Impala
Impalaistheopensource,nativeanalyticdatabaseforApacheHadoop.
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Macros
SentryPolicyService.java
Go to the documentation of this file.
1 // Copyright 2014 Cloudera Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 package com.cloudera.impala.util;
16 
17 import java.util.List;
18 
19 import org.apache.sentry.SentryUserException;
20 import org.apache.sentry.provider.db.SentryAccessDeniedException;
21 import org.apache.sentry.provider.db.SentryAlreadyExistsException;
22 import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
23 import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
24 import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
25 import org.apache.sentry.provider.db.service.thrift.TSentryRole;
26 import org.apache.sentry.service.thrift.SentryServiceClientFactory;
27 import org.slf4j.Logger;
28 import org.slf4j.LoggerFactory;
29 
30 import com.cloudera.impala.authorization.SentryConfig;
31 import com.cloudera.impala.authorization.User;
32 import com.cloudera.impala.catalog.AuthorizationException;
33 import com.cloudera.impala.catalog.RolePrivilege;
34 import com.cloudera.impala.common.ImpalaException;
35 import com.cloudera.impala.common.InternalException;
36 import com.cloudera.impala.thrift.TPrivilege;
37 import com.cloudera.impala.thrift.TPrivilegeLevel;
38 import com.cloudera.impala.thrift.TPrivilegeScope;
39 import com.google.common.collect.Lists;
40 
44 public class SentryPolicyService {
45  private final static Logger LOG = LoggerFactory.getLogger(SentryPolicyService.class);
46  private final String ACCESS_DENIED_ERROR_MSG =
47  "User '%s' does not have privileges to execute: %s";
48  private final SentryConfig config_;
49 
55  class SentryServiceClient {
56  private final SentryPolicyServiceClient client_;
57 
61  public SentryServiceClient() throws InternalException {
62  client_ = createClient();
63  }
64 
68  public SentryPolicyServiceClient get() {
69  return client_;
70  }
71 
75  public void close() {
76  client_.close();
77  }
78 
82  private SentryPolicyServiceClient createClient() throws InternalException {
83  SentryPolicyServiceClient client;
84  try {
85  client = SentryServiceClientFactory.create(config_.getConfig());
86  } catch (Exception e) {
87  throw new InternalException("Error creating Sentry Service client: ", e);
88  }
89  return client;
90  }
91  }
92 
93  public SentryPolicyService(SentryConfig config) {
94  config_ = config;
95  }
96 
105  public void dropRole(User requestingUser, String roleName, boolean ifExists)
106  throws ImpalaException {
107  LOG.trace(String.format("Dropping role: %s on behalf of: %s", roleName,
108  requestingUser.getName()));
109  SentryServiceClient client = new SentryServiceClient();
110  try {
111  if (ifExists) {
112  client.get().dropRoleIfExists(requestingUser.getShortName(), roleName);
113  } else {
114  client.get().dropRole(requestingUser.getShortName(), roleName);
115  }
116  } catch (SentryAccessDeniedException e) {
117  throw new AuthorizationException(String.format(ACCESS_DENIED_ERROR_MSG,
118  requestingUser.getName(), "DROP_ROLE"));
119  } catch (SentryUserException e) {
120  throw new InternalException("Error dropping role: ", e);
121  } finally {
122  client.close();
123  }
124  }
125 
134  public void createRole(User requestingUser, String roleName, boolean ifNotExists)
135  throws ImpalaException {
136  LOG.trace(String.format("Creating role: %s on behalf of: %s", roleName,
137  requestingUser.getName()));
138  SentryServiceClient client = new SentryServiceClient();
139  try {
140  client.get().createRole(requestingUser.getShortName(), roleName);
141  } catch (SentryAccessDeniedException e) {
142  throw new AuthorizationException(String.format(ACCESS_DENIED_ERROR_MSG,
143  requestingUser.getName(), "CREATE_ROLE"));
144  } catch (SentryAlreadyExistsException e) {
145  if (ifNotExists) return;
146  throw new InternalException("Error creating role: ", e);
147  } catch (SentryUserException e) {
148  throw new InternalException("Error creating role: ", e);
149  } finally {
150  client.close();
151  }
152  }
153 
162  public void grantRoleToGroup(User requestingUser, String roleName, String groupName)
163  throws ImpalaException {
164  LOG.trace(String.format("Granting role '%s' to group '%s' on behalf of: %s",
165  roleName, groupName, requestingUser.getName()));
166  SentryServiceClient client = new SentryServiceClient();
167  try {
168  client.get().grantRoleToGroup(requestingUser.getShortName(), groupName, roleName);
169  } catch (SentryAccessDeniedException e) {
170  throw new AuthorizationException(String.format(ACCESS_DENIED_ERROR_MSG,
171  requestingUser.getName(), "GRANT_ROLE"));
172  } catch (SentryUserException e) {
173  throw new InternalException(
174  "Error making 'grantRoleToGroup' RPC to Sentry Service: ", e);
175  } finally {
176  client.close();
177  }
178  }
179 
180 
189  public void revokeRoleFromGroup(User requestingUser, String roleName, String groupName)
190  throws ImpalaException {
191  LOG.trace(String.format("Revoking role '%s' from group '%s' on behalf of: %s",
192  roleName, groupName, requestingUser.getName()));
193  SentryServiceClient client = new SentryServiceClient();
194  try {
195  client.get().revokeRoleFromGroup(requestingUser.getShortName(),
196  groupName, roleName);
197  } catch (SentryAccessDeniedException e) {
198  throw new AuthorizationException(String.format(ACCESS_DENIED_ERROR_MSG,
199  requestingUser.getName(), "REVOKE_ROLE"));
200  } catch (SentryUserException e) {
201  throw new InternalException(
202  "Error making 'revokeRoleFromGroup' RPC to Sentry Service: ", e);
203  } finally {
204  client.close();
205  }
206  }
207 
216  public void grantRolePrivilege(User requestingUser, String roleName,
217  TPrivilege privilege) throws ImpalaException {
218  LOG.trace(String.format("Granting role '%s' privilege '%s' on '%s' on behalf of: %s",
219  roleName, privilege.toString(), privilege.getScope().toString(),
220  requestingUser.getName()));
221  SentryServiceClient client = new SentryServiceClient();
222  try {
223  switch (privilege.getScope()) {
224  case SERVER:
225  client.get().grantServerPrivilege(requestingUser.getShortName(), roleName,
226  privilege.getServer_name(), privilege.isHas_grant_opt());
227  break;
228  case DATABASE:
229  client.get().grantDatabasePrivilege(requestingUser.getShortName(), roleName,
230  privilege.getServer_name(), privilege.getDb_name(),
231  privilege.getPrivilege_level().toString(),
232  privilege.isHas_grant_opt());
233  break;
234  case TABLE:
235  String tblName = privilege.getTable_name();
236  String dbName = privilege.getDb_name();
237  client.get().grantTablePrivilege(requestingUser.getShortName(), roleName,
238  privilege.getServer_name(), dbName, tblName,
239  privilege.getPrivilege_level().toString(),
240  privilege.isHas_grant_opt());
241  break;
242  case URI:
243  client.get().grantURIPrivilege(requestingUser.getShortName(),
244  roleName, privilege.getServer_name(), privilege.getUri(),
245  privilege.isHas_grant_opt());
246  break;
247  }
248  } catch (SentryAccessDeniedException e) {
249  throw new AuthorizationException(String.format(ACCESS_DENIED_ERROR_MSG,
250  requestingUser.getName(), "GRANT_PRIVILEGE"));
251  } catch (SentryUserException e) {
252  throw new InternalException(
253  "Error making 'grantPrivilege*' RPC to Sentry Service: ", e);
254  } finally {
255  client.close();
256  }
257  }
258 
267  public void revokeRolePrivilege(User requestingUser, String roleName,
268  TPrivilege privilege) throws ImpalaException {
269  LOG.trace(String.format("Revoking role '%s' privilege '%s' on '%s' on behalf of: %s",
270  roleName, privilege.toString(), privilege.getScope().toString(),
271  requestingUser.getName()));
272  SentryServiceClient client = new SentryServiceClient();
273  try {
274  switch (privilege.getScope()) {
275  case SERVER:
276  client.get().revokeServerPrivilege(requestingUser.getShortName(), roleName,
277  privilege.getServer_name(), null);
278  break;
279  case DATABASE:
280  client.get().revokeDatabasePrivilege(requestingUser.getShortName(), roleName,
281  privilege.getServer_name(), privilege.getDb_name(),
282  privilege.getPrivilege_level().toString(), null);
283  break;
284  case TABLE:
285  String tblName = privilege.getTable_name();
286  String dbName = privilege.getDb_name();
287  client.get().revokeTablePrivilege(requestingUser.getShortName(), roleName,
288  privilege.getServer_name(), dbName, tblName,
289  privilege.getPrivilege_level().toString(),
290  null);
291  break;
292  case URI:
293  client.get().revokeURIPrivilege(requestingUser.getShortName(),
294  roleName, privilege.getServer_name(), privilege.getUri(),
295  null);
296  break;
297  }
298  } catch (SentryAccessDeniedException e) {
299  throw new AuthorizationException(String.format(ACCESS_DENIED_ERROR_MSG,
300  requestingUser.getName(), "REVOKE_PRIVILEGE"));
301  } catch (SentryUserException e) {
302  throw new InternalException(
303  "Error making 'revokePrivilege*' RPC to Sentry Service: ", e);
304  } finally {
305  client.close();
306  }
307  }
308 
312  public List<TSentryRole> listUserRoles(User requestingUser)
313  throws ImpalaException {
314  SentryServiceClient client = new SentryServiceClient();
315  try {
316  return Lists.newArrayList(client.get().listUserRoles(
317  requestingUser.getShortName()));
318  } catch (SentryAccessDeniedException e) {
319  throw new AuthorizationException(String.format(ACCESS_DENIED_ERROR_MSG,
320  requestingUser.getName(), "LIST_USER_ROLES"));
321  } catch (SentryUserException e) {
322  throw new InternalException(
323  "Error making 'listUserRoles' RPC to Sentry Service: ", e);
324  } finally {
325  client.close();
326  }
327  }
328 
332  public List<TSentryRole> listAllRoles(User requestingUser) throws ImpalaException {
333  SentryServiceClient client = new SentryServiceClient();
334  try {
335  return Lists.newArrayList(client.get().listRoles(requestingUser.getShortName()));
336  } catch (SentryAccessDeniedException e) {
337  throw new AuthorizationException(String.format(ACCESS_DENIED_ERROR_MSG,
338  requestingUser.getName(), "LIST_ROLES"));
339  } catch (SentryUserException e) {
340  throw new InternalException("Error making 'listRoles' RPC to Sentry Service: ", e);
341  } finally {
342  client.close();
343  }
344  }
345 
349  public List<TSentryPrivilege> listRolePrivileges(User requestingUser, String roleName)
350  throws ImpalaException {
351  SentryServiceClient client = new SentryServiceClient();
352  try {
353  return Lists.newArrayList(client.get().listAllPrivilegesByRoleName(
354  requestingUser.getShortName(), roleName));
355  } catch (SentryAccessDeniedException e) {
356  throw new AuthorizationException(String.format(ACCESS_DENIED_ERROR_MSG,
357  requestingUser.getName(), "LIST_ROLE_PRIVILEGES"));
358  } catch (SentryUserException e) {
359  throw new InternalException("Error making 'listAllPrivilegesByRoleName' RPC to " +
360  "Sentry Service: ", e);
361  } finally {
362  client.close();
363  }
364  }
365 
369  public static TPrivilege sentryPrivilegeToTPrivilege(TSentryPrivilege sentryPriv) {
370  TPrivilege privilege = new TPrivilege();
371  privilege.setServer_name(sentryPriv.getServerName());
372  if (sentryPriv.isSetDbName()) privilege.setDb_name(sentryPriv.getDbName());
373  if (sentryPriv.isSetTableName()) privilege.setTable_name(sentryPriv.getTableName());
374  if (sentryPriv.isSetURI()) privilege.setUri(sentryPriv.getURI());
375  privilege.setScope(Enum.valueOf(TPrivilegeScope.class,
376  sentryPriv.getPrivilegeScope().toUpperCase()));
377  if (sentryPriv.getAction().equals("*")) {
378  privilege.setPrivilege_level(TPrivilegeLevel.ALL);
379  } else {
380  privilege.setPrivilege_level(Enum.valueOf(TPrivilegeLevel.class,
381  sentryPriv.getAction().toUpperCase()));
382  }
383  privilege.setPrivilege_name(RolePrivilege.buildRolePrivilegeName(privilege));
384  privilege.setCreate_time_ms(sentryPriv.getCreateTime());
385  if (sentryPriv.isSetGrantOption() &&
386  sentryPriv.getGrantOption() == TSentryGrantOption.TRUE) {
387  privilege.setHas_grant_opt(true);
388  } else {
389  privilege.setHas_grant_opt(false);
390  }
391  return privilege;
392  }
393 }
com.cloudera.impala.util.SentryPolicyService.sentryPrivilegeToTPrivilege
static TPrivilege sentryPrivilegeToTPrivilege(TSentryPrivilege sentryPriv)
Definition: SentryPolicyService.java:369
com.cloudera.impala.util.SentryPolicyService.dropRole
void dropRole(User requestingUser, String roleName, boolean ifExists)
Definition: SentryPolicyService.java:105
com.cloudera.impala.util.SentryPolicyService.listUserRoles
List< TSentryRole > listUserRoles(User requestingUser)
Definition: SentryPolicyService.java:312
impala_udf::ALL
Definition: uda-test-harness.h:33
com.cloudera.impala.util.SentryPolicyService.grantRoleToGroup
void grantRoleToGroup(User requestingUser, String roleName, String groupName)
Definition: SentryPolicyService.java:162
com.cloudera.impala.util.SentryPolicyService.listAllRoles
List< TSentryRole > listAllRoles(User requestingUser)
Definition: SentryPolicyService.java:332
com.cloudera.impala.util.SentryPolicyService.listRolePrivileges
List< TSentryPrivilege > listRolePrivileges(User requestingUser, String roleName)
Definition: SentryPolicyService.java:349
com.cloudera.impala.util.SentryPolicyService.revokeRoleFromGroup
void revokeRoleFromGroup(User requestingUser, String roleName, String groupName)
Definition: SentryPolicyService.java:189
com.cloudera.impala.util.SentryPolicyService.revokeRolePrivilege
void revokeRolePrivilege(User requestingUser, String roleName, TPrivilege privilege)
Definition: SentryPolicyService.java:267
com.cloudera.impala.util.SentryPolicyService.grantRolePrivilege
void grantRolePrivilege(User requestingUser, String roleName, TPrivilege privilege)
Definition: SentryPolicyService.java:216
com.cloudera.impala.util.SentryPolicyService.createRole
void createRole(User requestingUser, String roleName, boolean ifNotExists)
Definition: SentryPolicyService.java:134