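def config_validator(user):
    """Probe both Sentry API versions and report the ones that are unreachable.

    Args:
        user: the user whose credentials are used to build the API clients.

    Returns:
        A list of ``(name, message)`` tuples, one per unreachable API version;
        an empty list means both probes succeeded.  The original snippet
        accumulated into ``res`` but never returned it; this mirrors the
        complete ``config_validator`` elsewhere in this listing.
    """
    from libsentry.api import get_api
    from libsentry.api2 import get_api as get_api2

    res = []

    try:
        get_api(user).list_sentry_roles_by_group('*')
    except Exception:
        # Only reachability is reported; the exception detail is deliberately not surfaced.
        res.append(('%s: Sentry Service' % NICE_NAME, _("Failed to connect to Sentry API (version 1).")))

    try:
        get_api2(user).list_sentry_roles_by_group('*')
    except Exception:
        res.append(('%s: Sentry Service' % NICE_NAME, _("Failed to connect to Sentry API (version 2).")))

    return res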
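def drop_sentry_role(request):
    """Delete the Sentry role named in ``request.POST['roleName']``.

    Args:
        request: Django request; ``roleName`` is read from the POST body.

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.  The original never returned the
        ``result`` it built; the return matches the sibling views here.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        roleName = request.POST['roleName']
        get_api(request.user).drop_sentry_role(roleName)
        result['message'] = _('Role and privileges deleted.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not drop role")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)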
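def rename_sentry_privilege(request):
    """Rename a privilege from ``oldAuthorizable`` to ``newAuthorizable``.

    Both values are JSON documents read from ``request.POST``.

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.  The original built ``result``
        but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        oldAuthorizable = json.loads(request.POST['oldAuthorizable'])
        newAuthorizable = json.loads(request.POST['newAuthorizable'])
        get_api(request.user).rename_sentry_privilege(oldAuthorizable, newAuthorizable)
        # Message kept as in the original even though the operation is a rename.
        result['message'] = _('Privilege deleted.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not rename privilege")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)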
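def create_sentry_role(request):
    """Create the Sentry role named in ``request.POST['roleName']``.

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.  The original built ``result``
        but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        roleName = request.POST['roleName']
        get_api(request.user).create_sentry_role(roleName)
        result['message'] = _('Role and privileges created.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not create role")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)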
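def drop_sentry_role(request):
    """Delete the Sentry role named in ``request.POST["roleName"]``.

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.  The original built ``result``
        but never returned it.
    """
    result = {"status": -1, "message": "Error"}

    try:
        roleName = request.POST["roleName"]
        get_api(request.user).drop_sentry_role(roleName)
        result["message"] = _("Role and privileges deleted.")
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not drop role")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result["message"] = unicode(str(e), "utf8")

    return JsonResponse(result)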
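def rename_sentry_privilege(request):
    """Rename a privilege from ``oldAuthorizable`` to ``newAuthorizable`` (both JSON in POST).

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.  The original built ``result``
        but never returned it.
    """
    result = {"status": -1, "message": "Error"}

    try:
        oldAuthorizable = json.loads(request.POST["oldAuthorizable"])
        newAuthorizable = json.loads(request.POST["newAuthorizable"])
        get_api(request.user).rename_sentry_privilege(oldAuthorizable, newAuthorizable)
        # Message kept as in the original even though the operation is a rename.
        result["message"] = _("Privilege deleted.")
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not rename privilege")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result["message"] = unicode(str(e), "utf8")

    return JsonResponse(result)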
def drop_sentry_role(request):
    """Delete the Sentry role named in ``request.POST['roleName']``.

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.
    """
    outcome = {'status': -1, 'message': 'Error'}

    try:
        role_name = request.POST.get('roleName')
        api = get_api(request.user)
        api.drop_sentry_role(role_name)
        outcome['message'] = _('Role and privileges deleted.')
        outcome['status'] = 0
    except Exception as err:
        LOG.exception("could not drop role")
        # NOTE(review): the raw backend exception text is echoed to the client.
        outcome['message'] = str(err)

    return JsonResponse(outcome)
def rename_sentry_privilege(request):
    """Rename a privilege from ``oldAuthorizable`` to ``newAuthorizable`` (both JSON in POST).

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.
    """
    outcome = {'status': -1, 'message': 'Error'}

    try:
        old_authorizable = json.loads(request.POST.get('oldAuthorizable'))
        new_authorizable = json.loads(request.POST.get('newAuthorizable'))
        api = get_api(request.user)
        api.rename_sentry_privilege(old_authorizable, new_authorizable)
        # Message kept as in the original even though the operation is a rename.
        outcome['message'] = _('Privilege deleted.')
        outcome['status'] = 0
    except Exception as err:
        LOG.exception("could not rename privilege")
        # NOTE(review): the raw backend exception text is echoed to the client.
        outcome['message'] = str(err)

    return JsonResponse(outcome)
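def list_sentry_privileges_by_authorizable(request):
    """List privileges on one authorizable, optionally restricted to one group.

    Reads ``groupName`` (empty means no group filter) and the JSON
    ``authorizableHierarchy`` from ``request.POST``.  Each returned privilege
    dict is tagged with the ``roleName`` it was granted through.

    Returns:
        ``JsonResponse`` with ``privileges`` sorted by role name and
        ``status`` 0, or ``status`` -1 and the exception text in ``message``.
        The original built ``result`` but never returned it.
    """
    result = {"status": -1, "message": "Error"}

    try:
        groups = [request.POST["groupName"]] if request.POST["groupName"] else None
        authorizableSet = [json.loads(request.POST["authorizableHierarchy"])]

        _privileges = []
        listing = get_api(request.user).list_sentry_privileges_by_authorizable(
            authorizableSet=authorizableSet, groups=groups
        )
        for authorizable, roles in listing:
            for role, privileges in roles.iteritems():
                for privilege in privileges:
                    privilege["roleName"] = role
                    _privileges.append(privilege)

        result["privileges"] = sorted(_privileges, key=lambda privilege: privilege["roleName"])
        result["message"] = ""
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not list privileges by authorizable")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result["message"] = unicode(str(e), "utf8")

    return JsonResponse(result)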
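def create_role(request):
    """Create a role, grant its non-deleted privileges and attach its groups.

    The ``role`` JSON document in ``request.POST`` supplies ``name``,
    ``privileges`` (each with a ``status``) and ``groups``.

    Returns:
        ``JsonResponse`` with ``privileges``, ``role`` and ``status`` 0 on
        success, otherwise ``status`` -1 and the exception text in
        ``message``.  The original built ``result`` but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        role = json.loads(request.POST.get('role'))

        api = get_api(request.user)
        api.create_sentry_role(role['name'])

        privileges = [
            privilege for privilege in role['privileges']
            if privilege['status'] not in ('deleted', 'alreadydeleted')
        ]
        result['privileges'] = _hive_add_privileges(request.user, role, privileges)
        api.alter_sentry_role_add_groups(role['name'], role['groups'])

        result['role'] = {"name": role['name'], "groups": role['groups']}
        result['message'] = _('Role created!')
        result['status'] = 0
    except Exception as e:
        # A failure after create_sentry_role leaves a partially configured role behind.
        LOG.exception("could not create role")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)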
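def list_sentry_privileges_by_authorizable(request):
    """List privileges on one authorizable, optionally restricted to one group.

    Reads ``groupName`` (empty or absent means no group filter) and the JSON
    ``authorizableHierarchy`` from ``request.POST``.  Each returned privilege
    dict is tagged with the ``roleName`` it was granted through.

    Returns:
        ``JsonResponse`` with ``privileges`` sorted by role name and
        ``status`` 0, or ``status`` -1 and the exception text in ``message``.
        The original built ``result`` but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        groups = [request.POST.get('groupName')] if request.POST.get('groupName') else None
        authorizableSet = [json.loads(request.POST.get('authorizableHierarchy'))]

        _privileges = []
        listing = get_api(request.user).list_sentry_privileges_by_authorizable(
            authorizableSet=authorizableSet, groups=groups
        )
        for authorizable, roles in listing:
            for role, privileges in roles.iteritems():
                for privilege in privileges:
                    privilege['roleName'] = role
                    _privileges.append(privilege)

        result['privileges'] = sorted(_privileges, key=lambda privilege: privilege['roleName'])
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list privileges by authorizable")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)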
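def bulk_delete_privileges(request):
    """Drop the privileges for every path in ``checkedPaths``.

    ``checkedPaths`` (a JSON list of ``{"path": ...}``) and the JSON
    ``authorizableHierarchy`` are read from ``request.POST``.  Each path is
    split into db/table/column by ``_get_splitted_path`` and merged into the
    hierarchy before the revoke call.

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.  The original built ``result``
        but never returned it.
    """
    result = {"status": -1, "message": "Error"}

    try:
        checkedPaths = json.loads(request.POST["checkedPaths"])
        authorizableHierarchy = json.loads(request.POST["authorizableHierarchy"])

        api = get_api(request.user)
        for path in [path["path"] for path in checkedPaths]:
            db, table, column = _get_splitted_path(path)
            # The same dict is reused across iterations; each path overwrites the previous keys.
            authorizableHierarchy.update({"db": db, "table": table, "column": column})
            api.drop_sentry_privileges(authorizableHierarchy)

        # A failure part-way through leaves the earlier paths already revoked.
        result["message"] = _("Privileges deleted.")
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not bulk delete privileges")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result["message"] = unicode(str(e), "utf8")

    return JsonResponse(result)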
def config_validator(user):
    """Probe both Sentry API versions and report the ones that are unreachable.

    Args:
        user: the user whose credentials are used to build the API clients.

    Returns:
        A list of ``(name, message)`` tuples, one per unreachable API version;
        an empty list means both probes succeeded.
    """
    from libsentry.api import get_api
    from libsentry.api2 import get_api as get_api2

    problems = []
    service_label = '%s: Sentry Service' % NICE_NAME

    probes = (
        (lambda: get_api(user), _("Failed to connect to Sentry API (version 1).")),
        (lambda: get_api2(user), _("Failed to connect to Sentry API (version 2).")),
    )
    for build_client, failure_message in probes:
        try:
            build_client().list_sentry_roles_by_group('*')
        except Exception:
            # Only reachability is reported; the exception detail is deliberately not surfaced.
            problems.append((service_label, failure_message))

    return problems
def setUp(self):
    """Build a non-superuser client, grant it access to libsentry, and create the checker under test."""
    username = "******"
    self.client = make_logged_in_client(username=username, groupname="test", recreate=True, is_superuser=False)
    self.user = User.objects.get(username=username)
    grant_access("test", "test", "libsentry")
    self.api = get_api(self.user)
    self.checker = PrivilegeChecker(user=self.user, api=self.api)
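def list_sentry_privileges_by_role(request):
    """List the privileges granted to ``request.POST['roleName']``.

    Returns:
        ``JsonResponse`` with ``sentry_privileges`` sorted by
        ``database.table`` and ``status`` 0, or ``status`` -1 and the
        exception text in ``message``.  The original built ``result`` but
        never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        roleName = request.POST['roleName']
        sentry_privileges = get_api(request.user).list_sentry_privileges_by_role(roleName)
        result['sentry_privileges'] = sorted(
            sentry_privileges,
            key=lambda privilege: '%s.%s' % (privilege['database'], privilege['table'])
        )
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list sentry privileges")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)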
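def list_sentry_roles_by_group(request):
    """List roles for ``request.POST['groupName']`` (empty means no group filter).

    Returns:
        ``JsonResponse`` with ``roles`` sorted by name and ``status`` 0, or
        ``status`` -1 and the exception text in ``message``.  The original
        built ``result`` but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        groupName = request.POST['groupName'] if request.POST['groupName'] else None
        roles = get_api(request.user).list_sentry_roles_by_group(groupName)
        result['roles'] = sorted(roles, key=lambda role: role['name'])
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not retrieve roles")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)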
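def bulk_delete_privileges(request):
    """Drop the privileges for every path in ``checkedPaths``.

    ``checkedPaths`` (a JSON list of ``{"path": ...}``) and the JSON
    ``authorizableHierarchy`` are read from ``request.POST``.  Each path is
    split into db/table/column by ``_get_splitted_path`` and merged into the
    hierarchy before the revoke call.

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.  The original built ``result``
        but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        checkedPaths = json.loads(request.POST['checkedPaths'])
        authorizableHierarchy = json.loads(request.POST['authorizableHierarchy'])

        api = get_api(request.user)
        for path in [path['path'] for path in checkedPaths]:
            db, table, column = _get_splitted_path(path)
            # The same dict is reused across iterations; each path overwrites the previous keys.
            authorizableHierarchy.update({
                'db': db,
                'table': table,
                'column': column,
            })
            api.drop_sentry_privileges(authorizableHierarchy)

        # A failure part-way through leaves the earlier paths already revoked.
        result['message'] = _('Privileges deleted.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not bulk delete privileges")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)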
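def test_ha_failover_all_bad(self):
    """Both API versions must raise PopupException when every RPC host is unreachable."""
    # Test with all bad hosts
    xml = self._sentry_site_xml(rpc_addresses='bad-host-1:8039,bad-host-2', rpc_port=self.rpc_port)
    # Write via a context manager so the handle is flushed and closed before
    # sentry_site re-reads the file (the original never closed it).
    with open(os.path.join(self.tmpdir, 'sentry-site.xml'), 'w') as site_file:
        site_file.write(xml)
    sentry_site.reset()

    api = get_api(self.user)
    assert_equal('bad-host-1:8039,bad-host-2', ','.join(sentry_site.get_sentry_server_rpc_addresses()))
    assert_raises(PopupException, api.list_sentry_roles_by_group, '*')

    api2 = get_api2(self.user, 'solr')
    assert_raises(PopupException, api2.list_sentry_roles_by_group, '*')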
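def bulk_delete_privileges(request):
    """Drop the privileges for every ``db`` or ``db.table`` path in ``checkedPaths``.

    ``checkedPaths`` (a JSON list of ``{"path": ...}``) and the JSON
    ``authorizableHierarchy`` are read from ``request.POST``.  A path with a
    dot is split into db/table; one without is treated as a database.  A path
    with more than one dot fails the two-way unpack and is reported as an
    error, as in the original.

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.  The original built ``result``
        but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        checkedPaths = json.loads(request.POST['checkedPaths'])
        authorizableHierarchy = json.loads(request.POST['authorizableHierarchy'])

        api = get_api(request.user)
        for path in [path['path'] for path in checkedPaths]:
            if '.' in path:
                db, table = path.split('.')
            else:
                db, table = path, ''
            # The same dict is reused across iterations; each path overwrites the previous keys.
            authorizableHierarchy.update({
                'db': db,
                'table': table,
            })
            api.drop_sentry_privileges(authorizableHierarchy)

        # A failure part-way through leaves the earlier paths already revoked.
        result['message'] = _('Privileges deleted.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not bulk delete privileges")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)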
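def list_sentry_privileges_by_authorizable(request):
    """List, per role visible to a group, the privileges on one authorizable.

    Reads ``groupName`` (empty means no group filter), the JSON ``roleSet``
    (parsed but not used) and the JSON ``authorizableHierarchy`` from
    ``request.POST``.  Each privilege is tagged with its ``roleName``.

    Returns:
        ``JsonResponse`` with ``privileges`` sorted by role name and
        ``status`` 0, or ``status`` -1 and the exception text in ``message``.
        The original built ``result`` but never returned it, and rebuilt the
        API client on every loop iteration; one client is now reused.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        groupName = request.POST['groupName'] if request.POST['groupName'] else None
        roleSet = json.loads(request.POST['roleSet'])
        authorizableHierarchy = json.loads(request.POST['authorizableHierarchy'])

        api = get_api(request.user)
        privileges = []
        roles = api.list_sentry_roles_by_group(groupName=groupName)
        for role in roles:
            for privilege in api.list_sentry_privileges_by_role(role['name'], authorizableHierarchy=authorizableHierarchy):
                privilege['roleName'] = role['name']
                privileges.append(privilege)

        result['privileges'] = sorted(privileges, key=lambda privilege: privilege['roleName'])
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list privileges by authorizable")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)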
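def list_sentry_privileges_for_provider(request):
    """Forward a provider privilege query to the Sentry API.

    ``groups``, ``roleSet`` and ``authorizableHierarchy`` are JSON documents
    read from ``request.POST`` and passed through unchanged.

    Returns:
        ``JsonResponse`` with ``sentry_privileges`` and ``status`` 0, or
        ``status`` -1 and the exception text in ``message``.  The original
        built ``result`` but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        groups = json.loads(request.POST['groups'])
        roleSet = json.loads(request.POST['roleSet'])
        authorizableHierarchy = json.loads(request.POST['authorizableHierarchy'])

        sentry_privileges = get_api(request.user).list_sentry_privileges_for_provider(
            groups=groups, roleSet=roleSet, authorizableHierarchy=authorizableHierarchy
        )

        result['sentry_privileges'] = sentry_privileges
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list privileges for provider")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)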
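def list_sentry_privileges_by_authorizable(request):
    """List privileges matching the db (and optional table) of ``authorizableHierarchy``.

    ``groups`` and ``roleSet`` are parsed from ``request.POST`` but not used;
    every role is listed and filtered client-side by ``database`` and
    ``table``.  Each matching privilege is tagged with its ``roleName``.

    Returns:
        ``JsonResponse`` with ``privileges`` (unsorted) and ``status`` 0, or
        ``status`` -1 and the exception text in ``message``.  The original
        built ``result`` but never returned it, and rebuilt the API client
        on every loop iteration; one client is now reused.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        groups = json.loads(request.POST['groups'])
        roleSet = json.loads(request.POST['roleSet'])
        authorizableHierarchy = json.loads(request.POST['authorizableHierarchy'])

        api = get_api(request.user)
        privileges = []
        roles = api.list_sentry_roles_by_group()
        for role in roles:
            for privilege in api.list_sentry_privileges_by_role(role['name']):
                # authorizableHierarchy not working here? (original note: the server-side
                # filter is not used, so the match is done locally)
                table_matches = 'table' not in authorizableHierarchy or privilege['table'] == authorizableHierarchy['table']
                if privilege['database'] == authorizableHierarchy['db'] and table_matches:
                    privilege['roleName'] = role['name']
                    privileges.append(privilege)

        result['privileges'] = privileges
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list privileges by authorizable")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)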
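def list_sentry_roles_by_group(request):
    """List roles for ``request.POST['groupName']``, or a scope derived from the caller.

    When no group is given, members of the configured Sentry admin groups
    query with ``None`` (all roles) and everyone else with ``'*'`` (per the
    original comment, only the caller's own groups -- the meaning of ``'*'``
    is defined by the API, not here).

    Returns:
        ``JsonResponse`` with ``roles`` sorted by name and ``status`` 0, or
        ``status`` -1 and the exception text in ``message``.  The original
        built ``result`` but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        if request.POST['groupName']:
            groupName = request.POST['groupName']
        else:
            # Admins can see everything, others only the groups they belong to
            is_admin = request.user.groups.filter(name__in=get_sentry_server_admin_groups()).exists()
            groupName = None if is_admin else '*'

        roles = get_api(request.user).list_sentry_roles_by_group(groupName)
        result['roles'] = sorted(roles, key=lambda role: role['name'])
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not retrieve roles")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)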
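def test_no_rpc_hosts(self):
    """With no RPC hosts configured, HA is off and both API versions fall back to HOSTNAME/port."""
    # Test with no rpc hosts and fallback to hostname and port
    xml = self._sentry_site_xml(rpc_addresses='')
    # Write via a context manager so the handle is flushed and closed before
    # sentry_site re-reads the file (the original never closed it).
    with open(os.path.join(self.tmpdir, 'sentry-site.xml'), 'w') as site_file:
        site_file.write(xml)
    sentry_site.reset()

    api = get_api(self.user)
    assert_false(sentry_site.is_ha_enabled(), sentry_site.get_sentry_server_rpc_addresses())
    assert_true(is_enabled() and HOSTNAME.get() and HOSTNAME.get() != 'localhost')

    resp = api.list_sentry_roles_by_group(groupName='*')
    assert_true(isinstance(resp, list))

    api2 = get_api2(self.user, 'solr')
    resp = api2.list_sentry_roles_by_group(groupName='*')
    assert_true(isinstance(resp, list))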
def list_sentry_privileges_by_role(request):
    """List the privileges granted to ``request.POST['roleName']``.

    Returns:
        ``JsonResponse`` with ``sentry_privileges`` sorted by
        ``server.database.table.URI`` and ``status`` 0, or ``status`` -1 and
        the exception text in ``message``.
    """
    outcome = {'status': -1, 'message': 'Error'}

    def sort_key(privilege):
        return '%s.%s.%s.%s' % (privilege['server'], privilege['database'], privilege['table'], privilege['URI'])

    try:
        role_name = request.POST.get('roleName')
        api = get_api(request.user)
        granted = api.list_sentry_privileges_by_role(role_name)
        outcome['sentry_privileges'] = sorted(granted, key=sort_key)
        outcome['message'] = ''
        outcome['status'] = 0
    except Exception as err:
        LOG.exception("could not list sentry privileges")
        # NOTE(review): the raw backend exception text is echoed to the client.
        outcome['message'] = str(err)

    return JsonResponse(outcome)
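def test_ha_failover_good_bad_bad(self):
    """Both API versions must still answer when the good host is listed before two bad ones."""
    # Test with good-host,bad-host-1,bad-host-2
    addresses = '%s,bad-host-1,bad-host-2' % self.rpc_addresses
    xml = self._sentry_site_xml(rpc_addresses=addresses)
    # Write via a context manager so the handle is flushed and closed before
    # sentry_site re-reads the file (the original never closed it).
    with open(os.path.join(self.tmpdir, 'sentry-site.xml'), 'w') as site_file:
        site_file.write(xml)
    sentry_site.reset()

    api = get_api(self.user)
    assert_equal(addresses, ','.join(sentry_site.get_sentry_server_rpc_addresses()))

    resp = api.list_sentry_roles_by_group(groupName='*')
    assert_true(isinstance(resp, list))

    api2 = get_api2(self.user, 'solr')
    resp = api2.list_sentry_roles_by_group(groupName='*')
    assert_true(isinstance(resp, list))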
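def list_sentry_privileges_by_role(request):
    """List the privileges granted to ``request.POST["roleName"]``.

    Returns:
        ``JsonResponse`` with ``sentry_privileges`` sorted by
        ``server.database.table.URI`` and ``status`` 0, or ``status`` -1 and
        the exception text in ``message``.  The original built ``result``
        but never returned it.
    """
    result = {"status": -1, "message": "Error"}

    try:
        roleName = request.POST["roleName"]
        sentry_privileges = get_api(request.user).list_sentry_privileges_by_role(roleName)
        result["sentry_privileges"] = sorted(
            sentry_privileges,
            key=lambda privilege: "%s.%s.%s.%s" % (privilege["server"], privilege["database"], privilege["table"], privilege["URI"]),
        )
        result["message"] = ""
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not list sentry privileges")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result["message"] = unicode(str(e), "utf8")

    return JsonResponse(result)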
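def create_role(request):
    """Create a role, grant all its listed privileges and attach its groups.

    The ``role`` JSON document in ``request.POST`` supplies ``name``,
    ``privileges`` and ``groups``.  Unlike the sibling ``create_role``
    variants, no status filtering is applied to ``privileges`` here.

    Returns:
        ``JsonResponse`` with ``privileges``, ``role`` (including the
        calling username as ``grantorPrincipal``) and ``status`` 0, or
        ``status`` -1 and the exception text in ``message``.  The original
        built ``result`` but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        role = json.loads(request.POST['role'])

        api = get_api(request.user)
        api.create_sentry_role(role['name'])

        result['privileges'] = _hive_add_privileges(request.user, role, role['privileges'])
        api.alter_sentry_role_add_groups(role['name'], role['groups'])

        result['role'] = {"name": role['name'], "groups": role['groups'], "grantorPrincipal": request.user.username}
        result['message'] = _('Role created!')
        result['status'] = 0
    except Exception as e:
        # A failure after create_sentry_role leaves a partially configured role behind.
        LOG.exception("could not create role")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)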
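def list_sentry_privileges_for_provider(request):
    """Forward a provider privilege query to the Sentry API.

    ``groups``, ``roleSet`` and ``authorizableHierarchy`` are JSON documents
    read from ``request.POST`` and passed through unchanged.

    Returns:
        ``JsonResponse`` with ``sentry_privileges`` and ``status`` 0, or
        ``status`` -1 and the exception text in ``message``.  The original
        built ``result`` but never returned it.
    """
    result = {"status": -1, "message": "Error"}

    try:
        groups = json.loads(request.POST["groups"])
        roleSet = json.loads(request.POST["roleSet"])
        authorizableHierarchy = json.loads(request.POST["authorizableHierarchy"])

        sentry_privileges = get_api(request.user).list_sentry_privileges_for_provider(
            groups=groups, roleSet=roleSet, authorizableHierarchy=authorizableHierarchy
        )

        result["sentry_privileges"] = sentry_privileges
        result["message"] = ""
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not list privileges for provider")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result["message"] = unicode(str(e), "utf8")

    return JsonResponse(result)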
def list_sentry_privileges_for_provider(request):
    """Forward a provider privilege query to the Sentry API.

    ``groups``, ``roleSet`` and ``authorizableHierarchy`` are JSON documents
    read from ``request.POST`` and passed through unchanged.

    Returns:
        ``JsonResponse`` with ``sentry_privileges`` and ``status`` 0, or
        ``status`` -1 and the exception text in ``message``.
    """
    outcome = {'status': -1, 'message': 'Error'}

    try:
        post = request.POST
        query = {
            'groups': json.loads(post.get('groups')),
            'roleSet': json.loads(post.get('roleSet')),
            'authorizableHierarchy': json.loads(post.get('authorizableHierarchy')),
        }
        api = get_api(request.user)
        outcome['sentry_privileges'] = api.list_sentry_privileges_for_provider(**query)
        outcome['message'] = ''
        outcome['status'] = 0
    except Exception as err:
        LOG.exception("could not list privileges for provider")
        # NOTE(review): the raw backend exception text is echoed to the client.
        outcome['message'] = str(err)

    return JsonResponse(outcome)
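def update_role_groups(request):
    """Reconcile a role's group membership with the ``role`` JSON in ``request.POST``.

    Groups present in ``role['groups']`` but not ``role['originalGroups']``
    are added; the reverse set is removed.  No call is made when a set is
    empty.

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.  The original built ``result``
        but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        role = json.loads(request.POST['role'])

        new_groups = set(role['groups']) - set(role['originalGroups'])
        deleted_groups = set(role['originalGroups']) - set(role['groups'])

        api = get_api(request.user)
        if new_groups:
            api.alter_sentry_role_add_groups(role['name'], new_groups)
        if deleted_groups:
            # If this fails after the add above, the additions are not rolled back.
            api.alter_sentry_role_delete_groups(role['name'], deleted_groups)

        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not update role groups")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)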
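def create_role(request):
    """Create a role, grant its non-deleted privileges and attach its groups.

    The ``role`` JSON document in ``request.POST`` supplies ``name``,
    ``privileges`` (each with a ``status``) and ``groups``.  Only the
    ``'deleted'`` status is filtered out here.

    Returns:
        ``JsonResponse`` with ``privileges``, ``role`` and ``status`` 0 on
        success, otherwise ``status`` -1 and the exception text in
        ``message``.  The original built ``result`` but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        role = json.loads(request.POST['role'])

        api = get_api(request.user)
        api.create_sentry_role(role['name'])

        privileges = [privilege for privilege in role['privileges'] if privilege['status'] != 'deleted']
        result['privileges'] = _hive_add_privileges(request.user, role, privileges)
        api.alter_sentry_role_add_groups(role['name'], role['groups'])

        result['role'] = {"name": role['name'], "groups": role['groups']}
        result['message'] = _('Role created!')
        result['status'] = 0
    except Exception as e:
        # A failure after create_sentry_role leaves a partially configured role behind.
        LOG.exception("could not create role")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)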
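def list_sentry_roles_by_group(request):
    """List roles for ``request.POST["groupName"]``, or a scope derived from the caller.

    When no group is given, members of the configured Sentry admin groups
    query with ``None`` (all roles) and everyone else with ``"*"`` (per the
    original comment, only the caller's own groups -- the meaning of ``"*"``
    is defined by the API, not here).

    Returns:
        ``JsonResponse`` with ``roles`` sorted by name and ``status`` 0.  A
        backend error whose text contains ``"couldn't be retrieved."`` is
        reported as an empty role list with ``status`` 0; any other error
        gives ``status`` -1 and the exception text in ``message``.  The
        original built ``result`` but never returned it.
    """
    result = {"status": -1, "message": "Error"}

    try:
        if request.POST["groupName"]:
            groupName = request.POST["groupName"]
        else:
            # Admins can see everything, others only the groups they belong to
            is_admin = request.user.groups.filter(name__in=get_sentry_server_admin_groups()).exists()
            groupName = None if is_admin else "*"

        roles = get_api(request.user).list_sentry_roles_by_group(groupName)
        result["roles"] = sorted(roles, key=lambda role: role["name"])
        result["message"] = ""
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not retrieve roles")
        # NOTE(review): matching on the error text is fragile; a changed backend
        # message would turn this "no roles" case back into a hard error.
        if "couldn't be retrieved." in str(e):
            result["roles"] = []
            result["status"] = 0
        else:
            # NOTE(review): the raw backend exception text is echoed to the client.
            result["message"] = unicode(str(e), "utf8")

    return JsonResponse(result)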
def _hive_add_privileges(user, role, privileges):
    """Grant each non-deleted privilege in ``privileges`` to ``role``.

    Args:
        user: the user whose API client performs the grants and whose
            username is recorded as ``grantor``.
        role: dict with at least a ``name`` key.
        privileges: dicts with a ``status`` key plus the fields read below.

    Returns:
        A list of locally built privilege dicts (timestamp, grantor and the
        copied fields); see the in-code note on why they are synthesized.
    """
    api = get_api(user)
    granted = []

    for privilege in privileges:
        if privilege['status'] in ('deleted',):
            continue

        api.alter_sentry_role_grant_privilege(role['name'], _to_sentry_privilege(privilege))

        # Mocked until Sentry API returns the info. Not used currently as we refresh the whole role.
        summary = {
            'timestamp': int(time.time()),
            'grantor': user.username,
            'database': privilege.get('dbName'),
            'action': privilege.get('action'),
            'scope': privilege.get('privilegeScope'),
            'table': privilege.get('tableName'),
            'URI': privilege.get('URI'),
            'server': privilege.get('serverName'),
        }
        granted.append(summary)

    return granted
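def list_sentry_privileges_by_authorizable(request):
    """List privileges on one authorizable, optionally restricted to one group.

    Reads ``groupName`` (empty means no group filter) and the JSON
    ``authorizableHierarchy`` from ``request.POST``.  Each returned privilege
    dict is tagged with the ``roleName`` it was granted through.

    Returns:
        ``JsonResponse`` with ``privileges`` sorted by role name and
        ``status`` 0, or ``status`` -1 and the exception text in ``message``.
        The original built ``result`` but never returned it.
    """
    result = {'status': -1, 'message': 'Error'}

    try:
        groups = [request.POST['groupName']] if request.POST['groupName'] else None
        authorizableSet = [json.loads(request.POST['authorizableHierarchy'])]

        _privileges = []
        listing = get_api(request.user).list_sentry_privileges_by_authorizable(authorizableSet=authorizableSet, groups=groups)
        for authorizable, roles in listing:
            for role, privileges in roles.iteritems():
                for privilege in privileges:
                    privilege['roleName'] = role
                    _privileges.append(privilege)

        result['privileges'] = sorted(_privileges, key=lambda privilege: privilege['roleName'])
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list privileges by authorizable")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result['message'] = unicode(str(e), "utf8")

    return JsonResponse(result)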
def _hive_add_privileges(user, role, privileges):
    """Grant each non-deleted privilege in ``privileges`` to ``role``.

    Args:
        user: the user whose API client performs the grants.
        role: dict with at least a ``name`` key.
        privileges: dicts with a ``status`` key plus the fields read below;
            ``grantOption`` is reported as a boolean (true only when it is 1).

    Returns:
        A list of locally built privilege dicts; see the in-code note on why
        they are synthesized rather than read back from the API.
    """
    api = get_api(user)
    granted = []

    for privilege in privileges:
        if privilege['status'] in ('deleted',):
            continue

        api.alter_sentry_role_grant_privilege(role['name'], _to_sentry_privilege(privilege))

        # Mocked until Sentry API returns the info. Not used currently as we refresh the whole role.
        summary = {
            'timestamp': int(time.time()),
            'database': privilege.get('dbName'),
            'action': privilege.get('action'),
            'scope': privilege.get('privilegeScope'),
            'table': privilege.get('tableName'),
            'URI': privilege.get('URI'),
            'server': privilege.get('serverName'),
            'grantOption': privilege.get('grantOption') == 1,
        }
        granted.append(summary)

    return granted
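def update_role_groups(request):
    """Reconcile a role's group membership with the ``role`` JSON in ``request.POST``.

    Groups present in ``role["groups"]`` but not ``role["originalGroups"]``
    are added; the reverse set is removed.  No call is made when a set is
    empty.

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.  The original built ``result``
        but never returned it.
    """
    result = {"status": -1, "message": "Error"}

    try:
        role = json.loads(request.POST["role"])

        new_groups = set(role["groups"]) - set(role["originalGroups"])
        deleted_groups = set(role["originalGroups"]) - set(role["groups"])

        api = get_api(request.user)
        if new_groups:
            api.alter_sentry_role_add_groups(role["name"], new_groups)
        if deleted_groups:
            # If this fails after the add above, the additions are not rolled back.
            api.alter_sentry_role_delete_groups(role["name"], deleted_groups)

        result["message"] = ""
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not update role groups")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result["message"] = unicode(str(e), "utf8")

    return JsonResponse(result)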
def list_sentry_roles_by_group(request):
    """List roles for ``request.POST['groupName']``, or a scope derived from the caller.

    When no group is given, members of the configured Sentry admin groups
    query with ``None`` and everyone else with ``'*'`` (per the original
    comment, only the caller's own groups -- the meaning of ``'*'`` is
    defined by the API, not here).

    Returns:
        ``JsonResponse`` with ``roles`` sorted by name and ``status`` 0.  A
        backend error whose text contains ``"couldn't be retrieved."`` is
        reported as an empty role list with ``status`` 0; any other error
        gives ``status`` -1 and the exception text in ``message``.
    """
    outcome = {'status': -1, 'message': 'Error'}

    try:
        requested_group = request.POST.get('groupName')
        if requested_group:
            group_scope = requested_group
        else:
            # Admins can see everything, others only the groups they belong to
            admin_groups = get_sentry_server_admin_groups()
            caller_is_admin = request.user.groups.filter(name__in=admin_groups).exists()
            group_scope = None if caller_is_admin else '*'

        api = get_api(request.user)
        found = api.list_sentry_roles_by_group(group_scope)
        outcome['roles'] = sorted(found, key=lambda role: role['name'])
        outcome['message'] = ''
        outcome['status'] = 0
    except Exception as err:
        LOG.exception("could not retrieve roles")
        # NOTE(review): matching on the error text is fragile; a changed backend
        # message would turn this "no roles" case back into a hard error.
        if "couldn't be retrieved." in str(err):
            outcome['roles'] = []
            outcome['status'] = 0
        else:
            # NOTE(review): the raw backend exception text is echoed to the client.
            outcome['message'] = str(err)

    return JsonResponse(outcome)
def update_role_groups(request):
    """Reconcile a role's group membership with the ``role`` JSON in ``request.POST``.

    Groups present in ``role['groups']`` but not ``role['originalGroups']``
    are added; the reverse set is removed.  No call is made when a set is
    empty.

    Returns:
        ``JsonResponse`` with ``status`` 0 on success, otherwise ``-1`` and
        the exception text in ``message``.
    """
    outcome = {'status': -1, 'message': 'Error'}

    try:
        role = json.loads(request.POST.get('role'))
        wanted = set(role['groups'])
        current = set(role['originalGroups'])

        api = get_api(request.user)
        to_add = wanted - current
        to_remove = current - wanted
        if to_add:
            api.alter_sentry_role_add_groups(role['name'], to_add)
        if to_remove:
            # If this fails after the add above, the additions are not rolled back.
            api.alter_sentry_role_delete_groups(role['name'], to_remove)

        outcome['message'] = ''
        outcome['status'] = 0
    except Exception as err:
        LOG.exception("could not update role groups")
        # NOTE(review): the raw backend exception text is echoed to the client.
        outcome['message'] = str(err)

    return JsonResponse(outcome)
def _hive_add_privileges(user, role, privileges):
    """Grant each non-deleted privilege in ``privileges`` to ``role``.

    Args:
        user: the user whose API client performs the grants.
        role: dict with at least a ``name`` key.
        privileges: dicts with a ``status`` key plus the fields read below;
            ``grantOption`` is reported as a boolean (true only when it is 1).

    Returns:
        A list of locally built privilege dicts (including ``column``); see
        the in-code note on why they are synthesized rather than read back.
    """
    api = get_api(user)
    granted = []

    for privilege in privileges:
        if privilege["status"] in ("deleted",):
            continue

        api.alter_sentry_role_grant_privilege(role["name"], _to_sentry_privilege(privilege))

        # Mocked until Sentry API returns the info. Not used currently as we refresh the whole role.
        summary = {
            "timestamp": int(time.time()),
            "database": privilege.get("dbName"),
            "action": privilege.get("action"),
            "scope": privilege.get("privilegeScope"),
            "table": privilege.get("tableName"),
            "column": privilege.get("columnName"),
            "URI": privilege.get("URI"),
            "server": privilege.get("serverName"),
            "grantOption": privilege.get("grantOption") == 1,
        }
        granted.append(summary)

    return granted
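def create_role(request):
    """Create a role, grant its non-deleted privileges and attach its groups.

    The ``role`` JSON document in ``request.POST`` supplies ``name``,
    ``privileges`` (each with a ``status``) and ``groups``.

    Returns:
        ``JsonResponse`` with ``privileges``, ``role`` and ``status`` 0 on
        success, otherwise ``status`` -1 and the exception text in
        ``message``.  The original built ``result`` but never returned it.
    """
    result = {"status": -1, "message": "Error"}

    try:
        role = json.loads(request.POST["role"])

        api = get_api(request.user)
        api.create_sentry_role(role["name"])

        privileges = [
            privilege for privilege in role["privileges"]
            if privilege["status"] not in ("deleted", "alreadydeleted")
        ]
        result["privileges"] = _hive_add_privileges(request.user, role, privileges)
        api.alter_sentry_role_add_groups(role["name"], role["groups"])

        result["role"] = {"name": role["name"], "groups": role["groups"]}
        result["message"] = _("Role created!")
        result["status"] = 0
    except Exception as e:
        # A failure after create_sentry_role leaves a partially configured role behind.
        LOG.exception("could not create role")
        # NOTE(review): the raw backend exception text is echoed to the client.
        result["message"] = unicode(str(e), "utf8")

    return JsonResponse(result)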
def _drop_sentry_privilege(user, role, authorizable):
    """Revoke the privilege described by ``authorizable`` from ``role['name']``.

    Returns whatever ``alter_sentry_role_revoke_privilege`` returns.
    """
    api = get_api(user)
    sentry_privilege = _to_sentry_privilege(authorizable)
    return api.alter_sentry_role_revoke_privilege(role['name'], sentry_privilege)
def __init__(self, user, api=None):
    """Remember ``user`` and use ``api`` when given (truthy), else build one with ``get_api``."""
    self.user = user
    if api:
        self.api = api
    else:
        self.api = get_api(self.user)
def _drop_sentry_privilege(user, role, authorizable):
    """Revoke the privilege described by ``authorizable`` from ``role["name"]``.

    Returns whatever ``alter_sentry_role_revoke_privilege`` returns.
    """
    api = get_api(user)
    sentry_privilege = _to_sentry_privilege(authorizable)
    return api.alter_sentry_role_revoke_privilege(role["name"], sentry_privilege)