sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From s..@apache.org
Subject [25/25] incubator-sentry git commit: SENTRY-936: getGroup and getUser should always return orginal hdfs values for paths in prefix which are not sentry managed (Sravya Tirukkovalur, Reviewed by Lenni Kuff)
Date Thu, 05 Nov 2015 01:44:53 GMT
SENTRY-936: getGroup and getUser should always return orginal hdfs values for paths in prefix
which are not sentry managed (Sravya Tirukkovalur, Reviewed by Lenni Kuff)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/df4d8ec5
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/df4d8ec5
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/df4d8ec5

Branch: refs/heads/hive_plugin_v2
Commit: df4d8ec5f856889ef20f51809e34924e2869895e
Parents: 32f7c24
Author: Sravya Tirukkovalur <sravya@cloudera.com>
Authored: Thu Oct 29 18:33:32 2015 -0700
Committer: Sun Dapeng <sdp@apache.org>
Committed: Mon Nov 2 16:37:41 2015 +0800

----------------------------------------------------------------------
 .../hdfs/SentryAuthorizationProvider.java       | 51 ++++++--------------
 .../sentry/hdfs/SentryAuthorizationInfoX.java   |  4 +-
 .../hdfs/TestSentryAuthorizationProvider.java   | 14 +++++-
 3 files changed, 31 insertions(+), 38 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/df4d8ec5/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
index d167183..419ab68 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
@@ -204,16 +204,10 @@ public class SentryAuthorizationProvider
     String[] pathElements = getPathElements(node);
     if (!authzInfo.isManaged(pathElements)) {
       user = defaultAuthzProvider.getUser(node, snapshotId);
+    } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) {
+      user = defaultAuthzProvider.getUser(node, snapshotId);
     } else {
-      if (!authzInfo.isStale()) {
-        if (authzInfo.doesBelongToAuthzObject(pathElements)) {
-          user = this.user;
-        } else {
-          user = defaultAuthzProvider.getUser(node, snapshotId);
-        }
-      } else {
         user = this.user;
-      }
     }
     return user;
   }
@@ -229,16 +223,10 @@ public class SentryAuthorizationProvider
     String[] pathElements = getPathElements(node);
     if (!authzInfo.isManaged(pathElements)) {
       group = getDefaultProviderGroup(node, snapshotId);
+    } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) {
+      group = getDefaultProviderGroup(node, snapshotId);
     } else {
-      if (!authzInfo.isStale()) {
-        if (authzInfo.doesBelongToAuthzObject(pathElements)) {
-          group = this.group;
-        } else {
-          group = getDefaultProviderGroup(node, snapshotId);
-        }
-      } else {
-        group = this.group;
-      }
+      group = this.group;
     }
     return group;
   }
@@ -256,7 +244,10 @@ public class SentryAuthorizationProvider
     String[] pathElements = getPathElements(node);
     if (!authzInfo.isManaged(pathElements)) {
       permission = defaultAuthzProvider.getFsPermission(node, snapshotId);
-    } else {
+    } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) {
+      permission = defaultAuthzProvider.getFsPermission(node, snapshotId);
+    }
+     else {
       FsPermission returnPerm = this.permission;
       // Handle case when prefix directory is itself associated with an
       // authorizable object (default db directory in hive)
@@ -269,15 +260,7 @@ public class SentryAuthorizationProvider
           break;
         }
       }
-      if (!authzInfo.isStale()) {
-        if (authzInfo.doesBelongToAuthzObject(pathElements)) {
-          permission = returnPerm;
-        } else {
-          permission = defaultAuthzProvider.getFsPermission(node, snapshotId);
-        }
-      } else {
-        permission = returnPerm;
-      }
+      permission = returnPerm;
     }
     return permission;
   }
@@ -321,8 +304,12 @@ public class SentryAuthorizationProvider
     if (!authzInfo.isManaged(pathElements)) {
       isManaged = false;
       f = defaultAuthzProvider.getAclFeature(node, snapshotId);
+    } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) {
+      isManaged = true;
+      f = defaultAuthzProvider.getAclFeature(node, snapshotId);
     } else {
       isManaged = true;
+      hasAuthzObj = true;
       aclMap = new HashMap<String, AclEntry>();
       if (originalAuthzAsAcl) {
         String user = defaultAuthzProvider.getUser(node, snapshotId);
@@ -335,14 +322,8 @@ public class SentryAuthorizationProvider
       }
       if (!authzInfo.isStale()) {
         isStale = false;
-        if (authzInfo.doesBelongToAuthzObject(pathElements)) {
-          hasAuthzObj = true;
-          addToACLMap(aclMap, authzInfo.getAclEntries(pathElements));
-          f = new SentryAclFeature(ImmutableList.copyOf(aclMap.values()));
-        } else {
-          hasAuthzObj = false;
-          f = defaultAuthzProvider.getAclFeature(node, snapshotId);
-        }
+        addToACLMap(aclMap, authzInfo.getAclEntries(pathElements));
+        f = new SentryAclFeature(ImmutableList.copyOf(aclMap.values()));
       } else {
         isStale = true;
         f = new SentryAclFeature(ImmutableList.copyOf(aclMap.values()));

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/df4d8ec5/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
index 4cebed2..0ed290d 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/SentryAuthorizationInfoX.java
@@ -29,6 +29,7 @@ public class SentryAuthorizationInfoX extends SentryAuthorizationInfo {
 
   public SentryAuthorizationInfoX() {
     super(new String[]{"/user/authz"});
+    System.setProperty("test.stale", "false");
   }
 
   @Override
@@ -48,7 +49,8 @@ public class SentryAuthorizationInfoX extends SentryAuthorizationInfo {
 
   @Override
   public boolean isStale() {
-    return false;
+    String stale = System.getProperty("test.stale");
+    return stale.equalsIgnoreCase("true");
   }
 
   private static final String[] MANAGED = {"user", "authz"};

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/df4d8ec5/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
index 40b803e..fd5146f 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
@@ -133,7 +133,7 @@ public class TestSentryAuthorizationProvider {
         path = new Path("/user/authz/obj");
         Assert.assertEquals("hive", fs.getFileStatus(path).getOwner());
         Assert.assertEquals("hive", fs.getFileStatus(path).getGroup());
-        Assert.assertEquals(new FsPermission((short) 0770), fs.getFileStatus(path).getPermission());
+        Assert.assertEquals(new FsPermission((short) 0771), fs.getFileStatus(path).getPermission());
         Assert.assertFalse(fs.getAclStatus(path).getEntries().isEmpty());
 
         List<AclEntry> acls = new ArrayList<AclEntry>();
@@ -146,7 +146,7 @@ public class TestSentryAuthorizationProvider {
         path = new Path("/user/authz/obj/xxx");
         Assert.assertEquals("hive", fs.getFileStatus(path).getOwner());
         Assert.assertEquals("hive", fs.getFileStatus(path).getGroup());
-        Assert.assertEquals(new FsPermission((short) 0770), fs.getFileStatus(path).getPermission());
+        Assert.assertEquals(new FsPermission((short) 0771), fs.getFileStatus(path).getPermission());
         Assert.assertFalse(fs.getAclStatus(path).getEntries().isEmpty());
         
         Path path2 = new Path("/user/authz/obj/path2");
@@ -159,6 +159,16 @@ public class TestSentryAuthorizationProvider {
         Assert.assertEquals("supergroup", fs.getFileStatus(path).getGroup());
         Assert.assertEquals(new FsPermission((short) 0755), fs.getFileStatus(path).getPermission());
         Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty());
+
+        //stale and dir inside of prefix, obj
+        System.setProperty("test.stale", "true");
+        path = new Path("/user/authz/xxx");
+        status = fs.getFileStatus(path);
+        Assert.assertEquals(sysUser, status.getOwner());
+        Assert.assertEquals("supergroup", status.getGroup());
+        Assert.assertEquals(new FsPermission((short) 0755), status.getPermission());
+        Assert.assertTrue(fs.getAclStatus(path).getEntries().isEmpty());
+
         return null;
       }
     });


Mime
View raw message