/** * Converts thrift object to model object. Additionally does normalization * such as trimming whitespace and setting appropriate case. * @throws SentryInvalidInputException */ private MSentryPrivilege convertToMSentryPrivilege(TSentryPrivilege privilege) throws SentryInvalidInputException { MSentryPrivilege mSentryPrivilege = new MSentryPrivilege(); mSentryPrivilege.setServerName(toNULLCol(safeTrimLower(privilege.getServerName()))); mSentryPrivilege.setDbName(toNULLCol(safeTrimLower(privilege.getDbName()))); mSentryPrivilege.setTableName(toNULLCol(safeTrimLower(privilege.getTableName()))); mSentryPrivilege.setColumnName(toNULLCol(safeTrimLower(privilege.getColumnName()))); mSentryPrivilege.setPrivilegeScope(safeTrim(privilege.getPrivilegeScope())); mSentryPrivilege.setAction(toNULLCol(safeTrimLower(privilege.getAction()))); mSentryPrivilege.setCreateTime(System.currentTimeMillis()); mSentryPrivilege.setURI(toNULLCol(safeTrim(privilege.getURI()))); if ( !privilege.getGrantOption().equals(TSentryGrantOption.UNSET) ) { mSentryPrivilege.setGrantOption(Boolean.valueOf(privilege.getGrantOption().toString())); } else { mSentryPrivilege.setGrantOption(null); } return mSentryPrivilege; }
@VisibleForTesting static String toAuthorizable(MSentryPrivilege privilege) { List<String> authorizable = new ArrayList<String>(4); authorizable.add(KV_JOINER.join(AuthorizableType.Server.name().toLowerCase(), privilege.getServerName())); if (isNULL(privilege.getURI())) { if (!isNULL(privilege.getDbName())) { authorizable.add(KV_JOINER.join(AuthorizableType.Db.name().toLowerCase(), privilege.getDbName())); if (!isNULL(privilege.getTableName())) { authorizable.add(KV_JOINER.join(AuthorizableType.Table.name().toLowerCase(), privilege.getTableName())); if (!isNULL(privilege.getColumnName())) { authorizable.add(KV_JOINER.join(AuthorizableType.Column.name().toLowerCase(), privilege.getColumnName())); } } } } else { authorizable.add(KV_JOINER.join(AuthorizableType.URI.name().toLowerCase(), privilege.getURI())); } if (!isNULL(privilege.getAction()) && !privilege.getAction().equalsIgnoreCase(AccessConstants.ALL)) { authorizable .add(KV_JOINER.join(PolicyConstants.PRIVILEGE_NAME.toLowerCase(), privilege.getAction())); } return AUTHORIZABLE_JOINER.join(authorizable); }
private void convertToTSentryPrivilege(MSentryPrivilege mSentryPrivilege, TSentryPrivilege privilege) { privilege.setCreateTime(mSentryPrivilege.getCreateTime()); privilege.setAction(fromNULLCol(mSentryPrivilege.getAction())); privilege.setPrivilegeScope(mSentryPrivilege.getPrivilegeScope()); privilege.setServerName(fromNULLCol(mSentryPrivilege.getServerName())); privilege.setDbName(fromNULLCol(mSentryPrivilege.getDbName())); privilege.setTableName(fromNULLCol(mSentryPrivilege.getTableName())); privilege.setColumnName(fromNULLCol(mSentryPrivilege.getColumnName())); privilege.setURI(fromNULLCol(mSentryPrivilege.getURI())); if (mSentryPrivilege.getGrantOption() != null) { privilege.setGrantOption(TSentryGrantOption.valueOf(mSentryPrivilege.getGrantOption().toString().toUpperCase())); } else { privilege.setGrantOption(TSentryGrantOption.UNSET); } }
Collection<MSentryPrivilege> children) throws SentryInvalidInputException { Preconditions.checkNotNull(pm); if (!isNULL(priv.getServerName()) || !isNULL(priv.getDbName()) || !isNULL(priv.getTableName())) { if (!isNULL(childPriv.getDbName()) && !isNULL(childPriv.getTableName()) && !isNULL(childPriv.getColumnName())) { populateChildren(pm, entityType, entityNames, childPriv, children); if (!priv.isActionALL()) { if (childPriv.isActionALL()) { childPriv.setAction(priv.getAction()); if (!priv.implies(childPriv)) { continue;
private Set<MSentryPrivilege> getChildPrivileges(PersistenceManager pm, Set<String> roleNames, MSentryPrivilege parent) throws SentryInvalidInputException { if (!isNULL(parent.getColumnName()) || !isNULL(parent.getURI())) { return new HashSet<MSentryPrivilege>(); filters.append(" && serverName == \"" + parent.getServerName() + "\""); if (!isNULL(parent.getDbName())) { filters.append(" && dbName == \"" + parent.getDbName() + "\""); if (!isNULL(parent.getTableName())) { filters.append(" && tableName == \"" + parent.getTableName() + "\""); filters.append(" && columnName != \"__NULL__\""); } else { Set<MSentryPrivilege> privileges = new HashSet<MSentryPrivilege>(); for (Object[] privObj : (List<Object[]>) query.execute()) { MSentryPrivilege priv = new MSentryPrivilege(); priv.setPrivilegeScope((String) privObj[0]); priv.setServerName((String) privObj[1]); priv.setDbName((String) privObj[2]); priv.setTableName((String) privObj[3]); priv.setColumnName((String) privObj[4]); priv.setURI((String) privObj[5]); priv.setAction((String) privObj[6]); priv.setGrantOption((Boolean) privObj[7]); privileges.add(priv);
@Test public void testImpliesPrivilegePositiveWithColumn() throws Exception { // 1.test server+database+table+column+action MSentryPrivilege my = new MSentryPrivilege(); MSentryPrivilege your = new MSentryPrivilege(); my.setServerName("server1"); my.setAction(AccessConstants.SELECT); your.setServerName("server1"); your.setDbName("db1"); your.setTableName("tb1"); your.setColumnName("c1"); your.setAction(AccessConstants.SELECT); assertTrue(my.implies(your)); my.setDbName("db1"); assertTrue(my.implies(your)); my.setTableName("tb1"); assertTrue(my.implies(your)); my.setColumnName("c1"); assertTrue(my.implies(your)); }
MSentryPrivilege my = new MSentryPrivilege(); MSentryPrivilege your = new MSentryPrivilege(); my.setServerName("server1"); my.setDbName("db1"); my.setTableName("tb1"); my.setAction(AccessConstants.SELECT); your.setServerName("server1"); your.setDbName("db1"); your.setTableName("tb1"); your.setAction(AccessConstants.SELECT); assertTrue(my.implies(your)); my.setAction(AccessConstants.ALL); assertTrue(my.implies(your)); my.setTableName(""); assertTrue(my.implies(your)); my.setDbName(""); assertTrue(my.implies(your)); my.setAction(AccessConstants.ACTION_ALL); assertTrue(my.implies(your)); my.setTableName(""); assertTrue(my.implies(your)); my.setDbName(""); assertTrue(my.implies(your));
private Set<MSentryPrivilege> getChildPrivileges(PersistenceManager pm, SentryPrincipalType entityType, Set<String> entityNames, MSentryPrivilege parent) throws SentryInvalidInputException { if (!isNULL(parent.getColumnName()) || !isNULL(parent.getURI())) { return Collections.emptySet(); QueryParamBuilder paramBuilder = null; if (entityType == SentryPrincipalType.ROLE) { paramBuilder = QueryParamBuilder.addRolesFilter(query, null, entityNames).add(SERVER_NAME, parent.getServerName()); } else if (entityType == SentryPrincipalType.USER) { paramBuilder = QueryParamBuilder.addUsersFilter(query, null, entityNames).add(SERVER_NAME, parent.getServerName()); } else { throw new SentryInvalidInputException("entityType" + entityType + " is not valid"); if (!isNULL(parent.getDbName())) { paramBuilder.add(DB_NAME, parent.getDbName()); if (!isNULL(parent.getTableName())) { paramBuilder.add(TABLE_NAME, parent.getTableName()) .addNotNull(COLUMN_NAME); } else { Boolean grantOption = (Boolean) privObj[7]; MSentryPrivilege priv = new MSentryPrivilege(scope, serverName, dbName, tableName, columnName, URI, action, grantOption); privileges.add(priv);
rollbackTransaction = false; for (MSentryPrivilege mPriv : privileges) { String authzObj = mPriv.getDbName(); if (!isNULL(mPriv.getTableName())) { authzObj = authzObj + "." + mPriv.getTableName(); retVal.put(authzObj, pUpdate); for (MSentryRole mRole : mPriv.getRoles()) { String existingPriv = pUpdate.get(mRole.getRoleName()); if (existingPriv == null) { pUpdate.put(mRole.getRoleName(), mPriv.getAction().toUpperCase()); } else { pUpdate.put(mRole.getRoleName(), existingPriv + "," + mPriv.getAction().toUpperCase());
if (mPrivilege.getGrantOption() != null) { privilegeGraph.add(mPrivilege); } else { MSentryPrivilege mTure = new MSentryPrivilege(mPrivilege); mTure.setGrantOption(true); privilegeGraph.add(mTure); MSentryPrivilege mFalse = new MSentryPrivilege(mPrivilege); mFalse.setGrantOption(false); privilegeGraph.add(mFalse);
(List<MSentryPrivilege>) query.executeWithMap(paramBuilder.getArguments()); for (MSentryPrivilege mPriv : privileges) { String authzObj = mPriv.getDbName(); if (!isNULL(mPriv.getTableName())) { authzObj = authzObj + "." + mPriv.getTableName(); retVal.put(authzObj, pUpdate); for (MSentryRole mRole : mPriv.getRoles()) { pUpdate = addPrivilegeEntry (mPriv, TPrivilegePrincipalType.ROLE, mRole.getRoleName(), pUpdate); for (MSentryUser mUser : mPriv.getUsers()) { pUpdate = addPrivilegeEntry (mPriv, TPrivilegePrincipalType.USER, mUser.getUserName(), pUpdate);
if ((!persistedPriv.getRoles().isEmpty() || !persistedPriv.getUsers().isEmpty()) && mEntity != null) { persistedPriv.removePrincipal(mEntity); persistPrivilege(pm, persistedPriv); for (String actionToAdd : PARTIAL_REVOKE_ACTIONS) { if( !requestedPrivToRevoke.getAction().equalsIgnoreCase(actionToAdd) && !currentPrivilege.getAction().equalsIgnoreCase(actionToAdd) && !AccessConstants.ALL.equalsIgnoreCase(actionToAdd) && !AccessConstants.ACTION_ALL.equalsIgnoreCase(actionToAdd)) {
@Test public void testServer() { privilege = new MSentryPrivilege(null, "server1", null, null, null, null, null); assertEquals("server=server1", SentryStore.toAuthorizable(privilege)); privilege = new MSentryPrivilege(null, "server1", null, null, null, null, AccessConstants.ALL); assertEquals("server=server1", SentryStore.toAuthorizable(privilege)); }
private void revokeRolePartial(PersistenceManager pm, MSentryRole mRole, MSentryPrivilege currentPrivilege, MSentryPrivilege persistedPriv, String addAction) throws SentryInvalidInputException { // If table / URI, remove ALL persistedPriv.removeRole(mRole); privCleaner.incPrivRemoval(); pm.makePersistent(persistedPriv); currentPrivilege.setAction(AccessConstants.ALL); persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm); if (persistedPriv != null && mRole.getPrivileges().contains(persistedPriv)) { persistedPriv.removeRole(mRole); privCleaner.incPrivRemoval(); pm.makePersistent(persistedPriv); currentPrivilege.setAction(addAction); persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm); if (persistedPriv == null) { persistedPriv = convertToMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege)); mRole.appendPrivilege(persistedPriv); } persistedPriv.appendRole(mRole); pm.makePersistent(persistedPriv); } }
private void revokePrivilegeAndGrantPartial(PersistenceManager pm, PrivilegePrincipal mEntity, MSentryPrivilege currentPrivilege, MSentryPrivilege persistedPriv, Set<String> addActions) throws SentryInvalidInputException { // If table / URI, remove ALL persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(persistedPriv), pm); if (persistedPriv != null) { persistedPriv.removePrincipal(mEntity); persistPrivilege(pm, persistedPriv); } currentPrivilege.setAction(AccessConstants.ALL); persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm); if (persistedPriv != null && mEntity.getPrivileges().contains(persistedPriv)) { persistedPriv.removePrincipal(mEntity); persistPrivilege(pm, persistedPriv); // add decomposed actions for (String addAction : addActions) { currentPrivilege.setAction(addAction); TSentryPrivilege tSentryPrivilege = convertToTSentryPrivilege(currentPrivilege); persistedPriv = getMSentryPrivilege(tSentryPrivilege, pm); if (persistedPriv == null) { persistedPriv = convertToMSentryPrivilege(tSentryPrivilege); } mEntity.appendPrivilege(persistedPriv); } persistedPriv.appendPrincipal(mEntity); pm.makePersistent(persistedPriv); } }
if (p.getGrantOption() && p.implies(mPrivilege)) { hasGrant = true; break;
/** * Revoke privilege from role */ private void revokePrivilegeFromRole(PersistenceManager pm, TSentryPrivilege tPrivilege, MSentryRole mRole, MSentryPrivilege mPrivilege) throws SentryInvalidInputException { if (PARTIAL_REVOKE_ACTIONS.contains(mPrivilege.getAction())) { // if this privilege is in {ALL,SELECT,INSERT} // we will do partial revoke revokePartial(pm, tPrivilege, mRole, mPrivilege); } else { // if this privilege is not ALL, SELECT nor INSERT, // we will revoke it from role directly MSentryPrivilege persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(mPrivilege), pm); if (persistedPriv != null) { mPrivilege.removeRole(mRole); privCleaner.incPrivRemoval(); pm.makePersistent(mPrivilege); } } }
/** * Revoke privilege from role */ private void revokePrivilege(PersistenceManager pm, TSentryPrivilege tPrivilege, PrivilegePrincipal mEntity, MSentryPrivilege mPrivilege) throws SentryInvalidInputException { if (PARTIAL_REVOKE_ACTIONS.contains(mPrivilege.getAction())) { // if this privilege is in partial revoke actions // we will do partial revoke revokePartial(pm, tPrivilege, mEntity, mPrivilege); } else { // otherwise, // we will revoke it from role directly MSentryPrivilege persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(mPrivilege), pm); if (persistedPriv != null) { persistedPriv.removePrincipal(mEntity); persistPrivilege(pm, persistedPriv); } } }
private static Map<TPrivilegePrincipal, String> addPrivilegeEntry(MSentryPrivilege mPriv, TPrivilegePrincipalType tEntityType, String principal, Map<TPrivilegePrincipal, String> update) { TPrivilegePrincipal tPrivilegePrincipal = new TPrivilegePrincipal(tEntityType, principal); String existingPriv = update.get(tPrivilegePrincipal); String action = mPriv.getAction().toUpperCase(); String newAction = mPriv.getAction().toUpperCase(); if(action.equals(AccessConstants.OWNER)) { // Translate owner privilege to actual privilege. newAction = AccessConstants.ACTION_ALL; } if (existingPriv == null) { update.put(tPrivilegePrincipal, newAction); } else { update.put(tPrivilegePrincipal, existingPriv + "," + newAction); } return update; }
@Test public void testImpliesPrivilegeNegativeWithColumn() throws Exception { // 1.test server+database+table+column+action MSentryPrivilege my = new MSentryPrivilege(); MSentryPrivilege your = new MSentryPrivilege(); // bad column my.setServerName("server1"); my.setDbName("db1"); my.setTableName("tb1"); my.setColumnName("c1"); my.setAction(AccessConstants.SELECT); your.setServerName("server1"); your.setDbName("db1"); your.setTableName("tb1"); your.setColumnName("c2"); your.setAction(AccessConstants.SELECT); assertFalse(my.implies(your)); // bad scope your.setColumnName(""); assertFalse(my.implies(your)); } }