/**
 * Drops {@code role} for {@code COMPONENT_TYPE} through the generic Sentry client.
 *
 * @param client the service client the surrounding command executor hands in
 * @return always {@code null}; the result type is {@link Void}
 * @throws Exception whatever the client call raises
 */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // subject.getName() is forwarded as the first client argument, which reads as the
  // requesting user; no privilege check is performed locally in this method — presumably
  // the Sentry service authorizes the requestor, confirm against the client API.
  final String requestor = subject.getName();
  client.dropRole(requestor, role, COMPONENT_TYPE);
  return null;
}
});
/**
 * Grants {@code privilege} to {@code role} for {@code COMPONENT_TYPE} via the generic
 * Sentry client, converting it with {@code toTSentryPrivilege} first.
 *
 * @param client the service client supplied by the command executor
 * @return always {@code null}
 * @throws Exception propagated from the client call or the privilege conversion
 */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // The subject's name goes in as the first argument (presumably the requestor —
  // confirm against the client API); authorization of the grant is not checked here.
  final String requestor = subject.getName();
  client.grantPrivilege(requestor, role, COMPONENT_TYPE, toTSentryPrivilege(privilege));
  return null;
}
});
/**
 * Lists every role known to the Sentry service for {@code COMPONENT_TYPE}.
 *
 * @param client the service client supplied by the command executor
 * @return the roles returned by {@code listAllRoles}
 * @throws Exception propagated from the client call
 */
@Override
public Set<TSentryRole> run(SentryGenericServiceClient client) throws Exception {
  // subject.getName() is passed as the first argument; it reads as the requesting
  // user — confirm against the client API.
  final String requestor = subject.getName();
  final Set<TSentryRole> roles = client.listAllRoles(requestor, COMPONENT_TYPE);
  return roles;
}
});
/**
 * Revokes {@code privilege} from {@code role} for {@code COMPONENT_TYPE} via the generic
 * Sentry client, after converting it with {@code toTSentryPrivilege}.
 *
 * @param client the service client supplied by the command executor
 * @return always {@code null}
 * @throws Exception propagated from the client call or the privilege conversion
 */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // First argument is the subject's name (presumably the requestor — confirm against
  // the client API); no local authorization check precedes the revoke.
  final String requestor = subject.getName();
  client.revokePrivilege(requestor, role, COMPONENT_TYPE, toTSentryPrivilege(privilege));
  return null;
}
});
/**
 * Creates {@code role} for {@code COMPONENT_TYPE} through the generic Sentry client.
 *
 * @param client the service client supplied by the command executor
 * @return always {@code null}
 * @throws Exception propagated from the client call
 */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // subject.getName() is forwarded as the first argument, which reads as the
  // requesting user — confirm against the client API.
  final String requestor = subject.getName();
  client.createRole(requestor, role, COMPONENT_TYPE);
  return null;
}
});
/**
 * Lists the roles assigned to {@code groupName} for {@code COMPONENT_TYPE}.
 *
 * @param client the service client supplied by the command executor
 * @return the roles returned by {@code listRolesByGroupName}
 * @throws Exception propagated from the client call
 */
@Override
public Set<TSentryRole> run(SentryGenericServiceClient client) throws Exception {
  // The subject's name is the first argument (presumably the requestor — confirm
  // against the client API).
  final String requestor = subject.getName();
  final Set<TSentryRole> roles = client.listRolesByGroupName(requestor, groupName, COMPONENT_TYPE);
  return roles;
}
});
/**
 * Resolves the groups of {@code subject} through {@code groupService}.
 *
 * @param subject the user whose group membership is looked up
 * @return whatever {@code groupService.getGroups} returns for the subject's name
 */
private Set<String> getGroups(Subject subject) {
  // Only the subject's name is used as the lookup key.
  final String userName = subject.getName();
  return groupService.getGroups(userName);
}
/**
 * Removes {@code role} from the single group {@code group} for {@code COMPONENT_TYPE}.
 *
 * @param client the service client supplied by the command executor
 * @return always {@code null}
 * @throws Exception propagated from the client call
 */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // The client takes a set of groups; a one-element set is built around the single group.
  // subject.getName() reads as the requesting user — confirm against the client API.
  final String requestor = subject.getName();
  final String roleName = role.getName();
  client.deleteRoleToGroups(requestor, roleName, COMPONENT_TYPE, Sets.newHashSet(group));
  return null;
}
});
/**
 * Adds {@code role} to the single group {@code group} for {@code COMPONENT_TYPE}.
 *
 * @param client the service client supplied by the command executor
 * @return always {@code null}
 * @throws Exception propagated from the client call
 */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // Wraps the one group in a set because the client API accepts a group set.
  // subject.getName() is forwarded as the first argument (presumably the requestor).
  final String requestor = subject.getName();
  final String roleName = role.getName();
  client.addRoleToGroups(requestor, roleName, COMPONENT_TYPE, Sets.newHashSet(group));
  return null;
}
});
/**
 * Renames a privilege from {@code srcResource} to {@code dstResource} on the Sqoop server
 * named by {@code sqoopServer}, via the generic Sentry client.
 *
 * @param client the service client supplied by the command executor
 * @return always {@code null}
 * @throws Exception propagated from the client call or from {@code toAuthorizable}
 */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // Both resources are converted to authorizables; the subject's name is passed first
  // and reads as the requesting user — confirm against the client API.
  final String requestor = subject.getName();
  final String serverName = sqoopServer.getName();
  client.renamePrivilege(requestor, COMPONENT_TYPE, serverName,
      toAuthorizable(srcResource), toAuthorizable(dstResource));
  return null;
}
});
/**
 * Authorizes {@code subject} to perform {@code actions} on an index/collection.
 *
 * <p>The decision is delegated to {@code authProvider.hasAccess} with
 * {@code ActiveRoleSet.ALL}; the collection is handed over as a single-element
 * authorizable list.
 *
 * @param subject the user being authorized
 * @param collection the collection (index) being accessed
 * @param actions the search-model actions requested on the collection
 * @throws SentrySolrAuthorizationException if the provider reports no access
 */
public void authorizeCollection(Subject subject, Collection collection, Set<SearchModelAction> actions) throws SentrySolrAuthorizationException {
  // Guarded so the string concatenation only happens when debug logging is on.
  if (LOG.isDebugEnabled()) {
    LOG.debug("Going to authorize collection " + collection.getName() + " for subject " + subject.getName());
    LOG.debug("Actions: " + actions);
  }
  final boolean allowed = authProvider.hasAccess(subject, Arrays.asList(collection), actions, ActiveRoleSet.ALL);
  if (allowed) {
    return;
  }
  throw new SentrySolrAuthorizationException("User " + subject.getName() + " does not have privileges for " + collection.getName());
}
/**
 * Looks up the groups of {@code subject} via the provider's group mapping.
 *
 * @param subject the user whose groups are resolved by name
 * @return the groups returned by the group mapping for the subject's name
 * @throws SentryUserException propagated from the group mapping lookup
 */
public Set<String> getGroups(Subject subject) throws SentryUserException {
  final String userName = subject.getName();
  return this.authProvider.getGroupMapping().getGroups(userName);
}
/**
 * Looks up the groups of {@code subject} via the provider's group mapping.
 *
 * @param subject the user whose groups are resolved by name
 * @return the groups returned by the group mapping for the subject's name
 */
public Set<String> getGroups(Subject subject) {
  final String userName = subject.getName();
  return this.authProvider.getGroupMapping().getGroups(userName);
}
/**
 * Lists the privileges of {@code role} for {@code COMPONENT_TYPE}, scoped by
 * {@code resource} when one is given.
 *
 * @param client the service client supplied by the command executor
 * @return the privileges returned by {@code listPrivilegesByRoleName}
 * @throws Exception propagated from the client call or from {@code toAuthorizable}
 */
@Override
public Set<TSentryPrivilege> run(SentryGenericServiceClient client) throws Exception {
  // subject.getName() is passed first and reads as the requesting user — confirm
  // against the client API.
  final String requestor = subject.getName();
  // No resource: scope the listing to the binding's Sqoop server.
  if (resource == null) {
    return client.listPrivilegesByRoleName(requestor, role, COMPONENT_TYPE, sqoopServer.getName());
  }
  // A SERVER-typed resource supplies the server name itself.
  if (resource.getType().equalsIgnoreCase(MResource.TYPE.SERVER.name())) {
    return client.listPrivilegesByRoleName(requestor, role, COMPONENT_TYPE, resource.getName());
  }
  // Anything else is an authorizable below the binding's Sqoop server.
  return client.listPrivilegesByRoleName(requestor, role, COMPONENT_TYPE, sqoopServer.getName(), toAuthorizable(resource));
}
});
+ "no SolrCore attached to request"; if (errorIfNoCollection) { auditLogger.log(userName.getName(), impersonator, ipAddress, operation, paramString, eventTime, AuditLogger.UNAUTHORIZED, ""); throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED, msg); } else { // just warn log.warn(msg); auditLogger.log(userName.getName(), impersonator, ipAddress, operation, paramString, eventTime, AuditLogger.ALLOWED, ""); return; if (!superUser.getName().equals(userName.getName())) { binding.authorizeCollection(userName, collection, actions); auditLogger.log(userName.getName(), impersonator, ipAddress, operation, paramString, eventTime, AuditLogger.UNAUTHORIZED, collectionName); throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED, ex); auditLogger.log(userName.getName(), impersonator, ipAddress, operation, paramString, eventTime, AuditLogger.ALLOWED, collectionName);
try { if (work.getRoleDDLDesc() != null) { return processRoleDDL(console, sentryClient, subject.getName(), hiveAuthzBinding, work.getRoleDDLDesc()); subject.getName(), server, work.getGrantDesc()); subject.getName(), server, work.getRevokeDesc()); return processShowGrantDDL(console, sentryClient, subject.getName(), work.getShowGrantDesc()); subject.getName(), work.getGrantRevokeRoleDDL()); queryPlan.getQueryString(), new HashSet<ReadEntity>(), new HashSet<WriteEntity>(), stmtOperation, null, null, null, null, subject.getName(), ipAddress, new AuthorizationException(e), conf); HiveAuthzBindingHook.runFailureHook(hookContext, csHooks); String msg = "Error processing Sentry command: " + e.getReason() + "."; if (e instanceof SentryAccessDeniedException) { msg += "Please grant admin privilege to " + subject.getName() + ".";
/**
 * Filters {@code cols} down to the columns the current subject holds a privilege on.
 *
 * <p>The actual filtering is delegated to {@code HiveAuthzBindingHook.filterShowColumns}
 * with the binding, statement operation and subject name of this instance.
 *
 * @param cols the candidate columns of {@code table}
 * @param table the table the columns belong to (name and database are read from it)
 * @return the filtered column list returned by the hook
 * @throws HiveException propagated from the hook
 */
private List<FieldSchema> fiterColumns(List<FieldSchema> cols, Table table) throws HiveException {
  final String userName = getSubject().getName();
  final String tableName = table.getTableName();
  final String dbName = table.getDbName();
  return HiveAuthzBindingHook.filterShowColumns(getHiveAuthzBinding(), cols, getStmtOperation(),
      userName, tableName, dbName);
}
}
if(isDebug) { LOG.debug("Going to authorize statement " + hiveOp.name() + " for subject " + subject.getName()); found = true; if (!authProvider.hasAccess(subject, inputHierarchy, entry.getValue(), activeRoleSet)) { throw new AuthorizationException("User " + subject.getName() + " does not have privileges for " + hiveOp.name()); found = true; if (!authProvider.hasAccess(subject, outputHierarchy, requiredOutputPrivileges.get(key), activeRoleSet)) { throw new AuthorizationException("User " + subject.getName() + " does not have privileges for " + hiveOp.name());
/**
 * Drops the privilege on {@code resource} for the binding's Sqoop server via the generic
 * Sentry client. The privilege is described with action {@code SqoopActionConstant.ALL}.
 *
 * @param client the service client supplied by the command executor
 * @return always {@code null}
 * @throws Exception propagated from the client call or from {@code toTSentryAuthorizable}
 */
@Override
public Void run(SentryGenericServiceClient client) throws Exception {
  // Assemble the Thrift privilege describing what to drop; setter order is not significant.
  final TSentryPrivilege toDrop = new TSentryPrivilege();
  toDrop.setComponent(COMPONENT_TYPE);
  toDrop.setServiceName(sqoopServer.getName());
  toDrop.setAction(SqoopActionConstant.ALL);
  toDrop.setAuthorizables(toTSentryAuthorizable(resource));
  // bindingSubject.getName() is passed first and reads as the requesting user — confirm
  // against the client API; no local authorization check precedes the drop.
  final String requestor = bindingSubject.getName();
  client.dropPrivilege(requestor, COMPONENT_TYPE, toDrop);
  return null;
}
});
collection)); tPrivilege.setAuthorizables(authorizables); client.dropPrivilege(bindingSubject.getName(), AuthorizationComponent.Search, tPrivilege); } catch (SentryUserException ex) { throw new SentrySolrAuthorizationException("User " + bindingSubject.getName() + " can't delete privileges for collection " + collection); } catch (Exception ex) {