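/**
 * Folds one persisted privilege's action into the per-principal action list.
 *
 * <p>The action is upper-cased and, because OWNER is stored as an action of its own,
 * it is reported to callers as {@code AccessConstants.ACTION_ALL}. When the principal
 * already has an entry the new action is appended after a comma; no de-duplication
 * is performed, so callers see every action that was granted.
 *
 * @param mPriv       the persisted privilege whose action is being recorded
 * @param tEntityType the principal type (role/user) the map entry is keyed by
 * @param principal   the principal name
 * @param update      the map being built; mutated in place
 * @return {@code update}, for chaining
 */
private static Map<TPrivilegePrincipal, String> addPrivilegeEntry(MSentryPrivilege mPriv,
    TPrivilegePrincipalType tEntityType, String principal,
    Map<TPrivilegePrincipal, String> update) {
  TPrivilegePrincipal tPrivilegePrincipal = new TPrivilegePrincipal(tEntityType, principal);
  // Locale.ROOT so the default locale cannot change how the action keyword is
  // upper-cased before it is compared (e.g. "insert" under a Turkish locale).
  // Fully qualified to avoid depending on the file's import list.
  String action = mPriv.getAction().toUpperCase(java.util.Locale.ROOT);
  String newAction = action;
  if (action.equals(AccessConstants.OWNER)) {
    // Translate owner privilege to the concrete privilege it implies.
    newAction = AccessConstants.ACTION_ALL;
  }
  String existingPriv = update.get(tPrivilegePrincipal);
  String merged = (existingPriv == null) ? newAction : existingPriv + "," + newAction;
  update.put(tPrivilegePrincipal, merged);
  return update;
}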
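/**
 * Renders a privilege as a policy-style authorizable string: one {@code type=value}
 * segment per populated level, joined by {@code AUTHORIZABLE_JOINER}.
 *
 * <p>The hierarchy is emitted only as deep as the privilege is populated: a db only
 * under the server, a table only under a db, a column only under a table. A URI
 * privilege replaces the db/table/column levels entirely. The action segment is
 * appended unless the action is ALL, which is left implicit.
 *
 * @param privilege the privilege to render
 * @return the joined authorizable string
 */
@VisibleForTesting
static String toAuthorizable(MSentryPrivilege privilege) {
  List<String> authorizable = new ArrayList<String>(4);
  authorizable.add(authorizableSegment(AuthorizableType.Server, privilege.getServerName()));
  if (!isNULL(privilege.getURI())) {
    authorizable.add(authorizableSegment(AuthorizableType.URI, privilege.getURI()));
  } else if (!isNULL(privilege.getDbName())) {
    authorizable.add(authorizableSegment(AuthorizableType.Db, privilege.getDbName()));
    if (!isNULL(privilege.getTableName())) {
      authorizable.add(authorizableSegment(AuthorizableType.Table, privilege.getTableName()));
      if (!isNULL(privilege.getColumnName())) {
        authorizable.add(authorizableSegment(AuthorizableType.Column, privilege.getColumnName()));
      }
    }
  }
  String action = privilege.getAction();
  if (!isNULL(action) && !action.equalsIgnoreCase(AccessConstants.ALL)) {
    // Locale.ROOT: the segment key must not depend on the JVM's default locale.
    authorizable.add(KV_JOINER.join(
        PolicyConstants.PRIVILEGE_NAME.toLowerCase(java.util.Locale.ROOT), action));
  }
  return AUTHORIZABLE_JOINER.join(authorizable);
}

/**
 * Formats one {@code type=value} segment. The type name is lower-cased with
 * {@code Locale.ROOT} so names such as {@code URI} render identically in every locale.
 */
private static String authorizableSegment(AuthorizableType type, String value) {
  return KV_JOINER.join(type.name().toLowerCase(java.util.Locale.ROOT), value);
}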
/**
 * Narrows or removes a role's table-level privilege.
 *
 * <p>Roles can be granted ALL, SELECT, and INSERT on tables. Revoking ALL (or its
 * wildcard spelling) removes the role from the privilege outright. When a role has
 * ALL and SELECT or INSERT is revoked, the ALL privilege has to be replaced by the
 * remaining action: revoking SELECT delegates with INSERT as the action to keep,
 * revoking INSERT delegates with SELECT. Revoking SELECT from a role that holds
 * only INSERT (or the reverse) changes nothing, since there is nothing to take away.
 *
 * @param pm                    the persistence manager the change is written through
 * @param requestedPrivToRevoke the privilege the caller asked to revoke
 * @param mRole                 the role losing the privilege
 * @param currentPrivilege      the privilege the role currently holds
 * @throws SentryInvalidInputException if the privilege cannot be converted or updated
 */
private void revokePartial(PersistenceManager pm, TSentryPrivilege requestedPrivToRevoke,
    MSentryRole mRole, MSentryPrivilege currentPrivilege) throws SentryInvalidInputException {
  // Operate on the persisted instance when one exists; otherwise build a fresh
  // model object from the same Thrift view of the current privilege.
  TSentryPrivilege currentAsThrift = convertToTSentryPrivilege(currentPrivilege);
  MSentryPrivilege persistedPriv = getMSentryPrivilege(currentAsThrift, pm);
  if (persistedPriv == null) {
    persistedPriv = convertToMSentryPrivilege(currentAsThrift);
  }

  String requested = requestedPrivToRevoke.getAction();
  String current = currentPrivilege.getAction();

  // NOTE(review): these literals appear to mirror AccessConstants.ALL / ACTION_ALL
  // used elsewhere in this class — worth confirming and unifying.
  boolean revokeEverything = requested.equalsIgnoreCase("ALL") || requested.equalsIgnoreCase("*");
  if (revokeEverything) {
    persistedPriv.removeRole(mRole);
    privCleaner.incPrivRemoval();
    pm.makePersistent(persistedPriv);
    return;
  }

  boolean dropSelect = requested.equalsIgnoreCase(AccessConstants.SELECT)
      && !current.equalsIgnoreCase(AccessConstants.INSERT);
  if (dropSelect) {
    revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, AccessConstants.INSERT);
    return;
  }

  boolean dropInsert = requested.equalsIgnoreCase(AccessConstants.INSERT)
      && !current.equalsIgnoreCase(AccessConstants.SELECT);
  if (dropInsert) {
    revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, AccessConstants.SELECT);
  }
}
/**
 * Revokes a privilege from a principal (role or user).
 *
 * <p>Actions listed in {@code PARTIAL_REVOKE_ACTIONS} go through the partial-revoke
 * path, which may narrow the privilege instead of removing it. Any other action is
 * removed from the persisted privilege directly; if no persisted instance matches,
 * nothing is changed.
 *
 * @param pm         the persistence manager the change is written through
 * @param tPrivilege the privilege the caller asked to revoke
 * @param mEntity    the principal losing the privilege
 * @param mPrivilege the privilege the principal currently holds
 * @throws SentryInvalidInputException if the privilege cannot be converted or updated
 */
private void revokePrivilege(PersistenceManager pm, TSentryPrivilege tPrivilege,
    PrivilegePrincipal mEntity, MSentryPrivilege mPrivilege) throws SentryInvalidInputException {
  boolean partial = PARTIAL_REVOKE_ACTIONS.contains(mPrivilege.getAction());
  if (partial) {
    revokePartial(pm, tPrivilege, mEntity, mPrivilege);
    return;
  }
  MSentryPrivilege persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(mPrivilege), pm);
  if (persistedPriv == null) {
    // Nothing matching in the store, so there is nothing to revoke.
    return;
  }
  persistedPriv.removePrincipal(mEntity);
  persistPrivilege(pm, persistedPriv);
}
for (String actionToAdd : PARTIAL_REVOKE_ACTIONS) { if( !requestedPrivToRevoke.getAction().equalsIgnoreCase(actionToAdd) && !currentPrivilege.getAction().equalsIgnoreCase(actionToAdd) && !AccessConstants.ALL.equalsIgnoreCase(actionToAdd) && !AccessConstants.ACTION_ALL.equalsIgnoreCase(actionToAdd)) {
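/**
 * Revokes a privilege from a role.
 *
 * <p>Privileges whose action is in {@code PARTIAL_REVOKE_ACTIONS} (ALL, SELECT, INSERT)
 * are handed to the partial-revoke path, which may narrow rather than remove them.
 * Any other action is detached from the persisted privilege; when no persisted
 * instance matches, nothing is changed.
 *
 * @param pm         the persistence manager the change is written through
 * @param tPrivilege the privilege the caller asked to revoke
 * @param mRole      the role losing the privilege
 * @param mPrivilege the privilege the role currently holds
 * @throws SentryInvalidInputException if the privilege cannot be converted or updated
 */
private void revokePrivilegeFromRole(PersistenceManager pm, TSentryPrivilege tPrivilege,
    MSentryRole mRole, MSentryPrivilege mPrivilege) throws SentryInvalidInputException {
  if (PARTIAL_REVOKE_ACTIONS.contains(mPrivilege.getAction())) {
    // ALL/SELECT/INSERT may have to be narrowed instead of dropped.
    revokePartial(pm, tPrivilege, mRole, mPrivilege);
    return;
  }
  MSentryPrivilege persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(mPrivilege), pm);
  if (persistedPriv == null) {
    return;
  }
  // Detach the role from the *persisted* instance, as the partial-revoke path does:
  // mPrivilege may be a transient copy, and mutating/persisting it would leave the
  // stored privilege (and thus the role's effective access) unchanged.
  persistedPriv.removeRole(mRole);
  privCleaner.incPrivRemoval();
  pm.makePersistent(persistedPriv);
}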
childPriv.setAction(priv.getAction());
childPriv.setAction(priv.getAction());
/**
 * Copies a persisted privilege's fields onto the given Thrift privilege.
 *
 * <p>The string columns are passed through {@code fromNULLCol} (presumably mapping
 * the store's NULL sentinel back to an absent value — confirm against its definition).
 * A missing grant option becomes {@code TSentryGrantOption.UNSET}; otherwise the
 * stored value's upper-cased string form is resolved to the matching enum constant.
 *
 * @param mSentryPrivilege the source model object
 * @param privilege        the Thrift object populated in place
 */
private void convertToTSentryPrivilege(MSentryPrivilege mSentryPrivilege, TSentryPrivilege privilege) {
  TSentryGrantOption grantOption = TSentryGrantOption.UNSET;
  if (mSentryPrivilege.getGrantOption() != null) {
    grantOption = TSentryGrantOption.valueOf(
        mSentryPrivilege.getGrantOption().toString().toUpperCase());
  }
  privilege.setGrantOption(grantOption);
  privilege.setCreateTime(mSentryPrivilege.getCreateTime());
  privilege.setPrivilegeScope(mSentryPrivilege.getPrivilegeScope());
  privilege.setAction(fromNULLCol(mSentryPrivilege.getAction()));
  privilege.setServerName(fromNULLCol(mSentryPrivilege.getServerName()));
  privilege.setDbName(fromNULLCol(mSentryPrivilege.getDbName()));
  privilege.setTableName(fromNULLCol(mSentryPrivilege.getTableName()));
  privilege.setColumnName(fromNULLCol(mSentryPrivilege.getColumnName()));
  privilege.setURI(fromNULLCol(mSentryPrivilege.getURI()));
}
/**
 * Populates a Thrift privilege from a persisted one.
 *
 * <p>Every nullable string column goes through {@code fromNULLCol} before being set
 * (its exact mapping is defined elsewhere in this class). The grant option is set to
 * {@code TSentryGrantOption.UNSET} when the model has none, else to the enum constant
 * named by the stored value's upper-cased string form.
 *
 * @param mSentryPrivilege the source model object
 * @param privilege        the Thrift object filled in place
 */
private void convertToTSentryPrivilege(MSentryPrivilege mSentryPrivilege, TSentryPrivilege privilege) {
  privilege.setCreateTime(mSentryPrivilege.getCreateTime());
  privilege.setAction(fromNULLCol(mSentryPrivilege.getAction()));
  privilege.setPrivilegeScope(mSentryPrivilege.getPrivilegeScope());
  privilege.setServerName(fromNULLCol(mSentryPrivilege.getServerName()));
  privilege.setDbName(fromNULLCol(mSentryPrivilege.getDbName()));
  privilege.setTableName(fromNULLCol(mSentryPrivilege.getTableName()));
  privilege.setColumnName(fromNULLCol(mSentryPrivilege.getColumnName()));
  privilege.setURI(fromNULLCol(mSentryPrivilege.getURI()));
  Object storedGrant = mSentryPrivilege.getGrantOption();
  privilege.setGrantOption(storedGrant == null
      ? TSentryGrantOption.UNSET
      : TSentryGrantOption.valueOf(storedGrant.toString().toUpperCase()));
}
assertFalse(mPrivilege.getGrantOption()); if (mPrivilege.getTableName().equals(table1)) { assertEquals(AccessConstants.ALL, mPrivilege.getAction()); } else if (mPrivilege.getTableName().equals(table2)) { assertNotSame(AccessConstants.SELECT, mPrivilege.getAction()); assertNotSame(AccessConstants.ALL, mPrivilege.getAction()); } else { fail("Unexpected table name: " + mPrivilege.getTableName()); assertEquals(db, mPrivilege.getDbName()); if (table1.equals(mPrivilege.getTableName())) { assertNotSame(AccessConstants.INSERT, mPrivilege.getAction()); assertNotSame(AccessConstants.ALL, mPrivilege.getAction()); } else if (table2.equals(mPrivilege.getTableName())) { assertNotSame(AccessConstants.INSERT, mPrivilege.getAction()); assertNotSame(AccessConstants.SELECT, mPrivilege.getAction()); assertNotSame(AccessConstants.ALL, mPrivilege.getAction());
assertEquals(db, mPrivilege.getDbName()); assertEquals(table, mPrivilege.getTableName()); assertNotSame(AccessConstants.SELECT, mPrivilege.getAction()); assertFalse(mPrivilege.getGrantOption());
assertEquals(server, mPrivilege.getServerName()); assertEquals(db, mPrivilege.getDbName()); assertNotSame(AccessConstants.SELECT, mPrivilege.getAction());
assertEquals(db, mPrivilege.getDbName()); assertEquals(table, mPrivilege.getTableName()); assertNotSame(AccessConstants.SELECT, mPrivilege.getAction()); assertFalse(mPrivilege.getGrantOption());
assertEquals(privileges.toString(), i+1, privileges.size()); MSentryPrivilege mPrivilege = Iterables.get(privileges, 0); assertEquals(AccessConstants.INSERT, mPrivilege.getAction());
assertEquals(db, mPrivilege.getDbName()); assertEquals(table, mPrivilege.getTableName()); assertEquals(AccessConstants.INSERT, mPrivilege.getAction()); assertFalse(mPrivilege.getGrantOption());
assertEquals(server, mPrivilege.getServerName()); assertEquals(db, mPrivilege.getDbName()); assertEquals(AccessConstants.INSERT, mPrivilege.getAction());