<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.8.6"/>
<!-- Document head of the Doxygen-generated source listing for SentryProxy.java. It declares the
     encoding, loads the Doxygen stylesheets and scripts from paths relative to this page, and
     calls initResizable, resizeHeight and searchBox.OnSelectItem(0) once the page is ready.
     Hosting note: the two inline script blocks below only run if the page's
     Content-Security-Policy permits inline script. Under a script-src without 'unsafe-inline'
     (or a matching nonce or hash) the resize and search initialisation would be blocked. -->
<title>Impala: fe/src/main/java/com/cloudera/impala/util/SentryProxy.java Source File</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<link href="navtree.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="resize.js"></script>
<script type="text/javascript" src="navtree.js"></script>
<script type="text/javascript">
$(document).ready(initResizable);
$(window).load(resizeHeight);
</script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/search.js"></script>
<script type="text/javascript">
$(document).ready(function() { searchBox.OnSelectItem(0); });
</script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
<tbody>
<tr style="height: 56px;">
<td style="padding-left: 0.5em;">
<div id="projectname">Impala
</div>
<div id="projectbrief">Impala is the open source, native analytic database for Apache Hadoop.</div>
</td>
</tr>
</tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.8.6 -->
<script type="text/javascript">
var searchBox = new SearchBox("searchBox", "search",false,'Search');
</script>
<div id="navrow1" class="tabs">
<ul class="tablist">
<li><a href="index.html"><span>Main&#160;Page</span></a></li>
<li><a href="namespaces.html"><span>Namespaces</span></a></li>
<li><a href="annotated.html"><span>Classes</span></a></li>
<li class="current"><a href="files.html"><span>Files</span></a></li>
<li>
<div id="MSearchBox" class="MSearchBoxInactive">
<span class="left">
<img id="MSearchSelect" src="search/mag_sel.png"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
alt=""/>
<input type="text" id="MSearchField" value="Search" accesskey="S"
onfocus="searchBox.OnSearchFieldFocus(true)"
onblur="searchBox.OnSearchFieldFocus(false)"
onkeyup="searchBox.OnSearchFieldChange(event)"/>
</span><span class="right">
<a id="MSearchClose" href="javascript:searchBox.CloseResultsWindow()"><img id="MSearchCloseImg" border="0" src="search/close.png" alt=""/></a>
</span>
</div>
</li>
</ul>
</div>
<div id="navrow2" class="tabs2">
<ul class="tablist">
<li><a href="files.html"><span>File&#160;List</span></a></li>
<li><a href="globals.html"><span>File&#160;Members</span></a></li>
</ul>
</div>
</div><!-- top -->
<div id="side-nav" class="ui-resizable side-nav-resizable">
<div id="nav-tree">
<div id="nav-tree-contents">
<div id="nav-sync" class="sync"></div>
</div>
</div>
<div id="splitbar" style="-moz-user-select:none;"
class="ui-resizable-handle">
</div>
</div>
<script type="text/javascript">
$(document).ready(function(){initNavTree('SentryProxy_8java_source.html','');});
</script>
<div id="doc-content">
<!-- window showing the filter options -->
<div id="MSearchSelectWindow"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
onkeydown="return searchBox.OnSearchSelectKey(event)">
<a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(0)"><span class="SelectionMark">&#160;</span>All</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(1)"><span class="SelectionMark">&#160;</span>Classes</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(2)"><span class="SelectionMark">&#160;</span>Namespaces</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(3)"><span class="SelectionMark">&#160;</span>Files</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(4)"><span class="SelectionMark">&#160;</span>Functions</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(5)"><span class="SelectionMark">&#160;</span>Variables</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(6)"><span class="SelectionMark">&#160;</span>Typedefs</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(7)"><span class="SelectionMark">&#160;</span>Enumerations</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(8)"><span class="SelectionMark">&#160;</span>Enumerator</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(9)"><span class="SelectionMark">&#160;</span>Friends</a><a class="SelectItem" href="javascript:void(0)" onclick="searchBox.OnSelectItem(10)"><span class="SelectionMark">&#160;</span>Macros</a></div>
<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0"
name="MSearchResults" id="MSearchResults">
</iframe>
</div>
<div class="header">
<div class="headertitle">
<div class="title">SentryProxy.java</div> </div>
</div><!--header-->
<div class="contents">
<a href="SentryProxy_8java.html">Go to the documentation of this file.</a><div class="fragment"><div class="line"><a name="l00001"></a><span class="lineno"> 1</span>&#160;<span class="comment">// Copyright 2014 Cloudera Inc.</span></div>
<div class="line"><a name="l00002"></a><span class="lineno"> 2</span>&#160;<span class="comment">//</span></div>
<div class="line"><a name="l00003"></a><span class="lineno"> 3</span>&#160;<span class="comment">// Licensed under the Apache License, Version 2.0 (the &quot;License&quot;);</span></div>
<div class="line"><a name="l00004"></a><span class="lineno"> 4</span>&#160;<span class="comment">// you may not use this file except in compliance with the License.</span></div>
<div class="line"><a name="l00005"></a><span class="lineno"> 5</span>&#160;<span class="comment">// You may obtain a copy of the License at</span></div>
<div class="line"><a name="l00006"></a><span class="lineno"> 6</span>&#160;<span class="comment">//</span></div>
<div class="line"><a name="l00007"></a><span class="lineno"> 7</span>&#160;<span class="comment">// http://www.apache.org/licenses/LICENSE-2.0</span></div>
<div class="line"><a name="l00008"></a><span class="lineno"> 8</span>&#160;<span class="comment">//</span></div>
<div class="line"><a name="l00009"></a><span class="lineno"> 9</span>&#160;<span class="comment">// Unless required by applicable law or agreed to in writing, software</span></div>
<div class="line"><a name="l00010"></a><span class="lineno"> 10</span>&#160;<span class="comment">// distributed under the License is distributed on an &quot;AS IS&quot; BASIS,</span></div>
<div class="line"><a name="l00011"></a><span class="lineno"> 11</span>&#160;<span class="comment">// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span></div>
<div class="line"><a name="l00012"></a><span class="lineno"> 12</span>&#160;<span class="comment">// See the License for the specific language governing permissions and</span></div>
<div class="line"><a name="l00013"></a><span class="lineno"> 13</span>&#160;<span class="comment">// limitations under the License.</span></div>
<div class="line"><a name="l00014"></a><span class="lineno"> 14</span>&#160;</div>
<div class="line"><a name="l00015"></a><span class="lineno"> 15</span>&#160;<span class="keyword">package </span>com.cloudera.impala.util;</div>
<div class="line"><a name="l00016"></a><span class="lineno"> 16</span>&#160;</div>
<div class="line"><a name="l00017"></a><span class="lineno"> 17</span>&#160;<span class="keyword">import</span> java.util.Set;</div>
<div class="line"><a name="l00018"></a><span class="lineno"> 18</span>&#160;<span class="keyword">import</span> java.util.concurrent.Executors;</div>
<div class="line"><a name="l00019"></a><span class="lineno"> 19</span>&#160;<span class="keyword">import</span> java.util.concurrent.ScheduledExecutorService;</div>
<div class="line"><a name="l00020"></a><span class="lineno"> 20</span>&#160;<span class="keyword">import</span> java.util.concurrent.TimeUnit;</div>
<div class="line"><a name="l00021"></a><span class="lineno"> 21</span>&#160;</div>
<div class="line"><a name="l00022"></a><span class="lineno"> 22</span>&#160;<span class="keyword">import</span> org.apache.log4j.Logger;</div>
<div class="line"><a name="l00023"></a><span class="lineno"> 23</span>&#160;<span class="keyword">import</span> org.apache.sentry.provider.db.service.thrift.TSentryGroup;</div>
<div class="line"><a name="l00024"></a><span class="lineno"> 24</span>&#160;<span class="keyword">import</span> org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;</div>
<div class="line"><a name="l00025"></a><span class="lineno"> 25</span>&#160;<span class="keyword">import</span> org.apache.sentry.provider.db.service.thrift.TSentryRole;</div>
<div class="line"><a name="l00026"></a><span class="lineno"> 26</span>&#160;</div>
<div class="line"><a name="l00027"></a><span class="lineno"> 27</span>&#160;<span class="keyword">import</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1SentryConfig.html">com.cloudera.impala.authorization.SentryConfig</a>;</div>
<div class="line"><a name="l00028"></a><span class="lineno"> 28</span>&#160;<span class="keyword">import</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1User.html">com.cloudera.impala.authorization.User</a>;</div>
<div class="line"><a name="l00029"></a><span class="lineno"> 29</span>&#160;<span class="keyword">import</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1AuthorizationException.html">com.cloudera.impala.catalog.AuthorizationException</a>;</div>
<div class="line"><a name="l00030"></a><span class="lineno"> 30</span>&#160;<span class="keyword">import</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1CatalogException.html">com.cloudera.impala.catalog.CatalogException</a>;</div>
<div class="line"><a name="l00031"></a><span class="lineno"> 31</span>&#160;<span class="keyword">import</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1CatalogServiceCatalog.html">com.cloudera.impala.catalog.CatalogServiceCatalog</a>;</div>
<div class="line"><a name="l00032"></a><span class="lineno"> 32</span>&#160;<span class="keyword">import</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1Role.html">com.cloudera.impala.catalog.Role</a>;</div>
<div class="line"><a name="l00033"></a><span class="lineno"> 33</span>&#160;<span class="keyword">import</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1RolePrivilege.html">com.cloudera.impala.catalog.RolePrivilege</a>;</div>
<div class="line"><a name="l00034"></a><span class="lineno"> 34</span>&#160;<span class="keyword">import</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1common_1_1ImpalaException.html">com.cloudera.impala.common.ImpalaException</a>;</div>
<div class="line"><a name="l00035"></a><span class="lineno"> 35</span>&#160;<span class="keyword">import</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1common_1_1ImpalaRuntimeException.html">com.cloudera.impala.common.ImpalaRuntimeException</a>;</div>
<div class="line"><a name="l00036"></a><span class="lineno"> 36</span>&#160;<span class="keyword">import</span> com.cloudera.impala.thrift.TPrivilege;</div>
<div class="line"><a name="l00037"></a><span class="lineno"> 37</span>&#160;<span class="keyword">import</span> com.google.common.base.Preconditions;</div>
<div class="line"><a name="l00038"></a><span class="lineno"> 38</span>&#160;<span class="keyword">import</span> com.google.common.collect.Sets;</div>
<div class="line"><a name="l00039"></a><span class="lineno"> 39</span>&#160;</div>
<div class="line"><a name="l00052"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html"> 52</a></span>&#160;<span class="keyword">public</span> <span class="keyword">class </span><a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html">SentryProxy</a> {</div>
<div class="line"><a name="l00053"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a20d6fd3e598e510f5a0d2164af7e5777"> 53</a></span>&#160; <span class="keyword">private</span> <span class="keyword">static</span> <span class="keyword">final</span> Logger <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a20d6fd3e598e510f5a0d2164af7e5777">LOG</a> = Logger.getLogger(SentryProxy.class);</div>
<div class="line"><a name="l00054"></a><span class="lineno"> 54</span>&#160;</div>
<div class="line"><a name="l00055"></a><span class="lineno"> 55</span>&#160; <span class="comment">// Used to periodically poll the Sentry service and updates the catalog with any</span></div>
<div class="line"><a name="l00056"></a><span class="lineno"> 56</span>&#160; <span class="comment">// changes.</span></div>
<div class="line"><a name="l00057"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a1c9d14a7a9369663eeecd6edd273a4ea"> 57</a></span>&#160; <span class="keyword">private</span> <span class="keyword">final</span> ScheduledExecutorService <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a1c9d14a7a9369663eeecd6edd273a4ea">policyReader_</a> =</div>
<div class="line"><a name="l00058"></a><span class="lineno"> 58</span>&#160; Executors.newScheduledThreadPool(1);</div>
<div class="line"><a name="l00059"></a><span class="lineno"> 59</span>&#160;</div>
<div class="line"><a name="l00060"></a><span class="lineno"> 60</span>&#160; <span class="comment">// The Catalog the SentryPolicyUpdater is associated with.</span></div>
<div class="line"><a name="l00061"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a7917e37560bd150b2bb597605e170197"> 61</a></span>&#160; <span class="keyword">private</span> <span class="keyword">final</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1CatalogServiceCatalog.html">CatalogServiceCatalog</a> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a7917e37560bd150b2bb597605e170197">catalog_</a>;</div>
<div class="line"><a name="l00062"></a><span class="lineno"> 62</span>&#160;</div>
<div class="line"><a name="l00063"></a><span class="lineno"> 63</span>&#160; <span class="comment">// The interface to access the Sentry Policy Service to read policy metadata.</span></div>
<div class="line"><a name="l00064"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#adf81571eea1731f09950deffae0b9c25"> 64</a></span>&#160; <span class="keyword">private</span> <span class="keyword">final</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryPolicyService.html">SentryPolicyService</a> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#adf81571eea1731f09950deffae0b9c25">sentryPolicyService_</a>;</div>
<div class="line"><a name="l00065"></a><span class="lineno"> 65</span>&#160;</div>
<!-- Review note: processUser_ is built from the JVM system property user.name, which is whatever
     the process reports (it can be set with -Duser.name at launch) rather than an authenticated
     principal. The polling RPCs in PolicyReader.run() pass this user to listAllRoles and
     listRolePrivileges. How SentryPolicyService authenticates the caller is not shown in this
     listing; confirm that the service account is pinned by deployment configuration and that
     its Sentry admin rights are granted deliberately. -->
<div class="line"><a name="l00066"></a><span class="lineno"> 66</span>&#160; <span class="comment">// This is user that the Catalog Service is running as. This user should always be a</span></div>
<div class="line"><a name="l00067"></a><span class="lineno"> 67</span>&#160; <span class="comment">// Sentry Service admin =&gt; have full rights to read/update the Sentry Service.</span></div>
<div class="line"><a name="l00068"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#aeac61757d371d489ab58f2a71eb195e6"> 68</a></span>&#160; <span class="keyword">private</span> <span class="keyword">final</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1User.html">User</a> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#aeac61757d371d489ab58f2a71eb195e6">processUser_</a> = <span class="keyword">new</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1User.html">User</a>(System.getProperty(<span class="stringliteral">&quot;user.name&quot;</span>));</div>
<div class="line"><a name="l00069"></a><span class="lineno"> 69</span>&#160;</div>
<!-- Review note: the constructor null-checks both arguments, builds the SentryPolicyService and
     schedules PolicyReader with initial delay 0 and a fixed 60 second period; the TODO below
     records that the period is not configurable. Two consequences for operators:
     (1) a role or privilege revoked in Sentry can stay effective in the catalog for up to one
     polling period, and longer if a poll fails;
     (2) scheduleAtFixedRate suppresses all later runs once one run throws, and the
     ScheduledFuture returned here is discarded, so an exception escaping PolicyReader.run()
     would stop policy refresh with no signal from this class. -->
<div class="line"><a name="l00070"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a8a4af78ab335a1184781c2144fd3b0bc"> 70</a></span>&#160; <span class="keyword">public</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a8a4af78ab335a1184781c2144fd3b0bc">SentryProxy</a>(<a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1SentryConfig.html">SentryConfig</a> sentryConfig, <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1CatalogServiceCatalog.html">CatalogServiceCatalog</a> catalog) {</div>
<div class="line"><a name="l00071"></a><span class="lineno"> 71</span>&#160; Preconditions.checkNotNull(catalog);</div>
<div class="line"><a name="l00072"></a><span class="lineno"> 72</span>&#160; Preconditions.checkNotNull(sentryConfig);</div>
<div class="line"><a name="l00073"></a><span class="lineno"> 73</span>&#160; <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a7917e37560bd150b2bb597605e170197">catalog_</a> = catalog;</div>
<div class="line"><a name="l00074"></a><span class="lineno"> 74</span>&#160; <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#adf81571eea1731f09950deffae0b9c25">sentryPolicyService_</a> = <span class="keyword">new</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryPolicyService.html">SentryPolicyService</a>(sentryConfig);</div>
<div class="line"><a name="l00075"></a><span class="lineno"> 75</span>&#160; <span class="comment">// Sentry Service is enabled.</span></div>
<div class="line"><a name="l00076"></a><span class="lineno"> 76</span>&#160; <span class="comment">// TODO: Make this configurable</span></div>
<div class="line"><a name="l00077"></a><span class="lineno"> 77</span>&#160; policyReader_.scheduleAtFixedRate(<span class="keyword">new</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy_1_1PolicyReader.html">PolicyReader</a>(), 0, 60,</div>
<div class="line"><a name="l00078"></a><span class="lineno"> 78</span>&#160; TimeUnit.SECONDS);</div>
<div class="line"><a name="l00079"></a><span class="lineno"> 79</span>&#160; }</div>
<div class="line"><a name="l00080"></a><span class="lineno"> 80</span>&#160;</div>
<div class="line"><a name="l00095"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy_1_1PolicyReader.html"> 95</a></span>&#160; <span class="keyword">private</span> <span class="keyword">class </span><a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy_1_1PolicyReader.html">PolicyReader</a> <span class="keyword">implements</span> <a class="code" href="classRunnable.html">Runnable</a> {</div>
<div class="line"><a name="l00096"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy_1_1PolicyReader.html#ae8f32b880defda46427b07162a734499"> 96</a></span>&#160; <span class="keyword">public</span> <span class="keywordtype">void</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy_1_1PolicyReader.html#ae8f32b880defda46427b07162a734499">run</a>() {</div>
<div class="line"><a name="l00097"></a><span class="lineno"> 97</span>&#160; <span class="keyword">synchronized</span> (SentryProxy.this) {</div>
<div class="line"><a name="l00098"></a><span class="lineno"> 98</span>&#160; <span class="comment">// Assume all roles should be removed. Then query the Policy Service and remove</span></div>
<div class="line"><a name="l00099"></a><span class="lineno"> 99</span>&#160; <span class="comment">// roles from this set that actually exist.</span></div>
<div class="line"><a name="l00100"></a><span class="lineno"> 100</span>&#160; Set&lt;String&gt; rolesToRemove = catalog_.getAuthPolicy().getAllRoleNames();</div>
<div class="line"><a name="l00101"></a><span class="lineno"> 101</span>&#160; <span class="keywordflow">try</span> {</div>
<div class="line"><a name="l00102"></a><span class="lineno"> 102</span>&#160; <span class="comment">// Read the full policy, adding new/modified roles to &quot;updatedRoles&quot;.</span></div>
<div class="line"><a name="l00103"></a><span class="lineno"> 103</span>&#160; <span class="keywordflow">for</span> (TSentryRole sentryRole:</div>
<div class="line"><a name="l00104"></a><span class="lineno"> 104</span>&#160; <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#adf81571eea1731f09950deffae0b9c25">sentryPolicyService_</a>.<a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryPolicyService.html#a7db607c32570b618330de6e8917a2f2e">listAllRoles</a>(<a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#aeac61757d371d489ab58f2a71eb195e6">processUser_</a>)) {</div>
<!-- Review note: matching against rolesToRemove depends on String.toLowerCase() with the JVM
     default locale. Under a locale with special casing rules (for example Turkish dotless i)
     the lowered name may not equal the name held in the catalog; the role would then stay in
     rolesToRemove and be dropped from the catalog by the removal loop at the end of run().
     toLowerCase(Locale.ROOT) would make the comparison locale independent. Presumably
     getAllRoleNames() returns lower-cased names in a mutable copy rather than the live set;
     confirm against the getAuthPolicy() implementation. -->
<div class="line"><a name="l00105"></a><span class="lineno"> 105</span>&#160; <span class="comment">// This role exists and should not be removed, delete it from the</span></div>
<div class="line"><a name="l00106"></a><span class="lineno"> 106</span>&#160; <span class="comment">// rolesToRemove set.</span></div>
<div class="line"><a name="l00107"></a><span class="lineno"> 107</span>&#160; rolesToRemove.remove(sentryRole.getRoleName().toLowerCase());</div>
<div class="line"><a name="l00108"></a><span class="lineno"> 108</span>&#160;</div>
<div class="line"><a name="l00109"></a><span class="lineno"> 109</span>&#160; Set&lt;String&gt; grantGroups = Sets.newHashSet();</div>
<div class="line"><a name="l00110"></a><span class="lineno"> 110</span>&#160; <span class="keywordflow">for</span> (TSentryGroup group: sentryRole.getGroups()) {</div>
<div class="line"><a name="l00111"></a><span class="lineno"> 111</span>&#160; grantGroups.add(group.getGroupName());</div>
<div class="line"><a name="l00112"></a><span class="lineno"> 112</span>&#160; }</div>
<div class="line"><a name="l00113"></a><span class="lineno"> 113</span>&#160; <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1Role.html">Role</a> existingRole =</div>
<div class="line"><a name="l00114"></a><span class="lineno"> 114</span>&#160; catalog_.getAuthPolicy().getRole(sentryRole.getRoleName());</div>
<div class="line"><a name="l00115"></a><span class="lineno"> 115</span>&#160; <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1Role.html">Role</a> role;</div>
<div class="line"><a name="l00116"></a><span class="lineno"> 116</span>&#160; <span class="comment">// These roles are the same, use the current role.</span></div>
<div class="line"><a name="l00117"></a><span class="lineno"> 117</span>&#160; <span class="keywordflow">if</span> (existingRole != null &amp;&amp;</div>
<div class="line"><a name="l00118"></a><span class="lineno"> 118</span>&#160; existingRole.<a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1Role.html#ab21b41c9a467f3b3ae751ce84db98981">getGrantGroups</a>().equals(grantGroups)) {</div>
<div class="line"><a name="l00119"></a><span class="lineno"> 119</span>&#160; role = existingRole;</div>
<div class="line"><a name="l00120"></a><span class="lineno"> 120</span>&#160; } <span class="keywordflow">else</span> {</div>
<div class="line"><a name="l00121"></a><span class="lineno"> 121</span>&#160; role = catalog_.addRole(sentryRole.getRoleName(), grantGroups);</div>
<div class="line"><a name="l00122"></a><span class="lineno"> 122</span>&#160; }</div>
<div class="line"><a name="l00123"></a><span class="lineno"> 123</span>&#160;</div>
<div class="line"><a name="l00124"></a><span class="lineno"> 124</span>&#160; <span class="comment">// Assume all privileges should be removed. Privileges that still exist are</span></div>
<div class="line"><a name="l00125"></a><span class="lineno"> 125</span>&#160; <span class="comment">// deleted from this set and we are left with the set of privileges that need</span></div>
<div class="line"><a name="l00126"></a><span class="lineno"> 126</span>&#160; <span class="comment">// to be removed.</span></div>
<div class="line"><a name="l00127"></a><span class="lineno"> 127</span>&#160; Set&lt;String&gt; privilegesToRemove = role.getPrivilegeNames();</div>
<div class="line"><a name="l00128"></a><span class="lineno"> 128</span>&#160;</div>
<div class="line"><a name="l00129"></a><span class="lineno"> 129</span>&#160; <span class="comment">// Check all the privileges that are part of this role.</span></div>
<div class="line"><a name="l00130"></a><span class="lineno"> 130</span>&#160; <span class="keywordflow">for</span> (TSentryPrivilege sentryPriv:</div>
<div class="line"><a name="l00131"></a><span class="lineno"> 131</span>&#160; <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#adf81571eea1731f09950deffae0b9c25">sentryPolicyService_</a>.<a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryPolicyService.html#ab2d8bf7fd3deb408309ecd27b6e7cc34">listRolePrivileges</a>(<a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#aeac61757d371d489ab58f2a71eb195e6">processUser_</a>, role.<a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1User.html#a973cec0d33eca38e7004f3225fafef2c">getName</a>())) {</div>
<div class="line"><a name="l00132"></a><span class="lineno"> 132</span>&#160; TPrivilege thriftPriv =</div>
<div class="line"><a name="l00133"></a><span class="lineno"> 133</span>&#160; SentryPolicyService.sentryPrivilegeToTPrivilege(sentryPriv);</div>
<div class="line"><a name="l00134"></a><span class="lineno"> 134</span>&#160; thriftPriv.setRole_id(role.getId());</div>
<div class="line"><a name="l00135"></a><span class="lineno"> 135</span>&#160; privilegesToRemove.remove(thriftPriv.getPrivilege_name().toLowerCase());</div>
<div class="line"><a name="l00136"></a><span class="lineno"> 136</span>&#160;</div>
<div class="line"><a name="l00137"></a><span class="lineno"> 137</span>&#160; <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1RolePrivilege.html">RolePrivilege</a> existingPriv =</div>
<div class="line"><a name="l00138"></a><span class="lineno"> 138</span>&#160; role.getPrivilege(thriftPriv.getPrivilege_name());</div>
<div class="line"><a name="l00139"></a><span class="lineno"> 139</span>&#160; <span class="comment">// We already know about this privilege (privileges cannot be modified).</span></div>
<div class="line"><a name="l00140"></a><span class="lineno"> 140</span>&#160; <span class="keywordflow">if</span> (existingPriv != null &amp;&amp;</div>
<div class="line"><a name="l00141"></a><span class="lineno"> 141</span>&#160; existingPriv.getCreateTimeMs() == sentryPriv.getCreateTime()) {</div>
<div class="line"><a name="l00142"></a><span class="lineno"> 142</span>&#160; <span class="keywordflow">continue</span>;</div>
<div class="line"><a name="l00143"></a><span class="lineno"> 143</span>&#160; }</div>
<div class="line"><a name="l00144"></a><span class="lineno"> 144</span>&#160; catalog_.addRolePrivilege(role.getName(), thriftPriv);</div>
<div class="line"><a name="l00145"></a><span class="lineno"> 145</span>&#160; }</div>
<div class="line"><a name="l00146"></a><span class="lineno"> 146</span>&#160;</div>
<div class="line"><a name="l00147"></a><span class="lineno"> 147</span>&#160; <span class="comment">// Remove the privileges that no longer exist.</span></div>
<div class="line"><a name="l00148"></a><span class="lineno"> 148</span>&#160; <span class="keywordflow">for</span> (String privilegeName: privilegesToRemove) {</div>
<div class="line"><a name="l00149"></a><span class="lineno"> 149</span>&#160; TPrivilege privilege = <span class="keyword">new</span> TPrivilege();</div>
<div class="line"><a name="l00150"></a><span class="lineno"> 150</span>&#160; privilege.setPrivilege_name(privilegeName);</div>
<div class="line"><a name="l00151"></a><span class="lineno"> 151</span>&#160; catalog_.removeRolePrivilege(role.getName(), privilege);</div>
<div class="line"><a name="l00152"></a><span class="lineno"> 152</span>&#160; }</div>
<div class="line"><a name="l00153"></a><span class="lineno"> 153</span>&#160; }</div>
<!-- Review note: any Exception raised while reading the policy is logged and run() returns
     before the role removal loop below. Changes made earlier in the same pass appear to be
     kept (addRole, addRolePrivilege and removeRolePrivilege are called directly on catalog_
     and no rollback is visible in this listing), while roles deleted in Sentry stay in the
     catalog until a later poll succeeds. A Sentry outage therefore leaves the last known
     grants in force; alerting on the "Error refreshing Sentry policy" log line is the way to
     notice it. The getAllRoleNames() call before the try and this removal loop are outside
     the try/catch, so an unchecked exception from either propagates out of run(). -->
<div class="line"><a name="l00154"></a><span class="lineno"> 154</span>&#160; } <span class="keywordflow">catch</span> (Exception e) {</div>
<div class="line"><a name="l00155"></a><span class="lineno"> 155</span>&#160; LOG.error(<span class="stringliteral">&quot;Error refreshing Sentry policy: &quot;</span>, e);</div>
<div class="line"><a name="l00156"></a><span class="lineno"> 156</span>&#160; <span class="keywordflow">return</span>;</div>
<div class="line"><a name="l00157"></a><span class="lineno"> 157</span>&#160; }</div>
<div class="line"><a name="l00158"></a><span class="lineno"> 158</span>&#160;</div>
<div class="line"><a name="l00159"></a><span class="lineno"> 159</span>&#160; <span class="comment">// Remove all the roles, incrementing the catalog version to indicate</span></div>
<div class="line"><a name="l00160"></a><span class="lineno"> 160</span>&#160; <span class="comment">// a change.</span></div>
<div class="line"><a name="l00161"></a><span class="lineno"> 161</span>&#160; <span class="keywordflow">for</span> (String roleName: rolesToRemove) {</div>
<div class="line"><a name="l00162"></a><span class="lineno"> 162</span>&#160; catalog_.removeRole(roleName);</div>
<div class="line"><a name="l00163"></a><span class="lineno"> 163</span>&#160; }</div>
<div class="line"><a name="l00164"></a><span class="lineno"> 164</span>&#160; }</div>
<div class="line"><a name="l00165"></a><span class="lineno"> 165</span>&#160; }</div>
<div class="line"><a name="l00166"></a><span class="lineno"> 166</span>&#160; }</div>
<div class="line"><a name="l00167"></a><span class="lineno"> 167</span>&#160;</div>
<!-- Review note: checkUserSentryAdmin treats a successful listAllRoles(requestingUser) RPC as
     proof that the user may administer Sentry, and turns every ImpalaException into an
     AuthorizationException. That fails closed, but the caught exception is neither logged nor
     attached as a cause, so a Sentry outage and a real denial look the same to operators and
     in audit trails. Logging e at this point (or chaining it, if AuthorizationException has a
     cause constructor; not shown here) keeps the two cases distinguishable. Only
     ImpalaException is caught; other exception types propagate unchanged. -->
<div class="line"><a name="l00174"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#ab3033da3193164faeb497d86ccefac03"> 174</a></span>&#160; <span class="keyword">public</span> <span class="keywordtype">void</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#ab3033da3193164faeb497d86ccefac03">checkUserSentryAdmin</a>(<a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1User.html">User</a> requestingUser)</div>
<div class="line"><a name="l00175"></a><span class="lineno"> 175</span>&#160; <span class="keywordflow">throws</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1AuthorizationException.html">AuthorizationException</a> {</div>
<div class="line"><a name="l00176"></a><span class="lineno"> 176</span>&#160; <span class="comment">// Check if the user has access by issuing a read-only RPC.</span></div>
<div class="line"><a name="l00177"></a><span class="lineno"> 177</span>&#160; <span class="comment">// TODO: This is not an elegant way to verify whether the user has privileges to</span></div>
<div class="line"><a name="l00178"></a><span class="lineno"> 178</span>&#160; <span class="comment">// access Sentry. This should be modified in the future when Sentry has</span></div>
<div class="line"><a name="l00179"></a><span class="lineno"> 179</span>&#160; <span class="comment">// a more robust mechanism to perform these checks.</span></div>
<div class="line"><a name="l00180"></a><span class="lineno"> 180</span>&#160; <span class="keywordflow">try</span> {</div>
<div class="line"><a name="l00181"></a><span class="lineno"> 181</span>&#160; sentryPolicyService_.listAllRoles(requestingUser);</div>
<div class="line"><a name="l00182"></a><span class="lineno"> 182</span>&#160; } <span class="keywordflow">catch</span> (<a class="code" href="classcom_1_1cloudera_1_1impala_1_1common_1_1ImpalaException.html">ImpalaException</a> e) {</div>
<div class="line"><a name="l00183"></a><span class="lineno"> 183</span>&#160; <span class="keywordflow">throw</span> <span class="keyword">new</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1AuthorizationException.html">AuthorizationException</a>(String.format(<span class="stringliteral">&quot;User &#39;%s&#39; does not have &quot;</span> +</div>
<div class="line"><a name="l00184"></a><span class="lineno"> 184</span>&#160; <span class="stringliteral">&quot;privileges to access the requested policy metadata or Sentry Service is &quot;</span> +</div>
<div class="line"><a name="l00185"></a><span class="lineno"> 185</span>&#160; <span class="stringliteral">&quot;unavailable.&quot;</span>, requestingUser.getName()));</div>
<div class="line"><a name="l00186"></a><span class="lineno"> 186</span>&#160; }</div>
<div class="line"><a name="l00187"></a><span class="lineno"> 187</span>&#160; }</div>
<div class="line"><a name="l00188"></a><span class="lineno"> 188</span>&#160;</div>
<!-- createRole(user, roleName): creates a role in Sentry and then in the catalog.
     Throws CatalogException("Role already exists: ...") when the catalog's authorization
     policy already holds a role of that name; this pre-check reads the catalog's copy of
     the policy, not Sentry itself.
     Order of effects: the Sentry createRole RPC runs first, then catalog_.addRole with an
     empty set of grant groups; the Role returned by the catalog is the result.
     The method is synchronized. Nothing in this method undoes the Sentry change if the
     catalog call throws.
     NOTE(review): the meaning of the third createRole argument (false) is not visible in
     this listing; confirm against SentryPolicyService. -->
<div class="line"><a name="l00200"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#af22f5e48aea92bb3b54f370eae8275e1"> 200</a></span>&#160; <span class="keyword">public</span> <span class="keyword">synchronized</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1Role.html">Role</a> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#af22f5e48aea92bb3b54f370eae8275e1">createRole</a>(<a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1User.html">User</a> user, String roleName)</div>
<div class="line"><a name="l00201"></a><span class="lineno"> 201</span>&#160; <span class="keywordflow">throws</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1common_1_1ImpalaException.html">ImpalaException</a> {</div>
<div class="line"><a name="l00202"></a><span class="lineno"> 202</span>&#160; <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1Role.html">Role</a> role = null;</div>
<div class="line"><a name="l00203"></a><span class="lineno"> 203</span>&#160; <span class="keywordflow">if</span> (<a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a7917e37560bd150b2bb597605e170197">catalog_</a>.<a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1CatalogServiceCatalog.html#aa42ee0a998bad3d81fb8887fc162ab55">getAuthPolicy</a>().getRole(roleName) != null) {</div>
<div class="line"><a name="l00204"></a><span class="lineno"> 204</span>&#160; <span class="keywordflow">throw</span> <span class="keyword">new</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1CatalogException.html">CatalogException</a>(<span class="stringliteral">&quot;Role already exists: &quot;</span> + roleName);</div>
<div class="line"><a name="l00205"></a><span class="lineno"> 205</span>&#160; }</div>
<div class="line"><a name="l00206"></a><span class="lineno"> 206</span>&#160; sentryPolicyService_.createRole(user, roleName, <span class="keyword">false</span>);</div>
<div class="line"><a name="l00207"></a><span class="lineno"> 207</span>&#160; <span class="comment">// Initially the role has no grant groups (empty set).</span></div>
<div class="line"><a name="l00208"></a><span class="lineno"> 208</span>&#160; role = catalog_.addRole(roleName, Sets.&lt;String&gt;newHashSet());</div>
<div class="line"><a name="l00209"></a><span class="lineno"> 209</span>&#160; <span class="keywordflow">return</span> role;</div>
<div class="line"><a name="l00210"></a><span class="lineno"> 210</span>&#160; }</div>
<div class="line"><a name="l00211"></a><span class="lineno"> 211</span>&#160;</div>
<!-- dropRole(user, roleName): drops the role through the Sentry dropRole RPC, then removes
     it from the catalog and returns whatever catalog_.removeRole returns.
     Unlike createRole, there is no local existence check before the RPC. The method is
     synchronized, and an ImpalaException from the Sentry call propagates before the catalog
     is touched.
     NOTE(review): the meaning of the third dropRole argument (false) is not visible in
     this listing; confirm against SentryPolicyService. -->
<div class="line"><a name="l00219"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a5559029b98b1a2ed7570ae57e47c125a"> 219</a></span>&#160; <span class="keyword">public</span> <span class="keyword">synchronized</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1Role.html">Role</a> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a5559029b98b1a2ed7570ae57e47c125a">dropRole</a>(<a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1User.html">User</a> user, String roleName) <span class="keywordflow">throws</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1common_1_1ImpalaException.html">ImpalaException</a> {</div>
<div class="line"><a name="l00220"></a><span class="lineno"> 220</span>&#160; sentryPolicyService_.dropRole(user, roleName, <span class="keyword">false</span>);</div>
<div class="line"><a name="l00221"></a><span class="lineno"> 221</span>&#160; <span class="keywordflow">return</span> catalog_.removeRole(roleName);</div>
<div class="line"><a name="l00222"></a><span class="lineno"> 222</span>&#160; }</div>
<div class="line"><a name="l00223"></a><span class="lineno"> 223</span>&#160;</div>
<!-- grantRoleGroup(user, roleName, groupName): grants the role to the group through the
     Sentry grantRoleToGroup RPC, then records the grant in the catalog and returns the
     Role from catalog_.addRoleGrantGroup.
     The requesting user is handed to Sentry; this method performs no authorization check
     of its own. The method is synchronized, and a failure of the Sentry call propagates
     before the catalog is changed. -->
<div class="line"><a name="l00231"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#aef372453e9eac74c2d19f94c210c2c3e"> 231</a></span>&#160; <span class="keyword">public</span> <span class="keyword">synchronized</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1Role.html">Role</a> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#aef372453e9eac74c2d19f94c210c2c3e">grantRoleGroup</a>(<a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1User.html">User</a> user, String roleName, String groupName)</div>
<div class="line"><a name="l00232"></a><span class="lineno"> 232</span>&#160; <span class="keywordflow">throws</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1common_1_1ImpalaException.html">ImpalaException</a> {</div>
<div class="line"><a name="l00233"></a><span class="lineno"> 233</span>&#160; sentryPolicyService_.grantRoleToGroup(user, roleName, groupName);</div>
<div class="line"><a name="l00234"></a><span class="lineno"> 234</span>&#160; <span class="keywordflow">return</span> catalog_.addRoleGrantGroup(roleName, groupName);</div>
<div class="line"><a name="l00235"></a><span class="lineno"> 235</span>&#160; }</div>
<div class="line"><a name="l00236"></a><span class="lineno"> 236</span>&#160;</div>
<!-- revokeRoleGroup(user, roleName, groupName): revokes the role from the group through the
     Sentry revokeRoleFromGroup RPC, then removes the grant from the catalog and returns the
     Role from catalog_.removeRoleGrantGroup.
     The method is synchronized. If the Sentry call throws, the catalog copy is left as it
     was, so the cached policy keeps the grant that the caller tried to revoke. -->
<div class="line"><a name="l00244"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#aae3bc162a3787d6661221bb890d1bf64"> 244</a></span>&#160; <span class="keyword">public</span> <span class="keyword">synchronized</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1Role.html">Role</a> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#aae3bc162a3787d6661221bb890d1bf64">revokeRoleGroup</a>(<a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1User.html">User</a> user, String roleName, String groupName)</div>
<div class="line"><a name="l00245"></a><span class="lineno"> 245</span>&#160; <span class="keywordflow">throws</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1common_1_1ImpalaException.html">ImpalaException</a> {</div>
<div class="line"><a name="l00246"></a><span class="lineno"> 246</span>&#160; sentryPolicyService_.revokeRoleFromGroup(user, roleName, groupName);</div>
<div class="line"><a name="l00247"></a><span class="lineno"> 247</span>&#160; <span class="keywordflow">return</span> catalog_.removeRoleGrantGroup(roleName, groupName);</div>
<div class="line"><a name="l00248"></a><span class="lineno"> 248</span>&#160; }</div>
<div class="line"><a name="l00249"></a><span class="lineno"> 249</span>&#160;</div>
<!-- grantRolePrivilege(user, roleName, privilege): grants the privilege to the role through
     the Sentry grantRolePrivilege RPC, then adds it to the catalog and returns the
     RolePrivilege from catalog_.addRolePrivilege.
     The TPrivilege is forwarded as given, including its grant option flag; no validation
     of the privilege is visible in this method. The method is synchronized, and a failure
     of the Sentry call propagates before the catalog is changed. -->
<div class="line"><a name="l00257"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a8dde66b618d735736e43f5d089db6d64"> 257</a></span>&#160; <span class="keyword">public</span> <span class="keyword">synchronized</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1RolePrivilege.html">RolePrivilege</a> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a8dde66b618d735736e43f5d089db6d64">grantRolePrivilege</a>(<a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1User.html">User</a> user, String roleName,</div>
<div class="line"><a name="l00258"></a><span class="lineno"> 258</span>&#160; TPrivilege privilege) <span class="keywordflow">throws</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1common_1_1ImpalaException.html">ImpalaException</a> {</div>
<div class="line"><a name="l00259"></a><span class="lineno"> 259</span>&#160; sentryPolicyService_.grantRolePrivilege(user, roleName, privilege);</div>
<div class="line"><a name="l00260"></a><span class="lineno"> 260</span>&#160; <span class="keywordflow">return</span> catalog_.addRolePrivilege(roleName, privilege);</div>
<div class="line"><a name="l00261"></a><span class="lineno"> 261</span>&#160; }</div>
<div class="line"><a name="l00262"></a><span class="lineno"> 262</span>&#160;</div>
<!-- revokeRolePrivilege(user, roleName, privilege): handles two kinds of revoke.
     1. privilege.isHas_grant_opt() is false: the privilege is revoked in Sentry, removed
        from the catalog, and the catalog's result is returned.
     2. privilege.isHas_grant_opt() is true (REVOKE GRANT OPTION): the privilege stays and
        only its grant option is cleared. The existing privilege is looked up in the
        catalog copy; when it is absent or its grant option is already unset, that lookup
        result (possibly null) is returned without any Sentry call.
     The method is synchronized. The decision in case 2 is based on the catalog's cached
     privilege rather than on a fresh read from Sentry. -->
<div class="line"><a name="l00271"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a0030c74700e0580e01e01aa9adeffe44"> 271</a></span>&#160; <span class="keyword">public</span> <span class="keyword">synchronized</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1RolePrivilege.html">RolePrivilege</a> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#a0030c74700e0580e01e01aa9adeffe44">revokeRolePrivilege</a>(<a class="code" href="classcom_1_1cloudera_1_1impala_1_1authorization_1_1User.html">User</a> user, String roleName,</div>
<div class="line"><a name="l00272"></a><span class="lineno"> 272</span>&#160; TPrivilege privilege) <span class="keywordflow">throws</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1common_1_1ImpalaException.html">ImpalaException</a> {</div>
<div class="line"><a name="l00273"></a><span class="lineno"> 273</span>&#160; <span class="keywordflow">if</span> (!privilege.isHas_grant_opt()) {</div>
<div class="line"><a name="l00274"></a><span class="lineno"> 274</span>&#160; sentryPolicyService_.revokeRolePrivilege(user, roleName, privilege);</div>
<div class="line"><a name="l00275"></a><span class="lineno"> 275</span>&#160; <span class="keywordflow">return</span> catalog_.removeRolePrivilege(roleName, privilege);</div>
<div class="line"><a name="l00276"></a><span class="lineno"> 276</span>&#160; } <span class="keywordflow">else</span> {</div>
<div class="line"><a name="l00277"></a><span class="lineno"> 277</span>&#160; <span class="comment">// If the REVOKE GRANT OPTION has been specified the privilege should not be</span></div>
<div class="line"><a name="l00278"></a><span class="lineno"> 278</span>&#160; <span class="comment">// removed, it should just be updated to clear the GRANT OPTION flag.</span></div>
<div class="line"><a name="l00279"></a><span class="lineno"> 279</span>&#160; <a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1RolePrivilege.html">RolePrivilege</a> existingPriv = catalog_.getRolePrivilege(roleName, privilege);</div>
<div class="line"><a name="l00280"></a><span class="lineno"> 280</span>&#160; <span class="keywordflow">if</span> (existingPriv == null || !existingPriv.<a class="code" href="classcom_1_1cloudera_1_1impala_1_1catalog_1_1RolePrivilege.html#a92bfcbec4a462ad5d18b7515aad8da4d">toThrift</a>().isHas_grant_opt()) {</div>
<div class="line"><a name="l00281"></a><span class="lineno"> 281</span>&#160; <span class="comment">// Nothing to do. The privilege doesn&#39;t exist or the grant option flag is not set</span></div>
<div class="line"><a name="l00282"></a><span class="lineno"> 282</span>&#160; <span class="keywordflow">return</span> existingPriv;</div>
<div class="line"><a name="l00283"></a><span class="lineno"> 283</span>&#160; }</div>
<div class="line"><a name="l00284"></a><span class="lineno"> 284</span>&#160;</div>
<div class="line"><a name="l00285"></a><span class="lineno"> 285</span>&#160; <span class="comment">// Sentry does not yet provide an &quot;alter privilege&quot; API so we need to remove the</span></div>
<div class="line"><a name="l00286"></a><span class="lineno"> 286</span>&#160; <span class="comment">// privilege and re-add it.</span></div>
<!-- The revoke and the re-grant below are two separate Sentry calls. If the re-grant
     throws, Sentry no longer holds the privilege at all, while the catalog entry is not
     updated by this method and still shows it with the grant option.
     NOTE(review): if toThrift() returns the cached privilege's own struct rather than a
     copy, setHas_grant_opt(false) changes the cached entry before Sentry has accepted the
     re-grant; confirm against RolePrivilege.toThrift. -->
<div class="line"><a name="l00287"></a><span class="lineno"> 287</span>&#160; sentryPolicyService_.revokeRolePrivilege(user, roleName, privilege);</div>
<div class="line"><a name="l00288"></a><span class="lineno"> 288</span>&#160; TPrivilege updatedPriv = existingPriv.toThrift();</div>
<div class="line"><a name="l00289"></a><span class="lineno"> 289</span>&#160; updatedPriv.setHas_grant_opt(<span class="keyword">false</span>);</div>
<div class="line"><a name="l00290"></a><span class="lineno"> 290</span>&#160; sentryPolicyService_.grantRolePrivilege(user, roleName, updatedPriv);</div>
<div class="line"><a name="l00291"></a><span class="lineno"> 291</span>&#160; <span class="keywordflow">return</span> catalog_.addRolePrivilege(roleName, updatedPriv);</div>
<div class="line"><a name="l00292"></a><span class="lineno"> 292</span>&#160; }</div>
<div class="line"><a name="l00293"></a><span class="lineno"> 293</span>&#160; }</div>
<div class="line"><a name="l00294"></a><span class="lineno"> 294</span>&#160;</div>
<!-- refresh(): submits a new PolicyReader task to the policyReader_ executor and blocks on
     get() until that task finishes.
     Any Exception raised while submitting or waiting is wrapped in an
     ImpalaRuntimeException, with the original exception kept as the cause; the message
     warns that the current policy state may be inconsistent and suggests running
     'invalidate metadata'.
     This method is not declared synchronized, unlike the role and privilege mutators in
     this class.
     NOTE(review): whether PolicyReader takes the same lock itself is not visible in this
     part of the listing; confirm before relying on ordering between a refresh and a
     concurrent grant or revoke. -->
<div class="line"><a name="l00300"></a><span class="lineno"><a class="line" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#acd1d2f16c573caedb944e7407b15b83e"> 300</a></span>&#160; <span class="keyword">public</span> <span class="keywordtype">void</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy.html#acd1d2f16c573caedb944e7407b15b83e">refresh</a>() throws <a class="code" href="classcom_1_1cloudera_1_1impala_1_1common_1_1ImpalaRuntimeException.html">ImpalaRuntimeException</a> {</div>
<div class="line"><a name="l00301"></a><span class="lineno"> 301</span>&#160; <span class="keywordflow">try</span> {</div>
<div class="line"><a name="l00302"></a><span class="lineno"> 302</span>&#160; policyReader_.submit(<span class="keyword">new</span> <a class="code" href="classcom_1_1cloudera_1_1impala_1_1util_1_1SentryProxy_1_1PolicyReader.html">PolicyReader</a>()).<span class="keyword">get</span>();</div>
<div class="line"><a name="l00303"></a><span class="lineno"> 303</span>&#160; } <span class="keywordflow">catch</span> (Exception e) {</div>
<div class="line"><a name="l00304"></a><span class="lineno"> 304</span>&#160; <span class="comment">// We shouldn&#39;t make it here. It means an exception leaked from the</span></div>
<div class="line"><a name="l00305"></a><span class="lineno"> 305</span>&#160; <span class="comment">// AuthorizationPolicyReader.</span></div>
<div class="line"><a name="l00306"></a><span class="lineno"> 306</span>&#160; <span class="keywordflow">throw</span> <span class="keyword">new</span> ImpalaRuntimeException(<span class="stringliteral">&quot;Error refreshing authorization policy, &quot;</span> +</div>
<div class="line"><a name="l00307"></a><span class="lineno"> 307</span>&#160; <span class="stringliteral">&quot;current policy state may be inconsistent. Running &#39;invalidate metadata&#39; &quot;</span> +</div>
<div class="line"><a name="l00308"></a><span class="lineno"> 308</span>&#160; <span class="stringliteral">&quot;may resolve this problem: &quot;</span>, e);</div>
<div class="line"><a name="l00309"></a><span class="lineno"> 309</span>&#160; }</div>
<div class="line"><a name="l00310"></a><span class="lineno"> 310</span>&#160; }</div>
<div class="line"><a name="l00311"></a><span class="lineno"> 311</span>&#160;}</div>
</div><!-- fragment --></div><!-- contents -->
</div><!-- doc-content -->
</body>
</html>