Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 026E7200B5C for ; Mon, 27 Jun 2016 03:27:27 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 00A49160A6D; Mon, 27 Jun 2016 01:27:27 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 9A5F2160A6E for ; Mon, 27 Jun 2016 03:27:24 +0200 (CEST) Received: (qmail 94514 invoked by uid 500); 27 Jun 2016 01:27:23 -0000 Mailing-List: contact commits-help@sentry.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@sentry.apache.org Delivered-To: mailing list commits@sentry.apache.org Received: (qmail 94337 invoked by uid 99); 27 Jun 2016 01:27:23 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 27 Jun 2016 01:27:23 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 61001E2EF2; Mon, 27 Jun 2016 01:27:23 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: colin@apache.org To: commits@sentry.apache.org Date: Mon, 27 Jun 2016 01:27:27 -0000 Message-Id: <6abf6b8c03694c3d96e153d59aac2f88@git.apache.org> In-Reply-To: <174d7c8f381e4b85952fd6fe334e08a7@git.apache.org> References: <174d7c8f381e4b85952fd6fe334e08a7@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [5/6] sentry git commit: SENTRY-1288: Create sentry-service-client module(Colin Ma, reviewed by Dapeng Sun) archived-at: Mon, 27 Jun 2016 01:27:27 -0000 http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java deleted file mode 100644 index e824fb3..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/Command.java +++ /dev/null @@ -1,27 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.tools.command; - -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; - -/** - * The interface for all admin commands, eg, CreateRoleCmd. - */ -public interface Command { - void execute(SentryGenericServiceClient client, String requestorName) throws Exception; -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java deleted file mode 100644 index da60a64..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/CreateRoleCmd.java +++ /dev/null @@ -1,39 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.tools.command; - -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; - -/** - * The class for admin command to create role. - */ -public class CreateRoleCmd implements Command { - - private String roleName; - private String component; - - public CreateRoleCmd(String roleName, String component) { - this.roleName = roleName; - this.component = component; - } - - @Override - public void execute(SentryGenericServiceClient client, String requestorName) throws Exception { - client.createRole(requestorName, roleName, component); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java deleted file mode 100644 index 95f39ea..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DeleteRoleFromGroupCmd.java +++ /dev/null @@ -1,46 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.tools.command; - -import com.google.common.collect.Sets; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; -import org.apache.sentry.provider.db.tools.SentryShellCommon; - -import java.util.Set; - -/** - * Command for deleting groups from a role. - */ -public class DeleteRoleFromGroupCmd implements Command { - - private String roleName; - private String groups; - private String component; - - public DeleteRoleFromGroupCmd(String roleName, String groups, String component) { - this.groups = groups; - this.roleName = roleName; - this.component = component; - } - - @Override - public void execute(SentryGenericServiceClient client, String requestorName) throws Exception { - Set groupSet = Sets.newHashSet(groups.split(SentryShellCommon.GROUP_SPLIT_CHAR)); - client.deleteRoleToGroups(requestorName, roleName, component, groupSet); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DropRoleCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DropRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DropRoleCmd.java deleted file mode 100644 index ac2a328..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/DropRoleCmd.java +++ /dev/null @@ -1,39 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.tools.command; - -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; - -/** - * The class for admin command to drop role. - */ -public class DropRoleCmd implements Command { - - private String roleName; - private String component; - - public DropRoleCmd(String roleName, String component) { - this.roleName = roleName; - this.component = component; - } - - @Override - public void execute(SentryGenericServiceClient client, String requestorName) throws Exception { - client.dropRole(requestorName, roleName, component); - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GrantPrivilegeToRoleCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GrantPrivilegeToRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GrantPrivilegeToRoleCmd.java deleted file mode 100644 index 634bb42..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/GrantPrivilegeToRoleCmd.java +++ /dev/null @@ -1,47 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.tools.command; - -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; - -/** - * The class for admin command to grant privilege to role. - */ -public class GrantPrivilegeToRoleCmd implements Command { - - private String roleName; - private String component; - private String privilegeStr; - private TSentryPrivilegeConverter converter; - - public GrantPrivilegeToRoleCmd(String roleName, String component, String privilegeStr, - TSentryPrivilegeConverter converter) { - this.roleName = roleName; - this.component = component; - this.privilegeStr = privilegeStr; - this.converter = converter; - } - - @Override - public void execute(SentryGenericServiceClient client, String requestorName) throws Exception { - TSentryPrivilege privilege = converter.fromString(privilegeStr); - client.grantPrivilege(requestorName, roleName, component, privilege); - - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListPrivilegesByRoleCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListPrivilegesByRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListPrivilegesByRoleCmd.java deleted file mode 100644 index ce6db3a..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListPrivilegesByRoleCmd.java +++ /dev/null @@ -1,54 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.tools.command; - -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; - -import java.util.Set; - -/** - * The class for admin command to list privileges by role. - */ -public class ListPrivilegesByRoleCmd implements Command { - - private String roleName; - private String component; - private String serviceName; - private TSentryPrivilegeConverter converter; - - public ListPrivilegesByRoleCmd(String roleName, String component, String serviceName, - TSentryPrivilegeConverter converter) { - this.roleName = roleName; - this.component = component; - this.serviceName = serviceName; - this.converter = converter; - } - - @Override - public void execute(SentryGenericServiceClient client, String requestorName) throws Exception { - Set privileges = client - .listPrivilegesByRoleName(requestorName, roleName, component, serviceName); - if (privileges != null) { - for (TSentryPrivilege privilege : privileges) { - String privilegeStr = converter.toString(privilege); - System.out.println(privilegeStr); - } - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListRolesCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListRolesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListRolesCmd.java deleted file mode 100644 index 6b68d06..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/ListRolesCmd.java +++ /dev/null @@ -1,53 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.tools.command; - -import org.apache.commons.lang.StringUtils; -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole; - -import java.util.Set; - -/** - * The class for admin command to list roles. - */ -public class ListRolesCmd implements Command { - - private String groupName; - private String component; - - public ListRolesCmd(String groupName, String component) { - this.groupName = groupName; - this.component = component; - } - - @Override - public void execute(SentryGenericServiceClient client, String requestorName) throws Exception { - Set roles; - if (StringUtils.isEmpty(groupName)) { - roles = client.listAllRoles(requestorName, component); - } else { - roles = client.listRolesByGroupName(requestorName, groupName, component); - } - if (roles != null) { - for (TSentryRole role : roles) { - System.out.println(role.getRoleName()); - } - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/RevokePrivilegeFromRoleCmd.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/RevokePrivilegeFromRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/RevokePrivilegeFromRoleCmd.java deleted file mode 100644 index 3e42e60..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/RevokePrivilegeFromRoleCmd.java +++ /dev/null @@ -1,47 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.tools.command; - -import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; -import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; - -/** - * The class for admin command to revoke privileges from role. - */ -public class RevokePrivilegeFromRoleCmd implements Command { - - private String roleName; - private String component; - private String privilegeStr; - private TSentryPrivilegeConverter converter; - - public RevokePrivilegeFromRoleCmd(String roleName, String component, String privilegeStr, - TSentryPrivilegeConverter converter) { - this.roleName = roleName; - this.component = component; - this.privilegeStr = privilegeStr; - this.converter = converter; - } - - @Override - public void execute(SentryGenericServiceClient client, String requestorName) throws Exception { - TSentryPrivilege privilege = converter.fromString(privilegeStr); - client.revokePrivilege(requestorName, roleName, component, privilege); - } - -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java deleted file mode 100644 index ab44895..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/command/TSentryPrivilegeConverter.java +++ /dev/null @@ -1,33 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.sentry.provider.db.generic.tools.command; - -import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; - -public interface TSentryPrivilegeConverter { - - /** - * Convert string to privilege - */ - TSentryPrivilege fromString(String privilegeStr) throws Exception; - - /** - * Convert privilege to string - */ - String toString(TSentryPrivilege tSentryPrivilege); -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceManager.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceManager.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceManager.java deleted file mode 100644 index 9f921d4..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/ServiceManager.java +++ /dev/null @@ -1,97 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.service.persistent; - -import java.io.IOException; -import java.net.InetSocketAddress; - -import org.apache.curator.x.discovery.ServiceDiscovery; -import org.apache.curator.x.discovery.ServiceDiscoveryBuilder; -import org.apache.curator.x.discovery.ServiceInstance; -import org.apache.curator.x.discovery.ServiceProvider; -import org.apache.curator.x.discovery.details.InstanceSerializer; -import org.apache.hadoop.net.NetUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -/*** - * ServerManager handles registration of the Sentry service for Curator service - * discovery. Each server registers with ZK and add its host:port details which - * is used by the clients to discover available servers - */ -public class ServiceManager { - private static final Logger LOGGER = LoggerFactory - .getLogger(ServiceManager.class); - private HAContext haContext; - private ServiceProvider serviceProvider; - private ServiceDiscovery serviceDiscovery; - - public ServiceManager(HAContext haContext) throws IOException { - this.haContext = haContext; - init(); - } - - private void init() throws IOException { - try { - haContext.startCuratorFramework(); - InstanceSerializer instanceSerializer = new FixedJsonInstanceSerializer(Void.class); - serviceDiscovery = ServiceDiscoveryBuilder.builder(Void.class) - .basePath(HAContext.SENTRY_SERVICE_REGISTER_NAMESPACE) - .serializer(instanceSerializer) - .client(haContext.getCuratorFramework()) - .build(); - serviceDiscovery.start(); - serviceProvider = serviceDiscovery - .serviceProviderBuilder() - .serviceName(HAContext.SENTRY_SERVICE_REGISTER_NAMESPACE) - .build(); - serviceProvider.start(); - } catch (Exception e) { - throw new IOException(e); - } - } - - public ServiceInstance getServiceInstance() throws IOException { - ServiceInstance service; - try { - service = serviceProvider.getInstance(); - return service; - } catch (Exception e) { - throw new IOException(e); - } - } - - public void reportError(ServiceInstance instance) { - serviceProvider.noteError(instance); - } - - public static InetSocketAddress convertServiceInstance(ServiceInstance service) { - return NetUtils.createSocketAddr(service.getAddress(),service.getPort()); - } - - public void close() { - try { - serviceProvider.close(); - serviceDiscovery.close(); - LOGGER.debug("Closed ZK resources"); - } catch (IOException e) { - LOGGER.warn("Error closing the service manager", e); - } - } -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java deleted file mode 100644 index 1e72b74..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java +++ /dev/null @@ -1,207 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.service.thrift; - -import java.util.List; -import java.util.Map; -import java.util.Set; - -import org.apache.sentry.core.common.exception.SentryUserException; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.core.common.Authorizable; - -public interface SentryPolicyServiceClient { - - void createRole(String requestorUserName, String roleName) throws SentryUserException; - - void dropRole(String requestorUserName, String roleName) throws SentryUserException; - - void dropRoleIfExists(String requestorUserName, String roleName) - throws SentryUserException; - - Set listRolesByUserName(String requestorUserName, String userName) - throws SentryUserException; - - Set listRolesByGroupName(String requestorUserName, String groupName) - throws SentryUserException; - - Set listAllPrivilegesByRoleName(String requestorUserName, String roleName) - throws SentryUserException; - - /** - * Gets sentry privilege objects for a given roleName using the Sentry service - * - * @param requestorUserName : user on whose behalf the request is issued - * @param roleName : roleName to look up - * @param authorizable : authorizable Hierarchy (server->db->table etc) - * @return Set of thrift sentry privilege objects - * @throws SentryUserException - */ - Set listPrivilegesByRoleName(String requestorUserName, String roleName, - List authorizable) throws SentryUserException; - - Set listRoles(String requestorUserName) throws SentryUserException; - - Set listUserRoles(String requestorUserName) throws SentryUserException; - - TSentryPrivilege grantURIPrivilege(String requestorUserName, String roleName, - String server, String uri) throws SentryUserException; - - TSentryPrivilege grantURIPrivilege(String requestorUserName, String roleName, - String server, String uri, Boolean grantOption) throws SentryUserException; - - void grantServerPrivilege(String requestorUserName, String roleName, String server, - String action) throws SentryUserException; - - TSentryPrivilege grantServerPrivilege(String requestorUserName, String roleName, - String server, Boolean grantOption) throws SentryUserException; - - TSentryPrivilege grantServerPrivilege(String requestorUserName, String roleName, - String server, String action, Boolean grantOption) throws SentryUserException; - - TSentryPrivilege grantDatabasePrivilege(String requestorUserName, String roleName, - String server, String db, String action) throws SentryUserException; - - TSentryPrivilege grantDatabasePrivilege(String requestorUserName, String roleName, - String server, String db, String action, Boolean grantOption) throws SentryUserException; - - TSentryPrivilege grantTablePrivilege(String requestorUserName, String roleName, - String server, String db, String table, String action) throws SentryUserException; - - TSentryPrivilege grantTablePrivilege(String requestorUserName, String roleName, - String server, String db, String table, String action, Boolean grantOption) - throws SentryUserException; - - TSentryPrivilege grantColumnPrivilege(String requestorUserName, String roleName, - String server, String db, String table, String columnName, String action) - throws SentryUserException; - - TSentryPrivilege grantColumnPrivilege(String requestorUserName, String roleName, - String server, String db, String table, String columnName, String action, Boolean grantOption) - throws SentryUserException; - - Set grantColumnsPrivileges(String requestorUserName, String roleName, - String server, String db, String table, List columnNames, String action) - throws SentryUserException; - - Set grantColumnsPrivileges(String requestorUserName, String roleName, - String server, String db, String table, List columnNames, String action, - Boolean grantOption) throws SentryUserException; - - void revokeURIPrivilege(String requestorUserName, String roleName, String server, - String uri) throws SentryUserException; - - void revokeURIPrivilege(String requestorUserName, String roleName, String server, - String uri, Boolean grantOption) throws SentryUserException; - - void revokeServerPrivilege(String requestorUserName, String roleName, String server, - String action) throws SentryUserException; - - void revokeServerPrivilege(String requestorUserName, String roleName, String server, - String action, Boolean grantOption) throws SentryUserException; - - void revokeServerPrivilege(String requestorUserName, String roleName, String server, - boolean grantOption) throws SentryUserException; - - void revokeDatabasePrivilege(String requestorUserName, String roleName, String server, - String db, String action) throws SentryUserException; - - void revokeDatabasePrivilege(String requestorUserName, String roleName, String server, - String db, String action, Boolean grantOption) throws SentryUserException; - - void revokeTablePrivilege(String requestorUserName, String roleName, String server, - String db, String table, String action) throws SentryUserException; - - void revokeTablePrivilege(String requestorUserName, String roleName, String server, - String db, String table, String action, Boolean grantOption) throws SentryUserException; - - void revokeColumnPrivilege(String requestorUserName, String roleName, String server, - String db, String table, String columnName, String action) throws SentryUserException; - - void revokeColumnPrivilege(String requestorUserName, String roleName, String server, - String db, String table, String columnName, String action, Boolean grantOption) - throws SentryUserException; - - void revokeColumnsPrivilege(String requestorUserName, String roleName, String server, - String db, String table, List columns, String action) throws SentryUserException; - - void revokeColumnsPrivilege(String requestorUserName, String roleName, String server, - String db, String table, List columns, String action, Boolean grantOption) - throws SentryUserException; - - Set listPrivilegesForProvider(Set groups, Set users, - ActiveRoleSet roleSet, Authorizable... authorizable) throws SentryUserException; - - void grantRoleToGroup(String requestorUserName, String groupName, String roleName) - throws SentryUserException; - - void revokeRoleFromGroup(String requestorUserName, String groupName, String roleName) - throws SentryUserException; - - void grantRoleToGroups(String requestorUserName, String roleName, Set groups) - throws SentryUserException; - - void revokeRoleFromGroups(String requestorUserName, String roleName, Set groups) - throws SentryUserException; - - void grantRoleToUser(String requestorUserName, String userName, String roleName) - throws SentryUserException; - - void revokeRoleFromUser(String requestorUserName, String userName, String roleName) - throws SentryUserException; - - void grantRoleToUsers(String requestorUserName, String roleName, Set users) - throws SentryUserException; - - void revokeRoleFromUsers(String requestorUserName, String roleName, Set users) - throws SentryUserException; - - void dropPrivileges(String requestorUserName, - List authorizableObjects) throws SentryUserException; - - void renamePrivileges(String requestorUserName, - List oldAuthorizables, List newAuthorizables) - throws SentryUserException; - - Map listPrivilegsbyAuthorizable( - String requestorUserName, Set> authorizables, - Set groups, ActiveRoleSet roleSet) throws SentryUserException; - - /** - * Returns the configuration value in the sentry server associated with propertyName, or if - * propertyName does not exist, the defaultValue. There is no "requestorUserName" because this is - * regarded as an internal interface. - * - * @param propertyName Config attribute to search for - * @param defaultValue String to return if not found - * @return The value of the propertyName - * @throws SentryUserException - */ - String getConfigValue(String propertyName, String defaultValue) throws SentryUserException; - - void close(); - - // Import the sentry mapping data with map structure - void importPolicy(Map>> policyFileMappingData, - String requestorUserName, boolean isOverwriteRole) throws SentryUserException; - - // export the sentry mapping data with map structure - Map>> exportPolicy(String requestorUserName, String objectPath) - throws SentryUserException; -} http://git-wip-us.apache.org/repos/asf/sentry/blob/01875092/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java deleted file mode 100644 index ffa461a..0000000 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java +++ /dev/null @@ -1,1051 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.sentry.provider.db.service.thrift; - -import java.io.IOException; -import java.net.InetSocketAddress; -import java.security.PrivilegedExceptionAction; -import java.util.List; -import java.util.Map; -import java.util.Set; - -import javax.security.auth.callback.CallbackHandler; - -import org.apache.commons.lang.StringUtils; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.net.NetUtils; -import org.apache.hadoop.security.SaslRpcServer; -import org.apache.hadoop.security.SaslRpcServer.AuthMethod; -import org.apache.hadoop.security.SecurityUtil; -import org.apache.hadoop.security.UserGroupInformation; -import org.apache.sentry.core.common.exception.SentryUserException; -import org.apache.sentry.core.common.ActiveRoleSet; -import org.apache.sentry.core.common.Authorizable; -import org.apache.sentry.core.model.db.AccessConstants; -import org.apache.sentry.core.model.db.DBModelAuthorizable; -import org.apache.sentry.core.common.utils.PolicyFileConstants; -import org.apache.sentry.service.thrift.SentryServiceUtil; -import org.apache.sentry.service.thrift.ServiceConstants; -import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig; -import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope; -import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig; -import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants; -import org.apache.sentry.service.thrift.Status; -import org.apache.thrift.TException; -import org.apache.thrift.protocol.TBinaryProtocol; -import org.apache.thrift.protocol.TMultiplexedProtocol; -import org.apache.thrift.transport.TSaslClientTransport; -import org.apache.thrift.transport.TSocket; -import org.apache.thrift.transport.TTransport; -import org.apache.thrift.transport.TTransportException; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.google.common.annotations.VisibleForTesting; -import com.google.common.base.Preconditions; -import com.google.common.collect.ImmutableList; -import com.google.common.collect.ImmutableSet; -import com.google.common.collect.Lists; -import com.google.common.collect.Maps; -import com.google.common.collect.Sets; - -/* - A Sentry Client in which all the operations are synchronized for thread safety - Note: When using this client, if there is an exception in RPC, socket can get into an inconsistent state. - So it is important to recreate the client, which uses a new socket. - */ -public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyServiceClient { - - private final Configuration conf; - private final InetSocketAddress serverAddress; - private final boolean kerberos; - private final String[] serverPrincipalParts; - private SentryPolicyService.Client client; - private TTransport transport; - private int connectionTimeout; - private static final Logger LOGGER = LoggerFactory - .getLogger(SentryPolicyServiceClient.class); - private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occurred "; - - /** - * This transport wraps the Sasl transports to set up the right UGI context for open(). - */ - public static class UgiSaslClientTransport extends TSaslClientTransport { - protected UserGroupInformation ugi = null; - - public UgiSaslClientTransport(String mechanism, String authorizationId, - String protocol, String serverName, Map props, - CallbackHandler cbh, TTransport transport, boolean wrapUgi) - throws IOException { - super(mechanism, authorizationId, protocol, serverName, props, cbh, - transport); - if (wrapUgi) { - ugi = UserGroupInformation.getLoginUser(); - } - } - - // open the SASL transport with using the current UserGroupInformation - // This is needed to get the current login context stored - @Override - public synchronized void open() throws TTransportException { - if (ugi == null) { - baseOpen(); - } else { - try { - if (ugi.isFromKeytab()) { - ugi.checkTGTAndReloginFromKeytab(); - } - ugi.doAs(new PrivilegedExceptionAction() { - public Void run() throws TTransportException { - baseOpen(); - return null; - } - }); - } catch (IOException e) { - throw new TTransportException("Failed to open SASL transport", e); - } catch (InterruptedException e) { - throw new TTransportException( - "Interrupted while opening underlying transport", e); - } - } - } - - private void baseOpen() throws TTransportException { - super.open(); - } - } - - public SentryPolicyServiceClientDefaultImpl(Configuration conf) throws IOException { - this.conf = conf; - Preconditions.checkNotNull(this.conf, "Configuration object cannot be null"); - this.serverAddress = NetUtils.createSocketAddr(Preconditions.checkNotNull( - conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key " - + ClientConfig.SERVER_RPC_ADDRESS + " is required"), conf.getInt( - ClientConfig.SERVER_RPC_PORT, ClientConfig.SERVER_RPC_PORT_DEFAULT)); - this.connectionTimeout = conf.getInt(ClientConfig.SERVER_RPC_CONN_TIMEOUT, - ClientConfig.SERVER_RPC_CONN_TIMEOUT_DEFAULT); - kerberos = ServerConfig.SECURITY_MODE_KERBEROS.equalsIgnoreCase( - conf.get(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_KERBEROS).trim()); - transport = new TSocket(serverAddress.getHostName(), - serverAddress.getPort(), connectionTimeout); - if (kerberos) { - String serverPrincipal = Preconditions.checkNotNull(conf.get(ServerConfig.PRINCIPAL), ServerConfig.PRINCIPAL + " is required"); - - // Resolve server host in the same way as we are doing on server side - serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, serverAddress.getAddress()); - LOGGER.debug("Using server kerberos principal: " + serverPrincipal); - - serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal); - Preconditions.checkArgument(serverPrincipalParts.length == 3, - "Kerberos principal should have 3 parts: " + serverPrincipal); - boolean wrapUgi = "true".equalsIgnoreCase(conf - .get(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true")); - transport = new UgiSaslClientTransport(AuthMethod.KERBEROS.getMechanismName(), - null, serverPrincipalParts[0], serverPrincipalParts[1], - ClientConfig.SASL_PROPERTIES, null, transport, wrapUgi); - } else { - serverPrincipalParts = null; - } - try { - transport.open(); - } catch (TTransportException e) { - throw new IOException("Transport exception while opening transport: " + e.getMessage(), e); - } - LOGGER.debug("Successfully opened transport: " + transport + " to " + serverAddress); - long maxMessageSize = conf.getLong(ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE, - ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE_DEFAULT); - TMultiplexedProtocol protocol = new TMultiplexedProtocol( - new TBinaryProtocol(transport, maxMessageSize, maxMessageSize, true, true), - ServiceConstants.SENTRY_POLICY_SERVICE_NAME); - client = new SentryPolicyService.Client(protocol); - LOGGER.debug("Successfully created client"); - } - - public synchronized void createRole(String requestorUserName, String roleName) - throws SentryUserException { - TCreateSentryRoleRequest request = new TCreateSentryRoleRequest(); - request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - request.setRequestorUserName(requestorUserName); - request.setRoleName(roleName); - try { - TCreateSentryRoleResponse response = client.create_sentry_role(request); - Status.throwIfNotOk(response.getStatus()); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - public synchronized void dropRole(String requestorUserName, - String roleName) - throws SentryUserException { - dropRole(requestorUserName, roleName, false); - } - - public synchronized void dropRoleIfExists(String requestorUserName, - String roleName) - throws SentryUserException { - dropRole(requestorUserName, roleName, true); - } - - private synchronized void dropRole(String requestorUserName, - String roleName, boolean ifExists) - throws SentryUserException { - TDropSentryRoleRequest request = new TDropSentryRoleRequest(); - request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - request.setRequestorUserName(requestorUserName); - request.setRoleName(roleName); - try { - TDropSentryRoleResponse response = client.drop_sentry_role(request); - Status status = Status.fromCode(response.getStatus().getValue()); - if (ifExists && status == Status.NO_SUCH_OBJECT) { - return; - } - Status.throwIfNotOk(response.getStatus()); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - /** - * Gets sentry role objects for a given groupName using the Sentry service - * @param requestorUserName : user on whose behalf the request is issued - * @param groupName : groupName to look up ( if null returns all roles for all groups) - * @return Set of thrift sentry role objects - * @throws SentryUserException - */ - public synchronized Set listRolesByGroupName( - String requestorUserName, - String groupName) - throws SentryUserException { - TListSentryRolesRequest request = new TListSentryRolesRequest(); - request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - request.setRequestorUserName(requestorUserName); - request.setGroupName(groupName); - TListSentryRolesResponse response; - try { - response = client.list_sentry_roles_by_group(request); - Status.throwIfNotOk(response.getStatus()); - return response.getRoles(); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - /** - * Gets sentry role objects for a given userName using the Sentry service - * - * @param requestorUserName - * : user on whose behalf the request is issued - * @param userName - * : userName to look up (can't be empty) - * @return Set of thrift sentry role objects - * @throws SentryUserException - */ - public Set listRolesByUserName(String requestorUserName, String userName) - throws SentryUserException { - TListSentryRolesForUserRequest request = new TListSentryRolesForUserRequest(); - request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - request.setRequestorUserName(requestorUserName); - request.setUserName(userName); - TListSentryRolesResponse response; - try { - response = client.list_sentry_roles_by_user(request); - Status.throwIfNotOk(response.getStatus()); - return response.getRoles(); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - public synchronized Set listAllPrivilegesByRoleName(String requestorUserName, - String roleName) - throws SentryUserException { - return listPrivilegesByRoleName(requestorUserName, roleName, null); - } - - /** - * Gets sentry privilege objects for a given roleName using the Sentry service - * @param requestorUserName : user on whose behalf the request is issued - * @param roleName : roleName to look up - * @param authorizable : authorizable Hierarchy (server->db->table etc) - * @return Set of thrift sentry privilege objects - * @throws SentryUserException - */ - public synchronized Set listPrivilegesByRoleName(String requestorUserName, - String roleName, List authorizable) - throws SentryUserException { - TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest(); - request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - request.setRequestorUserName(requestorUserName); - request.setRoleName(roleName); - if (authorizable != null && !authorizable.isEmpty()) { - TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(authorizable); - request.setAuthorizableHierarchy(tSentryAuthorizable); - } - TListSentryPrivilegesResponse response; - try { - response = client.list_sentry_privileges_by_role(request); - Status.throwIfNotOk(response.getStatus()); - return response.getPrivileges(); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - public synchronized Set listRoles(String requestorUserName) - throws SentryUserException { - return listRolesByGroupName(requestorUserName, null); - } - - public synchronized Set listUserRoles(String requestorUserName) - throws SentryUserException { - Set tSentryRoles = Sets.newHashSet(); - tSentryRoles.addAll(listRolesByGroupName(requestorUserName, AccessConstants.ALL)); - tSentryRoles.addAll(listRolesByUserName(requestorUserName, requestorUserName)); - return tSentryRoles; - } - - public synchronized TSentryPrivilege grantURIPrivilege(String requestorUserName, - String roleName, String server, String uri) - throws SentryUserException { - return grantPrivilege(requestorUserName, roleName, - PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL); - } - - public synchronized TSentryPrivilege grantURIPrivilege(String requestorUserName, - String roleName, String server, String uri, Boolean grantOption) - throws SentryUserException { - return grantPrivilege(requestorUserName, roleName, - PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL, grantOption); - } - - public synchronized void grantServerPrivilege(String requestorUserName, - String roleName, String server, String action) - throws SentryUserException { - - // "ALL" and "*" should be synonyms for action and need to be unified with grantServerPrivilege without - // action explicitly specified. - if (AccessConstants.ACTION_ALL.equalsIgnoreCase(action) || AccessConstants.ALL.equals(action)) { - action = AccessConstants.ALL; - } - - grantPrivilege(requestorUserName, roleName, - PrivilegeScope.SERVER, server, null, null, null, null, action); - } - - @Deprecated - /*** - * Should use grantServerPrivilege(String requestorUserName, - * String roleName, String server, String action, Boolean grantOption) - */ - public synchronized TSentryPrivilege grantServerPrivilege(String requestorUserName, - String roleName, String server, Boolean grantOption) throws SentryUserException { - return grantServerPrivilege(requestorUserName, roleName, server, - AccessConstants.ALL, grantOption); - } - - public synchronized TSentryPrivilege grantServerPrivilege(String requestorUserName, - String roleName, String server, String action, Boolean grantOption) - throws SentryUserException { - - // "ALL" and "*" should be synonyms for action and need to be unified with grantServerPrivilege without - // action explicitly specified. - if (AccessConstants.ACTION_ALL.equalsIgnoreCase(action) || AccessConstants.ALL.equals(action)) { - action = AccessConstants.ALL; - } - - return grantPrivilege(requestorUserName, roleName, - PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption); - } - - public synchronized TSentryPrivilege grantDatabasePrivilege(String requestorUserName, - String roleName, String server, String db, String action) - throws SentryUserException { - return grantPrivilege(requestorUserName, roleName, - PrivilegeScope.DATABASE, server, null, db, null, null, action); - } - - public synchronized TSentryPrivilege grantDatabasePrivilege(String requestorUserName, - String roleName, String server, String db, String action, Boolean grantOption) - throws SentryUserException { - return grantPrivilege(requestorUserName, roleName, - PrivilegeScope.DATABASE, server, null, db, null, null, action, grantOption); - } - - public synchronized TSentryPrivilege grantTablePrivilege(String requestorUserName, - String roleName, String server, String db, String table, String action) - throws SentryUserException { - return grantPrivilege(requestorUserName, roleName, PrivilegeScope.TABLE, server, - null, - db, table, null, action); - } - - public synchronized TSentryPrivilege grantTablePrivilege(String requestorUserName, - String roleName, String server, String db, String table, String action, Boolean grantOption) - throws SentryUserException { - return grantPrivilege(requestorUserName, roleName, PrivilegeScope.TABLE, server, - null, db, table, null, action, grantOption); - } - - public synchronized TSentryPrivilege grantColumnPrivilege(String requestorUserName, - String roleName, String server, String db, String table, String columnName, String action) - throws SentryUserException { - return grantPrivilege(requestorUserName, roleName, PrivilegeScope.COLUMN, server, - null, - db, table, columnName, action); - } - - public synchronized TSentryPrivilege grantColumnPrivilege(String requestorUserName, - String roleName, String server, String db, String table, String columnName, String action, Boolean grantOption) - throws SentryUserException { - return grantPrivilege(requestorUserName, roleName, PrivilegeScope.COLUMN, server, - null, db, table, columnName, action, grantOption); - } - - public synchronized Set grantColumnsPrivileges(String requestorUserName, - String roleName, String server, String db, String table, List columnNames, String action) - throws SentryUserException { - return grantPrivileges(requestorUserName, roleName, PrivilegeScope.COLUMN, server, - null, - db, table, columnNames, action); - } - - public synchronized Set grantColumnsPrivileges(String requestorUserName, - String roleName, String server, String db, String table, List columnNames, String action, Boolean grantOption) - throws SentryUserException { - return grantPrivileges(requestorUserName, roleName, PrivilegeScope.COLUMN, - server, - null, db, table, columnNames, action, grantOption); - } - - @VisibleForTesting - public static TSentryAuthorizable setupSentryAuthorizable( - List authorizable) { - TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable(); - - for (Authorizable authzble : authorizable) { - if (authzble.getTypeName().equalsIgnoreCase( - DBModelAuthorizable.AuthorizableType.Server.toString())) { - tSentryAuthorizable.setServer(authzble.getName()); - } else if (authzble.getTypeName().equalsIgnoreCase( - DBModelAuthorizable.AuthorizableType.URI.toString())) { - tSentryAuthorizable.setUri(authzble.getName()); - } else if (authzble.getTypeName().equalsIgnoreCase( - DBModelAuthorizable.AuthorizableType.Db.toString())) { - tSentryAuthorizable.setDb(authzble.getName()); - } else if (authzble.getTypeName().equalsIgnoreCase( - DBModelAuthorizable.AuthorizableType.Table.toString())) { - tSentryAuthorizable.setTable(authzble.getName()); - } else if (authzble.getTypeName().equalsIgnoreCase( - DBModelAuthorizable.AuthorizableType.Column.toString())) { - tSentryAuthorizable.setColumn(authzble.getName()); - } - } - return tSentryAuthorizable; - } - - private TSentryPrivilege grantPrivilege(String requestorUserName, - String roleName, - PrivilegeScope scope, String serverName, String uri, String db, - String table, String column, String action) throws SentryUserException { - return grantPrivilege(requestorUserName, roleName, scope, serverName, uri, - db, table, column, action, false); - } - - private TSentryPrivilege grantPrivilege(String requestorUserName, - String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, - String column, String action, Boolean grantOption) - throws SentryUserException { - TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest(); - request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - request.setRequestorUserName(requestorUserName); - request.setRoleName(roleName); - Set privileges = convertColumnPrivilege(scope, - serverName, uri, db, table, column, action, grantOption); - request.setPrivileges(privileges); - try { - TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request); - Status.throwIfNotOk(response.getStatus()); - if (response.isSetPrivileges() - && response.getPrivilegesSize()>0 ) { - return response.getPrivileges().iterator().next(); - } else { - return new TSentryPrivilege(); - } - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - private Set grantPrivileges(String requestorUserName, - String roleName, - PrivilegeScope scope, String serverName, String uri, String db, - String table, List columns, String action) throws SentryUserException { - return grantPrivileges(requestorUserName, roleName, scope, serverName, uri, - db, table, columns, action, false); - } - - private Set grantPrivileges(String requestorUserName, - String roleName, PrivilegeScope scope, String serverName, String uri, String db, String table, - List columns, String action, Boolean grantOption) - throws SentryUserException { - TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest(); - request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - request.setRequestorUserName(requestorUserName); - request.setRoleName(roleName); - Set privileges = convertColumnPrivileges(scope, - serverName, uri, db, table, columns, action, grantOption); - request.setPrivileges(privileges); - try { - TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request); - Status.throwIfNotOk(response.getStatus()); - return response.getPrivileges(); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - public synchronized void revokeURIPrivilege(String requestorUserName, - String roleName, String server, String uri) - throws SentryUserException { - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL); - } - - public synchronized void revokeURIPrivilege(String requestorUserName, - String roleName, String server, String uri, Boolean grantOption) - throws SentryUserException { - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.URI, server, uri, null, null, null, AccessConstants.ALL, grantOption); - } - - public synchronized void revokeServerPrivilege(String requestorUserName, - String roleName, String server, String action) - throws SentryUserException { - - // "ALL" and "*" should be synonyms for action and need to be unified with revokeServerPrivilege without - // action explicitly specified. - if (AccessConstants.ACTION_ALL.equalsIgnoreCase(action) || AccessConstants.ALL.equals(action)) { - action = AccessConstants.ALL; - } - - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.SERVER, server, null, null, null, null, action); - } - - public synchronized void revokeServerPrivilege(String requestorUserName, - String roleName, String server, String action, Boolean grantOption) - throws SentryUserException { - - // "ALL" and "*" should be synonyms for action and need to be unified with revokeServerPrivilege without - // action explicitly specified. - if (AccessConstants.ACTION_ALL.equalsIgnoreCase(action) || AccessConstants.ALL.equals(action)) { - action = AccessConstants.ALL; - } - - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption); - } - - @Deprecated - /*** - * Should use revokeServerPrivilege(String requestorUserName, - * String roleName, String server, String action, Boolean grantOption) - */ - public synchronized void revokeServerPrivilege(String requestorUserName, - String roleName, String server, boolean grantOption) - throws SentryUserException { - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL, grantOption); - } - - public synchronized void revokeDatabasePrivilege(String requestorUserName, - String roleName, String server, String db, String action) - throws SentryUserException { - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.DATABASE, server, null, db, null, null, action); - } - - public synchronized void revokeDatabasePrivilege(String requestorUserName, - String roleName, String server, String db, String action, Boolean grantOption) - throws SentryUserException { - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.DATABASE, server, null, db, null, null, action, grantOption); - } - - public synchronized void revokeTablePrivilege(String requestorUserName, - String roleName, String server, String db, String table, String action) - throws SentryUserException { - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.TABLE, server, null, - db, table, null, action); - } - - public synchronized void revokeTablePrivilege(String requestorUserName, - String roleName, String server, String db, String table, String action, Boolean grantOption) - throws SentryUserException { - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.TABLE, server, null, - db, table, null, action, grantOption); - } - - public synchronized void revokeColumnPrivilege(String requestorUserName, String roleName, - String server, String db, String table, String columnName, String action) - throws SentryUserException { - ImmutableList.Builder listBuilder = ImmutableList.builder(); - listBuilder.add(columnName); - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.COLUMN, server, null, - db, table, listBuilder.build(), action); - } - - public synchronized void revokeColumnPrivilege(String requestorUserName, String roleName, - String server, String db, String table, String columnName, String action, Boolean grantOption) - throws SentryUserException { - ImmutableList.Builder listBuilder = ImmutableList.builder(); - listBuilder.add(columnName); - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.COLUMN, server, null, - db, table, listBuilder.build(), action, grantOption); - } - - public synchronized void revokeColumnsPrivilege(String requestorUserName, String roleName, - String server, String db, String table, List columns, String action) - throws SentryUserException { - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.COLUMN, server, null, - db, table, columns, action); - } - - public synchronized void revokeColumnsPrivilege(String requestorUserName, String roleName, - String server, String db, String table, List columns, String action, Boolean grantOption) - throws SentryUserException { - revokePrivilege(requestorUserName, roleName, - PrivilegeScope.COLUMN, server, null, - db, table, columns, action, grantOption); - } - - private void revokePrivilege(String requestorUserName, - String roleName, PrivilegeScope scope, String serverName, String uri, - String db, String table, List columns, String action) - throws SentryUserException { - this.revokePrivilege(requestorUserName, roleName, scope, serverName, uri, db, table, columns, action, false); - } - - private void revokePrivilege(String requestorUserName, String roleName, - PrivilegeScope scope, String serverName, String uri, String db, String table, List columns, - String action, Boolean grantOption) - throws SentryUserException { - TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest(); - request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); - request.setRequestorUserName(requestorUserName); - request.setRoleName(roleName); - Set privileges = convertColumnPrivileges(scope, - serverName, uri, db, table, columns, action, grantOption); - request.setPrivileges(privileges); - try { - TAlterSentryRoleRevokePrivilegeResponse response = client.alter_sentry_role_revoke_privilege(request); - Status.throwIfNotOk(response.getStatus()); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - private Set convertColumnPrivileges( - PrivilegeScope scope, String serverName, String uri, String db, String table, List columns, - String action, Boolean grantOption) { - ImmutableSet.Builder setBuilder = ImmutableSet.builder(); - if (columns == null || columns.isEmpty()) { - TSentryPrivilege privilege = new TSentryPrivilege(); - privilege.setPrivilegeScope(scope.toString()); - privilege.setServerName(serverName); - privilege.setURI(uri); - privilege.setDbName(db); - privilege.setTableName(table); - privilege.setColumnName(null); - privilege.setAction(action); - privilege.setCreateTime(System.currentTimeMillis()); - privilege.setGrantOption(convertTSentryGrantOption(grantOption)); - setBuilder.add(privilege); - } else { - for (String column : columns) { - TSentryPrivilege privilege = new TSentryPrivilege(); - privilege.setPrivilegeScope(scope.toString()); - privilege.setServerName(serverName); - privilege.setURI(uri); - privilege.setDbName(db); - privilege.setTableName(table); - privilege.setColumnName(column); - privilege.setAction(action); - privilege.setCreateTime(System.currentTimeMillis()); - privilege.setGrantOption(convertTSentryGrantOption(grantOption)); - setBuilder.add(privilege); - } - } - return setBuilder.build(); - } - - private Set convertColumnPrivilege( - PrivilegeScope scope, String serverName, String uri, String db, String table, String column, - String action, Boolean grantOption) { - ImmutableSet.Builder setBuilder = ImmutableSet.builder(); - TSentryPrivilege privilege = new TSentryPrivilege(); - privilege.setPrivilegeScope(scope.toString()); - privilege.setServerName(serverName); - privilege.setURI(uri); - privilege.setDbName(db); - privilege.setTableName(table); - privilege.setColumnName(column); - privilege.setAction(action); - privilege.setCreateTime(System.currentTimeMillis()); - privilege.setGrantOption(convertTSentryGrantOption(grantOption)); - setBuilder.add(privilege); - return setBuilder.build(); - } - - private TSentryGrantOption convertTSentryGrantOption(Boolean grantOption) { - if (grantOption == null) { - return TSentryGrantOption.UNSET; - } else if (grantOption.equals(true)) { - return TSentryGrantOption.TRUE; - } else if (grantOption.equals(false)) { - return TSentryGrantOption.FALSE; - } - return TSentryGrantOption.FALSE; - } - - public synchronized Set listPrivilegesForProvider(Set groups, Set users, - ActiveRoleSet roleSet, Authorizable... authorizable) throws SentryUserException { - TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()); - TListSentryPrivilegesForProviderRequest request = - new TListSentryPrivilegesForProviderRequest(ThriftConstants. - TSENTRY_SERVICE_VERSION_CURRENT, groups, thriftRoleSet); - if (authorizable != null && authorizable.length > 0) { - TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(Lists - .newArrayList(authorizable)); - request.setAuthorizableHierarchy(tSentryAuthorizable); - } - if (users != null) { - request.setUsers(users); - } - try { - TListSentryPrivilegesForProviderResponse response = client.list_sentry_privileges_for_provider(request); - Status.throwIfNotOk(response.getStatus()); - return response.getPrivileges(); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - @Override - public synchronized void grantRoleToGroup(String requestorUserName, - String groupName, String roleName) - throws SentryUserException { - grantRoleToGroups(requestorUserName, roleName, Sets.newHashSet(groupName)); - } - - @Override - public synchronized void revokeRoleFromGroup(String requestorUserName, - String groupName, String roleName) - throws SentryUserException { - revokeRoleFromGroups(requestorUserName, roleName, Sets.newHashSet(groupName)); - } - - @Override - public synchronized void grantRoleToGroups(String requestorUserName, - String roleName, Set groups) - throws SentryUserException { - TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest( - ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, - roleName, convert2TGroups(groups)); - try { - TAlterSentryRoleAddGroupsResponse response = client.alter_sentry_role_add_groups(request); - Status.throwIfNotOk(response.getStatus()); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - @Override - public synchronized void revokeRoleFromGroups(String requestorUserName, - String roleName, Set groups) - throws SentryUserException { - TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest( - ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, - roleName, convert2TGroups(groups)); - try { - TAlterSentryRoleDeleteGroupsResponse response = client.alter_sentry_role_delete_groups(request); - Status.throwIfNotOk(response.getStatus()); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - @Override - public synchronized void grantRoleToUser(String requestorUserName, String userName, - String roleName) throws SentryUserException { - grantRoleToUsers(requestorUserName, roleName, Sets.newHashSet(userName)); - } - - @Override - public synchronized void revokeRoleFromUser(String requestorUserName, String userName, - String roleName) throws SentryUserException { - revokeRoleFromUsers(requestorUserName, roleName, Sets.newHashSet(userName)); - } - - @Override - public synchronized void grantRoleToUsers(String requestorUserName, String roleName, - Set users) throws SentryUserException { - TAlterSentryRoleAddUsersRequest request = new TAlterSentryRoleAddUsersRequest( - ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, roleName, users); - try { - TAlterSentryRoleAddUsersResponse response = client.alter_sentry_role_add_users(request); - Status.throwIfNotOk(response.getStatus()); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - @Override - public synchronized void revokeRoleFromUsers(String requestorUserName, String roleName, - Set users) throws SentryUserException { - TAlterSentryRoleDeleteUsersRequest request = new TAlterSentryRoleDeleteUsersRequest( - ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, roleName, users); - try { - TAlterSentryRoleDeleteUsersResponse response = client.alter_sentry_role_delete_users(request); - Status.throwIfNotOk(response.getStatus()); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - private Set convert2TGroups(Set groups) { - Set tGroups = Sets.newHashSet(); - if (groups != null) { - for (String groupName : groups) { - tGroups.add(new TSentryGroup(groupName)); - } - } - return tGroups; - } - - public synchronized void dropPrivileges(String requestorUserName, - List authorizableObjects) - throws SentryUserException { - TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(authorizableObjects); - - TDropPrivilegesRequest request = new TDropPrivilegesRequest( - ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, - tSentryAuthorizable); - try { - TDropPrivilegesResponse response = client.drop_sentry_privilege(request); - Status.throwIfNotOk(response.getStatus()); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - public synchronized void renamePrivileges(String requestorUserName, - List oldAuthorizables, - List newAuthorizables) throws SentryUserException { - TSentryAuthorizable tOldSentryAuthorizable = setupSentryAuthorizable(oldAuthorizables); - TSentryAuthorizable tNewSentryAuthorizable = setupSentryAuthorizable(newAuthorizables); - - TRenamePrivilegesRequest request = new TRenamePrivilegesRequest( - ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, - tOldSentryAuthorizable, tNewSentryAuthorizable); - try { - TRenamePrivilegesResponse response = client - .rename_sentry_privilege(request); - Status.throwIfNotOk(response.getStatus()); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - public synchronized Map listPrivilegsbyAuthorizable( - String requestorUserName, - Set> authorizables, Set groups, - ActiveRoleSet roleSet) throws SentryUserException { - Set authSet = Sets.newTreeSet(); - - for (List authorizableHierarchy : authorizables) { - authSet.add(setupSentryAuthorizable(authorizableHierarchy)); - } - TListSentryPrivilegesByAuthRequest request = new TListSentryPrivilegesByAuthRequest( - ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, - authSet); - if (groups != null) { - request.setGroups(groups); - } - if (roleSet != null) { - request.setRoleSet(new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles())); - } - - try { - TListSentryPrivilegesByAuthResponse response = client - .list_sentry_privileges_by_authorizable(request); - Status.throwIfNotOk(response.getStatus()); - return response.getPrivilegesMapByAuth(); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - /** - * Returns the configuration value in the sentry server associated with - * propertyName, or if propertyName does not exist, the defaultValue. - * There is no "requestorUserName" because this is regarded as an - * internal interface. - * @param propertyName Config attribute to search for - * @param defaultValue String to return if not found - * @return The value of the propertyName - * @throws SentryUserException - */ - public synchronized String getConfigValue(String propertyName, String defaultValue) - throws SentryUserException { - TSentryConfigValueRequest request = new TSentryConfigValueRequest( - ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, propertyName); - if (defaultValue != null) { - request.setDefaultValue(defaultValue); - } - try { - TSentryConfigValueResponse response = client.get_sentry_config_value(request); - Status.throwIfNotOk(response.getStatus()); - return response.getValue(); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - public synchronized void close() { - if (transport != null) { - transport.close(); - } - } - - /** - * Import the sentry mapping data, convert the mapping data from map structure to - * TSentryMappingData, and call the import API. - * - * @param policyFileMappingData - * Include 2 maps to save the mapping data, the following is the example of the data - * structure: - * for the following mapping data: - * group1=role1,role2 - * group2=role2,role3 - * role1=server=server1->db=db1 - * role2=server=server1->db=db1->table=tbl1,server=server1->db=db1->table=tbl2 - * role3=server=server1->url=hdfs://localhost/path - * - * The policyFileMappingData will be inputed as: - * { - * groups={[group1={role1, role2}], group2=[role2, role3]}, - * roles={role1=[server=server1->db=db1], - * role2=[server=server1->db=db1->table=tbl1,server=server1->db=db1->table=tbl2], - * role3=[server=server1->url=hdfs://localhost/path] - * } - * } - * @param requestorUserName - * The name of the request user - */ - public synchronized void importPolicy(Map>> policyFileMappingData, - String requestorUserName, boolean isOverwriteRole) - throws SentryUserException { - try { - TSentryMappingData tSentryMappingData = new TSentryMappingData(); - // convert the mapping data for [group,role] from map structure to - // TSentryMappingData.GroupRolesMap - tSentryMappingData.setGroupRolesMap(policyFileMappingData.get(PolicyFileConstants.GROUPS)); - tSentryMappingData.setUserRolesMap(policyFileMappingData.get(PolicyFileConstants.USER_ROLES)); - // convert the mapping data for [role,privilege] from map structure to - // TSentryMappingData.RolePrivilegesMap - tSentryMappingData - .setRolePrivilegesMap(convertRolePrivilegesMapForSentryDB(policyFileMappingData - .get(PolicyFileConstants.ROLES))); - TSentryImportMappingDataRequest request = new TSentryImportMappingDataRequest( - ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, isOverwriteRole, - tSentryMappingData); - TSentryImportMappingDataResponse response = client.import_sentry_mapping_data(request); - Status.throwIfNotOk(response.getStatus()); - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - // convert the mapping data for [role,privilege] from map structure to - // TSentryMappingData.RolePrivilegesMap - private Map> convertRolePrivilegesMapForSentryDB( - Map> rolePrivilegesMap) { - Map> rolePrivilegesMapResult = Maps.newHashMap(); - if (rolePrivilegesMap != null) { - for (Map.Entry> entry : rolePrivilegesMap.entrySet()) { - Set tempTSentryPrivileges = Sets.newHashSet(); - Set tempPrivileges = entry.getValue(); - for (String tempPrivilege : tempPrivileges) { - tempTSentryPrivileges.add(SentryServiceUtil.convertToTSentryPrivilege(tempPrivilege)); - } - rolePrivilegesMapResult.put(entry.getKey(), tempTSentryPrivileges); - } - } - return rolePrivilegesMapResult; - } - - // export the sentry mapping data with map structure - public synchronized Map>> exportPolicy(String requestorUserName, - String objectPath) throws SentryUserException { - TSentryExportMappingDataRequest request = new TSentryExportMappingDataRequest( - ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName); - request.setObjectPath(objectPath); - try { - TSentryExportMappingDataResponse response = client.export_sentry_mapping_data(request); - Status.throwIfNotOk(response.getStatus()); - TSentryMappingData tSentryMappingData = response.getMappingData(); - Map>> resultMap = Maps.newHashMap(); - resultMap.put(PolicyFileConstants.USER_ROLES, tSentryMappingData.getUserRolesMap()); - resultMap.put(PolicyFileConstants.GROUPS, tSentryMappingData.getGroupRolesMap()); - resultMap.put(PolicyFileConstants.ROLES, convertRolePrivilegesMapForPolicyFile(tSentryMappingData.getRolePrivilegesMap())); - return resultMap; - } catch (TException e) { - throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); - } - } - - // convert the mapping data for [roleName,privilege] from TSentryMappingData.RolePrivilegesMap to - // map structure - private Map> convertRolePrivilegesMapForPolicyFile( - Map> rolePrivilegesMap) { - Map> rolePrivilegesMapForFile = Maps.newHashMap(); - if (rolePrivilegesMap != null) { - for (Map.Entry> entry : rolePrivilegesMap.entrySet()) { - Set tempSentryPrivileges = entry.getValue(); - Set tempStrPrivileges = Sets.newHashSet(); - for (TSentryPrivilege tSentryPrivilege : tempSentryPrivileges) { - // convert TSentryPrivilege to privilege in string - String privilegeStr = SentryServiceUtil.convertTSentryPrivilegeToStr(tSentryPrivilege); - if (!StringUtils.isEmpty(privilegeStr)) { - tempStrPrivileges.add(privilegeStr); - } - } - rolePrivilegesMapForFile.put(entry.getKey(), tempStrPrivileges); - } - } - return rolePrivilegesMapForFile; - } -} \ No newline at end of file