From ak...@apache.org
Subject sentry git commit: SENTRY-1358: Implement Grant role_name To User user_name in V2 (Ke Jia via Dapeng Sun)
Date Sat, 11 Mar 2017 07:42:20 GMT
Repository: sentry
Updated Branches:
  refs/heads/sentry-ha-redesign 0bec6c728 -> b15b95ed6


SENTRY-1358: Implement Grant role_name To User user_name in V2 (Ke Jia via Dapeng Sun)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/b15b95ed
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/b15b95ed
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/b15b95ed

Branch: refs/heads/sentry-ha-redesign
Commit: b15b95ed6e6920225db0b077b197aa2baeabcd07
Parents: 0bec6c7
Author: Alexander Kolbasov <akolb@cloudera.com>
Authored: Fri Mar 10 23:41:59 2017 -0800
Committer: Alexander Kolbasov <akolb@cloudera.com>
Committed: Fri Mar 10 23:41:59 2017 -0800

----------------------------------------------------------------------
 .../DefaultSentryAccessController.java          | 24 ++++++++++++++++----
 .../TestPrivilegeWithGrantOption.java           | 15 ++++++++++++
 2 files changed, 34 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/b15b95ed/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
index 391841f..c63cf64 100644
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
+++ b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.java
@@ -468,7 +468,6 @@ public class DefaultSentryAccessController extends SentryHiveAccessController
{
       }
     }
   }
-
   /**
    * Grant(isGrant is true) or revoke(isGrant is false) role to/from group via sentryClient,
which
    * is a instance of SentryPolicyServiceClientV2
@@ -485,21 +484,36 @@ public class DefaultSentryAccessController extends SentryHiveAccessController
{
       sentryClient = getSentryClient();
       // get principals
       Set<String> groups = Sets.newHashSet();
+      Set<String> users = Sets.newHashSet();
       for (HivePrincipal principal : hivePrincipals) {
-        if (principal.getType() != HivePrincipalType.GROUP) {
+        if (principal.getType() == HivePrincipalType.GROUP) {
+          groups.add(principal.getName());
+        } else if (principal.getType() == HivePrincipalType.USER) {
+          users.add(principal.getName());
+        } else {
           String msg =
               SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType();
           throw new HiveAuthzPluginException(msg);
+
         }
-        groups.add(principal.getName());
       }
 
       // grant/revoke role to/from principals
       for (String roleName : roles) {
         if (isGrant) {
-          sentryClient.grantRoleToGroups(grantorPrinc.getName(), roleName, groups);
+          if (groups.size() > 0) {
+            sentryClient.grantRoleToGroups(grantorPrinc.getName(), roleName, groups);
+          }
+          if (users.size() > 0) {
+            sentryClient.grantRoleToUsers(grantorPrinc.getName(), roleName, users);
+          }
         } else {
-          sentryClient.revokeRoleFromGroups(grantorPrinc.getName(), roleName, groups);
+          if (groups.size() > 0) {
+            sentryClient.revokeRoleFromGroups(grantorPrinc.getName(), roleName, groups);
+          }
+          if (users.size() > 0) {
+            sentryClient.revokeRoleFromUsers(grantorPrinc.getName(), roleName, users);
+          }
         }
       }
 
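Review bot: With a mixed list of GROUP and USER principals, each role is now applied through two separate client calls, so a failure in `grantRoleToUsers` or `revokeRoleFromUsers` after the group call has succeeded leaves the request half-applied; on the revoke path that means some principals keep a role the caller asked to remove. The method starts and ends outside this hunk, so whether the enclosing try block reports which call failed is not visible here; the exception raised should at least name the role and the principal type that was not processed. The Javadoc above the method still describes only groups and should read `Grant (isGrant is true) or revoke (isGrant is false) role to/from groups and users`. As a style point, `groups.size() > 0` reads better as `!groups.isEmpty()`, and the blank line added after the `throw` can be dropped.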

http://git-wip-us.apache.org/repos/asf/sentry/blob/b15b95ed/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
index 8e18422..b25fa2f 100644
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
+++ b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
@@ -133,6 +133,21 @@ public class TestPrivilegeWithGrantOption extends AbstractTestWithStaticConfigur
 
   }
 
+  @Test
+  public void testOnGrantOrRevokeRoleToUser() throws Exception {
+    // setup db objects needed by the test
+    Connection connection = context.createConnection(ADMIN1);
+    Statement statement = context.createStatement(connection);
+    statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
+    statement.execute("DROP DATABASE IF EXISTS db_2 CASCADE");
+    statement.execute("CREATE DATABASE db_1");
+    statement.execute("CREATE ROLE group1_role");
+    statement.execute("GRANT ROLE group1_role TO USER " + USER1_1);
+    statement.execute("REVOKE ROLE group1_role FROM USER " + USER1_1);
+
+    connection.close();
+  }
+
   /*
    * Admin grant DB_1 user1 without grant option, grant user3 with grant option,
    * user1 tries to grant it to user2, but failed.
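Review bot: `testOnGrantOrRevokeRoleToUser` contains no assertions, so it only shows that the GRANT and REVOKE statements do not throw; it would still pass if the revoke left the user holding the role. After the grant the test should check that `group1_role` is listed for the user, and after the revoke that it is not, for example with a `SHOW ROLE GRANT USER` query if this binding supports it. `group1_role` is created but never dropped and `db_2` is dropped but never used, which may make reruns depend on cleanup done elsewhere. `statement` is never closed and `connection.close()` is skipped when any statement fails, so try-with-resources or a `finally` block would be safer.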

