From ak...@apache.org
Subject [09/13] sentry git commit: Support listing/removal of all privileges
Date Thu, 11 May 2017 06:45:14 GMT
Support listing/removal of all privileges


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/820900ae
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/820900ae
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/820900ae

Branch: refs/heads/akolb-ha-cli
Commit: 820900aef18bb77bf7d6ed0528314d12812fe195
Parents: 6b679e6
Author: Alexander Kolbasov <akolb@cloudera.com>
Authored: Tue Dec 13 18:29:26 2016 -0800
Committer: Alexander Kolbasov <akolb@cloudera.com>
Committed: Wed May 10 23:28:29 2017 -0700

----------------------------------------------------------------------
 .../org/apache/sentry/shell/PrivsShell.java     |  9 ++
 .../java/org/apache/sentry/shell/ShellUtil.java | 97 +++++++++++++++++---
 .../org/apache/sentry/shell/TopLevelShell.java  | 20 ++++
 3 files changed, 112 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/820900ae/sentry-tools/src/main/java/org/apache/sentry/shell/PrivsShell.java
----------------------------------------------------------------------
diff --git a/sentry-tools/src/main/java/org/apache/sentry/shell/PrivsShell.java b/sentry-tools/src/main/java/org/apache/sentry/shell/PrivsShell.java
index cf2ebbd..82369cd 100644
--- a/sentry-tools/src/main/java/org/apache/sentry/shell/PrivsShell.java
+++ b/sentry-tools/src/main/java/org/apache/sentry/shell/PrivsShell.java
@@ -35,10 +35,19 @@ public class PrivsShell implements ShellDependent {
     }
 
     @Command
+    public String list() {
+        return tools.listPrivileges();
+    }
+
+    @Command
     public List<String> list(String roleName) {
         return tools.listPrivileges(roleName);
     }
 
+    @Command
+    public void revoke(String roleName, String privilege) {
+        tools.revokePrivilegeFromRole(roleName, privilege);
+    }
 
     public PrivsShell(SentryPolicyServiceClient sentryClient, String authUser) {
         this.tools = new ShellUtil(sentryClient, authUser);
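Review bot: The new `revoke` command changes authorization state but is registered with a bare `@Command`, so the shell help gives no hint of what it does or what form `privilege` must take; the same applies to `revokePrivilege` in TopLevelShell.java. Suggest `@Command(description = "Revoke privilege from role")` in both places. The no-argument `list()` returns a preformatted `String` while `list(String roleName)` returns `List<String>`, so a one-line Javadoc on `list()` stating that it returns display text for all roles would make the difference explicit. The constructor at the end of the hunk continues outside it.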

http://git-wip-us.apache.org/repos/asf/sentry/blob/820900ae/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java
----------------------------------------------------------------------
diff --git a/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java b/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java
index fbd382a..4decf28 100644
--- a/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java
+++ b/sentry-tools/src/main/java/org/apache/sentry/shell/ShellUtil.java
@@ -22,7 +22,6 @@ import com.google.common.collect.Sets;
 import org.apache.commons.lang.StringUtils;
 import org.apache.sentry.core.common.exception.SentryUserException;
 import org.apache.sentry.provider.db.service.thrift.*;
-import org.apache.sentry.service.thrift.SentryServiceUtil;
 import org.apache.sentry.service.thrift.ServiceConstants;
 
 import java.util.*;
@@ -36,23 +35,13 @@ import static org.apache.sentry.service.thrift.SentryServiceUtil.convertToTSentr
 class ShellUtil {
 
     List<String> listRoles() {
-        Set<TSentryRole> roles = null;
+        List<String> roles = null;
         try {
-            roles = sentryClient.listRoles(authUser);
+            return getRoles();
         } catch (SentryUserException e) {
             System.out.println("Error listing roles: " + e.toString());
         }
-        List<String> result = new ArrayList<>();
-        if (roles == null || roles.isEmpty()) {
-            return result;
-        }
-
-        for(TSentryRole role: roles) {
-            result.add(role.getRoleName());
-        }
-
-        Collections.sort(result);
-        return result;
+        return new LinkedList<>();
     }
 
     List<String> listRoles(String group) {
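Review bot: The local `List<String> roles = null;` in listRoles is now dead, because the try block returns `getRoles()` directly; it can be deleted. The removed lines also tolerated a null result from `sentryClient.listRoles(authUser)`, whereas getRoles (added further down in this file) iterates the set without that check, so if the client can return null this becomes a NullPointerException instead of an empty list. A guard in getRoles such as `if (roles == null) { return new ArrayList<>(); }` would keep the old behaviour. On failure the method still prints to stdout and returns an empty list, which a caller cannot tell apart from a server that has no roles.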
@@ -252,6 +241,86 @@ class ShellUtil {
         return result;
     }
 
+    /**
+     * List all privileges
+     * @return string with privilege info for all roles
+     */
+    String listPrivileges() {
+        List<String> roles = null;
+        try {
+            roles = getRoles();
+        } catch (SentryUserException e) {
+            System.out.println("failed to get role names: " + e.toString());
+        }
+
+        if (roles == null || roles.isEmpty()) {
+            return "";
+        }
+
+        StringBuilder result = new StringBuilder();
+        for (String role: roles) {
+            List<String> privs = listPrivileges(role);
+            if (privs.isEmpty()) {
+                continue;
+            }
+            result.append(role).append(" = ");
+            result.append(StringUtils.join(listPrivileges(role), ",\n\t"));
+            result.append('\n');
+        }
+        return result.toString();
+    }
+
+    void revokePrivilegeFromRole(String roleName, String privilegeStr) {
+        TSentryPrivilege tSentryPrivilege = convertToTSentryPrivilege(privilegeStr);
+        boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE)
? true : false;
+
+        try {
+            if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope()))
{
+                sentryClient.revokeServerPrivilege(authUser, roleName, tSentryPrivilege.getServerName(),
+                        grantOption);
+                return;
+            }
+            if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope()))
{
+                sentryClient.revokeDatabasePrivilege(authUser, roleName, tSentryPrivilege.getServerName(),
+                        tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption);
+                return;
+            }
+            if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope()))
{
+                sentryClient.revokeTablePrivilege(authUser, roleName, tSentryPrivilege.getServerName(),
+                        tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
+                        tSentryPrivilege.getAction(), grantOption);
+                return;
+            }
+            if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope()))
{
+                sentryClient.revokeColumnPrivilege(authUser, roleName, tSentryPrivilege.getServerName(),
+                        tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
+                        tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption);
+                return;
+            }
+            if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope()))
{
+                sentryClient.revokeURIPrivilege(authUser, roleName, tSentryPrivilege.getServerName(),
+                        tSentryPrivilege.getURI(), grantOption);
+                return;
+            }
+        } catch (SentryUserException e) {
+            System.out.println("failed to revoke privilege: " + e.toString());
+        }
+    }
+
+
+    private List<String>getRoles() throws SentryUserException {
+        // Collect role names
+        Set<TSentryRole> roles = null;
+        roles = sentryClient.listRoles(authUser);
+        List<String> roleNames = new ArrayList<>();
+        for(TSentryRole role: roles) {
+            roleNames.add(role.getRoleName());
+        }
+
+        Collections.sort(roleNames);
+        return roleNames;
+    }
+
     ShellUtil(SentryPolicyServiceClient sentryClient, String authUser) {
         this.sentryClient = sentryClient;
         this.authUser = authUser;
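Review bot: revokePrivilegeFromRole returns silently when the parsed scope matches none of the five `PrivilegeScope` branches, so an operator who mistypes the privilege string gets no output and may assume the privilege was removed while it is still in effect. After the URI branch, inside the try, add a fallthrough such as `System.out.println("unsupported privilege scope: " + tSentryPrivilege.getPrivilegeScope());`. The same void-and-print pattern hides `SentryUserException` from callers, so a scripted revoke cannot detect that it failed. In listPrivileges, `listPrivileges(role)` is called twice per role; joining the list already fetched, `StringUtils.join(privs, ",\n\t")`, avoids what is presumably a second request whose result may differ from the one just checked for emptiness. The ShellUtil constructor at the end of the hunk continues outside it.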

http://git-wip-us.apache.org/repos/asf/sentry/blob/820900ae/sentry-tools/src/main/java/org/apache/sentry/shell/TopLevelShell.java
----------------------------------------------------------------------
diff --git a/sentry-tools/src/main/java/org/apache/sentry/shell/TopLevelShell.java b/sentry-tools/src/main/java/org/apache/sentry/shell/TopLevelShell.java
index b677f0f..d5d74b4 100644
--- a/sentry-tools/src/main/java/org/apache/sentry/shell/TopLevelShell.java
+++ b/sentry-tools/src/main/java/org/apache/sentry/shell/TopLevelShell.java
@@ -108,6 +108,26 @@ public class TopLevelShell implements ShellDependent, Runnable {
         tools.removeRoles(roles);
     }
 
+    @Command(description = "list Sentry privileges")
+    public String listPrivileges() {
+        return tools.listPrivileges();
+    }
+
+    @Command(description = "list Sentry privileges")
+    public List<String> listPrivileges(String roleName) {
+        return tools.listPrivileges(roleName);
+    }
+
+    @Command(description = "Grant privilege to role")
+    public void grantPrivilege(String roleName, String privilege) {
+        tools.grantPrivilegeToRole(roleName, privilege);
+    }
+
+    @Command
+    public void revokePrivilege(String roleName, String privilege) {
+        tools.revokePrivilegeFromRole(roleName, privilege);
+    }
+
     @Override
     public void cliSetShell(Shell theShell) {
         this.shell = theShell;
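Review bot: Both `listPrivileges` overloads are registered with the identical description "list Sentry privileges", so help output cannot distinguish the all-roles form from the per-role form. Suggest `@Command(description = "list Sentry privileges for all roles")` on the no-argument overload and `@Command(description = "list Sentry privileges for a role")` on the other. cliSetShell continues outside the hunk.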

