SENTRY-2171: Permission full snapshot should include owner privileges. (Kalyan Kumar kalvagadda, reviewed-by Na Li)
diff --git a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java
index a8e8bb1..a4fa226 100644
--- a/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java
+++ b/sentry-core/sentry-core-model-db/src/main/java/org/apache/sentry/core/model/db/AccessConstants.java
@@ -34,6 +34,7 @@
public static final String ALTER = "alter";
public static final String CREATE = "create";
public static final String DROP = "drop";
+ public static final String OWNER = "OWNER";
public static final String INDEX = "index";
public static final String LOCK = "lock";
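Review bot: `OWNER` is defined with an upper-case value while the neighbouring action constants (`alter`, `create`, `drop`) are lower-case, and nothing on the line says why. The comparison added in `SentryStore` upper-cases the action before calling `equals(AccessConstants.OWNER)`, so it depends on this casing. A caller that lower-cases first, as the other constants invite, would silently fail to recognise owner privileges. A one-line comment such as `// Upper-case on purpose: compared against upper-cased actions when building the permission snapshot.` would make the dependency explicit. The class body continues outside the hunk.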
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index b640f59..cafe2b5 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -2526,20 +2526,38 @@
retVal.put(authzObj, pUpdate);
}
for (MSentryRole mRole : mPriv.getRoles()) {
- String existingPriv = pUpdate.get(mRole.getRoleName());
- if (existingPriv == null) {
- pUpdate.put(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, mRole.getRoleName()),
- mPriv.getAction().toUpperCase());
- } else {
- pUpdate.put(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, mRole.getRoleName()), existingPriv + "," +
- mPriv.getAction().toUpperCase());
- }
+ pUpdate = addPrivilegeEntry (mPriv, TPrivilegeEntityType.ROLE, mRole.getRoleName(), pUpdate);
+ }
+ for (MSentryUser mUser : mPriv.getUsers()) {
+ pUpdate = addPrivilegeEntry (mPriv, TPrivilegeEntityType.USER, mUser.getUserName(), pUpdate);
}
}
query.closeAll();
return retVal;
}
+ private static Map<TPrivilegeEntity, String> addPrivilegeEntry(MSentryPrivilege mPriv, TPrivilegeEntityType tEntityType,
+ String entity, Map<TPrivilegeEntity, String> update) {
+ String action;
+ String newAction;
+ String existingPriv = update.get(entity);
+ action = mPriv.getAction().toUpperCase();
+ newAction = mPriv.getAction().toUpperCase();
+ if(action.equals(AccessConstants.OWNER)) {
+ // Translate owner privilege to actual privilege.
+ newAction = AccessConstants.ACTION_ALL;
+ }
+
+ if (existingPriv == null) {
+ update.put(new TPrivilegeEntity(tEntityType, entity),
+ newAction);
+ } else {
+ update.put(new TPrivilegeEntity(tEntityType, entity), existingPriv + "," +
+ newAction);
+ }
+ return update;
+ }
+
/**
* Retrieves an up-to-date sentry role snapshot from {@code MSentryGroup} table.
* The snapshot is represented by a role to groups map.
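Review bot: The lookup `update.get(entity)` in `addPrivilegeEntry` passes a `String` to a map declared as `Map<TPrivilegeEntity, String>`, so unless `TPrivilegeEntity.equals` accepts a plain string it always returns null and the `else` branch that appends to the existing action list is never taken. A role or user holding several privileges on the same object would then appear in the snapshot with only the last action written, so the permission image would not match what was granted. The removed code had the same lookup, so this is carried over rather than introduced, but the new helper is the place to correct it: `String existingPriv = update.get(new TPrivilegeEntity(tEntityType, entity));`. `action` and `newAction` are also computed by the same call twice; a single `toUpperCase(Locale.ROOT)` result would do and would keep the `OWNER` comparison independent of the JVM default locale. The enclosing snapshot method starts above the hunk.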
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
index 152c0ce..0322cc3 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
@@ -2466,11 +2466,27 @@
sentryStore.alterSentryRoleAddGroups(grantor, roleName1, groups);
sentryStore.alterSentryRoleAddGroups(grantor, roleName2, groups);
+ //Grant owner privilege to role
+ TSentryPrivilege privilege3 = new TSentryPrivilege();
+ privilege3.setPrivilegeScope("TABLE");
+ privilege3.setServerName("server1");
+ privilege3.setDbName("db3");
+ privilege3.setTableName("tbl1");
+ privilege3.setAction("OWNER");
+ privilege3.setCreateTime(System.currentTimeMillis());
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName1, privilege3);
+ sentryStore.alterSentryRoleGrantPrivilege(grantor, roleName2, privilege3);
+
PermissionsImage permImage = sentryStore.retrieveFullPermssionsImage();
Map<String, Map<TPrivilegeEntity, String>> privs = permImage.getPrivilegeImage();
Map<String, List<String>> roles = permImage.getRoleImage();
assertEquals(2, privs.get("db1.tbl1").size());
assertEquals(2, roles.size());
+
+ assertEquals(2, privs.get("db3.tbl1").size());
+ assertEquals("ALL", privs.get("db3.tbl1").get(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, roleName1)));
+ assertEquals("ALL", privs.get("db3.tbl1").get(new TPrivilegeEntity(TPrivilegeEntityType.ROLE, roleName2)));
+
}
/**
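Review bot: The new assertions cover only a role whose sole privilege on `db3.tbl1` is `OWNER`, so neither the `mPriv.getUsers()` loop added in `SentryStore` nor the path where an entity already has an entry for the object is exercised. Granting a second action (for example `SELECT`) to `roleName1` on the same table and asserting the combined value would show whether entries are merged or overwritten in the image. A user-owner case would need a grant made directly to a user; which store method does that is not visible in this hunk. The test method begins above the hunk.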