From pras...@apache.org
Subject [1/2] git commit: SENTRY-488: Sentry list_sentry_privileges_by_authorizable API does not filter out roles/privileges for some cases. (Arun Suresh via Prasad Mujumdar)
Date Sat, 04 Oct 2014 08:47:53 GMT
Repository: incubator-sentry
Updated Branches:
  refs/heads/master 642037105 -> af221d152


SENTRY-488: Sentry list_sentry_privileges_by_authorizable API does not filter out roles/privileges
for some cases. (Arun Suresh via Prasad Mujumdar)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/561b3c8a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/561b3c8a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/561b3c8a

Branch: refs/heads/master
Commit: 561b3c8a9620aa070030440ebdce045c9c23fd33
Parents: 6420371
Author: Prasad Mujumdar <prasadm@cloudera.com>
Authored: Sat Oct 4 01:38:02 2014 -0700
Committer: Prasad Mujumdar <prasadm@cloudera.com>
Committed: Sat Oct 4 01:38:02 2014 -0700

----------------------------------------------------------------------
 .../db/service/persistent/SentryStore.java      | 33 ++++++++++++--------
 .../thrift/SentryPolicyStoreProcessor.java      |  3 +-
 .../thrift/TestSentryServiceIntegration.java    | 16 ++++++++++
 3 files changed, 38 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/561b3c8a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 350eb32..85a4947 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -820,7 +820,7 @@ public class SentryStore {
 
   public TSentryPrivilegeMap listSentryPrivilegesByAuthorizable(
       Set<String> groups, TSentryActiveRoleSet activeRoles,
-      TSentryAuthorizable authHierarchy)
+      TSentryAuthorizable authHierarchy, boolean isAdmin)
       throws SentryInvalidInputException {
     Map<String, Set<TSentryPrivilege>> resultPrivilegeMap = Maps.newTreeMap();
     Set<String> roles = Sets.newHashSet();
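Review bot: The new `isAdmin` parameter on `listSentryPrivilegesByAuthorizable` is undocumented, and its effect is not obvious from the signature: in the body below it decides whether an empty role set is treated as a wildcard over all roles or as "nothing to return". A Javadoc line such as `@param isAdmin true when the requesting user is in an admin group; only then does an empty role set act as a wildcard over all roles` would keep callers from passing `true` for a non-admin requestor. The method's Javadoc, if any, sits above the hunk and its body continues past it.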
@@ -828,20 +828,27 @@ public class SentryStore {
       roles = getRolesToQuery(groups, new TSentryActiveRoleSet(true, null));
     }
     if (activeRoles != null && !activeRoles.isAll()) {
-      roles.addAll(activeRoles.getRoles());
+      // need to check/convert to lowercase here since this is from user input
+      for (String aRole : activeRoles.getRoles()) {
+        roles.add(aRole.toLowerCase());
+      }
     }
 
-    List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivilegesByAuth(roles,
-        authHierarchy);
-    for (MSentryPrivilege priv : mSentryPrivileges) {
-      for (MSentryRole role : priv.getRoles()) {
-        TSentryPrivilege tPriv = convertToTSentryPrivilege(priv);
-        if (resultPrivilegeMap.containsKey(role.getRoleName())) {
-          resultPrivilegeMap.get(role.getRoleName()).add(tPriv);
-        } else {
-          Set<TSentryPrivilege> tPrivSet = Sets.newTreeSet();
-          tPrivSet.add(tPriv);
-          resultPrivilegeMap.put(role.getRoleName(), tPrivSet);
+    // An empty 'roles' is a treated as a wildcard (in case of admin role)..
+    // so if not admin, don't return anything if 'roles' is empty..
+    if (isAdmin || !roles.isEmpty()) {
+      List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivilegesByAuth(roles,
+          authHierarchy);
+      for (MSentryPrivilege priv : mSentryPrivileges) {
+        for (MSentryRole role : priv.getRoles()) {
+          TSentryPrivilege tPriv = convertToTSentryPrivilege(priv);
+          if (resultPrivilegeMap.containsKey(role.getRoleName())) {
+            resultPrivilegeMap.get(role.getRoleName()).add(tPriv);
+          } else {
+            Set<TSentryPrivilege> tPrivSet = Sets.newTreeSet();
+            tPrivSet.add(tPriv);
+            resultPrivilegeMap.put(role.getRoleName(), tPrivSet);
+          }
         }
       }
     }
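Review bot: `aRole.toLowerCase()` in the new loop over `activeRoles.getRoles()` uses the JVM default locale, so under a locale such as Turkish an upper-case `I` in a requested role name would not fold to the `i` under which the role was stored and the lookup would silently miss; use `roles.add(aRole.toLowerCase(Locale.ROOT));` (importing `java.util.Locale`), or whichever helper the store applies when it normalizes role names on write, so both sides agree. Separately, the caller-supplied roles are unioned into `roles` alongside the group-derived ones rather than intersected with them, so the `!roles.isEmpty()` guard only suppresses the query when the caller supplied no roles at all; that is only safe if the caller has already verified that the requestor actually holds each requested role, which this hunk cannot confirm because the processor's checks lie outside it. A `// assumes activeRoles was validated against the requestor's groups by the caller` comment at the loop would make that contract explicit. The guard comment also reads "is a treated as" — drop the stray "a".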

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/561b3c8a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 67dc1f8..b54e12e 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -569,10 +569,11 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface
{
         }
       }
 
+      // If user is not part of any group.. return empty response
       for (TSentryAuthorizable authorizable : request.getAuthorizableSet()) {
         authRoleMap.put(authorizable, sentryStore
             .listSentryPrivilegesByAuthorizable(requestedGroups,
-                request.getRoleSet(), authorizable));
+                request.getRoleSet(), authorizable, inAdminGroups(memberGroups)));
       }
       response.setPrivilegesMapByAuth(authRoleMap);
       response.setStatus(Status.OK());
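Review bot: The new comment `// If user is not part of any group.. return empty response` sits above a loop that does not itself return anything; the empty result is produced inside `SentryStore` through the `isAdmin` flag, so the comment should say so, e.g. `// non-admins whose groups hold no roles get an empty map from the store (isAdmin controls the wildcard)`. `inAdminGroups(memberGroups)` is also re-evaluated on every iteration of the authorizable loop although its input does not change; compute `boolean isAdmin = inAdminGroups(memberGroups);` once before the loop and pass `isAdmin` instead. The enclosing method starts before the hunk.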

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/561b3c8a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index 95c908f..ff6cff4 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
@@ -22,6 +22,7 @@ import static junit.framework.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -317,6 +318,11 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase
{
     String db2 = "testDB2";
     String tab = "testTab";
     setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+    String group1user = "group1user";
+    setLocalGroupMapping(group1user, Sets.newHashSet(group1));
+    String group2user = "group2user";
+    setLocalGroupMapping(group2user, Sets.newHashSet(group2));
+    setLocalGroupMapping("random", Sets.newHashSet("foo"));
     writePolicyFile();
 
     client.dropRoleIfExists(requestorUserName, roleName1);
@@ -389,6 +395,16 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase
{
     authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
         testGroupSet, ActiveRoleSet.ALL);
     assertEquals(expectedResults, authPrivMap);
+
+    // verify users not belonging to any group are not shown anything
+    authPrivMap = client
+        .listPrivilegsbyAuthorizable("random", authorizableSet,
+            new HashSet<String>(), ActiveRoleSet.ALL);
+    expectedResults.clear();
+    expectedResults.put(
+        SentryPolicyServiceClient.setupSentryAuthorizable(db1Authrizable),
+        new TSentryPrivilegeMap(new HashMap<String, Set<TSentryPrivilege>>()));
+    assertEquals(expectedResults, authPrivMap);
   }
 
   @Test
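Review bot: The comment `// verify users not belonging to any group are not shown anything` does not match the setup earlier in this test, where `random` is mapped to group `foo`; the case actually exercised is a non-admin user whose groups carry no roles, so reword it to `// verify a non-admin whose groups hold no roles is shown nothing`. The new assertion also only covers `ActiveRoleSet.ALL`, so the lowercase normalization the store now applies to explicitly requested role names is not exercised; a second call that names a role in a different case than it was created with would pin that behaviour. The enclosing test method starts before the hunk.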

