From 1f25450db0b6f39fe532aef24570dc168d6cf597 Mon Sep 17 00:00:00 2001 From: Sun Dapeng Date: Thu, 10 Mar 2016 14:33:30 +0800 Subject: [PATCH 1/3] owner init --- .../exec/SentryHivePrivilegeObjectDesc.java | 8 + ...entryHiveAuthorizationTaskFactoryImpl.java | 16 +- .../db/service/persistent/SentryStore.java | 40 +++-- .../resources/sentry_policy_service.thrift | 1 + .../TestPrivilegeWithGrantOption.java | 1 + .../TestPrivilegeWithOwnerPermission.java | 157 ++++++++++++++++++ .../AbstractTestWithStaticConfiguration.java | 6 + 7 files changed, 207 insertions(+), 22 deletions(-) create mode 100644 sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithOwnerPermission.java diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java index 4fa4221b4..096ae4c12 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java @@ -22,6 +22,7 @@ public class SentryHivePrivilegeObjectDesc extends PrivilegeObjectDesc { private boolean isUri; private boolean isServer; + private String owner; public SentryHivePrivilegeObjectDesc() { // reset table type which is on by default @@ -48,4 +49,11 @@ public boolean isSentryPrivObjectDesc() { return isServer || isUri; } + public String getOwner() { + return owner; + } + + public void setOwner(String owner) { + this.owner = owner; + } } diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java index caf32cfa3..6315f64ce 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java @@ -32,6 +32,7 @@ import org.apache.hadoop.hive.ql.hooks.ReadEntity; import org.apache.hadoop.hive.ql.hooks.WriteEntity; import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.parse.ASTNode; import org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer; import org.apache.hadoop.hive.ql.parse.HiveParser; @@ -60,8 +61,10 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization private static final Logger LOG = LoggerFactory.getLogger(SentryHiveAuthorizationTaskFactoryImpl.class); - public SentryHiveAuthorizationTaskFactoryImpl(HiveConf conf, Hive db) { //NOPMD + private final Hive db; + public SentryHiveAuthorizationTaskFactoryImpl(HiveConf conf, Hive db) { //NOPMD + this.db = db; } @Override @@ -295,6 +298,17 @@ private SentryHivePrivilegeObjectDesc analyzePrivilegeObject(ASTNode ast) subject.setTable(true); String[] qualified = BaseSemanticAnalyzer.getQualifiedTableName(gchild); subject.setObject(qualified[1]); + try { + subject.setOwner(db.getTable(qualified[1]).getOwner()); + } catch (HiveException e) { + // Ignore the exception. + } + } else if (astChild.getToken().getType() == HiveParser.TOK_DB_TYPE) { + try { + subject.setOwner(db.getDatabase(privilegeObject).getOwnerName()); + } catch (HiveException e) { + // Ignore the exception. + } } for (int i = 1; i < astChild.getChildCount(); i++) { gchild = (ASTNode) astChild.getChild(i); diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java index c5c5ffbe2..db8a1e9b9 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java @@ -405,25 +405,23 @@ void clearAllTables() { } } - public CommitContext alterSentryRoleGrantPrivilege(String grantorPrincipal, - String roleName, TSentryPrivilege privilege) - throws SentryUserException { - return alterSentryRoleGrantPrivileges(grantorPrincipal, - roleName, Sets.newHashSet(privilege)); + public CommitContext alterSentryRoleGrantPrivilege(String grantorPrincipal, String roleName, + TSentryPrivilege privilege, boolean checkGrantOption) throws SentryUserException { + return alterSentryRoleGrantPrivileges(grantorPrincipal, roleName, Sets.newHashSet(privilege)); } - public CommitContext alterSentryRoleGrantPrivileges(String grantorPrincipal, - String roleName, Set privileges) - throws SentryUserException { + public CommitContext alterSentryRoleGrantPrivileges(String grantorPrincipal, String roleName, + Set privileges) throws SentryUserException { boolean rollbackTransaction = true; PersistenceManager pm = null; roleName = trimAndLower(roleName); try { pm = openTransaction(); for (TSentryPrivilege privilege : privileges) { - // first do grant check - grantOptionCheck(pm, grantorPrincipal, privilege); - + if (privilege.isCheckGrantOperation()) { + // first do grant check + grantOptionCheck(pm, grantorPrincipal, privilege); + } MSentryPrivilege mPrivilege = alterSentryRoleGrantPrivilegeCore(pm, roleName, privilege); if (mPrivilege != null) { @@ -498,23 +496,23 @@ private MSentryPrivilege alterSentryRoleGrantPrivilegeCore(PersistenceManager pm return mPrivilege; } - public CommitContext alterSentryRoleRevokePrivilege(String grantorPrincipal, - String roleName, TSentryPrivilege tPrivilege) throws SentryUserException { - return alterSentryRoleRevokePrivileges(grantorPrincipal, - roleName, Sets.newHashSet(tPrivilege)); + public CommitContext alterSentryRoleRevokePrivilege(String grantorPrincipal, String roleName, + TSentryPrivilege tPrivilege) throws SentryUserException { + return alterSentryRoleRevokePrivileges(grantorPrincipal, roleName, Sets.newHashSet(tPrivilege)); } - public CommitContext alterSentryRoleRevokePrivileges(String grantorPrincipal, - String roleName, Set tPrivileges) throws SentryUserException { - boolean rollbackTransaction = true; + public CommitContext alterSentryRoleRevokePrivileges(String grantorPrincipal, String roleName, + Set tPrivileges) throws SentryUserException { + boolean rollbackTransaction = true; PersistenceManager pm = null; roleName = safeTrimLower(roleName); try { pm = openTransaction(); for (TSentryPrivilege tPrivilege : tPrivileges) { - // first do revoke check - grantOptionCheck(pm, grantorPrincipal, tPrivilege); - + if (tPrivilege.isCheckGrantOperation()) { + // first do revoke check + grantOptionCheck(pm, grantorPrincipal, tPrivilege); + } alterSentryRoleRevokePrivilegeCore(pm, roleName, tPrivilege); } diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift index 40889e8fe..f15dc78d8 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift @@ -50,6 +50,7 @@ struct TSentryPrivilege { 8: optional i64 createTime, # Set on server side 9: optional TSentryGrantOption grantOption = TSentryGrantOption.FALSE 10: optional string columnName = "", +11: optional bool checkGrantOperation = true, } # TODO can this be deleted? it's not adding value to TAlterSentryRoleAddGroupsRequest diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java index 90c69a3b3..616508536 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java @@ -54,6 +54,7 @@ public static void setupTestStaticConfiguration() throws Exception { DummySentryOnFailureHook.class.getName()); isInternalServer = true; } + enableSessionAuthenticator = true; AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); } diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithOwnerPermission.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithOwnerPermission.java new file mode 100644 index 000000000..c8339c3a1 --- /dev/null +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithOwnerPermission.java @@ -0,0 +1,157 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.tests.e2e.dbprovider; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + +import java.sql.Connection; +import java.sql.SQLException; +import java.sql.Statement; + +import junit.framework.Assert; + +import org.apache.hadoop.hive.ql.plan.HiveOperation; +import org.apache.sentry.binding.hive.conf.HiveAuthzConf; +import org.apache.sentry.provider.db.SentryAccessDeniedException; +import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration; +import org.apache.sentry.tests.e2e.hive.DummySentryOnFailureHook; +import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +public class TestPrivilegeWithOwnerPermission extends AbstractTestWithStaticConfiguration { + + private static boolean isInternalServer = false; + + @BeforeClass + public static void setupTestStaticConfiguration() throws Exception { + useSentryService = true; + String hiveServer2Type = System + .getProperty(HiveServerFactory.HIVESERVER2_TYPE); + if ((hiveServer2Type == null) + || HiveServerFactory.isInternalServer(HiveServerFactory.HiveServer2Type + .valueOf(hiveServer2Type.trim()))) { + System.setProperty( + HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), + DummySentryOnFailureHook.class.getName()); + isInternalServer = true; + } + enableSessionAuthenticator = true; + AbstractTestWithStaticConfiguration.setupTestStaticConfiguration(); + } + + @Override + @Before + public void setup() throws Exception { + DummySentryOnFailureHook.invoked = false; + super.setupAdmin(); + super.setup(); + } + + /* + * Admin grant DB_1 user1 without grant option, grant user3 with grant option, + * user1 tries to grant it to user2, but failed. + * user3 can grant it to user2. + * user1 tries to revoke, but failed. + * user3 tries to revoke user2, user3 and user1, user3 revoke user1 will failed. + * permissions for DB_1. + */ + @Test + public void testOnGrantPrivilege() throws Exception { + + // setup db objects needed by the test + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE"); + statement.execute("DROP DATABASE IF EXISTS db_2 CASCADE"); + statement.execute("CREATE DATABASE db_1"); + statement.execute("CREATE ROLE group1_role"); + statement.execute("GRANT ALL ON DATABASE db_1 TO ROLE group1_role"); + statement.execute("GRANT ROLE group1_role TO GROUP " + USERGROUP1); + statement.execute("CREATE ROLE group3_grant_role"); + statement.execute("GRANT ALL ON DATABASE db_1 TO ROLE group3_grant_role WITH GRANT OPTION"); + statement.execute("GRANT ROLE group3_grant_role TO GROUP " + USERGROUP3); + statement.execute("CREATE ROLE group2_role"); + statement.execute("GRANT ROLE group2_role TO GROUP " + USERGROUP2); + + connection.close(); + + connection = context.createConnection(USER1_1); + statement = context.createStatement(connection); + + statement.execute("USE db_1"); + statement.execute("CREATE TABLE foo (id int)"); + runSQLWithError(statement, "GRANT ALL ON DATABASE db_1 TO ROLE group2_role", + HiveOperation.GRANT_PRIVILEGE, null, null, true); + runSQLWithError(statement, + "GRANT ALL ON DATABASE db_1 TO ROLE group2_role WITH GRANT OPTION", + HiveOperation.GRANT_PRIVILEGE, null, null, true); + statement.execute("GRANT ALL ON TABLE foo TO ROLE role2"); + + connection.close(); + context.close(); + } + + + // run the given statement and verify that failure hook is invoked as expected + private void runSQLWithError(Statement statement, String sqlStr, + HiveOperation expectedOp, String dbName, String tableName, + boolean checkSentryAccessDeniedException) throws Exception { + // negative test case: non admin user can't create role + assertFalse(DummySentryOnFailureHook.invoked); + try { + statement.execute(sqlStr); + Assert.fail("Expected SQL exception for " + sqlStr); + } catch (SQLException e) { + verifyFailureHook(expectedOp, dbName, tableName, checkSentryAccessDeniedException); + } finally { + DummySentryOnFailureHook.invoked = false; + } + + } + + // run the given statement and verify that failure hook is invoked as expected + private void verifyFailureHook(HiveOperation expectedOp, + String dbName, String tableName, boolean checkSentryAccessDeniedException) + throws Exception { + if (!isInternalServer) { + return; + } + + assertTrue(DummySentryOnFailureHook.invoked); + if (expectedOp != null) { + Assert.assertNotNull("Hive op is null for op: " + expectedOp, DummySentryOnFailureHook.hiveOp); + assertTrue(expectedOp.equals(DummySentryOnFailureHook.hiveOp)); + } + if (checkSentryAccessDeniedException) { + assertTrue("Expected SentryDeniedException for op: " + expectedOp, + DummySentryOnFailureHook.exception.getCause() instanceof SentryAccessDeniedException); + } + if(tableName != null) { + Assert.assertNotNull("Table object is null for op: " + expectedOp, DummySentryOnFailureHook.table); + assertTrue(tableName.equalsIgnoreCase(DummySentryOnFailureHook.table.getName())); + } + if(dbName != null) { + Assert.assertNotNull("Database object is null for op: " + expectedOp, DummySentryOnFailureHook.db); + assertTrue(dbName.equalsIgnoreCase(DummySentryOnFailureHook.db.getName())); + } + } + +} diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java index 704bbeeb9..4141738f4 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java @@ -45,6 +45,7 @@ import org.apache.hadoop.fs.permission.FsPermission; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator; import org.apache.sentry.binding.hive.SentryHiveAuthorizationTaskFactoryImpl; import org.apache.sentry.binding.metastore.SentryMetastorePostEventListener; import org.apache.sentry.core.model.db.DBModelAction; @@ -127,6 +128,7 @@ public abstract class AbstractTestWithStaticConfiguration { protected static boolean enableHiveConcurrency = false; // indicate if the database need to be clear for every test case in one test class protected static boolean clearDbPerTest = true; + protected static boolean enableSessionAuthenticator = false; protected static File baseDir; protected static File logDir; @@ -239,6 +241,10 @@ public static void setupTestStaticConfiguration() throws Exception { if (testServerType != null) { properties.put("sentry.e2etest.hiveServer2Type", testServerType); } + if (enableSessionAuthenticator) { + properties.put(HiveConf.ConfVars.HIVE_AUTHENTICATOR_MANAGER.varname, + SessionStateUserAuthenticator.class.getName()); + } baseDir = Files.createTempDir(); LOGGER.info("BaseDir = " + baseDir); logDir = assertCreateDir(new File(baseDir, "log")); From ec925ee563352e518ce8254710bf1daae5854527 Mon Sep 17 00:00:00 2001 From: Colin Ma Date: Thu, 10 Mar 2016 14:12:44 +0800 Subject: [PATCH 2/3] add TSentryPrivilege --- .../db/service/thrift/TSentryPrivilege.java | 109 +++++++++++++++++- 1 file changed, 105 insertions(+), 4 deletions(-) diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java index 1f75478f7..3c1b3027d 100644 --- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java +++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryPrivilege.java @@ -43,6 +43,7 @@ public class TSentryPrivilege implements org.apache.thrift.TBase, SchemeFactory> schemes = new HashMap, SchemeFactory>(); static { @@ -59,6 +60,7 @@ public class TSentryPrivilege implements org.apache.thrift.TBase byName = new HashMap(); @@ -107,6 +110,8 @@ public static _Fields findByThriftId(int fieldId) { return GRANT_OPTION; case 10: // COLUMN_NAME return COLUMN_NAME; + case 11: // CHECK_GRANT_OPERATION + return CHECK_GRANT_OPERATION; default: return null; } @@ -148,8 +153,9 @@ public String getFieldName() { // isset id assignments private static final int __CREATETIME_ISSET_ID = 0; + private static final int __CHECKGRANTOPERATION_ISSET_ID = 1; private byte __isset_bitfield = 0; - private _Fields optionals[] = {_Fields.DB_NAME,_Fields.TABLE_NAME,_Fields.URI,_Fields.CREATE_TIME,_Fields.GRANT_OPTION,_Fields.COLUMN_NAME}; + private _Fields optionals[] = {_Fields.DB_NAME,_Fields.TABLE_NAME,_Fields.URI,_Fields.CREATE_TIME,_Fields.GRANT_OPTION,_Fields.COLUMN_NAME,_Fields.CHECK_GRANT_OPERATION}; public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap; static { Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); @@ -171,6 +177,8 @@ public String getFieldName() { new org.apache.thrift.meta_data.EnumMetaData(org.apache.thrift.protocol.TType.ENUM, TSentryGrantOption.class))); tmpMap.put(_Fields.COLUMN_NAME, new org.apache.thrift.meta_data.FieldMetaData("columnName", org.apache.thrift.TFieldRequirementType.OPTIONAL, new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); + tmpMap.put(_Fields.CHECK_GRANT_OPERATION, new org.apache.thrift.meta_data.FieldMetaData("checkGrantOperation", org.apache.thrift.TFieldRequirementType.OPTIONAL, + new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.BOOL))); metaDataMap = Collections.unmodifiableMap(tmpMap); org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TSentryPrivilege.class, metaDataMap); } @@ -188,6 +196,8 @@ public TSentryPrivilege() { this.columnName = ""; + this.checkGrantOperation = true; + } public TSentryPrivilege( @@ -231,6 +241,7 @@ public TSentryPrivilege(TSentryPrivilege other) { if (other.isSetColumnName()) { this.columnName = other.columnName; } + this.checkGrantOperation = other.checkGrantOperation; } public TSentryPrivilege deepCopy() { @@ -255,6 +266,8 @@ public void clear() { this.columnName = ""; + this.checkGrantOperation = true; + } public String getPrivilegeScope() { @@ -471,6 +484,28 @@ public void setColumnNameIsSet(boolean value) { } } + public boolean isCheckGrantOperation() { + return this.checkGrantOperation; + } + + public void setCheckGrantOperation(boolean checkGrantOperation) { + this.checkGrantOperation = checkGrantOperation; + setCheckGrantOperationIsSet(true); + } + + public void unsetCheckGrantOperation() { + __isset_bitfield = EncodingUtils.clearBit(__isset_bitfield, __CHECKGRANTOPERATION_ISSET_ID); + } + + /** Returns true if field checkGrantOperation is set (has been assigned a value) and false otherwise */ + public boolean isSetCheckGrantOperation() { + return EncodingUtils.testBit(__isset_bitfield, __CHECKGRANTOPERATION_ISSET_ID); + } + + public void setCheckGrantOperationIsSet(boolean value) { + __isset_bitfield = EncodingUtils.setBit(__isset_bitfield, __CHECKGRANTOPERATION_ISSET_ID, value); + } + public void setFieldValue(_Fields field, Object value) { switch (field) { case PRIVILEGE_SCOPE: @@ -545,6 +580,14 @@ public void setFieldValue(_Fields field, Object value) { } break; + case CHECK_GRANT_OPERATION: + if (value == null) { + unsetCheckGrantOperation(); + } else { + setCheckGrantOperation((Boolean)value); + } + break; + } } @@ -577,6 +620,9 @@ public Object getFieldValue(_Fields field) { case COLUMN_NAME: return getColumnName(); + case CHECK_GRANT_OPERATION: + return Boolean.valueOf(isCheckGrantOperation()); + } throw new IllegalStateException(); } @@ -606,6 +652,8 @@ public boolean isSet(_Fields field) { return isSetGrantOption(); case COLUMN_NAME: return isSetColumnName(); + case CHECK_GRANT_OPERATION: + return isSetCheckGrantOperation(); } throw new IllegalStateException(); } @@ -704,6 +752,15 @@ public boolean equals(TSentryPrivilege that) { return false; } + boolean this_present_checkGrantOperation = true && this.isSetCheckGrantOperation(); + boolean that_present_checkGrantOperation = true && that.isSetCheckGrantOperation(); + if (this_present_checkGrantOperation || that_present_checkGrantOperation) { + if (!(this_present_checkGrantOperation && that_present_checkGrantOperation)) + return false; + if (this.checkGrantOperation != that.checkGrantOperation) + return false; + } + return true; } @@ -756,6 +813,11 @@ public int hashCode() { if (present_columnName) builder.append(columnName); + boolean present_checkGrantOperation = true && (isSetCheckGrantOperation()); + builder.append(present_checkGrantOperation); + if (present_checkGrantOperation) + builder.append(checkGrantOperation); + return builder.toHashCode(); } @@ -857,6 +919,16 @@ public int compareTo(TSentryPrivilege other) { return lastComparison; } } + lastComparison = Boolean.valueOf(isSetCheckGrantOperation()).compareTo(typedOther.isSetCheckGrantOperation()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetCheckGrantOperation()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.checkGrantOperation, typedOther.checkGrantOperation); + if (lastComparison != 0) { + return lastComparison; + } + } return 0; } @@ -956,6 +1028,12 @@ public String toString() { } first = false; } + if (isSetCheckGrantOperation()) { + if (!first) sb.append(", "); + sb.append("checkGrantOperation:"); + sb.append(this.checkGrantOperation); + first = false; + } sb.append(")"); return sb.toString(); } @@ -1085,6 +1163,14 @@ public void read(org.apache.thrift.protocol.TProtocol iprot, TSentryPrivilege st org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } break; + case 11: // CHECK_GRANT_OPERATION + if (schemeField.type == org.apache.thrift.protocol.TType.BOOL) { + struct.checkGrantOperation = iprot.readBool(); + struct.setCheckGrantOperationIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; default: org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } @@ -1153,6 +1239,11 @@ public void write(org.apache.thrift.protocol.TProtocol oprot, TSentryPrivilege s oprot.writeFieldEnd(); } } + if (struct.isSetCheckGrantOperation()) { + oprot.writeFieldBegin(CHECK_GRANT_OPERATION_FIELD_DESC); + oprot.writeBool(struct.checkGrantOperation); + oprot.writeFieldEnd(); + } oprot.writeFieldStop(); oprot.writeStructEnd(); } @@ -1192,7 +1283,10 @@ public void write(org.apache.thrift.protocol.TProtocol prot, TSentryPrivilege st if (struct.isSetColumnName()) { optionals.set(5); } - oprot.writeBitSet(optionals, 6); + if (struct.isSetCheckGrantOperation()) { + optionals.set(6); + } + oprot.writeBitSet(optionals, 7); if (struct.isSetDbName()) { oprot.writeString(struct.dbName); } @@ -1211,6 +1305,9 @@ public void write(org.apache.thrift.protocol.TProtocol prot, TSentryPrivilege st if (struct.isSetColumnName()) { oprot.writeString(struct.columnName); } + if (struct.isSetCheckGrantOperation()) { + oprot.writeBool(struct.checkGrantOperation); + } } @Override @@ -1222,7 +1319,7 @@ public void read(org.apache.thrift.protocol.TProtocol prot, TSentryPrivilege str struct.setServerNameIsSet(true); struct.action = iprot.readString(); struct.setActionIsSet(true); - BitSet incoming = iprot.readBitSet(6); + BitSet incoming = iprot.readBitSet(7); if (incoming.get(0)) { struct.dbName = iprot.readString(); struct.setDbNameIsSet(true); @@ -1247,6 +1344,10 @@ public void read(org.apache.thrift.protocol.TProtocol prot, TSentryPrivilege str struct.columnName = iprot.readString(); struct.setColumnNameIsSet(true); } + if (incoming.get(6)) { + struct.checkGrantOperation = iprot.readBool(); + struct.setCheckGrantOperationIsSet(true); + } } } From f7600cd8f90264bc319ad45cdd699ad0341f9632 Mon Sep 17 00:00:00 2001 From: Sun Dapeng Date: Thu, 10 Mar 2016 14:49:42 +0800 Subject: [PATCH 3/3] fix comi[ile --- .../sentry/provider/db/service/persistent/SentryStore.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java index db8a1e9b9..6c5629caf 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java @@ -406,7 +406,7 @@ void clearAllTables() { } public CommitContext alterSentryRoleGrantPrivilege(String grantorPrincipal, String roleName, - TSentryPrivilege privilege, boolean checkGrantOption) throws SentryUserException { + TSentryPrivilege privilege) throws SentryUserException { return alterSentryRoleGrantPrivileges(grantorPrincipal, roleName, Sets.newHashSet(privilege)); }