.size(); + } + + public void putToPrivilegeMap(String key, Set<TSentryPrivilege> val) { + if (this.privilegeMap == null) { + this.privilegeMap = new HashMap<String,Set<TSentryPrivilege>>(); + } + this.privilegeMap.put(key, val); + } + + public Map<String,Set<TSentryPrivilege>> getPrivilegeMap() { + return this.privilegeMap; + } + + public void setPrivilegeMap(Map<String,Set<TSentryPrivilege>> privilegeMap) { + this.privilegeMap = privilegeMap; + } + + public void unsetPrivilegeMap() { + this.privilegeMap = null; + } + + /** Returns true if field privilegeMap is set (has been assigned a value) and false otherwise */ + public boolean isSetPrivilegeMap() { + return this.privilegeMap != null; + } + + public void setPrivilegeMapIsSet(boolean value) { + if (!value) { + this.privilegeMap = null; + } + } + + public void setFieldValue(_Fields field, Object value) { + switch (field) { + case PRIVILEGE_MAP: + if (value == null) { + unsetPrivilegeMap(); + } else { + setPrivilegeMap((Map<String,Set<TSentryPrivilege>>)value); + } + break; + + } + } + + public Object getFieldValue(_Fields field) { + switch (field) { + case PRIVILEGE_MAP: + return getPrivilegeMap(); + + } + throw new IllegalStateException(); + } + + /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */ + public boolean isSet(_Fields field) { + if (field == null) { + throw new IllegalArgumentException(); + } + + switch (field) { + case PRIVILEGE_MAP: + return isSetPrivilegeMap(); + } + throw new IllegalStateException(); + } + + @Override + public boolean equals(Object that) { + if (that == null) + return false; + if (that instanceof TSentryPrivilegeMap) + return this.equals((TSentryPrivilegeMap)that); + return false; + } + + public boolean equals(TSentryPrivilegeMap that) { + if (that == null) + return false; + + boolean this_present_privilegeMap = true && this.isSetPrivilegeMap(); + boolean that_present_privilegeMap = true && 
that.isSetPrivilegeMap(); + if (this_present_privilegeMap || that_present_privilegeMap) { + if (!(this_present_privilegeMap && that_present_privilegeMap)) + return false; + if (!this.privilegeMap.equals(that.privilegeMap)) + return false; + } + + return true; + } + + @Override + public int hashCode() { + HashCodeBuilder builder = new HashCodeBuilder(); + + boolean present_privilegeMap = true && (isSetPrivilegeMap()); + builder.append(present_privilegeMap); + if (present_privilegeMap) + builder.append(privilegeMap); + + return builder.toHashCode(); + } + + public int compareTo(TSentryPrivilegeMap other) { + if (!getClass().equals(other.getClass())) { + return getClass().getName().compareTo(other.getClass().getName()); + } + + int lastComparison = 0; + TSentryPrivilegeMap typedOther = (TSentryPrivilegeMap)other; + + lastComparison = Boolean.valueOf(isSetPrivilegeMap()).compareTo(typedOther.isSetPrivilegeMap()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetPrivilegeMap()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.privilegeMap, typedOther.privilegeMap); + if (lastComparison != 0) { + return lastComparison; + } + } + return 0; + } + + public _Fields fieldForId(int fieldId) { + return _Fields.findByThriftId(fieldId); + } + + public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException { + schemes.get(iprot.getScheme()).getScheme().read(iprot, this); + } + + public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException { + schemes.get(oprot.getScheme()).getScheme().write(oprot, this); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder("TSentryPrivilegeMap("); + boolean first = true; + + sb.append("privilegeMap:"); + if (this.privilegeMap == null) { + sb.append("null"); + } else { + sb.append(this.privilegeMap); + } + first = false; + sb.append(")"); + return sb.toString(); + } + + public void validate() throws 
org.apache.thrift.TException { + // check for required fields + if (!isSetPrivilegeMap()) { + throw new org.apache.thrift.protocol.TProtocolException("Required field 'privilegeMap' is unset! Struct:" + toString()); + } + + // check for sub-struct validity + } + + private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException { + try { + write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out))); + } catch (org.apache.thrift.TException te) { + throw new java.io.IOException(te); + } + } + + private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException { + try { + read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in))); + } catch (org.apache.thrift.TException te) { + throw new java.io.IOException(te); + } + } + + private static class TSentryPrivilegeMapStandardSchemeFactory implements SchemeFactory { + public TSentryPrivilegeMapStandardScheme getScheme() { + return new TSentryPrivilegeMapStandardScheme(); + } + } + + private static class TSentryPrivilegeMapStandardScheme extends StandardScheme<TSentryPrivilegeMap> { + + public void read(org.apache.thrift.protocol.TProtocol iprot, TSentryPrivilegeMap struct) throws org.apache.thrift.TException { + org.apache.thrift.protocol.TField schemeField; + iprot.readStructBegin(); + while (true) + { + schemeField = iprot.readFieldBegin(); + if (schemeField.type == org.apache.thrift.protocol.TType.STOP) { + break; + } + switch (schemeField.id) { + case 1: // PRIVILEGE_MAP + if (schemeField.type == org.apache.thrift.protocol.TType.MAP) { + { + org.apache.thrift.protocol.TMap _map104 = iprot.readMapBegin(); + struct.privilegeMap = new HashMap<String,Set<TSentryPrivilege>>(2*_map104.size); + for (int _i105 = 0; _i105 < _map104.size; ++_i105) + { + String _key106; // required + Set<TSentryPrivilege> _val107; // required + _key106 = iprot.readString(); + { + 
org.apache.thrift.protocol.TSet _set108 = iprot.readSetBegin(); + _val107 = new HashSet<TSentryPrivilege>(2*_set108.size); + for (int _i109 = 0; _i109 < _set108.size; ++_i109) + { + TSentryPrivilege _elem110; // required + _elem110 = new TSentryPrivilege(); + _elem110.read(iprot); + _val107.add(_elem110); + } + iprot.readSetEnd(); + } + struct.privilegeMap.put(_key106, _val107); + } + iprot.readMapEnd(); + } + struct.setPrivilegeMapIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; + default: + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + iprot.readFieldEnd(); + } + iprot.readStructEnd(); + struct.validate(); + } + + public void write(org.apache.thrift.protocol.TProtocol oprot, TSentryPrivilegeMap struct) throws org.apache.thrift.TException { + struct.validate(); + + oprot.writeStructBegin(STRUCT_DESC); + if (struct.privilegeMap != null) { + oprot.writeFieldBegin(PRIVILEGE_MAP_FIELD_DESC); + { + oprot.writeMapBegin(new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRING, org.apache.thrift.protocol.TType.SET, struct.privilegeMap.size())); + for (Map.Entry<String, Set<TSentryPrivilege>> _iter111 : struct.privilegeMap.entrySet()) + { + oprot.writeString(_iter111.getKey()); + { + oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, _iter111.getValue().size())); + for (TSentryPrivilege _iter112 : _iter111.getValue()) + { + _iter112.write(oprot); + } + oprot.writeSetEnd(); + } + } + oprot.writeMapEnd(); + } + oprot.writeFieldEnd(); + } + oprot.writeFieldStop(); + oprot.writeStructEnd(); + } + + } + + private static class TSentryPrivilegeMapTupleSchemeFactory implements SchemeFactory { + public TSentryPrivilegeMapTupleScheme getScheme() { + return new TSentryPrivilegeMapTupleScheme(); + } + } + + private static class TSentryPrivilegeMapTupleScheme extends TupleScheme<TSentryPrivilegeMap> { + + @Override + public void 
write(org.apache.thrift.protocol.TProtocol prot, TSentryPrivilegeMap struct) throws org.apache.thrift.TException { + TTupleProtocol oprot = (TTupleProtocol) prot; + { + oprot.writeI32(struct.privilegeMap.size()); + for (Map.Entry<String, Set<TSentryPrivilege>> _iter113 : struct.privilegeMap.entrySet()) + { + oprot.writeString(_iter113.getKey()); + { + oprot.writeI32(_iter113.getValue().size()); + for (TSentryPrivilege _iter114 : _iter113.getValue()) + { + _iter114.write(oprot); + } + } + } + } + } + + @Override + public void read(org.apache.thrift.protocol.TProtocol prot, TSentryPrivilegeMap struct) throws org.apache.thrift.TException { + TTupleProtocol iprot = (TTupleProtocol) prot; + { + org.apache.thrift.protocol.TMap _map115 = new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRING, org.apache.thrift.protocol.TType.SET, iprot.readI32()); + struct.privilegeMap = new HashMap<String,Set<TSentryPrivilege>>(2*_map115.size); + for (int _i116 = 0; _i116 < _map115.size; ++_i116) + { + String _key117; // required + Set<TSentryPrivilege> _val118; // required + _key117 = iprot.readString(); + { + org.apache.thrift.protocol.TSet _set119 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32()); + _val118 = new HashSet<TSentryPrivilege>(2*_set119.size); + for (int _i120 = 0; _i120 < _set119.size; ++_i120) + { + TSentryPrivilege _elem121; // required + _elem121 = new TSentryPrivilege(); + _elem121.read(iprot); + _val118.add(_elem121); + } + } + struct.privilegeMap.put(_key117, _val118); + } + } + struct.setPrivilegeMapIsSet(true); + } + } + +} + http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c2597de/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java ---------------------------------------------------------------------- 
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java index e1c15fa..4c5ceca 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java @@ -140,6 +140,11 @@ public class DelegateSentryStore implements SentryStoreLayer { } @Override + public Set<String> getAllRoleNames() { + return delegate.getAllRoleNames(); + } + + @Override public CommitContext alterRoleAddGroups(String component, String role, Set<String> groups, String requestor) throws SentryNoSuchObjectException { return delegate.alterSentryRoleAddGroups(requestor, role, toTSentryGroups(groups)); 
@@ -418,6 +423,41 @@ public class DelegateSentryStore implements SentryStoreLayer { } @Override + public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, String service, + Set<String> validActiveRoles, List<? extends Authorizable> authorizables) + throws SentryUserException { + + Preconditions.checkNotNull(component); + Preconditions.checkNotNull(service); + + component = toTrimedLower(component); + service = toTrimedLower(service); + + Set<MSentryGMPrivilege> privileges = Sets.newHashSet(); + PersistenceManager pm = null; + try { + pm = openTransaction(); + + if (validActiveRoles == null || validActiveRoles.size() == 0) { + return privileges; + } + + Set<MSentryRole> mRoles = Sets.newHashSet(); + for (String role : validActiveRoles) { + MSentryRole mRole = getRole(role, pm); + if (mRole != null) { + mRoles.add(mRole); + } + } + //get the privileges + privileges.addAll(privilegeOperator.getPrivilegesByAuthorizable(component, service, mRoles, authorizables, pm)); + } finally { + commitTransaction(pm); + } + return privileges; + } + + @Override public void close() { delegate.stop(); } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c2597de/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java index c3b0be8..21e51cd 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java 
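Review bot: The `finally` in `getPrivilegesByAuthorizable` calls `commitTransaction(pm)` on every path, so a failure in `getRole` or in `privilegeOperator.getPrivilegesByAuthorizable` still ends in a commit attempt, and `pm` is still null there if `openTransaction()` itself throws. `SentryStore.getAllRoleNames` in this same commit uses a `rollbackTransaction` flag and rolls back in `finally` unless the commit completed. This read path should follow that shape, assuming this class has an equivalent rollback helper (not visible in the hunk). The empty-role check also sits after `openTransaction()`, so a request with no roles opens and commits a transaction for nothing; the sketch moves it above the `try`.

```java
    if (validActiveRoles == null || validActiveRoles.isEmpty()) {
      return privileges;
    }

    boolean rollbackTransaction = true;
    PersistenceManager pm = null;
    try {
      pm = openTransaction();
      // … unchanged: resolve validActiveRoles to mRoles, add the matching privileges …
      commitTransaction(pm);
      rollbackTransaction = false;
    } finally {
      if (rollbackTransaction) {
        rollbackTransaction(pm);
      }
    }
    return privileges;
```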
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java @@ -363,6 +363,20 @@ public class PrivilegeOperatePersistence { return privileges; } + public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, + String service, Set<MSentryRole> roles, + List<? extends Authorizable> authorizables, PersistenceManager pm) { + + Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet(); + + if (roles == null || roles.isEmpty()) { + return privilegeGraph; + } + + MSentryGMPrivilege parentPrivilege = new MSentryGMPrivilege(component, service, authorizables, null, null); + privilegeGraph.addAll(populateIncludePrivileges(roles, parentPrivilege, pm)); + return privilegeGraph; + } public void renamePrivilege(String component, String service, List<? extends Authorizable> oldAuthorizables, List<? extends Authorizable> newAuthorizables, http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c2597de/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java index f6d73e7..49a78ef 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java 
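Review bot: The new public `getPrivilegesByAuthorizable` has no Javadoc, and its contract is not obvious from the body: it returns an empty set for null or empty `roles`, and otherwise whatever `populateIncludePrivileges` yields for a probe `MSentryGMPrivilege` built with its last two constructor arguments null. Because callers use the result to answer an authorization listing, the comment should say which stored privileges count as included for the given authorizable path; that helper is outside this hunk, so confirm against it. Something like `/** Returns the privileges of {@code roles} that populateIncludePrivileges matches for the given component, service and authorizable path; empty if roles is null or empty. */` would do.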
@@ -24,6 +24,7 @@ import org.apache.sentry.SentryUserException; import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.provider.db.SentryAlreadyExistsException; import org.apache.sentry.provider.db.SentryNoSuchObjectException; +import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege; import org.apache.sentry.provider.db.service.persistent.CommitContext; /** @@ -164,9 +165,31 @@ public interface SentryStoreLayer { * @throws SentryUserException */ - Set<PrivilegeObject> getPrivilegesByProvider(String component, String service,Set<String> roles, + Set<PrivilegeObject> getPrivilegesByProvider(String component, String service, Set<String> roles, Set<String> groups, List<? extends Authorizable> authorizables) throws SentryUserException; + + /** + * Get all roles name. + * + * @returns The set of roles name, + */ + Set<String> getAllRoleNames(); + + /** + * Get sentry privileges based on valid active roles and the authorize objects. + * + * @param component: The request respond to which component + * @param service: The name of service + * @param validActiveRoles: The valid active roles + * @param authorizables: The list of authorize objects + * @returns The set of MSentryGMPrivilege + * @throws SentryUserException + */ + Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, String service, + Set<String> validActiveRoles, List<? extends Authorizable> authorizables) + throws SentryUserException; + /** * close sentryStore */ http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c2597de/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java ---------------------------------------------------------------------- 
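Review bot: The Javadoc added for `getAllRoleNames` and `getPrivilegesByAuthorizable` uses `@returns`, which is not a Javadoc tag, so the return descriptions will not be picked up; use `@return`. The `@param component:` form with a trailing colon should be `@param component` followed by the description, and the `getAllRoleNames` comment stops mid-sentence ("The set of roles name,"). The interface is also the place to state what an implementation does with a null or empty `validActiveRoles`; the `DelegateSentryStore` implementation in this commit returns an empty set. Suggested: `@return the names of all roles, or an empty set if none exist` and `@return the privileges held by validActiveRoles on the given authorizables; empty if validActiveRoles is null or empty`.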
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java index 78d3847..d07331e 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java @@ -23,12 +23,15 @@ import static org.apache.sentry.policy.common.PolicyConstants.KV_JOINER; import java.lang.reflect.Constructor; import java.util.HashSet; import java.util.List; +import java.util.Map; import java.util.Set; import org.apache.hadoop.conf.Configuration; import org.apache.sentry.SentryUserException; import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.model.db.AccessConstants; +import org.apache.sentry.policy.common.KeyValue; +import org.apache.sentry.policy.common.PolicyConstants; import org.apache.sentry.provider.common.AuthorizationComponent; import org.apache.sentry.provider.db.SentryAccessDeniedException; import org.apache.sentry.provider.db.SentryAlreadyExistsException; 
@@ -40,6 +43,8 @@ import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject. import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer; import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory; import org.apache.sentry.provider.db.log.util.Constants; +import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege; +import org.apache.sentry.provider.db.service.model.MSentryRole; import org.apache.sentry.provider.db.service.persistent.CommitContext; import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants; import org.apache.sentry.provider.db.service.thrift.SentryConfigurationException; @@ -58,6 +63,7 @@ import com.google.common.base.Splitter; import com.google.common.base.Strings; import com.google.common.collect.ImmutableSet; import com.google.common.collect.Lists; +import com.google.common.collect.Maps; import com.google.common.collect.Sets; public class SentryGenericPolicyProcessor implements SentryGenericPolicyService.Iface { @@ -70,6 +76,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. private final NotificationHandlerInvoker handerInvoker; public static final String SENTRY_GENERIC_SERVICE_NAME = "SentryGenericPolicyService"; + private static final String ACCESS_DENIAL_MESSAGE = "Access denied to "; public SentryGenericPolicyProcessor(Configuration conf) throws Exception { this.store = createStore(conf); @@ -94,7 +101,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. String msg = "User: " + requestorUser + " is part of " + requestorGroups + " which does not, intersect admin groups " + adminGroups; LOGGER.warn(msg); - throw new SentryAccessDeniedException("Access denied to " + requestorUser); + throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + requestorUser); } } 
@@ -130,8 +137,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. public static SentryStoreLayer createStore(Configuration conf) throws SentryConfigurationException { SentryStoreLayer storeLayer = null; - String Store = conf.get(PolicyStoreConstants.SENTRY_GENERIC_POLICY_STORE, - PolicyStoreConstants.SENTRY_GENERIC_POLICY_STORE_DEFAULT); + String Store = conf.get(PolicyStoreConstants.SENTRY_GENERIC_POLICY_STORE, PolicyStoreConstants.SENTRY_GENERIC_POLICY_STORE_DEFAULT); if (Strings.isNullOrEmpty(Store)) { throw new SentryConfigurationException("the parameter configuration for sentry.generic.policy.store can't be empty"); @@ -245,6 +251,22 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. return tAuthorizables; } + private String fromAuthorizableToStr(List<? extends Authorizable> authorizables) { + if (authorizables != null && !authorizables.isEmpty()) { + List<String> privileges = Lists.newArrayList(); + + for (Authorizable authorizable : authorizables) { + + privileges.add(PolicyConstants.KV_JOINER.join(authorizable.getTypeName(), + authorizable.getName())); + } + + return PolicyConstants.AUTHORIZABLE_JOINER.join(privileges); + } else { + return ""; + } + } + private List<? extends Authorizable> toAuthorizables(List<TAuthorizable> tAuthorizables) { List<Authorizable> authorizables = Lists.newArrayList(); if (tAuthorizables == null) { 
@@ -265,6 +287,75 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. return authorizables; } + private List<? extends Authorizable> toAuthorizables(String privilegeStr) { + List<Authorizable> authorizables = Lists.newArrayList(); + if (privilegeStr == null) { + return authorizables; + } + + for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) { + KeyValue tempKV = new KeyValue(authorizable); + final String key = tempKV.getKey(); + final String value = tempKV.getValue(); + + authorizables.add(new Authorizable() { + @Override + public String getTypeName() { + return key; + } + + @Override + public String getName() { + return value; + } + }); + } + + return authorizables; + } + + // Construct the role to set of privileges mapping based on the + // MSentryGMPrivilege information. + private TSentryPrivilegeMap toTSentryPrivilegeMap(Set<MSentryGMPrivilege> mPrivileges) { + + // Mapping of <Role, Set<Privilege>>. + Map<String, Set<TSentryPrivilege>> tPrivilegeMap = Maps.newTreeMap(); + + for (MSentryGMPrivilege mPrivilege : mPrivileges) { + for (MSentryRole role : mPrivilege.getRoles()) { + + TSentryPrivilege tPrivilege = toTSentryPrivilege(mPrivilege); + + if (tPrivilegeMap.containsKey(role.getRoleName())) { + tPrivilegeMap.get(role.getRoleName()).add(tPrivilege); + } else { + Set<TSentryPrivilege> tPrivilegeSet = Sets.newTreeSet(); + tPrivilegeSet.add(tPrivilege); + tPrivilegeMap.put(role.getRoleName(), tPrivilegeSet); + } + } + } + + return new TSentryPrivilegeMap(tPrivilegeMap); + } + + // Construct TSentryPrivilege based on MSentryGMPrivilege information. 
+ private TSentryPrivilege toTSentryPrivilege(MSentryGMPrivilege mPrivilege) { + + TSentryPrivilege tPrivilege = new TSentryPrivilege(mPrivilege.getComponentName(), + mPrivilege.getServiceName(), fromAuthorizable(mPrivilege.getAuthorizables()), mPrivilege.getAction()); + + if (mPrivilege.getGrantOption() == null) { + tPrivilege.setGrantOption(TSentryGrantOption.UNSET); + } else if (mPrivilege.getGrantOption()) { + tPrivilege.setGrantOption(TSentryGrantOption.TRUE); + } else { + tPrivilege.setGrantOption(TSentryGrantOption.FALSE); + } + + return tPrivilege; + } + private Set<String> buildPermissions(Set<PrivilegeObject> privileges) { Set<String> permissions = Sets.newHashSet(); for (PrivilegeObject privilege : privileges) { @@ -353,9 +444,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. @Override public Response<Void> handle() throws Exception { validateClientVersion(request.getProtocol_version()); - CommitContext context = store.alterRoleGrantPrivilege(request.getComponent(), request.getRoleName(), - toPrivilegeObject(request.getPrivilege()), - request.getRequestorUserName()); + CommitContext context = store.alterRoleGrantPrivilege(request.getComponent(), request.getRoleName(), toPrivilegeObject(request.getPrivilege()), request.getRequestorUserName()); return new Response<Void>(Status.OK(), context); } }); @@ -383,9 +472,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. @Override public Response<Void> handle() throws Exception { validateClientVersion(request.getProtocol_version()); - CommitContext context = store.alterRoleRevokePrivilege(request.getComponent(), request.getRoleName(), - toPrivilegeObject(request.getPrivilege()), - request.getRequestorUserName()); + CommitContext context = store.alterRoleRevokePrivilege(request.getComponent(), request.getRoleName(), toPrivilegeObject(request.getPrivilege()), request.getRequestorUserName()); return new Response<Void>(Status.OK(), context); } }); 
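Review bot: `toTSentryPrivilegeMap` keys the response by every role in `mPrivilege.getRoles()`, not by the roles the requestor was allowed to query. If `getRoles()` returns all roles a privilege is attached to (the model class is not visible here), a non-admin whose active role shares a privilege with another role will receive that other role's name and privilege in the reply, which contradicts the Thrift comment that non-admin results are limited to the intersection of active and granted roles. Pass `validActiveRoles` in as a second parameter and skip the rest, e.g. `if (!validActiveRoles.contains(toTrimedLower(role.getRoleName()))) { continue; }` at the top of the inner loop. Separately, `toAuthorizables(String)` hands each client-supplied segment to `new KeyValue(authorizable)` unchecked; a malformed segment presumably throws and surfaces only as the generic runtime error, so an explicit format check with a clear message would help callers.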
@@ -415,9 +502,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(conf, request.getRequestorUserName())); - CommitContext context = store.alterRoleAddGroups( - request.getComponent(), request.getRoleName(), request.getGroups(), - request.getRequestorUserName()); + CommitContext context = store.alterRoleAddGroups(request.getComponent(), request.getRoleName(), request.getGroups(), request.getRequestorUserName()); return new Response<Void>(Status.OK(), context); } }); @@ -447,9 +532,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(conf, request.getRequestorUserName())); - CommitContext context = store.alterRoleDeleteGroups( - request.getComponent(), request.getRoleName(), request.getGroups(), - request.getRequestorUserName()); + CommitContext context = store.alterRoleDeleteGroups(request.getComponent(), request.getRoleName(), request.getGroups(), request.getRequestorUserName()); return new Response<Void>(Status.OK(), context); } }); @@ -483,7 +566,7 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. //Only admin users can list all roles in the system ( groupname = null) //Non admin users are only allowed to list only groups which they belong to if(!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) { - throw new SentryAccessDeniedException("Access denied to " + request.getRequestorUserName()); + throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + request.getRequestorUserName()); } groups.clear(); groups.add(request.getGroupName()); 
@@ -515,14 +598,13 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. if (!inAdminGroups(groups)) { Set<String> roleNamesForGroups = toTrimedLower(store.getRolesByGroups(request.getComponent(), groups)); if (!roleNamesForGroups.contains(toTrimedLower(request.getRoleName()))) { - throw new SentryAccessDeniedException("Access denied to " + request.getRequestorUserName()); + throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + request.getRequestorUserName()); } } Set<PrivilegeObject> privileges = store.getPrivilegesByProvider(request.getComponent(), request.getServiceName(), Sets.newHashSet(request.getRoleName()), - null, - toAuthorizables(request.getAuthorizables())); + null, toAuthorizables(request.getAuthorizables())); Set<TSentryPrivilege> tSentryPrivileges = Sets.newHashSet(); for (PrivilegeObject privilege : privileges) { tSentryPrivileges.add(fromPrivilegeObject(privilege)); @@ -547,9 +629,9 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. Set<String> roleNamesForGroups = store.getRolesByGroups(request.getComponent(), request.getGroups()); Set<String> rolesToQuery = request.getRoleSet().isAll() ? roleNamesForGroups : Sets.intersection(activeRoleNames, roleNamesForGroups); Set<PrivilegeObject> privileges = store.getPrivilegesByProvider(request.getComponent(), - request.getServiceName(), - rolesToQuery, null, - toAuthorizables(request.getAuthorizables())); + request.getServiceName(), + rolesToQuery, null, + toAuthorizables(request.getAuthorizables())); return new Response<Set<String>>(Status.OK(), buildPermissions(privileges)); } }); 
@@ -560,6 +642,97 @@ public class SentryGenericPolicyProcessor implements SentryGenericPolicyService. } @Override + public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(TListSentryPrivilegesByAuthRequest request) throws TException { + + TListSentryPrivilegesByAuthResponse response = new TListSentryPrivilegesByAuthResponse(); + Map<String, TSentryPrivilegeMap> authRoleMap = Maps.newHashMap(); + + // Group names are case sensitive. + Set<String> requestedGroups = request.getGroups(); + String subject = request.getRequestorUserName(); + TSentryActiveRoleSet activeRoleSet = request.getRoleSet(); + Set<String> validActiveRoles = Sets.newHashSet(); + + try { + validateClientVersion(request.getProtocol_version()); + Set<String> memberGroups = getRequestorGroups(conf, subject); + + // Disallow non-admin users to lookup groups that + // they are not part of. + if(!inAdminGroups(memberGroups)) { + + if (requestedGroups != null && !requestedGroups.isEmpty()) { + for (String requestedGroup : requestedGroups) { + + // If user doesn't belong to one of the requested groups, + // then raise security exception. + if (!memberGroups.contains(requestedGroup)) { + throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + subject); + } + } + } else { + // Non-admin's search is limited to its own groups. + requestedGroups = memberGroups; + } + + // Disallow non-admin to lookup roles that they are not part of + if (activeRoleSet != null && !activeRoleSet.isAll()) { + Set<String> grantedRoles = toTrimedLower(store.getRolesByGroups(request.getComponent(), requestedGroups)); + Set<String> activeRoleNames = toTrimedLower(activeRoleSet.getRoles()); + + for (String activeRole : activeRoleNames) { + if (!grantedRoles.contains(activeRole)) { + throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + + subject); + } + } + + // For non-admin, valid active roles are intersection of active roles and granted roles. + validActiveRoles.addAll(activeRoleSet.isAll() ? 
grantedRoles : Sets.intersection(activeRoleNames, grantedRoles)); + } + } else { + Set<String> allRoles = toTrimedLower(store.getAllRoleNames()); + Set<String> activeRoleNames = toTrimedLower(activeRoleSet.getRoles()); + + // For admin, if requestedGroups are empty, valid active roles are intersection of active roles and all roles. + // Otherwise, valid active roles are intersection of active roles and the roles of requestedGroups. + if (requestedGroups == null || requestedGroups.isEmpty()) { + validActiveRoles.addAll(activeRoleSet.isAll() ? allRoles : Sets.intersection(activeRoleNames, allRoles)); + } else { + Set<String> requestedRoles = toTrimedLower(store.getRolesByGroups(request.getComponent(), requestedGroups)); + validActiveRoles.addAll(activeRoleSet.isAll() ? allRoles : Sets.intersection(activeRoleNames, requestedRoles)); + } + } + + // If user is not part of any group.. return empty response + if (request.getAuthorizablesSet() != null) { + for (String authorizablesStr : request.getAuthorizablesSet()) { + + List<? 
extends Authorizable> authorizables = toAuthorizables(authorizablesStr); + Set<MSentryGMPrivilege> sentryPrivileges = store.getPrivilegesByAuthorizable(request.getComponent(), request.getServiceName(), validActiveRoles, authorizables); + authRoleMap.put(fromAuthorizableToStr(authorizables), toTSentryPrivilegeMap(sentryPrivileges)); + } + } + + response.setPrivilegesMapByAuth(authRoleMap); + response.setStatus(Status.OK()); + } catch (SentryAccessDeniedException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.AccessDenied(e.getMessage(), e)); + } catch (SentryThriftAPIMismatchException e) { + LOGGER.error(e.getMessage(), e); + response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); + } catch (Exception e) { + String msg = "Unknown error for request: " + request + ", message: " + + e.getMessage(); + LOGGER.error(msg, e); + response.setStatus(Status.RuntimeError(msg, e)); + } + + return response; + } + + @Override public TDropPrivilegesResponse drop_sentry_privilege( final TDropPrivilegesRequest request) throws TException { Response<Void> respose = requestHandle(new RequestHandler<Void>() { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c2597de/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java index ce57513..e52b6ef 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java 
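Review bot: The role resolution in `list_sentry_privileges_by_authorizable` has three problems. In the admin branch `activeRoleSet.getRoles()` is called unguarded although `roleSet` is optional in the Thrift struct and the client only sets it when non-null, so an admin request without a role set ends in a NullPointerException reported as a runtime error. In the non-admin branch `validActiveRoles` is filled only inside `if (activeRoleSet != null && !activeRoleSet.isAll())`, so a request for all roles (or with no role set) always yields empty privilege maps, and the `activeRoleSet.isAll() ? grantedRoles : …` ternary there can never take its first arm. For an admin who names groups, `isAll()` selects `allRoles` rather than `requestedRoles`, so the group filter described in the comment above it is ignored. The sketch below resolves the set once and treats an absent `roleSet` as "all", which is an assumption to confirm and to state in the `roleSet` comment of the `.thrift` hunk; the comment `// If user is not part of any group.. return empty response` also does not describe the loop it precedes.

```java
      // … unchanged: validateClientVersion, memberGroups lookup …
      // Assumption to confirm: an absent roleSet means "all roles".
      boolean allActive = activeRoleSet == null || activeRoleSet.isAll();
      Set<String> activeRoleNames = allActive
          ? Sets.<String>newHashSet() : toTrimedLower(activeRoleSet.getRoles());

      if (!inAdminGroups(memberGroups)) {
        // … unchanged: requested-group membership check, default to memberGroups …
        Set<String> grantedRoles = toTrimedLower(store.getRolesByGroups(request.getComponent(), requestedGroups));
        if (!grantedRoles.containsAll(activeRoleNames)) {
          throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + subject);
        }
        validActiveRoles.addAll(allActive ? grantedRoles : activeRoleNames);
      } else {
        Set<String> candidateRoles = (requestedGroups == null || requestedGroups.isEmpty())
            ? toTrimedLower(store.getAllRoleNames())
            : toTrimedLower(store.getRolesByGroups(request.getComponent(), requestedGroups));
        validActiveRoles.addAll(allActive ? candidateRoles : Sets.intersection(activeRoleNames, candidateRoles));
      }
      // … unchanged: per-authorizable lookup, response status handling …
```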
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java @@ -20,13 +20,11 @@ package org.apache.sentry.provider.db.generic.service.thrift; import java.io.IOException; import java.net.InetSocketAddress; import java.security.PrivilegedExceptionAction; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; +import java.util.*; import javax.security.auth.callback.CallbackHandler; +import com.google.common.collect.Sets; import org.apache.hadoop.conf.Configuration; import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION; import org.apache.hadoop.net.NetUtils; 
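Review bot: Replacing the four explicit `java.util` imports with `import java.util.*;` hides which types this client depends on and can make a later name ambiguous; keep the explicit list (`HashSet`, `List`, `Map`, `Set`). The new `com.google.common.collect.Sets` import also lands directly above the `org.apache.hadoop` imports; if the file groups its Guava imports elsewhere it belongs with them, but the rest of the import block is outside this hunk.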
@@ -539,6 +537,64 @@ public class SentryGenericServiceClientDefaultImpl implements SentryGenericServi } } + private List<TAuthorizable> fromAuthorizable(List<? extends Authorizable> authorizables) { + List<TAuthorizable> tAuthorizables = Lists.newArrayList(); + for (Authorizable authorizable : authorizables) { + tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName())); + } + return tAuthorizables; + } + + /** + * Get sentry privileges based on valid active roles and the authorize objects. Note that + * it is client responsibility to ensure the requestor username, etc. is not impersonated. + * + * @param component: The request respond to which component. + * @param serviceName: The name of service. + * @param requestorUserName: The requestor user name. + * @param authorizablesSet: The set of authorize objects. Represented as a string. e.g + * resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3. + * @param groups: The requested groups. + * @param roleSet: The active roles set. + * + * @returns The mapping of authorize objects and TSentryPrivilegeMap(<role, set<privileges>). + * @throws SentryUserException + */ + public Map<String, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(String component, + String serviceName, String requestorUserName, Set<List<? extends Authorizable>> authorizablesSet, + Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException { + + Set<List<TAuthorizable>> authSet = Sets.newHashSet(); + for (List<? 
extends Authorizable> authorizables : authorizablesSet) { + authSet.add(fromAuthorizable(authorizables)); + } + + TListSentryPrivilegesByAuthRequest request = new TListSentryPrivilegesByAuthRequest(); + + request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2); + request.setComponent(component); + request.setServiceName(serviceName); + request.setRequestorUserName(requestorUserName); + + if (groups == null) { + request.setGroups(new HashSet<String>()); + } else { + request.setGroups(groups); + } + + if (roleSet != null) { + request.setRoleSet(new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles())); + } + + try { + TListSentryPrivilegesByAuthResponse response = client.list_sentry_privileges_by_authorizable(request); + Status.throwIfNotOk(response.getStatus()); + return response.getPrivilegesMapByAuth(); + } catch (TException e) { + throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); + } + } + @Override public void close() { if (transport != null) { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c2597de/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java index 521d945..6a4d50d 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java 
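Review bot: `listPrivilegsbyAuthorizable` builds `authSet` but never puts it on the request, while `authorizablesSet` is a required `set<string>` field of `TListSentryPrivilegesByAuthRequest` in the Thrift definition, so as written the call should fail the required-field validation (or carry no authorizables) before the server can answer. The request needs the string form the Javadoc describes, not `List<TAuthorizable>`; the sketch below builds it with the same joiners the server's `fromAuthorizableToStr` uses, assuming `PolicyConstants` is available to this class, and then sets it on the request. With that change the new private `fromAuthorizable` helper is unused and can be dropped. The public method name is also misspelled; renaming it to `listPrivilegesByAuthorizable` now avoids carrying the typo in the client API.

```java
    Set<String> authSet = Sets.newHashSet();
    for (List<? extends Authorizable> authorizables : authorizablesSet) {
      List<String> parts = Lists.newArrayList();
      for (Authorizable authorizable : authorizables) {
        parts.add(PolicyConstants.KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
      }
      authSet.add(PolicyConstants.AUTHORIZABLE_JOINER.join(parts));
    }

    TListSentryPrivilegesByAuthRequest request = new TListSentryPrivilegesByAuthRequest();
    // … unchanged: protocol version, component, service name, requestor, groups, role set …
    request.setAuthorizablesSet(authSet);
```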
@@ -2069,6 +2069,29 @@ public class SentryStore { } } + // Get the all exist role names, will return an empty set + // if no role names exist. + public Set<String> getAllRoleNames() { + + boolean rollbackTransaction = true; + PersistenceManager pm = null; + + try { + pm = openTransaction(); + + Set<String> existRoleNames = getAllRoleNames(pm); + + commitTransaction(pm); + rollbackTransaction = false; + + return existRoleNames; + } finally { + if (rollbackTransaction) { + rollbackTransaction(pm); + } + } + } + // get the all exist role names private Set<String> getAllRoleNames(PersistenceManager pm) { Query query = pm.newQuery(MSentryRole.class); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c2597de/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift index 91ff672..db107bf 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_generic_policy_service.thrift @@ -195,6 +195,7 @@ struct TSentryActiveRoleSet { 1: required bool all, 2: required set<string> roles, } + struct TListSentryPrivilegesForProviderRequest { 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, 2: required string component, # The request is issued to which component 
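Review bot: The new public `getAllRoleNames()` returns every role name in the store with no requestor argument and no access check, so the only protection is at the call site; in this commit the processor calls it only on the admin branch. That expectation should be written on the method as Javadoc instead of the `//` comment, for example `/** Returns all role names, or an empty set if none exist. Performs no authorization; callers must restrict this to admin requestors. */`. If `openTransaction()` throws, `pm` is still null when `rollbackTransaction(pm)` runs in `finally`; whether that helper tolerates null is not visible in this hunk.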
@@ -203,11 +204,56 @@ struct TListSentryPrivilegesForProviderRequest { 5: required TSentryActiveRoleSet roleSet, 6: optional list<TAuthorizable> authorizables # authorizable hierarchys } + struct TListSentryPrivilegesForProviderResponse { 1: required TSentryResponseStatus status 2: required set<string> privileges } +# Map of role:set<privileges> for the given authorizable +# Optionally use the set of groups to filter the roles +struct TSentryPrivilegeMap { +1: required map<string, set<TSentryPrivilege>> privilegeMap +} + +struct TListSentryPrivilegesByAuthRequest { +1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2, + +# User on whose behalf the request is issued +2: required string requestorUserName, + +# The request is issued to which component +3: required string component, + +# The privilege belongs to which service +4: required string serviceName, + +# The authorizable hierarchys, it is represented as a string. e.g +# resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3 +5: required set<string> authorizablesSet, + +# The requested groups. For admin, the requested groups can be empty, if so it is +# treated as a wildcard query. Otherwise, it is a query on this specifc groups. +# For non-admin user, the requested groups must be the groups they are part of. +6: optional set<string> groups, + +# The active role set. +7: optional TSentryActiveRoleSet roleSet +} + +struct TListSentryPrivilegesByAuthResponse { +1: required sentry_common_service.TSentryResponseStatus status, + +# Will not be set in case of an error. Otherwise it will be a +# <Authorizables, <Role, Set<Privileges>>> mapping. For non-admin +# requestor, the roles are intersection of active roles and granted roles. +# For admin requestor, the roles are filtered based on the active roles +# and requested group from TListSentryPrivilegesByAuthRequest. +# The authorizable hierarchys is represented as a string in the form +# of the request. 
+2: optional map<string, TSentryPrivilegeMap> privilegesMapByAuth +} + service SentryGenericPolicyService { TCreateSentryRoleResponse create_sentry_role(1:TCreateSentryRoleRequest request) @@ -225,6 +271,8 @@ service SentryGenericPolicyService TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request) + TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(1:TListSentryPrivilegesByAuthRequest request); + TDropPrivilegesResponse drop_sentry_privilege(1:TDropPrivilegesRequest request); TRenamePrivilegesResponse rename_sentry_privilege(1:TRenamePrivilegesRequest request); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c2597de/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java index 189eabb..6b3a5e2 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java 
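Review bot: The comment on field 6 of `TListSentryPrivilegesByAuthRequest` says a non-admin's requested groups "must be the groups they are part of", but nothing here states what the server does when they are not, or when a non-admin omits `groups` altogether (the wildcard case is defined only for admins). Because `requestorUserName`, `groups` and `roleSet` are all caller-supplied, the contract should say that membership is resolved on the server and name the outcome, for example `# For a non-admin, groups the requestor is not a member of are rejected; membership is resolved server-side.`, with the actual behaviour (reject or intersect) confirmed against the processor. Separately, field 5 encodes the hierarchy as `type=name->type=name` with no stated escaping, so it would help to document whether resource names may contain `=` or `->`.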
@@ -952,4 +952,60 @@ public class TestPrivilegeOperatePersistence extends SentryStoreIntegrationBase sentryStore.getPrivilegesByProvider(SEARCH, service1, Sets.newHashSet(roleName1,roleName2), Sets.newHashSet(group), authorizables)); } + + @Test + public void testGetPrivilegesByAuthorizable() throws Exception { + String roleName1 = "r1"; + String roleName2 = "r2"; + String roleName3 = "r3"; + String grantor = ADMIN_USER; + + String service1 = "service1"; + + PrivilegeObject queryPrivilege1 = new Builder() + .setComponent(SEARCH) + .setAction(SearchConstants.QUERY) + .setService(service1) + .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) + .build(); + + PrivilegeObject updatePrivilege1 = new Builder() + .setComponent(SEARCH) + .setAction(SearchConstants.UPDATE) + .setService(service1) + .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))) + .build(); + + PrivilegeObject queryPrivilege2 = new Builder() + .setComponent(SEARCH) + .setAction(SearchConstants.QUERY) + .setService(service1) + .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME))) + .build(); + + PrivilegeObject updatePrivilege2 = new Builder() + .setComponent(SEARCH) + .setAction(SearchConstants.UPDATE) + .setService(service1) + .setAuthorizables(Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))) + .build(); + + sentryStore.createRole(SEARCH, roleName1, grantor); + sentryStore.createRole(SEARCH, roleName2, grantor); + sentryStore.createRole(SEARCH, roleName3, grantor); + + sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, queryPrivilege1, grantor); + sentryStore.alterRoleGrantPrivilege(SEARCH, roleName1, updatePrivilege1, grantor); + sentryStore.alterRoleGrantPrivilege(SEARCH, roleName2, queryPrivilege2, grantor); + sentryStore.alterRoleGrantPrivilege(SEARCH, roleName3, updatePrivilege2, grantor); + + assertEquals(0, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, null, + Arrays.asList(new 
Collection(COLLECTION_NAME), new Field(FIELD_NAME))).size()); + assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, + Sets.newHashSet(roleName1), null).size()); + assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, + Sets.newHashSet(roleName1,roleName2), null).size()); + assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, + Sets.newHashSet(roleName1,roleName2, roleName3), null).size()); + } } http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c2597de/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java index b86c6b2..6821cf9 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java @@ -25,11 +25,9 @@ import static org.mockito.Matchers.anyString; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Set; -import java.util.UUID; +import java.util.*; +import com.google.common.collect.Lists; import org.apache.hadoop.conf.Configuration; import org.apache.sentry.core.common.Authorizable; import org.apache.sentry.core.model.search.Collection; 
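Review bot: The three role-set assertions in `testGetPrivilegesByAuthorizable` all expect 2, so they pass whether or not `roleName2` and `roleName3` are consulted at all, since `queryPrivilege2` and `updatePrivilege2` are built identically to the objects granted to `roleName1`. No assertion passes a role set together with an authorizable list either, which appears to be the combination the new by-authorizable listing depends on. Adding a single-role case such as `assertEquals(1, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, Sets.newHashSet(roleName3), null).size());` (expected count inferred from the grants above), plus one with both arguments non-null, would make the role filter observable. A short comment on the first assertion noting that a null role set is expected to yield no privileges would record that this fail-closed result is intentional.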
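Review bot: `import java.util.*;` replaces four explicit imports in a file that also imports `org.apache.sentry.core.model.search.Collection`, so `Collection` now has two candidate meanings for a reader even though the single-type import takes precedence for the compiler. Keeping the explicit list (`ArrayList`, `Arrays`, `Set`, `UUID`, plus whatever the new test code needs) avoids that ambiguity. The added `com.google.common.collect.Lists` import is not used in any hunk visible here, so it is worth checking that it is needed.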
@@ -43,7 +41,8 @@ import org.apache.sentry.provider.db.SentryNoSuchObjectException; import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject; import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer; import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor; +import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege; +import org.apache.sentry.provider.db.service.model.MSentryRole; import org.apache.sentry.provider.db.service.persistent.CommitContext; import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants; import org.apache.sentry.provider.db.service.thrift.SentryConfigurationException; @@ -254,6 +253,13 @@ public class TestSentryGenericPolicyProcessor { .setAction(SearchConstants.UPDATE) .build(); + MSentryGMPrivilege mSentryGMPrivilege = new MSentryGMPrivilege("SOLR", "service1", + Arrays.asList(new Collection("c1"), new Field("f1")), + SearchConstants.QUERY, true); + + MSentryRole role = new MSentryRole("r1", 290); + mSentryGMPrivilege.setRoles(Sets.newHashSet(role)); + when(mockStore.getRolesByGroups(anyString(), anySetOf(String.class))) .thenReturn(Sets.newHashSet(roleName)); @@ -264,6 +270,12 @@ public class TestSentryGenericPolicyProcessor { when(mockStore.getGroupsByRoles(anyString(), anySetOf(String.class))) .thenReturn(Sets.newHashSet(groupName)); + when(mockStore.getPrivilegesByAuthorizable(anyString(), anyString(), anySetOf(String.class), anyListOf(Authorizable.class))) + .thenReturn(Sets.newHashSet(mSentryGMPrivilege)); + + when(mockStore.getAllRoleNames()) + .thenReturn(Sets.newHashSet(roleName)); + TListSentryPrivilegesRequest request1 = new TListSentryPrivilegesRequest(); request1.setRoleName(roleName); request1.setRequestorUserName(ADMIN_USER); 
@@ -284,6 +296,18 @@ public class TestSentryGenericPolicyProcessor { TListSentryPrivilegesForProviderResponse response3 = processor.list_sentry_privileges_for_provider(request3); assertEquals(Status.OK, fromTSentryStatus(response3.getStatus())); assertEquals(2, response3.getPrivileges().size()); + + TListSentryPrivilegesByAuthRequest request4 = new TListSentryPrivilegesByAuthRequest(); + request4.setGroups(Sets.newHashSet(groupName)); + request4.setRoleSet(new TSentryActiveRoleSet(true, null)); + request4.setRequestorUserName(ADMIN_USER); + + Set<String> authorizablesSet = Sets.newHashSet("Collection=c1->Field=f1"); + request4.setAuthorizablesSet(authorizablesSet); + + TListSentryPrivilegesByAuthResponse response4 = processor.list_sentry_privileges_by_authorizable(request4); + assertEquals(Status.OK, fromTSentryStatus(response4.getStatus())); + assertEquals(1, response4.getPrivilegesMapByAuth().size()); } @Test(expected=SentryConfigurationException.class)
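Review bot: `request4` exercises `list_sentry_privileges_by_authorizable` only as `ADMIN_USER` with an all-roles `TSentryActiveRoleSet`, so this test does not cover the non-admin path. That is the path where the Thrift comments say the requested groups must be the requestor's own and roles are intersected with granted roles. A second request from a non-admin user asking for a group they do not belong to, with an assertion on the returned status or on an empty map, would pin that access-control behaviour. The request also leaves the `required` fields `component` and `serviceName` unset, which presumably works only because the processor is called directly and the store mock matches `anyString()`; setting them, e.g. `request4.setComponent("SOLR"); request4.setServiceName("service1");`, keeps the test closer to what a real client must send. The enclosing test method begins outside this hunk.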
