def bulk_delete_privileges(request):
    """Drop the Sentry privileges attached to every checked path.

    POST fields: ``checkedPaths`` (JSON list of ``{"path": ...}`` objects),
    ``authorizableHierarchy`` (JSON object) and ``component``. Each path is
    split into db/table/column, those keys are merged into the hierarchy
    and the Sentry API is asked to drop the matching privileges, one call
    per path.

    Returns a JsonResponse whose ``status`` is 0 on success and -1 on any
    exception; in the failure case ``message`` carries the exception text,
    so backend error details are echoed to the caller.

    No authorization check is made in this view; ``get_api`` receives
    ``request.user`` and access control presumably happens downstream —
    confirm.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        checked_paths = json.loads(request.POST.get('checkedPaths'))
        hierarchy = json.loads(request.POST.get('authorizableHierarchy'))
        component = request.POST.get('component')
        # All 'path' keys are read up front so a malformed entry fails
        # before any privilege has been dropped.
        paths = [entry['path'] for entry in checked_paths]
        for path in paths:
            db, table, column = _get_splitted_path(path)
            # The same hierarchy dict is reused and overwritten per path.
            hierarchy.update({'db': db, 'table': table, 'column': column})
            get_api(request.user, component).drop_sentry_privileges(hierarchy)
        result['message'] = _('Privileges deleted.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not bulk delete privileges")
        result['message'] = str(e)
    return JsonResponse(result)
def drop_sentry_role(request):
    """Drop a Sentry role and the privileges granted to it.

    ``roleName`` and ``component`` are required POST fields; a missing one
    raises inside the try and is reported like any other failure. On
    success ``result['status']`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        role_name = request.POST['roleName']
        component = request.POST['component']
        api = get_api(request.user, component)
        api.drop_sentry_role(role_name)
        result['message'] = _('Role and privileges deleted.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not drop role")
        result['message'] = unicode(str(e), "utf8")
def create_sentry_role(request):
    """Create a Sentry role named by the ``roleName`` POST field.

    Unlike the sibling views, ``component`` is JSON-decoded here rather than
    read raw — confirm which form the client sends. On success
    ``result['status']`` is 0; on failure ``message`` holds the exception
    text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        role_name = request.POST['roleName']
        component = json.loads(request.POST['component'])
        api = get_api(request.user, component)
        api.create_sentry_role(role_name)
        result['message'] = _('Role and privileges created.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not create role")
        result['message'] = unicode(str(e), "utf8")
def create_sentry_role(request):
    """Create a Sentry role named by the ``roleName`` POST field.

    ``roleName`` and ``component`` are read with ``.get``, so a missing
    field is passed to the API as ``None`` rather than raising here. On
    success ``result['status']`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        role_name = request.POST.get('roleName')
        component = request.POST.get('component')
        api = get_api(request.user, component)
        api.create_sentry_role(role_name)
        result['message'] = _('Role and privileges created.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not create role")
        result['message'] = unicode(str(e), "utf8")
def drop_sentry_role(request):
    """Drop a Sentry role and the privileges granted to it.

    ``roleName`` and ``component`` are required POST fields; a missing one
    raises inside the try and is reported like any other failure. On
    success ``result["status"]`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {"status": -1, "message": "Error"}
    try:
        role_name = request.POST["roleName"]
        component = request.POST["component"]
        api = get_api(request.user, component)
        api.drop_sentry_role(role_name)
        result["message"] = _("Role and privileges deleted.")
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not drop role")
        result["message"] = unicode(str(e), "utf8")
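def rename_sentry_privilege(request):
    """Rename a Sentry privilege from one authorizable to another.

    POST fields: ``oldAuthorizable`` and ``newAuthorizable`` (JSON objects)
    and ``component``; all three are required and a missing one raises
    inside the try. On success ``result["status"]`` is 0; on failure
    ``message`` holds the exception text decoded as UTF-8, which is echoed
    back to the caller.

    Fix: the success message used to read "Privilege deleted." although
    this view renames rather than deletes; it now reports a rename.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {"status": -1, "message": "Error"}
    try:
        old_authorizable = json.loads(request.POST["oldAuthorizable"])
        new_authorizable = json.loads(request.POST["newAuthorizable"])
        component = request.POST["component"]
        api = get_api(request.user, component)
        api.rename_sentry_privilege(old_authorizable, new_authorizable)
        result["message"] = _("Privilege renamed.")
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not rename privilege")
        result["message"] = unicode(str(e), "utf8")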
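def rename_sentry_privilege(request):
    """Rename a Sentry privilege from one authorizable to another.

    POST fields: ``oldAuthorizable`` and ``newAuthorizable`` (JSON objects)
    and ``component``; all three are required and a missing one raises
    inside the try. On success ``result['status']`` is 0; on failure
    ``message`` holds the exception text decoded as UTF-8, which is echoed
    back to the caller.

    Fix: the success message used to read "Privilege deleted." although
    this view renames rather than deletes; it now reports a rename.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        old_authorizable = json.loads(request.POST['oldAuthorizable'])
        new_authorizable = json.loads(request.POST['newAuthorizable'])
        component = request.POST['component']
        api = get_api(request.user, component)
        api.rename_sentry_privilege(old_authorizable, new_authorizable)
        result['message'] = _('Privilege renamed.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not rename privilege")
        result['message'] = unicode(str(e), "utf8")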
def update_role_groups(request):
    """Synchronise the groups attached to a Sentry role.

    The ``role`` POST field is a JSON object with ``name``, ``groups`` (the
    desired set) and ``originalGroups`` (the current set). Groups present
    only in ``groups`` are added, groups present only in ``originalGroups``
    are removed; each API call is skipped when its set is empty.

    Returns a JsonResponse with ``status`` 0 on success and -1 on any
    exception, in which case ``message`` carries the exception text and is
    echoed to the caller.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        role = json.loads(request.POST.get('role'))
        component = request.POST.get('component')
        wanted = set(role['groups'])
        current = set(role['originalGroups'])
        to_add = wanted - current
        to_remove = current - wanted
        api = get_api(request.user, component)
        if to_add:
            api.alter_sentry_role_add_groups(role['name'], to_add)
        if to_remove:
            api.alter_sentry_role_delete_groups(role['name'], to_remove)
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not update role groups")
        result['message'] = str(e)
    return JsonResponse(result)
def list_sentry_privileges_by_authorizable(request):
    """List the privileges granted on one authorizable, flattened per role.

    POST fields: ``groupName`` (optional; when set the lookup is limited to
    that single group), ``server``, ``authorizableHierarchy`` (JSON object)
    and ``component``. Every privilege returned by the API is tagged with
    its ``roleName`` and the flat list is sorted by that name.

    Returns a JsonResponse with ``privileges`` and ``status`` 0 on success;
    on failure ``status`` is -1 and ``message`` carries the exception text,
    which is echoed to the caller.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        group_name = request.POST.get('groupName')
        groups = [group_name] if group_name else None
        service_name = request.POST.get('server')
        authorizable_set = [json.loads(request.POST.get('authorizableHierarchy'))]
        component = request.POST.get('component')
        api = get_api(request.user, component)
        listing = api.list_sentry_privileges_by_authorizable(
            serviceName=service_name, authorizableSet=authorizable_set, groups=groups)
        collected = []
        for _authorizable, roles in listing:
            for role_name, role_privileges in roles.items():
                for privilege in role_privileges:
                    # The API's privilege dicts are mutated in place to carry the role.
                    privilege['roleName'] = role_name
                    collected.append(privilege)
        result['privileges'] = sorted(collected, key=lambda p: p['roleName'])
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list privileges by authorizable")
        result['message'] = str(e)
    return JsonResponse(result)
def list_sentry_roles_by_group(request):
    """List Sentry roles, optionally restricted to one group.

    When the ``groupName`` POST field is empty the scope depends on the
    caller: members of a Sentry admin group (``get_sentry_server_admin_groups``)
    get ``None`` (everything), everyone else gets ``'*'`` — presumably "only
    the caller's own groups" as the original comment says; the meaning of
    ``'*'`` is decided by the API, not here. Roles are sorted by name.

    Returns a JsonResponse. A backend error whose text contains
    "couldn't be retrieved." is mapped to an empty role list with
    ``status`` 0; any other exception yields ``status`` -1 with the
    exception text in ``message``, echoed to the caller.
    """
    result = {'status': -1, 'message': 'Error'}
    component = request.POST.get('component')
    try:
        group_name = request.POST.get('groupName')
        if not group_name:
            # Admins can see everything, others only the groups they belong to
            is_admin = request.user.groups.filter(
                name__in=get_sentry_server_admin_groups()).exists()
            group_name = None if is_admin else '*'
        roles = get_api(request.user, component).list_sentry_roles_by_group(group_name)
        result['roles'] = sorted(roles, key=lambda r: r['name'])
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not retrieve roles")
        if "couldn't be retrieved." not in str(e):
            result['message'] = str(e)
        else:
            result['roles'] = []
            result['status'] = 0
    return JsonResponse(result)
def list_sentry_privileges_by_authorizable(request):
    """List the privileges granted on one authorizable, flattened per role.

    POST fields: ``groupName`` (optional; when set the lookup is limited to
    that single group), ``server``, ``authorizableHierarchy`` (JSON object)
    and ``component``. Every privilege returned by the API is tagged with
    its ``roleName`` and the flat list is sorted by that name.

    On success ``result['status']`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        group_name = request.POST.get('groupName')
        groups = [group_name] if group_name else None
        service_name = request.POST.get('server')
        authorizable_set = [json.loads(request.POST.get('authorizableHierarchy'))]
        component = request.POST.get('component')
        api = get_api(request.user, component)
        listing = api.list_sentry_privileges_by_authorizable(
            serviceName=service_name, authorizableSet=authorizable_set, groups=groups)
        collected = []
        for _authorizable, roles in listing:
            for role_name, role_privileges in roles.iteritems():
                for privilege in role_privileges:
                    # The API's privilege dicts are mutated in place to carry the role.
                    privilege['roleName'] = role_name
                    collected.append(privilege)
        result['privileges'] = sorted(collected, key=lambda p: p['roleName'])
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list privileges by authorizable")
        result['message'] = unicode(str(e), "utf8")
def create_role(request):
    """Create a Sentry role, grant its privileges and attach its groups.

    The ``role`` POST field is a JSON object with ``name``, ``privileges``
    (each carrying a ``status``) and ``groups``. Privileges whose status is
    ``'deleted'`` or ``'alreadydeleted'`` are skipped; the rest are granted
    through ``_hive_add_privileges``, whose rows are returned under
    ``privileges``. The three backend calls are not transactional: a failure
    after ``create_sentry_role`` leaves the role behind.

    On success ``result['status']`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        role = json.loads(request.POST['role'])
        component = request.POST['component']
        api = get_api(request.user, component)
        role_name = role['name']
        api.create_sentry_role(role_name)
        skipped = ('deleted', 'alreadydeleted')
        wanted = [p for p in role['privileges'] if p['status'] not in skipped]
        result['privileges'] = _hive_add_privileges(request.user, role, wanted, component)
        api.alter_sentry_role_add_groups(role_name, role['groups'])
        result['role'] = {"name": role_name, "groups": role['groups']}
        result['message'] = _('Role created!')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not create role")
        result['message'] = unicode(str(e), "utf8")
def list_sentry_privileges_by_authorizable(request):
    """List the privileges granted on one authorizable, flattened per role.

    POST fields ``groupName`` (empty means no group filter), ``server``,
    ``authorizableHierarchy`` (JSON object) and ``component`` are all
    required; a missing one raises inside the try. Every privilege returned
    by the API is tagged with its ``roleName`` and the flat list is sorted
    by that name.

    On success ``result["status"]`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {"status": -1, "message": "Error"}
    try:
        group_name = request.POST["groupName"]
        groups = [group_name] if group_name else None
        service_name = request.POST["server"]
        authorizable_set = [json.loads(request.POST["authorizableHierarchy"])]
        component = request.POST["component"]
        api = get_api(request.user, component)
        listing = api.list_sentry_privileges_by_authorizable(
            serviceName=service_name, authorizableSet=authorizable_set, groups=groups
        )
        collected = []
        for _authorizable, roles in listing:
            for role_name, role_privileges in roles.iteritems():
                for privilege in role_privileges:
                    # The API's privilege dicts are mutated in place to carry the role.
                    privilege["roleName"] = role_name
                    collected.append(privilege)
        result["privileges"] = sorted(collected, key=lambda p: p["roleName"])
        result["message"] = ""
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not list privileges by authorizable")
        result["message"] = unicode(str(e), "utf8")
def create_role(request):
    """Create a Sentry role, grant its privileges and attach its groups.

    The ``role`` POST field is a JSON object with ``name``, ``privileges``
    (each carrying a ``status``) and ``groups``. Privileges whose status is
    ``"deleted"`` or ``"alreadydeleted"`` are skipped; the rest are granted
    through ``_hive_add_privileges``, whose rows are returned under
    ``privileges``. The three backend calls are not transactional: a failure
    after ``create_sentry_role`` leaves the role behind.

    On success ``result["status"]`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {"status": -1, "message": "Error"}
    try:
        role = json.loads(request.POST["role"])
        component = request.POST["component"]
        api = get_api(request.user, component)
        role_name = role["name"]
        api.create_sentry_role(role_name)
        skipped = ("deleted", "alreadydeleted")
        wanted = [p for p in role["privileges"] if p["status"] not in skipped]
        result["privileges"] = _hive_add_privileges(request.user, role, wanted, component)
        api.alter_sentry_role_add_groups(role_name, role["groups"])
        result["role"] = {"name": role_name, "groups": role["groups"]}
        result["message"] = _("Role created!")
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not create role")
        result["message"] = unicode(str(e), "utf8")
def list_sentry_privileges_by_authorizable(request):
    """List the privileges granted on one authorizable, flattened per role.

    POST fields ``groupName`` (empty means no group filter),
    ``authorizableHierarchy`` (JSON object) and ``component`` are required;
    a missing one raises inside the try. This variant passes no
    ``serviceName`` to the API. Every privilege is tagged with its
    ``roleName`` and the flat list is sorted by that name.

    On success ``result['status']`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        group_name = request.POST['groupName']
        groups = [group_name] if group_name else None
        authorizable_set = [json.loads(request.POST['authorizableHierarchy'])]
        component = request.POST['component']
        api = get_api(request.user, component)
        listing = api.list_sentry_privileges_by_authorizable(
            authorizableSet=authorizable_set, groups=groups)
        collected = []
        for _authorizable, roles in listing:
            for role_name, role_privileges in roles.iteritems():
                for privilege in role_privileges:
                    # The API's privilege dicts are mutated in place to carry the role.
                    privilege['roleName'] = role_name
                    collected.append(privilege)
        result['privileges'] = sorted(collected, key=lambda p: p['roleName'])
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list privileges by authorizable")
        result['message'] = unicode(str(e), "utf8")
def drop_sentry_role(request):
    """Drop a Sentry role and the privileges granted to it.

    ``roleName`` and ``component`` are read with ``.get``, so a missing
    field reaches the API as ``None`` rather than raising here.

    Returns a JsonResponse with ``status`` 0 on success and -1 on any
    exception, in which case ``message`` carries the exception text and is
    echoed to the caller. No authorization check is made in this view;
    access control presumably happens in the Sentry backend — confirm.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        role_name = request.POST.get('roleName')
        component = request.POST.get('component')
        api = get_api(request.user, component)
        api.drop_sentry_role(role_name)
        result['message'] = _('Role and privileges deleted.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not drop role")
        result['message'] = str(e)
    return JsonResponse(result)
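def rename_sentry_privilege(request):
    """Rename a Sentry privilege from one authorizable to another.

    POST fields: ``oldAuthorizable`` and ``newAuthorizable`` (JSON objects)
    and ``component``, all read with ``.get``; a missing JSON field makes
    ``json.loads`` raise inside the try and is reported as an error.

    Fix: the success message used to read "Privilege deleted." although
    this view renames rather than deletes; it now reports a rename.

    Returns a JsonResponse with ``status`` 0 on success and -1 on any
    exception, in which case ``message`` carries the exception text and is
    echoed to the caller.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        old_authorizable = json.loads(request.POST.get('oldAuthorizable'))
        new_authorizable = json.loads(request.POST.get('newAuthorizable'))
        component = request.POST.get('component')
        api = get_api(request.user, component)
        api.rename_sentry_privilege(old_authorizable, new_authorizable)
        result['message'] = _('Privilege renamed.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not rename privilege")
        result['message'] = str(e)
    return JsonResponse(result)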
def _get_sentry_api(user):
    """Return the Sentry API helper bound to the CDAP component.

    :param user: The user of the HTTP request. Must be authorized to perform
        Sentry operations (configured in sentry-site.xml).
    :return: Sentry API helper object, as produced by ``get_api`` (defined in
        libsentry/api2.py).
    """
    # The CDAP plugin only manages CDAP ACLs, so the Sentry component name
    # is fixed here rather than taken from the request.
    component = "cdap"
    return get_api(user, component)
def bulk_delete_privileges(request):
    """Drop the Sentry privileges attached to every checked path.

    POST fields ``checkedPaths`` (JSON list of ``{"path": ...}`` objects),
    ``authorizableHierarchy`` (JSON object) and ``component`` are required.
    Each path is split into db/table/column, those keys are merged into the
    hierarchy and the Sentry API is asked to drop the matching privileges,
    one call per path.

    On success ``result["status"]`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {"status": -1, "message": "Error"}
    try:
        checked_paths = json.loads(request.POST["checkedPaths"])
        hierarchy = json.loads(request.POST["authorizableHierarchy"])
        component = request.POST["component"]
        # All "path" keys are read up front so a malformed entry fails
        # before any privilege has been dropped.
        paths = [entry["path"] for entry in checked_paths]
        for path in paths:
            db, table, column = _get_splitted_path(path)
            # The same hierarchy dict is reused and overwritten per path.
            hierarchy.update({"db": db, "table": table, "column": column})
            get_api(request.user, component).drop_sentry_privileges(hierarchy)
        result["message"] = _("Privileges deleted.")
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not bulk delete privileges")
        result["message"] = unicode(str(e), "utf8")
def bulk_delete_privileges(request):
    """Drop the Sentry privileges attached to every checked path.

    POST fields ``checkedPaths`` (JSON list of ``{"path": ...}`` objects),
    ``authorizableHierarchy`` (JSON object) and ``component`` are required.
    Each path is split into db/table/column, those keys are merged into the
    hierarchy and the Sentry API is asked to drop the matching privileges,
    one call per path.

    On success ``result['status']`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        checked_paths = json.loads(request.POST['checkedPaths'])
        hierarchy = json.loads(request.POST['authorizableHierarchy'])
        component = request.POST['component']
        # All 'path' keys are read up front so a malformed entry fails
        # before any privilege has been dropped.
        paths = [entry['path'] for entry in checked_paths]
        for path in paths:
            db, table, column = _get_splitted_path(path)
            # The same hierarchy dict is reused and overwritten per path.
            hierarchy.update({'db': db, 'table': table, 'column': column})
            get_api(request.user, component).drop_sentry_privileges(hierarchy)
        result['message'] = _('Privileges deleted.')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not bulk delete privileges")
        result['message'] = unicode(str(e), "utf8")
def list_sentry_privileges_for_provider(request):
    """List the Sentry privileges visible to a set of groups and roles.

    POST fields ``groups``, ``roleSet`` and ``authorizableHierarchy`` are
    JSON-decoded and, with ``component``, are all required; a missing one
    raises inside the try. The API result is returned as-is under
    ``sentry_privileges``.

    On success ``result['status']`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        groups = json.loads(request.POST['groups'])
        role_set = json.loads(request.POST['roleSet'])
        hierarchy = json.loads(request.POST['authorizableHierarchy'])
        component = request.POST['component']
        api = get_api(request.user, component)
        result['sentry_privileges'] = api.list_sentry_privileges_for_provider(
            groups=groups, roleSet=role_set, authorizableHierarchy=hierarchy)
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list privileges for provider")
        result['message'] = unicode(str(e), "utf8")
def list_sentry_privileges_by_role(request):
    """List the privileges granted to one Sentry role.

    POST fields ``server``, ``component`` and ``roleName`` are required; a
    missing one raises inside the try. Privileges are sorted by the dotted
    ``server.database.table.URI`` key built from each privilege dict.

    On success ``result['status']`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        service_name = request.POST['server']
        component = request.POST['component']
        role_name = request.POST['roleName']
        api = get_api(request.user, component)
        privileges = api.list_sentry_privileges_by_role(service_name, role_name)

        def sort_key(privilege):
            return '%s.%s.%s.%s' % (
                privilege['server'], privilege['database'], privilege['table'], privilege['URI'])

        result['sentry_privileges'] = sorted(privileges, key=sort_key)
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list sentry privileges")
        result['message'] = unicode(str(e), "utf8")
def list_sentry_privileges_by_role(request):
    """List the privileges granted to one Sentry role.

    POST fields ``server``, ``component`` and ``roleName`` are required; a
    missing one raises inside the try. Privileges are sorted by the dotted
    join of the ``name`` of each entry in their ``authorizables`` list.

    On success ``result['status']`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        service_name = request.POST['server']
        component = request.POST['component']
        role_name = request.POST['roleName']
        api = get_api(request.user, component)
        privileges = api.list_sentry_privileges_by_role(service_name, role_name)

        def sort_key(privilege):
            names = [auth['name'] for auth in privilege['authorizables']]
            return '.'.join(names)

        result['sentry_privileges'] = sorted(privileges, key=sort_key)
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list sentry privileges")
        result['message'] = unicode(str(e), "utf8")
def list_sentry_privileges_for_provider(request):
    """List the Sentry privileges visible to a set of groups and roles.

    POST fields ``groups``, ``roleSet`` and ``authorizableHierarchy`` are
    JSON-decoded and, with ``component``, are all required; a missing one
    raises inside the try. The API result is returned as-is under
    ``sentry_privileges``.

    On success ``result["status"]`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {"status": -1, "message": "Error"}
    try:
        groups = json.loads(request.POST["groups"])
        role_set = json.loads(request.POST["roleSet"])
        hierarchy = json.loads(request.POST["authorizableHierarchy"])
        component = request.POST["component"]
        api = get_api(request.user, component)
        result["sentry_privileges"] = api.list_sentry_privileges_for_provider(
            groups=groups, roleSet=role_set, authorizableHierarchy=hierarchy
        )
        result["message"] = ""
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not list privileges for provider")
        result["message"] = unicode(str(e), "utf8")
def list_sentry_privileges_for_provider(request):
    """List the Sentry privileges visible to a set of groups and roles.

    POST fields ``groups``, ``roleSet`` and ``authorizableHierarchy`` are
    JSON-decoded (a missing one makes ``json.loads`` raise inside the try);
    ``component`` is read raw. The API result is returned as-is under
    ``sentry_privileges``.

    Returns a JsonResponse with ``status`` 0 on success and -1 on any
    exception, in which case ``message`` carries the exception text and is
    echoed to the caller.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        groups = json.loads(request.POST.get('groups'))
        role_set = json.loads(request.POST.get('roleSet'))
        hierarchy = json.loads(request.POST.get('authorizableHierarchy'))
        component = request.POST.get('component')
        api = get_api(request.user, component)
        result['sentry_privileges'] = api.list_sentry_privileges_for_provider(
            groups=groups, roleSet=role_set, authorizableHierarchy=hierarchy)
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list privileges for provider")
        result['message'] = str(e)
    return JsonResponse(result)
def list_sentry_privileges_by_role(request):
    """List the privileges granted to one Sentry role.

    POST fields ``server``, ``component`` and ``roleName`` are required; a
    missing one raises inside the try. Privileges are sorted by the dotted
    join of the ``name`` of each entry in their ``authorizables`` list.

    On success ``result["status"]`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {"status": -1, "message": "Error"}
    try:
        service_name = request.POST["server"]
        component = request.POST["component"]
        role_name = request.POST["roleName"]
        api = get_api(request.user, component)
        privileges = api.list_sentry_privileges_by_role(service_name, role_name)

        def sort_key(privilege):
            names = [auth["name"] for auth in privilege["authorizables"]]
            return ".".join(names)

        result["sentry_privileges"] = sorted(privileges, key=sort_key)
        result["message"] = ""
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not list sentry privileges")
        result["message"] = unicode(str(e), "utf8")
def list_sentry_privileges_by_role(request):
    """List the privileges granted to one Sentry role.

    POST fields ``server``, ``component`` and ``roleName`` are read with
    ``.get``, so a missing one reaches the API as ``None``. Privileges are
    sorted by the dotted join of the ``name`` of each entry in their
    ``authorizables`` list.

    Returns a JsonResponse with ``status`` 0 on success and -1 on any
    exception, in which case ``message`` carries the exception text and is
    echoed to the caller.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        service_name = request.POST.get('server')
        component = request.POST.get('component')
        role_name = request.POST.get('roleName')
        api = get_api(request.user, component)
        privileges = api.list_sentry_privileges_by_role(service_name, role_name)

        def sort_key(privilege):
            names = [auth['name'] for auth in privilege['authorizables']]
            return '.'.join(names)

        result['sentry_privileges'] = sorted(privileges, key=sort_key)
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list sentry privileges")
        result['message'] = str(e)
    return JsonResponse(result)
def _hive_add_privileges(user, role, privileges, component):
    """Grant each non-deleted privilege to ``role`` and describe what was granted.

    :param user: user on whose behalf the Sentry API is obtained
    :param role: dict with at least a ``name`` key
    :param privileges: iterable of privilege dicts; entries whose ``status``
        is ``'deleted'`` are skipped, the others are converted with
        ``_to_sentry_privilege`` and granted
    :param component: Sentry component passed to ``get_api``
    :return: one summary dict per granted privilege (timestamp, database,
        action, scope, table, column, URI, server, grantOption)

    The summaries are built locally rather than read back from Sentry
    (mocked until the Sentry API returns the info) and are currently unused
    because callers refresh the whole role.
    """
    api = get_api(user, component)

    def summarize(privilege):
        # grantOption is only true for the integer 1, any other value is false.
        return {
            'timestamp': int(time.time()),
            'database': privilege.get('dbName'),
            'action': privilege.get('action'),
            'scope': privilege.get('privilegeScope'),
            'table': privilege.get('tableName'),
            'column': privilege.get('columnName'),
            'URI': privilege.get('URI'),
            'server': privilege.get('serverName'),
            'grantOption': privilege.get('grantOption') == 1
        }

    granted = []
    for privilege in privileges:
        if privilege['status'] in ('deleted',):
            continue
        api.alter_sentry_role_grant_privilege(role['name'], _to_sentry_privilege(privilege))
        granted.append(summarize(privilege))
    return granted
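def list_sentry_roles_by_group(request):
    """List Sentry roles, optionally restricted to one group.

    When the ``groupName`` POST field is empty the scope depends on the
    caller: members of a Sentry admin group (``get_sentry_server_admin_groups``)
    get ``None`` (everything), everyone else gets ``'*'`` — presumably "only
    the caller's own groups" as the original comment says; the meaning of
    ``'*'`` is decided by the API, not here. Roles are sorted by name.

    Fix: ``component`` was read outside the try, so a request without that
    field raised out of the view instead of being reported in ``result``
    like every other failure; it is now read inside the try.

    A backend error whose text contains "couldn't be retrieved." is mapped
    to an empty role list with ``status`` 0; any other exception yields
    ``status`` -1 with the exception text (decoded as UTF-8) in ``message``,
    echoed to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        component = request.POST['component']
        group_name = request.POST['groupName']
        if not group_name:
            # Admins can see everything, others only the groups they belong to
            is_admin = request.user.groups.filter(
                name__in=get_sentry_server_admin_groups()).exists()
            group_name = None if is_admin else '*'
        roles = get_api(request.user, component).list_sentry_roles_by_group(group_name)
        result['roles'] = sorted(roles, key=lambda r: r['name'])
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not retrieve roles")
        if "couldn't be retrieved." in str(e):
            result['roles'] = []
            result['status'] = 0
        else:
            result['message'] = unicode(str(e), "utf8")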
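def list_sentry_roles_by_group(request):
    """List Sentry roles, optionally restricted to one group.

    When the ``groupName`` POST field is empty the scope depends on the
    caller: members of a Sentry admin group (``get_sentry_server_admin_groups``)
    get ``None`` (everything), everyone else gets ``"*"`` — presumably "only
    the caller's own groups" as the original comment says; the meaning of
    ``"*"`` is decided by the API, not here. Roles are sorted by name.

    Fix: ``component`` was read outside the try, so a request without that
    field raised out of the view instead of being reported in ``result``
    like every other failure; it is now read inside the try.

    A backend error whose text contains "couldn't be retrieved." is mapped
    to an empty role list with ``status`` 0; any other exception yields
    ``status`` -1 with the exception text (decoded as UTF-8) in ``message``,
    echoed to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {"status": -1, "message": "Error"}
    try:
        component = request.POST["component"]
        group_name = request.POST["groupName"]
        if not group_name:
            # Admins can see everything, others only the groups they belong to
            is_admin = request.user.groups.filter(
                name__in=get_sentry_server_admin_groups()).exists()
            group_name = None if is_admin else "*"
        roles = get_api(request.user, component).list_sentry_roles_by_group(group_name)
        result["roles"] = sorted(roles, key=lambda r: r["name"])
        result["message"] = ""
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not retrieve roles")
        if "couldn't be retrieved." in str(e):
            result["roles"] = []
            result["status"] = 0
        else:
            result["message"] = unicode(str(e), "utf8")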
def update_role_groups(request):
    """Synchronise the groups attached to a Sentry role.

    The ``role`` POST field is a JSON object with ``name``, ``groups`` (the
    desired set) and ``originalGroups`` (the current set); ``role`` and
    ``component`` are required. Groups present only in ``groups`` are added,
    groups present only in ``originalGroups`` are removed; each API call is
    skipped when its set is empty.

    On success ``result["status"]`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {"status": -1, "message": "Error"}
    try:
        role = json.loads(request.POST["role"])
        component = request.POST["component"]
        wanted = set(role["groups"])
        current = set(role["originalGroups"])
        to_add = wanted - current
        to_remove = current - wanted
        api = get_api(request.user, component)
        if to_add:
            api.alter_sentry_role_add_groups(role["name"], to_add)
        if to_remove:
            api.alter_sentry_role_delete_groups(role["name"], to_remove)
        result["message"] = ""
        result["status"] = 0
    except Exception as e:
        LOG.exception("could not update role groups")
        result["message"] = unicode(str(e), "utf8")
def list_sentry_privileges_by_role(request):
    """List the privileges granted to one Sentry role.

    POST fields ``server``, ``component`` and ``roleName`` are required; a
    missing one raises inside the try. Privileges are sorted by the dotted
    ``server.database.table.URI`` key built from each privilege dict.

    On success ``result['status']`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        service_name = request.POST['server']
        component = request.POST['component']
        role_name = request.POST['roleName']
        api = get_api(request.user, component)
        privileges = api.list_sentry_privileges_by_role(service_name, role_name)

        def sort_key(privilege):
            return '%s.%s.%s.%s' % (
                privilege['server'], privilege['database'], privilege['table'], privilege['URI'])

        result['sentry_privileges'] = sorted(privileges, key=sort_key)
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not list sentry privileges")
        result['message'] = unicode(str(e), "utf8")
def update_role_groups(request):
    """Synchronise the groups attached to a Sentry role.

    The ``role`` POST field is a JSON object with ``name``, ``groups`` (the
    desired set) and ``originalGroups`` (the current set); ``role`` and
    ``component`` are required. Groups present only in ``groups`` are added,
    groups present only in ``originalGroups`` are removed; each API call is
    skipped when its set is empty.

    On success ``result['status']`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        role = json.loads(request.POST['role'])
        component = request.POST['component']
        wanted = set(role['groups'])
        current = set(role['originalGroups'])
        to_add = wanted - current
        to_remove = current - wanted
        api = get_api(request.user, component)
        if to_add:
            api.alter_sentry_role_add_groups(role['name'], to_add)
        if to_remove:
            api.alter_sentry_role_delete_groups(role['name'], to_remove)
        result['message'] = ''
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not update role groups")
        result['message'] = unicode(str(e), "utf8")
def create_role(request):
    """Create a Sentry role, grant its privileges and attach its groups.

    The ``role`` POST field is a JSON object with ``name``, ``privileges``
    (each carrying a ``status``) and ``groups``. Privileges whose status is
    ``'deleted'`` or ``'alreadydeleted'`` are skipped; the rest are granted
    through ``_hive_add_privileges``, whose rows are returned under
    ``privileges``. The three backend calls are not transactional: a failure
    after ``create_sentry_role`` leaves the role behind.

    On success ``result['status']`` is 0; on failure ``message`` holds the
    exception text decoded as UTF-8, which is echoed back to the caller.

    NOTE(review): no return statement is visible in this listing, so no
    response object is built here — confirm against the full source.
    """
    result = {'status': -1, 'message': 'Error'}
    try:
        role = json.loads(request.POST['role'])
        component = request.POST['component']
        api = get_api(request.user, component)
        role_name = role['name']
        api.create_sentry_role(role_name)
        skipped = ('deleted', 'alreadydeleted')
        wanted = [p for p in role['privileges'] if p['status'] not in skipped]
        result['privileges'] = _hive_add_privileges(request.user, role, wanted, component)
        api.alter_sentry_role_add_groups(role_name, role['groups'])
        result['role'] = {"name": role_name, "groups": role['groups']}
        result['message'] = _('Role created!')
        result['status'] = 0
    except Exception as e:
        LOG.exception("could not create role")
        result['message'] = unicode(str(e), "utf8")
def _hive_add_privileges(user, role, privileges, component):
    """Grant each non-deleted privilege to ``role`` and describe what was granted.

    :param user: user on whose behalf the Sentry API is obtained
    :param role: dict with at least a ``name`` key
    :param privileges: iterable of privilege dicts; entries whose ``status``
        is ``"deleted"`` are skipped, the others are converted with
        ``_to_sentry_privilege`` and granted
    :param component: Sentry component passed to ``get_api``
    :return: one summary dict per granted privilege (timestamp, database,
        action, scope, table, column, URI, server, grantOption)

    The summaries are built locally rather than read back from Sentry
    (mocked until the Sentry API returns the info) and are currently unused
    because callers refresh the whole role.
    """
    api = get_api(user, component)

    def summarize(privilege):
        # grantOption is only true for the integer 1, any other value is false.
        return {
            "timestamp": int(time.time()),
            "database": privilege.get("dbName"),
            "action": privilege.get("action"),
            "scope": privilege.get("privilegeScope"),
            "table": privilege.get("tableName"),
            "column": privilege.get("columnName"),
            "URI": privilege.get("URI"),
            "server": privilege.get("serverName"),
            "grantOption": privilege.get("grantOption") == 1,
        }

    granted = []
    for privilege in privileges:
        if privilege["status"] in ("deleted",):
            continue
        api.alter_sentry_role_grant_privilege(role["name"], _to_sentry_privilege(privilege))
        granted.append(summarize(privilege))
    return granted
def _drop_sentry_privilege(user, role, authorizable, component):
    """Revoke one privilege from a Sentry role.

    :param user: user on whose behalf the Sentry API is obtained
    :param role: dict with at least a ``name`` key
    :param authorizable: privilege dict, converted with ``_to_sentry_privilege``
    :param component: Sentry component passed to ``get_api``
    :return: whatever ``alter_sentry_role_revoke_privilege`` returns
    """
    api = get_api(user, component)
    sentry_privilege = _to_sentry_privilege(authorizable)
    return api.alter_sentry_role_revoke_privilege(role['name'], sentry_privilege)