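@Override
public void runTestAsSubject() throws Exception {
    // Grant the same table-level ALL privilege to two distinct roles and verify
    // that each role ends up with exactly one privilege: the grant to the second
    // role must neither duplicate nor disturb the first role's privilege.
    String requestorUserName = ADMIN_USER;
    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
    writePolicyFile();

    String roleName1 = "admin_r1";
    String roleName2 = "admin_r2";
    client.dropRoleIfExists(requestorUserName, roleName1);
    client.createRole(requestorUserName, roleName1);
    client.dropRoleIfExists(requestorUserName, roleName2);
    client.createRole(requestorUserName, roleName2);
    try {
        client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL");
        Set<TSentryPrivilege> role1Privileges =
            client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
        assertEquals("Privilege not assigned to role1 !!", 1, role1Privileges.size());

        client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL");
        Set<TSentryPrivilege> role2Privileges =
            client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
        assertEquals("Privilege not assigned to role2 !!", 1, role2Privileges.size());

        // Granting to role2 must not have altered role1's privilege set.
        role1Privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
        assertEquals("Grant to role2 changed role1's privileges !!", 1, role1Privileges.size());
    } finally {
        // Roles carrying table-level ALL must not outlive this test, even on failure.
        client.dropRoleIfExists(requestorUserName, roleName1);
        client.dropRoleIfExists(requestorUserName, roleName2);
    }
}
});
}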
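@Override
public void runTestAsSubject() throws Exception {
    // Grant a database-level ALL privilege to a fresh role, confirm it is listed,
    // revoke it, confirm it is gone, then drop the role.
    String requestorUserName = ADMIN_USER;
    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
    String roleName = "admin_testdb";
    String server = "server1";
    String db = "testDB";
    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
    writePolicyFile();

    client.dropRoleIfExists(requestorUserName, roleName);
    client.createRole(requestorUserName, roleName);
    Set<TSentryRole> roles = client.listRoles(requestorUserName);
    assertEquals("Incorrect number of roles", 1, roles.size());

    client.grantDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
    Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
    assertEquals("Database privilege was not granted", 1, privileges.size());

    client.revokeDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
    // The revoke must actually remove the grant; without this check the test
    // passes even when revocation is a silent no-op.
    privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
    assertEquals("Database privilege was not revoked", 0, privileges.size());

    client.dropRole(requestorUserName, roleName);
}
});
}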
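/**
 * Drops the Sentry privileges attached to the given authorizable on behalf of
 * the current Hadoop user.
 *
 * @param authorizableTable the authorizable hierarchy whose privileges are dropped
 * @throws SentryUserException if the Sentry service rejects the request
 * @throws IOException if the current user cannot be determined or the call fails
 * @throws MetaException propagated from the metastore layer
 */
private void dropSentryPrivileges(List<? extends Authorizable> authorizableTable)
    throws SentryUserException, IOException, MetaException {
  String requestorUserName = UserGroupInformation.getCurrentUser().getShortUserName();
  SentryPolicyServiceClient sentryClient = getSentryServiceClient();
  try {
    sentryClient.dropPrivileges(requestorUserName, authorizableTable);
  } finally {
    // Release the connection even when dropPrivileges throws; otherwise a failed
    // drop leaks a client connection to the Sentry service.
    sentryClient.close();
  }
}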
/**
 * Prints one role name per line. With no group filter every role is listed;
 * otherwise only the roles granted to {@code groupName}.
 */
@Override
public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
  Set<TSentryRole> matchingRoles = StringUtils.isEmpty(groupName)
      ? client.listRoles(requestorName)
      : client.listRolesByGroupName(requestorName, groupName);
  if (matchingRoles == null) {
    return;
  }
  for (TSentryRole role : matchingRoles) {
    System.out.println(role.getRoleName());
  }
}
}
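@Override
public void runTestAsSubject() throws Exception {
    // Create then drop a role, checking the role list after each step so the
    // test fails if either operation silently does nothing.
    String requestorUserName = ADMIN_USER;
    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
    writePolicyFile();

    String roleName = "admin_r";
    client.dropRoleIfExists(requestorUserName, roleName);
    client.createRole(requestorUserName, roleName);
    assertEquals("Role should be listed after create",
        1, client.listRoles(requestorUserName).size());

    client.dropRole(requestorUserName, roleName);
    assertEquals("Role should not be listed after drop",
        0, client.listRoles(requestorUserName).size());
}
});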
writePolicyFile(); client.dropRoleIfExists(requestorUserName, roleName1); client.createRole(requestorUserName, roleName1); client.dropRoleIfExists(requestorUserName, roleName2); client.createRole(requestorUserName, roleName2); client.grantDatabasePrivilege(requestorUserName, roleName1, server, db, AccessConstants.SELECT); client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab, AccessConstants.ALL); client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab, AccessConstants.SELECT); TSentryPrivilege role1uri1 = client.grantURIPrivilege(requestorUserName, roleName1, server, uri1); client.grantDatabasePrivilege(requestorUserName, roleName2, server, db, AccessConstants.ALL); client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2, AccessConstants.SELECT); client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab, AccessConstants.ALL); TSentryPrivilege role2uri2 = client.grantURIPrivilege(requestorUserName, roleName2, server, uri1); authorizableSet.add(uri1Authrizable); Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
if (isGrant) { if (serverName != null) { sentryClient.grantServerPrivilege(subject, princ.getName(), serverName, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); } else if (uriPath != null) { sentryClient.grantURIPrivilege(subject, princ.getName(), server, uriPath, grantOption); } else if (tableName == null) { sentryClient.grantDatabasePrivilege(subject, princ.getName(), server, dbName, toDbSentryAction(privDesc.getPrivilege().getPriv()), grantOption); } else if (columnNames == null) { sentryClient.grantTablePrivilege(subject, princ.getName(), server, dbName, tableName, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); } else { sentryClient.grantColumnsPrivileges(subject, princ.getName(), server, dbName, tableName, columnNames, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); sentryClient.revokeServerPrivilege(subject, princ.getName(), serverName, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); } else if (uriPath != null) { sentryClient.revokeURIPrivilege(subject, princ.getName(), server, uriPath, grantOption); } else if (tableName == null) { sentryClient.revokeDatabasePrivilege(subject, princ.getName(), server, dbName, toDbSentryAction(privDesc.getPrivilege().getPriv()), grantOption); } else if (columnNames == null) { sentryClient.revokeTablePrivilege(subject, princ.getName(), server, dbName, tableName, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption); } else { sentryClient.revokeColumnsPrivilege(subject, princ.getName(), server, dbName, tableName, columnNames, toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
client.dropRoleIfExists(requestorUserName, roleName); client.createRole(requestorUserName, roleName); client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName); client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL); client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL"); assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, ActiveRoleSet.ALL).size()); client.dropRole(requestorUserName, roleName); assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, ActiveRoleSet.ALL).size()); client.createRole(requestorUserName, roleName); client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName); assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, ActiveRoleSet.ALL).size()); client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL); assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, ActiveRoleSet.ALL).size()); client.dropRole(requestorUserName, roleName); assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, ActiveRoleSet.ALL).size()); assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, ActiveRoleSet.ALL).size());
client.createRole(requestorUserName, roleName); fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE); fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName); client.grantRoleToGroup(requestorUserName, groupName, roleName); fieldValueMap.clear(); fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE); client.grantDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL"); fieldValueMap.clear(); fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE); client.grantTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName, "SELECT", true); fieldValueMap.clear(); client.createRole(requestorUserName, roleName); fail("Exception should have been thrown"); } catch (Exception e) { client.grantRoleToGroup(requestorUserName, groupName, errorRoleName); fail("Exception should have been thrown"); } catch (Exception e) { .grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName, "ALL"); fail("Exception should have been thrown"); } catch (Exception e) { client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
@Override
public void runTestAsSubject() throws Exception {
    // Round-trip a URI privilege: grant it to a fresh role, confirm it is
    // listed, revoke it, confirm it is gone, then discard the role.
    String requestorUserName = ADMIN_USER;
    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
    String roleName = "admin_testdb";
    String server = "server1";
    String uri = "file://u/w/h/t/partition=value/";
    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
    writePolicyFile();

    client.dropRoleIfExists(requestorUserName, roleName);
    client.createRole(requestorUserName, roleName);
    Set<TSentryRole> allRoles = client.listRoles(requestorUserName);
    assertEquals("Incorrect number of roles", 1, allRoles.size());

    client.grantURIPrivilege(requestorUserName, roleName, server, uri);
    Set<TSentryPrivilege> rolePrivileges =
        client.listAllPrivilegesByRoleName(requestorUserName, roleName);
    assertTrue(rolePrivileges.size() == 1);

    client.revokeURIPrivilege(requestorUserName, roleName, server, uri);
    rolePrivileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
    assertTrue(rolePrivileges.size() == 0);

    client.dropRole(requestorUserName, roleName);
}
});
}
client.dropRoleIfExists(requestorUserName, roleName1); client.createRole(requestorUserName, roleName1); client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL"); client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col2", "ALL"); client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col1", "ALL"); client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col2", "ALL"); client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL"); client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL"); client.dropRoleIfExists(requestorUserName, roleName2); client.createRole(requestorUserName, roleName2); client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col1", "ALL"); client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col2", "ALL"); client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL"); client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL"); client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL"); client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL"); Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); assertEquals("Privilege not assigned to role1 !!", 6, listPrivilegesByRoleName.size()); listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2); assertEquals("Privilege not assigned to role2 !!", 6, listPrivilegesByRoleName.size()); client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL"); listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1); 
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
client.dropRoleIfExists(requestorUserName, roleName1); client.createRole(requestorUserName, roleName1); client.grantRoleToGroup(requestorUserName, group1, roleName1); client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL"); client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL"); client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL"); client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL"); client.dropRoleIfExists(requestorUserName, roleName2); client.createRole(requestorUserName, roleName2); client.grantRoleToGroup(requestorUserName, group1, roleName2); client.grantRoleToGroup(requestorUserName, group2, roleName2); client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL"); client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL"); client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL"); client.grantTablePrivilege(requestorUserName, roleName2, "server", "db3", "table5", "ALL"); Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"))); assertEquals("Privilege not assigned to role2 !!", 2, listPrivilegesByRoleName.size()); listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db2"), new Table("table1"))); assertEquals("Privilege not assigned to role2 !!", 0, listPrivilegesByRoleName.size()); listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"), new Table("table1"))); assertEquals("Privilege not assigned to role2 !!", 1, 
listPrivilegesByRoleName.size());
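/**
 * Revokes the privilege described by {@code privilegeStr} from {@code roleName},
 * dispatching on the privilege's scope (SERVER, DATABASE, TABLE, COLUMN, URI).
 *
 * @throws IllegalArgumentException if the scope is not one of the supported values;
 *         the original silently ignored such input, which would leave an operator
 *         believing a privilege had been revoked when nothing changed.
 */
@Override
public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
  TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
  // Null-safe comparison: an absent grant option is treated as "no grant option".
  boolean grantOption = TSentryGrantOption.TRUE.equals(tSentryPrivilege.getGrantOption());
  String scope = tSentryPrivilege.getPrivilegeScope();

  if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(scope)) {
    client.revokeServerPrivilege(requestorName, roleName,
        tSentryPrivilege.getServerName(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(scope)) {
    client.revokeDatabasePrivilege(requestorName, roleName,
        tSentryPrivilege.getServerName(), tSentryPrivilege.getDbName(),
        tSentryPrivilege.getAction(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(scope)) {
    client.revokeTablePrivilege(requestorName, roleName,
        tSentryPrivilege.getServerName(), tSentryPrivilege.getDbName(),
        tSentryPrivilege.getTableName(), tSentryPrivilege.getAction(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(scope)) {
    client.revokeColumnPrivilege(requestorName, roleName,
        tSentryPrivilege.getServerName(), tSentryPrivilege.getDbName(),
        tSentryPrivilege.getTableName(), tSentryPrivilege.getColumnName(),
        tSentryPrivilege.getAction(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(scope)) {
    client.revokeURIPrivilege(requestorName, roleName,
        tSentryPrivilege.getServerName(), tSentryPrivilege.getURI(), grantOption);
  } else {
    // Fail loudly rather than fall through: a no-op revoke is a security hazard.
    throw new IllegalArgumentException(
        "Unsupported privilege scope '" + scope + "' in privilege: " + privilegeStr);
  }
}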
@Override
public void runTestAsSubject() throws Exception {
    // Grant a fresh role to a group and verify the group -> role -> group
    // mapping reads back consistently from both directions.
    String requestorUserName = ADMIN_USER;
    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
    String roleName = "admin_testdb";
    String groupName = "group1";
    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
    writePolicyFile();

    client.dropRoleIfExists(requestorUserName, roleName);
    client.createRole(requestorUserName, roleName);
    Set<TSentryRole> allRoles = client.listRoles(requestorUserName);
    assertEquals("Incorrect number of roles", 1, allRoles.size());

    client.grantRoleToGroup(requestorUserName, groupName, roleName);
    Set<TSentryRole> rolesForGroup = client.listRolesByGroupName(requestorUserName, groupName);
    assertTrue(rolesForGroup.size() == 1);
    for (TSentryRole grantedRole : rolesForGroup) {
        assertTrue(grantedRole.getRoleName(), grantedRole.getRoleName().equalsIgnoreCase(roleName));
        assertTrue(grantedRole.getGroups().size() == 1);
        for (TSentryGroup memberGroup : grantedRole.getGroups()) {
            assertTrue(memberGroup.getGroupName(), memberGroup.getGroupName().equalsIgnoreCase(groupName));
        }
    }

    client.dropRole(requestorUserName, roleName);
}
});
}
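/**
 * Grants the privilege described by {@code privilegeStr} to {@code roleName},
 * dispatching on the privilege's scope (SERVER, DATABASE, TABLE, COLUMN, URI).
 *
 * @throws IllegalArgumentException if the scope is not one of the supported values;
 *         the original silently ignored such input and reported nothing to the operator.
 */
@Override
public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
  TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
  // Null-safe comparison: an absent grant option never grants WITH GRANT OPTION.
  boolean grantOption = TSentryGrantOption.TRUE.equals(tSentryPrivilege.getGrantOption());
  String scope = tSentryPrivilege.getPrivilegeScope();

  if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(scope)) {
    client.grantServerPrivilege(requestorName, roleName,
        tSentryPrivilege.getServerName(), tSentryPrivilege.getAction(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(scope)) {
    client.grantDatabasePrivilege(requestorName, roleName,
        tSentryPrivilege.getServerName(), tSentryPrivilege.getDbName(),
        tSentryPrivilege.getAction(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(scope)) {
    client.grantTablePrivilege(requestorName, roleName,
        tSentryPrivilege.getServerName(), tSentryPrivilege.getDbName(),
        tSentryPrivilege.getTableName(), tSentryPrivilege.getAction(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(scope)) {
    client.grantColumnPrivilege(requestorName, roleName,
        tSentryPrivilege.getServerName(), tSentryPrivilege.getDbName(),
        tSentryPrivilege.getTableName(), tSentryPrivilege.getColumnName(),
        tSentryPrivilege.getAction(), grantOption);
  } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(scope)) {
    client.grantURIPrivilege(requestorName, roleName,
        tSentryPrivilege.getServerName(), tSentryPrivilege.getURI(), grantOption);
  } else {
    // Fail loudly rather than fall through with no grant and no message.
    throw new IllegalArgumentException(
        "Unsupported privilege scope '" + scope + "' in privilege: " + privilegeStr);
  }
}
}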
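@Override
public void runTestAsSubject() throws Exception {
    // Create a role, bounce the Sentry service, and verify the role is still
    // listed afterwards. The original discarded both listRoles() results, so it
    // never actually checked that the role survived the restart.
    String requestorUserName = ADMIN_USER;
    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
    String roleName = "admin_r";
    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
    writePolicyFile();

    client.dropRoleIfExists(requestorUserName, roleName);
    client.createRole(requestorUserName, roleName);
    assertEquals("Role missing before restart", 1, client.listRoles(requestorUserName).size());

    stopSentryService();
    server = new SentryServiceFactory().create(conf);
    startSentryService();

    assertEquals("Role did not survive service restart", 1, client.listRoles(requestorUserName).size());
    client.dropRole(requestorUserName, roleName);
}
});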
try { if (operation.equals(RoleDDLDesc.RoleOperation.SET_ROLE)) { hiveAuthzBinding.setActiveRoleSet(name, sentryClient.listUserRoles(subject)); return RETURN_CODE_SUCCESS; } else if (operation.equals(RoleDDLDesc.RoleOperation.CREATE_ROLE)) { sentryClient.createRole(subject, name); return RETURN_CODE_SUCCESS; } else if (operation.equals(RoleDDLDesc.RoleOperation.DROP_ROLE)) { sentryClient.dropRole(subject, name); return RETURN_CODE_SUCCESS; } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT)) { throw new HiveException(msg); roles = sentryClient.listRolesByGroupName(subject, desc.getName() ); writeToFile(writeRoleGrantsInfo(roles), desc.getResFile()); return RETURN_CODE_SUCCESS; } else if(operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLES)) { Set<TSentryRole> roles = sentryClient.listRoles(subject); writeToFile(writeRolesInfo(roles), desc.getResFile()); return RETURN_CODE_SUCCESS; ActiveRoleSet roleSet = hiveAuthzBinding.getActiveRoleSet(); if( roleSet.isAll()) { Set<TSentryRole> roles = sentryClient.listUserRoles(subject); writeToFile(writeRolesInfo(roles), desc.getResFile()); return RETURN_CODE_SUCCESS;
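@Override
public void runTestAsSubject() throws Exception {
    // Grant a server-scope privilege with no explicit action and verify it is
    // recorded as "*" (ALL); then revoke it and verify nothing remains.
    String requestorUserName = ADMIN_USER;
    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
    writePolicyFile();

    String roleName1 = "admin_r1";
    client.dropRoleIfExists(requestorUserName, roleName1);
    client.createRole(requestorUserName, roleName1);

    client.grantServerPrivilege(requestorUserName, roleName1, "server", false);
    Set<TSentryPrivilege> listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
    // Check the count first so an empty result fails with a clear message
    // instead of a NoSuchElementException from iterator().next().
    assertEquals("Expected exactly one server privilege", 1, listPrivs.size());
    assertEquals("Privilege should be all:", "*", listPrivs.iterator().next().getAction());

    client.revokeServerPrivilege(requestorUserName, roleName1, "server", false);
    listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
    assertEquals("Privilege not correctly revoked !!", 0, listPrivs.size());
}
});
}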
client.createRole(requestorName, TEST_ROLE_NAME_1); client.createRole(requestorName, TEST_ROLE_NAME_2); confPath.getAbsolutePath() }; SentryShellHive.main(args); Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); assertEquals("Incorrect number of privileges", 5, privileges.size()); "-conf", confPath.getAbsolutePath() }; SentryShellHive.main(args); privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); assertEquals("Incorrect number of privileges", 4, privileges.size()); "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() }; SentryShellHive.main(args); privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); assertEquals("Incorrect number of privileges", 3, privileges.size()); confPath.getAbsolutePath() }; SentryShellHive.main(args); privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); assertEquals("Incorrect number of privileges", 2, privileges.size()); "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() }; SentryShellHive.main(args); privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1); assertEquals("Incorrect number of privileges", 1, privileges.size());