sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From br...@apache.org
Subject git commit: SENTRY-137 - Validate privilege scope in sentry service (Prasad via Brock)
Date Wed, 26 Mar 2014 04:13:55 GMT
Repository: incubator-sentry
Updated Branches:
  refs/heads/master 63c134f36 -> 4247d21fa


SENTRY-137 - Validate privilege scope in sentry service (Prasad via Brock)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/4247d21f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/4247d21f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/4247d21f

Branch: refs/heads/master
Commit: 4247d21fa036685a098baac84262aa08693d1d82
Parents: 63c134f
Author: Brock Noland <brock@apache.org>
Authored: Tue Mar 25 21:13:15 2014 -0700
Committer: Brock Noland <brock@apache.org>
Committed: Tue Mar 25 21:13:15 2014 -0700

----------------------------------------------------------------------
 .../thrift/SentryPolicyServiceClient.java       | 38 ++++++++++----------
 .../thrift/SentryPolicyStoreProcessor.java      | 38 +++++++++++++++++---
 .../sentry/service/thrift/ServiceConstants.java |  9 +++++
 3 files changed, 63 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4247d21f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index 464569c..7e73b2c 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -30,6 +30,7 @@ import org.apache.sentry.SentryUserException;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.model.db.AccessConstants;
 import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
 import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
 import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
 import org.apache.sentry.service.thrift.Status;
@@ -154,33 +155,33 @@ public class SentryPolicyServiceClient {
   public void grantURIPrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
       String roleName, String server, String uri)
   throws SentryUserException {
-    grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, "SERVER", server,
uri,
-        null, null, AccessConstants.ALL);
+    grantPrivilege(requestorUserName, requestorUserGroupNames, roleName,
+        PrivilegeScope.URI, server, uri, null, null, AccessConstants.ALL);
   }
 
   public void grantServerPrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
       String roleName, String server)
   throws SentryUserException {
-    grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, "SERVER", server,
null,
-        null, null, AccessConstants.ALL);
+    grantPrivilege(requestorUserName, requestorUserGroupNames, roleName,
+        PrivilegeScope.SERVER, server, null, null, null, AccessConstants.ALL);
   }
 
   public void grantDatabasePrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
       String roleName, String server, String db)
   throws SentryUserException {
-    grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, "DATABASE", server,
null,
-        db, null, AccessConstants.ALL);
+    grantPrivilege(requestorUserName, requestorUserGroupNames, roleName,
+        PrivilegeScope.DATABASE, server, null, db, null, AccessConstants.ALL);
   }
 
   public void grantTablePrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
       String roleName, String server, String db, String table, String action)
   throws SentryUserException {
-    grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, "TABLE", server,
null,
+    grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, PrivilegeScope.TABLE,
server, null,
         db, table, action);
   }
 
   private void grantPrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
-      String roleName, String scope, String serverName, String uri, String db, String table,
String action)
+      String roleName, PrivilegeScope scope, String serverName, String uri, String db, String
table, String action)
   throws SentryUserException {
     TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
     request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
@@ -188,7 +189,7 @@ public class SentryPolicyServiceClient {
     request.setRequestorGroupNames(requestorUserGroupNames);
     request.setRoleName(roleName);
     TSentryPrivilege privilege = new TSentryPrivilege();
-    privilege.setPrivilegeScope(scope);
+    privilege.setPrivilegeScope(scope.toString());
     privilege.setServerName(serverName);
     privilege.setURI(uri);
     privilege.setDbName(db);
@@ -209,33 +210,34 @@ public class SentryPolicyServiceClient {
   public void revokeURIPrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
       String roleName, String server, String uri)
   throws SentryUserException {
-    revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, "SERVER", server,
uri,
-        null, null, AccessConstants.ALL);
+    revokePrivilege(requestorUserName, requestorUserGroupNames, roleName,
+        PrivilegeScope.URI, server, uri, null, null, AccessConstants.ALL);
   }
 
   public void revokeServerPrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
       String roleName, String server)
   throws SentryUserException {
-    revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, "SERVER", server,
null,
-        null, null, AccessConstants.ALL);
+    revokePrivilege(requestorUserName, requestorUserGroupNames, roleName,
+        PrivilegeScope.SERVER, server, null, null, null, AccessConstants.ALL);
   }
 
   public void revokeDatabasePrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
       String roleName, String server, String db)
   throws SentryUserException {
-    revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, "DATABASE", server,
null,
-        db, null, AccessConstants.ALL);
+    revokePrivilege(requestorUserName, requestorUserGroupNames, roleName,
+        PrivilegeScope.DATABASE, server, null, db, null, AccessConstants.ALL);
   }
 
   public void revokeTablePrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
       String roleName, String server, String db, String table, String action)
   throws SentryUserException {
-    revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, "TABLE", server,
null,
+    revokePrivilege(requestorUserName, requestorUserGroupNames, roleName,
+        PrivilegeScope.TABLE, server, null,
         db, table, action);
   }
 
   private void revokePrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
-      String roleName, String scope, String serverName, String uri, String db, String table,
String action)
+      String roleName, PrivilegeScope scope, String serverName, String uri, String db, String
table, String action)
   throws SentryUserException {
     TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
     request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
@@ -243,7 +245,7 @@ public class SentryPolicyServiceClient {
     request.setRequestorGroupNames(requestorUserGroupNames);
     request.setRoleName(roleName);
     TSentryPrivilege privilege = new TSentryPrivilege();
-    privilege.setPrivilegeScope(scope);
+    privilege.setPrivilegeScope(scope.toString());
     privilege.setServerName(serverName);
     privilege.setURI(uri);
     privilege.setDbName(db);

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4247d21f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 9562783..9793ab4 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -23,6 +23,7 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 
+import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.sentry.provider.db.SentryAccessDeniedException;
 import org.apache.sentry.provider.db.SentryAlreadyExistsException;
@@ -31,6 +32,7 @@ import org.apache.sentry.provider.db.SentryNoSuchObjectException;
 import org.apache.sentry.provider.db.service.persistent.CommitContext;
 import org.apache.sentry.provider.db.service.persistent.SentryStore;
 import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
 import org.apache.sentry.service.thrift.Status;
 import org.apache.sentry.service.thrift.TSentryResponseStatus;
 import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
@@ -106,7 +108,6 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface
{
     return handlers;
   }
 
-  //TODO:Validate privilege scope?
   @VisibleForTesting
   public static String constructPrivilegeName(TSentryPrivilege privilege) throws SentryInvalidInputException
{
     StringBuilder privilegeName = new StringBuilder();
@@ -115,6 +116,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface
{
     String tableName = privilege.getTableName();
     String uri = privilege.getURI();
     String action = privilege.getAction();
+    PrivilegeScope scope;
 
     if (serverName == null) {
       throw new SentryInvalidInputException("Server name is null");
@@ -126,10 +128,38 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface
{
       }
     }
 
-    if (dbName == null || dbName.equals("")) {
-      if (tableName != null && !tableName.equals("")) {
-        throw new SentryInvalidInputException("Db name can't be null");
+    // Validate privilege scope
+    try {
+      scope = Enum.valueOf(PrivilegeScope.class, privilege.getPrivilegeScope());
+    } catch (IllegalArgumentException e) {
+      throw new SentryInvalidInputException("Invalid Privilege scope: " +
+          privilege.getPrivilegeScope());
+    }
+    if (PrivilegeScope.SERVER.equals(scope)) {
+      if (StringUtils.isNotEmpty(dbName) || StringUtils.isNotEmpty(tableName)) {
+        throw new SentryInvalidInputException("DB and TABLE names should not be "
+            + "set for SERVER scope");
+      }
+    } else if (PrivilegeScope.DATABASE.equals(scope)) {
+      if (StringUtils.isEmpty(dbName)) {
+        throw new SentryInvalidInputException("DB name not set for DB scope");
+      }
+      if (StringUtils.isNotEmpty(tableName)) {
+        StringUtils.isNotEmpty("TABLE names should not be set for DB scope");
       }
+    } else if (PrivilegeScope.TABLE.equals(scope)) {
+      if (StringUtils.isEmpty(dbName) || StringUtils.isEmpty(tableName)) {
+        throw new SentryInvalidInputException("TABLE or DB name not set for TABLE scope");
+      }
+    } else if (PrivilegeScope.URI.equals(scope)){
+      if (StringUtils.isEmpty(uri)) {
+        throw new SentryInvalidInputException("URI path not set for URI scope");
+      }
+      if (StringUtils.isNotEmpty(tableName)) {
+        throw new SentryInvalidInputException("TABLE should not be set for URI scope");
+      }
+    } else {
+      throw new SentryInvalidInputException("Unsupported operation scope: " + scope);
     }
 
     if (uri == null || uri.equals("")) {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4247d21f/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
index 1b36690..6258471 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
@@ -122,4 +122,13 @@ public class ServiceConstants {
   public static class ThriftConstants extends org.apache.sentry.service.thrift.sentry_common_serviceConstants
{
     public static final int TSENTRY_SERVICE_VERSION_CURRENT = TSENTRY_SERVICE_V1;
   }
+
+  /* Privilege operation scope */
+  public static enum PrivilegeScope {
+    SERVER,
+    URI,
+    DATABASE,
+    TABLE,
+    COLUMN
+  }
 }


Mime
View raw message