SENTRY-2355: Merge the DB owner privileges configurations into one enum configuration (Sergio Pena, reviewed by Na Li)
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/SentryOwnerPrivilegeType.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/SentryOwnerPrivilegeType.java
new file mode 100644
index 0000000..69309b9
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/SentryOwnerPrivilegeType.java
@@ -0,0 +1,52 @@
+/**
+ * Autogenerated by Thrift Compiler (0.9.3)
+ *
+ * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+ * @generated
+ */
+package org.apache.sentry.service.common;
+
+import static org.apache.sentry.service.common.ServiceConstants.ServerConfig.SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE;
+import static org.apache.sentry.service.common.ServiceConstants.ServerConfig.SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE_DEFAULT;
+
+import org.apache.hadoop.conf.Configuration;
+
+/**
+ * Controls the owner privileges feature for DB policies.
+ */
+public enum SentryOwnerPrivilegeType {
+ NONE, // New DB objects do not get owner privileges
+ ALL, // New DB objects will get owner privileges as 'all'
+ ALL_WITH_GRANT; // New DB objects will get owner privileges as 'all with grant'
+
+ /**
+ * Checks if the Configuration object has the owner privilege type configuration set.
+ *
+ * @param conf The Configuration object where to check if the config is set.
+ * @return True if it is set; False otherwise.
+ */
+ public boolean isConfSet(Configuration conf) {
+ return (this == get(conf));
+ }
+
+ /**
+ * Returns the owner privilege type from the Configuration object.
+ *
+ * @param conf The Configuration object where to search for the owner privilege type.
+ * @return The SentryOwnerPrivilegeType object.
+ */
+ public static SentryOwnerPrivilegeType get(Configuration conf) {
+ return SentryOwnerPrivilegeType.valueOf(getConfigValue(conf).toUpperCase());
+ }
+
+ /**
+ * Returns the owner privilege string type from the Configuration object.
+ *
+ * @param conf The Configuration object where to search for the owner privilege type.
+ * @return The string value of the owner privilege type.
+ */
+ private static String getConfigValue(Configuration conf) {
+ return conf.get(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE,
+ SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE_DEFAULT.toString());
+ }
+}
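Review bot: `get(conf)` feeds the raw property string through `toUpperCase()` and `valueOf()`, so surrounding whitespace, a typo, or a JVM default locale with a different case mapping for `i` produces a bare `IllegalArgumentException` that does not name the property. Because this setting decides whether object creators receive OWNER privileges and the grant option, I would normalise with `getConfigValue(conf).trim().toUpperCase(Locale.ROOT)` (needs `java.util.Locale`). I would also rethrow the `IllegalArgumentException` with the key and the accepted values in the message rather than falling back silently. Both callers in this commit, `constructOwnerPrivilege` and the `SentryStore` constructor, inherit this behaviour. Separately, the `Autogenerated by Thrift Compiler` header does not match this hand-written enum, and the `isConfSet` Javadoc should say it returns true when the configured type equals this constant.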
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java
index 9a2091a..adc1947 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java
@@ -248,18 +248,8 @@
public static final String SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT = "sentry.server.delta.keep.count";
public static final int SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT_DEFAULT = 100;
- /**
- * Controls the owner privileges feature.
- */
- public static final String SENTRY_ENABLE_OWNER_PRIVILEGES = "sentry.enable.owner.privileges";
- public static final Boolean SENTRY_ENABLE_OWNER_PRIVILEGES_DEFAULT = false;
-
- /**
- * This value is used to decide if a owner privilege created by sentry server
- * should have grant option.
- */
- public static final String SENTRY_OWNER_PRIVILEGE_WITH_GRANT = "sentry.grant.owner.privileges.with.grant";
- public static final Boolean SENTRY_OWNER_PRIVILEGE_WITH_GRANT_DEFAULT = false;
+ public static final String SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE = "sentry.db.policy.store.owner.as.privilege";
+ public static final SentryOwnerPrivilegeType SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE_DEFAULT = SentryOwnerPrivilegeType.NONE;
}
public static final String SENTRY_ZK_JAAS_NAME = "Sentry";
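Review bot: The old keys `sentry.enable.owner.privileges` and `sentry.grant.owner.privileges.with.grant` are removed with no fallback visible in this diff, so a deployment that still sets them would apparently resolve to the `NONE` default after upgrade and stop creating owner privileges without any log message. That fails towards less privilege, but it is still a silent change in authorization behaviour; if no migration exists elsewhere, consider logging a startup warning when either old key is present. The new constant also lost the Javadoc its predecessors had; I would add a comment above it stating that it selects the owner privilege mode for new DB objects (`NONE`, `ALL` or `ALL_WITH_GRANT`, see `SentryOwnerPrivilegeType`) and which two keys it replaces. The enclosing `ServerConfig` class starts outside the hunk.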
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
index 0ac19a7..36b635a 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
@@ -58,6 +58,7 @@
import org.apache.sentry.api.service.thrift.validator.GrantPrivilegeRequestValidator;
import org.apache.sentry.api.service.thrift.validator.RevokePrivilegeRequestValidator;
import org.apache.sentry.api.common.SentryServiceUtil;
+import org.apache.sentry.service.common.SentryOwnerPrivilegeType;
import org.apache.sentry.service.common.ServiceConstants.ConfUtilties;
import org.apache.sentry.service.common.ServiceConstants.SentryPrincipalType;
import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
@@ -1586,17 +1587,15 @@
* @return null if owner privilege can not be constructed, else instance of {@Link TSentryPrivilege}
*/
TSentryPrivilege constructOwnerPrivilege(TSentryAuthorizable authorizable) {
- Boolean isOwnerPrivEnabled = conf.getBoolean(ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES,
- ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES_DEFAULT);
- if(!isOwnerPrivEnabled) {
+ SentryOwnerPrivilegeType ownerPrivilegeType = SentryOwnerPrivilegeType.get(conf);
+ if(ownerPrivilegeType == SentryOwnerPrivilegeType.NONE) {
return null;
}
+
if(Strings.isNullOrEmpty(authorizable.getDb())) {
LOGGER.error("Received authorizable with out DB Name");
return null;
}
- Boolean privilegeWithGrantOption = conf.getBoolean(ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT,
- ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT_DEFAULT);
TSentryPrivilege ownerPrivilege = new TSentryPrivilege();
ownerPrivilege.setServerName(authorizable.getServer());
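Review bot: `constructOwnerPrivilege` re-parses the owner privilege type from `conf` on every call, while `SentryStore` in this same commit resolves `ownerPrivilegeWithGrant` once in its constructor, so the two can disagree about the grant option if the `Configuration` object is modified after the store is built. The unit test in this commit does change `conf` between processor instances while passing the same `sentryStore`. Parsing once into a `private final SentryOwnerPrivilegeType ownerPrivilegeType` field when the processor is constructed would keep both sides consistent and would surface an invalid value at startup instead of on the first create event. The constructor is not visible here, so confirm where `conf` is assigned; the method body starts before this hunk and continues into the next one.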
@@ -1607,7 +1606,7 @@
} else {
ownerPrivilege.setPrivilegeScope("DATABASE");
}
- if(privilegeWithGrantOption) {
+ if(ownerPrivilegeType == SentryOwnerPrivilegeType.ALL_WITH_GRANT) {
ownerPrivilege.setGrantOption(TSentryGrantOption.TRUE);
}
ownerPrivilege.setAction(AccessConstants.OWNER);
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 6455597..0ef6a20 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -92,6 +92,7 @@
import org.apache.sentry.api.service.thrift.TSentryPrivilege;
import org.apache.sentry.api.service.thrift.TSentryPrivilegeMap;
import org.apache.sentry.api.service.thrift.TSentryRole;
+import org.apache.sentry.service.common.SentryOwnerPrivilegeType;
import org.apache.sentry.service.common.ServiceConstants.SentryPrincipalType;
import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
import org.datanucleus.store.rdbms.exceptions.MissingTableException;
@@ -273,8 +274,8 @@
long notificationTimeout = conf.getInt(ServerConfig.SENTRY_NOTIFICATION_SYNC_TIMEOUT_MS,
ServerConfig.SENTRY_NOTIFICATION_SYNC_TIMEOUT_DEFAULT);
counterWait = new CounterWait(notificationTimeout, TimeUnit.MILLISECONDS);
- ownerPrivilegeWithGrant = conf.getBoolean(ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT,
- ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT_DEFAULT);
+
+ ownerPrivilegeWithGrant = SentryOwnerPrivilegeType.ALL_WITH_GRANT.isConfSet(conf);
}
public void setPersistUpdateDeltas(boolean persistUpdateDeltas) {
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
index 94dbd70..2de6253 100644
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
@@ -17,6 +17,7 @@
*/
package org.apache.sentry.api.service.thrift;
+import static org.apache.sentry.service.common.ServiceConstants.ServerConfig.SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
@@ -34,7 +35,7 @@
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.provider.common.GroupMappingService;
import org.apache.sentry.provider.db.service.persistent.CounterWait;
-import org.apache.sentry.service.common.ServiceConstants;
+import org.apache.sentry.service.common.SentryOwnerPrivilegeType;
import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
import org.apache.sentry.provider.db.service.persistent.SentryStore;
import org.apache.sentry.service.common.ServiceConstants.SentryPrincipalType;
@@ -81,7 +82,7 @@
public void setup() throws Exception{
conf = new Configuration(true);
//Check behaviour when DB name is not set
- conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES, true);
+ conf.set(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, SentryOwnerPrivilegeType.ALL.toString());
conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP);
conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
MockGroupMapping.class.getName());
@@ -195,7 +196,7 @@
@Test
public void testConstructOwnerPrivilege() throws Exception {
- conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES, false);
+ conf.set(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, SentryOwnerPrivilegeType.NONE.toString());
SentryPolicyStoreProcessor sentryServiceHandler =
new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
conf, sentryStore);
@@ -209,7 +210,7 @@
//Check behaviour when DB name is not set
- conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES, true);
+ conf.set(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, SentryOwnerPrivilegeType.ALL.toString());
sentryServiceHandler =
new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
conf, sentryStore);
@@ -237,8 +238,7 @@
Assert.assertEquals(privilege, sentryServiceHandler.constructOwnerPrivilege(authorizable));
//Check the behavior when grant option is configured.
- conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_OWNER_PRIVILEGE_WITH_GRANT,
- true);
+ conf.set(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, SentryOwnerPrivilegeType.ALL_WITH_GRANT.toString());
sentryServiceHandler =
new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
conf, sentryStore);
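Review bot: The updated tests only set the property from `SentryOwnerPrivilegeType.X.toString()`, so the string-parsing path in `SentryOwnerPrivilegeType.get` is never exercised with input an operator would actually write in a site file. I would add a lower-case case such as `conf.set(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, "all_with_grant")` and a case with the property left unset, expecting `constructOwnerPrivilege` to return null under the `NONE` default. A third case with an unrecognised value should assert whatever failure behaviour is intended. The test method starts and ends outside this hunk.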
@@ -421,7 +421,7 @@
@Test
public void testAlterTableEventProcessing() throws Exception {
- conf.setBoolean(ServiceConstants.ServerConfig.SENTRY_ENABLE_OWNER_PRIVILEGES, true);
+ conf.set(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE, SentryOwnerPrivilegeType.ALL.toString());
SentryPolicyStoreProcessor sentryServiceHandler =
new SentryPolicyStoreProcessor(ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
index becdc52..f0cf960 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
@@ -73,6 +73,7 @@
import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.service.common.SentryOwnerPrivilegeType;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;
import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
import org.apache.sentry.tests.e2e.hive.fs.MiniDFS;
@@ -97,6 +98,7 @@
import com.google.common.io.Resources;
import static org.apache.sentry.hdfs.ServiceConstants.ServerConfig.SENTRY_HDFS_INTEGRATION_PATH_PREFIXES;
+import static org.apache.sentry.service.common.ServiceConstants.ServerConfig.SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE;
import static org.junit.Assert.assertFalse;
/**
@@ -882,12 +884,18 @@
"org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessorFactory,org.apache.sentry.hdfs.SentryHDFSServiceProcessorFactory");
sentryProperties.put("sentry.policy.store.plugins", "org.apache.sentry.hdfs.SentryPlugin");
}
- if(ownerPrivilegeEnabled) {
- sentryProperties.put("sentry.enable.owner.privileges", "true");
+ if (ownerPrivilegeEnabled) {
if(ownerPrivilegeGrantEnabled) {
- sentryProperties.put("sentry.grant.owner.privileges.with.grant", "true");
+ sentryProperties.put(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE,
+ SentryOwnerPrivilegeType.ALL_WITH_GRANT.toString());
+ } else {
+ sentryProperties.put(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE,
+ SentryOwnerPrivilegeType.ALL.toString());
}
+ } else {
+ sentryProperties.put(SENTRY_DB_POLICY_STORE_OWNER_AS_PRIVILEGE,
+ SentryOwnerPrivilegeType.NONE.toString());
}
for (Map.Entry<String, String> entry : sentryProperties.entrySet()) {