Repository: incubator-sentry
Updated Branches:
refs/heads/master c643db28d -> a170f53bd
SENTRY-347: Generate the audit log in Json format (Colin Ma via Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/a170f53b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/a170f53b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/a170f53b
Branch: refs/heads/master
Commit: a170f53bde4a3947243ca0439544b2769c9240ee
Parents: c643db2
Author: Sravya Tirukkovalur <sravya@clouera.com>
Authored: Fri Aug 1 14:14:17 2014 -0700
Committer: Sravya Tirukkovalur <sravya@clouera.com>
Committed: Fri Aug 1 14:14:17 2014 -0700
----------------------------------------------------------------------
pom.xml | 12 +
.../db/log/entity/AuditMetadataLogEntity.java | 227 ++++++++++++++
.../provider/db/log/entity/JsonLogEntity.java | 25 ++
.../db/log/entity/JsonLogEntityFactory.java | 143 +++++++++
.../provider/db/log/util/CommandUtil.java | 169 +++++++++++
.../sentry/provider/db/log/util/Constants.java | 98 ++++++
.../thrift/SentryPolicyStoreProcessor.java | 19 ++
.../SentryPolicyStoreProcessorFactory.java | 2 +-
.../service/thrift/SentryProcessorWrapper.java | 83 +++++
.../sentry/service/thrift/ServiceConstants.java | 3 +
.../log/entity/TestAuditMetadataLogEntity.java | 68 +++++
.../db/log/entity/TestJsonLogEntityFactory.java | 293 ++++++++++++++++++
.../provider/db/log/util/TestCommandUtil.java | 303 +++++++++++++++++++
13 files changed, 1444 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 3d5492d..01c87f1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -166,6 +166,18 @@ limitations under the License.
<artifactId>hive-metastore</artifactId>
<version>${hive.version}</version>
</dependency>
+
+ <dependency>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-core-asl</artifactId>
+ <version>${jackson.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-mapper-asl</artifactId>
+ <version>${jackson.version}</version>
+ </dependency>
+
<dependency>
<groupId>org.apache.hive</groupId>
<artifactId>hive-beeline</artifactId>
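Review bot: The two new dependencies reference `${jackson.version}`, which is not defined in this hunk; if the property is not already declared in the `<properties>` block (outside the view), the build fails at resolution time, so it is worth confirming where that property comes from and which version it pins. The `org.codehaus.jackson` coordinates are the legacy Jackson 1.x line, which has been superseded by `com.fasterxml.jackson`; if the choice is driven by what Hive already brings onto the classpath, a one-line comment above the dependencies saying so would stop the next maintainer from "upgrading" it blindly.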
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
new file mode 100644
index 0000000..e1d8a9e
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
@@ -0,0 +1,227 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import java.io.IOException;
+import java.io.StringWriter;
+
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.codehaus.jackson.JsonFactory;
+import org.codehaus.jackson.JsonGenerator;
+import org.codehaus.jackson.JsonNode;
+import org.codehaus.jackson.map.MappingJsonFactory;
+import org.codehaus.jackson.map.ObjectMapper;
+import org.codehaus.jackson.node.ContainerNode;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AuditMetadataLogEntity implements JsonLogEntity {
+
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(AuditMetadataLogEntity.class);
+ private static final JsonFactory factory = new MappingJsonFactory();
+ private String serviceName;
+ private String userName;
+ private String impersonator;
+ private String ipAddress;
+ private String operation;
+ private String eventTime;
+ private String operationText;
+ private String allowed;
+ private String databaseName;
+ private String tableName;
+ private String resourcePath;
+ private String objectType;
+
+ public AuditMetadataLogEntity() {
+ }
+
+ public AuditMetadataLogEntity(String serviceName, String userName,
+ String impersonator, String ipAddress, String operation,
+ String eventTime, String operationText, String allowed,
+ String databaseName, String tableName, String resourcePath,
+ String objectType) {
+ this.serviceName = serviceName;
+ this.userName = userName;
+ this.impersonator = impersonator;
+ this.ipAddress = ipAddress;
+ this.operation = operation;
+ this.eventTime = eventTime;
+ this.operationText = operationText;
+ this.allowed = allowed;
+ this.databaseName = databaseName;
+ this.tableName = tableName;
+ this.resourcePath = resourcePath;
+ this.objectType = objectType;
+ }
+
+ @Override
+ public String toJsonFormatLog() {
+ StringWriter stringWriter = new StringWriter();
+ JsonGenerator json = null;
+ try {
+ json = factory.createJsonGenerator(stringWriter);
+ json.writeStartObject();
+ json.writeStringField(Constants.LOG_FIELD_SERVICE_NAME, serviceName);
+ json.writeStringField(Constants.LOG_FIELD_USER_NAME, userName);
+ json.writeStringField(Constants.LOG_FIELD_IMPERSONATOR, impersonator);
+ json.writeStringField(Constants.LOG_FIELD_IP_ADDRESS, ipAddress);
+ json.writeStringField(Constants.LOG_FIELD_OPERATION, operation);
+ json.writeStringField(Constants.LOG_FIELD_EVENT_TIME, eventTime);
+ json.writeStringField(Constants.LOG_FIELD_OPERATION_TEXT, operationText);
+ json.writeStringField(Constants.LOG_FIELD_ALLOWED, allowed);
+ json.writeStringField(Constants.LOG_FIELD_DATABASE_NAME, databaseName);
+ json.writeStringField(Constants.LOG_FIELD_TABLE_NAME, tableName);
+ json.writeStringField(Constants.LOG_FIELD_RESOURCE_PATH, resourcePath);
+ json.writeStringField(Constants.LOG_FIELD_OBJECT_TYPE, objectType);
+ json.writeEndObject();
+ json.flush();
+ } catch (IOException e) {
+ // if there has error when creating the audit log in json, set the audit
+ // log to empty.
+ stringWriter = new StringWriter();
+ String msg = "Error creating audit log in json format: " + e.getMessage();
+ LOGGER.error(msg, e);
+ } finally {
+ try {
+ if (json != null) {
+ json.close();
+ }
+ } catch (IOException e) {
+ LOGGER.error("Error closing JsonGenerator", e);
+ }
+ }
+
+ return stringWriter.toString();
+ }
+
+ public String getServiceName() {
+ return serviceName;
+ }
+
+ public void setServiceName(String serviceName) {
+ this.serviceName = serviceName;
+ }
+
+ public String getUserName() {
+ return userName;
+ }
+
+ public void setUserName(String userName) {
+ this.userName = userName;
+ }
+
+ public String getImpersonator() {
+ return impersonator;
+ }
+
+ public void setImpersonator(String impersonator) {
+ this.impersonator = impersonator;
+ }
+
+ public String getIpAddress() {
+ return ipAddress;
+ }
+
+ public void setIpAddress(String ipAddress) {
+ this.ipAddress = ipAddress;
+ }
+
+ public String getOperation() {
+ return operation;
+ }
+
+ public void setOperation(String operation) {
+ this.operation = operation;
+ }
+
+ public String getEventTime() {
+ return eventTime;
+ }
+
+ public void setEventTime(String eventTime) {
+ this.eventTime = eventTime;
+ }
+
+ public String getOperationText() {
+ return operationText;
+ }
+
+ public void setOperationText(String operationText) {
+ this.operationText = operationText;
+ }
+
+ public String getAllowed() {
+ return allowed;
+ }
+
+ public void setAllowed(String allowed) {
+ this.allowed = allowed;
+ }
+
+ public String getDatabaseName() {
+ return databaseName;
+ }
+
+ public void setDatabaseName(String databaseName) {
+ this.databaseName = databaseName;
+ }
+
+ public String getTableName() {
+ return tableName;
+ }
+
+ public void setTableName(String tableName) {
+ this.tableName = tableName;
+ }
+
+ public String getResourcePath() {
+ return resourcePath;
+ }
+
+ public void setResourcePath(String resourcePath) {
+ this.resourcePath = resourcePath;
+ }
+
+ public String getObjectType() {
+ return objectType;
+ }
+
+ public void setObjectType(String objectType) {
+ this.objectType = objectType;
+ }
+
+ /**
+ * For use in tests
+ *
+ * @param json
+ * incoming JSON to parse
+ * @return a node tree
+ * @throws IOException
+ * on any parsing problems
+ */
+ public static ContainerNode parse(String json) throws IOException {
+ ObjectMapper mapper = new ObjectMapper(factory);
+ JsonNode jsonNode = mapper.readTree(json);
+ if (!(jsonNode instanceof ContainerNode)) {
+ throw new IOException("Wrong JSON data: " + json);
+ }
+ return (ContainerNode) jsonNode;
+ }
+}
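Review bot: `toJsonFormatLog` maps an `IOException` to an empty string (the `stringWriter = new StringWriter()` reset in the catch), so the caller's `AUDIT_LOGGER.info(...)` writes a blank line and the record for that authorization change is silently missing from the audit trail, with the only evidence in the application log. The method's Javadoc should state this contract so callers can detect it: `/** Renders this entity as one JSON object. Returns the empty string if serialization fails; the failure is logged to the class logger, not to the audit logger. */`, and the caller could then treat an empty result as an audit failure rather than a record. In the same catch, `msg` embeds `e.getMessage()` while `LOGGER.error(msg, e)` already prints the exception, so `LOGGER.error("Error creating audit log in json format", e);` is enough. Also, `parse` is documented "For use in tests" but ships in the production class; if it stays here, the Javadoc should say why it is public.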
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
new file mode 100644
index 0000000..7ad6966
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+public interface JsonLogEntity {
+
+ public String toJsonFormatLog();
+
+}
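Review bot: The interface has no Javadoc, and since it is the contract the audit logger calls through, the rendering guarantees belong here rather than on each implementation. Suggested header: `/** A log record that can render itself as a single-line JSON object for the audit logger. */`, and on the method: `/** @return this record as a JSON object string; see the implementation for what is returned when rendering fails. */`. The `public` modifier on an interface method is implicit and is normally omitted.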
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
new file mode 100644
index 0000000..2cc8194
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
@@ -0,0 +1,143 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeResponse;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.Status;
+import org.apache.sentry.service.thrift.TSentryResponseStatus;
+
+public class JsonLogEntityFactory {
+
+ private static JsonLogEntityFactory factory = new JsonLogEntityFactory();
+
+ private JsonLogEntityFactory() {
+ };
+
+ public static JsonLogEntityFactory getInstance() {
+ return factory;
+ }
+
+ public JsonLogEntity createJsonLogEntity(TCreateSentryRoleRequest request,
+ TCreateSentryRoleResponse response, Configuration conf) {
+ AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ amle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(
+ request.getRoleName(), true));
+
+ return amle;
+ }
+
+ public JsonLogEntity createJsonLogEntity(TDropSentryRoleRequest request,
+ TDropSentryRoleResponse response, Configuration conf) {
+ AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ amle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(
+ request.getRoleName(), false));
+
+ return amle;
+ }
+
+ public JsonLogEntity createJsonLogEntity(
+ TAlterSentryRoleGrantPrivilegeRequest request,
+ TAlterSentryRoleGrantPrivilegeResponse response, Configuration conf) {
+ AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ amle.setOperationText(CommandUtil.createCmdForGrantPrivilege(request));
+ TSentryPrivilege privilege = request.getPrivilege();
+ amle.setDatabaseName(privilege.getDbName());
+ amle.setTableName(privilege.getTableName());
+ amle.setResourcePath(privilege.getURI());
+
+ return amle;
+ }
+
+ public JsonLogEntity createJsonLogEntity(
+ TAlterSentryRoleRevokePrivilegeRequest request,
+ TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) {
+ AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ amle.setOperationText(CommandUtil.createCmdForRevokePrivilege(request));
+ TSentryPrivilege privilege = request.getPrivilege();
+ amle.setDatabaseName(privilege.getDbName());
+ amle.setTableName(privilege.getTableName());
+ amle.setResourcePath(privilege.getURI());
+
+ return amle;
+ }
+
+ public JsonLogEntity createJsonLogEntity(
+ TAlterSentryRoleAddGroupsRequest request,
+ TAlterSentryRoleAddGroupsResponse response, Configuration conf) {
+ AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ amle.setOperationText(CommandUtil.createCmdForRoleAddGroup(request));
+
+ return amle;
+ }
+
+ public JsonLogEntity createJsonLogEntity(
+ TAlterSentryRoleDeleteGroupsRequest request,
+ TAlterSentryRoleDeleteGroupsResponse response, Configuration conf) {
+ AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+ request.getRequestorUserName(), request.getClass().getName());
+ amle.setOperationText(CommandUtil.createCmdForRoleDeleteGroup(request));
+
+ return amle;
+ }
+
+ public String isAllowed(TSentryResponseStatus status) {
+ if (status.equals(Status.OK())) {
+ return Constants.TRUE;
+ }
+ return Constants.FALSE;
+ }
+
+ private AuditMetadataLogEntity createCommonAMLE(Configuration conf,
+ TSentryResponseStatus responseStatus, String userName,
+ String requestClassName) {
+ AuditMetadataLogEntity amle = new AuditMetadataLogEntity();
+ amle.setUserName(userName);
+ amle.setServiceName(conf.get(ServerConfig.SENTRY_SERVICE_NAME,
+ ServerConfig.SENTRY_SERVICE_NAME_DEFAULT).trim());
+ amle.setImpersonator(CommandUtil.getImpersonator());
+ amle.setIpAddress(CommandUtil.getIpAddress());
+ amle.setOperation(Constants.requestTypeToOperationMap.get(requestClassName));
+ amle.setEventTime(Long.toString(System.currentTimeMillis()));
+ amle.setAllowed(isAllowed(responseStatus));
+ amle.setObjectType(Constants.requestTypeToObjectTypeMap
+ .get(requestClassName));
+ return amle;
+ }
+}
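Review bot: `isAllowed` decides the `allowed` field by `status.equals(Status.OK())` on the whole Thrift struct (L453), so if `TSentryResponseStatus.equals` also compares the message or stack fields and a successful response carries a non-empty message, the audit line would record `allowed=false` for an operation that actually succeeded; I cannot see `Status.OK()` or the struct from here, so please confirm, and if so compare only the status code field, e.g. `if (status.getValue() == Status.OK().getValue()) {`. The grant and revoke overloads also dereference `request.getPrivilege()` (L410, L424) without a null check; whether a null privilege can reach this point is not visible in the hunk, but since the factory runs after the store operation has completed, an NPE here surfaces as a failed Thrift call for a committed change. `createCommonAMLE` looks up `Constants.requestTypeToOperationMap.get(requestClassName)` and silently stores null for an unknown request class; a Javadoc line on the method noting that `operation` and `objectType` are null for request types not registered in `Constants` would make that visible to whoever adds the next RPC.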
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
new file mode 100644
index 0000000..b2b5187
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
@@ -0,0 +1,169 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.util;
+
+import java.util.Iterator;
+
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+
+public class CommandUtil {
+
+ public static String createCmdForCreateOrDropRole(String roleName,
+ boolean isCreate) {
+ if (isCreate) {
+ return "CREATE ROLE " + roleName;
+ }
+ return "DROP ROLE " + roleName;
+ }
+
+ public static String createCmdForRoleAddGroup(
+ TAlterSentryRoleAddGroupsRequest request) {
+ return createCmdForRoleAddOrDeleteGroup(request.getRoleName(),
+ request.getGroupsIterator(), true);
+ }
+
+ public static String createCmdForRoleDeleteGroup(
+ TAlterSentryRoleDeleteGroupsRequest request) {
+ return createCmdForRoleAddOrDeleteGroup(request.getRoleName(),
+ request.getGroupsIterator(), false);
+ }
+
+ private static String createCmdForRoleAddOrDeleteGroup(String roleName,
+ Iterator<TSentryGroup> iter, boolean isAddGroup) {
+ StringBuilder sb = new StringBuilder();
+ if (isAddGroup) {
+ sb.append("GRANT ROLE ");
+ } else {
+ sb.append("REVOKE ROLE ");
+ }
+ sb.append(roleName);
+ if (isAddGroup) {
+ sb.append(" TO ");
+ } else {
+ sb.append(" FROM ");
+ }
+
+ if (iter != null) {
+ sb.append("GROUP ");
+ boolean commaFlg = false;
+ while (iter.hasNext()) {
+ if (commaFlg) {
+ sb.append(", ");
+ } else {
+ commaFlg = true;
+ }
+ sb.append(iter.next().getGroupName());
+ }
+ } else {
+ sb = new StringBuilder("Missing group information.");
+ }
+
+ return sb.toString();
+ }
+
+ public static String createCmdForGrantPrivilege(
+ TAlterSentryRoleGrantPrivilegeRequest request) {
+ return createCmdForGrantOrRevokePrivilege(request.getRoleName(),
+ request.getPrivilege(), true);
+ }
+
+ public static String createCmdForRevokePrivilege(
+ TAlterSentryRoleRevokePrivilegeRequest request) {
+ return createCmdForGrantOrRevokePrivilege(request.getRoleName(),
+ request.getPrivilege(), false);
+ }
+
+ private static String createCmdForGrantOrRevokePrivilege(String roleName,
+ TSentryPrivilege privilege, boolean isGrant) {
+ StringBuilder sb = new StringBuilder();
+ if (isGrant) {
+ sb.append("GRANT ");
+ } else {
+ sb.append("REVOKE ");
+ }
+
+ String action = privilege.getAction();
+ String privilegeScope = privilege.getPrivilegeScope();
+ if (AccessConstants.ALL.equalsIgnoreCase(action)) {
+ sb.append("ALL");
+ } else {
+ if (action != null) {
+ action = action.toUpperCase();
+ }
+ sb.append(action);
+ }
+
+ sb.append(" ON ").append(privilege.getPrivilegeScope()).append(" ");
+ if (PrivilegeScope.DATABASE.name().equalsIgnoreCase(privilegeScope)) {
+ sb.append(privilege.getDbName());
+ } else if (PrivilegeScope.TABLE.name().equalsIgnoreCase(privilegeScope)) {
+ sb.append(privilege.getTableName());
+ } else if (PrivilegeScope.SERVER.name().equalsIgnoreCase(privilegeScope)) {
+ sb.append(privilege.getServerName());
+ } else if (PrivilegeScope.URI.name().equalsIgnoreCase(privilegeScope)) {
+ sb.append(privilege.getURI());
+ }
+
+ if (isGrant) {
+ sb.append(" TO ROLE ");
+ } else {
+ sb.append(" FROM ROLE ");
+ }
+ sb.append(roleName);
+
+ return sb.toString();
+ }
+
+ private static ThreadLocal<String> threadLocalIpAddress = new ThreadLocal<String>() {
+ @Override
+ protected synchronized String initialValue() {
+ return "";
+ }
+ };
+
+ public static void setIpAddress(String ipAddress) {
+ threadLocalIpAddress.set(ipAddress);
+ }
+
+ public static String getIpAddress() {
+ return threadLocalIpAddress.get();
+ }
+
+ private static ThreadLocal<String> threadLocalImpersonator = new ThreadLocal<String>() {
+ @Override
+ protected synchronized String initialValue() {
+ return "";
+ }
+ };
+
+ public static void setImpersonator(String impersonator) {
+ threadLocalImpersonator.set(impersonator);
+ }
+
+ public static String getImpersonator() {
+ return threadLocalImpersonator.get();
+ }
+}
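Review bot: `threadLocalIpAddress` and `threadLocalImpersonator` (L623-L651) have setters but no way to clear them, so on a pooled server thread the values set for one request persist until the next request overwrites them; if any code path reaches `getIpAddress()`/`getImpersonator()` before the wrapper (not in this hunk) has set them, the audit line attributes the operation to the previous client's address. Add `public static void clearIpAddress() { threadLocalIpAddress.remove(); }` and `public static void clearImpersonator() { threadLocalImpersonator.remove(); }` and call them in a `finally` once a request has been processed. In `createCmdForGrantOrRevokePrivilege`, the TABLE branch (L605-L606) emits only the table name, so the `operationText` reads `GRANT SELECT ON TABLE t TO ROLE r` with no database qualifier; `sb.append(privilege.getDbName()).append('.').append(privilege.getTableName());` keeps the audit text unambiguous. L602 re-reads `privilege.getPrivilegeScope()` although `privilegeScope` was already captured, and a null `action` is appended as the literal `null` (L596-L599).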
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
new file mode 100644
index 0000000..4b1d7de
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
@@ -0,0 +1,98 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.util;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
+
+public class Constants {
+ public final static String AUDIT_LOGGER_NAME = "sentry.hive.authorization.ddl.logger";
+
+ public final static String LOG_FIELD_SERVICE_NAME = "serviceName";
+ public final static String LOG_FIELD_USER_NAME = "userName";
+ public final static String LOG_FIELD_IMPERSONATOR = "impersonator";
+ public final static String LOG_FIELD_IP_ADDRESS = "ipAddress";
+ public final static String LOG_FIELD_OPERATION = "operation";
+ public final static String LOG_FIELD_EVENT_TIME = "eventTime";
+ public final static String LOG_FIELD_OPERATION_TEXT = "operationText";
+ public final static String LOG_FIELD_ALLOWED = "allowed";
+ public final static String LOG_FIELD_DATABASE_NAME = "databaseName";
+ public final static String LOG_FIELD_TABLE_NAME = "tableName";
+ public final static String LOG_FIELD_RESOURCE_PATH = "resourcePath";
+ public final static String LOG_FIELD_OBJECT_TYPE = "objectType";
+
+ public final static String OPERATION_CREATE_ROLE = "CREATE_ROLE";
+ public final static String OPERATION_DROP_ROLE = "DROP_ROLE";
+ public final static String OPERATION_ADD_ROLE = "ADD_ROLE_TO_GROUP";
+ public final static String OPERATION_DELETE_ROLE = "DELETE_ROLE_FROM_GROUP";
+ public final static String OPERATION_GRANT_PRIVILEGE = "GRANTE_PRIVILEGE";
+ public final static String OPERATION_REVOKE_PRIVILEGE = "REVOKE_PRIVILEGE";
+
+ public final static String OBJECT_TYPE_PRINCIPAL = "PRINCIPAL";
+ public final static String OBJECT_TYPE_ROLE = "ROLE";
+
+ public final static String TRUE = "true";
+ public final static String FALSE = "false";
+
+ public static final Map<String, String> requestTypeToOperationMap = new HashMap<String, String>();
+ public static final Map<String, String> requestTypeToObjectTypeMap = new HashMap<String, String>();
+
+ static {
+ requestTypeToOperationMap.put(TCreateSentryRoleRequest.class.getName(),
+ Constants.OPERATION_CREATE_ROLE);
+ requestTypeToOperationMap.put(
+ TAlterSentryRoleGrantPrivilegeRequest.class.getName(),
+ Constants.OPERATION_GRANT_PRIVILEGE);
+ requestTypeToOperationMap.put(
+ TAlterSentryRoleRevokePrivilegeRequest.class.getName(),
+ Constants.OPERATION_REVOKE_PRIVILEGE);
+ requestTypeToOperationMap.put(TDropSentryRoleRequest.class.getName(),
+ Constants.OPERATION_DROP_ROLE);
+ requestTypeToOperationMap.put(
+ TAlterSentryRoleAddGroupsRequest.class.getName(),
+ Constants.OPERATION_ADD_ROLE);
+ requestTypeToOperationMap.put(
+ TAlterSentryRoleDeleteGroupsRequest.class.getName(),
+ Constants.OPERATION_DELETE_ROLE);
+
+ requestTypeToObjectTypeMap.put(TCreateSentryRoleRequest.class.getName(),
+ Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap.put(TDropSentryRoleRequest.class.getName(),
+ Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap.put(
+ TAlterSentryRoleAddGroupsRequest.class.getName(),
+ Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap.put(
+ TAlterSentryRoleDeleteGroupsRequest.class.getName(),
+ Constants.OBJECT_TYPE_ROLE);
+ requestTypeToObjectTypeMap.put(
+ TAlterSentryRoleGrantPrivilegeRequest.class.getName(),
+ Constants.OBJECT_TYPE_PRINCIPAL);
+ requestTypeToObjectTypeMap.put(
+ TAlterSentryRoleRevokePrivilegeRequest.class.getName(),
+ Constants.OBJECT_TYPE_PRINCIPAL);
+ }
+}
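Review bot: `OPERATION_GRANT_PRIVILEGE` is defined as `"GRANTE_PRIVILEGE"` (L711), and this string is the `operation` value written into every grant audit line, so any consumer filtering on `GRANT_PRIVILEGE` will miss all grants; fix to `public final static String OPERATION_GRANT_PRIVILEGE = "GRANT_PRIVILEGE";` (tests in this commit that pin the value, not shown here, would need the same change). `requestTypeToOperationMap` and `requestTypeToObjectTypeMap` are `public static final` but mutable `HashMap`s, so any code on the classpath can re-label how an audit record is classified; populate private backing maps in the static block and expose them through `Collections.unmodifiableMap(...)`. The `final static` modifier order is also inconsistent with the `static final` used on the two maps.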
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 1b05db3..5848e30 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -32,6 +32,8 @@ import org.apache.sentry.provider.db.SentryAccessDeniedException;
import org.apache.sentry.provider.db.SentryAlreadyExistsException;
import org.apache.sentry.provider.db.SentryInvalidInputException;
import org.apache.sentry.provider.db.SentryNoSuchObjectException;
+import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory;
+import org.apache.sentry.provider.db.log.util.Constants;
import org.apache.sentry.provider.db.service.persistent.CommitContext;
import org.apache.sentry.provider.db.service.persistent.SentryStore;
import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
@@ -52,6 +54,7 @@ import com.google.common.collect.Sets;
@SuppressWarnings("unused")
public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
private static final Logger LOGGER = LoggerFactory.getLogger(SentryPolicyStoreProcessor.class);
+ private static final Logger AUDIT_LOGGER = LoggerFactory.getLogger(Constants.AUDIT_LOGGER_NAME);
public static final String SENTRY_POLICY_SERVICE_NAME = "SentryPolicyService";
@@ -158,6 +161,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
LOGGER.error(msg, e);
response.setStatus(Status.RuntimeError(msg, e));
}
+
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf).toJsonFormatLog());
return response;
}
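Review bot: The audit call added here, and identically in the hunks at `@@ -191`, `@@ -227`, `@@ -254`, `@@ -281` and `@@ -308`, runs after the store operation has completed and outside the method's try/catch, so a RuntimeException raised while building the entity (a null privilege or a missing map entry in the factory, for instance) propagates out of the Thrift method and reports a failure for a change that already committed, while also leaving no audit line. Whether an audit-generation failure should fail the request is a policy decision for the project, but it should be explicit rather than incidental, and the six identical blocks are a strong hint that this belongs in one private helper. The enclosing methods start outside these hunks. Sketch of the guarded form for one method; the helper could take the already-built `JsonLogEntity` if the creation is kept inline.

```java
    // … unchanged: catch blocks that set the response status …
    try {
      AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
          request, response, conf).toJsonFormatLog());
    } catch (RuntimeException e) {
      // The change is already committed; make the missing audit record visible
      // instead of turning it into a client-facing failure.
      LOGGER.error("Failed to generate audit log for " + request.getClass().getName(), e);
    }
    return response;
```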
@@ -191,6 +197,8 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
response.setStatus(Status.RuntimeError(msg, e));
}
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf).toJsonFormatLog());
return response;
}
@@ -227,6 +235,8 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
response.setStatus(Status.RuntimeError(msg, e));
}
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf).toJsonFormatLog());
return response;
}
@@ -254,6 +264,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
LOGGER.error(msg, e);
response.setStatus(Status.RuntimeError(msg, e));
}
+
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf).toJsonFormatLog());
return response;
}
@@ -281,6 +294,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
LOGGER.error(msg, e);
response.setStatus(Status.RuntimeError(msg, e));
}
+
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf).toJsonFormatLog());
return response;
}
@@ -308,6 +324,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
LOGGER.error(msg, e);
response.setStatus(Status.RuntimeError(msg, e));
}
+
+ AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
+ request, response, conf).toJsonFormatLog());
return response;
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
index b37db2b..691c1fb 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
@@ -32,7 +32,7 @@ public class SentryPolicyStoreProcessorFactory extends ProcessorFactory {
new SentryPolicyStoreProcessor(SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME,
conf);
TProcessor processor =
- new SentryPolicyService.Processor<SentryPolicyService.Iface>(sentryServiceHandler);
+ new SentryProcessorWrapper<SentryPolicyService.Iface>(sentryServiceHandler);
multiplexedProcessor.registerProcessor(SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME, processor);
return true;
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
new file mode 100644
index 0000000..33e741d
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
@@ -0,0 +1,83 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import java.net.Socket;
+
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.thrift.TException;
+import org.apache.thrift.protocol.TProtocol;
+import org.apache.thrift.transport.TSaslClientTransport;
+import org.apache.thrift.transport.TSaslServerTransport;
+import org.apache.thrift.transport.TSocket;
+import org.apache.thrift.transport.TTransport;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SentryProcessorWrapper<I extends SentryPolicyService.Iface> extends
+ SentryPolicyService.Processor<SentryPolicyService.Iface> {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryProcessorWrapper.class);
+
+ public SentryProcessorWrapper(I iface) {
+ super(iface);
+ }
+
+ @Override
+ public boolean process(TProtocol in, TProtocol out) throws TException {
+ setIpAddress(in);
+ setImpersonator(in);
+ return super.process(in, out);
+ }
+
+ private void setImpersonator(final TProtocol in) {
+ TTransport transport = in.getTransport();
+ if (transport instanceof TSaslServerTransport) {
+ String impersonator = ((TSaslServerTransport) transport).getSaslServer().getAuthorizationID();
+ CommandUtil.setImpersonator(impersonator);
+ }
+ }
+
+ private void setIpAddress(final TProtocol in) {
+ TTransport transport = in.getTransport();
+ TSocket tSocket = getUnderlyingSocketFromTransport(transport);
+ if (tSocket != null) {
+ setIpAddress(tSocket.getSocket());
+ } else {
+ LOGGER.warn("Unknown Transport, cannot determine ipAddress");
+ }
+ }
+
+ private void setIpAddress(Socket socket) {
+ CommandUtil.setIpAddress(socket.getInetAddress().toString());
+ }
+
+ private TSocket getUnderlyingSocketFromTransport(TTransport transport) {
+ if (transport != null) {
+ if (transport instanceof TSaslServerTransport) {
+ transport = ((TSaslServerTransport) transport).getUnderlyingTransport();
+ } else if (transport instanceof TSaslClientTransport) {
+ transport = ((TSaslClientTransport) transport).getUnderlyingTransport();
+ } else if (transport instanceof TSocket) {
+ return (TSocket) transport;
+ }
+ }
+ return null;
+ }
+}
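Review bot: getUnderlyingSocketFromTransport() never returns the socket for a SASL-wrapped connection: the `if / else if` chain unwraps a TSaslServerTransport or TSaslClientTransport into `transport` and then falls straight through to `return null`, so in exactly the secured deployments this audit feature targets, setIpAddress() always logs "Unknown Transport" and the audit record carries no client address. Looping until a TSocket (or an unknown wrapper) is reached fixes it. Separately, setIpAddress(Socket) calls `socket.getInetAddress().toString()` without a null check, and neither setIpAddress() nor setImpersonator() clears the previous value when the transport is not recognised or not SASL, so whatever CommandUtil stored for the previous request on that thread (CommandUtil is outside this hunk; if its fields are plain statics rather than ThreadLocal the attribution problem is worse) can be attributed to the current one; consider resetting both at the top of process(). The generic parameter `I` is also redundant, since the class always extends `Processor<SentryPolicyService.Iface>`.
```java
  private TSocket getUnderlyingSocketFromTransport(TTransport transport) {
    // Peel SASL wrappers until the raw socket is reached; stop on any other wrapper type.
    while (transport != null) {
      if (transport instanceof TSaslServerTransport) {
        transport = ((TSaslServerTransport) transport).getUnderlyingTransport();
      } else if (transport instanceof TSaslClientTransport) {
        transport = ((TSaslClientTransport) transport).getUnderlyingTransport();
      } else if (transport instanceof TSocket) {
        return (TSocket) transport;
      } else {
        return null;
      }
    }
    return null;
  }
```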
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
index 111fabf..52eaeed 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
@@ -89,6 +89,9 @@ public class ServiceConstants {
public static final String SENTRY_VERIFY_SCHEM_VERSION = "sentry.verify.schema.version";
public static final String SENTRY_VERIFY_SCHEM_VERSION_DEFAULT = "true";
+ public static final String SENTRY_SERVICE_NAME = "sentry.service.name";
+ public static final String SENTRY_SERVICE_NAME_DEFAULT = "Sentry-Service";
+
public static final String SENTRY_STORE_GROUP_MAPPING = "sentry.store.group.mapping";
public static final String SENTRY_STORE_GROUP_MAPPING_RESOURCE = "sentry.store.group.mapping.resource";
public static final String SENTRY_STORE_HADOOP_GROUP_MAPPING = "org.apache.sentry.provider.common.HadoopGroupMappingService";
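Review bot: The two new constants have no comment saying what the configured name is used for, unlike a reader of the audit output who will see it in every record. Based on the accompanying tests, which set SENTRY_SERVICE_NAME and then assert the entity's serviceName, a one-liner above SENTRY_SERVICE_NAME would suffice: `/** Name under which this service identifies itself in the audit log's serviceName field. */`.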
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java
new file mode 100644
index 0000000..cd0a435
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import junit.framework.TestCase;
+
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.codehaus.jackson.JsonNode;
+import org.codehaus.jackson.node.ContainerNode;
+import org.junit.Test;
+
+public class TestAuditMetadataLogEntity extends TestCase {
+
+ @Test
+ public void testToJsonFormatLog() throws Throwable {
+ AuditMetadataLogEntity amle = new AuditMetadataLogEntity("serviceName",
+ "userName", "impersonator", "ipAddress", "operation", "eventTime",
+ "operationText", "allowed", "databaseName", "tableName",
+ "resourcePath", "objectType");
+ String jsonAuditLog = amle.toJsonFormatLog();
+ ContainerNode rootNode = AuditMetadataLogEntity.parse(jsonAuditLog);
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_SERVICE_NAME, "serviceName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_USER_NAME, "userName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_IMPERSONATOR,
+ "impersonator");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_IP_ADDRESS, "ipAddress");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION, "operation");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_EVENT_TIME, "eventTime");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION_TEXT,
+ "operationText");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_ALLOWED, "allowed");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_DATABASE_NAME,
+ "databaseName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_TABLE_NAME, "tableName");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_RESOURCE_PATH,
+ "resourcePath");
+ assertEntryEquals(rootNode, Constants.LOG_FIELD_OBJECT_TYPE, "objectType");
+ }
+
+ void assertEntryEquals(ContainerNode rootNode, String key, String value) {
+ JsonNode node = assertNodeContains(rootNode, key);
+ assertEquals(value, node.getTextValue());
+ }
+
+ private JsonNode assertNodeContains(ContainerNode rootNode, String key) {
+ JsonNode node = rootNode.get(key);
+ if (node == null) {
+ fail("No entry of name \"" + key + "\" found in " + rootNode.toString());
+ }
+ return node;
+ }
+}
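Review bot: The class extends junit.framework.TestCase while also annotating the method with JUnit 4's @Test; with TestCase in the hierarchy the JUnit 3 runner is used and the annotation is ignored, so the test only runs because its name starts with "test". Pick one style, most simply by dropping `extends TestCase` and statically importing the assertions, and apply the same to TestCommandUtil in the hunk starting at L1335, which has the same mix. Minor points: `assertEntryEquals` should be `private` like its sibling, and `throws Throwable` on the test is broader than anything the body can throw.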
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
new file mode 100644
index 0000000..fc9c716
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
@@ -0,0 +1,293 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import static junit.framework.Assert.assertEquals;
+
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.log4j.Logger;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeResponse;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.Status;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestJsonLogEntityFactory {
+
+ private static Configuration conf;
+ private Logger sentryLogger = Logger.getRootLogger();
+
+ private static String TEST_IP = "localhost/127.0.0.1";
+ private static String TEST_IMPERSONATOR = "impersonator";
+ private static String TEST_ROLE_NAME = "testRole";
+ private static String TEST_USER_NAME = "requestUser";
+ private static String TEST_DATABASE_NAME = "testDB";
+ private static String TEST_TABLE_NAME = "testTable";
+ private static String TEST_GROUP = "testGroup";
+
+ @BeforeClass
+ public static void init() {
+ conf = new Configuration();
+ conf.set(ServerConfig.SENTRY_SERVICE_NAME,
+ ServerConfig.SENTRY_SERVICE_NAME_DEFAULT);
+ CommandUtil.setIpAddress(TEST_IP);
+ CommandUtil.setImpersonator(TEST_IMPERSONATOR);
+ }
+
+ @Test
+ public void testCreateRole() {
+ TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+ TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ response.setStatus(Status.OK());
+ AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_CREATE_ROLE,
+ "CREATE ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
+ sentryLogger.debug(amle.toJsonFormatLog());
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_CREATE_ROLE,
+ "CREATE ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
+ sentryLogger.debug(amle.toJsonFormatLog());
+ }
+
+ @Test
+ public void testDropRole() {
+ TDropSentryRoleRequest request = new TDropSentryRoleRequest();
+ TDropSentryRoleResponse response = new TDropSentryRoleResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ response.setStatus(Status.OK());
+ AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_DROP_ROLE,
+ "DROP ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
+ sentryLogger.debug(amle.toJsonFormatLog());
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_DROP_ROLE,
+ "DROP ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
+ sentryLogger.debug(amle.toJsonFormatLog());
+ }
+
+ @Test
+ public void testGrantRole() {
+ TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+
+ TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
+ PrivilegeScope.DATABASE.name(), TEST_DATABASE_NAME, null, null, null);
+ request.setPrivilege(privilege);
+ response.setStatus(Status.OK());
+ AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_GRANT_PRIVILEGE,
+ "GRANT ALL ON DATABASE testDB TO ROLE testRole", TEST_DATABASE_NAME,
+ null, null, Constants.OBJECT_TYPE_PRINCIPAL);
+ sentryLogger.debug(amle.toJsonFormatLog());
+
+ privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(),
+ null, TEST_TABLE_NAME, null, null);
+ request.setPrivilege(privilege);
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_GRANT_PRIVILEGE,
+ "GRANT ALL ON TABLE testTable TO ROLE testRole", null, TEST_TABLE_NAME,
+ null, Constants.OBJECT_TYPE_PRINCIPAL);
+ sentryLogger.debug(amle.toJsonFormatLog());
+ }
+
+ @Test
+ public void testRevokeRole() {
+ TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
+ PrivilegeScope.DATABASE.name(), TEST_DATABASE_NAME, null, null, null);
+ request.setPrivilege(privilege);
+ response.setStatus(Status.OK());
+ AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_REVOKE_PRIVILEGE,
+ "REVOKE ALL ON DATABASE testDB FROM ROLE testRole", TEST_DATABASE_NAME,
+ null, null, Constants.OBJECT_TYPE_PRINCIPAL);
+ sentryLogger.debug(amle.toJsonFormatLog());
+
+ privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(),
+ null, TEST_TABLE_NAME, null, null);
+ request.setPrivilege(privilege);
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_REVOKE_PRIVILEGE,
+ "REVOKE ALL ON TABLE testTable FROM ROLE testRole", null,
+ TEST_TABLE_NAME, null, Constants.OBJECT_TYPE_PRINCIPAL);
+ sentryLogger.debug(amle.toJsonFormatLog());
+ }
+
+ @Test
+ public void testAddRole() {
+ TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+ TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ request.setGroups(getGroups());
+ response.setStatus(Status.OK());
+ AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_ADD_ROLE,
+ "GRANT ROLE testRole TO GROUP testGroup", null, null, null,
+ Constants.OBJECT_TYPE_ROLE);
+ sentryLogger.debug(amle.toJsonFormatLog());
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_ADD_ROLE,
+ "GRANT ROLE testRole TO GROUP testGroup", null, null, null,
+ Constants.OBJECT_TYPE_ROLE);
+ sentryLogger.debug(amle.toJsonFormatLog());
+ }
+
+ @Test
+ public void testDeleteRole() {
+ TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+ TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
+ request.setRequestorUserName(TEST_USER_NAME);
+ request.setRoleName(TEST_ROLE_NAME);
+ request.setGroups(getGroups());
+ response.setStatus(Status.OK());
+ AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+ .getInstance().createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.TRUE, Constants.OPERATION_DELETE_ROLE,
+ "REVOKE ROLE testRole FROM GROUP testGroup", null, null, null,
+ Constants.OBJECT_TYPE_ROLE);
+ sentryLogger.debug(amle.toJsonFormatLog());
+
+ response.setStatus(Status.InvalidInput("", null));
+ amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+ .createJsonLogEntity(request, response, conf);
+ assertCommon(amle, Constants.FALSE, Constants.OPERATION_DELETE_ROLE,
+ "REVOKE ROLE testRole FROM GROUP testGroup", null, null, null,
+ Constants.OBJECT_TYPE_ROLE);
+ sentryLogger.debug(amle.toJsonFormatLog());
+ }
+
+ private void assertCommon(AuditMetadataLogEntity amle,
+ String allowedExcepted, String operationExcepted,
+ String operationTextExcepted, String databaseNameExcepted,
+ String tableNameExcepted, String resourcePathExcepted,
+ String objectTypeExcepted) {
+ assertEquals(ServerConfig.SENTRY_SERVICE_NAME_DEFAULT,
+ amle.getServiceName());
+ assertEquals(TEST_IP, amle.getIpAddress());
+ assertEquals(TEST_USER_NAME, amle.getUserName());
+ assertEquals(TEST_IMPERSONATOR, amle.getImpersonator());
+ assertEquals(allowedExcepted, amle.getAllowed());
+ assertEquals(operationExcepted, amle.getOperation());
+ assertEquals(operationTextExcepted, amle.getOperationText());
+ assertEquals(tableNameExcepted, amle.getTableName());
+ assertEquals(databaseNameExcepted, amle.getDatabaseName());
+ assertEquals(resourcePathExcepted, amle.getResourcePath());
+ assertEquals(objectTypeExcepted, amle.getObjectType());
+ }
+
+ // private TAlterSentryRoleGrantPrivilegeRequest getGrantPrivilegeRequest() {
+ // TAlterSentryRoleGrantPrivilegeRequest request = new
+ // TAlterSentryRoleGrantPrivilegeRequest();
+ // request.setRoleName(TEST_ROLE_NAME);
+ // return request;
+ // }
+ //
+ // private TAlterSentryRoleGrantPrivilegeResponse getGrantPrivilegeResponse(
+ // TSentryResponseStatus status) {
+ // TAlterSentryRoleGrantPrivilegeResponse response = new
+ // TAlterSentryRoleGrantPrivilegeResponse();
+ // response.setStatus(status);
+ // return response;
+ // }
+
+ // private TAlterSentryRoleRevokePrivilegeRequest getRevokePrivilegeRequest()
+ // {
+ // TAlterSentryRoleRevokePrivilegeRequest request = new
+ // TAlterSentryRoleRevokePrivilegeRequest();
+ // request.setRoleName(TEST_ROLE_NAME);
+ // return request;
+ // }
+ //
+ // private TAlterSentryRoleRevokePrivilegeResponse getRevokePrivilegeResponse(
+ // TSentryResponseStatus status) {
+ // TAlterSentryRoleRevokePrivilegeResponse response = new
+ // TAlterSentryRoleRevokePrivilegeResponse();
+ // response.setStatus(status);
+ // return response;
+ // }
+
+ private TSentryPrivilege getPrivilege(String action, String privilegeScope,
+ String dbName, String tableName, String serverName, String URI) {
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setAction(action);
+ privilege.setPrivilegeScope(privilegeScope);
+ privilege.setDbName(dbName);
+ privilege.setTableName(tableName);
+ privilege.setServerName(serverName);
+ privilege.setURI(URI);
+ return privilege;
+ }
+
+ private Set<TSentryGroup> getGroups() {
+ Set<TSentryGroup> groups = new LinkedHashSet<TSentryGroup>();
+ TSentryGroup group = new TSentryGroup();
+ group.setGroupName(TEST_GROUP);
+ groups.add(group);
+ return groups;
+ }
+}
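Review bot: The commented-out helper methods between assertCommon() and getPrivilege() should be deleted rather than committed; version control keeps them if they are ever needed. The assertCommon() parameters are consistently misspelled (`allowedExcepted`, `operationExcepted`, ...) where `allowedExpected` etc. is meant, and the `TEST_*` static strings should be `static final`. The `sentryLogger.debug(amle.toJsonFormatLog())` calls on the log4j root logger add nothing the assertions do not already check and can be removed.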
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
new file mode 100644
index 0000000..392289c
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
@@ -0,0 +1,303 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.util;
+
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+import junit.framework.TestCase;
+
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.junit.Test;
+
+public class TestCommandUtil extends TestCase {
+
+ @Test
+ public void testCreateCmdForCreateOrDropRole() {
+ String roleName = "testRole";
+
+ String createRoleCmdResult = CommandUtil.createCmdForCreateOrDropRole(
+ roleName, true);
+ String dropRoleCmdResult = CommandUtil.createCmdForCreateOrDropRole(
+ roleName, false);
+ String createRoleCmdExcepted = "CREATE ROLE testRole";
+ String dropRoleCmdExcepted = "DROP ROLE testRole";
+
+ assertEquals(createRoleCmdExcepted, createRoleCmdResult);
+ assertEquals(dropRoleCmdResult, dropRoleCmdExcepted);
+ }
+
+ @Test
+ public void testCreateCmdForRoleAddOrDeleteGroup1() {
+
+ TAlterSentryRoleAddGroupsRequest requestAdd = getRoleAddGroupsRequest();
+ TAlterSentryRoleDeleteGroupsRequest requestDelete = getRoleDeleteGroupsRequest();
+
+ Set<TSentryGroup> groups = getGroups(1);
+ requestAdd.setGroups(groups);
+ requestDelete.setGroups(groups);
+
+ String createRoleAddGroupCmdResult = CommandUtil
+ .createCmdForRoleAddGroup(requestAdd);
+ String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO GROUP testGroup1";
+ String createRoleDeleteGroupCmdResult = CommandUtil
+ .createCmdForRoleDeleteGroup(requestDelete);
+ String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM GROUP testGroup1";
+
+ assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
+ assertEquals(createRoleDeleteGroupCmdExcepted,
+ createRoleDeleteGroupCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForRoleAddOrDeleteGroup2() {
+
+ TAlterSentryRoleAddGroupsRequest requestAdd = getRoleAddGroupsRequest();
+ TAlterSentryRoleDeleteGroupsRequest requestDelete = getRoleDeleteGroupsRequest();
+
+ Set<TSentryGroup> groups = getGroups(3);
+ requestAdd.setGroups(groups);
+ requestDelete.setGroups(groups);
+
+ String createRoleAddGroupCmdResult = CommandUtil
+ .createCmdForRoleAddGroup(requestAdd);
+ String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO GROUP testGroup1, testGroup2, testGroup3";
+ String createRoleDeleteGroupCmdResult = CommandUtil
+ .createCmdForRoleDeleteGroup(requestDelete);
+ String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM GROUP testGroup1, testGroup2, testGroup3";
+
+ assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
+ assertEquals(createRoleDeleteGroupCmdExcepted,
+ createRoleDeleteGroupCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege1() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
+ PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT ALL ON DATABASE dbTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE ALL ON DATABASE dbTest FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege2() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.INSERT,
+ PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT INSERT ON DATABASE dbTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE INSERT ON DATABASE dbTest FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege3() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+ PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON DATABASE dbTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON DATABASE dbTest FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege4() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(null,
+ PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT null ON DATABASE dbTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE null ON DATABASE dbTest FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege5() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+ PrivilegeScope.TABLE.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON TABLE tableTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON TABLE tableTest FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege6() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+ PrivilegeScope.SERVER.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON SERVER serverTest TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON SERVER serverTest FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ @Test
+ public void testCreateCmdForGrantOrRevokePrivilege7() {
+ TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+ TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+ TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+ PrivilegeScope.URI.name(), "dbTest", "tableTest", "serverTest",
+ "hdfs://namenode:port/path/to/dir");
+ grantRequest.setPrivilege(privilege);
+ revokeRequest.setPrivilege(privilege);
+
+ String createGrantPrivilegeCmdResult = CommandUtil
+ .createCmdForGrantPrivilege(grantRequest);
+ String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON URI hdfs://namenode:port/path/to/dir TO ROLE testRole";
+ String createRevokePrivilegeCmdResult = CommandUtil
+ .createCmdForRevokePrivilege(revokeRequest);
+ String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON URI hdfs://namenode:port/path/to/dir FROM ROLE testRole";
+
+ assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+ assertEquals(createRevokePrivilegeCmdExcepted,
+ createRevokePrivilegeCmdResult);
+ }
+
+ private TAlterSentryRoleAddGroupsRequest getRoleAddGroupsRequest() {
+ TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private TAlterSentryRoleDeleteGroupsRequest getRoleDeleteGroupsRequest() {
+ TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private Set<TSentryGroup> getGroups(int num) {
+ Set<TSentryGroup> groups = new LinkedHashSet<TSentryGroup>();
+ for (int i = 0; i < num; i++) {
+ TSentryGroup group = new TSentryGroup();
+ group.setGroupName("testGroup" + (i + 1));
+ groups.add(group);
+ }
+ return groups;
+ }
+
+ private TAlterSentryRoleGrantPrivilegeRequest getGrantPrivilegeRequest() {
+ TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private TAlterSentryRoleRevokePrivilegeRequest getRevokePrivilegeRequest() {
+ TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
+ request.setRoleName("testRole");
+ return request;
+ }
+
+ private TSentryPrivilege getPrivilege(String action, String privilegeScope,
+ String dbName, String tableName, String serverName, String URI) {
+ TSentryPrivilege privilege = new TSentryPrivilege();
+ privilege.setAction(action);
+ privilege.setPrivilegeScope(privilegeScope);
+ privilege.setDbName(dbName);
+ privilege.setTableName(tableName);
+ privilege.setServerName(serverName);
+ privilege.setURI(URI);
+ return privilege;
+ }
+}
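Review bot: `assertEquals(dropRoleCmdResult, dropRoleCmdExcepted)` in testCreateCmdForCreateOrDropRole has the expected and actual arguments swapped relative to the line just above it, so a failure would report the two values backwards; it should read `assertEquals(dropRoleCmdExcepted, dropRoleCmdResult);`. testCreateCmdForGrantOrRevokePrivilege4 pins `"GRANT null ON DATABASE dbTest TO ROLE testRole"` as the expected audit command for a privilege with no action, which locks a misleading audit record into the contract rather than a rejection or an explicit marker; a comment such as `// TODO: decide whether a missing action should be audited as "null" or rejected` would flag that this is not a settled expectation (CommandUtil itself is not visible in this hunk). None of the cases use role, group or URI values containing whitespace or newlines, which is what determines whether one audit entry can be split or spoofed in the log, so one such case would be worth adding to pin that behaviour. The class extends junit.framework.TestCase while also using the JUnit 4 `@Test` annotation, which is redundant under the JUnit 3 runner; pick one style. The identifier suffix `Excepted` used throughout presumably means `Expected`.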