String msg = "Sentry access denied: " + e.getMessage(); LOGGER.error(msg, e); response.status = Status.AccessDenied(e.getMessage(), e); } catch (SentryAlreadyExistsException e) { String msg = "Sentry object already exists: " + e.getMessage(); LOGGER.error(msg, e); response.status = Status.AlreadyExists(e.getMessage(), e); } catch (SentryNoSuchObjectException e) { String msg = "Sentry object doesn't exist: " + e.getMessage(); LOGGER.error(msg, e); response.status = Status.NoSuchObject(e.getMessage(), e); } catch (SentryInvalidInputException e) { String msg = "Invalid input privilege object: " + e.getMessage(); LOGGER.error(msg, e); response.status = Status.InvalidInput(msg, e); } catch (SentryThriftAPIMismatchException e) { String msg = "Sentry thrift API mismatch error: " + e.getMessage(); LOGGER.error(msg, e); response.status = Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e); } catch (Exception e) { String msg = "Unknown error:" + e.getMessage(); LOGGER.error(msg, e); response.status = Status.RuntimeError(msg, e);
/**
 * Maps a thrift response status to the audit-log "allowed" flag.
 *
 * @param status the status carried in a Sentry thrift response
 * @return {@code Constants.TRUE} when {@code status} equals {@code Status.OK()}
 *         (as decided by {@code TSentryResponseStatus.equals}), otherwise
 *         {@code Constants.FALSE}; any non-OK status, including access denied
 *         and internal errors, is reported as "not allowed"
 */
public String isAllowed(TSentryResponseStatus status) {
  boolean ok = Status.OK().equals(status);
  return ok ? Constants.TRUE : Constants.FALSE;
}
/**
 * Converts a non-OK thrift response status back into the client-side exception
 * that corresponds to it, so callers can handle server-side failures as typed
 * exceptions instead of inspecting status codes.
 *
 * @param thriftStatus status received from the Sentry service
 * @throws SentryAlreadyExistsException    for ALREADY_EXISTS
 * @throws SentryNoSuchObjectException     for NO_SUCH_OBJECT
 * @throws SentryInvalidInputException     for INVALID_INPUT
 * @throws SentryAccessDeniedException     for ACCESS_DENIED
 * @throws SentryThriftAPIMismatchException for THRIFT_VERSION_MISMATCH
 * @throws RuntimeException                for RUNTIME_ERROR (unchecked, as the server
 *                                         reported an unexpected internal failure)
 * @throws AssertionError                  for UNKNOWN or any code this client does not know
 */
public static void throwIfNotOk(TSentryResponseStatus thriftStatus) throws SentryUserException {
  Status status = Status.fromCode(thriftStatus.getValue());
  if (status == Status.OK) {
    return;
  }
  // serverErrorToString renders the server's message (and, if present, its stack); the
  // typed exceptions also carry the raw server message as their second argument.
  String detail = serverErrorToString(thriftStatus);
  String serverMessage = thriftStatus.getMessage();
  switch (status) {
    case ALREADY_EXISTS:
      throw new SentryAlreadyExistsException(detail, serverMessage);
    case NO_SUCH_OBJECT:
      throw new SentryNoSuchObjectException(detail, serverMessage);
    case RUNTIME_ERROR:
      throw new RuntimeException(detail);
    case INVALID_INPUT:
      throw new SentryInvalidInputException(detail, serverMessage);
    case ACCESS_DENIED:
      throw new SentryAccessDeniedException(detail, serverMessage);
    case THRIFT_VERSION_MISMATCH:
      throw new SentryThriftAPIMismatchException(detail, serverMessage);
    case UNKNOWN:
      throw new AssertionError(detail);
    default:
      // A code newer than this client's Status enum: treat as a programming error.
      throw new AssertionError("Unknown status code: " + status + ". Msg: " + detail);
  }
}
/**
 * Thrift handler that drops every privilege attached to an authorizable.
 *
 * Order matters: the client protocol version is validated and the requestor is
 * checked against {@code adminGroups} before the store is touched, so a
 * non-admin caller never reaches {@code sentryStore.dropPrivilege}. Plugins are
 * notified only after the store has been updated.
 *
 * Failures are reported in the response status, never thrown: access denial and
 * protocol mismatch get their own codes; anything else becomes RUNTIME_ERROR with
 * the request text and exception message in the status message (and the stack
 * trace in the status, via {@code Status.RuntimeError}), so the client sees
 * server-side detail for those errors.
 *
 * NOTE(review): if a plugin callback throws, the store change has already been
 * made but the client receives RUNTIME_ERROR — confirm that is the intended
 * contract for plugin failures.
 *
 * @param request the drop request (requestor, protocol version, authorizable)
 * @return a response whose status describes the outcome
 */
@Override
public TDropPrivilegesResponse drop_sentry_privilege(TDropPrivilegesRequest request) throws TException {
  final Timer.Context timing = sentryMetrics.dropPrivilegeTimer.time();
  TDropPrivilegesResponse response = new TDropPrivilegesResponse();
  try {
    validateClientVersion(request.getProtocol_version());
    // Only administrators may drop privileges.
    authorize(request.getRequestorUserName(), adminGroups);
    sentryStore.dropPrivilege(request.getAuthorizable());
    for (SentryPolicyStorePlugin plugin : sentryPlugins) {
      plugin.onDropSentryPrivilege(request);
    }
    response.setStatus(Status.OK());
  } catch (SentryAccessDeniedException denied) {
    LOGGER.error(denied.getMessage(), denied);
    response.setStatus(Status.AccessDenied(denied.getMessage(), denied));
  } catch (SentryThriftAPIMismatchException mismatch) {
    LOGGER.error(mismatch.getMessage(), mismatch);
    response.setStatus(Status.THRIFT_VERSION_MISMATCH(mismatch.getMessage(), mismatch));
  } catch (Exception other) {
    String detail = "Unknown error for request: " + request + ", message: " + other.getMessage();
    LOGGER.error(detail, other);
    response.setStatus(Status.RuntimeError(detail, other));
  } finally {
    timing.stop();
  }
  return response;
}
/**
 * Verifies the audit entry built for a CREATE ROLE request: an OK status is
 * logged as allowed, any other status (here INVALID_INPUT) as not allowed,
 * with the same operation, object type and rendered statement in both cases.
 */
@Test
public void testCreateRole() {
  TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
  request.setRequestorUserName(TEST_USER_NAME);
  request.setRoleName(TEST_ROLE_NAME);
  String expectedStatement = "CREATE ROLE testRole";

  // Successful create -> allowed.
  TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
  response.setStatus(Status.OK());
  GMAuditMetadataLogEntity entry = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
      .createJsonLogEntity(request, response, conf);
  assertCommon(entry, Constants.TRUE, Constants.OPERATION_CREATE_ROLE, expectedStatement,
      Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());

  // Failed create -> not allowed.
  response.setStatus(Status.InvalidInput("", null));
  entry = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
      .createJsonLogEntity(request, response, conf);
  assertCommon(entry, Constants.FALSE, Constants.OPERATION_CREATE_ROLE, expectedStatement,
      Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
}
/**
 * Builds the thrift status returned to clients.
 *
 * When a throwable is supplied, its full stack trace is rendered into the
 * status's {@code stack} field. That field travels in the response to the
 * caller, so server-side exception detail is exposed to whoever made the
 * request; callers constructing statuses for untrusted clients should weigh
 * that against its debugging value.
 *
 * @param value   status code to report
 * @param message human-readable message for the client
 * @param t       optional cause whose stack trace is attached; may be null
 * @return a populated {@link TSentryResponseStatus}
 */
public static TSentryResponseStatus Create(Status value, String message, @Nullable Throwable t) {
  TSentryResponseStatus status = new TSentryResponseStatus();
  status.setValue(value.getCode());
  status.setMessage(message);
  if (t != null) {
    StringWriter trace = new StringWriter();
    try (PrintWriter sink = new PrintWriter(trace)) {
      t.printStackTrace(sink);
    }
    status.setStack(trace.toString());
  }
  return status;
}
public static void throwIfNotOk(TSentryResponseStatus thriftStatus)
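/**
 * Thrift handler that imports group/role/privilege mapping data into the store.
 *
 * Only members of an admin group may import: the requestor's groups are looked
 * up and checked with {@code inAdminGroups} before {@code sentryStore} is
 * touched. A denied requestor now receives ACCESS_DENIED (as
 * {@code drop_sentry_privilege} reports it) instead of falling through to the
 * generic RUNTIME_ERROR branch, so clients can tell authorization failures
 * from server faults.
 *
 * NOTE(review): unlike drop_sentry_privilege, no {@code validateClientVersion}
 * call is made here — confirm whether this request type carries a protocol
 * version that should be checked.
 *
 * NOTE(review): the generic error branch embeds {@code request.toString()} —
 * which for an import includes the whole mapping payload — in the status
 * message returned to the client and in the server log.
 *
 * @param request import request (requestor, mapping data, overwrite flag)
 * @return a response whose status describes the outcome
 */
@Override
public TSentryImportMappingDataResponse import_sentry_mapping_data(
    TSentryImportMappingDataRequest request) throws TException {
  TSentryImportMappingDataResponse response = new TSentryImportMappingDataResponse();
  try {
    String requestor = request.getRequestorUserName();
    Set<String> memberGroups = getRequestorGroups(requestor);
    if (!inAdminGroups(memberGroups)) {
      // disallow non-admin to import the metadata of sentry
      throw new SentryAccessDeniedException("Access denied to " + requestor + " for import the metadata of sentry.");
    }
    sentryStore.importSentryMetaData(request.getMappingData(), request.isOverwriteRole());
    response.setStatus(Status.OK());
  } catch (SentryAccessDeniedException e) {
    // Report the denial with its own status code rather than as an unknown error.
    LOGGER.error(e.getMessage(), e);
    response.setStatus(Status.AccessDenied(e.getMessage(), e));
  } catch (SentryInvalidInputException e) {
    String msg = "Invalid input privilege object";
    LOGGER.error(msg, e);
    response.setStatus(Status.InvalidInput(msg, e));
  } catch (Exception e) {
    String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
    LOGGER.error(msg, e);
    response.setStatus(Status.RuntimeError(msg, e));
  }
  return response;
}
}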
/**
 * Sends a DROP ROLE request on behalf of {@code requestorUserName}.
 *
 * @param requestorUserName user the server authorizes the drop for
 * @param roleName          role to drop
 * @param ifExists          when true, a NO_SUCH_OBJECT reply is treated as success
 * @throws SentryUserException on a transport failure (wrapping the {@link TException})
 *         or, via {@code Status.throwIfNotOk}, for any other non-OK reply
 */
private synchronized void dropRole(String requestorUserName, String roleName, boolean ifExists)
    throws SentryUserException {
  TDropSentryRoleRequest request = new TDropSentryRoleRequest();
  request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
  request.setRequestorUserName(requestorUserName);
  request.setRoleName(roleName);
  try {
    TDropSentryRoleResponse reply = client.drop_sentry_role(request);
    Status replyStatus = Status.fromCode(reply.getStatus().getValue());
    boolean missingIsAcceptable = ifExists && replyStatus == Status.NO_SUCH_OBJECT;
    if (!missingIsAcceptable) {
      Status.throwIfNotOk(reply.getStatus());
    }
  } catch (TException e) {
    throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
  }
}
} catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); " was denied"; LOGGER.error(msg); response.setStatus(Status.AccessDenied(msg, new SentryAccessDeniedException(msg))); return response; response.setStatus(Status.OK()); return response;
/**
 * Test helper: fails unless {@code resp} carries the expected status code.
 *
 * The failure message includes the expected and actual codes, the server
 * message and, when the response carries one, the server stack trace
 * (which {@code Status.Create} attaches for statuses built from a throwable).
 *
 * @param status expected status
 * @param resp   status actually returned by the service
 */
protected static void assertStatus(Status status, TSentryResponseStatus resp) {
  int actualCode = resp.getValue();
  if (actualCode == status.getCode()) {
    return;
  }
  StringBuilder failure = new StringBuilder()
      .append("Expected: ").append(status)
      .append(", Response: ").append(Status.fromCode(actualCode))
      .append(", Code: ").append(actualCode)
      .append(", Message: ").append(resp.getMessage());
  String stack = resp.getStack();
  String trimmedStack = stack == null ? "" : stack.trim();
  if (!trimmedStack.isEmpty()) {
    failure.append(", StackTrace: ").append(trimmedStack);
  }
  Assert.fail(failure.toString());
}
response.setPrivileges(serverPriv); response.setStatus(Status.OK()); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); response.setStatus(Status.RuntimeError(msg, e)); } finally { timerContext.stop();
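/**
 * Thrift handler that exports the full group->roles and role->privileges
 * mapping held by the store.
 *
 * Only members of an admin group may export: the requestor's groups are
 * checked with {@code inAdminGroups} before any store data is read. A denied
 * requestor now receives ACCESS_DENIED (matching {@code drop_sentry_privilege})
 * instead of the generic RUNTIME_ERROR, so clients can distinguish an
 * authorization failure from a server fault. Every non-OK response carries an
 * empty {@link TSentryMappingData} so the field is always populated.
 *
 * NOTE(review): no {@code validateClientVersion} call is made here, unlike
 * drop_sentry_privilege — confirm whether this request type carries a
 * protocol version that should be checked.
 *
 * @param request export request (requestor)
 * @return a response holding the mapping data on success and a status
 */
@Override
public TSentryExportMappingDataResponse export_sentry_mapping_data(
    TSentryExportMappingDataRequest request) throws TException {
  TSentryExportMappingDataResponse response = new TSentryExportMappingDataResponse();
  try {
    String requestor = request.getRequestorUserName();
    Set<String> memberGroups = getRequestorGroups(requestor);
    if (!inAdminGroups(memberGroups)) {
      // disallow non-admin to export the metadata of sentry
      throw new SentryAccessDeniedException("Access denied to " + requestor + " for export the metadata of sentry.");
    }
    TSentryMappingData tSentryMappingData = new TSentryMappingData();
    tSentryMappingData.setGroupRolesMap(sentryStore.getGroupNameRoleNamesMap());
    tSentryMappingData.setRolePrivilegesMap(sentryStore.getRoleNameTPrivilegesMap());
    response.setMappingData(tSentryMappingData);
    response.setStatus(Status.OK());
  } catch (SentryAccessDeniedException e) {
    // Report the denial with its own status code rather than as an unknown error.
    LOGGER.error(e.getMessage(), e);
    response.setMappingData(new TSentryMappingData());
    response.setStatus(Status.AccessDenied(e.getMessage(), e));
  } catch (Exception e) {
    String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
    LOGGER.error(msg, e);
    response.setMappingData(new TSentryMappingData());
    response.setStatus(Status.RuntimeError(msg, e));
  }
  return response;
}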
/**
 * Builds an ALREADY_EXISTS status via {@code Create}; when {@code t} is
 * non-null its stack trace is attached to the status and thus returned to
 * the client.
 *
 * @param message message for the client
 * @param t       optional cause; may be null
 */
public static TSentryResponseStatus AlreadyExists(String message, Throwable t) {
  return Create(Status.ALREADY_EXISTS, message, t);
}
public static TSentryResponseStatus NoSuchObject(String message, Throwable t) {
/**
 * Resolves the numeric code carried by a thrift status to its {@link Status} enum value.
 *
 * @param status thrift status from a service response
 * @return the matching {@link Status}, as returned by {@code Status.fromCode}
 */
private Status fromTSentryStatus(TSentryResponseStatus status) {
  int code = status.getValue();
  return Status.fromCode(code);
}
getRequestorGroups(request.getRequestorUserName())); CommitContext commitContext = sentryStore.createSentryRole(request.getRoleName()); response.setStatus(Status.OK()); notificationHandlerInvoker.create_sentry_role(commitContext, request, response); String msg = "Role: " + request + " already exists."; LOGGER.error(msg, e); response.setStatus(Status.AlreadyExists(msg, e)); } catch (SentryAccessDeniedException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.AccessDenied(e.getMessage(), e)); } catch (SentryThriftAPIMismatchException e) { LOGGER.error(e.getMessage(), e); response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); } catch (Exception e) { String msg = "Unknown error for request: " + request + ", message: " + e.getMessage(); LOGGER.error(msg, e); response.setStatus(Status.RuntimeError(msg, e)); } finally { timerContext.stop();
/**
 * Verifies the audit entry built for a DROP ROLE request: an OK status is
 * logged as allowed, any other status (here INVALID_INPUT) as not allowed,
 * with the same operation, object type and rendered statement in both cases.
 */
@Test
public void testDropRole() {
  TDropSentryRoleRequest request = new TDropSentryRoleRequest();
  request.setRequestorUserName(TEST_USER_NAME);
  request.setRoleName(TEST_ROLE_NAME);
  String expectedStatement = "DROP ROLE testRole";

  // Successful drop -> allowed.
  TDropSentryRoleResponse response = new TDropSentryRoleResponse();
  response.setStatus(Status.OK());
  GMAuditMetadataLogEntity entry = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
      .createJsonLogEntity(request, response, conf);
  assertCommon(entry, Constants.TRUE, Constants.OPERATION_DROP_ROLE, expectedStatement,
      Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());

  // Failed drop -> not allowed.
  response.setStatus(Status.InvalidInput("", null));
  entry = (GMAuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
      .createJsonLogEntity(request, response, conf);
  assertCommon(entry, Constants.FALSE, Constants.OPERATION_DROP_ROLE, expectedStatement,
      Constants.OBJECT_TYPE_ROLE, new HashMap<String, String>());
}
/**
 * Thrift handler that grants a privilege to a role for a generic-model component.
 *
 * The work runs inside {@code requestHandle}, which turns exceptions into a
 * response status. The client protocol version is validated first; the
 * requestor name is passed to the store along with the grant (presumably for
 * the store's own authorization — TODO confirm). Notification handlers are
 * invoked only on an OK status. An audit entry is written for every outcome,
 * and a failure to build the audit entry is logged but does not change the
 * response.
 *
 * @param request the grant request
 * @return a response whose status describes the outcome
 */
@Override
public TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege(
    final TAlterSentryRoleGrantPrivilegeRequest request) throws TException {
  Response<Void> result = requestHandle(new RequestHandler<Void>() {
    @Override
    public Response<Void> handle() throws Exception {
      validateClientVersion(request.getProtocol_version());
      CommitContext context = store.alterRoleGrantPrivilege(
          request.getComponent(),
          request.getRoleName(),
          toPrivilegeObject(request.getPrivilege()),
          request.getRequestorUserName());
      return new Response<Void>(Status.OK(), context);
    }
  });
  TAlterSentryRoleGrantPrivilegeResponse tResponse =
      new TAlterSentryRoleGrantPrivilegeResponse(result.status);
  boolean granted = result.status.getValue() == Status.OK.getCode();
  if (granted) {
    handerInvoker.alter_sentry_role_grant_privilege(result.context, request, tResponse);
  }
  try {
    String auditEntry = JsonLogEntityFactory.getInstance()
        .createJsonLogEntity(request, tResponse, conf)
        .toJsonFormatLog();
    AUDIT_LOGGER.info(auditEntry);
  } catch (Exception e) {
    // Audit failures must not mask the grant result; record them and carry on.
    String msg = "Error creating audit log for grant privilege to role: " + e.getMessage();
    LOGGER.error(msg, e);
  }
  return tResponse;
}
/**
 * Creates a role for a component, treating "already exists" as success.
 *
 * @param requestorUserName user the server authorizes the create for
 * @param roleName          role to create
 * @param component         generic-model component owning the role
 * @throws SentryUserException on a transport failure (wrapping the {@link TException})
 *         or, via {@code Status.throwIfNotOk}, for any non-OK reply other than ALREADY_EXISTS
 */
public void createRoleIfNotExist(String requestorUserName, String roleName, String component)
    throws SentryUserException {
  TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
  request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2);
  request.setRequestorUserName(requestorUserName);
  request.setRoleName(roleName);
  request.setComponent(component);
  try {
    TCreateSentryRoleResponse reply = client.create_sentry_role(request);
    Status replyStatus = Status.fromCode(reply.getStatus().getValue());
    boolean alreadyThere = replyStatus == Status.ALREADY_EXISTS;
    if (!alreadyThere) {
      Status.throwIfNotOk(reply.getStatus());
    }
  } catch (TException e) {
    throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
  }
}
/**
 * Builds a NO_SUCH_OBJECT status via {@code Create}; when {@code t} is
 * non-null its stack trace is attached to the status and thus returned to
 * the client.
 *
 * @param message message for the client
 * @param t       optional cause; may be null
 */
public static TSentryResponseStatus NoSuchObject(String message, Throwable t) {
  return Create(Status.NO_SUCH_OBJECT, message, t);
}
public static TSentryResponseStatus RuntimeError(String message, Throwable t) {