SENTRY-2503: Failed to revoke the privilege from impala-shell if the privilege added from beeline cli.
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/QueryParamBuilder.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/QueryParamBuilder.java
index 240120c..84da6e0 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/QueryParamBuilder.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/QueryParamBuilder.java
@@ -365,6 +365,25 @@
}
/**
+ * Add common filter for set of actions. This is used to simplify creating filters for
+ * a collections of actions
+ * @param paramBuilder paramBuilder for parameters
+ * @param actions set actions
+ * @return paramBuilder supplied or a new one if the supplied one is null.
+ */
+ public static QueryParamBuilder addActionFilter(QueryParamBuilder paramBuilder,
+ Collection<String> actions) {
+ if (paramBuilder == null) {
+ paramBuilder = new QueryParamBuilder();
+ }
+ if (actions == null || actions.isEmpty()) {
+ return paramBuilder;
+ }
+ paramBuilder.newChild().addSet("this.action == ", actions, false);
+ return paramBuilder;
+ }
+
+ /**
* Add multiple conditions for set of values.
* <p>
* Example:
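Review bot: `addActionFilter` is not called by any other hunk in this patch — the SentryStore change still builds its action predicate with `.add(ACTION, tPriv.getAction())` — so as committed it is dead code; either wire it into `getMSentryPrivilege` or drop it until there is a caller. The literal `false` passed to `addSet` at line 23 carries no meaning for a reader; a trailing comment naming the parameter (`/* <flag name> */ false`) would help. The Javadoc also needs a grammar pass: `* Add a common filter for a set of actions. This simplifies creating filters for a collection of actions.` and `* @param actions the actions to match`.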
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 1d97ff6..980c8ad 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -1107,24 +1107,34 @@
throw new SentryInvalidInputException("cannot revoke URI privileges from Null or EMPTY location");
}
+ // make sure to drop all equivalent privileges
+ LOGGER.debug("tPrivilege to drop: {}", tPrivilege.toString());
MSentryPrivilege mPrivilege = getMSentryPrivilege(tPrivilege, pm);
if (mPrivilege == null) {
+ LOGGER.debug("mPrivilege is null");
mPrivilege = convertToMSentryPrivilege(tPrivilege);
} else {
+ LOGGER.debug("mPrivilege is found: {}", mPrivilege.toString());
mPrivilege = pm.detachCopy(mPrivilege);
}
Set<MSentryPrivilege> privilegeGraph = new HashSet<>();
- if (mPrivilege.getGrantOption() != null) {
- privilegeGraph.add(mPrivilege);
- } else {
- MSentryPrivilege mTure = new MSentryPrivilege(mPrivilege);
- mTure.setGrantOption(true);
- privilegeGraph.add(mTure);
- MSentryPrivilege mFalse = new MSentryPrivilege(mPrivilege);
- mFalse.setGrantOption(false);
- privilegeGraph.add(mFalse);
+ Set<String> allEquivalentActions = getAllEquivalentActions(mPrivilege.getAction());
+ for (String equivalentAction : allEquivalentActions) {
+ MSentryPrivilege newActionPrivilege = new MSentryPrivilege(mPrivilege);
+ newActionPrivilege.setAction(equivalentAction);
+ if (newActionPrivilege.getGrantOption() != null) {
+ privilegeGraph.add(newActionPrivilege);
+ } else {
+ MSentryPrivilege mTure = new MSentryPrivilege(newActionPrivilege);
+ mTure.setGrantOption(true);
+ privilegeGraph.add(mTure);
+ MSentryPrivilege mFalse = new MSentryPrivilege(newActionPrivilege);
+ mFalse.setGrantOption(false);
+ privilegeGraph.add(mFalse);
+ }
}
+
// Get the privilege graph
populateChildren(pm, type, Sets.newHashSet(entityName), mPrivilege, privilegeGraph);
for (MSentryPrivilege childPriv : privilegeGraph) {
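Review bot: The new debug statements at lines 39 and 45 (and again at line 86 in the `getMSentryPrivilege` hunk) call `.toString()` explicitly, which builds the string even when debug logging is disabled and defeats SLF4J's lazy `{}` formatting; pass the objects themselves, e.g. `LOGGER.debug("tPrivilege to drop: {}", tPrivilege);` and `LOGGER.debug("mPrivilege is found: {}", mPrivilege);`. The loop over `allEquivalentActions` relies on `privilegeGraph`'s `HashSet` to de-duplicate the copies it adds, which only works if `MSentryPrivilege` defines `equals`/`hashCode` over the privilege fields — that is not visible here and should be confirmed. The `mTure` name, carried over from the removed block, is still a typo for `mTrue`. The enclosing method starts and ends outside this hunk.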
@@ -1508,8 +1518,10 @@
.add(TABLE_NAME, tPriv.getTableName())
.add(COLUMN_NAME, tPriv.getColumnName())
.add(URI, tPriv.getURI(), true)
- .addObject(GRANT_OPTION, grantOption)
- .add(ACTION, tPriv.getAction());
+ .add(ACTION, tPriv.getAction())
+ .addObject(GRANT_OPTION, grantOption);
+
+ LOGGER.debug("getMSentryPrivilege query filter: {}", paramBuilder.toString());
Query query = pm.newQuery(MSentryPrivilege.class);
query.setUnique(true);
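Review bot: The swap of `.add(ACTION, ...)` ahead of `.addObject(GRANT_OPTION, grantOption)` at lines 81-84 is not explained by the commit; if the order in which the builder emits these terms matters (for example because `addObject` handles a null `grantOption` differently from `add`), a one-line comment such as `// ACTION must be added before GRANT_OPTION: <reason>` should say why, otherwise it reads as an incidental reordering that a later cleanup may undo. The enclosing method starts and ends outside this hunk.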
@@ -1517,6 +1529,16 @@
return (MSentryPrivilege)query.executeWithMap(paramBuilder.getArguments());
}
+ private Set<String> getAllEquivalentActions(String inputAction) {
+ if (AccessConstants.ALL.equalsIgnoreCase(inputAction) ||
+ AccessConstants.ACTION_ALL.equalsIgnoreCase(inputAction)) {
+ return Sets.newHashSet(AccessConstants.ALL, AccessConstants.ACTION_ALL,
+ AccessConstants.ACTION_ALL.toLowerCase());
+ }
+
+ return Sets.newHashSet(inputAction);
+ }
+
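Review bot: `getAllEquivalentActions` has no Javadoc even though it now defines which stored action spellings a revoke must remove, so an incomplete set here leaves a privilege in place after the caller believes it was revoked; a Javadoc should state that it returns every spelling treated as equivalent to {@code inputAction} (the ALL and ACTION_ALL constants plus the lower-case ACTION_ALL form) and that any other action maps only to itself. The match at lines 93-94 is case-insensitive but the returned set at lines 95-96 holds three fixed spellings, so if the store preserves a caller's casing, a mixed-case ALL variant would still not be matched — worth confirming against how actions are normalised on grant. `toLowerCase()` at line 96 should be locale-independent: `AccessConstants.ACTION_ALL.toLowerCase(Locale.ROOT)`. The method uses no instance state and could be `private static`.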
/**
* Drop a given sentry role.
*
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
index 38b4c87..fd14963 100644
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
@@ -4465,6 +4465,187 @@
assertEquals(notificationID, savedNotificationID);
}
+ @Test
+ public void testRevokeHiveAllPrivilegeFromImpalaUnset() throws Exception {
+
+ String roleName1 = "impala-r1";
+ String serverName = "server1";
+ String dbName = "db1";
+ String tableName = "tbl1";
+ String hiveAll = "*";
+ sentryStore.createSentryRole(roleName1);
+
+ TSentryPrivilege hive_privilege_tbl1 = new TSentryPrivilege();
+ hive_privilege_tbl1.setPrivilegeScope("TABLE");
+ hive_privilege_tbl1.setServerName(serverName);
+ hive_privilege_tbl1.setDbName(dbName);
+ hive_privilege_tbl1.setTableName(tableName);
+ hive_privilege_tbl1.setCreateTime(System.currentTimeMillis());
+ hive_privilege_tbl1.setAction(hiveAll);
+ hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+
+ TSentryPrivilege impala_privilege_tbl1_unset = new TSentryPrivilege();
+ impala_privilege_tbl1_unset.setPrivilegeScope("TABLE");
+ impala_privilege_tbl1_unset.setServerName(serverName);
+ impala_privilege_tbl1_unset.setDbName(dbName);
+ impala_privilege_tbl1_unset.setTableName(tableName);
+ impala_privilege_tbl1_unset.setCreateTime(System.currentTimeMillis());
+ impala_privilege_tbl1_unset.setAction("ALL");
+ impala_privilege_tbl1_unset.setGrantOption(TSentryGrantOption.UNSET);
+
+ TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+ tSentryAuthorizable.setServer(serverName);
+ tSentryAuthorizable.setDb(dbName);
+ tSentryAuthorizable.setTable(tableName);
+
+ // grant hive ALL privilege to role roleName1
+ sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(hive_privilege_tbl1), null);
+
+ // revoke impala ALL privilege to role roleName1
+ sentryStore.alterSentryRoleRevokePrivileges(roleName1, Sets.newHashSet(impala_privilege_tbl1_unset));
+ Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap(dbName, tableName);
+ assertNotNull(rolePrivilegesMap);
+ Set<TSentryPrivilege> rolePrivileges = rolePrivilegesMap.get(roleName1);
+ boolean privilegeRevoked = (rolePrivileges == null) || (rolePrivileges.size() == 0);
+ assertTrue(privilegeRevoked);
+ }
+
+ @Test
+ public void testRevokeHiveAllPrivilegeGrantOptionFromImpalaUnset() throws Exception {
+
+ String roleName1 = "impala-r1";
+ String serverName = "server1";
+ String dbName = "db1";
+ String tableName = "tbl1";
+ String hiveAll = "*";
+ sentryStore.createSentryRole(roleName1);
+
+ TSentryPrivilege hive_privilege_tbl1 = new TSentryPrivilege();
+ hive_privilege_tbl1.setPrivilegeScope("TABLE");
+ hive_privilege_tbl1.setServerName(serverName);
+ hive_privilege_tbl1.setDbName(dbName);
+ hive_privilege_tbl1.setTableName(tableName);
+ hive_privilege_tbl1.setCreateTime(System.currentTimeMillis());
+ hive_privilege_tbl1.setAction(hiveAll);
+ hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+
+ TSentryPrivilege impala_privilege_tbl1_unset = new TSentryPrivilege();
+ impala_privilege_tbl1_unset.setPrivilegeScope("TABLE");
+ impala_privilege_tbl1_unset.setServerName(serverName);
+ impala_privilege_tbl1_unset.setDbName(dbName);
+ impala_privilege_tbl1_unset.setTableName(tableName);
+ impala_privilege_tbl1_unset.setCreateTime(System.currentTimeMillis());
+ impala_privilege_tbl1_unset.setAction("ALL");
+ impala_privilege_tbl1_unset.setGrantOption(TSentryGrantOption.UNSET);
+
+ TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+ tSentryAuthorizable.setServer(serverName);
+ tSentryAuthorizable.setDb(dbName);
+ tSentryAuthorizable.setTable(tableName);
+
+ // grant hive ALL privilege to role roleName1
+ hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+ sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(hive_privilege_tbl1), null);
+ hive_privilege_tbl1.setGrantOption(TSentryGrantOption.TRUE);
+ sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(hive_privilege_tbl1), null);
+
+ // revoke impala ALL privilege to role roleName1
+ sentryStore.alterSentryRoleRevokePrivileges(roleName1, Sets.newHashSet(impala_privilege_tbl1_unset));
+ Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap(dbName, tableName);
+ assertNotNull(rolePrivilegesMap);
+ Set<TSentryPrivilege> rolePrivileges = rolePrivilegesMap.get(roleName1);
+ boolean privilegeRevoked = (rolePrivileges == null) || (rolePrivileges.size() == 0);
+ assertTrue(privilegeRevoked);
+ }
+
+ @Test
+ public void testRevokeHiveAllPrivilegeFromImpala() throws Exception {
+
+ String roleName1 = "impala-r1";
+ String serverName = "server1";
+ String dbName = "db1";
+ String tableName = "tbl1";
+ sentryStore.createSentryRole(roleName1);
+
+ TSentryPrivilege hive_privilege_tbl1 = new TSentryPrivilege();
+ hive_privilege_tbl1.setPrivilegeScope("TABLE");
+ hive_privilege_tbl1.setServerName(serverName);
+ hive_privilege_tbl1.setDbName(dbName);
+ hive_privilege_tbl1.setTableName(tableName);
+ hive_privilege_tbl1.setCreateTime(System.currentTimeMillis());
+ hive_privilege_tbl1.setAction("*");
+ hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+
+ TSentryPrivilege impala_privilege_tbl1 = new TSentryPrivilege();
+ impala_privilege_tbl1.setPrivilegeScope("TABLE");
+ impala_privilege_tbl1.setServerName(serverName);
+ impala_privilege_tbl1.setDbName(dbName);
+ impala_privilege_tbl1.setTableName(tableName);
+ impala_privilege_tbl1.setCreateTime(System.currentTimeMillis());
+ impala_privilege_tbl1.setAction("ALL");
+ impala_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+
+ TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+ tSentryAuthorizable.setServer(serverName);
+ tSentryAuthorizable.setDb(dbName);
+ tSentryAuthorizable.setTable(tableName);
+
+ // grant hive ALL privilege to role roleName1
+ sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(hive_privilege_tbl1), null);
+
+ // revoke impala ALL privilege to role roleName1
+ sentryStore.alterSentryRoleRevokePrivileges(roleName1, Sets.newHashSet(impala_privilege_tbl1));
+ Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap(dbName, tableName);
+ assertNotNull(rolePrivilegesMap);
+ Set<TSentryPrivilege> rolePrivileges = rolePrivilegesMap.get(roleName1);
+ boolean privilegeRevoked = (rolePrivileges == null) || (rolePrivileges.size() == 0);
+ assertTrue(privilegeRevoked);
+ }
+
+ @Test
+ public void testRevokeImpalaAllPrivilegeFromHive() throws Exception {
+
+ String roleName1 = "impala-r1";
+ String serverName = "server1";
+ String dbName = "db1";
+ String tableName = "tbl1";
+ sentryStore.createSentryRole(roleName1);
+
+ TSentryPrivilege hive_privilege_tbl1 = new TSentryPrivilege();
+ hive_privilege_tbl1.setPrivilegeScope("TABLE");
+ hive_privilege_tbl1.setServerName(serverName);
+ hive_privilege_tbl1.setDbName(dbName);
+ hive_privilege_tbl1.setTableName(tableName);
+ hive_privilege_tbl1.setCreateTime(System.currentTimeMillis());
+ hive_privilege_tbl1.setAction("*");
+ hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+
+ TSentryPrivilege impala_privilege_tbl1 = new TSentryPrivilege();
+ impala_privilege_tbl1.setPrivilegeScope("TABLE");
+ impala_privilege_tbl1.setServerName(serverName);
+ impala_privilege_tbl1.setDbName(dbName);
+ impala_privilege_tbl1.setTableName(tableName);
+ impala_privilege_tbl1.setCreateTime(System.currentTimeMillis());
+ impala_privilege_tbl1.setAction("ALL");
+ impala_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
+
+ TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+ tSentryAuthorizable.setServer(serverName);
+ tSentryAuthorizable.setDb(dbName);
+ tSentryAuthorizable.setTable(tableName);
+
+ // grant impala ALL privilege to role roleName1
+ sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(impala_privilege_tbl1), null);
+
+ // revoke hive ALL privilege to role roleName1
+ sentryStore.alterSentryRoleRevokePrivileges(roleName1, Sets.newHashSet(hive_privilege_tbl1));
+ Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap(dbName, tableName);
+ assertNotNull(rolePrivilegesMap);
+ Set<TSentryPrivilege> rolePrivileges = rolePrivilegesMap.get(roleName1);
+ boolean privilegeRevoked = (rolePrivileges == null) || (rolePrivileges.size() == 0);
+ assertTrue(privilegeRevoked);
+ }
+
private TSentryPrivilege toTSentryPrivilege(String action, String scope, String server,
String dbName, String tableName) {
TSentryPrivilege privilege = new TSentryPrivilege();