public boolean register(TMultiplexedProcessor multiplexedProcessor) throws Exception { SentryPolicyStoreProcessor sentryServiceHandler = new SentryPolicyStoreProcessor(SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME, conf); TProcessor processor = new SentryProcessorWrapper<SentryPolicyService.Iface>(sentryServiceHandler); multiplexedProcessor.registerProcessor(SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME, processor); return true; } }
private Set<String> getRequestorGroups(String userName) throws SentryUserException { return SentryPolicyStoreProcessor.getGroupsFromUserName(this.conf, userName); }
private void authorize(String requestorUser, Set<String> requestorGroups) throws SentryAccessDeniedException { if (!inAdminGroups(requestorGroups)) { String msg = "User: " + requestorUser + " is part of " + requestorGroups + " which does not, intersect admin groups " + adminGroups; LOGGER.warn(msg); throw new SentryAccessDeniedException("Access denied to " + requestorUser); } }
TCreateSentryRoleResponse response = new TCreateSentryRoleResponse(); try { validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName())); CommitContext commitContext = sentryStore.createSentryRole(request.getRoleName()); response.setStatus(Status.OK());
TSentryActiveRoleSet requestedRoleSet = request.getRoleSet(); try { validateClientVersion(request.getProtocol_version()); Set<String> memberGroups = getRequestorGroups(subject); if(!inAdminGroups(memberGroups)) { Set<String> roles = toTrimedLower(sentryStore .getRoleNamesForGroups(memberGroups)); for (String role : toTrimedLower(requestedRoleSet.getRoles())) { if (!roles.contains(role)) { throw new SentryAccessDeniedException("Access denied to " authRoleMap.put(authorizable, sentryStore .listSentryPrivilegesByAuthorizable(requestedGroups, request.getRoleSet(), authorizable, inAdminGroups(memberGroups)));
@Test(expected=SentryThriftAPIMismatchException.class) public void testSentryThriftAPIMismatch() throws Exception { SentryPolicyStoreProcessor.validateClientVersion(ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT -1); } @Test
this.conf = conf; this.notificationHandlerInvoker = new NotificationHandlerInvoker(conf, createHandlers(conf)); isReady = false; if (conf.getBoolean(ServerConfig.SENTRY_HA_ENABLED, adminGroups = ImmutableSet.copyOf(toTrimedLower(Sets.newHashSet(conf.getStrings( ServerConfig.ADMIN_GROUPS, new String[]{})))); Iterable<String> pluginClasses = ConfUtilties.CLASS_SPLITTER instance = this; initMetrics();
boolean checkAllGroups = false; try { validateClientVersion(request.getProtocol_version()); Set<String> groups = getRequestorGroups(subject); boolean admin = inAdminGroups(groups);
@Override public TDropPrivilegesResponse drop_sentry_privilege( TDropPrivilegesRequest request) throws TException { final Timer.Context timerContext = sentryMetrics.dropPrivilegeTimer.time(); TDropPrivilegesResponse response = new TDropPrivilegesResponse(); try { validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), adminGroups); sentryStore.dropPrivilege(request.getAuthorizable()); for (SentryPolicyStorePlugin plugin : sentryPlugins) { plugin.onDropSentryPrivilege(request); } response.setStatus(Status.OK()); } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); response.setStatus(Status.RuntimeError(msg, e)); } finally { timerContext.stop(); } return response; }
@Test(expected=SentryConfigurationException.class) public void testConfigNotAClassNotificationHandler() throws Exception { conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, "junk"); SentryPolicyStoreProcessor.createHandlers(conf); } @Test
@Override public TSentryImportMappingDataResponse import_sentry_mapping_data( TSentryImportMappingDataRequest request) throws TException { TSentryImportMappingDataResponse response = new TSentryImportMappingDataResponse(); try { String requestor = request.getRequestorUserName(); Set<String> memberGroups = getRequestorGroups(requestor); if (!inAdminGroups(memberGroups)) { // disallow non-admin to import the metadata of sentry throw new SentryAccessDeniedException("Access denied to " + requestor + " for import the metadata of sentry."); } sentryStore.importSentryMetaData(request.getMappingData(), request.isOverwriteRole()); response.setStatus(Status.OK()); } catch (SentryInvalidInputException e) { String msg = "Invalid input privilege object"; LOGGER.error(msg, e); response.setStatus(Status.InvalidInput(msg, e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); response.setStatus(Status.RuntimeError(msg, e)); } return response; } }
private boolean inAdminGroups(Set<String> requestorGroups) { requestorGroups = toTrimedLower(requestorGroups); if (Sets.intersection(adminGroups, requestorGroups).isEmpty()) { return false; } return true; } private void authorize(String requestorUser, Set<String> requestorGroups)
TSentryResponseStatus status; try { validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName())); CommitContext commitContext = sentryStore.dropSentryRole(request.getRoleName()); response.setStatus(Status.OK());
String subject = request.getRequestorUserName(); try { validateClientVersion(request.getProtocol_version()); Set<String> groups = getRequestorGroups(subject); Boolean admin = inAdminGroups(groups); if(!admin) { Set<String> roleNamesForGroups = toTrimedLower(sentryStore.getRoleNamesForGroups(groups)); if(!roleNamesForGroups.contains(request.getRoleName().trim().toLowerCase())) { throw new SentryAccessDeniedException("Access denied to " + subject);
@Test public void testSentryThriftAPIMatchVersion() throws Exception { SentryPolicyStoreProcessor.validateClientVersion(ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT); } }
@Override public TRenamePrivilegesResponse rename_sentry_privilege( TRenamePrivilegesRequest request) throws TException { final Timer.Context timerContext = sentryMetrics.renamePrivilegeTimer.time(); TRenamePrivilegesResponse response = new TRenamePrivilegesResponse(); try { validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), adminGroups); sentryStore.renamePrivilege(request.getOldAuthorizable(), request.getNewAuthorizable()); for (SentryPolicyStorePlugin plugin : sentryPlugins) { plugin.onRenameSentryPrivilege(request); } response.setStatus(Status.OK()); } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); response.setStatus(Status.RuntimeError(msg, e)); } finally { timerContext.close(); } return response; }
@Test(expected=SentryConfigurationException.class) public void testConfigNotNotificationHandler() throws Exception { conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, Object.class.getName()); SentryPolicyStoreProcessor.createHandlers(conf); } @Test(expected=SentryConfigurationException.class)
@Override public TSentryExportMappingDataResponse export_sentry_mapping_data( TSentryExportMappingDataRequest request) throws TException { TSentryExportMappingDataResponse response = new TSentryExportMappingDataResponse(); try { String requestor = request.getRequestorUserName(); Set<String> memberGroups = getRequestorGroups(requestor); if (!inAdminGroups(memberGroups)) { // disallow non-admin to import the metadata of sentry throw new SentryAccessDeniedException("Access denied to " + requestor + " for export the metadata of sentry."); } TSentryMappingData tSentryMappingData = new TSentryMappingData(); tSentryMappingData.setGroupRolesMap(sentryStore.getGroupNameRoleNamesMap()); tSentryMappingData.setRolePrivilegesMap(sentryStore.getRoleNameTPrivilegesMap()); response.setMappingData(tSentryMappingData); response.setStatus(Status.OK()); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); response.setMappingData(new TSentryMappingData()); response.setStatus(Status.RuntimeError(msg, e)); } return response; }
TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse(); try { validateClientVersion(request.getProtocol_version()); authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName())); CommitContext commitContext = sentryStore.alterSentryRoleDeleteGroups(request.getRoleName(), request.getGroups());
TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse(); try { validateClientVersion(request.getProtocol_version());