public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException { MSentryGMPrivilege mPrivilege = convertToPrivilege(privilege); grantRolePartial(mPrivilege, role, pm); }
public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException { MSentryGMPrivilege mPrivilege = convertToPrivilege(privilege); grantRolePartial(mPrivilege, role, pm); }
public void revokePrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException { MSentryGMPrivilege mPrivilege = getPrivilege(convertToPrivilege(privilege), pm); if (mPrivilege == null) { mPrivilege = convertToPrivilege(privilege); } else { mPrivilege = (MSentryGMPrivilege) pm.detachCopy(mPrivilege); } Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet(); privilegeGraph.addAll(populateIncludePrivileges(Sets.newHashSet(role), mPrivilege, pm)); /** * Get the privilege graph * populateIncludePrivileges will get the privileges that needed revoke */ for (MSentryGMPrivilege persistedPriv : privilegeGraph) { /** * force to load all roles related this privilege * avoid the lazy-loading risk,such as: * if the roles field of privilege aren't loaded, then the roles is a empty set * privilege.removeRole(role) and pm.makePersistent(privilege) * will remove other roles that shouldn't been removed */ revokeRolePartial(mPrivilege, persistedPriv, role, pm); } pm.makePersistent(role); }
public void revokePrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException { MSentryGMPrivilege mPrivilege = getPrivilege(convertToPrivilege(privilege), pm); if (mPrivilege == null) { mPrivilege = convertToPrivilege(privilege); } else { mPrivilege = pm.detachCopy(mPrivilege); } Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet(); privilegeGraph.addAll(populateIncludePrivileges(Sets.newHashSet(role), mPrivilege, pm)); /* * Get the privilege graph * populateIncludePrivileges will get the privileges that needed revoke */ for (MSentryGMPrivilege persistedPriv : privilegeGraph) { /* * force to load all roles related this privilege * avoid the lazy-loading risk,such as: * if the roles field of privilege aren't loaded, then the roles is a empty set * privilege.removeRole(role) and pm.makePersistent(privilege) * will remove other roles that shouldn't been removed */ revokeRolePartial(mPrivilege, persistedPriv, role, pm); } pm.makePersistent(role); }
public boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) { MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege); boolean hasGrant = false; //get persistent privileges by roles Query query = pm.newQuery(MSentryGMPrivilege.class); StringBuilder filters = new StringBuilder(); if (roles != null && roles.size() > 0) { query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role"); List<String> rolesFiler = new LinkedList<String>(); for (MSentryRole role : roles) { rolesFiler.add("role.roleName == \"" + role.getRoleName() + "\" "); } filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")"); } query.setFilter(filters.toString()); List<MSentryGMPrivilege> tPrivileges = (List<MSentryGMPrivilege>)query.execute(); for (MSentryGMPrivilege tPrivilege : tPrivileges) { if (tPrivilege.getGrantOption() && tPrivilege.implies(requestPrivilege)) { hasGrant = true; break; } } return hasGrant; } public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {
/** * Drop any role related to the requested privilege and its children privileges */ public void dropPrivilege(PrivilegeObject privilege,PersistenceManager pm) throws SentryUserException { MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege); if (Strings.isNullOrEmpty(privilege.getAction())) { requestPrivilege.setAction(getAction(privilege.getComponent(), Action.ALL).getValue()); } /* * Get the privilege graph * populateIncludePrivileges will get the privileges that need dropped, */ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet(); privilegeGraph.addAll(populateIncludePrivileges(null, requestPrivilege, pm)); for (MSentryGMPrivilege mPrivilege : privilegeGraph) { /* * force to load all roles related this privilege * avoid the lazy-loading */ pm.retrieve(mPrivilege); Set<MSentryRole> roles = mPrivilege.getRoles(); for (MSentryRole role : roles) { revokeRolePartial(requestPrivilege, mPrivilege, role, pm); } } }
/** * Drop any role related to the requested privilege and its children privileges */ public void dropPrivilege(PrivilegeObject privilege,PersistenceManager pm) { MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege); if (Strings.isNullOrEmpty(privilege.getAction())) { requestPrivilege.setAction(getAction(privilege.getComponent(), Action.ALL).getValue()); } /** * Get the privilege graph * populateIncludePrivileges will get the privileges that need dropped, */ Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet(); privilegeGraph.addAll(populateIncludePrivileges(null, requestPrivilege, pm)); for (MSentryGMPrivilege mPrivilege : privilegeGraph) { /** * force to load all roles related this privilege * avoid the lazy-loading */ pm.retrieve(mPrivilege); Set<MSentryRole> roles = mPrivilege.getRoles(); for (MSentryRole role : roles) { revokeRolePartial(requestPrivilege, mPrivilege, role, pm); } } }
/** * Verify whether specified privilege can be granted * @param roles set of roles for the privilege * @param privilege privilege being checked * @param pm Persistentence manager instance * @return true iff at least one privilege within the role allows for the * requested privilege */ boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) { MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege); if (roles.isEmpty()) { return false; } // get persistent privileges by roles // Find all GM privileges for all the input roles Query query = pm.newQuery(MSentryGMPrivilege.class); QueryParamBuilder paramBuilder = QueryParamBuilder.addRolesFilter(query, null, SentryStore.rolesToRoleNames(roles)); query.setFilter(paramBuilder.toString()); List<MSentryGMPrivilege> tPrivileges = (List<MSentryGMPrivilege>)query.executeWithMap(paramBuilder.getArguments()); for (MSentryGMPrivilege tPrivilege : tPrivileges) { if (tPrivilege.getGrantOption() && tPrivilege.implies(requestPrivilege)) { return true; } } return false; }