SENTRY-2371: Add a new thrift API for getting all privileges a user has (Hao Hao, reviewed by Na Li, Sergio Pena)
diff --git a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java
index 0cbd8ab..7025653 100644
--- a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java
+++ b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java
@@ -63,6 +63,8 @@
public TListSentryPrivilegesResponse list_sentry_privileges_by_user(TListSentryPrivilegesRequest request) throws org.apache.thrift.TException;
+ public TListSentryPrivilegesResponse list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request) throws org.apache.thrift.TException;
+
public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest request) throws org.apache.thrift.TException;
public TDropPrivilegesResponse drop_sentry_privilege(TDropPrivilegesRequest request) throws org.apache.thrift.TException;
@@ -113,6 +115,8 @@
public void list_sentry_privileges_by_user(TListSentryPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException;
+ public void list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException;
+
public void list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException;
public void drop_sentry_privilege(TDropPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException;
@@ -433,6 +437,29 @@
throw new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.MISSING_RESULT, "list_sentry_privileges_by_user failed: unknown result");
}
+ public TListSentryPrivilegesResponse list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request) throws org.apache.thrift.TException
+ {
+ send_list_sentry_privileges_by_user_and_itsgroups(request);
+ return recv_list_sentry_privileges_by_user_and_itsgroups();
+ }
+
+ public void send_list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request) throws org.apache.thrift.TException
+ {
+ list_sentry_privileges_by_user_and_itsgroups_args args = new list_sentry_privileges_by_user_and_itsgroups_args();
+ args.setRequest(request);
+ sendBase("list_sentry_privileges_by_user_and_itsgroups", args);
+ }
+
+ public TListSentryPrivilegesResponse recv_list_sentry_privileges_by_user_and_itsgroups() throws org.apache.thrift.TException
+ {
+ list_sentry_privileges_by_user_and_itsgroups_result result = new list_sentry_privileges_by_user_and_itsgroups_result();
+ receiveBase(result, "list_sentry_privileges_by_user_and_itsgroups");
+ if (result.isSetSuccess()) {
+ return result.success;
+ }
+ throw new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.MISSING_RESULT, "list_sentry_privileges_by_user_and_itsgroups failed: unknown result");
+ }
+
public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest request) throws org.apache.thrift.TException
{
send_list_sentry_privileges_for_provider(request);
@@ -1088,6 +1115,38 @@
}
}
+ public void list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException {
+ checkReady();
+ list_sentry_privileges_by_user_and_itsgroups_call method_call = new list_sentry_privileges_by_user_and_itsgroups_call(request, resultHandler, this, ___protocolFactory, ___transport);
+ this.___currentMethod = method_call;
+ ___manager.call(method_call);
+ }
+
+ public static class list_sentry_privileges_by_user_and_itsgroups_call extends org.apache.thrift.async.TAsyncMethodCall {
+ private TListSentryPrivilegesRequest request;
+ public list_sentry_privileges_by_user_and_itsgroups_call(TListSentryPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler, org.apache.thrift.async.TAsyncClient client, org.apache.thrift.protocol.TProtocolFactory protocolFactory, org.apache.thrift.transport.TNonblockingTransport transport) throws org.apache.thrift.TException {
+ super(client, protocolFactory, transport, resultHandler, false);
+ this.request = request;
+ }
+
+ public void write_args(org.apache.thrift.protocol.TProtocol prot) throws org.apache.thrift.TException {
+ prot.writeMessageBegin(new org.apache.thrift.protocol.TMessage("list_sentry_privileges_by_user_and_itsgroups", org.apache.thrift.protocol.TMessageType.CALL, 0));
+ list_sentry_privileges_by_user_and_itsgroups_args args = new list_sentry_privileges_by_user_and_itsgroups_args();
+ args.setRequest(request);
+ args.write(prot);
+ prot.writeMessageEnd();
+ }
+
+ public TListSentryPrivilegesResponse getResult() throws org.apache.thrift.TException {
+ if (getState() != org.apache.thrift.async.TAsyncMethodCall.State.RESPONSE_READ) {
+ throw new IllegalStateException("Method call not finished!");
+ }
+ org.apache.thrift.transport.TMemoryInputTransport memoryTransport = new org.apache.thrift.transport.TMemoryInputTransport(getFrameBuffer().array());
+ org.apache.thrift.protocol.TProtocol prot = client.getProtocolFactory().getProtocol(memoryTransport);
+ return (new Client(prot)).recv_list_sentry_privileges_by_user_and_itsgroups();
+ }
+ }
+
public void list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException {
checkReady();
list_sentry_privileges_for_provider_call method_call = new list_sentry_privileges_for_provider_call(request, resultHandler, this, ___protocolFactory, ___transport);
@@ -1465,6 +1524,7 @@
processMap.put("list_sentry_roles_by_user", new list_sentry_roles_by_user());
processMap.put("list_sentry_privileges_by_role", new list_sentry_privileges_by_role());
processMap.put("list_sentry_privileges_by_user", new list_sentry_privileges_by_user());
+ processMap.put("list_sentry_privileges_by_user_and_itsgroups", new list_sentry_privileges_by_user_and_itsgroups());
processMap.put("list_sentry_privileges_for_provider", new list_sentry_privileges_for_provider());
processMap.put("drop_sentry_privilege", new drop_sentry_privilege());
processMap.put("rename_sentry_privilege", new rename_sentry_privilege());
@@ -1719,6 +1779,26 @@
}
}
+ public static class list_sentry_privileges_by_user_and_itsgroups<I extends Iface> extends org.apache.thrift.ProcessFunction<I, list_sentry_privileges_by_user_and_itsgroups_args> {
+ public list_sentry_privileges_by_user_and_itsgroups() {
+ super("list_sentry_privileges_by_user_and_itsgroups");
+ }
+
+ public list_sentry_privileges_by_user_and_itsgroups_args getEmptyArgsInstance() {
+ return new list_sentry_privileges_by_user_and_itsgroups_args();
+ }
+
+ protected boolean isOneway() {
+ return false;
+ }
+
+ public list_sentry_privileges_by_user_and_itsgroups_result getResult(I iface, list_sentry_privileges_by_user_and_itsgroups_args args) throws org.apache.thrift.TException {
+ list_sentry_privileges_by_user_and_itsgroups_result result = new list_sentry_privileges_by_user_and_itsgroups_result();
+ result.success = iface.list_sentry_privileges_by_user_and_itsgroups(args.request);
+ return result;
+ }
+ }
+
public static class list_sentry_privileges_for_provider<I extends Iface> extends org.apache.thrift.ProcessFunction<I, list_sentry_privileges_for_provider_args> {
public list_sentry_privileges_for_provider() {
super("list_sentry_privileges_for_provider");
@@ -1964,6 +2044,7 @@
processMap.put("list_sentry_roles_by_user", new list_sentry_roles_by_user());
processMap.put("list_sentry_privileges_by_role", new list_sentry_privileges_by_role());
processMap.put("list_sentry_privileges_by_user", new list_sentry_privileges_by_user());
+ processMap.put("list_sentry_privileges_by_user_and_itsgroups", new list_sentry_privileges_by_user_and_itsgroups());
processMap.put("list_sentry_privileges_for_provider", new list_sentry_privileges_for_provider());
processMap.put("drop_sentry_privilege", new drop_sentry_privilege());
processMap.put("rename_sentry_privilege", new rename_sentry_privilege());
@@ -2590,6 +2671,57 @@
}
}
+ public static class list_sentry_privileges_by_user_and_itsgroups<I extends AsyncIface> extends org.apache.thrift.AsyncProcessFunction<I, list_sentry_privileges_by_user_and_itsgroups_args, TListSentryPrivilegesResponse> {
+ public list_sentry_privileges_by_user_and_itsgroups() {
+ super("list_sentry_privileges_by_user_and_itsgroups");
+ }
+
+ public list_sentry_privileges_by_user_and_itsgroups_args getEmptyArgsInstance() {
+ return new list_sentry_privileges_by_user_and_itsgroups_args();
+ }
+
+ public AsyncMethodCallback<TListSentryPrivilegesResponse> getResultHandler(final AsyncFrameBuffer fb, final int seqid) {
+ final org.apache.thrift.AsyncProcessFunction fcall = this;
+ return new AsyncMethodCallback<TListSentryPrivilegesResponse>() {
+ public void onComplete(TListSentryPrivilegesResponse o) {
+ list_sentry_privileges_by_user_and_itsgroups_result result = new list_sentry_privileges_by_user_and_itsgroups_result();
+ result.success = o;
+ try {
+ fcall.sendResponse(fb,result, org.apache.thrift.protocol.TMessageType.REPLY,seqid);
+ return;
+ } catch (Exception e) {
+ LOGGER.error("Exception writing to internal frame buffer", e);
+ }
+ fb.close();
+ }
+ public void onError(Exception e) {
+ byte msgType = org.apache.thrift.protocol.TMessageType.REPLY;
+ org.apache.thrift.TBase msg;
+ list_sentry_privileges_by_user_and_itsgroups_result result = new list_sentry_privileges_by_user_and_itsgroups_result();
+ {
+ msgType = org.apache.thrift.protocol.TMessageType.EXCEPTION;
+ msg = (org.apache.thrift.TBase)new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.INTERNAL_ERROR, e.getMessage());
+ }
+ try {
+ fcall.sendResponse(fb,msg,msgType,seqid);
+ return;
+ } catch (Exception ex) {
+ LOGGER.error("Exception writing to internal frame buffer", ex);
+ }
+ fb.close();
+ }
+ };
+ }
+
+ protected boolean isOneway() {
+ return false;
+ }
+
+ public void start(I iface, list_sentry_privileges_by_user_and_itsgroups_args args, org.apache.thrift.async.AsyncMethodCallback<TListSentryPrivilegesResponse> resultHandler) throws TException {
+ iface.list_sentry_privileges_by_user_and_itsgroups(args.request,resultHandler);
+ }
+ }
+
public static class list_sentry_privileges_for_provider<I extends AsyncIface> extends org.apache.thrift.AsyncProcessFunction<I, list_sentry_privileges_for_provider_args, TListSentryPrivilegesForProviderResponse> {
public list_sentry_privileges_for_provider() {
super("list_sentry_privileges_for_provider");
@@ -11865,6 +11997,732 @@
}
+ public static class list_sentry_privileges_by_user_and_itsgroups_args implements org.apache.thrift.TBase<list_sentry_privileges_by_user_and_itsgroups_args, list_sentry_privileges_by_user_and_itsgroups_args._Fields>, java.io.Serializable, Cloneable, Comparable<list_sentry_privileges_by_user_and_itsgroups_args> {
+ private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("list_sentry_privileges_by_user_and_itsgroups_args");
+
+ private static final org.apache.thrift.protocol.TField REQUEST_FIELD_DESC = new org.apache.thrift.protocol.TField("request", org.apache.thrift.protocol.TType.STRUCT, (short)1);
+
+ private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
+ static {
+ schemes.put(StandardScheme.class, new list_sentry_privileges_by_user_and_itsgroups_argsStandardSchemeFactory());
+ schemes.put(TupleScheme.class, new list_sentry_privileges_by_user_and_itsgroups_argsTupleSchemeFactory());
+ }
+
+ private TListSentryPrivilegesRequest request; // required
+
+ /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
+ public enum _Fields implements org.apache.thrift.TFieldIdEnum {
+ REQUEST((short)1, "request");
+
+ private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
+
+ static {
+ for (_Fields field : EnumSet.allOf(_Fields.class)) {
+ byName.put(field.getFieldName(), field);
+ }
+ }
+
+ /**
+ * Find the _Fields constant that matches fieldId, or null if its not found.
+ */
+ public static _Fields findByThriftId(int fieldId) {
+ switch(fieldId) {
+ case 1: // REQUEST
+ return REQUEST;
+ default:
+ return null;
+ }
+ }
+
+ /**
+ * Find the _Fields constant that matches fieldId, throwing an exception
+ * if it is not found.
+ */
+ public static _Fields findByThriftIdOrThrow(int fieldId) {
+ _Fields fields = findByThriftId(fieldId);
+ if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!");
+ return fields;
+ }
+
+ /**
+ * Find the _Fields constant that matches name, or null if its not found.
+ */
+ public static _Fields findByName(String name) {
+ return byName.get(name);
+ }
+
+ private final short _thriftId;
+ private final String _fieldName;
+
+ _Fields(short thriftId, String fieldName) {
+ _thriftId = thriftId;
+ _fieldName = fieldName;
+ }
+
+ public short getThriftFieldId() {
+ return _thriftId;
+ }
+
+ public String getFieldName() {
+ return _fieldName;
+ }
+ }
+
+ // isset id assignments
+ public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
+ static {
+ Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
+ tmpMap.put(_Fields.REQUEST, new org.apache.thrift.meta_data.FieldMetaData("request", org.apache.thrift.TFieldRequirementType.DEFAULT,
+ new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TListSentryPrivilegesRequest.class)));
+ metaDataMap = Collections.unmodifiableMap(tmpMap);
+ org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(list_sentry_privileges_by_user_and_itsgroups_args.class, metaDataMap);
+ }
+
+ public list_sentry_privileges_by_user_and_itsgroups_args() {
+ }
+
+ public list_sentry_privileges_by_user_and_itsgroups_args(
+ TListSentryPrivilegesRequest request)
+ {
+ this();
+ this.request = request;
+ }
+
+ /**
+ * Performs a deep copy on <i>other</i>.
+ */
+ public list_sentry_privileges_by_user_and_itsgroups_args(list_sentry_privileges_by_user_and_itsgroups_args other) {
+ if (other.isSetRequest()) {
+ this.request = new TListSentryPrivilegesRequest(other.request);
+ }
+ }
+
+ public list_sentry_privileges_by_user_and_itsgroups_args deepCopy() {
+ return new list_sentry_privileges_by_user_and_itsgroups_args(this);
+ }
+
+ @Override
+ public void clear() {
+ this.request = null;
+ }
+
+ public TListSentryPrivilegesRequest getRequest() {
+ return this.request;
+ }
+
+ public void setRequest(TListSentryPrivilegesRequest request) {
+ this.request = request;
+ }
+
+ public void unsetRequest() {
+ this.request = null;
+ }
+
+ /** Returns true if field request is set (has been assigned a value) and false otherwise */
+ public boolean isSetRequest() {
+ return this.request != null;
+ }
+
+ public void setRequestIsSet(boolean value) {
+ if (!value) {
+ this.request = null;
+ }
+ }
+
+ public void setFieldValue(_Fields field, Object value) {
+ switch (field) {
+ case REQUEST:
+ if (value == null) {
+ unsetRequest();
+ } else {
+ setRequest((TListSentryPrivilegesRequest)value);
+ }
+ break;
+
+ }
+ }
+
+ public Object getFieldValue(_Fields field) {
+ switch (field) {
+ case REQUEST:
+ return getRequest();
+
+ }
+ throw new IllegalStateException();
+ }
+
+ /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */
+ public boolean isSet(_Fields field) {
+ if (field == null) {
+ throw new IllegalArgumentException();
+ }
+
+ switch (field) {
+ case REQUEST:
+ return isSetRequest();
+ }
+ throw new IllegalStateException();
+ }
+
+ @Override
+ public boolean equals(Object that) {
+ if (that == null)
+ return false;
+ if (that instanceof list_sentry_privileges_by_user_and_itsgroups_args)
+ return this.equals((list_sentry_privileges_by_user_and_itsgroups_args)that);
+ return false;
+ }
+
+ public boolean equals(list_sentry_privileges_by_user_and_itsgroups_args that) {
+ if (that == null)
+ return false;
+
+ boolean this_present_request = true && this.isSetRequest();
+ boolean that_present_request = true && that.isSetRequest();
+ if (this_present_request || that_present_request) {
+ if (!(this_present_request && that_present_request))
+ return false;
+ if (!this.request.equals(that.request))
+ return false;
+ }
+
+ return true;
+ }
+
+ @Override
+ public int hashCode() {
+ List<Object> list = new ArrayList<Object>();
+
+ boolean present_request = true && (isSetRequest());
+ list.add(present_request);
+ if (present_request)
+ list.add(request);
+
+ return list.hashCode();
+ }
+
+ @Override
+ public int compareTo(list_sentry_privileges_by_user_and_itsgroups_args other) {
+ if (!getClass().equals(other.getClass())) {
+ return getClass().getName().compareTo(other.getClass().getName());
+ }
+
+ int lastComparison = 0;
+
+ lastComparison = Boolean.valueOf(isSetRequest()).compareTo(other.isSetRequest());
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ if (isSetRequest()) {
+ lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.request, other.request);
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ }
+ return 0;
+ }
+
+ public _Fields fieldForId(int fieldId) {
+ return _Fields.findByThriftId(fieldId);
+ }
+
+ public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException {
+ schemes.get(iprot.getScheme()).getScheme().read(iprot, this);
+ }
+
+ public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException {
+ schemes.get(oprot.getScheme()).getScheme().write(oprot, this);
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder sb = new StringBuilder("list_sentry_privileges_by_user_and_itsgroups_args(");
+ boolean first = true;
+
+ sb.append("request:");
+ if (this.request == null) {
+ sb.append("null");
+ } else {
+ sb.append(this.request);
+ }
+ first = false;
+ sb.append(")");
+ return sb.toString();
+ }
+
+ public void validate() throws org.apache.thrift.TException {
+ // check for required fields
+ // check for sub-struct validity
+ if (request != null) {
+ request.validate();
+ }
+ }
+
+ private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
+ try {
+ write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out)));
+ } catch (org.apache.thrift.TException te) {
+ throw new java.io.IOException(te);
+ }
+ }
+
+ private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException {
+ try {
+ read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in)));
+ } catch (org.apache.thrift.TException te) {
+ throw new java.io.IOException(te);
+ }
+ }
+
+ private static class list_sentry_privileges_by_user_and_itsgroups_argsStandardSchemeFactory implements SchemeFactory {
+ public list_sentry_privileges_by_user_and_itsgroups_argsStandardScheme getScheme() {
+ return new list_sentry_privileges_by_user_and_itsgroups_argsStandardScheme();
+ }
+ }
+
+ private static class list_sentry_privileges_by_user_and_itsgroups_argsStandardScheme extends StandardScheme<list_sentry_privileges_by_user_and_itsgroups_args> {
+
+ public void read(org.apache.thrift.protocol.TProtocol iprot, list_sentry_privileges_by_user_and_itsgroups_args struct) throws org.apache.thrift.TException {
+ org.apache.thrift.protocol.TField schemeField;
+ iprot.readStructBegin();
+ while (true)
+ {
+ schemeField = iprot.readFieldBegin();
+ if (schemeField.type == org.apache.thrift.protocol.TType.STOP) {
+ break;
+ }
+ switch (schemeField.id) {
+ case 1: // REQUEST
+ if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) {
+ struct.request = new TListSentryPrivilegesRequest();
+ struct.request.read(iprot);
+ struct.setRequestIsSet(true);
+ } else {
+ org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+ }
+ break;
+ default:
+ org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+ }
+ iprot.readFieldEnd();
+ }
+ iprot.readStructEnd();
+ struct.validate();
+ }
+
+ public void write(org.apache.thrift.protocol.TProtocol oprot, list_sentry_privileges_by_user_and_itsgroups_args struct) throws org.apache.thrift.TException {
+ struct.validate();
+
+ oprot.writeStructBegin(STRUCT_DESC);
+ if (struct.request != null) {
+ oprot.writeFieldBegin(REQUEST_FIELD_DESC);
+ struct.request.write(oprot);
+ oprot.writeFieldEnd();
+ }
+ oprot.writeFieldStop();
+ oprot.writeStructEnd();
+ }
+
+ }
+
+ private static class list_sentry_privileges_by_user_and_itsgroups_argsTupleSchemeFactory implements SchemeFactory {
+ public list_sentry_privileges_by_user_and_itsgroups_argsTupleScheme getScheme() {
+ return new list_sentry_privileges_by_user_and_itsgroups_argsTupleScheme();
+ }
+ }
+
+ private static class list_sentry_privileges_by_user_and_itsgroups_argsTupleScheme extends TupleScheme<list_sentry_privileges_by_user_and_itsgroups_args> {
+
+ @Override
+ public void write(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_user_and_itsgroups_args struct) throws org.apache.thrift.TException {
+ TTupleProtocol oprot = (TTupleProtocol) prot;
+ BitSet optionals = new BitSet();
+ if (struct.isSetRequest()) {
+ optionals.set(0);
+ }
+ oprot.writeBitSet(optionals, 1);
+ if (struct.isSetRequest()) {
+ struct.request.write(oprot);
+ }
+ }
+
+ @Override
+ public void read(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_user_and_itsgroups_args struct) throws org.apache.thrift.TException {
+ TTupleProtocol iprot = (TTupleProtocol) prot;
+ BitSet incoming = iprot.readBitSet(1);
+ if (incoming.get(0)) {
+ struct.request = new TListSentryPrivilegesRequest();
+ struct.request.read(iprot);
+ struct.setRequestIsSet(true);
+ }
+ }
+ }
+
+ }
+
+ public static class list_sentry_privileges_by_user_and_itsgroups_result implements org.apache.thrift.TBase<list_sentry_privileges_by_user_and_itsgroups_result, list_sentry_privileges_by_user_and_itsgroups_result._Fields>, java.io.Serializable, Cloneable, Comparable<list_sentry_privileges_by_user_and_itsgroups_result> {
+ private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("list_sentry_privileges_by_user_and_itsgroups_result");
+
+ private static final org.apache.thrift.protocol.TField SUCCESS_FIELD_DESC = new org.apache.thrift.protocol.TField("success", org.apache.thrift.protocol.TType.STRUCT, (short)0);
+
+ private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
+ static {
+ schemes.put(StandardScheme.class, new list_sentry_privileges_by_user_and_itsgroups_resultStandardSchemeFactory());
+ schemes.put(TupleScheme.class, new list_sentry_privileges_by_user_and_itsgroups_resultTupleSchemeFactory());
+ }
+
+ private TListSentryPrivilegesResponse success; // required
+
+ /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
+ public enum _Fields implements org.apache.thrift.TFieldIdEnum {
+ SUCCESS((short)0, "success");
+
+ private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
+
+ static {
+ for (_Fields field : EnumSet.allOf(_Fields.class)) {
+ byName.put(field.getFieldName(), field);
+ }
+ }
+
+ /**
+ * Find the _Fields constant that matches fieldId, or null if its not found.
+ */
+ public static _Fields findByThriftId(int fieldId) {
+ switch(fieldId) {
+ case 0: // SUCCESS
+ return SUCCESS;
+ default:
+ return null;
+ }
+ }
+
+ /**
+ * Find the _Fields constant that matches fieldId, throwing an exception
+ * if it is not found.
+ */
+ public static _Fields findByThriftIdOrThrow(int fieldId) {
+ _Fields fields = findByThriftId(fieldId);
+ if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!");
+ return fields;
+ }
+
+ /**
+ * Find the _Fields constant that matches name, or null if its not found.
+ */
+ public static _Fields findByName(String name) {
+ return byName.get(name);
+ }
+
+ private final short _thriftId;
+ private final String _fieldName;
+
+ _Fields(short thriftId, String fieldName) {
+ _thriftId = thriftId;
+ _fieldName = fieldName;
+ }
+
+ public short getThriftFieldId() {
+ return _thriftId;
+ }
+
+ public String getFieldName() {
+ return _fieldName;
+ }
+ }
+
+ // isset id assignments
+ public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
+ static {
+ Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
+ tmpMap.put(_Fields.SUCCESS, new org.apache.thrift.meta_data.FieldMetaData("success", org.apache.thrift.TFieldRequirementType.DEFAULT,
+ new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TListSentryPrivilegesResponse.class)));
+ metaDataMap = Collections.unmodifiableMap(tmpMap);
+ org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(list_sentry_privileges_by_user_and_itsgroups_result.class, metaDataMap);
+ }
+
+ public list_sentry_privileges_by_user_and_itsgroups_result() {
+ }
+
+ public list_sentry_privileges_by_user_and_itsgroups_result(
+ TListSentryPrivilegesResponse success)
+ {
+ this();
+ this.success = success;
+ }
+
+ /**
+ * Performs a deep copy on <i>other</i>.
+ */
+ public list_sentry_privileges_by_user_and_itsgroups_result(list_sentry_privileges_by_user_and_itsgroups_result other) {
+ if (other.isSetSuccess()) {
+ this.success = new TListSentryPrivilegesResponse(other.success);
+ }
+ }
+
+ public list_sentry_privileges_by_user_and_itsgroups_result deepCopy() {
+ return new list_sentry_privileges_by_user_and_itsgroups_result(this);
+ }
+
+ @Override
+ public void clear() {
+ this.success = null;
+ }
+
+ public TListSentryPrivilegesResponse getSuccess() {
+ return this.success;
+ }
+
+ public void setSuccess(TListSentryPrivilegesResponse success) {
+ this.success = success;
+ }
+
+ public void unsetSuccess() {
+ this.success = null;
+ }
+
+ /** Returns true if field success is set (has been assigned a value) and false otherwise */
+ public boolean isSetSuccess() {
+ return this.success != null;
+ }
+
+ public void setSuccessIsSet(boolean value) {
+ if (!value) {
+ this.success = null;
+ }
+ }
+
+ public void setFieldValue(_Fields field, Object value) {
+ switch (field) {
+ case SUCCESS:
+ if (value == null) {
+ unsetSuccess();
+ } else {
+ setSuccess((TListSentryPrivilegesResponse)value);
+ }
+ break;
+
+ }
+ }
+
+ public Object getFieldValue(_Fields field) {
+ switch (field) {
+ case SUCCESS:
+ return getSuccess();
+
+ }
+ throw new IllegalStateException();
+ }
+
+ /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */
+ public boolean isSet(_Fields field) {
+ if (field == null) {
+ throw new IllegalArgumentException();
+ }
+
+ switch (field) {
+ case SUCCESS:
+ return isSetSuccess();
+ }
+ throw new IllegalStateException();
+ }
+
+ @Override
+ public boolean equals(Object that) {
+ if (that == null)
+ return false;
+ if (that instanceof list_sentry_privileges_by_user_and_itsgroups_result)
+ return this.equals((list_sentry_privileges_by_user_and_itsgroups_result)that);
+ return false;
+ }
+
+ public boolean equals(list_sentry_privileges_by_user_and_itsgroups_result that) {
+ if (that == null)
+ return false;
+
+ boolean this_present_success = true && this.isSetSuccess();
+ boolean that_present_success = true && that.isSetSuccess();
+ if (this_present_success || that_present_success) {
+ if (!(this_present_success && that_present_success))
+ return false;
+ if (!this.success.equals(that.success))
+ return false;
+ }
+
+ return true;
+ }
+
+ @Override
+ public int hashCode() {
+ List<Object> list = new ArrayList<Object>();
+
+ boolean present_success = true && (isSetSuccess());
+ list.add(present_success);
+ if (present_success)
+ list.add(success);
+
+ return list.hashCode();
+ }
+
+ @Override
+ public int compareTo(list_sentry_privileges_by_user_and_itsgroups_result other) {
+ if (!getClass().equals(other.getClass())) {
+ return getClass().getName().compareTo(other.getClass().getName());
+ }
+
+ int lastComparison = 0;
+
+ lastComparison = Boolean.valueOf(isSetSuccess()).compareTo(other.isSetSuccess());
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ if (isSetSuccess()) {
+ lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.success, other.success);
+ if (lastComparison != 0) {
+ return lastComparison;
+ }
+ }
+ return 0;
+ }
+
+ public _Fields fieldForId(int fieldId) {
+ return _Fields.findByThriftId(fieldId);
+ }
+
+ public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException {
+ schemes.get(iprot.getScheme()).getScheme().read(iprot, this);
+ }
+
+ public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException {
+ schemes.get(oprot.getScheme()).getScheme().write(oprot, this);
+ }
+
+ @Override
+ public String toString() {
+ StringBuilder sb = new StringBuilder("list_sentry_privileges_by_user_and_itsgroups_result(");
+ boolean first = true;
+
+ sb.append("success:");
+ if (this.success == null) {
+ sb.append("null");
+ } else {
+ sb.append(this.success);
+ }
+ first = false;
+ sb.append(")");
+ return sb.toString();
+ }
+
+ public void validate() throws org.apache.thrift.TException {
+ // check for required fields
+ // check for sub-struct validity
+ if (success != null) {
+ success.validate();
+ }
+ }
+
+ private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
+ try {
+ write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out)));
+ } catch (org.apache.thrift.TException te) {
+ throw new java.io.IOException(te);
+ }
+ }
+
+ private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException {
+ try {
+ read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in)));
+ } catch (org.apache.thrift.TException te) {
+ throw new java.io.IOException(te);
+ }
+ }
+
+ private static class list_sentry_privileges_by_user_and_itsgroups_resultStandardSchemeFactory implements SchemeFactory {
+ public list_sentry_privileges_by_user_and_itsgroups_resultStandardScheme getScheme() {
+ return new list_sentry_privileges_by_user_and_itsgroups_resultStandardScheme();
+ }
+ }
+
+ private static class list_sentry_privileges_by_user_and_itsgroups_resultStandardScheme extends StandardScheme<list_sentry_privileges_by_user_and_itsgroups_result> {
+
+ public void read(org.apache.thrift.protocol.TProtocol iprot, list_sentry_privileges_by_user_and_itsgroups_result struct) throws org.apache.thrift.TException {
+ org.apache.thrift.protocol.TField schemeField;
+ iprot.readStructBegin();
+ while (true)
+ {
+ schemeField = iprot.readFieldBegin();
+ if (schemeField.type == org.apache.thrift.protocol.TType.STOP) {
+ break;
+ }
+ switch (schemeField.id) {
+ case 0: // SUCCESS
+ if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) {
+ struct.success = new TListSentryPrivilegesResponse();
+ struct.success.read(iprot);
+ struct.setSuccessIsSet(true);
+ } else {
+ org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+ }
+ break;
+ default:
+ org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+ }
+ iprot.readFieldEnd();
+ }
+ iprot.readStructEnd();
+ struct.validate();
+ }
+
+ public void write(org.apache.thrift.protocol.TProtocol oprot, list_sentry_privileges_by_user_and_itsgroups_result struct) throws org.apache.thrift.TException {
+ struct.validate();
+
+ oprot.writeStructBegin(STRUCT_DESC);
+ if (struct.success != null) {
+ oprot.writeFieldBegin(SUCCESS_FIELD_DESC);
+ struct.success.write(oprot);
+ oprot.writeFieldEnd();
+ }
+ oprot.writeFieldStop();
+ oprot.writeStructEnd();
+ }
+
+ }
+
+ private static class list_sentry_privileges_by_user_and_itsgroups_resultTupleSchemeFactory implements SchemeFactory {
+ public list_sentry_privileges_by_user_and_itsgroups_resultTupleScheme getScheme() {
+ return new list_sentry_privileges_by_user_and_itsgroups_resultTupleScheme();
+ }
+ }
+
+ private static class list_sentry_privileges_by_user_and_itsgroups_resultTupleScheme extends TupleScheme<list_sentry_privileges_by_user_and_itsgroups_result> {
+
+ @Override
+ public void write(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_user_and_itsgroups_result struct) throws org.apache.thrift.TException {
+ TTupleProtocol oprot = (TTupleProtocol) prot;
+ BitSet optionals = new BitSet();
+ if (struct.isSetSuccess()) {
+ optionals.set(0);
+ }
+ oprot.writeBitSet(optionals, 1);
+ if (struct.isSetSuccess()) {
+ struct.success.write(oprot);
+ }
+ }
+
+ @Override
+ public void read(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_user_and_itsgroups_result struct) throws org.apache.thrift.TException {
+ TTupleProtocol iprot = (TTupleProtocol) prot;
+ BitSet incoming = iprot.readBitSet(1);
+ if (incoming.get(0)) {
+ struct.success = new TListSentryPrivilegesResponse();
+ struct.success.read(iprot);
+ struct.setSuccessIsSet(true);
+ }
+ }
+ }
+
+ }
+
public static class list_sentry_privileges_for_provider_args implements org.apache.thrift.TBase<list_sentry_privileges_for_provider_args, list_sentry_privileges_for_provider_args._Fields>, java.io.Serializable, Cloneable, Comparable<list_sentry_privileges_for_provider_args> {
private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("list_sentry_privileges_for_provider_args");
diff --git a/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift b/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
index 2e79e56..3364648 100644
--- a/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
+++ b/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
@@ -196,7 +196,7 @@
4: required string roleName, # get privileges assigned for this role
5: optional TSentryAuthorizable authorizableHierarchy, # get privileges assigned for this role
-# Get privileges assigned for this principal name. This principalName should be set to a a role name
+# Get privileges assigned for this principal name. This principalName should be set to a role name
# or user name depending of which function you call, either list_sentry_privileges_by_role or
# list_sentry_privileges_by_user
6: optional string principalName
@@ -407,8 +407,16 @@
TListSentryRolesResponse list_sentry_roles_by_group(1:TListSentryRolesRequest request)
TListSentryRolesResponse list_sentry_roles_by_user(1:TListSentryRolesForUserRequest request)
+ # List sentry privileges granted to the given role, filterted
+ # based on authorization hierarchy if present.
TListSentryPrivilegesResponse list_sentry_privileges_by_role(1:TListSentryPrivilegesRequest request)
+ # List sentry privileges granted to the given user, filterted
+ # based on authorization hierarchy if present.
TListSentryPrivilegesResponse list_sentry_privileges_by_user(1:TListSentryPrivilegesRequest request)
+ # List sentry privileges granted to the given user and the groups
+ # the user associated with, filterted based on authorization
+ # hierarchy if present.
+ TListSentryPrivilegesResponse list_sentry_privileges_by_user_and_itsgroups(1:TListSentryPrivilegesRequest request)
# For use with ProviderBackend.getPrivileges only
TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request)
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java
index 236a07b..d34340c 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java
@@ -109,6 +109,8 @@
name(SentryPolicyStoreProcessor.class, "list-privileges-by-role"));
final Timer listPrivilegesByUserTimer = METRIC_REGISTRY.timer(
name(SentryPolicyStoreProcessor.class, "list-privileges-by-user"));
+ final Timer listPrivilegesForUserTimer = METRIC_REGISTRY.timer(
+ name(SentryPolicyStoreProcessor.class, "list-sentry-privileges-by-user-and-itsgroups"));
final Timer listPrivilegesForProviderTimer = METRIC_REGISTRY.timer(
name(SentryPolicyStoreProcessor.class, "list-privileges-for-provider"));
final Timer listPrivilegesByAuthorizableTimer = METRIC_REGISTRY.timer(
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
index 3087529..709434c 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
@@ -825,10 +825,11 @@
Set<TSentryPrivilege> privilegeSet = new HashSet<TSentryPrivilege>();
String subject = request.getRequestorUserName();
- // The 'entityName' parameter is made optional in thrift, so we need to check that is not
+ // The 'principalName' parameter is made optional in thrift, so we need to check that is not
// null before proceed.
TSentryResponseStatus status =
- checkRequiredParameter(request.getPrincipalName(), "entityName parameter must not be null");
+ checkRequiredParameter(request.getPrincipalName(),
+ "principalName parameter must not be null");
if (status != null) {
response.setStatus(status);
return response;
@@ -880,6 +881,74 @@
return response;
}
+ @Override
+ public TListSentryPrivilegesResponse list_sentry_privileges_by_user_and_itsgroups(
+ TListSentryPrivilegesRequest request) throws TException {
+ final Timer.Context timerContext = sentryMetrics.listPrivilegesForUserTimer.time();
+ TListSentryPrivilegesResponse response = new TListSentryPrivilegesResponse();
+
+ // The 'principalName' parameter is made optional in thrift, so we need to
+ // check that is not null before proceed.
+ TSentryResponseStatus status = checkRequiredParameter(request.getPrincipalName(),
+ "principalName parameter must not be null");
+ if (status != null) {
+ response.setStatus(status);
+ return response;
+ }
+
+ String requestor = request.getRequestorUserName();
+ String principalName = request.getPrincipalName().trim();
+ Set<TSentryPrivilege> privilegeSet = new HashSet<>();
+
+ try {
+ validateClientVersion(request.getProtocol_version());
+
+ // To allow listing the privileges, the requestor user must be part of
+ // the admins group, or the requestor user must be the same user requesting
+ // privileges for.
+ Set<String> requestorGroups = getRequestorGroups(requestor);
+ Boolean admin = inAdminGroups(requestorGroups);
+ if(!admin && !principalName.equalsIgnoreCase(requestor)) {
+ throw new SentryAccessDeniedException("Access denied to " + requestor);
+ }
+
+ // Get the groups the user is associated with.
+ Set<String> principalGroups;
+ if (principalName.equals(requestor)) {
+ principalGroups = requestorGroups;
+ } else {
+ principalGroups = getRequestorGroups(principalName);
+ }
+ Set<String> principalUsers = new HashSet<>();
+ principalUsers.add(principalName);
+ privilegeSet.addAll(sentryStore.listSentryPrivilegesByUsersAndGroups(
+ principalGroups, principalUsers,
+ new TSentryActiveRoleSet(true, null),
+ request.getAuthorizableHierarchy()));
+ response.setPrivileges(privilegeSet);
+ response.setStatus(Status.OK());
+ } catch (SentryThriftAPIMismatchException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryInvalidInputException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.InvalidInput(e.getMessage(), e));
+ } catch (SentryUserException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (Exception e) {
+ String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+ LOGGER.error(msg, e);
+ response.setStatus(Status.RuntimeError(msg, e));
+ } finally {
+ timerContext.stop();
+ }
+ return response;
+ }
+
/**
* This method was created specifically for ProviderBackend.getPrivileges() and is not meant
* to be used for general privilege retrieval. More details in the .thrift file.
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 1eda41b..1722109 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -2400,29 +2400,40 @@
return result;
}
- Set<String> listAllSentryPrivilegesForProvider(Set<String> groups, Set<String> users,
+ public Set<TSentryPrivilege> listSentryPrivilegesByUsersAndGroups(
+ Set<String> groups, Set<String> users, TSentryActiveRoleSet roleSet,
+ TSentryAuthorizable authHierarchy) throws Exception {
+ return convertToTSentryPrivileges(listSentryPrivilegesForProviderCore(
+ groups, users, roleSet, authHierarchy));
+ }
+
+ Set<String> listAllSentryPrivilegesForProvider(
+ Set<String> groups, Set<String> users,
TSentryActiveRoleSet roleSet) throws Exception {
return listSentryPrivilegesForProvider(groups, users, roleSet, null);
}
-
- public Set<String> listSentryPrivilegesForProvider(Set<String> groups, Set<String> users,
- TSentryActiveRoleSet roleSet, TSentryAuthorizable authHierarchy) throws Exception {
+ public Set<String> listSentryPrivilegesForProvider(
+ Set<String> groups, Set<String> users, TSentryActiveRoleSet roleSet,
+ TSentryAuthorizable authHierarchy) throws Exception {
Set<String> result = Sets.newHashSet();
- Set<String> rolesToQuery = getRolesToQuery(groups, users, roleSet);
- List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivileges(SentryPrincipalType.ROLE, rolesToQuery, authHierarchy);
+ Set<MSentryPrivilege> mSentryPrivileges = listSentryPrivilegesForProviderCore(
+ groups, users, roleSet, authHierarchy);
for (MSentryPrivilege priv : mSentryPrivileges) {
result.add(toAuthorizable(priv));
}
-
- mSentryPrivileges = getMSentryPrivileges(SentryPrincipalType.USER, users, authHierarchy);
- for (MSentryPrivilege priv : mSentryPrivileges) {
- result.add(toAuthorizable(priv));
- }
-
return result;
}
+ private Set<MSentryPrivilege> listSentryPrivilegesForProviderCore(Set<String> groups, Set<String> users,
+ TSentryActiveRoleSet roleSet, TSentryAuthorizable authHierarchy) throws Exception {
+ Set<MSentryPrivilege> privilegeSet = Sets.newHashSet();
+ Set<String> rolesToQuery = getRolesToQuery(groups, users, roleSet);
+ privilegeSet.addAll(getMSentryPrivileges(SentryPrincipalType.ROLE, rolesToQuery, authHierarchy));
+ privilegeSet.addAll(getMSentryPrivileges(SentryPrincipalType.USER, users, authHierarchy));
+ return privilegeSet;
+ }
+
public boolean hasAnyServerPrivileges(Set<String> groups, Set<String> users,
TSentryActiveRoleSet roleSet, String server) throws Exception {
Set<String> rolesToQuery = getRolesToQuery(groups, users, roleSet);
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java
index 0b4f4aa..3a68eb6 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java
@@ -216,12 +216,14 @@
Set<TSentryPrivilege> getAllTSentryPrivilegesByUserName(String userName) throws Exception;
/**
- * Set of Sentry Privileges for provider.
- * @param groups
- * @param users
- * @param roleSet
- * @param authHierarchy
- * @return
+ * Gets sentry privileges granted to the given user and groups from the
+ * persistence layer. This method is only intent to be used for provider.
+ * @param groups the set of group names
+ * @param users the set of user names
+ * @param roleSet the active roleSet
+ * @param authHierarchy filter push down based on auth hierarchy (optional)
+ * @return a set of sentry privilege string belongs to the given users
+ * and groups.
* @throws Exception
*/
Set<String> listSentryPrivilegesForProvider(Set<String> groups,
@@ -231,6 +233,24 @@
throws Exception;
/**
+ * Similar to {@link SentryStoreInterface#listSentryPrivilegesForProvider(Set, Set,
+ * TSentryActiveRoleSet, TSentryAuthorizable)}, but returns a set of thrift sentry
+ * privilege objects instead.
+ * @param groups the set of group names
+ * @param users the set of user names
+ * @param roleSet the active roleSet
+ * @param authHierarchy filter push down based on auth hierarchy (optional)
+ * @return a set of thrift sentry privilege objects belongs to the given
+ * users and groups.
+ * @throws Exception
+ */
+ Set<TSentryPrivilege> listSentryPrivilegesByUsersAndGroups(Set<String> groups,
+ Set<String> users,
+ TSentryActiveRoleSet roleSet,
+ TSentryAuthorizable authHierarchy)
+ throws Exception;
+
+ /**
* True if the given set of group
* @param groups
* @param users
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
index d8c0ab4..a299e00 100644
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
@@ -4273,6 +4273,49 @@
}
@Test
+ public void testListSentryPrivilegesForUsersAndGroups() throws Exception {
+ String roleName = "role1";
+ String groupName = "list-privs-g1";
+ String userName = "u1";
+ String grantor = "g1";
+ sentryStore.createSentryRole(roleName);
+
+ TSentryPrivilege privilege1 = new TSentryPrivilege();
+ privilege1.setPrivilegeScope("TABLE");
+ privilege1.setServerName("server1");
+ privilege1.setDbName("db1");
+ privilege1.setTableName("tbl1");
+ privilege1.setAction("SELECT");
+ privilege1.setCreateTime(System.currentTimeMillis());
+ sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege1, null);
+
+ TSentryPrivilege privilege2 = new TSentryPrivilege();
+ privilege2.setPrivilegeScope("SERVER");
+ privilege2.setServerName("server1");
+ privilege2.setCreateTime(System.currentTimeMillis());
+ sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName, privilege2, null);
+
+ Set<TSentryGroup> groups = Sets.newHashSet();
+ TSentryGroup group = new TSentryGroup();
+ group.setGroupName(groupName);
+ groups.add(group);
+ sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups);
+
+ // list-privs-g1 has privilege1
+ // u1 has privilege2
+ Set<TSentryPrivilege> expectedPrivs = new HashSet<>();
+ expectedPrivs.add(privilege1);
+ expectedPrivs.add(privilege2);
+
+ assertEquals(expectedPrivs,
+ sentryStore.listSentryPrivilegesByUsersAndGroups(
+ Sets.newHashSet(groupName),
+ Sets.newHashSet(userName),
+ new TSentryActiveRoleSet(true, new HashSet<>()),
+ null));
+ }
+
+ @Test
public void testListSentryPrivilegesForProviderForUser() throws Exception {
String userName1 = "list-privs-user1";
String userName2 = "list-privs-user2";