/**
 * Detaches a single privilege from this object.
 *
 * <p>The privilege's back-reference is cleared (via {@code privilege.removeRole(this)}) only
 * when the privilege was actually present in {@code privileges}; otherwise nothing happens.
 *
 * @param privilege the privilege to detach
 */
public void removePrivilege(MSentryPrivilege privilege) {
  boolean wasHeld = privileges.remove(privilege);
  if (!wasHeld) {
    // Not held here, so there is no back-reference to clear.
    return;
  }
  privilege.removeRole(this);
}
/**
 * Detaches every privilege currently held in {@code privileges}.
 *
 * @throws IllegalStateException if {@code privileges} is still non-empty after every held
 *     privilege has been asked to drop this object
 */
public void removePrivileges() {
  // Iterate over a snapshot: per the original author's note, privilege.removeRole calls back
  // into removePrivilege, which modifies `privileges` while we are looping.
  ImmutableSet<MSentryPrivilege> snapshot = ImmutableSet.copyOf(privileges);
  for (MSentryPrivilege held : snapshot) {
    held.removeRole(this);
  }
  // The emptying happens through the callbacks, not here, so verify it actually took place.
  Preconditions.checkState(privileges.isEmpty(), "Privileges should be empty: " + privileges);
}
/**
 * Revokes a privilege from a role.
 *
 * <p>Actions listed in {@code PARTIAL_REVOKE_ACTIONS} (ALL, SELECT and INSERT according to the
 * original comment) are delegated to {@link #revokePartial}. Any other action is revoked
 * directly, and only if a matching privilege is found through {@code getMSentryPrivilege}.
 *
 * @param pm persistence manager used for the lookup and for persisting the change
 * @param tPrivilege the privilege named in the revoke request; forwarded to the partial path
 * @param mRole the role losing the privilege
 * @param mPrivilege the privilege being revoked; its action selects the path taken
 * @throws SentryInvalidInputException declared by this method; raised by the helpers it calls
 */
private void revokePrivilegeFromRole(PersistenceManager pm, TSentryPrivilege tPrivilege,
    MSentryRole mRole, MSentryPrivilege mPrivilege) throws SentryInvalidInputException {
  boolean partiallyRevocable = PARTIAL_REVOKE_ACTIONS.contains(mPrivilege.getAction());
  if (partiallyRevocable) {
    revokePartial(pm, tPrivilege, mRole, mPrivilege);
    return;
  }

  // Direct revoke: the action is outside the partial-revoke set.
  MSentryPrivilege stored = getMSentryPrivilege(convertToTSentryPrivilege(mPrivilege), pm);
  if (stored == null) {
    // NOTE(review): nothing is revoked and nothing is reported to the caller in this case;
    // confirm callers do not treat a normal return as "privilege removed".
    return;
  }

  // NOTE(review): the role is detached from the caller-supplied mPrivilege, not from the
  // `stored` instance that was just looked up. Presumably both refer to the same persisted
  // object; verify against the caller.
  mPrivilege.removeRole(mRole);
  privCleaner.incPrivRemoval();
  pm.makePersistent(mPrivilege);
}
/**
 * Handles revocation for the actions that can be narrowed rather than simply dropped.
 *
 * <p>Roles can hold ALL, SELECT and INSERT on tables. Revoking SELECT or INSERT from a role
 * that holds ALL means removing ALL and granting the other action instead: INSERT when
 * SELECT was revoked, SELECT when INSERT was revoked. That narrowing is carried out by
 * {@code revokeRolePartial}.
 *
 * <p>NOTE(review): when none of the three cases below matches (for example SELECT is
 * requested while the current privilege's action is INSERT), the method returns without
 * changing anything and without signalling it.
 *
 * @param pm persistence manager used for the lookup and for persisting the change
 * @param requestedPrivToRevoke the privilege named in the revoke request
 * @param mRole the role losing the privilege
 * @param currentPrivilege the privilege under consideration for this role
 * @throws SentryInvalidInputException declared by this method; raised by the helpers it calls
 */
private void revokePartial(PersistenceManager pm, TSentryPrivilege requestedPrivToRevoke,
    MSentryRole mRole, MSentryPrivilege currentPrivilege) throws SentryInvalidInputException {
  MSentryPrivilege stored =
      getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm);
  if (stored == null) {
    // Nothing was found by the lookup, so work on a freshly converted copy instead.
    // NOTE(review): the ALL branch below calls makePersistent on this copy as well;
    // confirm that persisting a privilege that was not found is intended.
    stored = convertToMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege));
  }

  String requested = requestedPrivToRevoke.getAction();

  // Case 1: the request revokes everything ("ALL" or "*"), so detach the privilege outright.
  if (requested.equalsIgnoreCase("ALL") || requested.equalsIgnoreCase("*")) {
    stored.removeRole(mRole);
    privCleaner.incPrivRemoval();
    pm.makePersistent(stored);
    return;
  }

  // Case 2: SELECT is revoked and the current privilege is not INSERT; INSERT is what may remain.
  if (requested.equalsIgnoreCase(AccessConstants.SELECT)
      && !currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.INSERT)) {
    revokeRolePartial(pm, mRole, currentPrivilege, stored, AccessConstants.INSERT);
    return;
  }

  // Case 3: INSERT is revoked and the current privilege is not SELECT; SELECT is what may remain.
  if (requested.equalsIgnoreCase(AccessConstants.INSERT)
      && !currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.SELECT)) {
    revokeRolePartial(pm, mRole, currentPrivilege, stored, AccessConstants.SELECT);
  }
}
/**
 * Narrows a role's access: detaches the role from the given privilege and, if the role also
 * holds the matching ALL privilege, replaces that ALL with {@code addAction}.
 *
 * <p>Side effect visible to the caller: {@code currentPrivilege}'s action is overwritten with
 * {@code AccessConstants.ALL}, and then with {@code addAction} when the ALL branch is taken.
 * It is not restored before returning.
 *
 * <p>NOTE(review): the narrowing is spread over several {@code makePersistent} calls;
 * presumably the caller's transaction makes them atomic. Confirm against the caller.
 *
 * @param pm persistence manager used for the lookups and for persisting each change
 * @param mRole the role whose access is being narrowed
 * @param currentPrivilege privilege used as the lookup key; its action is mutated (see above)
 * @param persistedPriv privilege the role is detached from first
 * @param addAction action granted in place of ALL when the role held ALL
 * @throws SentryInvalidInputException declared by this method; raised by the helpers it calls
 */
private void revokeRolePartial(PersistenceManager pm, MSentryRole mRole,
    MSentryPrivilege currentPrivilege, MSentryPrivilege persistedPriv, String addAction)
    throws SentryInvalidInputException {
  // Always detach the role from the privilege handed in by the caller.
  persistedPriv.removeRole(mRole);
  privCleaner.incPrivRemoval();
  pm.makePersistent(persistedPriv);

  // If table / URI, remove ALL: re-key the lookup object to ALL and see whether the role holds it.
  currentPrivilege.setAction(AccessConstants.ALL);
  MSentryPrivilege allPriv =
      getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm);
  if (allPriv == null || !mRole.getPrivileges().contains(allPriv)) {
    // The role does not hold ALL, so there is nothing to narrow.
    return;
  }

  allPriv.removeRole(mRole);
  privCleaner.incPrivRemoval();
  pm.makePersistent(allPriv);

  // Grant the action that survives the revoke, creating the privilege if the lookup finds none.
  currentPrivilege.setAction(addAction);
  MSentryPrivilege remainingPriv =
      getMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege), pm);
  if (remainingPriv == null) {
    remainingPriv = convertToMSentryPrivilege(convertToTSentryPrivilege(currentPrivilege));
    mRole.appendPrivilege(remainingPriv);
  }
  remainingPriv.appendRole(mRole);
  pm.makePersistent(remainingPriv);
}
MSentryPrivilege mInsert = getMSentryPrivilege(tNotAll, pm); if (mSelect != null && mRole.getPrivileges().contains(mSelect)) { mSelect.removeRole(mRole); privCleaner.incPrivRemoval(); pm.makePersistent(mSelect); mInsert.removeRole(mRole); privCleaner.incPrivRemoval(); pm.makePersistent(mInsert);
pm.retrieve(role); hivePrivilege = (MSentryPrivilege)role.getPrivileges().toArray()[0]; hivePrivilege.removeRole(role); pm.makePersistent(hivePrivilege); commitTransaction(pm);