def bulk_delete_privileges(request):
result = {'status': -1, 'message': 'Error'}
try:
checkedPaths = json.loads(request.POST.get('checkedPaths'))
authorizableHierarchy = json.loads(
request.POST.get('authorizableHierarchy'))
component = request.POST.get('component')
for path in [path['path'] for path in checkedPaths]:
db, table, column = _get_splitted_path(path)
authorizableHierarchy.update({
'db': db,
'table': table,
'column': column,
})
get_api(request.user,
component).drop_sentry_privileges(authorizableHierarchy)
result['message'] = _('Privileges deleted.')
result['status'] = 0
except Exception as e:
LOG.exception("could not bulk delete privileges")
result['message'] = str(e)
return JsonResponse(result)
def drop_sentry_role(request):
result = {'status': -1, 'message': 'Error'}
try:
roleName = request.POST['roleName']
component = request.POST['component']
get_api(request.user, component).drop_sentry_role(roleName)
result['message'] = _('Role and privileges deleted.')
result['status'] = 0
except Exception, e:
LOG.exception("could not drop role")
result['message'] = unicode(str(e), "utf8")
def create_sentry_role(request):
result = {'status': -1, 'message': 'Error'}
try:
roleName = request.POST['roleName']
component = json.loads(request.POST['component'])
get_api(request.user, component).create_sentry_role(roleName)
result['message'] = _('Role and privileges created.')
result['status'] = 0
except Exception, e:
LOG.exception("could not create role")
result['message'] = unicode(str(e), "utf8")
def create_sentry_role(request):
result = {'status': -1, 'message': 'Error'}
try:
roleName = request.POST.get('roleName')
component = request.POST.get('component')
get_api(request.user, component).create_sentry_role(roleName)
result['message'] = _('Role and privileges created.')
result['status'] = 0
except Exception, e:
LOG.exception("could not create role")
result['message'] = unicode(str(e), "utf8")
def drop_sentry_role(request):
result = {"status": -1, "message": "Error"}
try:
roleName = request.POST["roleName"]
component = request.POST["component"]
get_api(request.user, component).drop_sentry_role(roleName)
result["message"] = _("Role and privileges deleted.")
result["status"] = 0
except Exception, e:
LOG.exception("could not drop role")
result["message"] = unicode(str(e), "utf8")
def rename_sentry_privilege(request):
result = {"status": -1, "message": "Error"}
try:
oldAuthorizable = json.loads(request.POST["oldAuthorizable"])
newAuthorizable = json.loads(request.POST["newAuthorizable"])
component = request.POST["component"]
get_api(request.user, component).rename_sentry_privilege(oldAuthorizable, newAuthorizable)
result["message"] = _("Privilege deleted.")
result["status"] = 0
except Exception, e:
LOG.exception("could not rename privilege")
result["message"] = unicode(str(e), "utf8")
def rename_sentry_privilege(request):
result = {'status': -1, 'message': 'Error'}
try:
oldAuthorizable = json.loads(request.POST['oldAuthorizable'])
newAuthorizable = json.loads(request.POST['newAuthorizable'])
component = request.POST['component']
get_api(request.user, component).rename_sentry_privilege(oldAuthorizable, newAuthorizable)
result['message'] = _('Privilege deleted.')
result['status'] = 0
except Exception, e:
LOG.exception("could not rename privilege")
result['message'] = unicode(str(e), "utf8")
def update_role_groups(request):
result = {'status': -1, 'message': 'Error'}
try:
role = json.loads(request.POST.get('role'))
component = request.POST.get('component')
new_groups = set(role['groups']) - set(role['originalGroups'])
deleted_groups = set(role['originalGroups']) - set(role['groups'])
api = get_api(request.user, component)
if new_groups:
api.alter_sentry_role_add_groups(role['name'], new_groups)
if deleted_groups:
api.alter_sentry_role_delete_groups(role['name'], deleted_groups)
result['message'] = ''
result['status'] = 0
except Exception as e:
LOG.exception("could not update role groups")
result['message'] = str(e)
return JsonResponse(result)
def list_sentry_privileges_by_authorizable(request):
result = {'status': -1, 'message': 'Error'}
try:
groups = [request.POST.get('groupName')] if request.POST.get('groupName') else None
serviceName = request.POST.get('server')
authorizableSet = [json.loads(request.POST.get('authorizableHierarchy'))]
component = request.POST.get('component')
_privileges = []
for authorizable, roles in get_api(request.user, component).list_sentry_privileges_by_authorizable(serviceName=serviceName, authorizableSet=authorizableSet, groups=groups):
for role, privileges in roles.items():
for privilege in privileges:
privilege['roleName'] = role
_privileges.append(privilege)
result['privileges'] = sorted(_privileges, key=lambda privilege: privilege['roleName'])
result['message'] = ''
result['status'] = 0
except Exception as e:
LOG.exception("could not list privileges by authorizable")
result['message'] = str(e)
return JsonResponse(result)
def list_sentry_roles_by_group(request):
result = {'status': -1, 'message': 'Error'}
component = request.POST.get('component')
try:
if request.POST.get('groupName'):
groupName = request.POST.get('groupName')
else:
# Admins can see everything, other only the groups they belong too
groupName = None if request.user.groups.filter(
name__in=get_sentry_server_admin_groups()).exists() else '*'
roles = get_api(request.user,
component).list_sentry_roles_by_group(groupName)
result['roles'] = sorted(roles, key=lambda role: role['name'])
result['message'] = ''
result['status'] = 0
except Exception as e:
LOG.exception("could not retrieve roles")
if "couldn't be retrieved." in str(e):
result['roles'] = []
result['status'] = 0
else:
result['message'] = str(e)
return JsonResponse(result)
def list_sentry_privileges_by_authorizable(request):
result = {'status': -1, 'message': 'Error'}
try:
groups = [request.POST.get('groupName')] if request.POST.get('groupName') else None
serviceName = request.POST.get('server')
authorizableSet = [json.loads(request.POST.get('authorizableHierarchy'))]
component = request.POST.get('component')
_privileges = []
for authorizable, roles in get_api(request.user, component).list_sentry_privileges_by_authorizable(serviceName=serviceName, authorizableSet=authorizableSet, groups=groups):
for role, privileges in roles.iteritems():
for privilege in privileges:
privilege['roleName'] = role
_privileges.append(privilege)
result['privileges'] = sorted(_privileges, key=lambda privilege: privilege['roleName'])
result['message'] = ''
result['status'] = 0
except Exception, e:
LOG.exception("could not list privileges by authorizable")
result['message'] = unicode(str(e), "utf8")
def create_role(request):
result = {'status': -1, 'message': 'Error'}
try:
role = json.loads(request.POST['role'])
component = request.POST['component']
api = get_api(request.user, component)
api.create_sentry_role(role['name'])
privileges = [
privilege for privilege in role['privileges']
if privilege['status'] not in ('deleted', 'alreadydeleted')
]
result['privileges'] = _hive_add_privileges(request.user, role,
privileges, component)
api.alter_sentry_role_add_groups(role['name'], role['groups'])
result['role'] = {"name": role['name'], "groups": role['groups']}
result['message'] = _('Role created!')
result['status'] = 0
except Exception, e:
LOG.exception("could not create role")
result['message'] = unicode(str(e), "utf8")
def list_sentry_privileges_by_authorizable(request):
result = {"status": -1, "message": "Error"}
try:
groups = [request.POST["groupName"]] if request.POST["groupName"] else None
serviceName = request.POST["server"]
authorizableSet = [json.loads(request.POST["authorizableHierarchy"])]
component = request.POST["component"]
_privileges = []
for authorizable, roles in get_api(request.user, component).list_sentry_privileges_by_authorizable(
serviceName=serviceName, authorizableSet=authorizableSet, groups=groups
):
for role, privileges in roles.iteritems():
for privilege in privileges:
privilege["roleName"] = role
_privileges.append(privilege)
result["privileges"] = sorted(_privileges, key=lambda privilege: privilege["roleName"])
result["message"] = ""
result["status"] = 0
except Exception, e:
LOG.exception("could not list privileges by authorizable")
result["message"] = unicode(str(e), "utf8")
def create_role(request):
result = {"status": -1, "message": "Error"}
try:
role = json.loads(request.POST["role"])
component = request.POST["component"]
api = get_api(request.user, component)
api.create_sentry_role(role["name"])
privileges = [
privilege for privilege in role["privileges"] if privilege["status"] not in ("deleted", "alreadydeleted")
]
result["privileges"] = _hive_add_privileges(request.user, role, privileges, component)
api.alter_sentry_role_add_groups(role["name"], role["groups"])
result["role"] = {"name": role["name"], "groups": role["groups"]}
result["message"] = _("Role created!")
result["status"] = 0
except Exception, e:
LOG.exception("could not create role")
result["message"] = unicode(str(e), "utf8")
def list_sentry_privileges_by_authorizable(request):
result = {'status': -1, 'message': 'Error'}
try:
groups = [request.POST['groupName']
] if request.POST['groupName'] else None
authorizableSet = [json.loads(request.POST['authorizableHierarchy'])]
component = request.POST['component']
_privileges = []
for authorizable, roles in get_api(
request.user,
component).list_sentry_privileges_by_authorizable(
authorizableSet=authorizableSet, groups=groups):
for role, privileges in roles.iteritems():
for privilege in privileges:
privilege['roleName'] = role
_privileges.append(privilege)
result['privileges'] = sorted(
_privileges, key=lambda privilege: privilege['roleName'])
result['message'] = ''
result['status'] = 0
except Exception, e:
LOG.exception("could not list privileges by authorizable")
result['message'] = unicode(str(e), "utf8")
def drop_sentry_role(request):
result = {'status': -1, 'message': 'Error'}
try:
roleName = request.POST.get('roleName')
component = request.POST.get('component')
get_api(request.user, component).drop_sentry_role(roleName)
result['message'] = _('Role and privileges deleted.')
result['status'] = 0
except Exception as e:
LOG.exception("could not drop role")
result['message'] = str(e)
return JsonResponse(result)
def rename_sentry_privilege(request):
result = {'status': -1, 'message': 'Error'}
try:
oldAuthorizable = json.loads(request.POST.get('oldAuthorizable'))
newAuthorizable = json.loads(request.POST.get('newAuthorizable'))
component = request.POST.get('component')
get_api(request.user, component).rename_sentry_privilege(oldAuthorizable, newAuthorizable)
result['message'] = _('Privilege deleted.')
result['status'] = 0
except Exception as e:
LOG.exception("could not rename privilege")
result['message'] = str(e)
return JsonResponse(result)
def _get_sentry_api(user): """ Get the API helper class of sentry :param user: The user of the http request. Must be authorized to perform sentry operations (in sentry-site.xml) :return: API helper class of sentry. Defined in libsentry/api2.py """ # Here "cdap" stands for the component to be used in sentry. # Since here the CDAP plugin only deals with CDAP related ACLs, it is hard coded as "cdap" here return get_api(user, "cdap")
def bulk_delete_privileges(request):
result = {"status": -1, "message": "Error"}
try:
checkedPaths = json.loads(request.POST["checkedPaths"])
authorizableHierarchy = json.loads(request.POST["authorizableHierarchy"])
component = request.POST["component"]
for path in [path["path"] for path in checkedPaths]:
db, table, column = _get_splitted_path(path)
authorizableHierarchy.update({"db": db, "table": table, "column": column})
get_api(request.user, component).drop_sentry_privileges(authorizableHierarchy)
result["message"] = _("Privileges deleted.")
result["status"] = 0
except Exception, e:
LOG.exception("could not bulk delete privileges")
result["message"] = unicode(str(e), "utf8")
def bulk_delete_privileges(request):
result = {'status': -1, 'message': 'Error'}
try:
checkedPaths = json.loads(request.POST['checkedPaths'])
authorizableHierarchy = json.loads(request.POST['authorizableHierarchy'])
component = request.POST['component']
for path in [path['path'] for path in checkedPaths]:
db, table, column = _get_splitted_path(path)
authorizableHierarchy.update({
'db': db,
'table': table,
'column': column,
})
get_api(request.user, component).drop_sentry_privileges(authorizableHierarchy)
result['message'] = _('Privileges deleted.')
result['status'] = 0
except Exception, e:
LOG.exception("could not bulk delete privileges")
result['message'] = unicode(str(e), "utf8")
def list_sentry_privileges_for_provider(request):
result = {'status': -1, 'message': 'Error'}
try:
groups = json.loads(request.POST['groups'])
roleSet = json.loads(request.POST['roleSet'])
authorizableHierarchy = json.loads(request.POST['authorizableHierarchy'])
component = request.POST['component']
sentry_privileges = get_api(request.user, component).list_sentry_privileges_for_provider(groups=groups, roleSet=roleSet, authorizableHierarchy=authorizableHierarchy)
result['sentry_privileges'] = sentry_privileges
result['message'] = ''
result['status'] = 0
except Exception, e:
LOG.exception("could not list privileges for provider")
result['message'] = unicode(str(e), "utf8")
def list_sentry_privileges_by_role(request):
result = {'status': -1, 'message': 'Error'}
try:
serviceName = request.POST['server']
component = request.POST['component']
roleName = request.POST['roleName']
sentry_privileges = get_api(request.user, component).list_sentry_privileges_by_role(serviceName, roleName)
result['sentry_privileges'] = sorted(sentry_privileges, key=lambda privilege: '%s.%s.%s.%s' % (privilege['server'], privilege['database'], privilege['table'], privilege['URI']))
result['message'] = ''
result['status'] = 0
except Exception, e:
LOG.exception("could not list sentry privileges")
result['message'] = unicode(str(e), "utf8")
def list_sentry_privileges_by_role(request):
result = {'status': -1, 'message': 'Error'}
try:
serviceName = request.POST['server']
component = request.POST['component']
roleName = request.POST['roleName']
sentry_privileges = get_api(request.user, component).list_sentry_privileges_by_role(serviceName, roleName)
result['sentry_privileges'] = sorted(sentry_privileges, key=lambda privilege: '.'.join([auth['name'] for auth in privilege['authorizables']]))
result['message'] = ''
result['status'] = 0
except Exception, e:
LOG.exception("could not list sentry privileges")
result['message'] = unicode(str(e), "utf8")
def list_sentry_privileges_for_provider(request):
result = {"status": -1, "message": "Error"}
try:
groups = json.loads(request.POST["groups"])
roleSet = json.loads(request.POST["roleSet"])
authorizableHierarchy = json.loads(request.POST["authorizableHierarchy"])
component = request.POST["component"]
sentry_privileges = get_api(request.user, component).list_sentry_privileges_for_provider(
groups=groups, roleSet=roleSet, authorizableHierarchy=authorizableHierarchy
)
result["sentry_privileges"] = sentry_privileges
result["message"] = ""
result["status"] = 0
except Exception, e:
LOG.exception("could not list privileges for provider")
result["message"] = unicode(str(e), "utf8")
def list_sentry_privileges_for_provider(request):
result = {'status': -1, 'message': 'Error'}
try:
groups = json.loads(request.POST.get('groups'))
roleSet = json.loads(request.POST.get('roleSet'))
authorizableHierarchy = json.loads(request.POST.get('authorizableHierarchy'))
component = request.POST.get('component')
sentry_privileges = get_api(request.user, component).list_sentry_privileges_for_provider(groups=groups, roleSet=roleSet, authorizableHierarchy=authorizableHierarchy)
result['sentry_privileges'] = sentry_privileges
result['message'] = ''
result['status'] = 0
except Exception as e:
LOG.exception("could not list privileges for provider")
result['message'] = str(e)
return JsonResponse(result)
def list_sentry_privileges_by_role(request):
result = {"status": -1, "message": "Error"}
try:
serviceName = request.POST["server"]
component = request.POST["component"]
roleName = request.POST["roleName"]
sentry_privileges = get_api(request.user, component).list_sentry_privileges_by_role(serviceName, roleName)
result["sentry_privileges"] = sorted(
sentry_privileges, key=lambda privilege: ".".join([auth["name"] for auth in privilege["authorizables"]])
)
result["message"] = ""
result["status"] = 0
except Exception, e:
LOG.exception("could not list sentry privileges")
result["message"] = unicode(str(e), "utf8")
def list_sentry_privileges_by_role(request):
result = {'status': -1, 'message': 'Error'}
try:
serviceName = request.POST.get('server')
component = request.POST.get('component')
roleName = request.POST.get('roleName')
sentry_privileges = get_api(request.user, component).list_sentry_privileges_by_role(serviceName, roleName)
result['sentry_privileges'] = sorted(sentry_privileges, key=lambda privilege: '.'.join([auth['name'] for auth in privilege['authorizables']]))
result['message'] = ''
result['status'] = 0
except Exception as e:
LOG.exception("could not list sentry privileges")
result['message'] = str(e)
return JsonResponse(result)
def _hive_add_privileges(user, role, privileges, component):
api = get_api(user, component)
_privileges = []
for privilege in privileges:
if privilege['status'] not in ('deleted',):
api.alter_sentry_role_grant_privilege(role['name'], _to_sentry_privilege(privilege))
# Mocked until Sentry API returns the info. Not used currently as we refresh the whole role.
_privileges.append({
'timestamp': int(time.time()),
'database': privilege.get('dbName'),
'action': privilege.get('action'),
'scope': privilege.get('privilegeScope'),
'table': privilege.get('tableName'),
'column': privilege.get('columnName'),
'URI': privilege.get('URI'),
'server': privilege.get('serverName'),
'grantOption': privilege.get('grantOption') == 1
})
return _privileges
def list_sentry_roles_by_group(request):
result = {'status': -1, 'message': 'Error'}
component = request.POST['component']
try:
if request.POST['groupName']:
groupName = request.POST['groupName']
else:
# Admins can see everything, other only the groups they belong too
groupName = None if request.user.groups.filter(name__in=get_sentry_server_admin_groups()).exists() else '*'
roles = get_api(request.user, component).list_sentry_roles_by_group(groupName)
result['roles'] = sorted(roles, key=lambda role: role['name'])
result['message'] = ''
result['status'] = 0
except Exception, e:
LOG.exception("could not retrieve roles")
if "couldn't be retrieved." in str(e):
result['roles'] = []
result['status'] = 0
else:
result['message'] = unicode(str(e), "utf8")
def list_sentry_roles_by_group(request):
result = {"status": -1, "message": "Error"}
component = request.POST["component"]
try:
if request.POST["groupName"]:
groupName = request.POST["groupName"]
else:
# Admins can see everything, other only the groups they belong too
groupName = None if request.user.groups.filter(name__in=get_sentry_server_admin_groups()).exists() else "*"
roles = get_api(request.user, component).list_sentry_roles_by_group(groupName)
result["roles"] = sorted(roles, key=lambda role: role["name"])
result["message"] = ""
result["status"] = 0
except Exception, e:
LOG.exception("could not retrieve roles")
if "couldn't be retrieved." in str(e):
result["roles"] = []
result["status"] = 0
else:
result["message"] = unicode(str(e), "utf8")
def update_role_groups(request):
result = {"status": -1, "message": "Error"}
try:
role = json.loads(request.POST["role"])
component = request.POST["component"]
new_groups = set(role["groups"]) - set(role["originalGroups"])
deleted_groups = set(role["originalGroups"]) - set(role["groups"])
api = get_api(request.user, component)
if new_groups:
api.alter_sentry_role_add_groups(role["name"], new_groups)
if deleted_groups:
api.alter_sentry_role_delete_groups(role["name"], deleted_groups)
result["message"] = ""
result["status"] = 0
except Exception, e:
LOG.exception("could not update role groups")
result["message"] = unicode(str(e), "utf8")
def list_sentry_privileges_by_role(request):
result = {'status': -1, 'message': 'Error'}
try:
serviceName = request.POST['server']
component = request.POST['component']
roleName = request.POST['roleName']
sentry_privileges = get_api(request.user,
component).list_sentry_privileges_by_role(
serviceName, roleName)
result['sentry_privileges'] = sorted(
sentry_privileges,
key=lambda privilege: '%s.%s.%s.%s' %
(privilege['server'], privilege['database'], privilege['table'],
privilege['URI']))
result['message'] = ''
result['status'] = 0
except Exception, e:
LOG.exception("could not list sentry privileges")
result['message'] = unicode(str(e), "utf8")
def update_role_groups(request):
result = {'status': -1, 'message': 'Error'}
try:
role = json.loads(request.POST['role'])
component = request.POST['component']
new_groups = set(role['groups']) - set(role['originalGroups'])
deleted_groups = set(role['originalGroups']) - set(role['groups'])
api = get_api(request.user, component)
if new_groups:
api.alter_sentry_role_add_groups(role['name'], new_groups)
if deleted_groups:
api.alter_sentry_role_delete_groups(role['name'], deleted_groups)
result['message'] = ''
result['status'] = 0
except Exception, e:
LOG.exception("could not update role groups")
result['message'] = unicode(str(e), "utf8")
def create_role(request):
result = {'status': -1, 'message': 'Error'}
try:
role = json.loads(request.POST['role'])
component = request.POST['component']
api = get_api(request.user, component)
api.create_sentry_role(role['name'])
privileges = [privilege for privilege in role['privileges'] if privilege['status'] not in ('deleted', 'alreadydeleted')]
result['privileges'] = _hive_add_privileges(request.user, role, privileges, component)
api.alter_sentry_role_add_groups(role['name'], role['groups'])
result['role'] = {"name": role['name'], "groups": role['groups']}
result['message'] = _('Role created!')
result['status'] = 0
except Exception, e:
LOG.exception("could not create role")
result['message'] = unicode(str(e), "utf8")
def _hive_add_privileges(user, role, privileges, component):
api = get_api(user, component)
_privileges = []
for privilege in privileges:
if privilege["status"] not in ("deleted",):
api.alter_sentry_role_grant_privilege(role["name"], _to_sentry_privilege(privilege))
# Mocked until Sentry API returns the info. Not used currently as we refresh the whole role.
_privileges.append(
{
"timestamp": int(time.time()),
"database": privilege.get("dbName"),
"action": privilege.get("action"),
"scope": privilege.get("privilegeScope"),
"table": privilege.get("tableName"),
"column": privilege.get("columnName"),
"URI": privilege.get("URI"),
"server": privilege.get("serverName"),
"grantOption": privilege.get("grantOption") == 1,
}
)
return _privileges
def _drop_sentry_privilege(user, role, authorizable, component): return get_api(user, component).alter_sentry_role_revoke_privilege(role['name'], _to_sentry_privilege(authorizable))
