From de499c4986d11ae8c2294676c8bec17cf046d0a5 Mon Sep 17 00:00:00 2001 
From: hahao
Date: Tue, 12 Apr 2016 15:24:24 -0700
Subject: [PATCH 01/18] SENTRY-1196: Remove SNAPSHOT from branch-1.7.0 (Hao Hao, Reviewed by: Sravya Tirukkovalur)
---
pom.xml | 2 +-
sentry-binding/pom.xml | 2 +-
sentry-binding/sentry-binding-hive-common/pom.xml | 2 +-
sentry-binding/sentry-binding-hive-v2/pom.xml | 2 +-
sentry-binding/sentry-binding-hive/pom.xml | 2 +-
sentry-binding/sentry-binding-kafka/pom.xml | 2 +-
sentry-binding/sentry-binding-solr/pom.xml | 2 +-
sentry-binding/sentry-binding-sqoop/pom.xml | 2 +-
sentry-core/pom.xml | 2 +-
sentry-core/sentry-core-common/pom.xml | 2 +-
sentry-core/sentry-core-model-db/pom.xml | 2 +-
sentry-core/sentry-core-model-indexer/pom.xml | 2 +-
sentry-core/sentry-core-model-kafka/pom.xml | 2 +-
sentry-core/sentry-core-model-search/pom.xml | 2 +-
sentry-core/sentry-core-model-sqoop/pom.xml | 2 +-
sentry-dist/pom.xml | 2 +-
sentry-hdfs/pom.xml | 2 +-
sentry-hdfs/sentry-hdfs-common/pom.xml | 2 +-
sentry-hdfs/sentry-hdfs-dist/pom.xml | 2 +-
sentry-hdfs/sentry-hdfs-namenode-plugin/pom.xml | 4 ++--
sentry-hdfs/sentry-hdfs-service/pom.xml | 2 +-
sentry-policy/pom.xml | 2 +-
sentry-policy/sentry-policy-common/pom.xml | 2 +-
sentry-policy/sentry-policy-db/pom.xml | 2 +-
sentry-policy/sentry-policy-indexer/pom.xml | 2 +-
sentry-policy/sentry-policy-kafka/pom.xml | 2 +-
sentry-policy/sentry-policy-search/pom.xml | 2 +-
sentry-policy/sentry-policy-sqoop/pom.xml | 2 +-
sentry-provider/pom.xml | 2 +-
sentry-provider/sentry-provider-cache/pom.xml | 2 +-
sentry-provider/sentry-provider-common/pom.xml | 2 +-
sentry-provider/sentry-provider-db/pom.xml | 2 +-
sentry-provider/sentry-provider-file/pom.xml | 2 +-
sentry-solr/pom.xml | 2 +-
sentry-solr/solr-sentry-core/pom.xml | 2 +-
sentry-solr/solr-sentry-handlers/pom.xml | 2 +-
sentry-tests/pom.xml | 2 +-
sentry-tests/sentry-tests-hive-v2/pom.xml | 2 +-
sentry-tests/sentry-tests-hive/pom.xml | 2 +-
sentry-tests/sentry-tests-kafka/pom.xml | 2 +-
sentry-tests/sentry-tests-solr/pom.xml | 2 +-
sentry-tests/sentry-tests-sqoop/pom.xml | 2 +- 42 files changed, 43 insertions(+), 43 deletions(-) diff --git a/pom.xml b/pom.xml index 37db00795..e8508bfbd 100644 --- a/pom.xml +++ b/pom.xml @@ -25,7 +25,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0-incubating-SNAPSHOT + 1.7.0 Sentry component Sentry pom diff --git a/sentry-binding/pom.xml b/sentry-binding/pom.xml index 830f0b180..cd4d4e0f7 100644 --- a/sentry-binding/pom.xml +++ b/sentry-binding/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-binding diff --git a/sentry-binding/sentry-binding-hive-common/pom.xml b/sentry-binding/sentry-binding-hive-common/pom.xml index 37485229d..4c30a345a 100644 --- a/sentry-binding/sentry-binding-hive-common/pom.xml +++ b/sentry-binding/sentry-binding-hive-common/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-binding - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-binding-hive-common diff --git a/sentry-binding/sentry-binding-hive-v2/pom.xml b/sentry-binding/sentry-binding-hive-v2/pom.xml index f633b6b08..12d0e63f7 100644 --- a/sentry-binding/sentry-binding-hive-v2/pom.xml +++ b/sentry-binding/sentry-binding-hive-v2/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-binding - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-binding-hive-v2 diff --git a/sentry-binding/sentry-binding-hive/pom.xml b/sentry-binding/sentry-binding-hive/pom.xml index 1a6e42020..bf87d7c6c 100644 --- a/sentry-binding/sentry-binding-hive/pom.xml +++ b/sentry-binding/sentry-binding-hive/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-binding - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-binding-hive diff --git a/sentry-binding/sentry-binding-kafka/pom.xml b/sentry-binding/sentry-binding-kafka/pom.xml index 27422067a..967eeddbe 100644 --- a/sentry-binding/sentry-binding-kafka/pom.xml 
+++ b/sentry-binding/sentry-binding-kafka/pom.xml @@ -23,7 +23,7 @@ limitations under the License. org.apache.sentry sentry-binding - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-binding-kafka diff --git a/sentry-binding/sentry-binding-solr/pom.xml b/sentry-binding/sentry-binding-solr/pom.xml index e8e3013ac..16a460366 100644 --- a/sentry-binding/sentry-binding-solr/pom.xml +++ b/sentry-binding/sentry-binding-solr/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-binding - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-binding-solr diff --git a/sentry-binding/sentry-binding-sqoop/pom.xml b/sentry-binding/sentry-binding-sqoop/pom.xml index 20cbda037..25a2e5992 100644 --- a/sentry-binding/sentry-binding-sqoop/pom.xml +++ b/sentry-binding/sentry-binding-sqoop/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-binding - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-binding-sqoop diff --git a/sentry-core/pom.xml b/sentry-core/pom.xml index 06d92dea8..725762dde 100644 --- a/sentry-core/pom.xml +++ b/sentry-core/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-core diff --git a/sentry-core/sentry-core-common/pom.xml b/sentry-core/sentry-core-common/pom.xml index 21a167745..26b069ed9 100644 --- a/sentry-core/sentry-core-common/pom.xml +++ b/sentry-core/sentry-core-common/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-core - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-core-common diff --git a/sentry-core/sentry-core-model-db/pom.xml b/sentry-core/sentry-core-model-db/pom.xml index 902b129a6..93b01e6ac 100644 --- a/sentry-core/sentry-core-model-db/pom.xml +++ b/sentry-core/sentry-core-model-db/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-core - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-core-model-db 
diff --git a/sentry-core/sentry-core-model-indexer/pom.xml b/sentry-core/sentry-core-model-indexer/pom.xml index 68069f4a4..47b7be88e 100644 --- a/sentry-core/sentry-core-model-indexer/pom.xml +++ b/sentry-core/sentry-core-model-indexer/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-core - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-core-model-indexer diff --git a/sentry-core/sentry-core-model-kafka/pom.xml b/sentry-core/sentry-core-model-kafka/pom.xml index cadd4ac8e..85648ca35 100644 --- a/sentry-core/sentry-core-model-kafka/pom.xml +++ b/sentry-core/sentry-core-model-kafka/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-core - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-core-model-kafka diff --git a/sentry-core/sentry-core-model-search/pom.xml b/sentry-core/sentry-core-model-search/pom.xml index 5f0adc393..6111fb4a2 100644 --- a/sentry-core/sentry-core-model-search/pom.xml +++ b/sentry-core/sentry-core-model-search/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-core - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-core-model-search diff --git a/sentry-core/sentry-core-model-sqoop/pom.xml b/sentry-core/sentry-core-model-sqoop/pom.xml index b5000590a..3c5609e3a 100644 --- a/sentry-core/sentry-core-model-sqoop/pom.xml +++ b/sentry-core/sentry-core-model-sqoop/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-core - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-core-model-sqoop diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml index 4e078f08b..69c86262a 100644 --- a/sentry-dist/pom.xml +++ b/sentry-dist/pom.xml @@ -20,7 +20,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-dist Sentry Distribution diff --git a/sentry-hdfs/pom.xml b/sentry-hdfs/pom.xml index 06081c5e8..475edf595 100644 --- a/sentry-hdfs/pom.xml +++ b/sentry-hdfs/pom.xml 
@@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-hdfs diff --git a/sentry-hdfs/sentry-hdfs-common/pom.xml b/sentry-hdfs/sentry-hdfs-common/pom.xml index c748e5670..28bfd04a4 100644 --- a/sentry-hdfs/sentry-hdfs-common/pom.xml +++ b/sentry-hdfs/sentry-hdfs-common/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-hdfs - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-hdfs-common diff --git a/sentry-hdfs/sentry-hdfs-dist/pom.xml b/sentry-hdfs/sentry-hdfs-dist/pom.xml index 37350c515..2f2d399ba 100644 --- a/sentry-hdfs/sentry-hdfs-dist/pom.xml +++ b/sentry-hdfs/sentry-hdfs-dist/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-hdfs - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-hdfs-dist diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/pom.xml b/sentry-hdfs/sentry-hdfs-namenode-plugin/pom.xml index 8d3bdc9fc..25658a3c6 100644 --- a/sentry-hdfs/sentry-hdfs-namenode-plugin/pom.xml +++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-hdfs - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-hdfs-namenode-plugin @@ -32,7 +32,7 @@ limitations under the License. org.apache.sentry sentry-hdfs-common - 1.7.0-incubating-SNAPSHOT + 1.7.0 junit diff --git a/sentry-hdfs/sentry-hdfs-service/pom.xml b/sentry-hdfs/sentry-hdfs-service/pom.xml index 78f9da716..67332c043 100644 --- a/sentry-hdfs/sentry-hdfs-service/pom.xml +++ b/sentry-hdfs/sentry-hdfs-service/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-hdfs - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-hdfs-service diff --git a/sentry-policy/pom.xml b/sentry-policy/pom.xml index 45dc675a0..d8d8311e5 100644 --- a/sentry-policy/pom.xml +++ b/sentry-policy/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-policy 
diff --git a/sentry-policy/sentry-policy-common/pom.xml b/sentry-policy/sentry-policy-common/pom.xml index fbec06f07..6c2cd41f3 100644 --- a/sentry-policy/sentry-policy-common/pom.xml +++ b/sentry-policy/sentry-policy-common/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-policy - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-policy-common diff --git a/sentry-policy/sentry-policy-db/pom.xml b/sentry-policy/sentry-policy-db/pom.xml index 1b1ae43cc..e4a366747 100644 --- a/sentry-policy/sentry-policy-db/pom.xml +++ b/sentry-policy/sentry-policy-db/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-policy - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-policy-db diff --git a/sentry-policy/sentry-policy-indexer/pom.xml b/sentry-policy/sentry-policy-indexer/pom.xml index 1a5058163..e9961991e 100644 --- a/sentry-policy/sentry-policy-indexer/pom.xml +++ b/sentry-policy/sentry-policy-indexer/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-policy - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-policy-indexer diff --git a/sentry-policy/sentry-policy-kafka/pom.xml b/sentry-policy/sentry-policy-kafka/pom.xml index 21d34eb40..97047c9fc 100644 --- a/sentry-policy/sentry-policy-kafka/pom.xml +++ b/sentry-policy/sentry-policy-kafka/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-policy - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-policy-kafka diff --git a/sentry-policy/sentry-policy-search/pom.xml b/sentry-policy/sentry-policy-search/pom.xml index 673c615ed..c619b8890 100644 --- a/sentry-policy/sentry-policy-search/pom.xml +++ b/sentry-policy/sentry-policy-search/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-policy - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-policy-search diff --git a/sentry-policy/sentry-policy-sqoop/pom.xml b/sentry-policy/sentry-policy-sqoop/pom.xml index 13112bfa8..0a4c5fcf5 100644 
--- a/sentry-policy/sentry-policy-sqoop/pom.xml +++ b/sentry-policy/sentry-policy-sqoop/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-policy - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-policy-sqoop diff --git a/sentry-provider/pom.xml b/sentry-provider/pom.xml index f26f4d3fa..5e7d8abc3 100644 --- a/sentry-provider/pom.xml +++ b/sentry-provider/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-provider diff --git a/sentry-provider/sentry-provider-cache/pom.xml b/sentry-provider/sentry-provider-cache/pom.xml index c67f09429..8f5b8328d 100644 --- a/sentry-provider/sentry-provider-cache/pom.xml +++ b/sentry-provider/sentry-provider-cache/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-provider - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-provider-cache diff --git a/sentry-provider/sentry-provider-common/pom.xml b/sentry-provider/sentry-provider-common/pom.xml index de5a2c9bb..119e05746 100644 --- a/sentry-provider/sentry-provider-common/pom.xml +++ b/sentry-provider/sentry-provider-common/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-provider - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-provider-common diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml index b6efd1f2b..eb6160ffb 100644 --- a/sentry-provider/sentry-provider-db/pom.xml +++ b/sentry-provider/sentry-provider-db/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-provider - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-provider-db diff --git a/sentry-provider/sentry-provider-file/pom.xml b/sentry-provider/sentry-provider-file/pom.xml index 1f3f7e67e..04096e3ee 100644 --- a/sentry-provider/sentry-provider-file/pom.xml +++ b/sentry-provider/sentry-provider-file/pom.xml 
@@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-provider - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-provider-file diff --git a/sentry-solr/pom.xml b/sentry-solr/pom.xml index 43798c974..cf8a8a53f 100644 --- a/sentry-solr/pom.xml +++ b/sentry-solr/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-solr diff --git a/sentry-solr/solr-sentry-core/pom.xml b/sentry-solr/solr-sentry-core/pom.xml index 44fbb864a..d599ab293 100644 --- a/sentry-solr/solr-sentry-core/pom.xml +++ b/sentry-solr/solr-sentry-core/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-solr - 1.7.0-incubating-SNAPSHOT + 1.7.0 solr-sentry-core diff --git a/sentry-solr/solr-sentry-handlers/pom.xml b/sentry-solr/solr-sentry-handlers/pom.xml index 07d95faf1..95f45e35d 100644 --- a/sentry-solr/solr-sentry-handlers/pom.xml +++ b/sentry-solr/solr-sentry-handlers/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-solr - 1.7.0-incubating-SNAPSHOT + 1.7.0 solr-sentry-handlers diff --git a/sentry-tests/pom.xml b/sentry-tests/pom.xml index 86a1409af..cbdb3912d 100644 --- a/sentry-tests/pom.xml +++ b/sentry-tests/pom.xml @@ -20,7 +20,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-tests Sentry Tests diff --git a/sentry-tests/sentry-tests-hive-v2/pom.xml b/sentry-tests/sentry-tests-hive-v2/pom.xml index b6590bd71..6873d8c3f 100644 --- a/sentry-tests/sentry-tests-hive-v2/pom.xml +++ b/sentry-tests/sentry-tests-hive-v2/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-tests - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-tests-hive-v2 Sentry Hive Tests v2 diff --git a/sentry-tests/sentry-tests-hive/pom.xml b/sentry-tests/sentry-tests-hive/pom.xml index 7a32ba37c..6c9e88879 100644 --- a/sentry-tests/sentry-tests-hive/pom.xml +++ b/sentry-tests/sentry-tests-hive/pom.xml 
@@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-tests - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-tests-hive Sentry Hive Tests diff --git a/sentry-tests/sentry-tests-kafka/pom.xml b/sentry-tests/sentry-tests-kafka/pom.xml index 58dc0b081..99c1ca6ba 100644 --- a/sentry-tests/sentry-tests-kafka/pom.xml +++ b/sentry-tests/sentry-tests-kafka/pom.xml @@ -21,7 +21,7 @@ limitations under the License. sentry-tests org.apache.sentry - 1.7.0-incubating-SNAPSHOT + 1.7.0 4.0.0 diff --git a/sentry-tests/sentry-tests-solr/pom.xml b/sentry-tests/sentry-tests-solr/pom.xml index c88ca8549..83715ea79 100644 --- a/sentry-tests/sentry-tests-solr/pom.xml +++ b/sentry-tests/sentry-tests-solr/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-tests - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-tests-solr diff --git a/sentry-tests/sentry-tests-sqoop/pom.xml b/sentry-tests/sentry-tests-sqoop/pom.xml index 34fe83146..9e327082c 100644 --- a/sentry-tests/sentry-tests-sqoop/pom.xml +++ b/sentry-tests/sentry-tests-sqoop/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-tests - 1.7.0-incubating-SNAPSHOT + 1.7.0 sentry-tests-sqoop From a0b9682e4a728be89a6c3afdfc34986055165269 Mon Sep 17 00:00:00 2001 From: hahao Date: Tue, 12 Apr 2016 15:32:49 -0700 Subject: [PATCH 02/18] SENTRY-1195: Update change log for 1.7.0 release (Hao Hao, Reviewed by: Sravya Tirukkovalur) --- CHANGELOG.txt | 239 +++++++++++++++++++++++++++++++++++++++++--------- NOTICE.txt | 2 +- 2 files changed, 197 insertions(+), 44 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 759ea942e..d90132824 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
@@ -1,53 +1,206 @@ -Release Notes - Sentry - Version v1.2.0 +Release Notes - Sentry - Version 1.7.0 + +** Sub-task + * [SENTRY-505] - Default implementation of SentryAuthorizationValidator to do authorization + * [SENTRY-506] - Default implementation of SentryAccessController to do grant/revoke role/privlege + * [SENTRY-514] - Enable e2e tests for authorization V2 + * [SENTRY-532] - Add unit tests for DefaultSentryAuthorizationValidator + * [SENTRY-542] - Extend SentryPolicyServiceClient to implement grant wrapped privilege info for V2 + * [SENTRY-568] - Implement taskFactory V2 to handle special privilege for Sentry + * [SENTRY-569] - Workaround some operations for Authorization V2 + * [SENTRY-592] - Support column level security for V2 + * [SENTRY-603] - Execute on failure hooks for V2 + * [SENTRY-813] - Refactor the AuditMetadataLogEntity to support the audit log for generic mdoel + * [SENTRY-814] - Add new log entity for generic model + * [SENTRY-815] - Update the util to generate the command for audit log + * [SENTRY-816] - Update the util to manage the log entity for audit log + * [SENTRY-817] - Update processor for generic model to generate audit log + * [SENTRY-916] - Improve TestPrivilegesAtTableScope for keep consistent with Hive metadata. + * [SENTRY-917] - Improve TestRuntimeMetadataRetrieval for keeping database policies consistent with Hive metadata + * [SENTRY-925] - Improve TestMetadataPermissions for keep consistent with Hive metadata. + * [SENTRY-926] - Improve TestMetadataObjectRetrieval for keep consistent with Hive metadata. + * [SENTRY-928] - Improve TestDbSentryOnFailureHookLoading for keeping database policies consistent with Hive metadata + * [SENTRY-929] - Improve TestDbEndToEnd for keep consistent with Hive metadata. + * [SENTRY-930] - Improve TestDbDDLAuditLog for keep consistent with Hive metadata. + * [SENTRY-931] - Improve TestDatabaseProvider for keep consistent with Hive metadata. 
+ * [SENTRY-987] - Move general (non specific handler) solr-sentry code to solr-sentry-core package + * [SENTRY-1004] - Create CommonPrivilege for external component + * [SENTRY-1011] - Add Kafka binding + * [SENTRY-1012] - Add core model for Kafka + * [SENTRY-1013] - Add policy engine for Kafka + * [SENTRY-1014] - Add end-to-end tests for Kafka + * [SENTRY-1023] - Create an initial branch for CI + * [SENTRY-1029] - Address review comments for Kafka model that came after patch got committed. + * [SENTRY-1030] - Restrict Kafka Cluster authorizable to only have "kafka-cluster" as authorizable's name. + * [SENTRY-1042] - Create CommonPolicy for external component + * [SENTRY-1056] - Get service name from Kafka's server properties. + * [SENTRY-1057] - Add implementations for acls' CRUD + * [SENTRY-1089] - Move validator from sentry-policy-xxx to sentry-core-model-xxx + * [SENTRY-1090] - Improvement for CommonPrivilege + * [SENTRY-1091] - Create Model for specific components + * [SENTRY-1092] - Move Class KeyValue and PolicyConstants to sentry-core-common + * [SENTRY-1093] - Refactor the constructor of PolicyEngine + * [SENTRY-1098] - Make Kafka dependency as provided + * [SENTRY-1102] - Merge kafka branch into trunk + * [SENTRY-1103] - Authorizable names' case sensitivity must be decided by plugins + * [SENTRY-1104] - Add method in Privilege model to create privilege validators + * [SENTRY-1113] - Fix test failures due to missing files. 
+ * [SENTRY-1126] - Create a email list for jira updates (issues@) + * [SENTRY-1137] - Update hive dependence to 2.0.0 + * [SENTRY-1138] - Extract common classes for binding-hive-v1 and binding-hive-v2 + * [SENTRY-1142] - Rebase on master + * [SENTRY-1143] - Sentry TLP: Update the builds with new git repo + * [SENTRY-1144] - Sentry TLP: Update status page + * [SENTRY-1147] - Update Home page of Sentry Web + * [SENTRY-1148] - Update the maillist of Sentry + * [SENTRY-1149] - Update committer list of Sentry + * [SENTRY-1150] - Update the website svn directory + * [SENTRY-1151] - Update source code host at sentry website + * [SENTRY-1159] - Decouple datanucleus dependences for hive-binding V1 and V2 + * [SENTRY-1163] - Enable Jenkins for Hive Authz2 + * [SENTRY-1172] - Update mailing lists page with new issues@ list + * [SENTRY-1186] - Sentry TLP: Update release download links on website + * [SENTRY-1191] - update history page of Sentry release + * [SENTRY-1192] - Add SQL upgrade script for 1.7.0 + ** Bug - * [SENTRY-15] - log4j.properties file under sentry-tests references the old access package - * [SENTRY-1] - use default on HiveServer2 fails with invalid privileges exception - * [SENTRY-2] - Code cleanup in various poms - * [ACCESS-8] - Log warning if authorization is not used with strong authentication - * [ACCESS-49] - Modify test cases to restrict LOAD from specific locations - * [ACCESS-140] - malformatted policy is permitted conditionally - * [ACCESS-164] - policy file doesn't check non-exist entity mapping - * [ACCESS-174] - access only throw first error message in HiveServer2 log, and ignore the rest - * [ACCESS-180] - per DB policy file usability issues - * [ACCESS-197] - Child authorizeable objects are not inheriting permissions from parent - * [ACCESS-201] - Bad error message in HiveAuthzBinding - * [ACCESS-203] - Update trunk version to 1.1 and update dependencies - * [ACCESS-230] - CREATE TABLE AS works even if user does not have DB-level access - * 
[ACCESS-231] - ALTER TABLE SET TBLPROPERTIES allows updates to tables even when the user doesn't have the right privileges - * [ACCESS-232] - The per-db policy fies can't be accessed if they are not in the same file system as the global policy file. - * [ACCESS-233] - The URI permission checks should append path separator before checking the parent path - * [ACCESS-235] - Format unqualified URI as DFS uri by default + * [SENTRY-677] - Make the Sentry DB provider RPC methods synchronized + * [SENTRY-768] - [Improve error handling] Handle cases when getGroups throws an exception + * [SENTRY-769] - [Improve error handling] Make sure groups in list_sentry_privileges_for_provider is not empty + * [SENTRY-826] - TRUNCATE on empty partitioned table in Hive fails + * [SENTRY-835] - Drop table leaves a connection open when using metastorelistener + * [SENTRY-837] - Distributed path update counters in Sentry are indefinitely incremented + * [SENTRY-878] - collect_list missing from HIVE_UDF_WHITE_LIST + * [SENTRY-881] - Allow some metadata operations with column-level privileges + * [SENTRY-884] - Give execute permission by default to paths managed by sentry + * [SENTRY-885] - DB name should be case insensitive in HDFS sync plugin + * [SENTRY-886] - HDFSIntegration test testAccessToTableDirectory should wait for cache refresh before verification + * [SENTRY-888] - Exceptions in Callable tasks in MetaStoreCacheInitializer are being dropped + * [SENTRY-890] - Fix TestDbOperations.testAllOnTable on real clusters + * [SENTRY-892] - parsePath should handle empty paths well + * [SENTRY-893] - Synchronize calls in SentryClient and create sentry client once per request in SimpleDBProvider + * [SENTRY-900] - User could access sentry metric info by curl without authorization + * [SENTRY-904] - Set max message size for thrift messages + * [SENTRY-914] - Sentry default webserver port needs to change out of ephemeral port range + * [SENTRY-922] - INSERT OVERWRITE DIRECTORY permission not 
working correctly + * [SENTRY-923] - Fix SentryStore getPrivileges when table require "some" + * [SENTRY-932] - TestColumnEndToEnd error check should non-case sensitive + * [SENTRY-936] - getGroup and getUser should always return orginal hdfs values for paths in prefix which are not sentry managed + * [SENTRY-944] - Setting HDFS rules on Sentry managed hdfs paths should not affect original hdfs rules + * [SENTRY-945] - Avoid logging all DataNucleus queries when debug logging is enabled + * [SENTRY-953] - External Partitions which are referenced by more than one table can cause some unexpected behavior with Sentry HDFS sync + * [SENTRY-960] - Use hive.server2.builtin.udf.blacklist + * [SENTRY-962] - Fix SentryStore getPrivileges when column require "some" + * [SENTRY-965] - Solr /terms request handler broken because of components declaration + * [SENTRY-966] - SqoopAuthBindingSingleton uses bad double check locking idiom + * [SENTRY-968] - Uri check needs to be case sensitive + * [SENTRY-971] - Add profile to enable Hive AuthZ v2 + * [SENTRY-974] - create a sentry test data dump to facilite sentry scale tests + * [SENTRY-981] - Fix the error in integration tests + * [SENTRY-988] - It's better to let SentryAuthorization setter path always fall through and update HDFS + * [SENTRY-989] - RealTimeGet with explicit ids can bypass document level authorization + * [SENTRY-991] - Roles of Sentry Permission needs to be case insensitive + * [SENTRY-994] - SentryAuthorizationInfoX should override isSentryManaged + * [SENTRY-997] - Update HiveAuthorizer of Sentry after HiveAuthorizer interface changes + * [SENTRY-998] - TestSentryShellHive test failure with JDK 8 + * [SENTRY-1002] - PathsUpdate.parsePath(path) will throw an NPE when parsing relative paths + * [SENTRY-1003] - Support "reload" by updating the classpath of Sentry function aux jar path during runtime + * [SENTRY-1007] - Sentry column-level performance for wide tables + * [SENTRY-1008] - Path should be not be 
updated if the create/drop table/partition event fails + * [SENTRY-1009] - Improve TestDatabaseProvider to validate test object names instead of validating vague numbers. + * [SENTRY-1010] - Sentry column-level performance for wide tables for 1.5.1 + * [SENTRY-1018] - HiveServer is not properly shutdown cause BindException in TestServerConfiguration + * [SENTRY-1027] - Fix PMD error for unused field when enable Hive authz V2 + * [SENTRY-1035] - Generic service does not handle group name casing correctly + * [SENTRY-1037] - Set "hadoop.security.authentication" to "kerberos" in the Generic Client + * [SENTRY-1039] - Sentry shell tests assume order of option group privileges + * [SENTRY-1044] - Tables with non-hdfs locations breaks HMS startup + * [SENTRY-1046] - Hive Auxiliary JARs Directory is not working when Sentry is enabled: Caused by: java.lang.ClassNotFoundException + * [SENTRY-1050] - Improve clearAll method to avoid throwing exceptions because of deleting objects created outside of tests. + * [SENTRY-1054] - Updated Apache Shiro dependency + * [SENTRY-1055] - Sentry service solr constants refer to clusters rather than services + * [SENTRY-1058] - Duplicate junit versions in the root pom + * [SENTRY-1059] - 'dependencies.dependency.version' for org.apache.sentry:sentry-core-model-kafka:jar is missing. @ line 42, column 17 + * [SENTRY-1060] - Improve the SentryAuthFilter error message when authentication failure + * [SENTRY-1064] - Fix TestDbOperations#testCaseSensitivity + * [SENTRY-1066] - Sentry oracle upgrade script failed with ORA-0955 duplicate name issue + * [SENTRY-1071] - Update thrift gen-file with maven plugin + * [SENTRY-1077] - create a wiki to describe how to run scale script to prepare data and how to run sentry hive e2e tests on the cluster + * [SENTRY-1087] - Capture URI when using Hive Serdes + * [SENTRY-1095] - Insert into requires URI privilege on partition location under table. 
+ * [SENTRY-1096] - Fix TestDbOperations#testCaseSensitivity failure on a real cluster + * [SENTRY-1097] - Fix compilation errors from SentryGenericPolicyProcessor + * [SENTRY-1099] - JDK8 autoboxing compilation failure + * [SENTRY-1105] - Fix unittest TestMetastoreEndToEnd.testAddPartion + * [SENTRY-1111] - Apache Sentry should depend on the same version of metrics-core as hadoop + * [SENTRY-1112] - Change default value of "sentry.hive.server" to empty string + * [SENTRY-1114] - Wrong classname and incorrect _CMD_JAR var in sentryShell + * [SENTRY-1116] - Fix PMD violation for Sentry tests after missing commits + * [SENTRY-1122] - Allow Solr Audit Log to Read Impersonator Info + * [SENTRY-1128] - Add metastore_db to .gitignore + * [SENTRY-1155] - Add waiting time for getMetastoreClient for avoiding metastore isn't ready + * [SENTRY-1156] - TestDbColumnLevelMetaDataOps should add `use database` for user session created + * [SENTRY-1157] - Fix Unit Tests TestAclsCrud&TestAuthorize failed + * [SENTRY-1164] - Fix testCaseSensitivity test failure on a real cluster + * [SENTRY-1169] - MetastorePlugin#renameAuthzObject log message prints oldpathname as newpathname ** Improvement - * [SENTRY-5] - Normalize the usernames used in the end to end tests - * [ACCESS-100] - ResourceAuthzProvider should ensure the subject name is non-null before doing the group lookup - * [ACCESS-157] - Access hard codes hive authentication method none - * [ACCESS-211] - Add maven profile for compiling access with upstream Apache hadoop/hive - * [ACCESS-221] - Restrict the URI access granted from a per-database policy file + * [SENTRY-520] - Use the twitter Bootstrap kit (or similar) to beautify the Sentry Service webpage + * [SENTRY-565] - Improve performance of filtering Hive SHOW commands + * [SENTRY-685] - Refactor Sentry HDFS plugin to work with new Hadoop interface + * [SENTRY-832] - Clean dependences of sentry-provider-db + * [SENTRY-870] - Create UpdateForwarders for paths and permissions 
+ * [SENTRY-913] - Thread safe improvement for sqoop binding singleton + * [SENTRY-934] - Update plugin versions + * [SENTRY-952] - Update source to JDK 7 + * [SENTRY-957] - Exceptions in MetastoreCacheInitializer should probably not prevent HMS from starting up + * [SENTRY-970] - Use random free port for Sqoop tests + * [SENTRY-972] - Include sentry-tests-hive hadoop test script in maven project + * [SENTRY-973] - Bump hamcrest version + * [SENTRY-979] - Speed up the build (a bit) + * [SENTRY-986] - Apply PMD plugin to Sentry source + * [SENTRY-993] - list_sentry_privileges_by_authorizable() gone in API v2 + * [SENTRY-1006] - Add user manual for simple shell + * [SENTRY-1015] - Improve Sentry + Hive error message when user does not have sufficient privileges to perform an operation + * [SENTRY-1021] - Add PMD to Sentry tests + * [SENTRY-1036] - Move ProviderConstants from sentry-provider-common to sentry-policy-common + * [SENTRY-1048] - Fix "Critical" issues identified by analysis.apache.org + * [SENTRY-1051] - The policy Privilege implementations could be consolidated + * [SENTRY-1052] - Sentry shell should use kerberos requestor and give better error messages for kerberos failures + * [SENTRY-1065] - Make SentryNoSuchObjectException exception error message consistent across all files + * [SENTRY-1078] - Add servlet for dumping configurations + * [SENTRY-1088] - PathsUpdate should log invalid paths to make troubleshooting easier + * [SENTRY-1119] - Allow data engines to specify the ActionFactory from configuration + * [SENTRY-1135] - Remove deprecated junit.framework dependencies + * [SENTRY-1136] - Remove /Ping and /HealthCheck from Sentry Service Webpage +** New Feature + * [SENTRY-749] - Create simple shell for sentry + * [SENTRY-812] - Generate audit trail for Sentry generic model when authorization metadata change + * [SENTRY-906] - Add concurrency sentry client tests + * [SENTRY-995] - Simple Solr Shell + ** Task - * [ACCESS-16] - Implement the test cases 
in the test plan - * [ACCESS-34] - Analyze Path Security - * [ACCESS-115] - Format all files using a consistent code style formatter for the project - * [ACCESS-122] - Remove context.close() mid-test - * [ACCESS-123] - Fix confusing communication mechanism to request if ANY access is exists - * [ACCESS-125] - TestUserManagement major issues - * [ACCESS-127] - TestSandboxOps Major issues - * [ACCESS-130] - TestMovingToProduction major issues - * [ACCESS-136] - TestCrossDbOps major issues - * [ACCESS-145] - TestMetadataObjectRetrieval major issues - * [ACCESS-147] - TestPrivilegeAtTransform major issues - * [ACCESS-149] - TestPrivilegesAtDatabaseScope major issues - * [ACCESS-152] - TestPrivilegesAtTableScope minor issues - * [ACCESS-166] - Policy Engine should do expanded validation of policy file - * [ACCESS-194] - Explore options for metastore access restriction - * [ACCESS-195] - Support username mapping at access level + * [SENTRY-510] - Metrics collection for Sentry HDFS plugin + * [SENTRY-742] - Add describe, show/compute stats tests for column level privileges + * [SENTRY-984] - add sentry into analysis.apache.org + * [SENTRY-1016] - Update incubator status page with new committer news (Anne) and new resolution (Committer == PPMC during graduation) + * [SENTRY-1017] - Update Sentry website "people (commiters)" section with new committer (Anne) and PPMC section with a note on new resolution + * [SENTRY-1032] - Implement group/role commands in solr shell + * [SENTRY-1038] - More strict checking of SOLR actions in shell + * [SENTRY-1047] - Use existing validators in SentryShellSolr -** Sub-task - * [ACCESS-101] - Implement more test cases regarding subquery - * [ACCESS-209] - be able to run e2e test in cluster mode - * [ACCESS-225] - Update master branch version to 1.2.0-SNAPSHOT + +** Test + * [SENTRY-570] - Bug fixing for the test case "TestMetaStoreWithPigHCat" + * [SENTRY-748] - Improve test coverage of Sentry + Hive using complex views + * [SENTRY-869] - 
Add a test where we have multiple column level privileges for a given role + * [SENTRY-915] - Improve Hive E2E tests for keep consistent with Hive metadata. + * [SENTRY-927] - Improve AbstractTestWithStaticConfiguration for keep consistent with Hive metadata. + * [SENTRY-955] - Add more meta data operation tests for column level privilege + * [SENTRY-958] - TestGrantPrivilege fails on JDK8 + * [SENTRY-1109] - mvn clean install fails with PMD validation: Unnecessary use of fully qualified name 'org.apache.hadoop.hive.metastore.api.Partition' due to existing import 'org.apache.hadoop.hive.metastore.api.Partition' diff --git a/NOTICE.txt b/NOTICE.txt index 14fe33daf..cb168ac1a 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -1,5 +1,5 @@ Apache Sentry -Copyright 2014 The Apache Software Foundation +Copyright 2016 The Apache Software Foundation This product includes software developed at The Apache Software Foundation (http://www.apache.org/). From 6141aa503941aab25193d55a6104d224dd2e3222 Mon Sep 17 00:00:00 2001 
From: Anne Yu Date: Tue, 12 Apr 2016 18:09:38 -0700 Subject: [PATCH 03/18] SENTRY-1192: Add SQL upgrade script for 1.7.0. (Dapeng Sun, reviewed by Anne Yu). --- .../persistent/SentryStoreSchemaInfo.java | 2 +- .../src/main/resources/sentry-db2-1.7.0.sql | 155 ++++++++++++++ .../src/main/resources/sentry-derby-1.7.0.sql | 155 ++++++++++++++ .../src/main/resources/sentry-mysql-1.7.0.sql | 193 ++++++++++++++++++ .../main/resources/sentry-oracle-1.7.0.sql | 168 +++++++++++++++ .../main/resources/sentry-postgres-1.7.0.sql | 182 +++++++++++++++++ .../sentry-upgrade-db2-1.6.0-to-1.7.0.sql | 2 + .../sentry-upgrade-derby-1.6.0-to-1.7.0.sql | 2 + .../sentry-upgrade-mysql-1.6.0-to-1.7.0.sql | 5 + .../sentry-upgrade-oracle-1.6.0-to-1.7.0.sql | 5 + ...sentry-upgrade-postgres-1.6.0-to-1.7.0.sql | 5 + .../src/main/resources/upgrade.order.db2 | 1 + .../src/main/resources/upgrade.order.derby | 1 + .../src/main/resources/upgrade.order.mysql | 1 + .../src/main/resources/upgrade.order.oracle | 1 + .../src/main/resources/upgrade.order.postgres | 1 + 16 files changed, 878 insertions(+), 1 deletion(-) create mode 100644 sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.7.0.sql create mode 100644 sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.7.0.sql create mode 100644 sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.7.0.sql create mode 100644 sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.7.0.sql create mode 100644 sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.7.0.sql create mode 100644 sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.6.0-to-1.7.0.sql create mode 100644 sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.6.0-to-1.7.0.sql create mode 100644 sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.6.0-to-1.7.0.sql create mode 100644 
sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.6.0-to-1.7.0.sql create mode 100644 sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.6.0-to-1.7.0.sql diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java index fdadcb8ec..a86500de1 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreSchemaInfo.java @@ -37,7 +37,7 @@ public class SentryStoreSchemaInfo { private final String sentrySchemaVersions[]; private final String sentryScriptDir; - private static final String SENTRY_VERSION = "1.6.0"; + private static final String SENTRY_VERSION = "1.7.0"; public SentryStoreSchemaInfo(String sentryScriptDir, String dbType) throws SentryUserException { diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.7.0.sql new file mode 100644 index 000000000..b1e86492b --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-db2-1.7.0.sql 
@@ -0,0 +1,155 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+-- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE TABLE SENTRY_DB_PRIVILEGE
+(
+ DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ URI VARCHAR(4000),
+ "ACTION" VARCHAR(40),
+ CREATE_TIME BIGINT NOT NULL,
+ DB_NAME VARCHAR(4000),
+ PRIVILEGE_SCOPE VARCHAR(40),
+ "SERVER_NAME" VARCHAR(4000),
+ "TABLE_NAME" VARCHAR(4000),
+ "COLUMN_NAME" VARCHAR(4000),
+ WITH_GRANT_OPTION CHAR(1) NOT NULL
+);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
+
+-- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE TABLE SENTRY_ROLE
+(
+ ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ ROLE_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
+
+-- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE TABLE SENTRY_GROUP
+(
+ GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GROUP_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
+
+-- Table SENTRY_ROLE_GROUP_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GROUP_MAP
+(
+ GROUP_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
+
+-- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ DB_PRIVILEGE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
+
+CREATE TABLE "SENTRY_VERSION" (
+ VER_ID BIGINT NOT NULL,
+ SCHEMA_VERSION VARCHAR(127),
+ VERSION_COMMENT VARCHAR(255)
+);
+
+ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
+
+-- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+
+
+-- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
+
+
+-- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
+
+
+-- Constraints for table SENTRY_ROLE_GROUP_MAP
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
+
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
+
+
+-- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
+
+-- Generic model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE SENTRY_GM_PRIVILEGE
+(
+ GM_PRIVILEGE_ID BIGINT NOT NULL,
+ "ACTION" VARCHAR(40),
+ COMPONENT_NAME VARCHAR(400),
+ CREATE_TIME BIGINT NOT NULL,
+ WITH_GRANT_OPTION CHAR(1),
+ RESOURCE_NAME_0 VARCHAR(400),
+ RESOURCE_NAME_1 VARCHAR(400),
+ RESOURCE_NAME_2 VARCHAR(400),
+ RESOURCE_NAME_3 VARCHAR(400),
+ RESOURCE_TYPE_0 VARCHAR(400),
+ RESOURCE_TYPE_1 VARCHAR(400),
+ RESOURCE_TYPE_2 VARCHAR(400),
+ RESOURCE_TYPE_3 VARCHAR(400),
+ "SCOPE" VARCHAR(40),
+ SERVICE_NAME VARCHAR(400)
+);
+-- Primary key(GM_PRIVILEGE_ID)
+ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ GM_PRIVILEGE_ID BIGINT NOT NULL
+);
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.7.0.sql
new file mode 100644
index 000000000..b06fc4ac5
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-derby-1.7.0.sql
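Review bot: The scope columns of SENTRY_DB_PRIVILEGE (`URI`, `DB_NAME`, `"TABLE_NAME"`, `"COLUMN_NAME"`) and the eight `RESOURCE_NAME_n`/`RESOURCE_TYPE_n` columns of SENTRY_GM_PRIVILEGE are declared in the DB2 script without the `DEFAULT '__NULL__'` that the derby and mysql scripts in this patch give them. These columns are part of the unique indexes SENTRYPRIVILEGENAME and GM_PRIVILEGE_INDEX, so a row written without one of them would hold SQL NULL on DB2 and the sentinel string on the other backends, and a privilege lookup that compares against the sentinel would behave differently per database. Presumably the persistence layer always supplies the sentinel itself, but that is not visible in this patch. I would declare the columns the same way on every backend, e.g. `URI VARCHAR(4000) DEFAULT '__NULL__',`, and likewise for the other eleven columns.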
@@ -0,0 +1,155 @@
+--Licensed to the Apache Software Foundation (ASF) under one or more
+--contributor license agreements. See the NOTICE file distributed with
+--this work for additional information regarding copyright ownership.
+--The ASF licenses this file to You under the Apache License, Version 2.0
+--(the "License"); you may not use this file except in compliance with
+--the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+--Unless required by applicable law or agreed to in writing, software
+--distributed under the License is distributed on an "AS IS" BASIS,
+--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+--See the License for the specific language governing permissions and
+--limitations under the License.
+
+-- Table SENTRY_DB_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE TABLE SENTRY_DB_PRIVILEGE
+(
+ DB_PRIVILEGE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ URI VARCHAR(4000) DEFAULT '__NULL__',
+ "ACTION" VARCHAR(40),
+ CREATE_TIME BIGINT NOT NULL,
+ DB_NAME VARCHAR(4000) DEFAULT '__NULL__',
+ PRIVILEGE_SCOPE VARCHAR(40),
+ "SERVER_NAME" VARCHAR(4000),
+ "TABLE_NAME" VARCHAR(4000) DEFAULT '__NULL__',
+ "COLUMN_NAME" VARCHAR(4000) DEFAULT '__NULL__',
+ WITH_GRANT_OPTION CHAR(1) NOT NULL
+);
+
+ALTER TABLE SENTRY_DB_PRIVILEGE ADD CONSTRAINT SENTRY_DB_PRIVILEGE_PK PRIMARY KEY (DB_PRIVILEGE_ID);
+
+-- Table SENTRY_ROLE for classes [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE TABLE SENTRY_ROLE
+(
+ ROLE_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ ROLE_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE ADD CONSTRAINT SENTRY_ROLE_PK PRIMARY KEY (ROLE_ID);
+
+-- Table SENTRY_GROUP for classes [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE TABLE SENTRY_GROUP
+(
+ GROUP_ID BIGINT NOT NULL generated always as identity (start with 1),
+ CREATE_TIME BIGINT NOT NULL,
+ GROUP_NAME VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_GROUP ADD CONSTRAINT SENTRY_GROUP_PK PRIMARY KEY (GROUP_ID);
+
+-- Table SENTRY_ROLE_GROUP_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GROUP_MAP
+(
+ GROUP_ID BIGINT NOT NULL,
+ ROLE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_PK PRIMARY KEY (GROUP_ID,ROLE_ID);
+
+-- Table SENTRY_ROLE_DB_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ DB_PRIVILEGE_ID BIGINT NOT NULL,
+ GRANTOR_PRINCIPAL VARCHAR(128)
+);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,DB_PRIVILEGE_ID);
+
+CREATE TABLE "SENTRY_VERSION" (
+ VER_ID BIGINT NOT NULL,
+ SCHEMA_VERSION VARCHAR(127),
+ VERSION_COMMENT VARCHAR(255)
+);
+
+ALTER TABLE SENTRY_VERSION ADD CONSTRAINT SENTRY_VERSION_PK PRIMARY KEY (VER_ID);
+
+-- Constraints for table SENTRY_DB_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryPrivilege]
+CREATE UNIQUE INDEX SENTRYPRIVILEGENAME ON SENTRY_DB_PRIVILEGE ("SERVER_NAME",DB_NAME,"TABLE_NAME","COLUMN_NAME",URI,"ACTION",WITH_GRANT_OPTION);
+
+
+-- Constraints for table SENTRY_ROLE for class(es) [org.apache.sentry.provider.db.service.model.MSentryRole]
+CREATE UNIQUE INDEX SENTRYROLENAME ON SENTRY_ROLE (ROLE_NAME);
+
+
+-- Constraints for table SENTRY_GROUP for class(es) [org.apache.sentry.provider.db.service.model.MSentryGroup]
+CREATE UNIQUE INDEX SENTRYGROUPNAME ON SENTRY_GROUP (GROUP_NAME);
+
+
+-- Constraints for table SENTRY_ROLE_GROUP_MAP
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N49 ON SENTRY_ROLE_GROUP_MAP (GROUP_ID);
+
+CREATE INDEX SENTRY_ROLE_GROUP_MAP_N50 ON SENTRY_ROLE_GROUP_MAP (ROLE_ID);
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK2 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_GROUP_MAP ADD CONSTRAINT SENTRY_ROLE_GROUP_MAP_FK1 FOREIGN KEY (GROUP_ID) REFERENCES SENTRY_GROUP (GROUP_ID) ;
+
+
+-- Constraints for table SENTRY_ROLE_DB_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_DB_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_DB_PRIVILEGE_MAP (DB_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK2 FOREIGN KEY (DB_PRIVILEGE_ID) REFERENCES SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID) ;
+
+ALTER TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_DB_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID) ;
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE SENTRY_GM_PRIVILEGE
+(
+ GM_PRIVILEGE_ID BIGINT NOT NULL,
+ "ACTION" VARCHAR(40),
+ COMPONENT_NAME VARCHAR(400),
+ CREATE_TIME BIGINT NOT NULL,
+ WITH_GRANT_OPTION CHAR(1),
+ RESOURCE_NAME_0 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_1 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_2 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_NAME_3 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_0 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_1 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_2 VARCHAR(400) DEFAULT '__NULL__',
+ RESOURCE_TYPE_3 VARCHAR(400) DEFAULT '__NULL__',
+ "SCOPE" VARCHAR(40),
+ SERVICE_NAME VARCHAR(400)
+);
+-- Primary key(GM_PRIVILEGE_ID)
+ALTER TABLE SENTRY_GM_PRIVILEGE ADD CONSTRAINT SENTRY_GM_PRIVILEGE_PK PRIMARY KEY (GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE UNIQUE INDEX GM_PRIVILEGE_INDEX ON SENTRY_GM_PRIVILEGE (COMPONENT_NAME,SERVICE_NAME,RESOURCE_NAME_0,RESOURCE_TYPE_0,RESOURCE_NAME_1,RESOURCE_TYPE_1,RESOURCE_NAME_2,RESOURCE_TYPE_2,RESOURCE_NAME_3,RESOURCE_TYPE_3,"ACTION",WITH_GRANT_OPTION);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP
+(
+ ROLE_ID BIGINT NOT NULL,
+ GM_PRIVILEGE_ID BIGINT NOT NULL
+);
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_PK PRIMARY KEY (ROLE_ID,GM_PRIVILEGE_ID);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N50 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (ROLE_ID);
+
+CREATE INDEX SENTRY_ROLE_GM_PRIVILEGE_MAP_N49 ON SENTRY_ROLE_GM_PRIVILEGE_MAP (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK2 FOREIGN KEY (GM_PRIVILEGE_ID) REFERENCES SENTRY_GM_PRIVILEGE (GM_PRIVILEGE_ID);
+
+ALTER TABLE SENTRY_ROLE_GM_PRIVILEGE_MAP ADD CONSTRAINT SENTRY_ROLE_GM_PRIVILEGE_MAP_FK1 FOREIGN KEY (ROLE_ID) REFERENCES SENTRY_ROLE (ROLE_ID);
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.7.0.sql
new file mode 100644
index 000000000..faff34895
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-mysql-1.7.0.sql
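Review bot: `WITH_GRANT_OPTION` in SENTRY_GM_PRIVILEGE is declared `CHAR(1)` with no NOT NULL, while SENTRY_DB_PRIVILEGE in the same script declares it `CHAR(1) NOT NULL` and the mysql script in this patch makes both NOT NULL. The column records whether a role may pass a privilege on, and it is part of the unique index GM_PRIVILEGE_INDEX, so the schema should not admit a third, undefined state; how the service interprets a NULL here is not visible in this patch. I would change the line to `WITH_GRANT_OPTION CHAR(1) NOT NULL,`. The db2 script added earlier in this patch carries the same declaration and needs the same change.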
@@ -0,0 +1,193 @@
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+CREATE TABLE `SENTRY_DB_PRIVILEGE` (
+ `DB_PRIVILEGE_ID` BIGINT NOT NULL,
+ `PRIVILEGE_SCOPE` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `SERVER_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `DB_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `TABLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `COLUMN_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `URI` VARCHAR(4000) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `ACTION` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `WITH_GRANT_OPTION` CHAR(1) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `ROLE_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_GROUP` (
+ `GROUP_ID` BIGINT NOT NULL,
+ `GROUP_NAME` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `DB_PRIVILEGE_ID` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `SENTRY_ROLE_GROUP_MAP` (
+ `ROLE_ID` BIGINT NOT NULL,
+ `GROUP_ID` BIGINT NOT NULL,
+ `GRANTOR_PRINCIPAL` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE IF NOT EXISTS `SENTRY_VERSION` (
+ `VER_ID` BIGINT NOT NULL,
+ `SCHEMA_VERSION` VARCHAR(127) NOT NULL,
+ `VERSION_COMMENT` VARCHAR(255) NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD CONSTRAINT `SENTRY_DB_PRIV_PK` PRIMARY KEY (`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE`
+ ADD CONSTRAINT `SENTRY_ROLE_PK` PRIMARY KEY (`ROLE_ID`);
+
+ALTER TABLE `SENTRY_GROUP`
+ ADD CONSTRAINT `SENTRY_GROUP_PK` PRIMARY KEY (`GROUP_ID`);
+
+ALTER TABLE `SENTRY_VERSION`
+ ADD CONSTRAINT `SENTRY_VERSION` PRIMARY KEY (`VER_ID`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD UNIQUE `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` (`SERVER_NAME`,`DB_NAME`,`TABLE_NAME`,`COLUMN_NAME`,`URI`(250),`ACTION`,`WITH_GRANT_OPTION`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_SERV_IDX` (`SERVER_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_DB_IDX` (`DB_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_TBL_IDX` (`TABLE_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_COL_IDX` (`COLUMN_NAME`);
+
+ALTER TABLE `SENTRY_DB_PRIVILEGE`
+ ADD INDEX `SENTRY_PRIV_URI_IDX` (`URI`);
+
+ALTER TABLE `SENTRY_ROLE`
+ ADD CONSTRAINT `SENTRY_ROLE_ROLE_NAME_UNIQUE` UNIQUE (`ROLE_NAME`);
+
+ALTER TABLE `SENTRY_GROUP`
+ ADD CONSTRAINT `SENTRY_GRP_GRP_NAME_UNIQUE` UNIQUE (`GROUP_NAME`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_GROUP_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GROUP_ID`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RLE_DB_PRV_MAP_SN_RLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_DB_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK`
+ FOREIGN KEY (`DB_PRIVILEGE_ID`) REFERENCES `SENTRY_DB_PRIVILEGE`(`DB_PRIVILEGE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_ROLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GROUP_MAP`
+ ADD CONSTRAINT `SEN_ROLE_GROUP_MAP_SEN_GRP_FK`
+ FOREIGN KEY (`GROUP_ID`) REFERENCES `SENTRY_GROUP`(`GROUP_ID`);
+
+INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.7.0', 'Sentry release version 1.7.0');
+
+-- Generic Model
+-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+CREATE TABLE `SENTRY_GM_PRIVILEGE`
+(
+ `GM_PRIVILEGE_ID` BIGINT NOT NULL,
+ `ACTION` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `COMPONENT_NAME` VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `CREATE_TIME` BIGINT NOT NULL,
+ `WITH_GRANT_OPTION` CHAR(1) NOT NULL,
+ `RESOURCE_NAME_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_NAME_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_0` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_1` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_2` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `RESOURCE_TYPE_3` VARCHAR(64) CHARACTER SET utf8 COLLATE utf8_bin DEFAULT '__NULL__',
+ `SCOPE` VARCHAR(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
+ `SERVICE_NAME` VARCHAR(64) BINARY CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD CONSTRAINT `SENTRY_GM_PRIVILEGE_PK` PRIMARY KEY (`GM_PRIVILEGE_ID`);
+-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege]
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD UNIQUE `GM_PRIVILEGE_UNIQUE` (`COMPONENT_NAME`,`SERVICE_NAME`,`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`,`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`,`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`,`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`,`ACTION`,`WITH_GRANT_OPTION`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_COMP_IDX` (`COMPONENT_NAME`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_SERV_IDX` (`SERVICE_NAME`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES0_IDX` (`RESOURCE_NAME_0`,`RESOURCE_TYPE_0`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES1_IDX` (`RESOURCE_NAME_1`,`RESOURCE_TYPE_1`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES2_IDX` (`RESOURCE_NAME_2`,`RESOURCE_TYPE_2`);
+
+ALTER TABLE `SENTRY_GM_PRIVILEGE`
+ ADD INDEX `SENTRY_GM_PRIV_RES3_IDX` (`RESOURCE_NAME_3`,`RESOURCE_TYPE_3`);
+
+-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship
+CREATE TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+(
+ `ROLE_ID` BIGINT NOT NULL,
+ `GM_PRIVILEGE_ID` BIGINT NOT NULL
+) ENGINE=INNODB DEFAULT CHARSET=utf8;
+
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SENTRY_ROLE_GM_PRIVILEGE_MAP_PK` PRIMARY KEY (`ROLE_ID`,`GM_PRIVILEGE_ID`);
+
+-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RLE_GM_PRV_MAP_SN_RLE_FK`
+ FOREIGN KEY (`ROLE_ID`) REFERENCES `SENTRY_ROLE`(`ROLE_ID`);
+
+ALTER TABLE `SENTRY_ROLE_GM_PRIVILEGE_MAP`
+ ADD CONSTRAINT `SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK`
+ FOREIGN KEY (`GM_PRIVILEGE_ID`) REFERENCES `SENTRY_GM_PRIVILEGE`(`GM_PRIVILEGE_ID`);
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.7.0.sql
new file mode 100644
index 000000000..ae9cd0626
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-oracle-1.7.0.sql
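Review bot: The header of the mysql script switches off `FOREIGN_KEY_CHECKS` and `UNIQUE_CHECKS` and replaces `SQL_MODE` for the session, saving the old values in `@OLD_*` variables, but the script ends at the last ALTER TABLE without restoring any of them. If the schema tool keeps using the same connection afterwards (not visible here), later statements against the authorization tables run without foreign-key enforcement. I would close the script with the matching restore lines, `/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;`, `/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;` and `/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;`.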
@@ -0,0 +1,168 @@ +--Licensed to the Apache Software Foundation (ASF) under one or more +--contributor license agreements. See the NOTICE file distributed with +--this work for additional information regarding copyright ownership. +--The ASF licenses this file to You under the Apache License, Version 2.0 +--(the "License"); you may not use this file except in compliance with +--the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +--Unless required by applicable law or agreed to in writing, software +--distributed under the License is distributed on an "AS IS" BASIS, +--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +--See the License for the specific language governing permissions and +--limitations under the License. + +CREATE TABLE "SENTRY_DB_PRIVILEGE" ( + "DB_PRIVILEGE_ID" NUMBER NOT NULL, + "PRIVILEGE_SCOPE" VARCHAR2(32) NOT NULL, + "SERVER_NAME" VARCHAR2(128) NOT NULL, + "DB_NAME" VARCHAR2(128) DEFAULT '__NULL__', + "TABLE_NAME" VARCHAR2(128) DEFAULT '__NULL__', + "COLUMN_NAME" VARCHAR2(128) DEFAULT '__NULL__', + "URI" VARCHAR2(4000) DEFAULT '__NULL__', + "ACTION" VARCHAR2(128) NOT NULL, + "CREATE_TIME" NUMBER NOT NULL, + "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL +); + +CREATE TABLE "SENTRY_ROLE" ( + "ROLE_ID" NUMBER NOT NULL, + "ROLE_NAME" VARCHAR2(128) NOT NULL, + "CREATE_TIME" NUMBER NOT NULL +); + +CREATE TABLE "SENTRY_GROUP" ( + "GROUP_ID" NUMBER NOT NULL, + "GROUP_NAME" VARCHAR2(128) NOT NULL, + "CREATE_TIME" NUMBER NOT NULL +); + +CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" ( + "ROLE_ID" NUMBER NOT NULL, + "DB_PRIVILEGE_ID" NUMBER NOT NULL, + "GRANTOR_PRINCIPAL" VARCHAR2(128) +); + +CREATE TABLE "SENTRY_ROLE_GROUP_MAP" ( + "ROLE_ID" NUMBER NOT NULL, + "GROUP_ID" NUMBER NOT NULL, + "GRANTOR_PRINCIPAL" VARCHAR2(128) +); + +CREATE TABLE "SENTRY_VERSION" ( + "VER_ID" NUMBER NOT NULL, + "SCHEMA_VERSION" VARCHAR(127) NOT NULL, + "VERSION_COMMENT" VARCHAR(255) NOT NULL 
+); + +ALTER TABLE "SENTRY_DB_PRIVILEGE" + ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID"); + +ALTER TABLE "SENTRY_ROLE" + ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID"); + +ALTER TABLE "SENTRY_GROUP" + ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID"); + +ALTER TABLE "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID"); + +ALTER TABLE "SENTRY_DB_PRIVILEGE" + ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI","ACTION","WITH_GRANT_OPTION"); + +CREATE INDEX "SENTRY_SERV_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("SERVER_NAME"); + +CREATE INDEX "SENTRY_DB_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("DB_NAME"); + +CREATE INDEX "SENTRY_TBL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("TABLE_NAME"); + +CREATE INDEX "SENTRY_COL_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("COLUMN_NAME"); + +CREATE INDEX "SENTRY_URI_PRIV_IDX" ON "SENTRY_DB_PRIVILEGE" ("URI"); + +ALTER TABLE "SENTRY_ROLE" + ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME"); + +ALTER TABLE "SENTRY_GROUP" + ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME"); + +ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" + ADD CONSTRAINT "SEN_RLE_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID"); + +ALTER TABLE "SENTRY_ROLE_GROUP_MAP" + ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID"); + +ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" + ADD CONSTRAINT "SEN_RLE_DB_PRV_MAP_SN_RLE_FK" + FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED; + +ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" + ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK" + FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") INITIALLY DEFERRED; + +ALTER TABLE "SENTRY_ROLE_GROUP_MAP" + ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK" + FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED; + +ALTER TABLE "SENTRY_ROLE_GROUP_MAP" + ADD CONSTRAINT 
"SEN_ROLE_GROUP_MAP_SEN_GRP_FK" + FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") INITIALLY DEFERRED; + +INSERT INTO SENTRY_VERSION (VER_ID, SCHEMA_VERSION, VERSION_COMMENT) VALUES (1, '1.7.0', 'Sentry release version 1.7.0'); + +-- Generic Model +-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege] +CREATE TABLE "SENTRY_GM_PRIVILEGE" ( + "GM_PRIVILEGE_ID" NUMBER NOT NULL, + "COMPONENT_NAME" VARCHAR2(32) NOT NULL, + "SERVICE_NAME" VARCHAR2(64) NOT NULL, + "RESOURCE_NAME_0" VARCHAR2(64) DEFAULT '__NULL__', + "RESOURCE_NAME_1" VARCHAR2(64) DEFAULT '__NULL__', + "RESOURCE_NAME_2" VARCHAR2(64) DEFAULT '__NULL__', + "RESOURCE_NAME_3" VARCHAR2(64) DEFAULT '__NULL__', + "RESOURCE_TYPE_0" VARCHAR2(64) DEFAULT '__NULL__', + "RESOURCE_TYPE_1" VARCHAR2(64) DEFAULT '__NULL__', + "RESOURCE_TYPE_2" VARCHAR2(64) DEFAULT '__NULL__', + "RESOURCE_TYPE_3" VARCHAR2(64) DEFAULT '__NULL__', + "ACTION" VARCHAR2(32) NOT NULL, + "SCOPE" VARCHAR2(128) NOT NULL, + "CREATE_TIME" NUMBER NOT NULL, + "WITH_GRANT_OPTION" CHAR(1) DEFAULT 'N' NOT NULL +); + +ALTER TABLE "SENTRY_GM_PRIVILEGE" + ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID"); +-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege] +ALTER TABLE "SENTRY_GM_PRIVILEGE" + ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2", + "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION"); + +CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" ("COMPONENT_NAME"); + +CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" ("SERVICE_NAME"); + +CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_0","RESOURCE_TYPE_0"); + +CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" 
("RESOURCE_NAME_1","RESOURCE_TYPE_1"); + +CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_2","RESOURCE_TYPE_2"); + +CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" ("RESOURCE_NAME_3","RESOURCE_TYPE_3"); + +-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship +CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" ( + "ROLE_ID" NUMBER NOT NULL, + "GM_PRIVILEGE_ID" NUMBER NOT NULL +); + +ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" + ADD CONSTRAINT "SEN_RLE_GM_PRIV_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID"); + +-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP +ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" + ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK" + FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") INITIALLY DEFERRED; + +ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" + ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK" + FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") INITIALLY DEFERRED; diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.7.0.sql new file mode 100644 index 000000000..9f4f85b02 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-postgres-1.7.0.sql 
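Review bot: In sentry-oracle-1.7.0.sql the `INSERT INTO SENTRY_VERSION ... '1.7.0'` row is written before the Generic Model tables are created. Oracle commits implicitly on every later `CREATE TABLE`/`ALTER TABLE`, so a failure in the second half of the script leaves a store that already reports schema 1.7.0 but lacks `SENTRY_GM_PRIVILEGE`, `SENTRY_ROLE_GM_PRIVILEGE_MAP` or their constraints. Moving the INSERT to the end of the file, after the last `ADD CONSTRAINT ... FOREIGN KEY`, makes the version row the final marker of a complete install. How the schema tooling reads `SENTRY_VERSION` is not visible in this diff, so confirm that it treats the row that way. The PostgreSQL script in the same patch runs inside `START TRANSACTION`/`COMMIT` and does not have this window.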
@@ -0,0 +1,182 @@ +--Licensed to the Apache Software Foundation (ASF) under one or more +--contributor license agreements. See the NOTICE file distributed with +--this work for additional information regarding copyright ownership. +--The ASF licenses this file to You under the Apache License, Version 2.0 +--(the "License"); you may not use this file except in compliance with +--the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +--Unless required by applicable law or agreed to in writing, software +--distributed under the License is distributed on an "AS IS" BASIS, +--WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +--See the License for the specific language governing permissions and +--limitations under the License. + +START TRANSACTION; + +SET statement_timeout = 0; +SET client_encoding = 'UTF8'; +SET standard_conforming_strings = off; +SET check_function_bodies = false; +SET client_min_messages = warning; +SET escape_string_warning = off; +SET search_path = public, pg_catalog; +SET default_tablespace = ''; +SET default_with_oids = false; + +CREATE TABLE "SENTRY_DB_PRIVILEGE" ( + "DB_PRIVILEGE_ID" BIGINT NOT NULL, + "PRIVILEGE_SCOPE" character varying(32) NOT NULL, + "SERVER_NAME" character varying(128) NOT NULL, + "DB_NAME" character varying(128) DEFAULT '__NULL__', + "TABLE_NAME" character varying(128) DEFAULT '__NULL__', + "COLUMN_NAME" character varying(128) DEFAULT '__NULL__', + "URI" character varying(4000) DEFAULT '__NULL__', + "ACTION" character varying(128) NOT NULL, + "CREATE_TIME" BIGINT NOT NULL, + "WITH_GRANT_OPTION" CHAR(1) NOT NULL +); + +CREATE TABLE "SENTRY_ROLE" ( + "ROLE_ID" BIGINT NOT NULL, + "ROLE_NAME" character varying(128) NOT NULL, + "CREATE_TIME" BIGINT NOT NULL +); + +CREATE TABLE "SENTRY_GROUP" ( + "GROUP_ID" BIGINT NOT NULL, + "GROUP_NAME" character varying(128) NOT NULL, + "CREATE_TIME" BIGINT NOT NULL +); + +CREATE TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" 
( + "ROLE_ID" BIGINT NOT NULL, + "DB_PRIVILEGE_ID" BIGINT NOT NULL, + "GRANTOR_PRINCIPAL" character varying(128) +); + +CREATE TABLE "SENTRY_ROLE_GROUP_MAP" ( + "ROLE_ID" BIGINT NOT NULL, + "GROUP_ID" BIGINT NOT NULL, + "GRANTOR_PRINCIPAL" character varying(128) +); + +CREATE TABLE "SENTRY_VERSION" ( + "VER_ID" bigint, + "SCHEMA_VERSION" character varying(127) NOT NULL, + "VERSION_COMMENT" character varying(255) NOT NULL +); + + +ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE" + ADD CONSTRAINT "SENTRY_DB_PRIV_PK" PRIMARY KEY ("DB_PRIVILEGE_ID"); + +ALTER TABLE ONLY "SENTRY_ROLE" + ADD CONSTRAINT "SENTRY_ROLE_PK" PRIMARY KEY ("ROLE_ID"); + +ALTER TABLE ONLY "SENTRY_GROUP" + ADD CONSTRAINT "SENTRY_GROUP_PK" PRIMARY KEY ("GROUP_ID"); + +ALTER TABLE ONLY "SENTRY_VERSION" ADD CONSTRAINT "SENTRY_VERSION_PK" PRIMARY KEY ("VER_ID"); + +ALTER TABLE ONLY "SENTRY_DB_PRIVILEGE" + ADD CONSTRAINT "SENTRY_DB_PRIV_PRIV_NAME_UNIQ" UNIQUE ("SERVER_NAME","DB_NAME","TABLE_NAME","COLUMN_NAME","URI", "ACTION","WITH_GRANT_OPTION"); + +CREATE INDEX "SENTRY_PRIV_SERV_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("SERVER_NAME"); + +CREATE INDEX "SENTRY_PRIV_DB_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("DB_NAME"); + +CREATE INDEX "SENTRY_PRIV_TBL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("TABLE_NAME"); + +CREATE INDEX "SENTRY_PRIV_COL_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("COLUMN_NAME"); + +CREATE INDEX "SENTRY_PRIV_URI_IDX" ON "SENTRY_DB_PRIVILEGE" USING btree ("URI"); + +ALTER TABLE ONLY "SENTRY_ROLE" + ADD CONSTRAINT "SENTRY_ROLE_ROLE_NAME_UNIQUE" UNIQUE ("ROLE_NAME"); + +ALTER TABLE ONLY "SENTRY_GROUP" + ADD CONSTRAINT "SENTRY_GRP_GRP_NAME_UNIQUE" UNIQUE ("GROUP_NAME"); + +ALTER TABLE "SENTRY_ROLE_DB_PRIVILEGE_MAP" + ADD CONSTRAINT "SENTRY_ROLE_DB_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","DB_PRIVILEGE_ID"); + +ALTER TABLE "SENTRY_ROLE_GROUP_MAP" + ADD CONSTRAINT "SENTRY_ROLE_GROUP_MAP_PK" PRIMARY KEY ("ROLE_ID","GROUP_ID"); + +ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP" + ADD CONSTRAINT 
"SEN_RLE_DB_PRV_MAP_SN_RLE_FK" + FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE; + +ALTER TABLE ONLY "SENTRY_ROLE_DB_PRIVILEGE_MAP" + ADD CONSTRAINT "SEN_RL_DB_PRV_MAP_SN_DB_PRV_FK" + FOREIGN KEY ("DB_PRIVILEGE_ID") REFERENCES "SENTRY_DB_PRIVILEGE"("DB_PRIVILEGE_ID") DEFERRABLE; + +ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP" + ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_ROLE_FK" + FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE; + +ALTER TABLE ONLY "SENTRY_ROLE_GROUP_MAP" + ADD CONSTRAINT "SEN_ROLE_GROUP_MAP_SEN_GRP_FK" + FOREIGN KEY ("GROUP_ID") REFERENCES "SENTRY_GROUP"("GROUP_ID") DEFERRABLE; + +INSERT INTO "SENTRY_VERSION" ("VER_ID", "SCHEMA_VERSION", "VERSION_COMMENT") VALUES (1, '1.7.0', 'Sentry release version 1.7.0'); + +-- Generic Model +-- Table SENTRY_GM_PRIVILEGE for classes [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege] +CREATE TABLE "SENTRY_GM_PRIVILEGE" ( + "GM_PRIVILEGE_ID" BIGINT NOT NULL, + "COMPONENT_NAME" character varying(32) NOT NULL, + "SERVICE_NAME" character varying(64) NOT NULL, + "RESOURCE_NAME_0" character varying(64) DEFAULT '__NULL__', + "RESOURCE_NAME_1" character varying(64) DEFAULT '__NULL__', + "RESOURCE_NAME_2" character varying(64) DEFAULT '__NULL__', + "RESOURCE_NAME_3" character varying(64) DEFAULT '__NULL__', + "RESOURCE_TYPE_0" character varying(64) DEFAULT '__NULL__', + "RESOURCE_TYPE_1" character varying(64) DEFAULT '__NULL__', + "RESOURCE_TYPE_2" character varying(64) DEFAULT '__NULL__', + "RESOURCE_TYPE_3" character varying(64) DEFAULT '__NULL__', + "ACTION" character varying(32) NOT NULL, + "SCOPE" character varying(128) NOT NULL, + "CREATE_TIME" BIGINT NOT NULL, + "WITH_GRANT_OPTION" CHAR(1) NOT NULL +); +ALTER TABLE ONLY "SENTRY_GM_PRIVILEGE" + ADD CONSTRAINT "SENTRY_GM_PRIV_PK" PRIMARY KEY ("GM_PRIVILEGE_ID"); +-- Constraints for table SENTRY_GM_PRIVILEGE for class(es) [org.apache.sentry.provider.db.service.model.MSentryGMPrivilege] +ALTER TABLE ONLY 
"SENTRY_GM_PRIVILEGE" + ADD CONSTRAINT "SENTRY_GM_PRIV_PRIV_NAME_UNIQ" UNIQUE ("COMPONENT_NAME","SERVICE_NAME","RESOURCE_NAME_0","RESOURCE_NAME_1","RESOURCE_NAME_2", + "RESOURCE_NAME_3","RESOURCE_TYPE_0","RESOURCE_TYPE_1","RESOURCE_TYPE_2","RESOURCE_TYPE_3","ACTION","WITH_GRANT_OPTION"); + +CREATE INDEX "SENTRY_GM_PRIV_COMP_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("COMPONENT_NAME"); + +CREATE INDEX "SENTRY_GM_PRIV_SERV_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("SERVICE_NAME"); + +CREATE INDEX "SENTRY_GM_PRIV_RES0_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_0","RESOURCE_TYPE_0"); + +CREATE INDEX "SENTRY_GM_PRIV_RES1_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_1","RESOURCE_TYPE_1"); + +CREATE INDEX "SENTRY_GM_PRIV_RES2_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_2","RESOURCE_TYPE_2"); + +CREATE INDEX "SENTRY_GM_PRIV_RES3_IDX" ON "SENTRY_GM_PRIVILEGE" USING btree ("RESOURCE_NAME_3","RESOURCE_TYPE_3"); + +-- Table SENTRY_ROLE_GM_PRIVILEGE_MAP for join relationship +CREATE TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" ( + "ROLE_ID" BIGINT NOT NULL, + "GM_PRIVILEGE_ID" BIGINT NOT NULL +); + +ALTER TABLE "SENTRY_ROLE_GM_PRIVILEGE_MAP" + ADD CONSTRAINT "SENTRY_ROLE_GM_PRIVILEGE_MAP_PK" PRIMARY KEY ("ROLE_ID","GM_PRIVILEGE_ID"); + +-- Constraints for table SENTRY_ROLE_GM_PRIVILEGE_MAP +ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP" + ADD CONSTRAINT "SEN_RLE_GM_PRV_MAP_SN_RLE_FK" + FOREIGN KEY ("ROLE_ID") REFERENCES "SENTRY_ROLE"("ROLE_ID") DEFERRABLE; + +ALTER TABLE ONLY "SENTRY_ROLE_GM_PRIVILEGE_MAP" + ADD CONSTRAINT "SEN_RL_GM_PRV_MAP_SN_DB_PRV_FK" + FOREIGN KEY ("GM_PRIVILEGE_ID") REFERENCES "SENTRY_GM_PRIVILEGE"("GM_PRIVILEGE_ID") DEFERRABLE; + +COMMIT; diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.6.0-to-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.6.0-to-1.7.0.sql new file mode 100644 index 000000000..e2494a26f --- /dev/null 
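Review bot: The columns behind `SENTRY_DB_PRIV_PRIV_NAME_UNIQ` and `SENTRY_GM_PRIV_PRIV_NAME_UNIQ` in sentry-postgres-1.7.0.sql (`DB_NAME`, `TABLE_NAME`, `COLUMN_NAME`, `URI`, `RESOURCE_NAME_0..3`, `RESOURCE_TYPE_0..3`) have `DEFAULT '__NULL__'` but remain nullable, and PostgreSQL treats NULLs as distinct in a UNIQUE constraint. A writer that passes an explicit NULL rather than omitting the column could therefore store the same privilege more than once, which would make later lookups and revokes of that privilege ambiguous. Whether the service ever writes NULL is not visible here. Declaring the columns as, for example, `"DB_NAME" character varying(128) NOT NULL DEFAULT '__NULL__',` makes the sentinel the only stored representation of "not set". `WITH_GRANT_OPTION` is also declared without the `DEFAULT 'N'` that the Oracle script in this patch gives it.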
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-db2-1.6.0-to-1.7.0.sql
@@ -0,0 +1,2 @@
+-- Version update
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.7.0', VERSION_COMMENT='Sentry release version 1.7.0' WHERE VER_ID=1;
\ No newline at end of file
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.6.0-to-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.6.0-to-1.7.0.sql
new file mode 100644
index 000000000..e2494a26f
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-derby-1.6.0-to-1.7.0.sql
@@ -0,0 +1,2 @@
+-- Version update
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.7.0', VERSION_COMMENT='Sentry release version 1.7.0' WHERE VER_ID=1;
\ No newline at end of file
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.6.0-to-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.6.0-to-1.7.0.sql
new file mode 100644
index 000000000..3413edee7
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-mysql-1.6.0-to-1.7.0.sql
@@ -0,0 +1,5 @@
+SELECT 'Upgrading Sentry store schema from 1.6.0 to 1.7.0' AS ' ';
+
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.7.0', VERSION_COMMENT='Sentry release version 1.7.0' WHERE VER_ID=1;
+
+SELECT 'Finish upgrading Sentry store schema from 1.6.0 to 1.7.0' AS ' ';
\ No newline at end of file
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.6.0-to-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.6.0-to-1.7.0.sql
new file mode 100644
index 000000000..fa82c87ae
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-oracle-1.6.0-to-1.7.0.sql
@@ -0,0 +1,5 @@
+SELECT 'Upgrading Sentry store schema from 1.6.0 to 1.7.0' AS Status from dual;
+
+UPDATE SENTRY_VERSION SET SCHEMA_VERSION='1.7.0', VERSION_COMMENT='Sentry release version 1.7.0' WHERE VER_ID=1;
+
+SELECT 'Finished upgrading Sentry store schema from 1.6.0 to 1.7.0' AS Status from dual;
\ No newline at end of file
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.6.0-to-1.7.0.sql b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.6.0-to-1.7.0.sql
new file mode 100644
index 000000000..ff10e106b
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry-upgrade-postgres-1.6.0-to-1.7.0.sql
@@ -0,0 +1,5 @@
+SELECT 'Upgrading Sentry store schema from 1.6.0 to 1.7.0';
+
+UPDATE "SENTRY_VERSION" SET "SCHEMA_VERSION"='1.7.0', "VERSION_COMMENT"='Sentry release version 1.7.0' WHERE "VER_ID"=1;
+
+SELECT 'Finished upgrading Sentry store schema from 1.6.0 to 1.7.0';
\ No newline at end of file
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.db2 b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.db2
index 8473c4cdc..789a8ca61 100644
--- a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.db2
+++ b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.db2
@@ -1,2 +1,3 @@
 1.4.0-to-1.5.0
 1.5.0-to-1.6.0
+1.6.0-to-1.7.0
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.derby b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.derby
index 8473c4cdc..789a8ca61 100644
--- a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.derby
+++ b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.derby
@@ -1,2 +1,3 @@
 1.4.0-to-1.5.0
 1.5.0-to-1.6.0
+1.6.0-to-1.7.0
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.mysql b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.mysql index 8473c4cdc..789a8ca61 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.mysql +++ b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.mysql @@ -1,2 +1,3 @@ 1.4.0-to-1.5.0 1.5.0-to-1.6.0 +1.6.0-to-1.7.0 diff --git a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.oracle b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.oracle index 8473c4cdc..789a8ca61 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.oracle +++ b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.oracle @@ -1,2 +1,3 @@ 1.4.0-to-1.5.0 1.5.0-to-1.6.0 +1.6.0-to-1.7.0 diff --git a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.postgres b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.postgres index 8473c4cdc..789a8ca61 100644 --- a/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.postgres +++ b/sentry-provider/sentry-provider-db/src/main/resources/upgrade.order.postgres @@ -1,2 +1,3 @@ 1.4.0-to-1.5.0 1.5.0-to-1.6.0 +1.6.0-to-1.7.0 From 265f52935822fdb13bf0508892daa710dc4f68c9 Mon Sep 17 00:00:00 2001 From: hahao Date: Wed, 13 Apr 2016 00:00:46 -0700 Subject: [PATCH 04/18] SENTRY-589: Enable dist for authorization V2 (Dapeng Sun, Reviewed by: Colin Ma) --- sentry-dist/pom.xml | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml index 69c86262a..827d165c1 100644 --- a/sentry-dist/pom.xml +++ b/sentry-dist/pom.xml @@ -46,10 +46,6 @@ limitations under the License. org.apache.sentry sentry-core-model-sqoop - - org.apache.sentry - sentry-binding-hive - org.apache.sentry sentry-binding-solr 
@@ -103,9 +99,34 @@ limitations under the License. sentry-policy-sqoop + + + hive-authz1 + + true + + + + org.apache.sentry + sentry-binding-hive + + + + + hive-authz2 + + false + + + + org.apache.sentry + sentry-binding-hive-v2 + + + + - org.apache.maven.plugins maven-assembly-plugin From d78fc2c0cc92e39173dcd3cdfc653f7a455d25e6 Mon Sep 17 00:00:00 2001 From: hahao Date: Fri, 15 Apr 2016 17:23:26 -0700 Subject: [PATCH 05/18] SENTRY-1173: Sentry TLP: Update pom.xml to new git location (Sravya Tirukkovalur, Reviewed by: Hao Hao) --- CHANGELOG.txt | 2 ++ DISCLAIMER.txt | 16 ---------------- LICENSE.txt | 2 +- pom.xml | 6 +++--- 4 files changed, 6 insertions(+), 20 deletions(-) delete mode 100644 DISCLAIMER.txt diff --git a/CHANGELOG.txt b/CHANGELOG.txt index d90132824..3639f0568 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -8,6 +8,7 @@ Release Notes - Sentry - Version 1.7.0 * [SENTRY-542] - Extend SentryPolicyServiceClient to implement grant wrapped privilege info for V2 * [SENTRY-568] - Implement taskFactory V2 to handle special privilege for Sentry * [SENTRY-569] - Workaround some operations for Authorization V2 + * [SENTRY-589] - Enable dist for authorization V2 * [SENTRY-592] - Support column level security for V2 * [SENTRY-603] - Execute on failure hooks for V2 * [SENTRY-813] - Refactor the AuditMetadataLogEntity to support the audit log for generic mdoel @@ -182,6 +183,7 @@ Release Notes - Sentry - Version 1.7.0 * [SENTRY-812] - Generate audit trail for Sentry generic model when authorization metadata change * [SENTRY-906] - Add concurrency sentry client tests * [SENTRY-995] - Simple Solr Shell + * [SENTRY-1130] - Upgrade Hive plugin v2 for hive 2.0.0 ** Task diff --git a/DISCLAIMER.txt b/DISCLAIMER.txt deleted file mode 100644 index ce4c59c23..000000000 --- a/DISCLAIMER.txt +++ /dev/null 
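Review bot: In the second hunk of sentry-dist/pom.xml the new `hive-authz1` profile appears to be switched on through `activeByDefault`; the element names are lost in this rendering and only the `true`/`false` values survive, so this is an inference. Maven disables an active-by-default profile as soon as any other profile in the same POM is activated explicitly. If this POM has any profile besides the two added here, a build that selects it would package a distribution with neither `sentry-binding-hive` nor `sentry-binding-hive-v2`, and nothing in the hunk fails the build in that case. A comment beside the profiles such as `<!-- exactly one of hive-authz1 / hive-authz2 must be active; pass -P hive-authz2 to package the V2 binding -->` would at least record the expectation, and a check in the assembly step that one binding jar is present would enforce it.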
@@ -1,16 +0,0 @@ -Apache Sentry is an effort undergoing incubation at the Apache Software -Foundation (ASF), sponsored by the Apache Incubator Project Management -Committee. - -Incubation is required for all newly accepted projects until a further review -indicates that the infrastructure, communications, and decisions making process -have stabilized in a manner consistent with other successful ASF projects. - -While incubation status is not necessarily a reflection of the completeness or -stability of the code, it does indicate that the project has yet to be fully -endorsed by the ASF. - -For more information about the incubation status of the Sentry project you can -go to the following page: - -http://incubator.apache.org/projects/sentry.html diff --git a/LICENSE.txt b/LICENSE.txt index c29b59dda..e6be7872c 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -203,7 +203,7 @@ ================================================================================ -The Apache Sentry (incubating) distribution includes the following sources/binaries. +The Apache Sentry distribution includes the following sources/binaries. The use of these sources/binaries is subject to the terms and conditions of their respective licenses. diff --git a/pom.xml b/pom.xml index e8508bfbd..9ac4cdded 100644 --- a/pom.xml +++ b/pom.xml @@ -43,9 +43,9 @@ limitations under the License. - scm:git:https://git-wip-us.apache.org/repos/asf/incubator-sentry.git - scm:git:https://git-wip-us.apache.org/repos/asf/incubator-sentry.git - https://git-wip-us.apache.org/repos/asf/incubator-sentry + scm:git:https://git-wip-us.apache.org/repos/asf/sentry.git + scm:git:https://git-wip-us.apache.org/repos/asf/sentry.git + https://git-wip-us.apache.org/repos/asf/sentry From 39d38a5c17dab1ccb52f46d46e0a3dc63d20c6fb Mon Sep 17 00:00:00 2001 
From: hahao Date: Fri, 15 Apr 2016 17:30:31 -0700 Subject: [PATCH 06/18] SENTRY-1162: Add shell for Sentry Kafka integration (Ashish K Singh, Reviewed by:Hao Hao) --- sentry-provider/sentry-provider-db/pom.xml | 4 + .../tools/KafkaTSentryPrivilegeConvertor.java | 109 ++++ .../db/generic/tools/SentryShellKafka.java | 112 ++++ .../generic/tools/TestSentryShellKafka.java | 540 ++++++++++++++++++ 4 files changed, 765 insertions(+) create mode 100644 sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConvertor.java create mode 100644 sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java create mode 100644 sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml index eb6160ffb..7193711ab 100644 --- a/sentry-provider/sentry-provider-db/pom.xml +++ b/sentry-provider/sentry-provider-db/pom.xml @@ -107,6 +107,10 @@ limitations under the License. org.apache.sentry sentry-policy-search + + org.apache.sentry + sentry-policy-kafka + org.apache.hive hive-shims diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConvertor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConvertor.java new file mode 100644 index 000000000..ca88c251c --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/KafkaTSentryPrivilegeConvertor.java 
@@ -0,0 +1,109 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.generic.tools; + +import com.google.common.collect.Lists; +import org.apache.sentry.core.model.kafka.KafkaAuthorizable; +import org.apache.sentry.policy.common.KeyValue; +import org.apache.sentry.policy.common.PolicyConstants; +import org.apache.sentry.policy.common.PrivilegeValidatorContext; +import org.apache.sentry.policy.kafka.KafkaModelAuthorizables; +import org.apache.sentry.policy.kafka.KafkaPrivilegeValidator; +import org.apache.sentry.provider.common.PolicyFileConstants; +import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable; +import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption; +import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; +import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConvertor; + +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; + +public class KafkaTSentryPrivilegeConvertor implements TSentryPrivilegeConvertor { + private String component; + private String service; + + public KafkaTSentryPrivilegeConvertor(String component, String service) { + 
this.component = component; + this.service = service; + } + + public TSentryPrivilege fromString(String privilegeStr) throws Exception { + validatePrivilegeHierarchy(privilegeStr); + TSentryPrivilege tSentryPrivilege = new TSentryPrivilege(); + List authorizables = new LinkedList(); + for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) { + KeyValue keyValue = new KeyValue(authorizable); + String key = keyValue.getKey(); + String value = keyValue.getValue(); + + // is it an authorizable? + KafkaAuthorizable authz = KafkaModelAuthorizables.from(keyValue); + if (authz != null) { + authorizables.add(new TAuthorizable(authz.getTypeName(), authz.getName())); + + } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) { + tSentryPrivilege.setAction(value); + } + } + + if (tSentryPrivilege.getAction() == null) { + throw new IllegalArgumentException("Privilege is invalid: action required but not specified."); + } + tSentryPrivilege.setComponent(component); + tSentryPrivilege.setServiceName(service); + tSentryPrivilege.setAuthorizables(authorizables); + return tSentryPrivilege; + } + + public String toString(TSentryPrivilege tSentryPrivilege) { + List privileges = Lists.newArrayList(); + if (tSentryPrivilege != null) { + List authorizables = tSentryPrivilege.getAuthorizables(); + String action = tSentryPrivilege.getAction(); + String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? 
"true" + : "false"); + + Iterator it = authorizables.iterator(); + if (it != null) { + while (it.hasNext()) { + TAuthorizable tAuthorizable = it.next(); + privileges.add(PolicyConstants.KV_JOINER.join( + tAuthorizable.getType(), tAuthorizable.getName())); + } + } + + if (!authorizables.isEmpty()) { + privileges.add(PolicyConstants.KV_JOINER.join( + PolicyFileConstants.PRIVILEGE_ACTION_NAME, action)); + } + + // only append the grant option to privilege string if it's true + if ("true".equals(grantOption)) { + privileges.add(PolicyConstants.KV_JOINER.join( + PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption)); + } + } + return PolicyConstants.AUTHORIZABLE_JOINER.join(privileges); + } + + private static void validatePrivilegeHierarchy(String privilegeStr) throws Exception { + new KafkaPrivilegeValidator().validate(new PrivilegeValidatorContext(privilegeStr)); + } +} diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java new file mode 100644 index 000000000..e15d8d298 --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java 
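Review bot: In `KafkaTSentryPrivilegeConvertor.toString` the guard `if (it != null)` can never be false, because `authorizables.iterator()` has already been called on the line before it. A privilege whose authorizable list is unset would throw a NullPointerException there, and again at `authorizables.isEmpty()`. If `getAuthorizables()` can return null (the Thrift class is not part of this diff), test the list instead: `if (authorizables != null) {` around the loop and `if (authorizables != null && !authorizables.isEmpty()) {` before the action is appended. Separately, `fromString` reads only authorizables and the action key, so a grant-option entry that `toString` emits is not parsed back; a one-line comment on `fromString` stating that the grant option is deliberately ignored would keep readers from assuming the two methods are inverses.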
@@ -0,0 +1,112 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.generic.tools; + +import org.apache.commons.lang.StringUtils; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient; +import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory; +import org.apache.sentry.provider.db.generic.tools.command.*; +import org.apache.sentry.provider.db.tools.SentryShellCommon; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * SentryShellKafka is an admin tool, and responsible for the management of repository. + * The following commands are supported: + * create role, drop role, add group to role, grant privilege to role, + * revoke privilege from role, list roles, list privilege for role. 
+ */ +public class SentryShellKafka extends SentryShellCommon { + + private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellKafka.class); + public static final String KAFKA_SERVICE_NAME = "sentry.service.client.kafka.service.name"; + + @Override + public void run() throws Exception { + Command command = null; + String component = "KAFKA"; + Configuration conf = getSentryConf(); + + String service = conf.get(KAFKA_SERVICE_NAME, "kafka1"); + SentryGenericServiceClient client = SentryGenericServiceClientFactory.create(conf); + UserGroupInformation ugi = UserGroupInformation.getLoginUser(); + String requestorName = ugi.getShortUserName(); + + if (isCreateRole) { + command = new CreateRoleCmd(roleName, component); + } else if (isDropRole) { + command = new DropRoleCmd(roleName, component); + } else if (isAddRoleGroup) { + command = new AddRoleToGroupCmd(roleName, groupName, component); + } else if (isDeleteRoleGroup) { + command = new DeleteRoleFromGroupCmd(roleName, groupName, component); + } else if (isGrantPrivilegeRole) { + command = new GrantPrivilegeToRoleCmd(roleName, component, + privilegeStr, new KafkaTSentryPrivilegeConvertor(component, service)); + } else if (isRevokePrivilegeRole) { + command = new RevokePrivilegeFromRoleCmd(roleName, component, + privilegeStr, new KafkaTSentryPrivilegeConvertor(component, service)); + } else if (isListRole) { + command = new ListRolesCmd(groupName, component); + } else if (isListPrivilege) { + command = new ListPrivilegesByRoleCmd(roleName, component, + service, new KafkaTSentryPrivilegeConvertor(component, service)); + } + + // check the requestor name + if (StringUtils.isEmpty(requestorName)) { + // The exception message will be recorded in log file. 
+ throw new Exception("The requestor name is empty."); + } + + if (command != null) { + command.execute(client, requestorName); + } + } + + private Configuration getSentryConf() { + Configuration conf = new Configuration(); + conf.addResource(new Path(confPath)); + return conf; + } + + public static void main(String[] args) throws Exception { + SentryShellKafka sentryShell = new SentryShellKafka(); + try { + sentryShell.executeShell(args); + } catch (Exception e) { + LOGGER.error(e.getMessage(), e); + Throwable current = e; + // find the first printable message; + while (current != null && current.getMessage() == null) { + current = current.getCause(); + } + String error = ""; + if (current != null && current.getMessage() != null) { + error = "Message: " + current.getMessage(); + } + System.out.println("The operation failed. " + error); + System.exit(1); + } + } + +} diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java new file mode 100644 index 000000000..7d25ae11c --- /dev/null +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java 
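Review bot: In `run()` the empty-requestor check comes only after `SentryGenericServiceClientFactory.create(conf)` has opened the client and the command object has been built, and the client is never released afterwards. Moving the `StringUtils.isEmpty(requestorName)` check directly below `ugi.getShortUserName()` rejects the call before any connection exists. Wrapping the call as `try { command.execute(client, requestorName); } finally { client.close(); }` would release the connection, assuming the client interface exposes `close()`. The requestor name comes from the local login user and is passed on as a plain string, so the class Javadoc should say that the service must authenticate the caller for that name to be trusted; this is inferred from the hunk, which does not show the server side. `main()` also reports failures on `System.out`, where `System.err` would keep them out of piped command output.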
@@ -0,0 +1,540 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.sentry.provider.db.generic.tools; + +import com.google.common.collect.Sets; +import com.google.common.io.Files; +import org.apache.commons.io.FileUtils; +import org.apache.sentry.SentryUserException; +import org.apache.sentry.policy.kafka.KafkaPrivilegeValidator; +import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase; +import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; +import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole; +import org.apache.sentry.provider.db.tools.SentryShellCommon; +import org.apache.shiro.config.ConfigurationException; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; + +import java.io.ByteArrayOutputStream; +import java.io.File; +import java.io.FileOutputStream; +import java.io.PrintStream; +import java.util.Arrays; +import java.util.HashSet; +import java.util.Iterator; +import java.util.Set; + +import static org.junit.Assert.*; + +public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase { + private File confDir; + private File confPath; + private static String 
TEST_ROLE_NAME_1 = "testRole1"; + private static String TEST_ROLE_NAME_2 = "testRole2"; + private static String KAFKA = "KAFKA"; + private String requestorName = ""; + private String service = "kafka1"; + + @Before + public void prepareForTest() throws Exception { + confDir = Files.createTempDir(); + confPath = new File(confDir, "sentry-site.xml"); + if (confPath.createNewFile()) { + FileOutputStream to = new FileOutputStream(confPath); + conf.writeXml(to); + to.close(); + } + requestorName = System.getProperty("user.name", ""); + Set requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); + setLocalGroupMapping(requestorName, requestorUserGroupNames); + // add ADMIN_USER for the after() in SentryServiceIntegrationBase + setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames); + writePolicyFile(); + } + + @After + public void clearTestData() throws Exception { + FileUtils.deleteQuietly(confDir); + } + + @Test + public void testCreateDropRole() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + // test: create role with -cr + String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; + SentryShellKafka.main(args); + // test: create role with --create_role + args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf", + confPath.getAbsolutePath() }; + SentryShellKafka.main(args); + + // validate the result, list roles with -lr + args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() }; + SentryShellKafka sentryShell = new SentryShellKafka(); + Set roleNames = getShellResultWithOSRedirect(sentryShell, args, true); + validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2); + + // validate the result, list roles with --list_role + args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + roleNames = getShellResultWithOSRedirect(sentryShell, args, true); + 
validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2); + + // test: drop role with -dr + args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; + SentryShellKafka.main(args); + // test: drop role with --drop_role + args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf", + confPath.getAbsolutePath() }; + SentryShellKafka.main(args); + + // validate the result + Set roles = client.listAllRoles(requestorName, KAFKA); + assertEquals("Incorrect number of roles", 0, roles.size()); + } + }); + } + + @Test + public void testAddDeleteRoleForGroup() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + // Group names are case sensitive - mixed case names should work + String TEST_GROUP_1 = "testGroup1"; + String TEST_GROUP_2 = "testGroup2"; + String TEST_GROUP_3 = "testGroup3"; + + // create the role for test + client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA); + client.createRole(requestorName, TEST_ROLE_NAME_2, KAFKA); + // test: add role to group with -arg + String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf", + confPath.getAbsolutePath() }; + SentryShellKafka.main(args); + // test: add role to multiple groups + args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3, + "-conf", + confPath.getAbsolutePath() }; + SentryShellKafka.main(args); + // test: add role to group with --add_role_group + args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1, + "-conf", + confPath.getAbsolutePath() }; + SentryShellKafka.main(args); + + // validate the result list roles with -lr and -g + args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath() }; + SentryShellKafka sentryShell = new SentryShellKafka(); + Set roleNames = getShellResultWithOSRedirect(sentryShell, args, true); + validateRoleNames(roleNames, TEST_ROLE_NAME_1, 
TEST_ROLE_NAME_2); + + // list roles with --list_role and -g + args = new String[] { "--list_role", "-g", TEST_GROUP_2, "-conf", + confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + roleNames = getShellResultWithOSRedirect(sentryShell, args, true); + validateRoleNames(roleNames, TEST_ROLE_NAME_1); + + args = new String[] { "--list_role", "-g", TEST_GROUP_3, "-conf", + confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + roleNames = getShellResultWithOSRedirect(sentryShell, args, true); + validateRoleNames(roleNames, TEST_ROLE_NAME_1); + + // test: delete role from group with -drg + args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf", + confPath.getAbsolutePath() }; + SentryShellKafka.main(args); + // test: delete role to multiple groups + args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3, + "-conf", + confPath.getAbsolutePath() }; + SentryShellKafka.main(args); + // test: delete role from group with --delete_role_group + args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1, + "-conf", confPath.getAbsolutePath() }; + SentryShellKafka.main(args); + + // validate the result + Set roles = client.listRolesByGroupName(requestorName, TEST_GROUP_1, KAFKA); + assertEquals("Incorrect number of roles", 0, roles.size()); + roles = client.listRolesByGroupName(requestorName, TEST_GROUP_2, KAFKA); + assertEquals("Incorrect number of roles", 0, roles.size()); + roles = client.listRolesByGroupName(requestorName, TEST_GROUP_3, KAFKA); + assertEquals("Incorrect number of roles", 0, roles.size()); + // clear the test data + client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA); + client.dropRole(requestorName, TEST_ROLE_NAME_2, KAFKA); + } + }); + } + + @Test + public void testCaseSensitiveGroupName() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + + // create 
the role for test + client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA); + // add role to a group (lower case) + String[] args = {"-arg", "-r", TEST_ROLE_NAME_1, "-g", "group1", "-conf", + confPath.getAbsolutePath()}; + SentryShellKafka.main(args); + + // validate the roles when group name is same case as above + args = new String[]{"-lr", "-g", "group1", "-conf", confPath.getAbsolutePath()}; + SentryShellKafka sentryShell = new SentryShellKafka(); + Set roleNames = getShellResultWithOSRedirect(sentryShell, args, true); + validateRoleNames(roleNames, TEST_ROLE_NAME_1); + + // roles should be empty when group name is different case than above + args = new String[]{"-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath()}; + roleNames = getShellResultWithOSRedirect(sentryShell, args, true); + validateRoleNames(roleNames); + } + }); + } + + public static String grant(boolean shortOption) { + return shortOption ? "-gpr" : "--grant_privilege_role"; + } + + public static String revoke(boolean shortOption) { + return shortOption ? "-rpr" : "--revoke_privilege_role"; + } + + public static String list(boolean shortOption) { + return shortOption ? 
"-lp" : "--list_privilege"; + } + + private void assertGrantRevokePrivilege(final boolean shortOption) throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + // create the role for test + client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA); + client.createRole(requestorName, TEST_ROLE_NAME_2, KAFKA); + + String [] privs = { + "HOST=*->CLUSTER=kafka-cluster->action=read", + "HOST=h1->TOPIC=t1->action=write", + "HOST=*->CONSUMERGROUP=cg1->action=read", + }; + for (int i = 0; i < privs.length; ++i) { + // test: grant privilege to role + String [] args = new String [] { grant(shortOption), "-r", TEST_ROLE_NAME_1, "-p", + privs[ i ], + "-conf", confPath.getAbsolutePath() }; + SentryShellKafka.main(args); + } + + // test the list privilege + String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; + SentryShellKafka sentryShell = new SentryShellKafka(); + Set privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true); + + assertEquals("Incorrect number of privileges", privs.length, privilegeStrs.size()); + for (int i = 0; i < privs.length; ++i) { + assertTrue("Expected privilege: " + privs[i] + " in " + Arrays.toString(privilegeStrs.toArray()), privilegeStrs.contains(privs[i])); + } + + for (int i = 0; i < privs.length; ++i) { + args = new String[] { revoke(shortOption), "-r", TEST_ROLE_NAME_1, "-p", + privs[ i ], "-conf", + confPath.getAbsolutePath() }; + SentryShellKafka.main(args); + Set privileges = client.listPrivilegesByRoleName(requestorName, + TEST_ROLE_NAME_1, KAFKA, service); + assertEquals("Incorrect number of privileges. 
Received privileges: " + Arrays.toString(privileges.toArray()), privs.length - (i + 1), privileges.size()); + } + + // clear the test data + client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA); + client.dropRole(requestorName, TEST_ROLE_NAME_2, KAFKA); + } + }); + } + + + @Test + public void testGrantRevokePrivilegeWithShortOption() throws Exception { + assertGrantRevokePrivilege(true); + } + + @Test + public void testGrantRevokePrivilegeWithLongOption() throws Exception { + assertGrantRevokePrivilege(false); + } + + + @Test + public void testNegativeCaseWithInvalidArgument() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA); + // test: create duplicate role with -cr + String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; + SentryShellKafka sentryShell = new SentryShellKafka(); + try { + sentryShell.executeShell(args); + fail("Exception should be thrown for creating duplicate role"); + } catch (SentryUserException e) { + // expected exception + } catch (Exception e) { + fail ("Unexpected exception received. " + e); + } + + // test: drop non-exist role with -dr + args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + try { + sentryShell.executeShell(args); + fail("Exception should be thrown for dropping non-exist role"); + } catch (SentryUserException e) { + // excepted exception + } catch (Exception e) { + fail ("Unexpected exception received. 
" + e); + } + + // test: add non-exist role to group with -arg + args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf", + confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + try { + sentryShell.executeShell(args); + fail("Exception should be thrown for granting non-exist role to group"); + } catch (SentryUserException e) { + // excepted exception + } catch (Exception e) { + fail ("Unexpected exception received. " + e); + } + + // test: drop group from non-exist role with -drg + args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf", + confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + try { + sentryShell.executeShell(args); + fail("Exception should be thrown for drop group from non-exist role"); + } catch (SentryUserException e) { + // excepted exception + } catch (Exception e) { + fail ("Unexpected exception received. " + e); + } + + // test: grant privilege to role with the error privilege format + args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=all", + "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + try { + sentryShell.executeShell(args); + fail("Exception should be thrown for the error privilege format, invalid key value."); + } catch (IllegalArgumentException e) { + // excepted exception + } catch (Exception e) { + fail ("Unexpected exception received. " + e); + } + + // test: grant privilege to role with the error privilege hierarchy + args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", + "consumergroup=cg1->host=h1->action=create", "-conf", + confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + try { + sentryShell.executeShell(args); + fail("Exception should be thrown for the error privilege format, invalid key value."); + } catch (ConfigurationException e) { + // expected exception + } catch (Exception e) { + fail ("Unexpected exception received. 
" + e); + } + + // clear the test data + client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA); + } + }); + } + + @Test + public void testNegativeCaseWithoutRequiredArgument() throws Exception { + runTestAsSubject(new TestOperation() { + @Override + public void runTestAsSubject() throws Exception { + String strOptionConf = "conf"; + client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA); + // test: the conf is required argument + String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 }; + SentryShellKafka sentryShell = new SentryShellKafka(); + validateMissingParameterMsg(sentryShell, args, + SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf); + + // test: -r is required when create role + args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + validateMissingParameterMsg(sentryShell, args, + SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); + + // test: -r is required when drop role + args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + validateMissingParameterMsg(sentryShell, args, + SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); + + // test: -r is required when add role to group + args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + validateMissingParameterMsg(sentryShell, args, + SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); + + // test: -g is required when add role to group + args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + validateMissingParameterMsg(sentryShell, args, + SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME); + + // test: -r is required when delete role from group + args = new String[] { 
"-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + validateMissingParameterMsg(sentryShell, args, + SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); + + // test: -g is required when delete role from group + args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + validateMissingParameterMsg(sentryShell, args, + SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME); + + // test: -r is required when grant privilege to role + args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + validateMissingParameterMsg(sentryShell, args, + SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); + + // test: -p is required when grant privilege to role + args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + validateMissingParameterMsg(sentryShell, args, + SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE); + + // test: action is required in privilege + args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "host=*->topic=t1" }; + sentryShell = new SentryShellKafka(); + try { + getShellResultWithOSRedirect(sentryShell, args, false); + fail("Expected IllegalArgumentException"); + } catch (ConfigurationException e) { + assert(("Kafka privilege must end with a valid action.\n" + KafkaPrivilegeValidator.KafkaPrivilegeHelpMsg).equals(e.getMessage())); + } catch (Exception e) { + fail ("Unexpected exception received. 
" + e); + } + + // test: -r is required when revoke privilege from role + args = new String[] { "-rpr", "-p", "host=h1", "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + validateMissingParameterMsg(sentryShell, args, + SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME); + + // test: -p is required when revoke privilege from role + args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + validateMissingParameterMsg(sentryShell, args, + SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE); + + // test: command option is required for shell + args = new String[] {"-conf", confPath.getAbsolutePath() }; + sentryShell = new SentryShellKafka(); + validateMissingParameterMsgsContains(sentryShell, args, + SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[", + "-arg Add role to group", + "-cr Create role", + "-rpr Revoke privilege from role", + "-drg Delete role from group", + "-lr List role", + "-lp List privilege", + "-gpr Grant privilege to role", + "-dr Drop role"); + + // clear the test data + client.dropRole(requestorName, TEST_ROLE_NAME_1, KAFKA); + } + }); + } + + // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result. + private Set getShellResultWithOSRedirect(SentryShellKafka sentryShell, + String[] args, boolean expectedExecuteResult) throws Exception { + PrintStream oldOut = System.out; + ByteArrayOutputStream outContent = new ByteArrayOutputStream(); + System.setOut(new PrintStream(outContent)); + assertEquals(expectedExecuteResult, sentryShell.executeShell(args)); + Set resultSet = Sets.newHashSet(outContent.toString().split("\n")); + System.setOut(oldOut); + return resultSet; + } + + private void validateRoleNames(Set roleNames, String ... 
expectedRoleNames) { + if (expectedRoleNames != null && expectedRoleNames.length > 0) { + assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length, + expectedRoleNames.length, roleNames.size()); + Set lowerCaseRoles = new HashSet(); + for (String role : roleNames) { + lowerCaseRoles.add(role.toLowerCase()); + } + + for (String expectedRole : expectedRoleNames) { + assertTrue("Expected role: " + expectedRole, + lowerCaseRoles.contains(expectedRole.toLowerCase())); + } + } + } + + private void validateMissingParameterMsg(SentryShellKafka sentryShell, String[] args, + String expectedErrorMsg) throws Exception { + Set errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false); + assertTrue("Expected error message: " + expectedErrorMsg, errorMsgs.contains(expectedErrorMsg)); + } + + private void validateMissingParameterMsgsContains(SentryShellKafka sentryShell, String[] args, + String ... expectedErrorMsgsContains) throws Exception { + Set errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false); + boolean foundAllMessages = false; + Iterator it = errorMsgs.iterator(); + while (it.hasNext()) { + String errorMessage = it.next(); + boolean missingExpected = false; + for (String expectedContains : expectedErrorMsgsContains) { + if (!errorMessage.contains(expectedContains)) { + missingExpected = true; + break; + } + } + if (!missingExpected) { + foundAllMessages = true; + break; + } + } + assertTrue(foundAllMessages); + } +} From 00951b4774ee34c1eaf1a88fab02a866e6c1cf19 Mon Sep 17 00:00:00 2001 
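Review bot: `getShellResultWithOSRedirect` swaps `System.out` and restores it only on the success path, so a failing `assertEquals` or an exception from `executeShell` leaves stdout redirected for every later test in the JVM. Put the restore in a finally block: `try { ... } finally { System.setOut(oldOut); }`. The positive-path tests call `SentryShellKafka.main(args)`, which ends in `System.exit(1)` on any failure and would terminate the test JVM rather than fail the test; calling `executeShell(args)` and asserting its result avoids that. In the "action is required" case the check uses the Java `assert` keyword, which does nothing unless assertions are enabled, and the `fail` text names IllegalArgumentException while the catch expects ConfigurationException; `assertEquals` on the message would be dependable.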
From: hahao Date: Fri, 15 Apr 2016 17:35:19 -0700 Subject: [PATCH 07/18] SENTRY-1188: Fixes to get kerberos auth work. (Ashish K Singh, Reviewed by: Hao Hao) --- .../authorizer/SentryKafkaAuthorizer.java | 2 +- .../kafka/binding/KafkaAuthBinding.java | 66 ++++++++++++++++++- .../binding/KafkaAuthBindingSingleton.java | 5 +- .../sentry/kafka/conf/KafkaAuthConf.java | 8 ++- .../policy/kafka/KafkaWildcardPrivilege.java | 2 +- 5 files changed, 77 insertions(+), 6 deletions(-) diff --git a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/authorizer/SentryKafkaAuthorizer.java b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/authorizer/SentryKafkaAuthorizer.java index 3bce6cc40..03f7b7f5a 100644 --- a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/authorizer/SentryKafkaAuthorizer.java +++ b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/authorizer/SentryKafkaAuthorizer.java @@ -117,7 +117,7 @@ public void configure(java.util.Map configs) { } LOG.info("Configuring Sentry KafkaAuthorizer: " + sentry_site); final KafkaAuthBindingSingleton instance = KafkaAuthBindingSingleton.getInstance(); - instance.configure(this.kafkaServiceInstanceName, this.requestorName, sentry_site); + instance.configure(this.kafkaServiceInstanceName, this.requestorName, sentry_site, configs); this.binding = instance.getAuthBinding(); } diff --git a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java index 8f4a8c484..c6600a019 100644 --- a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java +++ b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java 
@@ -16,6 +16,7 @@ */ package org.apache.sentry.kafka.binding; +import java.io.IOException; import java.lang.reflect.Constructor; import java.util.ArrayList; import java.util.HashMap; @@ -34,6 +35,8 @@ import kafka.network.RequestChannel; import kafka.security.auth.Operation; import kafka.security.auth.Resource; +import org.apache.hadoop.security.SecurityUtil; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.kafka.common.KafkaException; import org.apache.kafka.common.security.auth.KafkaPrincipal; import org.apache.sentry.SentryUserException; @@ -55,6 +58,7 @@ import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable; import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege; import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole; +import org.apache.sentry.service.thrift.ServiceConstants; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import scala.Option; @@ -64,12 +68,16 @@ import scala.collection.JavaConversions; import scala.collection.immutable.Map; +import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION; + public class KafkaAuthBinding { private static final Logger LOG = LoggerFactory.getLogger(KafkaAuthBinding.class); private static final String COMPONENT_TYPE = AuthorizationComponent.KAFKA; private static final String COMPONENT_NAME = COMPONENT_TYPE; + private static Boolean kerberosInit; + private final Configuration authConf; private final AuthorizationProvider authProvider; private final KafkaActionFactory actionFactory = KafkaActionFactory.getInstance(); 
@@ -77,12 +85,14 @@ public class KafkaAuthBinding { private ProviderBackend providerBackend; private String instanceName; private String requestorName; + private java.util.Map kafkaConfigs; - public KafkaAuthBinding(String instanceName, String requestorName, Configuration authConf) throws Exception { + public KafkaAuthBinding(String instanceName, String requestorName, Configuration authConf, java.util.Map kafkaConfigs) throws Exception { this.instanceName = instanceName; this.requestorName = requestorName; this.authConf = authConf; + this.kafkaConfigs = kafkaConfigs; this.authProvider = createAuthProvider(); } 
@@ -118,6 +128,28 @@ private AuthorizationProvider createAuthProvider() throws Exception { + providerBackendName); } + // Initiate kerberos via UserGroupInformation if required + if (ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS.equals(authConf.get(ServiceConstants.ServerConfig.SECURITY_MODE)) + && kafkaConfigs != null) { + String keytabProp = kafkaConfigs.get(AuthzConfVars.AUTHZ_KEYTAB_FILE_NAME.getVar()).toString(); + String principalProp = kafkaConfigs.get(AuthzConfVars.AUTHZ_PRINCIPAL_NAME.getVar()).toString(); + if (keytabProp != null && principalProp != null) { + String actualHost = kafkaConfigs.get(AuthzConfVars.AUTHZ_PRINCIPAL_HOSTNAME.getVar()).toString(); + if (actualHost != null) { + principalProp = SecurityUtil.getServerPrincipal(principalProp, actualHost); + } + initKerberos(keytabProp, principalProp); + } else { + LOG.debug("Could not initialize Kerberos.\n" + + AuthzConfVars.AUTHZ_KEYTAB_FILE_NAME.getVar() + " set to " + kafkaConfigs.get(AuthzConfVars.AUTHZ_KEYTAB_FILE_NAME.getVar()).toString() + "\n" + + AuthzConfVars.AUTHZ_PRINCIPAL_NAME.getVar() + " set to " + kafkaConfigs.get(AuthzConfVars.AUTHZ_PRINCIPAL_NAME.getVar()).toString()); + } + } else { + LOG.debug("Could not initialize Kerberos as no kafka config provided. " + + AuthzConfVars.AUTHZ_KEYTAB_FILE_NAME.getVar() + " and " + AuthzConfVars.AUTHZ_PRINCIPAL_NAME.getVar() + + " are required configs to be able to initialize Kerberos"); + } + // Instantiate the configured providerBackend Constructor providerBackendConstructor = Class.forName(providerBackendName) 
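Review bot: The three `kafkaConfigs.get(...).toString()` calls added to createAuthProvider dereference the map value before the null checks that follow, so a missing keytab, principal or hostname key throws a NullPointerException and the `!= null` tests can never be false. The hostname looks optional from the `if (actualHost != null)` guard, yet its absence aborts the setup, and the inner else branch would hit the same NullPointerException while building its log message. Read the values as objects first and convert after the check, as in the excerpt below. The missing-setting case is logged at debug level only, so a broker configured for Kerberos would continue without a login and without a visible warning; `LOG.warn` (or failing configuration) seems more appropriate. The outer else message also fires when the security mode is simply not Kerberos, where "no kafka config provided" is misleading. createAuthProvider starts and ends outside this hunk.

```java
// … unchanged: security-mode check and kafkaConfigs != null guard …
Object keytabVal = kafkaConfigs.get(AuthzConfVars.AUTHZ_KEYTAB_FILE_NAME.getVar());
Object principalVal = kafkaConfigs.get(AuthzConfVars.AUTHZ_PRINCIPAL_NAME.getVar());
Object hostVal = kafkaConfigs.get(AuthzConfVars.AUTHZ_PRINCIPAL_HOSTNAME.getVar());
if (keytabVal != null && principalVal != null) {
  String principalProp = principalVal.toString();
  if (hostVal != null) {
    // hostname is optional: only expand the principal pattern when it is set
    principalProp = SecurityUtil.getServerPrincipal(principalProp, hostVal.toString());
  }
  initKerberos(keytabVal.toString(), principalProp);
} else {
  // placeholders tolerate null values, unlike string concatenation with toString()
  LOG.warn("Could not initialize Kerberos. {} set to {}, {} set to {}",
      AuthzConfVars.AUTHZ_KEYTAB_FILE_NAME.getVar(), keytabVal,
      AuthzConfVars.AUTHZ_PRINCIPAL_NAME.getVar(), principalVal);
}
// … unchanged: outer else branch and provider backend instantiation …
```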
@@ -495,4 +527,36 @@ private String getName(RequestChannel.Session session) { return principalName; } } + + /** + * Initialize kerberos via UserGroupInformation. Will only attempt to login + * during the first request, subsequent calls will have no effect. + */ + private void initKerberos(String keytabFile, String principal) { + if (keytabFile == null || keytabFile.length() == 0) { + throw new IllegalArgumentException("keytabFile required because kerberos is enabled"); + } + if (principal == null || principal.length() == 0) { + throw new IllegalArgumentException("principal required because kerberos is enabled"); + } + synchronized (KafkaAuthBinding.class) { + if (kerberosInit == null) { + kerberosInit = new Boolean(true); + // let's avoid modifying the supplied configuration, just to be conservative + final Configuration ugiConf = new Configuration(); + ugiConf.set(HADOOP_SECURITY_AUTHENTICATION, ServiceConstants.ServerConfig.SECURITY_MODE_KERBEROS); + UserGroupInformation.setConfiguration(ugiConf); + LOG.info( + "Attempting to acquire kerberos ticket with keytab: {}, principal: {} ", + keytabFile, principal); + try { + UserGroupInformation.loginUserFromKeytab(principal, keytabFile); + } catch (IOException ioe) { + throw new RuntimeException("Failed to login user with Principal: " + principal + + " and Keytab file: " + keytabFile, ioe); + } + LOG.info("Got Kerberos ticket"); + } + } + } } diff --git a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBindingSingleton.java b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBindingSingleton.java index a0007a3e3..6555dae39 100644 --- a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBindingSingleton.java +++ b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBindingSingleton.java 
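Review bot: In initKerberos the `kerberosInit` flag is set before `UserGroupInformation.loginUserFromKeytab` runs, so after a failed login the flag stays set and every later call returns without trying again, leaving the process with no Kerberos credentials until restart. Set the flag only once the login has succeeded, for example `kerberosInit = Boolean.TRUE;` placed after `LOG.info("Got Kerberos ticket");`, which also avoids `new Boolean(true)`. `UserGroupInformation.setConfiguration(ugiConf)` is a static call that affects Hadoop security settings for the whole JVM, not just this binding, and that deserves a comment next to it. The declaration of `kerberosInit` is outside this hunk.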
@@ -18,6 +18,7 @@ import java.net.MalformedURLException; import java.net.URL; +import java.util.Map; import org.apache.sentry.kafka.conf.KafkaAuthConf; import org.slf4j.Logger; @@ -56,10 +57,10 @@ private KafkaAuthConf loadAuthzConf(String sentry_site) { return kafkaAuthConf; } - public void configure(String instanceName, String requestorName, String sentry_site) { + public void configure(String instanceName, String requestorName, String sentry_site, Map kafkaConfigs) { try { kafkaAuthConf = loadAuthzConf(sentry_site); - binding = new KafkaAuthBinding(instanceName, requestorName, kafkaAuthConf); + binding = new KafkaAuthBinding(instanceName, requestorName, kafkaAuthConf, kafkaConfigs); log.info("KafkaAuthBinding created successfully"); } catch (Exception ex) { log.error("Unable to create KafkaAuthBinding", ex); diff --git a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/conf/KafkaAuthConf.java b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/conf/KafkaAuthConf.java index e0d767ec3..0a57e2e00 100644 --- a/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/conf/KafkaAuthConf.java +++ b/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/conf/KafkaAuthConf.java @@ -30,6 +30,9 @@ public class KafkaAuthConf extends Configuration { public static final String KAFKA_SUPER_USERS = "kafka.superusers"; public static final String KAFKA_SERVICE_INSTANCE_NAME = "sentry.kafka.service.instance"; public static final String KAFKA_SERVICE_USER_NAME = "sentry.kafka.service.user.name"; + public static final String KAFKA_PRINCIPAL_HOSTNAME = "sentry.kafka.principal.hostname"; + public static final String KAFKA_PRINCIPAL_NAME = "sentry.kafka.kerberos.principal"; + public static final String KAFKA_KEYTAB_FILE_NAME = "sentry.kafka.keytab.file"; /** * Config setting definitions 
@@ -40,7 +43,10 @@ public static enum AuthzConfVars { AUTHZ_PROVIDER_BACKEND("sentry.kafka.provider.backend", SentryGenericProviderBackend.class.getName()), AUTHZ_POLICY_ENGINE("sentry.kafka.policy.engine", SimpleKafkaPolicyEngine.class.getName()), AUTHZ_INSTANCE_NAME(KAFKA_SERVICE_INSTANCE_NAME, "kafka"), - AUTHZ_SERVICE_USER_NAME(KAFKA_SERVICE_USER_NAME, "kafka"); + AUTHZ_SERVICE_USER_NAME(KAFKA_SERVICE_USER_NAME, "kafka"), + AUTHZ_PRINCIPAL_HOSTNAME(KAFKA_PRINCIPAL_HOSTNAME, null), + AUTHZ_PRINCIPAL_NAME(KAFKA_PRINCIPAL_NAME, null), + AUTHZ_KEYTAB_FILE_NAME(KAFKA_KEYTAB_FILE_NAME, null); private final String varName; private final String defaultVal; diff --git a/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/KafkaWildcardPrivilege.java b/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/KafkaWildcardPrivilege.java index bc299b02e..6803a4656 100644 --- a/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/KafkaWildcardPrivilege.java +++ b/sentry-policy/sentry-policy-kafka/src/main/java/org/apache/sentry/policy/kafka/KafkaWildcardPrivilege.java @@ -121,7 +121,7 @@ private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) { if (KafkaActionConstant.actionName.equalsIgnoreCase(policyPart.getKey())) { // is action return policyPart.getValue().equalsIgnoreCase(KafkaActionConstant.ALL) || - policyPart.equals(requestPart); + policyPart.getValue().equalsIgnoreCase(requestPart.getValue()); } else { return policyPart.getValue().equals(requestPart.getValue()); } From 9d175cef62233108c60a0c17f7868c53a1a4b0f3 Mon Sep 17 00:00:00 2001 
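Review bot: In `impliesKeyValue` the action branch now compares only the two values, whereas the replaced `policyPart.equals(requestPart)` presumably compared the whole `KeyValue`; nothing in the visible lines checks that `requestPart` is an action part as well. If the start of the method (outside this hunk) does not already assert that both keys match, that check should be added here, and in either case a comment such as `// keys already verified equal; action names compare case-insensitively` would record the assumption. The else branch keeps a case-sensitive `equals`, which looks deliberate for resource names but is worth one line saying so. A unit test with a policy action and a request action that differ only in case would pin the new behaviour; none appears in the part of the patch shown here.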
From: hahao Date: Tue, 26 Apr 2016 18:02:29 -0700 Subject: [PATCH 08/18] SENTRY-1217: NPE for list_sentry_privileges_by_authorizable when activeRoleSet is not set (Hao Hao, Reviewed by: Lenni Kuff) --- .../thrift/SentryGenericPolicyProcessor.java | 25 ++++++++++++++----- .../TestPrivilegeOperatePersistence.java | 2 ++ .../TestSentryGenericPolicyProcessor.java | 12 ++++++++- 3 files changed, 32 insertions(+), 7 deletions(-) diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java index 58be24dd3..bff97ab8d 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java @@ -689,11 +689,12 @@ public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizabl requestedGroups = memberGroups; } - // Disallow non-admin to lookup roles that they are not part of + Set grantedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups)); + + // If activeRoleSet is not null, disallow non-admin to lookup roles that they are not part of. if (activeRoleSet != null && !activeRoleSet.isAll()) { - Set grantedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups)); - Set activeRoleNames = toTrimmedLower(activeRoleSet.getRoles()); + Set activeRoleNames = toTrimmedLower(activeRoleSet.getRoles()); for (String activeRole : activeRoleNames) { if (!grantedRoles.contains(activeRole)) { throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE 
@@ -703,18 +704,30 @@ public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizabl // For non-admin, valid active roles are intersection of active roles and granted roles. validActiveRoles.addAll(activeRoleSet.isAll() ? grantedRoles : Sets.intersection(activeRoleNames, grantedRoles)); + } else { + // For non-admin, if activeRoleSet is null, valid active roles would be the granted roles. + validActiveRoles.addAll(grantedRoles); } } else { Set allRoles = toTrimmedLower(store.getAllRoleNames()); - Set activeRoleNames = toTrimmedLower(activeRoleSet.getRoles()); + Set activeRoleNames = Sets.newHashSet(); + boolean isAllRoleSet = false; + + // If activeRoleSet (which is optional) is null, valid active role will be all roles. + if (activeRoleSet != null) { + activeRoleNames = toTrimmedLower(activeRoleSet.getRoles()); + isAllRoleSet = activeRoleSet.isAll(); + } else { + isAllRoleSet = true; + } // For admin, if requestedGroups are empty, valid active roles are intersection of active roles and all roles. // Otherwise, valid active roles are intersection of active roles and the roles of requestedGroups. if (requestedGroups == null || requestedGroups.isEmpty()) { - validActiveRoles.addAll(activeRoleSet.isAll() ? allRoles : Sets.intersection(activeRoleNames, allRoles)); + validActiveRoles.addAll(isAllRoleSet ? allRoles : Sets.intersection(activeRoleNames, allRoles)); } else { Set requestedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups)); - validActiveRoles.addAll(activeRoleSet.isAll() ? allRoles : Sets.intersection(activeRoleNames, requestedRoles)); + validActiveRoles.addAll(isAllRoleSet ? allRoles : Sets.intersection(activeRoleNames, requestedRoles)); } } 
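Review bot: In the admin branch a request that names `requestedGroups` but carries no role set (or an ALL role set) still receives `allRoles`, because both ternaries pick `allRoles` whenever `isAllRoleSet` is true, so the group filter is silently ignored. The second one should read `validActiveRoles.addAll(isAllRoleSet ? requestedRoles : Sets.intersection(activeRoleNames, requestedRoles));`. In the non-admin branch the new else also runs when `activeRoleSet.isAll()` is true, so its comment should say "null or ALL", and the `activeRoleSet.isAll() ? grantedRoles : …` ternary just above it can no longer take its first arm. The method body starts and ends outside this hunk.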
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java index 9cbd1bd98..deefefa72 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/persistent/TestPrivilegeOperatePersistence.java @@ -966,6 +966,8 @@ public void testGetPrivilegesByAuthorizable() throws Exception { assertEquals(0, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, null, Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))).size()); + assertEquals(1, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, Sets.newHashSet(roleName1), + Arrays.asList(new Collection(COLLECTION_NAME), new Field(FIELD_NAME))).size()); assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, Sets.newHashSet(roleName1), null).size()); assertEquals(2, sentryStore.getPrivilegesByAuthorizable(SEARCH, service1, diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java index 84eeb8216..cc0b28ecd 100644 --- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java 
@@ -300,17 +300,27 @@ public void testGetRolesAndPrivileges() throws Exception { assertEquals(Status.OK, fromTSentryStatus(response3.getStatus())); assertEquals(2, response3.getPrivileges().size()); + // Optional parameters activeRoleSet and requested group name are both provided. TListSentryPrivilegesByAuthRequest request4 = new TListSentryPrivilegesByAuthRequest(); request4.setGroups(Sets.newHashSet(groupName)); request4.setRoleSet(new TSentryActiveRoleSet(true, null)); request4.setRequestorUserName(ADMIN_USER); - Set authorizablesSet = Sets.newHashSet("Collection=c1->Field=f1"); request4.setAuthorizablesSet(authorizablesSet); TListSentryPrivilegesByAuthResponse response4 = processor.list_sentry_privileges_by_authorizable(request4); assertEquals(Status.OK, fromTSentryStatus(response4.getStatus())); assertEquals(1, response4.getPrivilegesMapByAuth().size()); + + // Optional parameters activeRoleSet and requested group name are both not provided. + TListSentryPrivilegesByAuthRequest request5 = new TListSentryPrivilegesByAuthRequest(); + request5.setRequestorUserName("not_" + ADMIN_USER); + authorizablesSet = Sets.newHashSet("Collection=c1->Field=f2"); + request5.setAuthorizablesSet(authorizablesSet); + + TListSentryPrivilegesByAuthResponse response5 = processor.list_sentry_privileges_by_authorizable(request5); + assertEquals(Status.OK, fromTSentryStatus(response5.getStatus())); + assertEquals(1, response5.getPrivilegesMapByAuth().size()); } @Test(expected=SentryConfigurationException.class) From 03d9f1775a7f7affb3716a079bd14d7b41ea74fd Mon Sep 17 00:00:00 2001 From: hahao Date: Tue, 26 Apr 2016 18:08:21 -0700 Subject: [PATCH 09/18] SENTRY-1198: Cherry-pick Sentry-589,1162,1188,1160,1217,1173 and update the change log --- CHANGELOG.txt | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 3639f0568..dd67022a0 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
@@ -25,7 +25,6 @@ Release Notes - Sentry - Version 1.7.0 * [SENTRY-930] - Improve TestDbDDLAuditLog for keep consistent with Hive metadata. * [SENTRY-931] - Improve TestDatabaseProvider for keep consistent with Hive metadata. * [SENTRY-987] - Move general (non specific handler) solr-sentry code to solr-sentry-core package - * [SENTRY-1004] - Create CommonPrivilege for external component * [SENTRY-1011] - Add Kafka binding * [SENTRY-1012] - Add core model for Kafka * [SENTRY-1013] - Add policy engine for Kafka @@ -33,18 +32,10 @@ Release Notes - Sentry - Version 1.7.0 * [SENTRY-1023] - Create an initial branch for CI * [SENTRY-1029] - Address review comments for Kafka model that came after patch got committed. * [SENTRY-1030] - Restrict Kafka Cluster authorizable to only have "kafka-cluster" as authorizable's name. - * [SENTRY-1042] - Create CommonPolicy for external component * [SENTRY-1056] - Get service name from Kafka's server properties. * [SENTRY-1057] - Add implementations for acls' CRUD - * [SENTRY-1089] - Move validator from sentry-policy-xxx to sentry-core-model-xxx - * [SENTRY-1090] - Improvement for CommonPrivilege - * [SENTRY-1091] - Create Model for specific components - * [SENTRY-1092] - Move Class KeyValue and PolicyConstants to sentry-core-common - * [SENTRY-1093] - Refactor the constructor of PolicyEngine * [SENTRY-1098] - Make Kafka dependency as provided * [SENTRY-1102] - Merge kafka branch into trunk - * [SENTRY-1103] - Authorizable names' case sensitivity must be decided by plugins - * [SENTRY-1104] - Add method in Privilege model to create privilege validators * [SENTRY-1113] - Fix test failures due to missing files. * [SENTRY-1126] - Create a email list for jira updates (issues@) * [SENTRY-1137] - Update hive dependence to 2.0.0 
@@ -57,12 +48,17 @@ Release Notes - Sentry - Version 1.7.0 * [SENTRY-1149] - Update committer list of Sentry * [SENTRY-1150] - Update the website svn directory * [SENTRY-1151] - Update source code host at sentry website + * [SENTRY-1152] - Update Sentry wiki after graduation * [SENTRY-1159] - Decouple datanucleus dependences for hive-binding V1 and V2 + * [SENTRY-1162] - Add shell for Sentry Kafka integration * [SENTRY-1163] - Enable Jenkins for Hive Authz2 * [SENTRY-1172] - Update mailing lists page with new issues@ list + * [SENTRY-1173] - Sentry TLP: Update pom.xml to new git location * [SENTRY-1186] - Sentry TLP: Update release download links on website + * [SENTRY-1188] - Fixes to get kerberos auth work. * [SENTRY-1191] - update history page of Sentry release * [SENTRY-1192] - Add SQL upgrade script for 1.7.0 + * [SENTRY-1202] - Sentry TLP: Other Common post graduation tasks ** Bug @@ -145,6 +141,7 @@ Release Notes - Sentry - Version 1.7.0 * [SENTRY-1157] - Fix Unit Tests TestAclsCrud&TestAuthorize failed * [SENTRY-1164] - Fix testCaseSensitivity test failure on a real cluster * [SENTRY-1169] - MetastorePlugin#renameAuthzObject log message prints oldpathname as newpathname + * [SENTRY-1217] - NPE for list_sentry_privileges_by_authorizable when activeRoleSet is not set ** Improvement @@ -179,6 +176,7 @@ Release Notes - Sentry - Version 1.7.0 ** New Feature + * [SENTRY-498] - Sentry integration with Hive authorization framework V2 * [SENTRY-749] - Create simple shell for sentry * [SENTRY-812] - Generate audit trail for Sentry generic model when authorization metadata change * [SENTRY-906] - Add concurrency sentry client tests From 23d7272c5dd2422c14b8efeca94d3a729a67a087 Mon Sep 17 00:00:00 2001 From: Sun Dapeng Date: Wed, 13 Apr 2016 10:05:17 +0800 Subject: [PATCH 10/18] SENTRY-1160: Enable dist for kafka-binding. (Dapeng Sun, reviewed by Hao Hao) --- sentry-dist/pom.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml index 827d165c1..449040bb1 100644 --- a/sentry-dist/pom.xml +++ b/sentry-dist/pom.xml @@ -46,6 +46,10 @@ limitations under the License. org.apache.sentry sentry-core-model-sqoop + + org.apache.sentry + sentry-core-model-kafka + org.apache.sentry sentry-binding-solr @@ -54,6 +58,10 @@ limitations under the License. org.apache.sentry sentry-binding-sqoop + + org.apache.sentry + sentry-binding-kafka + org.apache.sentry solr-sentry-core @@ -98,6 +106,10 @@ limitations under the License. org.apache.sentry sentry-policy-sqoop + + org.apache.sentry + sentry-policy-kafka + From 0f6b31b1a055c170032fa5b2e0f8369960fa0a02 Mon Sep 17 00:00:00 2001 From: hahao Date: Mon, 2 May 2016 13:34:37 -0700 Subject: [PATCH 11/18] SENTRY-1121: Update Jetty version (Colm O hEigeartaigh, Reviewed by:Sravya Tirukkovalur) --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 9ac4cdded..02c36f5be 100644 --- a/pom.xml +++ b/pom.xml @@ -74,7 +74,7 @@ limitations under the License. 1.1.0 1.8.8 3.0.1 - 7.6.16.v20140903 + 8.1.19.v20160209 2.5 4.10 0.9.2 From 40d387d1e8ac4cbe2af5ca874a7bc3d562966ddd Mon Sep 17 00:00:00 2001 From: hahao Date: Thu, 5 May 2016 13:26:54 -0700 Subject: [PATCH 12/18] SENTRY-1234: JDO exception for list_sentry_privileges_by_authorizable (Hao Hao, Reviewed by: Anne Yu) Change-Id: Ifb1d9810577bf687ba83be8d0807aee64550742a --- .../persistent/DelegateSentryStore.java | 22 +++++-- .../thrift/SentryGenericPolicyProcessor.java | 25 +++----- .../thrift/SentryGenericServiceClient.java | 20 ++++++ ...SentryGenericServiceClientDefaultImpl.java | 21 ++---- .../TestSentryGenericServiceIntegration.java | 64 +++++++++++++++++++ 5 files changed, 114 insertions(+), 38 deletions(-) 
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java index d51b3baf5..23f6a2ded 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java @@ -440,14 +440,15 @@ public Set getPrivilegesByAuthorizable(String component, Str service = toTrimmedLower(service); Set privileges = Sets.newHashSet(); + + if (validActiveRoles == null || validActiveRoles.isEmpty()) { + return privileges; + } + PersistenceManager pm = null; try { pm = openTransaction(); - if (validActiveRoles == null || validActiveRoles.size() == 0) { - return privileges; - } - Set mRoles = Sets.newHashSet(); for (String role : validActiveRoles) { MSentryRole mRole = getRole(role, pm); @@ -455,8 +456,19 @@ public Set getPrivilegesByAuthorizable(String component, Str mRoles.add(mRole); } } + //get the privileges - privileges.addAll(privilegeOperator.getPrivilegesByAuthorizable(component, service, mRoles, authorizables, pm)); + Set mSentryGMPrivileges = privilegeOperator.getPrivilegesByAuthorizable(component, service, mRoles, authorizables, pm); + + for (MSentryGMPrivilege mSentryGMPrivilege : mSentryGMPrivileges) { + /** + * force to load all roles related this privilege + * avoid the lazy-loading + */ + pm.retrieve(mSentryGMPrivilege); + privileges.add(mSentryGMPrivilege); + } + } finally { commitTransaction(pm); } 
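Review bot: The new loop calls `pm.retrieve(...)` once per privilege only to defeat lazy loading; JDO's `PersistenceManager.retrieveAll(Collection)` expresses the same intent in one call, e.g. `pm.retrieveAll(mSentryGMPrivileges); privileges.addAll(mSentryGMPrivileges);`. The explanation is written as a `/** … */` block inside the method body, where Javadoc ignores it; a `//` comment stating that the roles of each privilege must be loaded before the transaction commits would be clearer. getPrivilegesByAuthorizable starts before this hunk.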
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java index bff97ab8d..295228037 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericPolicyProcessor.java 
@@ -709,25 +709,18 @@ public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizabl
 validActiveRoles.addAll(grantedRoles);
 }
 } else {
- Set allRoles = toTrimmedLower(store.getAllRoleNames());
- Set activeRoleNames = Sets.newHashSet();
- boolean isAllRoleSet = false;
-
- // If activeRoleSet (which is optional) is null, valid active role will be all roles.
- if (activeRoleSet != null) {
- activeRoleNames = toTrimmedLower(activeRoleSet.getRoles());
- isAllRoleSet = activeRoleSet.isAll();
- } else {
- isAllRoleSet = true;
+ // For admin, if requestedGroups are empty, requested roles will be all roles.
+ Set requestedRoles = toTrimmedLower(store.getAllRoleNames());
+ if (requestedGroups != null && !requestedGroups.isEmpty()) {
+ requestedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups));
 }
- // For admin, if requestedGroups are empty, valid active roles are intersection of active roles and all roles.
- // Otherwise, valid active roles are intersection of active roles and the roles of requestedGroups.
- if (requestedGroups == null || requestedGroups.isEmpty()) {
- validActiveRoles.addAll(isAllRoleSet ? allRoles : Sets.intersection(activeRoleNames, allRoles));
+ // If activeRoleSet (which is optional) is not null, valid active role will be intersection
+ // of active roles and requested roles. Otherwise, valid active roles are the requested roles.
+ if (activeRoleSet != null && !activeRoleSet.isAll()) {
+ validActiveRoles.addAll(Sets.intersection(toTrimmedLower(activeRoleSet.getRoles()), requestedRoles));
 } else {
- Set requestedRoles = toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups));
- validActiveRoles.addAll(isAllRoleSet ? allRoles : Sets.intersection(activeRoleNames, requestedRoles));
+ validActiveRoles.addAll(requestedRoles);
 }
 }
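Review bot: `store.getAllRoleNames()` is now queried on every admin request and its result thrown away whenever `requestedGroups` is non-empty. Choosing the source first avoids the wasted store call: `Set requestedRoles = (requestedGroups == null || requestedGroups.isEmpty()) ? toTrimmedLower(store.getAllRoleNames()) : toTrimmedLower(store.getRolesByGroups(request.getComponent(), requestedGroups));` (types as shown on the page). The leading comment only describes the empty-groups case and should also say that a non-empty group list narrows the roles to those of the groups. The method starts and ends outside this hunk.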
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java index 60502895a..76ff15b91 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java @@ -18,6 +18,7 @@ package org.apache.sentry.provider.db.generic.service.thrift; import java.util.List; +import java.util.Map; import java.util.Set; import org.apache.sentry.SentryUserException; @@ -173,5 +174,24 @@ Set listPrivilegesForProvider(String component, String serviceName, ActiveRoleSet roleSet, Set groups, List authorizables) throws SentryUserException; + /** + * Get sentry privileges based on valid active roles and the authorize objects. Note that + * it is client responsibility to ensure the requestor username, etc. is not impersonated. + * + * @param component: The request respond to which component. + * @param serviceName: The name of service. + * @param requestorUserName: The requestor user name. + * @param authorizablesSet: The set of authorize objects. One authorize object is represented + * as a string. e.g resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3. + * @param groups: The requested groups. + * @param roleSet: The active roles set. + * + * @returns The mapping of authorize objects and TSentryPrivilegeMap(). + * @throws SentryUserException + */ + Map listPrivilegsbyAuthorizable(String component, + String serviceName, String requestorUserName, Set authorizablesSet, + Set groups, ActiveRoleSet roleSet) throws SentryUserException; + void close(); } 
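Review bot: The Javadoc added to the interface uses `@returns`, which is not a Javadoc tag, so the return description is lost in generated documentation; it should be `@return The mapping of authorize objects and TSentryPrivilegeMap().`, and the bare `@throws SentryUserException` needs a description. The sentence about it being the client's responsibility that the requestor username is not impersonated states a trust assumption and should say outright that `requestorUserName` is accepted as given and must come from an already authenticated identity. Declaring `listPrivilegsbyAuthorizable` on the public interface also makes the misspelt name permanent; a correctly spelt method with the old name kept as a deprecated alias would be safer for callers.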
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java index dce3dade7..74b6963ab 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.java @@ -24,7 +24,6 @@ import javax.security.auth.callback.CallbackHandler; -import com.google.common.collect.Sets; import org.apache.hadoop.conf.Configuration; import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION; import org.apache.hadoop.net.NetUtils; @@ -537,14 +536,6 @@ public Set listPrivilegesForProvider(String component, } } - private List fromAuthorizable(List authorizables) { - List tAuthorizables = Lists.newArrayList(); - for (Authorizable authorizable : authorizables) { - tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName())); - } - return tAuthorizables; - } - /** * Get sentry privileges based on valid active roles and the authorize objects. Note that * it is client responsibility to ensure the requestor username, etc. is not impersonated. 
@@ -552,8 +543,8 @@ private List fromAuthorizable(List author * @param component: The request respond to which component. * @param serviceName: The name of service. * @param requestorUserName: The requestor user name. - * @param authorizablesSet: The set of authorize objects. Represented as a string. e.g - * resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3. + * @param authorizablesSet: The set of authorize objects. One authorize object is represented + * as a string. e.g resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3. * @param groups: The requested groups. * @param roleSet: The active roles set. * @@ -561,20 +552,16 @@ private List fromAuthorizable(List author * @throws SentryUserException */ public Map listPrivilegsbyAuthorizable(String component, - String serviceName, String requestorUserName, Set> authorizablesSet, + String serviceName, String requestorUserName, Set authorizablesSet, Set groups, ActiveRoleSet roleSet) throws SentryUserException { - Set> authSet = Sets.newHashSet(); - for (List authorizables : authorizablesSet) { - authSet.add(fromAuthorizable(authorizables)); - } - TListSentryPrivilegesByAuthRequest request = new TListSentryPrivilegesByAuthRequest(); request.setProtocol_version(sentry_common_serviceConstants.TSENTRY_SERVICE_V2); request.setComponent(component); request.setServiceName(serviceName); request.setRequestorUserName(requestorUserName); + request.setAuthorizablesSet(authorizablesSet); if (groups == null) { request.setGroups(new HashSet()); diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java index fcf0e7b9d..e23050573 100644 
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java +++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericServiceIntegration.java @@ -23,6 +23,7 @@ import java.util.Arrays; import java.util.List; +import java.util.Map; import java.util.Set; import org.apache.sentry.SentryUserException; 
@@ -385,6 +386,69 @@ public void runTestAsSubject() throws Exception { }}); } + @Test + public void testGetPrivilegeByAuthorizable() throws Exception { + runTestAsSubject(new TestOperation(){ + @Override + public void runTestAsSubject() throws Exception { + String adminUser = ADMIN_USER; + Set adminGroup = Sets.newHashSet(ADMIN_GROUP); + String testRole = "role1"; + Set testGroup = Sets.newHashSet("group1"); + String testUser = "user1"; + setLocalGroupMapping(adminUser, adminGroup); + setLocalGroupMapping(testUser, testGroup); + writePolicyFile(); + + client.createRole(adminUser, testRole, SOLR); + client.addRoleToGroups(adminUser, testRole, SOLR, adminGroup); + + TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))), + SearchConstants.QUERY); + + TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1", + fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f2"))), + SearchConstants.UPDATE); + + client.grantPrivilege(adminUser, testRole, SOLR, queryPrivilege); + client.grantPrivilege(adminUser, testRole, SOLR, updatePrivilege); + + //test listPrivilegsbyAuthorizable without requested group and active role set. + assertEquals(1, client.listPrivilegsbyAuthorizable(SOLR, "service1", adminUser, + Sets.newHashSet(new String("Collection=c1->Field=f1")), null, null).size()); + + //test listPrivilegsbyAuthorizable with requested group (testGroup) + Map privilegeMap = client.listPrivilegsbyAuthorizable(SOLR, + "service1", adminUser, Sets.newHashSet(new String("Collection=c1->Field=f1")), testGroup, null); + TSentryPrivilegeMap actualMap = privilegeMap.get(new String("Collection=c1->Field=f1")); + assertEquals(0, actualMap.getPrivilegeMap().size()); + + //test listPrivilegsbyAuthorizable with active role set. 
+ ActiveRoleSet roleSet = ActiveRoleSet.ALL; + assertEquals(1, client.listPrivilegsbyAuthorizable(SOLR, "service1", adminUser, + Sets.newHashSet(new String("Collection=c1->Field=f1")), null, roleSet).size()); + privilegeMap = client.listPrivilegsbyAuthorizable(SOLR, + "service1", adminUser, Sets.newHashSet(new String("Collection=c1->Field=f1")), null, roleSet); + actualMap = privilegeMap.get(new String("Collection=c1->Field=f1")); + assertEquals(1, actualMap.getPrivilegeMap().size()); + + privilegeMap = client.listPrivilegsbyAuthorizable(SOLR, + "service1", testUser, Sets.newHashSet(new String("Collection=c1->Field=f1")), null, roleSet); + actualMap = privilegeMap.get(new String("Collection=c1->Field=f1")); + assertEquals(0, actualMap.getPrivilegeMap().size()); + + // grant tesRole to testGroup. + client.addRoleToGroups(adminUser, testRole, SOLR, testGroup); + + privilegeMap = client.listPrivilegsbyAuthorizable(SOLR, + "service1", testUser, Sets.newHashSet(new String("Collection=c1")), null, roleSet); + actualMap = privilegeMap.get(new String("Collection=c1")); + assertEquals(1, actualMap.getPrivilegeMap().size()); + assertEquals(2, actualMap.getPrivilegeMap().get(testRole).size()); + }}); + } + @Test public void testDropAndRenamePrivilege() throws Exception { runTestAsSubject(new TestOperation(){ From 735543e71d478f5bcd6be2b991ed26fc95abbb1b Mon Sep 17 00:00:00 2001 From: hahao Date: Wed, 1 Jun 2016 17:34:02 -0700 Subject: [PATCH 13/18] SENTRY-1227: Cherry-pick Sentry-1121, Sentry-1234 and updated the change log --- CHANGELOG.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index dd67022a0..9736115ea 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
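Review bot: testGetPrivilegeByAuthorizable exercises only permitted lookups; there is no case in which `testUser` passes an active role set naming a role it has not been granted, which is the path that should be refused by list_sentry_privileges_by_authorizable. A negative case of that kind would guard the role checks the processor hunks in this series rearrange. The `new String("Collection=c1->Field=f1")` wrappers are redundant, and a single local such as `String auth = "Collection=c1->Field=f1";` would read better. The comment `// grant tesRole to testGroup.` should say `testRole`.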
@@ -59,6 +59,7 @@ Release Notes - Sentry - Version 1.7.0 * [SENTRY-1191] - update history page of Sentry release * [SENTRY-1192] - Add SQL upgrade script for 1.7.0 * [SENTRY-1202] - Sentry TLP: Other Common post graduation tasks + * [SENTRY-1211] - Home page still has Incubator logo in footer ** Bug @@ -142,6 +143,7 @@ Release Notes - Sentry - Version 1.7.0 * [SENTRY-1164] - Fix testCaseSensitivity test failure on a real cluster * [SENTRY-1169] - MetastorePlugin#renameAuthzObject log message prints oldpathname as newpathname * [SENTRY-1217] - NPE for list_sentry_privileges_by_authorizable when activeRoleSet is not set + * [SENTRY-1234] - JDO exception for list_sentry_privileges_by_authorizable ** Improvement @@ -171,6 +173,7 @@ Release Notes - Sentry - Version 1.7.0 * [SENTRY-1078] - Add servlet for dumping configurations * [SENTRY-1088] - PathsUpdate should log invalid paths to make troubleshooting easier * [SENTRY-1119] - Allow data engines to specify the ActionFactory from configuration + * [SENTRY-1121] - Update Jetty version * [SENTRY-1135] - Remove deprecated junit.framework dependencies * [SENTRY-1136] - Remove /Ping and /HealthCheck from Sentry Service Webpage @@ -193,6 +196,7 @@ Release Notes - Sentry - Version 1.7.0 * [SENTRY-1032] - Implement group/role commands in solr shell * [SENTRY-1038] - More strict checking of SOLR actions in shell * [SENTRY-1047] - Use existing validators in SentryShellSolr + * [SENTRY-1110] - Apache Sentry 1.7.0 Release ** Test From 88de7174b6ec9efb57ca72d61c4cb811313a69a9 Mon Sep 17 00:00:00 2001 
From: Colm O hEigeartaigh Date: Wed, 13 Dec 2017 12:45:38 +0000 Subject: [PATCH 14/18] Updating versions to 1.7.1 --- pom.xml | 2 +- sentry-binding/pom.xml | 2 +- sentry-binding/sentry-binding-hive-common/pom.xml | 2 +- sentry-binding/sentry-binding-hive-v2/pom.xml | 2 +- sentry-binding/sentry-binding-hive/pom.xml | 2 +- sentry-binding/sentry-binding-kafka/pom.xml | 2 +- sentry-binding/sentry-binding-solr/pom.xml | 2 +- sentry-binding/sentry-binding-sqoop/pom.xml | 2 +- sentry-core/pom.xml | 2 +- sentry-core/sentry-core-common/pom.xml | 2 +- sentry-core/sentry-core-model-db/pom.xml | 2 +- sentry-core/sentry-core-model-indexer/pom.xml | 2 +- sentry-core/sentry-core-model-kafka/pom.xml | 2 +- sentry-core/sentry-core-model-search/pom.xml | 2 +- sentry-core/sentry-core-model-sqoop/pom.xml | 2 +- sentry-dist/pom.xml | 2 +- sentry-hdfs/pom.xml | 2 +- sentry-hdfs/sentry-hdfs-common/pom.xml | 2 +- sentry-hdfs/sentry-hdfs-dist/pom.xml | 2 +- sentry-hdfs/sentry-hdfs-namenode-plugin/pom.xml | 4 ++-- sentry-hdfs/sentry-hdfs-service/pom.xml | 2 +- sentry-policy/pom.xml | 2 +- sentry-policy/sentry-policy-common/pom.xml | 2 +- sentry-policy/sentry-policy-db/pom.xml | 2 +- sentry-policy/sentry-policy-indexer/pom.xml | 2 +- sentry-policy/sentry-policy-kafka/pom.xml | 2 +- sentry-policy/sentry-policy-search/pom.xml | 2 +- sentry-policy/sentry-policy-sqoop/pom.xml | 2 +- sentry-provider/pom.xml | 2 +- sentry-provider/sentry-provider-cache/pom.xml | 2 +- sentry-provider/sentry-provider-common/pom.xml | 2 +- sentry-provider/sentry-provider-db/pom.xml | 2 +- sentry-provider/sentry-provider-file/pom.xml | 2 +- sentry-solr/pom.xml | 2 +- sentry-solr/solr-sentry-core/pom.xml | 2 +- sentry-solr/solr-sentry-handlers/pom.xml | 2 +- sentry-tests/pom.xml | 2 +- sentry-tests/sentry-tests-hive-v2/pom.xml | 2 +- sentry-tests/sentry-tests-hive/pom.xml | 2 +- sentry-tests/sentry-tests-kafka/pom.xml | 2 +- sentry-tests/sentry-tests-solr/pom.xml | 2 +- sentry-tests/sentry-tests-sqoop/pom.xml | 2 +- 42 
files changed, 43 insertions(+), 43 deletions(-) diff --git a/pom.xml b/pom.xml index 02c36f5be..f901819e9 100644 --- a/pom.xml +++ b/pom.xml @@ -25,7 +25,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0 + 1.7.1 Sentry component Sentry pom diff --git a/sentry-binding/pom.xml b/sentry-binding/pom.xml index cd4d4e0f7..35ec26b72 100644 --- a/sentry-binding/pom.xml +++ b/sentry-binding/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0 + 1.7.1 sentry-binding diff --git a/sentry-binding/sentry-binding-hive-common/pom.xml b/sentry-binding/sentry-binding-hive-common/pom.xml index 4c30a345a..00472a809 100644 --- a/sentry-binding/sentry-binding-hive-common/pom.xml +++ b/sentry-binding/sentry-binding-hive-common/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-binding - 1.7.0 + 1.7.1 sentry-binding-hive-common diff --git a/sentry-binding/sentry-binding-hive-v2/pom.xml b/sentry-binding/sentry-binding-hive-v2/pom.xml index 12d0e63f7..c7a9b9d70 100644 --- a/sentry-binding/sentry-binding-hive-v2/pom.xml +++ b/sentry-binding/sentry-binding-hive-v2/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-binding - 1.7.0 + 1.7.1 sentry-binding-hive-v2 diff --git a/sentry-binding/sentry-binding-hive/pom.xml b/sentry-binding/sentry-binding-hive/pom.xml index bf87d7c6c..838734dcf 100644 --- a/sentry-binding/sentry-binding-hive/pom.xml +++ b/sentry-binding/sentry-binding-hive/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-binding - 1.7.0 + 1.7.1 sentry-binding-hive diff --git a/sentry-binding/sentry-binding-kafka/pom.xml b/sentry-binding/sentry-binding-kafka/pom.xml index 967eeddbe..1133dd348 100644 --- a/sentry-binding/sentry-binding-kafka/pom.xml +++ b/sentry-binding/sentry-binding-kafka/pom.xml @@ -23,7 +23,7 @@ limitations under the License. org.apache.sentry sentry-binding - 1.7.0 + 1.7.1 sentry-binding-kafka 
diff --git a/sentry-binding/sentry-binding-solr/pom.xml b/sentry-binding/sentry-binding-solr/pom.xml index 16a460366..54ed7f110 100644 --- a/sentry-binding/sentry-binding-solr/pom.xml +++ b/sentry-binding/sentry-binding-solr/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-binding - 1.7.0 + 1.7.1 sentry-binding-solr diff --git a/sentry-binding/sentry-binding-sqoop/pom.xml b/sentry-binding/sentry-binding-sqoop/pom.xml index 25a2e5992..a1d53e471 100644 --- a/sentry-binding/sentry-binding-sqoop/pom.xml +++ b/sentry-binding/sentry-binding-sqoop/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-binding - 1.7.0 + 1.7.1 sentry-binding-sqoop diff --git a/sentry-core/pom.xml b/sentry-core/pom.xml index 725762dde..fa3ed9cf7 100644 --- a/sentry-core/pom.xml +++ b/sentry-core/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0 + 1.7.1 sentry-core diff --git a/sentry-core/sentry-core-common/pom.xml b/sentry-core/sentry-core-common/pom.xml index 26b069ed9..9fc4e0f87 100644 --- a/sentry-core/sentry-core-common/pom.xml +++ b/sentry-core/sentry-core-common/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-core - 1.7.0 + 1.7.1 sentry-core-common diff --git a/sentry-core/sentry-core-model-db/pom.xml b/sentry-core/sentry-core-model-db/pom.xml index 93b01e6ac..ad0338b1c 100644 --- a/sentry-core/sentry-core-model-db/pom.xml +++ b/sentry-core/sentry-core-model-db/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-core - 1.7.0 + 1.7.1 sentry-core-model-db diff --git a/sentry-core/sentry-core-model-indexer/pom.xml b/sentry-core/sentry-core-model-indexer/pom.xml index 47b7be88e..6244dfcf2 100644 --- a/sentry-core/sentry-core-model-indexer/pom.xml +++ b/sentry-core/sentry-core-model-indexer/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-core - 1.7.0 + 1.7.1 sentry-core-model-indexer 
diff --git a/sentry-core/sentry-core-model-kafka/pom.xml b/sentry-core/sentry-core-model-kafka/pom.xml index 85648ca35..51024f5dc 100644 --- a/sentry-core/sentry-core-model-kafka/pom.xml +++ b/sentry-core/sentry-core-model-kafka/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-core - 1.7.0 + 1.7.1 sentry-core-model-kafka diff --git a/sentry-core/sentry-core-model-search/pom.xml b/sentry-core/sentry-core-model-search/pom.xml index 6111fb4a2..757564255 100644 --- a/sentry-core/sentry-core-model-search/pom.xml +++ b/sentry-core/sentry-core-model-search/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-core - 1.7.0 + 1.7.1 sentry-core-model-search diff --git a/sentry-core/sentry-core-model-sqoop/pom.xml b/sentry-core/sentry-core-model-sqoop/pom.xml index 3c5609e3a..24ebde3cf 100644 --- a/sentry-core/sentry-core-model-sqoop/pom.xml +++ b/sentry-core/sentry-core-model-sqoop/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-core - 1.7.0 + 1.7.1 sentry-core-model-sqoop diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml index 449040bb1..a3a7c968c 100644 --- a/sentry-dist/pom.xml +++ b/sentry-dist/pom.xml @@ -20,7 +20,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0 + 1.7.1 sentry-dist Sentry Distribution diff --git a/sentry-hdfs/pom.xml b/sentry-hdfs/pom.xml index 475edf595..f14cbfbae 100644 --- a/sentry-hdfs/pom.xml +++ b/sentry-hdfs/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0 + 1.7.1 sentry-hdfs diff --git a/sentry-hdfs/sentry-hdfs-common/pom.xml b/sentry-hdfs/sentry-hdfs-common/pom.xml index 28bfd04a4..451ed1fce 100644 --- a/sentry-hdfs/sentry-hdfs-common/pom.xml +++ b/sentry-hdfs/sentry-hdfs-common/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-hdfs - 1.7.0 + 1.7.1 sentry-hdfs-common 
diff --git a/sentry-hdfs/sentry-hdfs-dist/pom.xml b/sentry-hdfs/sentry-hdfs-dist/pom.xml index 2f2d399ba..ac537bd69 100644 --- a/sentry-hdfs/sentry-hdfs-dist/pom.xml +++ b/sentry-hdfs/sentry-hdfs-dist/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-hdfs - 1.7.0 + 1.7.1 sentry-hdfs-dist diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/pom.xml b/sentry-hdfs/sentry-hdfs-namenode-plugin/pom.xml index 25658a3c6..270c43edb 100644 --- a/sentry-hdfs/sentry-hdfs-namenode-plugin/pom.xml +++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-hdfs - 1.7.0 + 1.7.1 sentry-hdfs-namenode-plugin @@ -32,7 +32,7 @@ limitations under the License. org.apache.sentry sentry-hdfs-common - 1.7.0 + 1.7.1 junit diff --git a/sentry-hdfs/sentry-hdfs-service/pom.xml b/sentry-hdfs/sentry-hdfs-service/pom.xml index 67332c043..6a9b20092 100644 --- a/sentry-hdfs/sentry-hdfs-service/pom.xml +++ b/sentry-hdfs/sentry-hdfs-service/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-hdfs - 1.7.0 + 1.7.1 sentry-hdfs-service diff --git a/sentry-policy/pom.xml b/sentry-policy/pom.xml index d8d8311e5..7fa331a7b 100644 --- a/sentry-policy/pom.xml +++ b/sentry-policy/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0 + 1.7.1 sentry-policy diff --git a/sentry-policy/sentry-policy-common/pom.xml b/sentry-policy/sentry-policy-common/pom.xml index 6c2cd41f3..6d8ffd720 100644 --- a/sentry-policy/sentry-policy-common/pom.xml +++ b/sentry-policy/sentry-policy-common/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-policy - 1.7.0 + 1.7.1 sentry-policy-common diff --git a/sentry-policy/sentry-policy-db/pom.xml b/sentry-policy/sentry-policy-db/pom.xml index e4a366747..a4ff22af1 100644 --- a/sentry-policy/sentry-policy-db/pom.xml +++ b/sentry-policy/sentry-policy-db/pom.xml 
@@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-policy - 1.7.0 + 1.7.1 sentry-policy-db diff --git a/sentry-policy/sentry-policy-indexer/pom.xml b/sentry-policy/sentry-policy-indexer/pom.xml index e9961991e..59c0f9062 100644 --- a/sentry-policy/sentry-policy-indexer/pom.xml +++ b/sentry-policy/sentry-policy-indexer/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-policy - 1.7.0 + 1.7.1 sentry-policy-indexer diff --git a/sentry-policy/sentry-policy-kafka/pom.xml b/sentry-policy/sentry-policy-kafka/pom.xml index 97047c9fc..b95624ad6 100644 --- a/sentry-policy/sentry-policy-kafka/pom.xml +++ b/sentry-policy/sentry-policy-kafka/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-policy - 1.7.0 + 1.7.1 sentry-policy-kafka diff --git a/sentry-policy/sentry-policy-search/pom.xml b/sentry-policy/sentry-policy-search/pom.xml index c619b8890..19448a939 100644 --- a/sentry-policy/sentry-policy-search/pom.xml +++ b/sentry-policy/sentry-policy-search/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-policy - 1.7.0 + 1.7.1 sentry-policy-search diff --git a/sentry-policy/sentry-policy-sqoop/pom.xml b/sentry-policy/sentry-policy-sqoop/pom.xml index 0a4c5fcf5..14fad8cea 100644 --- a/sentry-policy/sentry-policy-sqoop/pom.xml +++ b/sentry-policy/sentry-policy-sqoop/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-policy - 1.7.0 + 1.7.1 sentry-policy-sqoop diff --git a/sentry-provider/pom.xml b/sentry-provider/pom.xml index 5e7d8abc3..04eaa0a52 100644 --- a/sentry-provider/pom.xml +++ b/sentry-provider/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0 + 1.7.1 sentry-provider diff --git a/sentry-provider/sentry-provider-cache/pom.xml b/sentry-provider/sentry-provider-cache/pom.xml index 8f5b8328d..9922b0647 100644 --- a/sentry-provider/sentry-provider-cache/pom.xml 
+++ b/sentry-provider/sentry-provider-cache/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-provider - 1.7.0 + 1.7.1 sentry-provider-cache diff --git a/sentry-provider/sentry-provider-common/pom.xml b/sentry-provider/sentry-provider-common/pom.xml index 119e05746..da2f5fc96 100644 --- a/sentry-provider/sentry-provider-common/pom.xml +++ b/sentry-provider/sentry-provider-common/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-provider - 1.7.0 + 1.7.1 sentry-provider-common diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml index 7193711ab..2aa6e91bf 100644 --- a/sentry-provider/sentry-provider-db/pom.xml +++ b/sentry-provider/sentry-provider-db/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-provider - 1.7.0 + 1.7.1 sentry-provider-db diff --git a/sentry-provider/sentry-provider-file/pom.xml b/sentry-provider/sentry-provider-file/pom.xml index 04096e3ee..3b84884bf 100644 --- a/sentry-provider/sentry-provider-file/pom.xml +++ b/sentry-provider/sentry-provider-file/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-provider - 1.7.0 + 1.7.1 sentry-provider-file diff --git a/sentry-solr/pom.xml b/sentry-solr/pom.xml index cf8a8a53f..c86d6adba 100644 --- a/sentry-solr/pom.xml +++ b/sentry-solr/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0 + 1.7.1 sentry-solr diff --git a/sentry-solr/solr-sentry-core/pom.xml b/sentry-solr/solr-sentry-core/pom.xml index d599ab293..168ca1c2d 100644 --- a/sentry-solr/solr-sentry-core/pom.xml +++ b/sentry-solr/solr-sentry-core/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-solr - 1.7.0 + 1.7.1 solr-sentry-core diff --git a/sentry-solr/solr-sentry-handlers/pom.xml b/sentry-solr/solr-sentry-handlers/pom.xml index 95f45e35d..a8e3aa9e0 100644 --- a/sentry-solr/solr-sentry-handlers/pom.xml 
+++ b/sentry-solr/solr-sentry-handlers/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-solr - 1.7.0 + 1.7.1 solr-sentry-handlers diff --git a/sentry-tests/pom.xml b/sentry-tests/pom.xml index cbdb3912d..ca63223ac 100644 --- a/sentry-tests/pom.xml +++ b/sentry-tests/pom.xml @@ -20,7 +20,7 @@ limitations under the License. org.apache.sentry sentry - 1.7.0 + 1.7.1 sentry-tests Sentry Tests diff --git a/sentry-tests/sentry-tests-hive-v2/pom.xml b/sentry-tests/sentry-tests-hive-v2/pom.xml index 6873d8c3f..4706fcb0e 100644 --- a/sentry-tests/sentry-tests-hive-v2/pom.xml +++ b/sentry-tests/sentry-tests-hive-v2/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-tests - 1.7.0 + 1.7.1 sentry-tests-hive-v2 Sentry Hive Tests v2 diff --git a/sentry-tests/sentry-tests-hive/pom.xml b/sentry-tests/sentry-tests-hive/pom.xml index 6c9e88879..0ed217045 100644 --- a/sentry-tests/sentry-tests-hive/pom.xml +++ b/sentry-tests/sentry-tests-hive/pom.xml @@ -21,7 +21,7 @@ limitations under the License. org.apache.sentry sentry-tests - 1.7.0 + 1.7.1 sentry-tests-hive Sentry Hive Tests diff --git a/sentry-tests/sentry-tests-kafka/pom.xml b/sentry-tests/sentry-tests-kafka/pom.xml index 99c1ca6ba..89db14c6f 100644 --- a/sentry-tests/sentry-tests-kafka/pom.xml +++ b/sentry-tests/sentry-tests-kafka/pom.xml @@ -21,7 +21,7 @@ limitations under the License. sentry-tests org.apache.sentry - 1.7.0 + 1.7.1 4.0.0 diff --git a/sentry-tests/sentry-tests-solr/pom.xml b/sentry-tests/sentry-tests-solr/pom.xml index 83715ea79..18673930d 100644 --- a/sentry-tests/sentry-tests-solr/pom.xml +++ b/sentry-tests/sentry-tests-solr/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-tests - 1.7.0 + 1.7.1 sentry-tests-solr diff --git a/sentry-tests/sentry-tests-sqoop/pom.xml b/sentry-tests/sentry-tests-sqoop/pom.xml index 9e327082c..5e8471fb9 100644 --- a/sentry-tests/sentry-tests-sqoop/pom.xml 
+++ b/sentry-tests/sentry-tests-sqoop/pom.xml @@ -22,7 +22,7 @@ limitations under the License. org.apache.sentry sentry-tests - 1.7.0 + 1.7.1 sentry-tests-sqoop From 4022de1ab31ee7dfca7bcc4798b8940db39a78f8 Mon Sep 17 00:00:00 2001 From: Colm O hEigeartaigh Date: Mon, 18 Dec 2017 10:55:54 +0000 Subject: [PATCH 15/18] SENTRY-2101 - Upgrade 1.7 branch to use libthrift 0.9.3. Colm O hEigeartaigh, reviewed by Sergio Pena. --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index f901819e9..bfe592acb 100644 --- a/pom.xml +++ b/pom.xml @@ -77,8 +77,8 @@ limitations under the License. 8.1.19.v20160209 2.5 4.10 - 0.9.2 - 0.9.2 + 0.9.3 + 0.9.3 1.2.16 1.7 2.9 From c95c8719719b570609d1a2b830f5284f7ee7ed9c Mon Sep 17 00:00:00 2001 From: Colm O hEigeartaigh Date: Mon, 18 Dec 2017 12:44:37 +0000 Subject: [PATCH 16/18] Updating year in NOTICE --- NOTICE.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NOTICE.txt b/NOTICE.txt index cb168ac1a..4b8c3b75d 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -1,5 +1,5 @@ Apache Sentry -Copyright 2016 The Apache Software Foundation +Copyright 2017 The Apache Software Foundation This product includes software developed at The Apache Software Foundation (http://www.apache.org/). From 81d094dd05c4527a0f1ef4f143d5be6835593466 Mon Sep 17 00:00:00 2001 From: Colm O hEigeartaigh Date: Mon, 18 Dec 2017 15:00:41 +0000 Subject: [PATCH 17/18] Adding release notes --- CHANGELOG.txt | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 9736115ea..274b02ff3 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -1,3 +1,10 @@ +Release Notes - Sentry - Version 1.7.1 + +** Improvement + + * [SENTRY-2101] - Upgrade 1.7 branch to use libthrift 0.9.3 + + Release Notes - Sentry - Version 1.7.0 ** Sub-task From e98bc77ca150c1e38a84384cec62a3c6a97837e2 Mon Sep 17 00:00:00 2001 
From: Colm O hEigeartaigh Date: Sun, 24 Dec 2017 13:40:22 +0000 Subject: [PATCH 18/18] Adding signing configuration --- pom.xml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/pom.xml b/pom.xml index bfe592acb..4356fea60 100644 --- a/pom.xml +++ b/pom.xml @@ -888,6 +888,33 @@ limitations under the License. ${basedir}/../../build-tools + + sign-artifacts + + + sign-artifacts + true + + + + + + org.apache.maven.plugins + maven-gpg-plugin + 1.6 + + + sign-artifacts + verify + + sign + + + + + + +
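Review bot: The new `sign-artifacts` profile binds the maven-gpg-plugin `sign` goal to the `verify` phase with no key selection visible in the hunk (the markup is stripped on this page, so this is inferred from the surviving text), which means the build would sign with whichever default GnuPG key the release machine has. I would document the expectation above the profile, e.g. `<!-- Release signing: enable with -Dsign-artifacts=true; set gpg.keyname to the release manager's published key -->`. It is also worth stating there that the passphrase should come from gpg-agent or an encrypted settings.xml entry rather than a command-line property, since command-line arguments end up in shell history and CI logs.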