/**
 * Rejects a request whose Thrift protocol version is not the one this server speaks.
 *
 * <p>The comparison is an exact match against
 * {@code ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT}; older and newer clients are
 * both refused. The exception message carries both version numbers.
 *
 * @param protocolVersion protocol version supplied with the client request
 * @throws SentryThriftAPIMismatchException if the two versions differ
 */
private static void validateClientVersion(int protocolVersion)
    throws SentryThriftAPIMismatchException {
  if (ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT == protocolVersion) {
    return;
  }
  throw new SentryThriftAPIMismatchException(
      "Sentry thrift API protocol version mismatch: Client thrift version is: "
          + protocolVersion
          + " , server thrift version is "
          + ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
}
} // closes an enclosing scope (presumably the class) that opens outside this excerpt
/**
 * Builds the exception used to report that a role does not exist.
 *
 * <p>The exception is returned, not thrown; the caller decides when to raise it.
 *
 * @param roleName name of the role that was looked up; copied into the message as-is
 * @return a {@link SentryNoSuchObjectException} constructed with {@code "Role " + roleName}
 */
private static SentryNoSuchObjectException noSuchRole(String roleName) {
  final String description = "Role " + roleName;
  return new SentryNoSuchObjectException(description);
}
/**
 * Reads the Sentry server RPC address from the supplied configuration.
 *
 * @param conf configuration consulted for the {@code SERVER_RPC_ADDRESS} key
 * @return the configured address, never {@code null} and never the empty string
 * @throws MissingConfigurationException if the key is absent or maps to an empty string
 */
@Override
public String getSentryServerRpcAddress(Configuration conf) {
  final String configured = conf.get(SERVER_RPC_ADDRESS);
  if (configured == null || configured.isEmpty()) {
    // No default endpoint is substituted: a missing address is reported to the caller.
    throw new MissingConfigurationException(SERVER_RPC_ADDRESS);
  }
  // NOTE(review): a whitespace-only value passes the emptiness check above.
  return configured;
}
/**
 * Converts a Thrift response status into the corresponding client-side exception.
 *
 * <p>Returns normally only for {@code OK}. {@code RUNTIME_ERROR} is raised as an unchecked
 * {@link RuntimeException} built from {@code serverErrorToString(thriftStatus)} alone.
 * {@code UNKNOWN} and any status without its own case are raised as {@link AssertionError},
 * which is an {@link Error}: a caller's {@code catch (Exception e)} does not intercept it.
 *
 * @param thriftStatus status object taken from a server response
 * @throws SentryUserException the subclass matching the status: already exists, no such
 *     object, invalid input, access denied, or Thrift version mismatch
 */
public static void throwIfNotOk(TSentryResponseStatus thriftStatus) throws SentryUserException {
  final Status status = Status.fromCode(thriftStatus.getValue());
  if (status == Status.OK) {
    return;
  }
  // serverErrorToString is evaluated only on a failure path, inside the case that needs it.
  switch (status) {
    case ALREADY_EXISTS:
      throw new SentryAlreadyExistsException(
          serverErrorToString(thriftStatus), thriftStatus.getMessage());
    case NO_SUCH_OBJECT:
      throw new SentryNoSuchObjectException(
          serverErrorToString(thriftStatus), thriftStatus.getMessage());
    case RUNTIME_ERROR:
      throw new RuntimeException(serverErrorToString(thriftStatus));
    case INVALID_INPUT:
      throw new SentryInvalidInputException(
          serverErrorToString(thriftStatus), thriftStatus.getMessage());
    case ACCESS_DENIED:
      throw new SentryAccessDeniedException(
          serverErrorToString(thriftStatus), thriftStatus.getMessage());
    case THRIFT_VERSION_MISMATCH:
      throw new SentryThriftAPIMismatchException(
          serverErrorToString(thriftStatus), thriftStatus.getMessage());
    case UNKNOWN:
      throw new AssertionError(serverErrorToString(thriftStatus));
    default:
      throw new AssertionError(
          "Unknown status code: " + status + ". Msg: " + serverErrorToString(thriftStatus));
  }
}
response = handler.handle(); } catch (SentryAccessDeniedException e) { String msg = "Sentry access denied: " + e.getMessage(); LOGGER.error(msg, e); response.status = Status.AccessDenied(e.getMessage(), e); } catch (SentryAlreadyExistsException e) { String msg = "Sentry object already exists: " + e.getMessage(); LOGGER.error(msg, e); response.status = Status.AlreadyExists(e.getMessage(), e); } catch (SentryNoSuchObjectException e) { String msg = "Sentry object doesn't exist: " + e.getMessage(); LOGGER.error(msg, e); response.status = Status.NoSuchObject(e.getMessage(), e); } catch (SentryInvalidInputException e) { String msg = "Invalid input privilege object: " + e.getMessage(); LOGGER.error(msg, e); response.status = Status.InvalidInput(msg, e); } catch (SentryThriftAPIMismatchException e) { String msg = "Sentry thrift API mismatch error: " + e.getMessage(); LOGGER.error(msg, e); response.status = Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e); } catch (Exception e) { String msg = "Unknown error:" + e.getMessage();
/**
 * Resolves a named action through the action factory of the given component.
 *
 * @param component component whose action factory is consulted
 * @param name action name passed to the factory
 * @return the action the factory returned for {@code name}; never {@code null}
 * @throws SentryUserException if the factory returns {@code null} for {@code name}
 */
private BitFieldAction getAction(String component, String name) throws SentryUserException {
  // NOTE(review): the factory itself is dereferenced without a null check; confirm that
  // getActionFactory never returns null for an unrecognised component.
  final BitFieldAction resolved = getActionFactory(component).getActionByName(name);
  if (resolved != null) {
    return resolved;
  }
  throw new SentryUserException("Can not get BitFieldAction for name: " + name);
}
/**
 * Checks that every privilege in the set carries an explicit grant option.
 *
 * <p>Iteration stops at the first privilege whose grant option is
 * {@code TSentryGrantOption.UNSET}. An empty set passes.
 *
 * @param privileges privileges to inspect; dereferenced without a null check
 * @throws SentryInvalidInputException if any privilege has grant option {@code UNSET}
 */
private static void validateGrantOptionInprivileges(Set<TSentryPrivilege> privileges)
    throws SentryInvalidInputException {
  for (TSentryPrivilege candidate : privileges) {
    if (candidate.getGrantOption() != TSentryGrantOption.UNSET) {
      continue;
    }
    throw new SentryInvalidInputException(
        "Invalid Privilege input, UNSET option for GRANT <PRIVILEGE> is not valid");
  }
}
} // closes an enclosing scope (presumably the class) that opens outside this excerpt
/**
 * Admits the request only when the requestor belongs to an admin group.
 *
 * <p>On denial the full reason (the requestor's groups and the admin groups) is written to
 * the log at WARN level, while the exception carries only {@code ACCESS_DENIAL_MESSAGE}
 * followed by the user name, so group membership does not appear in the exception text.
 *
 * @param requestorUser name of the user making the request
 * @param requestorGroups groups of that user, as passed to {@code inAdminGroups}
 * @throws SentryAccessDeniedException if {@code inAdminGroups(requestorGroups)} is false
 */
private void authorize(String requestorUser, Set<String> requestorGroups)
    throws SentryAccessDeniedException {
  if (inAdminGroups(requestorGroups)) {
    return;
  }
  // NOTE(review): the user and group names are logged verbatim; if they come from the
  // request, confirm the log layout neutralises embedded line breaks.
  final String detail = "User: " + requestorUser + " is part of " + requestorGroups
      + " which does not, intersect admin groups " + adminGroups;
  LOGGER.warn(detail);
  throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + requestorUser);
}
/**
 * Requires the privilege string to name at least one {@code Indexer} authorizable.
 *
 * @param context validation context supplying the privilege string
 * @throws SentryConfigurationException if none of the authorizables returned by
 *     {@code parsePrivilege} is an {@code Indexer}
 */
@Override
public void validate(PrivilegeValidatorContext context) throws SentryConfigurationException {
  final String privilege = context.getPrivilege();
  for (IndexerModelAuthorizable candidate : parsePrivilege(privilege)) {
    if (candidate instanceof Indexer) {
      // One indexer is enough; the remaining authorizables are not examined.
      return;
    }
  }
  throw new SentryConfigurationException("Missing indexer object in " + privilege);
}
} // closes an enclosing scope (presumably the class) that opens outside this excerpt
/**
 * Negative test: reading {@code configVal} through the client must be refused.
 *
 * <p>The test fails if the call returns normally. On denial it checks that the exception
 * text contains both {@code "was denied"} and the requested key.
 */
@Override
public void runTestAsSubject() throws Exception {
  try {
    client.getConfigValue(configVal, defaultVal);
    // Reaching this line means the read was allowed, which is the failure case.
    fail("Attempt to access " + configVal + " succeeded");
  } catch (SentryAccessDeniedException denied) {
    final String rendered = denied.toString();
    assertTrue(rendered.contains("was denied"));
    assertTrue(rendered.contains(configVal));
  }
}
}); // ends the anonymous class and the call receiving it; both open outside this excerpt
} // ends the enclosing method, which also opens outside this excerpt
/**
 * Builds the exception used to report that a user does not exist.
 *
 * <p>The exception is returned, not thrown; the caller decides when to raise it.
 *
 * @param userName name of the user that was looked up; copied into the message as-is
 * @return a {@link SentryNoSuchObjectException} constructed with
 *     {@code "nonexistent user " + userName}
 */
private static SentryNoSuchObjectException noSuchUser(String userName) {
  final String description = "nonexistent user " + userName;
  return new SentryNoSuchObjectException(description);
}
/**
 * Verifies that a parameter declared optional in Thrift, but required here, was supplied.
 *
 * <p>A {@code null} return value means the check passed. Callers must test the result
 * before continuing: nothing is thrown when the parameter is missing.
 *
 * @param param the parameter to check
 * @param message text that is logged at WARN level and placed in the returned status
 * @return {@code null} if {@code param} is present, otherwise an InvalidInput status
 *     that can be sent back to the client
 */
private TSentryResponseStatus checkRequiredParameter(Object param, String message) {
  if (param != null) {
    return null;
  }
  LOGGER.warn(message);
  return Status.InvalidInput(message, new SentryInvalidInputException(message));
}
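/**
 * Rejects a request whose Thrift protocol version is not the one this server speaks.
 *
 * <p>The comparison is an exact match against
 * {@code ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT}; older and newer clients are
 * both refused. The exception message carries both version numbers.
 *
 * @param protocolVersion protocol version supplied with the client request
 * @throws SentryThriftAPIMismatchException if the two versions differ
 */
@VisibleForTesting
static void validateClientVersion(int protocolVersion)
    throws SentryThriftAPIMismatchException {
  if (ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT == protocolVersion) {
    return;
  }
  // The message spells "version" correctly in both halves so that operators searching
  // logs for "server thrift version" find this failure.
  throw new SentryThriftAPIMismatchException(
      "Sentry thrift API protocol version mismatch: Client thrift version is: "
          + protocolVersion
          + " , server thrift version is "
          + ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
}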
/**
 * Admits the request only when the requestor belongs to an admin group.
 *
 * <p>On denial the full reason (the requestor's groups and the admin groups) is written to
 * the log at WARN level, while the exception says only {@code "Access denied to "} followed
 * by the user name, so group membership does not appear in the exception text.
 *
 * @param requestorUser name of the user making the request
 * @param requestorGroups groups of that user, as passed to {@code inAdminGroups}
 * @throws SentryAccessDeniedException if {@code inAdminGroups(requestorGroups)} is false
 */
private void authorize(String requestorUser, Set<String> requestorGroups)
    throws SentryAccessDeniedException {
  if (inAdminGroups(requestorGroups)) {
    return;
  }
  // NOTE(review): the user and group names are logged verbatim; if they come from the
  // request, confirm the log layout neutralises embedded line breaks.
  final String detail = "User: " + requestorUser + " is part of " + requestorGroups
      + " which does not, intersect admin groups " + adminGroups;
  LOGGER.warn(detail);
  throw new SentryAccessDeniedException("Access denied to " + requestorUser);
}
/**
 * Returns the Sentry server RPC address stored under {@code SERVER_RPC_ADDRESS}.
 *
 * @param conf configuration to read the address from
 * @return the configured value; it is neither {@code null} nor empty
 * @throws MissingConfigurationException if no value, or an empty value, is configured
 */
@Override
public String getSentryServerRpcAddress(Configuration conf) {
  final String address = conf.get(SERVER_RPC_ADDRESS);
  final boolean missing = (address == null) || address.isEmpty();
  if (missing) {
    // The absence is surfaced to the caller; no fallback address is chosen here.
    throw new MissingConfigurationException(SERVER_RPC_ADDRESS);
  }
  return address;
}
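/**
 * Builds the exception used to report that an update does not exist.
 *
 * <p>The exception is returned, not thrown; the caller decides when to raise it.
 *
 * @param changeID change ID that was looked up
 * @return a {@link SentryNoSuchObjectException} constructed with
 *     {@code "nonexistent update " + changeID}
 */
private SentryNoSuchObjectException noSuchUpdate(final long changeID) {
  // The text is "nonexistent update <id>"; a literal " + " inside the quotes would be
  // printed as part of the message.
  return new SentryNoSuchObjectException("nonexistent update " + changeID);
}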
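/**
 * Derives the authorizable object name from a database name and an optional table name.
 *
 * <p>The result is {@code dbName} alone when {@code isNULL(tblName)} holds, otherwise
 * {@code dbName + "." + tblName}; in both cases it is lower-cased.
 *
 * @param dbName database name; required
 * @param tblName table name; may be missing, as decided by {@code isNULL}
 * @return the lower-cased authorizable name
 * @throws SentryInvalidInputException if {@code isNULL(dbName)} holds
 */
public static String getAuthzObj(String dbName, String tblName)
    throws SentryInvalidInputException {
  if (isNULL(dbName)) {
    throw new SentryInvalidInputException("Invalid input, DB name is missing");
  }
  final String qualified = isNULL(tblName) ? dbName : dbName + "." + tblName;
  // Lower-case with a fixed locale: the no-argument toLowerCase() follows the JVM default
  // locale, so the same object name could map to different authorization keys on
  // differently configured hosts (for example under a Turkish locale, where 'I' does not
  // map to 'i').
  // NOTE(review): other code that lower-cases names before comparing them against this
  // value should use the same locale; confirm.
  return qualified.toLowerCase(java.util.Locale.ROOT);
}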
/**
 * Reads the Sentry principal from the supplied configuration.
 *
 * @param conf configuration consulted for the {@code PRINCIPAL} key
 * @return the configured principal, never {@code null} and never the empty string
 * @throws MissingConfigurationException if the key is absent or maps to an empty string
 */
@Override
public String getSentryPrincipal(Configuration conf) {
  final String principal = conf.get(PRINCIPAL);
  if (principal == null || principal.isEmpty()) {
    // No default identity is substituted: a missing principal is reported to the caller.
    throw new MissingConfigurationException(PRINCIPAL);
  }
  // NOTE(review): a whitespace-only value passes the emptiness check above.
  return principal;
}
/**
 * Builds the exception used to report that a group does not exist.
 *
 * <p>The exception is returned, not thrown; the caller decides when to raise it.
 *
 * @param groupName name of the group that was looked up; copied into the message as-is
 * @return a {@link SentryNoSuchObjectException} constructed with {@code "Group " + groupName}
 */
private static SentryNoSuchObjectException noSuchGroup(String groupName) {
  final String description = "Group " + groupName;
  return new SentryNoSuchObjectException(description);
}
/**
 * Returns the Sentry principal stored under {@code PRINCIPAL}.
 *
 * @param conf configuration to read the principal from
 * @return the configured value; it is neither {@code null} nor empty
 * @throws MissingConfigurationException if no value, or an empty value, is configured
 */
@Override
public String getSentryPrincipal(Configuration conf) {
  final String principal = conf.get(PRINCIPAL);
  final boolean missing = (principal == null) || principal.isEmpty();
  if (missing) {
    // The absence is surfaced to the caller; no fallback principal is chosen here.
    throw new MissingConfigurationException(PRINCIPAL);
  }
  return principal;
}