sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From s..@apache.org
Subject [6/6] sentry git commit: SENTRY-711: Implement grant user to role (Colin Ma, reviewed by Dapeng Sun)
Date Thu, 14 Apr 2016 01:58:02 GMT
SENTRY-711: Implement grant user to role (Colin Ma, reviewed by Dapeng Sun)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/68949951
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/68949951
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/68949951

Branch: refs/heads/master
Commit: 68949951e97b206766bf3e07d24399d80799e7af
Parents: 04881fa
Author: Colin Ma <colin@apache.org>
Authored: Wed Apr 13 15:03:56 2016 +0800
Committer: Colin Ma <colin@apache.org>
Committed: Thu Apr 14 09:21:55 2016 +0800

----------------------------------------------------------------------
 .../binding/hive/HiveAuthzBindingHookBase.java  |    8 +-
 .../hive/ql/exec/SentryGrantRevokeTask.java     |   29 +-
 .../SentryHiveAuthorizationTaskFactoryImpl.java |    4 +-
 .../TestSentryHiveAuthorizationTaskFactory.java |   50 +-
 .../sentry/policy/common/PolicyEngine.java      |   29 +
 .../sentry/policy/db/SimpleDBPolicyEngine.java  |   21 +
 .../indexer/SimpleIndexerPolicyEngine.java      |   21 +-
 .../policy/kafka/SimpleKafkaPolicyEngine.java   |   20 +
 .../policy/search/SimpleSearchPolicyEngine.java |   21 +-
 .../policy/sqoop/SimpleSqoopPolicyEngine.java   |   19 +
 .../sentry/provider/cache/PrivilegeCache.java   |    7 +
 .../cache/SimpleCacheProviderBackend.java       |   11 +
 .../provider/cache/SimplePrivilegeCache.java    |    8 +
 .../provider/cache/PrivilegeCacheTestImpl.java  |    5 +
 .../sentry/provider/common/ProviderBackend.java |    8 +-
 .../common/ResourceAuthorizationProvider.java   |   13 +-
 .../provider/common/TestGetGroupMapping.java    |   19 +-
 .../db/service/thrift/SentryPolicyService.java  | 2564 +++++++++++++++++-
 .../thrift/TAlterSentryRoleAddUsersRequest.java |  740 +++++
 .../TAlterSentryRoleAddUsersResponse.java       |  390 +++
 .../TAlterSentryRoleDeleteGroupsRequest.java    |   36 +-
 .../TAlterSentryRoleDeleteUsersRequest.java     |  740 +++++
 .../TAlterSentryRoleDeleteUsersResponse.java    |  390 +++
 .../TAlterSentryRoleGrantPrivilegeRequest.java  |   36 +-
 .../TAlterSentryRoleGrantPrivilegeResponse.java |   36 +-
 .../TAlterSentryRoleRevokePrivilegeRequest.java |   36 +-
 .../TListSentryPrivilegesByAuthRequest.java     |   68 +-
 .../TListSentryPrivilegesByAuthResponse.java    |   52 +-
 ...TListSentryPrivilegesForProviderRequest.java |  198 +-
 ...ListSentryPrivilegesForProviderResponse.java |   32 +-
 .../thrift/TListSentryPrivilegesResponse.java   |   36 +-
 .../thrift/TListSentryRolesForUserRequest.java  |  587 ++++
 .../thrift/TListSentryRolesResponse.java        |   36 +-
 .../db/service/thrift/TSentryActiveRoleSet.java |   32 +-
 .../db/service/thrift/TSentryMappingData.java   |  148 +-
 .../db/service/thrift/TSentryPrivilegeMap.java  |   76 +-
 .../provider/db/service/thrift/TSentryRole.java |   36 +-
 .../provider/db/SimpleDBProviderBackend.java    |   15 +-
 .../generic/SentryGenericProviderBackend.java   |    7 +
 .../db/log/entity/JsonLogEntityFactory.java     |   40 +
 .../provider/db/log/util/CommandUtil.java       |   28 +-
 .../sentry/provider/db/log/util/Constants.java  |   22 +-
 .../provider/db/service/model/MSentryRole.java  |   29 +-
 .../provider/db/service/model/MSentryUser.java  |  116 +
 .../provider/db/service/model/package.jdo       |   78 +-
 .../db/service/persistent/SentryStore.java      |  254 +-
 .../db/service/thrift/NotificationHandler.java  |    8 +
 .../thrift/NotificationHandlerInvoker.java      |   30 +
 .../thrift/SentryPolicyServiceClient.java       |   19 +-
 .../SentryPolicyServiceClientDefaultImpl.java   |   79 +-
 .../thrift/SentryPolicyStoreProcessor.java      |  155 +-
 .../main/resources/sentry_policy_service.thrift |   37 +-
 .../provider/db/log/util/TestCommandUtil.java   |   42 +-
 .../db/service/persistent/TestSentryStore.java  |  461 +++-
 .../TestSentryServerForHaWithoutKerberos.java   |   60 +-
 .../thrift/TestSentryServerWithoutKerberos.java |   59 +-
 .../thrift/TestSentryServiceIntegration.java    |  226 ++
 .../file/SimpleFileProviderBackend.java         |    7 +
 .../tests/e2e/dbprovider/TestDbDDLAuditLog.java |   18 +
 .../e2e/dbprovider/TestGrantUserToRole.java     |  237 ++
 60 files changed, 7938 insertions(+), 651 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java
b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java
index 6df939f..a00f2d5 100644
--- a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java
+++ b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java
@@ -75,6 +75,7 @@ import org.slf4j.LoggerFactory;
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Sets;
 
 public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerHook {
   private static final Logger LOG = LoggerFactory
@@ -747,9 +748,10 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
       String userName) throws SemanticException {
     // get the original HiveAuthzBinding, and get the user's privileges by AuthorizationProvider
     AuthorizationProvider authProvider = hiveAuthzBinding.getCurrentAuthProvider();
-    Set<String> userPrivileges = authProvider.getPolicyEngine().getPrivileges(
-            authProvider.getGroupMapping().getGroups(userName), hiveAuthzBinding.getActiveRoleSet(),
-            hiveAuthzBinding.getAuthServer());
+    Set<String> userPrivileges =
+        authProvider.getPolicyEngine().getPrivileges(
+            authProvider.getGroupMapping().getGroups(userName), Sets.newHashSet(userName),
+            hiveAuthzBinding.getActiveRoleSet(), hiveAuthzBinding.getAuthServer());
 
     // create PrivilegeCache using user's privileges
     PrivilegeCache privilegeCache = new SimplePrivilegeCache(userPrivileges);

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
index cd8352a..217b7b3 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -237,11 +237,14 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements
Serializable
       } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT)) {
         Set<TSentryRole> roles;
         PrincipalType principalType = desc.getPrincipalType();
-        if (principalType != PrincipalType.GROUP) {
+        if (principalType == PrincipalType.GROUP) {
+          roles = sentryClient.listRolesByGroupName(subject, name);
+        } else if (principalType == PrincipalType.USER) {
+          roles = sentryClient.listRolesByUserName(subject, name);
+        } else {
           String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalType;
           throw new HiveException(msg);
         }
-        roles = sentryClient.listRolesByGroupName(subject, desc.getName() );
         writeToFile(writeRoleGrantsInfo(roles), desc.getResFile());
         return RETURN_CODE_SUCCESS;
       } else if(operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLES)) {
@@ -407,21 +410,35 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements
Serializable
       List<String> roles = desc.getRoles();
       // get principals
       Set<String> groups = Sets.newHashSet();
+      Set<String> users = Sets.newHashSet();
       for (PrincipalDesc principal : principals) {
-        if (principal.getType() != PrincipalType.GROUP) {
+        if (principal.getType() == PrincipalType.GROUP) {
+          groups.add(principal.getName());
+        } else if (principal.getType() == PrincipalType.USER) {
+          users.add(principal.getName());
+        } else {
           String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL +
               principal.getType();
           throw new HiveException(msg);
         }
-        groups.add(principal.getName());
       }
 
       // grant/revoke role to/from principals
       for (String roleName : roles) {
         if (grantRole) {
-          sentryClient.grantRoleToGroups(subject, roleName, groups);
+          if (groups.size() > 0) {
+            sentryClient.grantRoleToGroups(subject, roleName, groups);
+          }
+          if (users.size() > 0) {
+            sentryClient.grantRoleToUsers(subject, roleName, users);
+          }
         } else {
-          sentryClient.revokeRoleFromGroups(subject, roleName, groups);
+          if (groups.size() > 0) {
+            sentryClient.revokeRoleFromGroups(subject, roleName, groups);
+          }
+          if (users.size() > 0) {
+            sentryClient.revokeRoleFromUsers(subject, roleName, users);
+          }
         }
       }
 

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
index caf32cf..0d1db89 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
@@ -102,7 +102,7 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization
       principalType = PrincipalType.ROLE;
       break;
     }
-    if (principalType != PrincipalType.GROUP) {
+    if (principalType != PrincipalType.GROUP  && principalType != PrincipalType.USER)
{
       String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principalType;
       throw new SemanticException(msg);
     }
@@ -241,7 +241,7 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization
       roleOwnerName = SessionState.get().getAuthenticator().getUserName();
     }
     for (PrincipalDesc princ : principalDesc) {
-      if (princ.getType() != PrincipalType.GROUP) {
+      if (princ.getType() != PrincipalType.GROUP && princ.getType() != PrincipalType.USER)
{
         String msg = SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_ON_OBJECT + princ.getType();
         throw new SemanticException(msg);
       }

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java
b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java
index dfe93a5..4fcb71c 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestSentryHiveAuthorizationTaskFactory.java
@@ -17,6 +17,11 @@
  */
 package org.apache.sentry.binding.hive;
 
+import java.io.File;
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.List;
+
 import org.junit.Assert;
 
 import org.apache.commons.io.FileUtils;
@@ -54,11 +59,6 @@ import org.mockito.Mockito;
 
 import com.google.common.io.Files;
 
-import java.io.File;
-import java.io.Serializable;
-import java.util.HashMap;
-import java.util.List;
-
 public class TestSentryHiveAuthorizationTaskFactory {
 
   private static final String ALL = "ALL";
@@ -237,8 +237,20 @@ public class TestSentryHiveAuthorizationTaskFactory {
    */
   @Test
   public void testGrantRoleUser() throws Exception {
-    expectSemanticException("GRANT ROLE " + ROLE + " TO USER " + USER,
-        SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_ON_OBJECT + "USER");
+    DDLWork work = analyze(parse("GRANT ROLE " + ROLE + " TO USER " + USER));
+    GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
+    Assert.assertNotNull("Grant should not be null", grantDesc);
+    Assert.assertTrue("Expected grant ", grantDesc.getGrant());
+    Assert.assertFalse("Grant option should be false", grantDesc.isGrantOption());
+    Assert.assertEquals(currentUser, grantDesc.getGrantor());
+    Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
+    for (String role : assertSize(1, grantDesc.getRoles())) {
+      Assert.assertEquals(ROLE, role);
+    }
+    for (PrincipalDesc principal : assertSize(1, grantDesc.getPrincipalDesc())) {
+      Assert.assertEquals(PrincipalType.USER, principal.getType());
+      Assert.assertEquals(USER, principal.getName());
+    }
   }
 
   /**
@@ -277,8 +289,20 @@ public class TestSentryHiveAuthorizationTaskFactory {
    */
   @Test
   public void testRevokeRoleUser() throws Exception {
-    expectSemanticException("REVOKE ROLE " + ROLE + " FROM USER " + USER,
-        SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_ON_OBJECT + "USER");
+    DDLWork work = analyze(parse("REVOKE ROLE " + ROLE + " FROM USER " + USER));
+    GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
+    Assert.assertNotNull("Grant should not be null", grantDesc);
+    Assert.assertFalse("Did not expect grant ", grantDesc.getGrant());
+    Assert.assertFalse("Grant option is always true ", grantDesc.isGrantOption());
+    Assert.assertEquals(currentUser, grantDesc.getGrantor());
+    Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
+    for (String role : assertSize(1, grantDesc.getRoles())) {
+      Assert.assertEquals(ROLE, role);
+    }
+    for (PrincipalDesc principal : assertSize(1, grantDesc.getPrincipalDesc())) {
+      Assert.assertEquals(PrincipalType.USER, principal.getType());
+      Assert.assertEquals(USER, principal.getName());
+    }
   }
 
   /**
@@ -316,8 +340,12 @@ public class TestSentryHiveAuthorizationTaskFactory {
    */
   @Test
   public void testShowRoleGrantUser() throws Exception {
-    expectSemanticException("SHOW ROLE GRANT USER " + USER,
-        SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + "USER");
+    DDLWork work = analyze(parse("SHOW ROLE GRANT USER " + USER));
+    RoleDDLDesc roleDesc = work.getRoleDDLDesc();
+    Assert.assertNotNull("Role should not be null", roleDesc);
+    Assert.assertEquals(RoleOperation.SHOW_ROLE_GRANT, roleDesc.getOperation());
+    Assert.assertEquals(PrincipalType.USER, roleDesc.getPrincipalType());
+    Assert.assertEquals(USER, roleDesc.getName());
   }
 
   /**

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
index bbb009c..b7d8c32 100644
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
@@ -53,6 +53,20 @@ public interface PolicyEngine {
       throws SentryConfigurationException;
 
   /**
+   * Get privileges associated with groups and users. Returns Strings which can be resolved
by the
+   * caller. Strings are returned to separate the PolicyFile class from the type of privileges
used
+   * in a policy file. Additionally it is possible further processing of the privileges is
needed
+   * before resolving to a privilege object.
+   *
+   * @param group name
+   * @param user name
+   * @param active role-set
+   * @return non-null immutable set of privileges
+   */
+  ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String>
users, ActiveRoleSet roleSet)
+      throws SentryConfigurationException;
+
+  /**
    * Get privileges associated with a group. Returns Strings which can be resolved
    * by the caller. Strings are returned to separate the PolicyFile class from the
    * type of privileges used in a policy file. Additionally it is possible further
@@ -65,6 +79,21 @@ public interface PolicyEngine {
   ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet,
Authorizable... authorizableHierarchy)
       throws SentryConfigurationException;
 
+  /**
+   * Get privileges associated with groups and users. Returns Strings which can be resolved
by the
+   * caller. Strings are returned to separate the PolicyFile class from the type of privileges
used
+   * in a policy file. Additionally it is possible further processing of the privileges is
needed
+   * before resolving to a privilege object.
+   *
+   * @param group name
+   * @param user name
+   * @param active role-set
+   * @param authorizable Hierarchy (Can be null)
+   * @return non-null immutable set of privileges
+   */
+  ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users,
ActiveRoleSet roleSet,
+      Authorizable... authorizableHierarchy) throws SentryConfigurationException;
+
   void close();
 
   void validatePolicy(boolean strictValidation) throws SentryConfigurationException;

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
index b5b584f..9d25592 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
@@ -65,6 +65,12 @@ public class SimpleDBPolicyEngine implements PolicyEngine {
     return getPrivileges(groups, roleSet);
   }
 
+  @Override
+  public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String>
users,
+      ActiveRoleSet roleSet) throws SentryConfigurationException {
+    return getPrivileges(groups, users, roleSet);
+  }
+
   /**
    * {@inheritDoc}
    */
@@ -82,6 +88,21 @@ public class SimpleDBPolicyEngine implements PolicyEngine {
   }
 
   @Override
+  public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String>
users,
+      ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
+      throws SentryConfigurationException {
+    if (LOGGER.isDebugEnabled()) {
+      LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users);
+    }
+    ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet,
+        authorizableHierarchy);
+    if (LOGGER.isDebugEnabled()) {
+      LOGGER.debug("result = " + result);
+    }
+    return result;
+  }
+
+  @Override
   public void validatePolicy(boolean strictValidation) throws SentryConfigurationException
{
     this.providerBackend.validatePolicy(strictValidation);
   }

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java
b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java
index 2f4bc1d..8914319 100644
--- a/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java
+++ b/sentry-policy/sentry-policy-indexer/src/main/java/org/apache/sentry/policy/indexer/SimpleIndexerPolicyEngine.java
@@ -21,8 +21,8 @@ import java.util.Set;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PrivilegeValidator;
 import org.apache.sentry.provider.common.ProviderBackend;
 import org.apache.sentry.provider.common.ProviderBackendContext;
@@ -67,6 +67,12 @@ public class SimpleIndexerPolicyEngine implements PolicyEngine {
     return getPrivileges(groups, roleSet);
   }
 
+  @Override
+  public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String>
users,
+      ActiveRoleSet roleSet) throws SentryConfigurationException {
+    return getPrivileges(groups, users, roleSet);
+  }
+
   /**
    * {@inheritDoc}
    */
@@ -83,6 +89,19 @@ public class SimpleIndexerPolicyEngine implements PolicyEngine {
   }
 
   @Override
+  public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String>
users,
+      ActiveRoleSet roleSet, Authorizable... authorizationHierarchy) {
+    if(LOGGER.isDebugEnabled()) {
+      LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users);
+    }
+    ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet);
+    if(LOGGER.isDebugEnabled()) {
+      LOGGER.debug("result = " + result);
+    }
+    return result;
+  }
+
+  @Override
   public void validatePolicy(boolean strictValidation)
       throws SentryConfigurationException {
     throw new SentryConfigurationException("Not implemented yet");

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/SimpleKafkaPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/SimpleKafkaPolicyEngine.java
b/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/SimpleKafkaPolicyEngine.java
index 7e043e1..4d90544 100644
--- a/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/SimpleKafkaPolicyEngine.java
+++ b/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/SimpleKafkaPolicyEngine.java
@@ -84,4 +84,24 @@ public class SimpleKafkaPolicyEngine implements PolicyEngine {
     }
   }
 
+  @Override
+  public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String>
users,
+      ActiveRoleSet roleSet) throws SentryConfigurationException {
+    return getPrivileges(groups, users, roleSet);
+  }
+
+  @Override
+  public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String>
users,
+      ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
+      throws SentryConfigurationException {
+    if(LOGGER.isDebugEnabled()) {
+      LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users);
+    }
+    ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet);
+    if(LOGGER.isDebugEnabled()) {
+      LOGGER.debug("result = " + result);
+    }
+    return result;
+  }
+
 }

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
index bc518fb..c71036e 100644
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
+++ b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
@@ -21,8 +21,8 @@ import java.util.Set;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PrivilegeValidator;
 import org.apache.sentry.provider.common.ProviderBackend;
 import org.apache.sentry.provider.common.ProviderBackendContext;
@@ -83,6 +83,25 @@ public class SimpleSearchPolicyEngine implements PolicyEngine {
   }
 
   @Override
+  public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String>
users,
+      ActiveRoleSet roleSet) throws SentryConfigurationException {
+    return getPrivileges(groups, users, roleSet);
+  }
+
+  @Override
+  public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String>
users,
+      ActiveRoleSet roleSet, Authorizable... authorizationHierarchy) {
+    if (LOGGER.isDebugEnabled()) {
+      LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users);
+    }
+    ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet);
+    if (LOGGER.isDebugEnabled()) {
+      LOGGER.debug("result = " + result);
+    }
+    return result;
+  }
+
+  @Override
   public void validatePolicy(boolean strictValidation)
       throws SentryConfigurationException {
     providerBackend.validatePolicy(strictValidation);

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java
b/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java
index e8615a0..13f78c6 100644
--- a/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java
+++ b/sentry-policy/sentry-policy-sqoop/src/main/java/org/apache/sentry/policy/sqoop/SimpleSqoopPolicyEngine.java
@@ -69,6 +69,25 @@ public class SimpleSqoopPolicyEngine implements PolicyEngine {
   }
 
   @Override
+  public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String>
users,
+      ActiveRoleSet roleSet) throws SentryConfigurationException {
+    return getPrivileges(groups, users, roleSet);
+  }
+
+  @Override
+  public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String>
users,
+      ActiveRoleSet roleSet, Authorizable... authorizationHierarchy) {
+    if(LOGGER.isDebugEnabled()) {
+      LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users);
+    }
+    ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet);
+    if(LOGGER.isDebugEnabled()) {
+      LOGGER.debug("result = " + result);
+    }
+    return result;
+  }
+
+  @Override
   public void close() {
     if (providerBackend != null) {
       providerBackend.close();

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java
b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java
index 811b931..28c5b76 100644
--- a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java
+++ b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/PrivilegeCache.java
@@ -29,5 +29,12 @@ public interface PrivilegeCache {
   Set<String> listPrivileges(Set<String> groups,
       ActiveRoleSet roleSet);
 
+  /**
+   * Get the privileges for the give set of groups and users with the give active
+   * roles from the cache.
+   */
+  Set<String> listPrivileges(Set<String> groups, Set<String> users,
+      ActiveRoleSet roleSet);
+
   void close();
 }

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java
b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java
index 73ed6c2..d8b9063 100644
--- a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java
+++ b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimpleCacheProviderBackend.java
@@ -66,6 +66,17 @@ public class SimpleCacheProviderBackend implements ProviderBackend {
   }
 
   @Override
+  public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String>
users,
+      ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) {
+    if (!initialized()) {
+      throw new IllegalStateException(
+          "Backend has not been properly initialized");
+    }
+    return ImmutableSet.copyOf(cacheHandle.listPrivileges(groups, users,
+        roleSet));
+  }
+
+  @Override
   public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet)
{
     if (!initialized()) {
       throw new IllegalStateException(

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java
b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java
index 2643a32..dd0c39a 100644
--- a/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java
+++ b/sentry-provider/sentry-provider-cache/src/main/java/org/apache/sentry/provider/cache/SimplePrivilegeCache.java
@@ -48,4 +48,12 @@ public class SimplePrivilegeCache implements PrivilegeCache {
       cachedPrivileges.clear();
     }
   }
+
+  @Override
+  public Set<String> listPrivileges(Set<String> groups, Set<String> users,
ActiveRoleSet roleSet) {
+    if (cachedPrivileges == null) {
+      cachedPrivileges = new HashSet<String>();
+    }
+    return cachedPrivileges;
+  }
 }

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java
b/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java
index a7566e7..79e047e 100644
--- a/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java
+++ b/sentry-provider/sentry-provider-cache/src/test/java/org/apache/sentry/provider/cache/PrivilegeCacheTestImpl.java
@@ -60,4 +60,9 @@ public class PrivilegeCacheTestImpl implements PrivilegeCache {
       FileUtils.deleteQuietly(baseDir);
     }
   }
+
+  @Override
+  public Set<String> listPrivileges(Set<String> groups, Set<String> users,
ActiveRoleSet roleSet) {
+    return backend.getPrivileges(groups, users, roleSet);
+  }
 }

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
index b19a170..ffd3af4 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
@@ -45,11 +45,17 @@ public interface ProviderBackend {
   void initialize(ProviderBackendContext context);
 
   /**
-   * Get the privileges from the backend.
+   * Get the privileges from the backend for groups.
    */
   ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet,
Authorizable... authorizableHierarchy);
 
   /**
+   * Get the privileges from the backend for users and groups.
+   */
+  ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users,
+      ActiveRoleSet roleSet, Authorizable... authorizableHierarchy);
+
+  /**
    * Get the roles associated with the groups from the backend.
    */
   ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet);

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
index 0cf0b5d..b023c9a 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
@@ -95,12 +95,14 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
       List<? extends Authorizable> authorizables, Set<? extends Action> actions,
       ActiveRoleSet roleSet) {
     Set<String> groups =  getGroups(subject);
+    Set<String> users = Sets.newHashSet(subject.getName());
     Set<String> hierarchy = new HashSet<String>();
     for (Authorizable authorizable : authorizables) {
       hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
     }
     List<String> requestPrivileges = buildPermissions(authorizables, actions);
-    Iterable<Privilege> privileges = getPrivileges(groups, roleSet, authorizables.toArray(new
Authorizable[0]));
+    Iterable<Privilege> privileges = getPrivileges(groups, users, roleSet,
+        authorizables.toArray(new Authorizable[0]));
     lastFailedPrivileges.get().clear();
 
     for (String requestPrivilege : requestPrivileges) {
@@ -123,8 +125,10 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
     return false;
   }
 
-  private Iterable<Privilege> getPrivileges(Set<String> groups, ActiveRoleSet
roleSet, Authorizable[] authorizables) {
-    return Iterables.transform(appendDefaultDBPriv(policy.getPrivileges(groups, roleSet,
authorizables), authorizables),
+  private Iterable<Privilege> getPrivileges(Set<String> groups, Set<String>
users,
+      ActiveRoleSet roleSet, Authorizable[] authorizables) {
+    ImmutableSet<String> privileges = policy.getPrivileges(groups, users, roleSet,
authorizables);
+    return Iterables.transform(appendDefaultDBPriv(privileges, authorizables),
         new Function<String, Privilege>() {
       @Override
       public Privilege apply(String privilege) {
@@ -172,7 +176,8 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
 
   @Override
   public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException
{
-    return policy.getPrivileges(getGroups(subject), ActiveRoleSet.ALL);
+    return policy.getPrivileges(getGroups(subject), Sets.newHashSet(subject.getName()),
+        ActiveRoleSet.ALL, (Authorizable[]) null);
   }
 
   @Override

http://git-wip-us.apache.org/repos/asf/sentry/blob/68949951/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
index 14af2d4..402574e 100644
--- a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
+++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
@@ -20,11 +20,11 @@ import static org.junit.Assert.assertSame;
 
 import java.util.Set;
 
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.junit.Test;
 
 import com.google.common.collect.ImmutableSet;
@@ -53,7 +53,7 @@ public class TestGetGroupMapping {
       @Override
       public ImmutableSet<String> getAllPrivileges(Set<String> groups,
           ActiveRoleSet roleSet) throws SentryConfigurationException {
-        return getPrivileges(groups, roleSet, null);
+        return getPrivileges(groups, roleSet);
       }
 
       @Override
@@ -67,6 +67,19 @@ public class TestGetGroupMapping {
       }
 
       @Override
+      public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String>
users,
+          ActiveRoleSet roleSet) throws SentryConfigurationException {
+        return getPrivileges(groups, users, roleSet);
+      }
+
+      @Override
+      public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String>
users,
+          ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
+          throws SentryConfigurationException {
+        return ImmutableSet.of();
+      }
+
+      @Override
       public void close() {}
     };
 


Mime
View raw message