sentry-commits mailing list archives

From ak...@apache.org
Subject sentry git commit: SENTRY-1548: Setting GrantOption to UNSET upsets Sentry (Kalyan Kumar Kalvagadda, Reviewed by: Alex Kolbasov)
Date Mon, 06 Mar 2017 20:04:17 GMT
Repository: sentry
Updated Branches:
  refs/heads/master c2013f236 -> 5f850cc8a


SENTRY-1548: Setting GrantOption to UNSET upsets Sentry (Kalyan Kumar Kalvagadda, Reviewed
by: Alex Kolbasov)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/5f850cc8
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/5f850cc8
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/5f850cc8

Branch: refs/heads/master
Commit: 5f850cc8ac4800995bb31ed2fc61d8341d8efcdc
Parents: c2013f2
Author: Alexander Kolbasov <akolb@cloudera.com>
Authored: Mon Mar 6 12:03:51 2017 -0800
Committer: Alexander Kolbasov <akolb@cloudera.com>
Committed: Mon Mar 6 12:03:51 2017 -0800

----------------------------------------------------------------------
 .../thrift/SentryPolicyStoreProcessor.java      | 15 ++--
 .../GrantPrivilegeRequestValidator.java         | 91 ++++++++++++++++++++
 .../RevokePrivilegeRequestValidator.java        | 46 ++++++++++
 3 files changed, 145 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/5f850cc8/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index b10c2f2..2ebdf81 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -49,6 +49,8 @@ import org.apache.sentry.provider.db.service.persistent.HAContext;
 import org.apache.sentry.provider.db.service.persistent.SentryStore;
 import org.apache.sentry.provider.db.service.persistent.ServiceRegister;
 import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
+import org.apache.sentry.provider.db.service.thrift.validator.GrantPrivilegeRequestValidator;
+import org.apache.sentry.provider.db.service.thrift.validator.RevokePrivilegeRequestValidator;
 import org.apache.sentry.service.thrift.SentryServiceUtil;
 import org.apache.sentry.service.thrift.ServiceConstants;
 import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;
@@ -253,7 +255,6 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface
{
   public TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege
   (TAlterSentryRoleGrantPrivilegeRequest request) throws TException {
     final Timer.Context timerContext = sentryMetrics.grantTimer.time();
-
     TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
     try {
       validateClientVersion(request.getProtocol_version());
@@ -265,6 +266,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface
{
       if (request.isSetPrivilege()) {
         request.setPrivileges(Sets.newHashSet(request.getPrivilege()));
       }
+      GrantPrivilegeRequestValidator.validate(request);
       sentryStore.alterSentryRoleGrantPrivileges(request.getRequestorUserName(),
           request.getRoleName(), request.getPrivileges());
       response.setStatus(Status.OK());
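Review bot: The placement of `GrantPrivilegeRequestValidator.validate(request)` is load-bearing but undocumented: it has to run after the `isSetPrivilege()` block folds the legacy single `privilege` field into `privileges`, because the validator added in this commit only inspects `getPrivileges()`. If a later edit moves the call above that block, a request that fills only `privilege` would skip the mandatory-field and grant-option checks. I would add a comment on the line above the call, `// Must follow the privilege -> privileges fold above: the validator only reads getPrivileges().` The same applies to the `RevokePrivilegeRequestValidator.validate(request)` call in the revoke hunk further down. The enclosing method starts and ends outside this hunk.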
@@ -283,9 +285,8 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface
{
       LOGGER.error(msg, e);
       response.setStatus(Status.NoSuchObject(msg, e));
     } catch (SentryInvalidInputException e) {
-      String msg = "Invalid input privilege object";
-      LOGGER.error(msg, e);
-      response.setStatus(Status.InvalidInput(msg, e));
+      LOGGER.error(e.getMessage(), e);
+      response.setStatus(Status.InvalidInput(e.getMessage(), e));
     } catch (SentryAccessDeniedException e) {
       LOGGER.error(e.getMessage(), e);
       response.setStatus(Status.AccessDenied(e.getMessage(), e));
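Review bot: The `SentryInvalidInputException` handler now passes `e.getMessage()` to `Status.InvalidInput(...)`, so the status text is whatever any thrower inside this try block put in the exception, not only the validator's fixed strings. Two things follow: an exception built without a message would give a null log message and status text, and a message that embeds internal detail would be exposed to the caller if the status message is returned verbatim. Keeping the old constant as a fallback covers the first case, `String msg = e.getMessage() != null ? e.getMessage() : "Invalid input privilege object";`, and the other throw sites (not visible in this diff) are worth checking for the second. The revoke handler in the last hunk of this file has the same change. The try block begins outside this hunk.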
@@ -329,6 +330,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface
{
       if (request.isSetPrivilege()) {
         request.setPrivileges(Sets.newHashSet(request.getPrivilege()));
       }
+      RevokePrivilegeRequestValidator.validate(request);
       sentryStore.alterSentryRoleRevokePrivileges(request.getRequestorUserName(),
           request.getRoleName(), request.getPrivileges());
       response.setStatus(Status.OK());
@@ -358,9 +360,8 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface
{
       LOGGER.error(msg.toString(), e);
       response.setStatus(Status.NoSuchObject(msg.toString(), e));
     } catch (SentryInvalidInputException e) {
-      String msg = "Invalid input privilege object";
-      LOGGER.error(msg, e);
-      response.setStatus(Status.InvalidInput(msg, e));
+      LOGGER.error(e.getMessage(), e);
+      response.setStatus(Status.InvalidInput(e.getMessage(), e));
     } catch (SentryAccessDeniedException e) {
       LOGGER.error(e.getMessage(), e);
       response.setStatus(Status.AccessDenied(e.getMessage(), e));

http://git-wip-us.apache.org/repos/asf/sentry/blob/5f850cc8/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/validator/GrantPrivilegeRequestValidator.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/validator/GrantPrivilegeRequestValidator.java
b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/validator/GrantPrivilegeRequestValidator.java
new file mode 100644
index 0000000..f714d5d
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/validator/GrantPrivilegeRequestValidator.java
@@ -0,0 +1,91 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift.validator;
+
+import java.util.Set;
+
+import org.apache.sentry.core.common.exception.SentryInvalidInputException;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+
+/**
+ * Check's for mandatory fields in the privileges and
+ * checks to see if the UNSET option is present.
+ */
+public final class GrantPrivilegeRequestValidator {
+  private GrantPrivilegeRequestValidator() {
+  }
+
+  /**
+   * Validates privileges in input request by making sure mandatory fields like
+   * server name and action in the privileges are not empty and see all the values in the
+   * request are valid.
+   *
+   * @param request to be validated.
+   * @throws SentryInvalidInputException If all the mandatory fields in the privileges are
+   *                                     not present [OR] invalid fields a provided in request.
+   */
+  public static void validate(TAlterSentryRoleGrantPrivilegeRequest request)
+    throws SentryInvalidInputException {
+    if (request.isSetPrivileges() && (!request.getPrivileges().isEmpty())) {
+      checkForMandatoryFieldsInPrivileges(request.getPrivileges());
+      validateGrantOptionInprivileges(request.getPrivileges());
+    }
+  }
+
+  /**
+   * Checks for mandatory fields "serverName" and "action" in all the privileges
+   * in the set are not empty.
+   *
+   * @param privileges Set of <code>TSentryPrivileges</code> to be inspected
+   * @throws SentryInvalidInputException If all the mandatory fields in the privileges are
+   *                                     not present
+   */
+  static void checkForMandatoryFieldsInPrivileges(Set<TSentryPrivilege> privileges)
+    throws SentryInvalidInputException {
+    for (TSentryPrivilege privilege : privileges) {
+      if (privilege.getServerName() == null ||
+        privilege.getServerName().trim().isEmpty()) {
+        throw new SentryInvalidInputException("Invalid Privilege input: Server Name is missing");
+      }
+      if (privilege.getAction() == null ||
+        privilege.getAction().trim().isEmpty()) {
+        throw new SentryInvalidInputException("Invalid Privilege input: Action is missing");
+      }
+    }
+  }
+
+  /**
+   * Validates grant option in all the privileges.
+   *
+   * @param privileges Set of privileges to be validated
+   * @throws SentryInvalidInputException If the validation for grant option fails for any
+   *                                     of the privileges.
+   */
+  private static void validateGrantOptionInprivileges(Set<TSentryPrivilege> privileges)
+    throws SentryInvalidInputException {
+    for (TSentryPrivilege privilege : privileges) {
+      if (privilege.getGrantOption() == TSentryGrantOption.UNSET) {
+        throw new SentryInvalidInputException("Invalid Privilege input," +
+          " UNSET option for GRANT <PRIVILEGE> is not valid");
+      }
+    }
+  }
+}
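Review bot: `validateGrantOptionInprivileges` rejects only `TSentryGrantOption.UNSET`, so a privilege whose `getGrantOption()` returns null passes the check; that could happen if the field is absent or if the generated Thrift reader maps an unrecognised wire value to null (not confirmable from this diff). Since this is the gate in front of a privilege grant, I would reject anything that is not an explicit value: `TSentryGrantOption option = privilege.getGrantOption();` followed by `if (option == null || option == TSentryGrantOption.UNSET) {`. Separately, `validate` returns without error when the privilege set is unset or empty, so a grant request carrying no privileges reaches the store unvalidated; if that is intended, the Javadoc should say so. Minor: the method name would read better as `validateGrantOptionInPrivileges`, and the class Javadoc has "Check's" where "Checks" is meant.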

http://git-wip-us.apache.org/repos/asf/sentry/blob/5f850cc8/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/validator/RevokePrivilegeRequestValidator.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/validator/RevokePrivilegeRequestValidator.java
b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/validator/RevokePrivilegeRequestValidator.java
new file mode 100644
index 0000000..da4f0e9
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/validator/RevokePrivilegeRequestValidator.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift.validator;
+
+import org.apache.sentry.core.common.exception.SentryInvalidInputException;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+
+/**
+ * Check's for mandatory fields in the privileges
+ */
+public final class RevokePrivilegeRequestValidator {
+  private RevokePrivilegeRequestValidator() {
+  }
+
+  /**
+   * Validates privileges in input request by making sure mandatory fields like
+   * server name and action in the privileges are not empty and see all the values in the
+   * request are valid.
+   *
+   * @param request to be validated.
+   * @throws SentryInvalidInputException If all the mandatory fields in the privileges are
+   *                                     not present [OR] invalid fields a provided in request.
+   */
+  public static void validate(TAlterSentryRoleRevokePrivilegeRequest request)
+    throws SentryInvalidInputException {
+    if (request.isSetPrivileges() && (!request.getPrivileges().isEmpty())) {
+      GrantPrivilegeRequestValidator.checkForMandatoryFieldsInPrivileges(request.getPrivileges());
+    }
+  }
+}
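Review bot: The Javadoc on `validate` matches the grant validator's word for word and overstates what the revoke path checks: the body only calls `checkForMandatoryFieldsInPrivileges`, so nothing beyond a non-empty server name and action is verified, and the grant option is not inspected at all. I would reword it to `Validates that every privilege in the request has a non-empty server name and action. The grant option is not checked, and a request with no privileges passes unchanged.` and add a one-line comment stating whether accepting UNSET on revoke is deliberate. Reaching into `GrantPrivilegeRequestValidator` for a package-private helper also couples the two classes; moving the shared check into a common helper class would make that dependency explicit.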

