private static ActiveRoleSet parseActiveRoleSet(String name, Set<TSentryRole> allowedRoles) throws SentryUserException { // if unset, then we choose the default of ALL if (name.isEmpty()) { return ActiveRoleSet.ALL; } else if (AccessConstants.NONE_ROLE.equalsIgnoreCase(name)) { return new ActiveRoleSet(new HashSet<String>()); } else if (AccessConstants.ALL_ROLE.equalsIgnoreCase(name)) { return ActiveRoleSet.ALL; } else if (AccessConstants.RESERVED_ROLE_NAMES.contains(name.toUpperCase())) { String msg = "Role " + name + " is reserved"; throw new IllegalArgumentException(msg); } else { if (allowedRoles != null) { // check if the user has been granted the role boolean foundRole = false; for (TSentryRole role : allowedRoles) { if (role.getRoleName().equalsIgnoreCase(name)) { foundRole = true; break; } } if (!foundRole) { //Set the reason for hive binding to pick up throw new SentryUserException("Not authorized to set role " + name, "Not authorized to set role " + name); } } return new ActiveRoleSet(Sets.newHashSet(ROLE_SET_SPLITTER.split(name))); } }
/** * {@inheritDoc} */ @Override public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) { if (!initialized) { throw new IllegalStateException("Backend has not been properly initialized"); } ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder(); for (String groupName : groups) { for (Map.Entry<String, Set<String>> row : groupRolePrivilegeTable.row(groupName) .entrySet()) { if (roleSet.containsRole(row.getKey())) { resultBuilder.addAll(row.getValue()); } } } return resultBuilder.build(); }
public synchronized Set<String> listPrivilegesForProvider(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizable) throws SentryUserException { TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()); TListSentryPrivilegesForProviderRequest request = new TListSentryPrivilegesForProviderRequest(ThriftConstants. TSENTRY_SERVICE_VERSION_CURRENT, groups, thriftRoleSet); if (authorizable != null && authorizable.length > 0) { TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(Lists .newArrayList(authorizable)); request.setAuthorizableHierarchy(tSentryAuthorizable); } try { TListSentryPrivilegesForProviderResponse response = client.list_sentry_privileges_for_provider(request); Status.throwIfNotOk(response.getStatus()); return response.getPrivileges(); } catch (TException e) { throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); } }
private static ActiveRoleSet parseActiveRoleSet(String name, Set<TSentryRole> allowedRoles) throws SentryUserException { // if unset, then we choose the default of ALL if (name.isEmpty()) { return ActiveRoleSet.ALL; } else if (AccessConstants.NONE_ROLE.equalsIgnoreCase(name)) { return new ActiveRoleSet(new HashSet<String>()); } else if (AccessConstants.ALL_ROLE.equalsIgnoreCase(name)) { return ActiveRoleSet.ALL; } else if (AccessConstants.RESERVED_ROLE_NAMES.contains(name.toUpperCase())) { String msg = "Role " + name + " is reserved"; throw new IllegalArgumentException(msg); } else { if (allowedRoles != null) { // check if the user has been granted the role boolean foundRole = false; for (TSentryRole role : allowedRoles) { if (role.getRoleName().equalsIgnoreCase(name)) { foundRole = true; break; } } if (!foundRole) { //Set the reason for hive binding to pick up throw new SentryUserException("Not authorized to set role " + name, "Not authorized to set role " + name); } } return new ActiveRoleSet(Sets.newHashSet(ROLE_SET_SPLITTER.split(name))); } }
public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) { if (!initialized) { throw new IllegalStateException("CacheProvider has not been properly initialized"); } ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder(); for (String groupName : groups) { for (Map.Entry<String, Set<String>> row : cache.getCache().row(groupName).entrySet()) { if (roleSet.containsRole(row.getKey())) { // TODO: SENTRY-1245: Filter by Authorizables, if provided resultBuilder.addAll(row.getValue()); } } } return resultBuilder.build(); }
public synchronized Map<TSentryAuthorizable, TSentryPrivilegeMap> listPrivilegsbyAuthorizable( String requestorUserName, Set<List<? extends Authorizable>> authorizables, Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException { Set<TSentryAuthorizable> authSet = Sets.newTreeSet(); for (List<? extends Authorizable> authorizableHierarchy : authorizables) { authSet.add(setupSentryAuthorizable(authorizableHierarchy)); } TListSentryPrivilegesByAuthRequest request = new TListSentryPrivilegesByAuthRequest( ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, authSet); if (groups != null) { request.setGroups(groups); } if (roleSet != null) { request.setRoleSet(new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles())); } try { TListSentryPrivilegesByAuthResponse response = client .list_sentry_privileges_by_authorizable(request); Status.throwIfNotOk(response.getStatus()); return response.getPrivilegesMapByAuth(); } catch (TException e) { throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); } }
null, new ActiveRoleSet(true)); assertEquals(expectedResults, authPrivMap); userGroupNames1, new ActiveRoleSet(true)); assertEquals(expectedResults, authPrivMap); null, new ActiveRoleSet(Sets.newHashSet(roleName1.toUpperCase()))); assertEquals(expectedResults, authPrivMap); ActiveRoleSet roleSet2 = new ActiveRoleSet(Sets.newHashSet(roleName2)); try { client.listPrivilegsbyAuthorizable(user1, authorizableSet, null, roleSet2);
/** * {@inheritDoc} */ @Override public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet) { if (!initialized) { throw new IllegalStateException("Backend has not been properly initialized"); } ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder(); if (groups != null) { for (String groupName : groups) { for (Map.Entry<String, Set<String>> row : groupRolePrivilegeTable.row(groupName) .entrySet()) { if (roleSet.containsRole(row.getKey())) { resultBuilder.add(row.getKey()); } } } } return resultBuilder.build(); }
@Override public Set<String> listPrivilegesForProvider (Set<String> groups, Set<String> users, ActiveRoleSet roleSet, Authorizable... authorizable) throws SentryUserException { TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()); TListSentryPrivilegesForProviderRequest request = new TListSentryPrivilegesForProviderRequest(ThriftConstants. TSENTRY_SERVICE_VERSION_CURRENT, groups, thriftRoleSet); if (authorizable != null && authorizable.length > 0) { TSentryAuthorizable tSentryAuthorizable = setupSentryAuthorizable(Lists .newArrayList(authorizable)); request.setAuthorizableHierarchy(tSentryAuthorizable); } if (users != null) { request.setUsers(users); } try { TListSentryPrivilegesForProviderResponse response = client.list_sentry_privileges_for_provider(request); Status.throwIfNotOk(response.getStatus()); return response.getPrivileges(); } catch (TException e) { throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e); } }
null, new ActiveRoleSet(true)); assertEquals(expectedResults, authPrivMap); userGroupNames1, new ActiveRoleSet(true)); assertEquals(expectedResults, authPrivMap); null, new ActiveRoleSet(Sets.newHashSet(roleName1.toUpperCase()))); assertEquals(expectedResults, authPrivMap); ActiveRoleSet roleSet2 = new ActiveRoleSet(Sets.newHashSet(roleName2)); try { client.listPrivilegesbyAuthorizable(user1, authorizableSet, null, roleSet2);
public ImmutableSet<String> getRoles(Set<String> groups, ActiveRoleSet roleSet) { if (!initialized) { throw new IllegalStateException("CacheProvider has not been properly initialized"); } ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder(); if (groups != null) { for (String groupName : groups) { for (Map.Entry<String, Set<String>> row : cache.getCache().row(groupName) .entrySet()) { if (roleSet.containsRole(row.getKey())) { resultBuilder.add(row.getKey()); } } } } return resultBuilder.build(); } }
null, new ActiveRoleSet(testRoleSet)); assertEquals(expectedResults, authPrivMap); testGroupSet, new ActiveRoleSet(testRoleSet)); assertEquals(expectedResults, authPrivMap);
String serviceName, ActiveRoleSet roleSet, Set<String> groups, List<? extends Authorizable> authorizables) throws SentryUserException { TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()); TListSentryPrivilegesForProviderRequest request = new TListSentryPrivilegesForProviderRequest(); request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
null, new ActiveRoleSet(testRoleSet)); assertEquals(expectedResults, authPrivMap); testGroupSet, new ActiveRoleSet(testRoleSet)); assertEquals(expectedResults, authPrivMap);
assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=all"), listPrivilegesForProvider); listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3")); assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=+"), listPrivilegesForProvider); listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server1")); assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider);
String serviceName, ActiveRoleSet roleSet, Set<String> groups, List<? extends Authorizable> authorizables) throws SentryUserException { TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()); TListSentryPrivilegesForProviderRequest request = new TListSentryPrivilegesForProviderRequest(); request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=all"), listPrivilegesForProvider); listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3")); assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=+"), listPrivilegesForProvider); listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server1")); assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider);