Impala
Impala is the open source, native analytic database for Apache Hadoop.
com.cloudera.impala.util.SentryProxy Class Reference

Classes

class  PolicyReader
 

Public Member Functions

 SentryProxy (SentryConfig sentryConfig, CatalogServiceCatalog catalog)
 
void checkUserSentryAdmin (User requestingUser) throws AuthorizationException
 
synchronized Role createRole (User user, String roleName) throws ImpalaException
 
synchronized Role dropRole (User user, String roleName) throws ImpalaException
 
synchronized Role grantRoleGroup (User user, String roleName, String groupName) throws ImpalaException
 
synchronized Role revokeRoleGroup (User user, String roleName, String groupName) throws ImpalaException
 
synchronized RolePrivilege grantRolePrivilege (User user, String roleName, TPrivilege privilege) throws ImpalaException
 
synchronized RolePrivilege revokeRolePrivilege (User user, String roleName, TPrivilege privilege) throws ImpalaException
 
void refresh () throws ImpalaRuntimeException
 

Private Attributes

final ScheduledExecutorService policyReader_
 
final CatalogServiceCatalog catalog_
 
final SentryPolicyService sentryPolicyService_
 
final User processUser_ = new User(System.getProperty("user.name"))
 

Static Private Attributes

static final Logger LOG = Logger.getLogger(SentryProxy.class)
 

Detailed Description

Thread safe class that acts as a link between the Sentry Service and the Catalog to ensure both places are updated consistently. More specifically, this class synchronizes updates to the Sentry Service and the Impala catalog to ensure they are applied atomically (in Impala's view) and only if reading/writing the policy via the Sentry Service succeeds. Note that there may be external updates to the Sentry Service that cannot be protected against. It also periodically refreshes the authorization policy metadata and updates the catalog with any changes. Because any catalog updates need to be synchronized with updates from GRANT/REVOKE statements, it makes sense for this class to synchronize all modifications.

Definition at line 52 of file SentryProxy.java.
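
The update ordering described above (remote policy write first, local catalog update only if it succeeds, both under one lock), as an added Java example that is not code from SentryProxy.java. `PolicyService`, `catalogRoles`, `hasRole` and the placement of the duplicate check before the RPC are assumptions made for illustration, not the Sentry or Impala API.

```java
import java.util.HashMap;
import java.util.Map;

public class PolicySyncExample {
    /** Hypothetical stand-in for the remote policy service; not the Sentry API. */
    interface PolicyService {
        void createRole(String user, String roleName) throws Exception;
        void dropRole(String user, String roleName) throws Exception;
    }

    // Hypothetical local role table standing in for the catalog (role -> creator).
    private final Map<String, String> catalogRoles = new HashMap<>();
    private final PolicyService service;

    PolicySyncExample(PolicyService service) { this.service = service; }

    // The method lock covers the check, the RPC and the local update, so no
    // other synchronized modification can interleave between them.
    synchronized String createRole(String user, String roleName) throws Exception {
        if (catalogRoles.containsKey(roleName)) {
            throw new IllegalStateException("Role already exists: " + roleName);
        }
        service.createRole(user, roleName); // remote write first; throws on failure
        catalogRoles.put(roleName, user);   // reached only if the RPC succeeded
        return roleName;
    }

    // Returns the removed role name, or null if the local table did not have it.
    synchronized String dropRole(String user, String roleName) throws Exception {
        service.dropRole(user, roleName);
        return catalogRoles.remove(roleName) == null ? null : roleName;
    }

    synchronized boolean hasRole(String roleName) { return catalogRoles.containsKey(roleName); }

    public static void main(String[] args) throws Exception {
        // Constructed service that rejects one role name to simulate a failed RPC.
        PolicyService flaky = new PolicyService() {
            public void createRole(String u, String r) throws Exception {
                if (r.equals("bad_role")) throw new Exception("RPC failed");
            }
            public void dropRole(String u, String r) { }
        };
        PolicySyncExample proxy = new PolicySyncExample(flaky);
        proxy.createRole("admin", "analyst");
        try { proxy.createRole("admin", "bad_role"); } catch (Exception e) { /* expected */ }
        System.out.println(proxy.hasRole("analyst") + " " + proxy.hasRole("bad_role"));
    }
}
```

The lock only orders modifications made through this class; a role created directly against the remote service stays invisible locally until the next policy refresh, which is the external-update gap the description calls out.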

Constructor & Destructor Documentation

com.cloudera.impala.util.SentryProxy.SentryProxy ( SentryConfig  sentryConfig,
CatalogServiceCatalog  catalog 
)
inline

Member Function Documentation

void com.cloudera.impala.util.SentryProxy.checkUserSentryAdmin ( User  requestingUser) throws AuthorizationException
inline

Checks whether this user is an admin on the Sentry Service. Throws an AuthorizationException if the user does not have admin privileges or if there are any issues communicating with the Sentry Service.

Parameters
requestingUser - The requesting user.

Definition at line 174 of file SentryProxy.java.

synchronized Role com.cloudera.impala.util.SentryProxy.createRole ( User  user,
String  roleName 
) throws ImpalaException
inline

Creates a new role using the Sentry Service and updates the Impala catalog. If the RPC to the Sentry Service fails, the Impala catalog will not be modified. Returns the new Role. Throws an exception if there was any error updating the Sentry Service or if a role with the same name already exists in the catalog. This includes the case where a role was added externally (e.g. via Hive). If the role was added externally, Impala will load it during the next refresh of the policy. TODO: Consider adding the role to the policy if we find it was created externally.

Definition at line 200 of file SentryProxy.java.

References com.cloudera.impala.util.SentryProxy.catalog_, and com.cloudera.impala.catalog.CatalogServiceCatalog.getAuthPolicy().

synchronized Role com.cloudera.impala.util.SentryProxy.dropRole ( User  user,
String  roleName 
) throws ImpalaException
inline

Drops the given role using the Sentry Service and updates the Impala catalog. If the RPC to the Sentry Service fails the Impala catalog will not be modified. Returns the removed Role or null if the role did not exist in the Catalog. Throws exception if there was any error updating the Sentry Service.

Definition at line 219 of file SentryProxy.java.

synchronized Role com.cloudera.impala.util.SentryProxy.grantRoleGroup ( User  user,
String  roleName,
String  groupName 
) throws ImpalaException
inline

Removes the role grant group using the Sentry Service and updates the Impala catalog. If the RPC to the Sentry Service fails the Impala catalog will not be modified. Returns the updated Role. Throws exception if there was any error updating the Sentry Service or if the Impala catalog does not contain the given role name.

Definition at line 231 of file SentryProxy.java.

synchronized RolePrivilege com.cloudera.impala.util.SentryProxy.grantRolePrivilege ( User  user,
String  roleName,
TPrivilege  privilege 
) throws ImpalaException
inline

Grants the privileges on a role using the Sentry Service and updates the Impala catalog. If the RPC to the Sentry Service fails the Impala catalog will not be modified. Returns the new privilege. Throws exception if there was any error updating the Sentry Service or if the Impala catalog does not contain the given role name.

Definition at line 257 of file SentryProxy.java.

void com.cloudera.impala.util.SentryProxy.refresh ( ) throws ImpalaRuntimeException
inline

Performs a synchronous refresh of all authorization policy metadata and updates the Catalog with any changes. Throws an ImpalaRuntimeException if there are any errors executing the refresh job.

Definition at line 300 of file SentryProxy.java.

synchronized Role com.cloudera.impala.util.SentryProxy.revokeRoleGroup ( User  user,
String  roleName,
String  groupName 
) throws ImpalaException
inline

Removes the role grant group using the Sentry Service and updates the Impala catalog. If the RPC to the Sentry Service fails the Impala catalog will not be modified. Returns the updated Role. Throws exception if there was any error updating the Sentry Service or if the Impala catalog does not contain the given role name.

Definition at line 244 of file SentryProxy.java.

synchronized RolePrivilege com.cloudera.impala.util.SentryProxy.revokeRolePrivilege ( User  user,
String  roleName,
TPrivilege  privilege 
) throws ImpalaException
inline

Revokes a privilege on a role using the Sentry Service and updates the Impala catalog. If the RPC to the Sentry Service fails, the Impala catalog will not be modified. Returns the removed privilege, or null if the privilege did not exist. Throws an exception if there was any error updating the Sentry Service or if the Impala catalog does not contain the given role name.

Definition at line 271 of file SentryProxy.java.

References com.cloudera.impala.catalog.RolePrivilege.toThrift().

Member Data Documentation

final CatalogServiceCatalog com.cloudera.impala.util.SentryProxy.catalog_
private
final Logger com.cloudera.impala.util.SentryProxy.LOG = Logger.getLogger(SentryProxy.class)
static private

Definition at line 53 of file SentryProxy.java.

final ScheduledExecutorService com.cloudera.impala.util.SentryProxy.policyReader_
private
Initial value: = Executors.newScheduledThreadPool(1)

Definition at line 57 of file SentryProxy.java.

final User com.cloudera.impala.util.SentryProxy.processUser_ = new User(System.getProperty("user.name"))
private
final SentryPolicyService com.cloudera.impala.util.SentryProxy.sentryPolicyService_
private

The documentation for this class was generated from the following file: