Set<PrivilegeObject> getPrivilegesByProvider(String component, String service, Set<MSentryRole> roles, List<? extends Authorizable> authorizables, PersistenceManager pm) { Set<PrivilegeObject> privileges = Sets.newHashSet(); if (roles == null || roles.isEmpty()) { return privileges; } MSentryGMPrivilege parentPrivilege = new MSentryGMPrivilege(component, service, authorizables, null, null); Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet(); privilegeGraph.addAll(populateIncludePrivileges(roles, parentPrivilege, pm)); for (MSentryGMPrivilege mPrivilege : privilegeGraph) { privileges.add(new Builder() .setComponent(mPrivilege.getComponentName()) .setService(mPrivilege.getServiceName()) .setAction(mPrivilege.getAction()) .setAuthorizables(mPrivilege.getAuthorizables()) .withGrantOption(mPrivilege.getGrantOption()) .build()); } return privileges; }
public void appendGMPrivilege(MSentryGMPrivilege gmPrivilege) { if (gmPrivileges.add(gmPrivilege)) { gmPrivilege.appendRole(this); } }
public void removeGMPrivilege(MSentryGMPrivilege gmPrivilege) { if (gmPrivileges.remove(gmPrivilege)) { gmPrivilege.removeRole(this); } }
public MSentryGMPrivilege(MSentryGMPrivilege copy) { this.action = copy.action; this.componentName = copy.componentName; this.serviceName = copy.serviceName; this.grantOption = copy.grantOption; this.scope = copy.scope; this.createTime = copy.createTime; setAuthorizables(copy.getAuthorizables()); this.roles = new HashSet<MSentryRole>(); roles.addAll(copy.roles); }
public List<? extends Authorizable> getAuthorizables() { List<Authorizable> authorizables = Lists.newArrayList(); //construct atuhorizable lists for (int i = 0; i < AUTHORIZABLE_LEVEL; i++) { final String resourceName = (String) getField(this, PREFIX_RESOURCE_NAME + String.valueOf(i)); final String resourceTYpe = (String) getField(this, PREFIX_RESOURCE_TYPE + String.valueOf(i)); if (notNULL(resourceName) && notNULL(resourceTYpe)) { authorizables.add(new Authorizable() { @Override public String getTypeName() { return resourceTYpe; } @Override public String getName() { return resourceName; } }); } } return authorizables; }
private TSentryPrivilege toTSentryPrivilege(MSentryGMPrivilege mPrivilege) { TSentryPrivilege tPrivilege = new TSentryPrivilege(mPrivilege.getComponentName(), mPrivilege.getServiceName(), fromAuthorizable(mPrivilege.getAuthorizables()), mPrivilege.getAction()); if (mPrivilege.getGrantOption() == null) { tPrivilege.setGrantOption(TSentryGrantOption.UNSET); } else if (mPrivilege.getGrantOption()) { tPrivilege.setGrantOption(TSentryGrantOption.TRUE); } else { tPrivilege.setGrantOption(TSentryGrantOption.FALSE); } return tPrivilege; }
MSentryGMPrivilege solrPrivilege = new MSentryGMPrivilege(); solrPrivilege.setComponentName("solr"); solrPrivilege.setServiceName("solr.server1"); solrPrivilege.setAuthorizables(Arrays.asList(new Collection("c1"))); solrPrivilege.setAction("query"); solrPrivilege.setGrantOption(true); MSentryGMPrivilege solrPrivilege2 = new MSentryGMPrivilege(solrPrivilege); solrPrivilege.appendRole(role); hivePrivilege.appendRole(role); pm.makePersistent(solrPrivilege);
MSentryGMPrivilege persistedPriv, MSentryRole role, PersistenceManager pm) { String component = revokePrivilege.getComponentName(); BitFieldAction revokeaction = getAction(component, revokePrivilege.getAction()); BitFieldAction persistedAction = getAction(component, persistedPriv.getAction()); BitFieldAction allAction = getAction(component, Action.ALL); persistedPriv.removeRole(role); pm.makePersistent(persistedPriv); } else { persistedPriv.removeRole(role); pm.makePersistent(persistedPriv); MSentryGMPrivilege tmpPriv = new MSentryGMPrivilege(persistedPriv); tmpPriv.setAction(ac.getValue()); MSentryGMPrivilege leftPersistedPriv = getPrivilege(tmpPriv, pm); if (leftPersistedPriv == null) { role.appendGMPrivilege(leftPersistedPriv); leftPersistedPriv.appendRole(role); pm.makePersistent(leftPersistedPriv); persistedPriv.removeRole(role); pm.makePersistent(persistedPriv);
@Test public void testImpliesWithServerScope() throws Exception { //The persistent privilege is server scope MSentryGMPrivilege serverPrivilege = new MSentryGMPrivilege("solr", "service1", null,SolrConstants.QUERY, false); MSentryGMPrivilege collectionPrivilege = new MSentryGMPrivilege("solr", "service1", Arrays.asList(new Collection("c1")), SolrConstants.QUERY, false); assertTrue(serverPrivilege.implies(collectionPrivilege)); MSentryGMPrivilege fieldPrivilege = new MSentryGMPrivilege("solr", "service1", Arrays.asList(new Collection("c1"), new Field("f1")), SolrConstants.QUERY, false); assertTrue(serverPrivilege.implies(fieldPrivilege)); assertTrue(collectionPrivilege.implies(fieldPrivilege)); serverPrivilege.setAction(SolrConstants.UPDATE); assertFalse(serverPrivilege.implies(collectionPrivilege)); assertFalse(serverPrivilege.implies(fieldPrivilege)); serverPrivilege.setAction(SolrConstants.ALL); assertTrue(serverPrivilege.implies(collectionPrivilege)); assertTrue(serverPrivilege.implies(fieldPrivilege)); } /**
String grantorPrincipal, PersistenceManager pm) throws SentryUserException { MSentryGMPrivilege oldPrivilege = new MSentryGMPrivilege(component, service, oldAuthorizables, null, null); oldPrivilege.setAction(getAction(component,Action.ALL).getValue()); dropPrivilege.getAuthorizables()); for (int i = 0; i < newAuthorizables.size(); i++) { authorizables.set(i, newAuthorizables.get(i)); MSentryGMPrivilege newPrivilge = new MSentryGMPrivilege( component,service, authorizables, dropPrivilege.getAction(), dropPrivilege.getGrantOption()); Set<MSentryRole> roles = dropPrivilege.getRoles(); for (MSentryRole role : roles) { revokeRolePartial(oldPrivilege, dropPrivilege, role, pm);
MSentryGMPrivilege serverPrivilege1 = new MSentryGMPrivilege("solr", "service1", null,SolrConstants.QUERY, false); MSentryGMPrivilege serverPrivilege2 = new MSentryGMPrivilege("solr", "service2", null,SolrConstants.QUERY, false); assertFalse(serverPrivilege1.implies(serverPrivilege2)); MSentryGMPrivilege collectionPrivilege1 = new MSentryGMPrivilege("solr", "service1", Arrays.asList(new Collection("c1")), SolrConstants.QUERY, false); MSentryGMPrivilege collectionPrivilege2 = new MSentryGMPrivilege("solr", "service1", Arrays.asList(new Collection("c2")), SolrConstants.QUERY, false); assertFalse(collectionPrivilege1.implies(collectionPrivilege2)); MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr", "service1", Arrays.asList(new Collection("c1"), new Field("f1")), SolrConstants.QUERY, false); MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr", "service1", Arrays.asList(new Collection("c1"), new Field("f2")), SolrConstants.QUERY, false); assertFalse(fieldPrivilege1.implies(fieldPrivilege2)); collectionPrivilege2.setAuthorizables(Arrays.asList(new Collection(AccessConstants.ALL)));
MSentryGMPrivilege serverPrivilege = new MSentryGMPrivilege("solr", "service1", null, SolrConstants.QUERY, false); MSentryGMPrivilege collectionPrivilege = new MSentryGMPrivilege("solr", "service1", Arrays.asList(new Collection("c1")), SolrConstants.QUERY, false); MSentryGMPrivilege fieldPrivilege = new MSentryGMPrivilege("solr", "service1", Arrays.asList(new Collection("c1"), new Field("f1")), SolrConstants.QUERY, false); assertTrue(serverPrivilege.implies(collectionPrivilege)); assertTrue(serverPrivilege.implies(fieldPrivilege)); assertTrue(collectionPrivilege.implies(fieldPrivilege)); assertFalse(fieldPrivilege.implies(collectionPrivilege)); assertFalse(fieldPrivilege.implies(serverPrivilege)); assertFalse(collectionPrivilege.implies(serverPrivilege)); MSentryGMPrivilege fieldAllPrivilege = new MSentryGMPrivilege("solr", "service1", Arrays.asList(new Collection("c1"), new Field(AccessConstants.ALL)), SolrConstants.QUERY, false); assertTrue(fieldAllPrivilege.implies(collectionPrivilege)); MSentryGMPrivilege fieldPrivilege1 = new MSentryGMPrivilege("solr", "service1", Arrays.asList(new Collection("c1"), new Field("f1")), SolrConstants.QUERY, false); MSentryGMPrivilege fieldPrivilege2 = new MSentryGMPrivilege("solr",
/** * Get the query to execute in the JDO deducing privileges include the scope of according to the given privilege * The query was used in three privilege operations: * 1.revoking privilege * 2.renaming privilege * 3.dropping privilege * Take the Solr for example, if there exists three privileges such as p1:Collection=c1->action=query, * p2:Collection=c1->Field=f1->action=query and p3:Collection=c1->Field=f2->action=query. * When the revoking operation happens, the request privilege is p4:Collection=c1->action=query. * The result is that not only p1 should be revoked, but also p2 and p3 should be revoked together. * So the populateIncludePrivilegesQuery should be Collection=c1 * @param privilege * @return query */ public static String populateIncludePrivilegesQuery(MSentryGMPrivilege privilege) { StringBuilder query = new StringBuilder(); query.append("serviceName == \"" + toNULLCol(privilege.getServiceName()) + "\" "); query.append("&& componentName == \"" + toNULLCol(privilege.getComponentName()) + "\" "); List<? extends Authorizable> authorizables = privilege.getAuthorizables(); for (int i= 0 ; i < authorizables.size(); i++) { String resourceName = PREFIX_RESOURCE_NAME + String.valueOf(i); String resourceType = PREFIX_RESOURCE_TYPE + String.valueOf(i); query.append("&& " + resourceName + " == \"" + authorizables.get(i).getName() + "\" "); query.append("&& " + resourceType + " == \"" + authorizables.get(i).getTypeName() + "\" "); } return query.toString(); } }
Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, String service, Set<MSentryRole> roles, List<? extends Authorizable> authorizables, PersistenceManager pm) { Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet(); if (roles == null || roles.isEmpty()) { return privilegeGraph; } MSentryGMPrivilege parentPrivilege = new MSentryGMPrivilege(component, service, authorizables, null, null); privilegeGraph.addAll(populateIncludePrivileges(roles, parentPrivilege, pm)); return privilegeGraph; }
public boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) { MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege); boolean hasGrant = false; //get persistent privileges by roles Query query = pm.newQuery(MSentryGMPrivilege.class); StringBuilder filters = new StringBuilder(); if (roles != null && roles.size() > 0) { query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role"); List<String> rolesFiler = new LinkedList<String>(); for (MSentryRole role : roles) { rolesFiler.add("role.roleName == \"" + role.getRoleName() + "\" "); } filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")"); } query.setFilter(filters.toString()); List<MSentryGMPrivilege> tPrivileges = (List<MSentryGMPrivilege>)query.execute(); for (MSentryGMPrivilege tPrivilege : tPrivileges) { if (tPrivilege.getGrantOption() && tPrivilege.implies(requestPrivilege)) { hasGrant = true; break; } } return hasGrant; } public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {
/** * Drop any role related to the requested privilege and its children privileges */ public void dropPrivilege(PrivilegeObject privilege,PersistenceManager pm) { MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege); if (Strings.isNullOrEmpty(privilege.getAction())) { requestPrivilege.setAction(getAction(privilege.getComponent(), Action.ALL).getValue()); } /** * Get the privilege graph * populateIncludePrivileges will get the privileges that need dropped, */ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet(); privilegeGraph.addAll(populateIncludePrivileges(null, requestPrivilege, pm)); for (MSentryGMPrivilege mPrivilege : privilegeGraph) { /** * force to load all roles related this privilege * avoid the lazy-loading */ pm.retrieve(mPrivilege); Set<MSentryRole> roles = mPrivilege.getRoles(); for (MSentryRole role : roles) { revokeRolePartial(requestPrivilege, mPrivilege, role, pm); } } }
.build(); MSentryGMPrivilege mSentryGMPrivilege = new MSentryGMPrivilege("SOLR", "service1", Arrays.asList(new Collection("c1"), new Field("f1")), SolrConstants.QUERY, true); mSentryGMPrivilege.setRoles(Sets.newHashSet(role));
paramBuilder.add(SERVICE_NAME, SentryStore.toNULLCol(privilege.getServiceName()), true); paramBuilder.add(COMPONENT_NAME, SentryStore.toNULLCol(privilege.getComponentName()), true); List<? extends Authorizable> authorizables = privilege.getAuthorizables(); int i = 0; for(Authorizable auth: authorizables) {
public MSentryGMPrivilege(String componentName, String serviceName, List<? extends Authorizable> authorizables, String action, Boolean grantOption) { this.componentName = componentName; this.serviceName = serviceName; this.action = action; this.grantOption = grantOption; this.roles = new HashSet<MSentryRole>(); this.createTime = System.currentTimeMillis(); setAuthorizables(authorizables); }
@Override public String toString() { List<String> unifiedNames = Lists.newArrayList(); for (Authorizable auth : getAuthorizables()) { unifiedNames.add(KV_JOINER.join(auth.getTypeName(),auth.getName())); } return "MSentryGMPrivilege [" + "serverName=" + serviceName + ", componentName=" + componentName + ", authorizables=" + AUTHORIZABLE_JOINER.join(unifiedNames)+ ", scope=" + scope + ", action=" + action + ", roles=[...]" + ", createTime=" + createTime + ", grantOption=" + grantOption +"]"; }