.newInstance(new Object[] { conf, authResoruce }); } catch (NoSuchMethodException e) { throw new SentryUserException("Unable to instantiate group mapping", e); } catch (SecurityException e) { throw new SentryUserException("Unable to instantiate group mapping", e); } catch (ClassNotFoundException e) { throw new SentryUserException("Unable to instantiate group mapping", e); } catch (InstantiationException e) { throw new SentryUserException("Unable to instantiate group mapping", e); } catch (IllegalAccessException e) { throw new SentryUserException("Unable to instantiate group mapping", e); } catch (IllegalArgumentException e) { throw new SentryUserException("Unable to instantiate group mapping", e); } catch (InvocationTargetException e) { throw new SentryUserException("Unable to instantiate group mapping", e);
@Override public void runTestAsSubject() throws Exception { SentryServiceClientFactory oldFactory = SentryServiceClientFactory.factoryReset(null); Configuration confWithSmallMaxMsgSize = new Configuration(SentryServiceIntegrationBase.conf); confWithSmallMaxMsgSize.setLong(ApiConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE, 20); // create a client with a small thrift max message size SentryPolicyServiceClient clientWithSmallMaxMsgSize = SentryServiceClientFactory.create(confWithSmallMaxMsgSize); setLocalGroupMapping(SentryServiceIntegrationBase.ADMIN_USER, REQUESTER_USER_GROUP_NAMES); writePolicyFile(); boolean exceptionThrown = false; try { // client throws exception when message size is larger than the client's thrift max message size. clientWithSmallMaxMsgSize.listAllRoles(SentryServiceIntegrationBase.ADMIN_USER); } catch (SentryUserException e) { exceptionThrown = true; Assert.assertTrue(e.getMessage().contains("Thrift exception occurred")); Assert.assertTrue(e.getCause().getMessage().contains("Length exceeded max allowed")); } finally { Assert.assertEquals(true, exceptionThrown); clientWithSmallMaxMsgSize.close(); SentryServiceClientFactory.factoryReset(oldFactory); } // client can still talk with sentry server when message size is smaller. client.dropRoleIfExists(SentryServiceIntegrationBase.ADMIN_USER, ROLE_NAME); client.listAllRoles(SentryServiceIntegrationBase.ADMIN_USER); client.createRole(SentryServiceIntegrationBase.ADMIN_USER, ROLE_NAME); client.listAllRoles(SentryServiceIntegrationBase.ADMIN_USER); } });
@Override public TSentryPrivilegesResponse list_roles_privileges(TSentryPrivilegesRequest request) throws TException { TSentryPrivilegesResponse response = new TSentryPrivilegesResponse(); String requestor = request.getRequestorUserName(); try (Timer.Context timerContext = sentryMetrics.listRolesPrivilegesTimer.time()) { // Throws SentryThriftAPIMismatchException if protocol version mismatch validateClientVersion(request.getProtocol_version()); // Throws SentryUserException with the Status.ACCESS_DENIED status if the requestor // is not an admin. Only admins can request all roles and privileges of the system. authorize(requestor, getRequestorGroups(requestor)); response.setPrivilegesMap(sentryStore.getAllRolesPrivileges()); response.setStatus(Status.OK()); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryUserException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (Exception e) { String msg = "Could not read roles and privileges from the database: " + e.getMessage(); LOGGER.error(msg, e); response.setStatus(Status.RuntimeError(msg, e)); } return response; }
@Override public void runTestAsSubject() throws Exception { Configuration confWithSmallMaxMsgSize = new Configuration(SentryServiceIntegrationBase.conf); confWithSmallMaxMsgSize.setLong(ServiceConstants.ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE, 50); stopSentryService(); // create a server with a small max thrift message size SentryServiceIntegrationBase.server = SentryServiceFactory.create(confWithSmallMaxMsgSize); SentryServiceIntegrationBase.startSentryService(); setLocalGroupMapping(SentryServiceIntegrationBase.ADMIN_USER, REQUESTER_USER_GROUP_NAMES); writePolicyFile(); // client can talk with server when message size is smaller. client.listAllRoles(SentryServiceIntegrationBase.ADMIN_USER); client.createRole(SentryServiceIntegrationBase.ADMIN_USER, ROLE_NAME); boolean exceptionThrown = false; try { // client throws exception when message size is larger than the server's thrift max message size. client.grantServerPrivilege(SentryServiceIntegrationBase.ADMIN_USER, ROLE_NAME, "server", false); } catch (SentryUserException e) { exceptionThrown = true; Assert.assertTrue(e.getCause().getMessage().contains("org.apache.thrift.transport.TTransportException")); } finally { Assert.assertEquals(true, exceptionThrown); } // client can still talk with sentry server when message size is smaller. Set<TSentryRole> roles = client.listAllRoles(SentryServiceIntegrationBase.ADMIN_USER); Assert.assertTrue(roles.size() == 1); Assert.assertEquals(ROLE_NAME, roles.iterator().next().getRoleName()); } });
@Override public TSentryPrivilegesResponse list_users_privileges(TSentryPrivilegesRequest request) throws TException { TSentryPrivilegesResponse response = new TSentryPrivilegesResponse(); String requestor = request.getRequestorUserName(); try (Timer.Context timerContext = sentryMetrics.listUsersPrivilegesTimer.time()) { // Throws SentryThriftAPIMismatchException if protocol version mismatch validateClientVersion(request.getProtocol_version()); // Throws SentryUserException with the Status.ACCESS_DENIED status if the requestor // is not an admin. Only admins can request all users and privileges of the system. authorize(requestor, getRequestorGroups(requestor)); response.setPrivilegesMap(sentryStore.getAllUsersPrivileges()); response.setStatus(Status.OK()); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryUserException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (Exception e) { String msg = "Could not read users and privileges from the database: " + e.getMessage(); LOGGER.error(msg, e); response.setStatus(Status.RuntimeError(msg, e)); } return response; }
private BitFieldActionFactory createActionFactory(String component) throws SentryUserException { String actionFactoryClassName = conf.get(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, component)); if (actionFactoryClassName == null) { throw new SentryUserException("ActionFactory not defined for component " + component + ". Please define the parameter " + "sentry." + component + ".action.factory in configuration"); } Class<?> actionFactoryClass; try { actionFactoryClass = Class.forName(actionFactoryClassName); } catch (ClassNotFoundException e) { throw new SentryUserException("ActionFactory class " + actionFactoryClassName + " not found."); } if (!BitFieldActionFactory.class.isAssignableFrom(actionFactoryClass)) { throw new SentryUserException("ActionFactory class " + actionFactoryClassName + " must extend " + BitFieldActionFactory.class.getName()); } BitFieldActionFactory actionFactory; try { Constructor<?> actionFactoryConstructor = actionFactoryClass.getDeclaredConstructor(); actionFactoryConstructor.setAccessible(true); actionFactory = (BitFieldActionFactory) actionFactoryClass.newInstance(); } catch (NoSuchMethodException | InstantiationException | IllegalAccessException e) { throw new SentryUserException("Could not instantiate actionFactory " + actionFactoryClassName + " for component: " + component, e); } return actionFactory; } }
response.setStatus(Status.InvalidInput(e.getMessage(), e)); } catch (SentryUserException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
public SentryStoreSchemaInfo(String sentryScriptDir, String dbType) throws SentryUserException { this.sentryScriptDir = sentryScriptDir; this.dbType = dbType; // load upgrade order for the given dbType String upgradeListFile = getSentryStoreScriptDir() + File.separator + VERSION_UPGRADE_LIST + "." + dbType; try { sentrySchemaVersions = SentryUpgradeOrder.readUpgradeGraph(new FileReader(upgradeListFile)); } catch (FileNotFoundException e) { throw new SentryUserException("File " + upgradeListFile + " not found ", e); } catch (IOException e) { throw new SentryUserException("Error reading " + upgradeListFile, e); } }
if (!(causeException instanceof TTransportException)) { LOGGER.error("Failed to connect to Sentry Server", failure); throw new SentryUserException(failure.getMessage(), causeException); throw new SentryUserException (lastExc.getMessage(), lastExc);
protected Authorizable getAuthorizable(KeyValue keyValue) throws SentryUserException { if (AuthorizationComponent.KAFKA.equals(component)) { return KafkaModelAuthorizables.from(keyValue); } else if ("SOLR".equals(component)) { return SolrModelAuthorizables.from(keyValue); } else if (AuthorizationComponent.SQOOP.equals(component)) { return SqoopModelAuthorizables.from(keyValue); } else if (AuthorizationComponent.HBASE_INDEXER.equals(component)) { return IndexerModelAuthorizables.from(keyValue); } throw new SentryUserException("Invalid component specified for GenericPrivilegeCoverter: " + component); }
protected Authorizable getAuthorizable(KeyValue keyValue) throws SentryUserException { if (AuthorizationComponent.KAFKA.equals(component)) { return KafkaModelAuthorizables.from(keyValue); } else if ("SOLR".equals(component)) { return SolrModelAuthorizables.from(keyValue); } else if (AuthorizationComponent.SQOOP.equals(component)) { return SqoopModelAuthorizables.from(keyValue); } else if (AuthorizationComponent.HBASE_INDEXER.equals(component)) { return IndexerModelAuthorizables.from(keyValue); } throw new SentryUserException("Invalid component specified for GenericPrivilegeCoverter: " + component); }
private BitFieldAction getAction(String component, String name) throws SentryUserException { BitFieldActionFactory actionFactory = getActionFactory(component); BitFieldAction action = actionFactory.getActionByName(name); if (action == null) { throw new SentryUserException("Can not get BitFieldAction for name: " + name); } return action; }
private static ActiveRoleSet parseActiveRoleSet(String name, Set<TSentryRole> allowedRoles) throws SentryUserException { // if unset, then we choose the default of ALL if (name.isEmpty()) { return ActiveRoleSet.ALL; } else if (AccessConstants.NONE_ROLE.equalsIgnoreCase(name)) { return new ActiveRoleSet(new HashSet<String>()); } else if (AccessConstants.ALL_ROLE.equalsIgnoreCase(name)) { return ActiveRoleSet.ALL; } else if (AccessConstants.RESERVED_ROLE_NAMES.contains(name.toUpperCase())) { String msg = "Role " + name + " is reserved"; throw new IllegalArgumentException(msg); } else { if (allowedRoles != null) { // check if the user has been granted the role boolean foundRole = false; for (TSentryRole role : allowedRoles) { if (role.getRoleName().equalsIgnoreCase(name)) { foundRole = true; break; } } if (!foundRole) { //Set the reason for hive binding to pick up throw new SentryUserException("Not authorized to set role " + name, "Not authorized to set role " + name); } } return new ActiveRoleSet(Sets.newHashSet(ROLE_SET_SPLITTER.split(name))); } }
public List<String> getUpgradeScripts(String fromSchemaVer) throws SentryUserException { // check if we are already at current schema level if (getSentryVersion().equals(fromSchemaVer)) { return Collections.emptyList(); } List<String> upgradePathList = SentryUpgradeOrder.getUpgradePath(sentrySchemaVersions, fromSchemaVer, getSentrySchemaVersion()); if (upgradePathList.isEmpty()) { throw new SentryUserException("Unknown version specified for upgrade " + fromSchemaVer + " Sentry schema may be too old or newer"); } // Create a new list with the script file paths of the upgrade order path obtained before List<String> upgradeScriptList = new LinkedList<>(); for (String upgradePath : upgradePathList) { upgradeScriptList.add(generateUpgradeFileName(upgradePath)); } return upgradeScriptList; }
/*** * Get the name of the script to initialize the schema for given version * * @param toVersion * Target version. If it's null, then the current server version is * used * @return * @throws SentryUserException */ public String generateInitFileName(String toVersion) throws SentryUserException { String version = toVersion; if (version == null) { version = getSentryVersion(); } String initScriptName = INIT_FILE_PREFIX + dbType + "-" + version + SQL_FILE_EXTENSION; // check if the file exists if (!(new File(getSentryStoreScriptDir() + File.separatorChar + initScriptName).exists())) { throw new SentryUserException( "Unknown version specified for initialization: " + version); } return initScriptName; }
value = kv.getValue(); } catch (Exception exception) { throw new SentryUserException("Wrongly formatted authorizable " + objectTrimmed); throw new SentryUserException("Wrongly formatted authorizable " + objectTrimmed); } else { LOGGER.error("Wrongly formatted authorizable " + objectTrimmed ); throw new SentryUserException("Wrongly formatted authorizable " + objectTrimmed);
throw new SentryUserException(error, lastExc);
protected List<PrivilegeValidator> getPrivilegeValidators() throws SentryUserException { if (AuthorizationComponent.KAFKA.equals(component)) { return KafkaPrivilegeModel.getInstance().getPrivilegeValidators(); } else if ("SOLR".equals(component)) { return SolrPrivilegeModel.getInstance().getPrivilegeValidators(); } else if (AuthorizationComponent.SQOOP.equals(component)) { return SqoopPrivilegeModel.getInstance().getPrivilegeValidators(service); } else if (AuthorizationComponent.HBASE_INDEXER.equals(component)) { return IndexerPrivilegeModel.getInstance().getPrivilegeValidators(); } throw new SentryUserException("Invalid component specified for GenericPrivilegeCoverter: " + component); }
protected List<PrivilegeValidator> getPrivilegeValidators() throws SentryUserException { if (AuthorizationComponent.KAFKA.equals(component)) { return KafkaPrivilegeModel.getInstance().getPrivilegeValidators(); } else if ("SOLR".equals(component)) { return SolrPrivilegeModel.getInstance().getPrivilegeValidators(); } else if (AuthorizationComponent.SQOOP.equals(component)) { return SqoopPrivilegeModel.getInstance().getPrivilegeValidators(service); } else if (AuthorizationComponent.HBASE_INDEXER.equals(component)) { return IndexerPrivilegeModel.getInstance().getPrivilegeValidators(); } throw new SentryUserException("Invalid component specified for GenericPrivilegeCoverter: " + component); }
private Subject getSubject(SecurityContext securityContext) throws SentryUserException { String princ = securityContext.getUserPrincipal() != null ? securityContext.getUserPrincipal().getName() : null; KerberosName kerbName = new KerberosName(princ); try { return new Subject(kerbName.getShortName()); } catch (IOException e) { throw new SentryUserException("Unable to get subject", e); } }