org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.java Source code

Java tutorial

Introduction

Here is the source code for org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.java

Source

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.sentry.provider.db.service.thrift;

import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.provider.common.GroupMappingService;
import org.apache.sentry.provider.db.SentryAccessDeniedException;
import org.apache.sentry.provider.db.SentryAlreadyExistsException;
import org.apache.sentry.provider.db.SentryInvalidInputException;
import org.apache.sentry.provider.db.SentryNoSuchObjectException;
import org.apache.sentry.provider.db.SentryPolicyStorePlugin;
import org.apache.sentry.provider.db.SentryPolicyStorePlugin.SentryPluginException;
import org.apache.sentry.provider.db.SentryThriftAPIMismatchException;
import org.apache.sentry.provider.db.log.entity.JsonLogEntity;
import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory;
import org.apache.sentry.provider.db.log.util.Constants;
import org.apache.sentry.provider.db.service.persistent.CommitContext;
import org.apache.sentry.provider.db.service.persistent.HAContext;
import org.apache.sentry.provider.db.service.persistent.SentryStore;
import org.apache.sentry.provider.db.service.persistent.ServiceRegister;
import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;
import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
import org.apache.sentry.service.thrift.Status;
import org.apache.sentry.service.thrift.TSentryResponseStatus;
import org.apache.thrift.TException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.codahale.metrics.Timer;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Splitter;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;

@SuppressWarnings("unused")
public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
    private static final Logger LOGGER = LoggerFactory.getLogger(SentryPolicyStoreProcessor.class);
    private static final Logger AUDIT_LOGGER = LoggerFactory.getLogger(Constants.AUDIT_LOGGER_NAME);

    public static final String SENTRY_POLICY_SERVICE_NAME = "SentryPolicyService";

    public static volatile SentryPolicyStoreProcessor instance;

    private final String name;
    private final Configuration conf;
    private final SentryStore sentryStore;
    private final NotificationHandlerInvoker notificationHandlerInvoker;
    private final ImmutableSet<String> adminGroups;
    private boolean isReady;
    SentryMetrics sentryMetrics;
    private HAContext haContext;

    private List<SentryPolicyStorePlugin> sentryPlugins = new LinkedList<SentryPolicyStorePlugin>();

    public SentryPolicyStoreProcessor(String name, Configuration conf) throws Exception {
        super();
        this.name = name;
        this.conf = conf;
        this.notificationHandlerInvoker = new NotificationHandlerInvoker(conf, createHandlers(conf));
        isReady = false;
        if (conf.getBoolean(ServerConfig.SENTRY_HA_ENABLED, ServerConfig.SENTRY_HA_ENABLED_DEFAULT)) {
            haContext = HAContext.getHAServerContext(conf);
            sentryStore = new SentryStore(conf);
            ServiceRegister reg = new ServiceRegister(haContext);
            reg.regService(conf.get(ServerConfig.RPC_ADDRESS),
                    conf.getInt(ServerConfig.RPC_PORT, ServerConfig.RPC_PORT_DEFAULT));
        } else {
            sentryStore = new SentryStore(conf);
        }
        isReady = true;
        adminGroups = ImmutableSet.copyOf(
                toTrimedLower(Sets.newHashSet(conf.getStrings(ServerConfig.ADMIN_GROUPS, new String[] {}))));
        Iterable<String> pluginClasses = ConfUtilties.CLASS_SPLITTER.split(
                conf.get(ServerConfig.SENTRY_POLICY_STORE_PLUGINS, ServerConfig.SENTRY_POLICY_STORE_PLUGINS_DEFAULT)
                        .trim());
        for (String pluginClassStr : pluginClasses) {
            Class<?> clazz = conf.getClassByName(pluginClassStr);
            if (!SentryPolicyStorePlugin.class.isAssignableFrom(clazz)) {
                throw new IllegalArgumentException("Sentry Plugin [" + pluginClassStr + "] is not a "
                        + SentryPolicyStorePlugin.class.getName());
            }
            SentryPolicyStorePlugin plugin = (SentryPolicyStorePlugin) clazz.newInstance();
            plugin.initialize(conf, sentryStore);
            sentryPlugins.add(plugin);
        }
        if (instance == null) {
            instance = this;
        }
        initMetrics();
    }

    private void initMetrics() {
        sentryMetrics = SentryMetrics.getInstance();
        sentryMetrics.addSentryStoreGauges(sentryStore);

        String sentryReporting = conf.get(ServerConfig.SENTRY_REPORTER);
        if (sentryReporting != null) {
            SentryMetrics.Reporting reporting;
            try {
                reporting = SentryMetrics.Reporting.valueOf(sentryReporting.toUpperCase());
                sentryMetrics.initReporting(reporting);

            } catch (IllegalArgumentException e) {
                LOGGER.warn("Metrics reporting not configured correctly, please set " + ServerConfig.SENTRY_REPORTER
                        + " to: " + ServerConfig.SENTRY_REPORTER_CONSOLE + "/" + ServerConfig.SENTRY_REPORTER_JMX);
            }
        }
    }

    public void stop() {
        if (isReady) {
            sentryStore.stop();
        }
        if (haContext != null) {
            try {
                haContext.getCuratorFramework().close();
            } catch (Exception e) {
            }
        }
    }

    public void registerPlugin(SentryPolicyStorePlugin plugin) throws SentryPluginException {
        plugin.initialize(conf, sentryStore);
        sentryPlugins.add(plugin);
    }

    @VisibleForTesting
    static List<NotificationHandler> createHandlers(Configuration conf) throws SentryConfigurationException {
        List<NotificationHandler> handlers = Lists.newArrayList();
        Iterable<String> notificationHandlers = Splitter.onPattern("[\\s,]").trimResults().omitEmptyStrings()
                .split(conf.get(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, ""));
        for (String notificationHandler : notificationHandlers) {
            Class<?> clazz = null;
            try {
                clazz = Class.forName(notificationHandler);
                if (!NotificationHandler.class.isAssignableFrom(clazz)) {
                    throw new SentryConfigurationException(
                            "Class " + notificationHandler + " is not a " + NotificationHandler.class.getName());
                }
            } catch (ClassNotFoundException e) {
                throw new SentryConfigurationException("Value " + notificationHandler + " is not a class", e);
            }
            Preconditions.checkNotNull(clazz, "Error class cannot be null");
            try {
                Constructor<?> constructor = clazz.getConstructor(Configuration.class);
                handlers.add((NotificationHandler) constructor.newInstance(conf));
            } catch (Exception e) {
                throw new SentryConfigurationException("Error attempting to create " + notificationHandler, e);
            }
        }
        return handlers;
    }

    @VisibleForTesting
    public Configuration getSentryStoreConf() {
        return conf;
    }

    private static Set<String> toTrimedLower(Set<String> s) {
        Set<String> result = Sets.newHashSet();
        for (String v : s) {
            result.add(v.trim().toLowerCase());
        }
        return result;
    }

    private boolean inAdminGroups(Set<String> requestorGroups) {
        requestorGroups = toTrimedLower(requestorGroups);
        if (Sets.intersection(adminGroups, requestorGroups).isEmpty()) {
            return false;
        } else
            return true;
    }

    private void authorize(String requestorUser, Set<String> requestorGroups) throws SentryAccessDeniedException {
        if (!inAdminGroups(requestorGroups)) {
            String msg = "User: " + requestorUser + " is part of " + requestorGroups
                    + " which does not, intersect admin groups " + adminGroups;
            LOGGER.warn(msg);
            throw new SentryAccessDeniedException("Access denied to " + requestorUser);
        }
    }

    @Override
    public TCreateSentryRoleResponse create_sentry_role(TCreateSentryRoleRequest request) throws TException {
        final Timer.Context timerContext = sentryMetrics.createRoleTimer.time();
        TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
        try {
            validateClientVersion(request.getProtocol_version());
            authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName()));
            CommitContext commitContext = sentryStore.createSentryRole(request.getRoleName());
            response.setStatus(Status.OK());
            notificationHandlerInvoker.create_sentry_role(commitContext, request, response);
        } catch (SentryAlreadyExistsException e) {
            String msg = "Role: " + request + " already exists.";
            LOGGER.error(msg, e);
            response.setStatus(Status.AlreadyExists(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            timerContext.stop();
        }

        try {
            AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(request, response, conf)
                    .toJsonFormatLog());
        } catch (Exception e) {
            // if any exception, log the exception.
            String msg = "Error creating audit log for create role: " + e.getMessage();
            LOGGER.error(msg, e);
        }
        return response;
    }

    @Override
    public TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege(
            TAlterSentryRoleGrantPrivilegeRequest request) throws TException {
        final Timer.Context timerContext = sentryMetrics.grantTimer.time();

        TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
        try {
            validateClientVersion(request.getProtocol_version());
            // There should only one field be set
            if (!(request.isSetPrivileges() ^ request.isSetPrivilege())) {
                throw new SentryUserException("SENTRY API version is not right!");
            }
            // Maintain compatibility for old API: Set privilege field to privileges field
            if (request.isSetPrivilege()) {
                request.setPrivileges(Sets.newHashSet(request.getPrivilege()));
            }
            CommitContext commitContext = sentryStore.alterSentryRoleGrantPrivileges(request.getRequestorUserName(),
                    request.getRoleName(), request.getPrivileges());
            response.setStatus(Status.OK());
            response.setPrivileges(request.getPrivileges());
            // Maintain compatibility for old API: Set privilege field to response
            if (response.isSetPrivileges() && response.getPrivileges().size() == 1) {
                response.setPrivilege(response.getPrivileges().iterator().next());
            }
            notificationHandlerInvoker.alter_sentry_role_grant_privilege(commitContext, request, response);
            for (SentryPolicyStorePlugin plugin : sentryPlugins) {
                plugin.onAlterSentryRoleGrantPrivilege(request);
            }
        } catch (SentryNoSuchObjectException e) {
            String msg = "Role: " + request.getRoleName() + " doesn't exist.";
            LOGGER.error(msg, e);
            response.setStatus(Status.NoSuchObject(msg, e));
        } catch (SentryInvalidInputException e) {
            String msg = "Invalid input privilege object";
            LOGGER.error(msg, e);
            response.setStatus(Status.InvalidInput(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            timerContext.stop();
        }

        try {
            Set<JsonLogEntity> jsonLogEntitys = JsonLogEntityFactory.getInstance().createJsonLogEntitys(request,
                    response, conf);
            for (JsonLogEntity jsonLogEntity : jsonLogEntitys) {
                AUDIT_LOGGER.info(jsonLogEntity.toJsonFormatLog());
            }
        } catch (Exception e) {
            // if any exception, log the exception.
            String msg = "Error creating audit log for grant privilege to role: " + e.getMessage();
            LOGGER.error(msg, e);
        }
        return response;
    }

    @Override
    public TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege(
            TAlterSentryRoleRevokePrivilegeRequest request) throws TException {
        final Timer.Context timerContext = sentryMetrics.revokeTimer.time();
        TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse();
        try {
            validateClientVersion(request.getProtocol_version());
            // There should only one field be set
            if (!(request.isSetPrivileges() ^ request.isSetPrivilege())) {
                throw new SentryUserException("SENTRY API version is not right!");
            }
            // Maintain compatibility for old API: Set privilege field to privileges field
            if (request.isSetPrivilege()) {
                request.setPrivileges(Sets.newHashSet(request.getPrivilege()));
            }
            CommitContext commitContext = sentryStore.alterSentryRoleRevokePrivileges(
                    request.getRequestorUserName(), request.getRoleName(), request.getPrivileges());
            response.setStatus(Status.OK());
            notificationHandlerInvoker.alter_sentry_role_revoke_privilege(commitContext, request, response);
            for (SentryPolicyStorePlugin plugin : sentryPlugins) {
                plugin.onAlterSentryRoleRevokePrivilege(request);
            }
        } catch (SentryNoSuchObjectException e) {
            StringBuilder msg = new StringBuilder();
            if (request.getPrivileges().size() > 0) {
                for (TSentryPrivilege privilege : request.getPrivileges()) {
                    msg.append("Privilege: [server=");
                    msg.append(privilege.getServerName());
                    msg.append(",db=");
                    msg.append(privilege.getDbName());
                    msg.append(",table=");
                    msg.append(privilege.getTableName());
                    msg.append(",URI=");
                    msg.append(privilege.getURI());
                    msg.append(",action=");
                    msg.append(privilege.getAction());
                    msg.append("] ");
                }
                msg.append("doesn't exist.");
            }
            LOGGER.error(msg.toString(), e);
            response.setStatus(Status.NoSuchObject(msg.toString(), e));
        } catch (SentryInvalidInputException e) {
            String msg = "Invalid input privilege object";
            LOGGER.error(msg, e);
            response.setStatus(Status.InvalidInput(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            timerContext.stop();
        }

        try {
            Set<JsonLogEntity> jsonLogEntitys = JsonLogEntityFactory.getInstance().createJsonLogEntitys(request,
                    response, conf);
            for (JsonLogEntity jsonLogEntity : jsonLogEntitys) {
                AUDIT_LOGGER.info(jsonLogEntity.toJsonFormatLog());
            }
        } catch (Exception e) {
            // if any exception, log the exception.
            String msg = "Error creating audit log for revoke privilege from role: " + e.getMessage();
            LOGGER.error(msg, e);
        }
        return response;
    }

    @Override
    public TDropSentryRoleResponse drop_sentry_role(TDropSentryRoleRequest request) throws TException {
        final Timer.Context timerContext = sentryMetrics.dropRoleTimer.time();
        TDropSentryRoleResponse response = new TDropSentryRoleResponse();
        TSentryResponseStatus status;
        try {
            validateClientVersion(request.getProtocol_version());
            authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName()));
            CommitContext commitContext = sentryStore.dropSentryRole(request.getRoleName());
            response.setStatus(Status.OK());
            notificationHandlerInvoker.drop_sentry_role(commitContext, request, response);
            for (SentryPolicyStorePlugin plugin : sentryPlugins) {
                plugin.onDropSentryRole(request);
            }
        } catch (SentryNoSuchObjectException e) {
            String msg = "Role :" + request + " does not exist.";
            LOGGER.error(msg, e);
            response.setStatus(Status.NoSuchObject(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            timerContext.stop();
        }

        try {
            AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(request, response, conf)
                    .toJsonFormatLog());
        } catch (Exception e) {
            // if any exception, log the exception.
            String msg = "Error creating audit log for drop role: " + e.getMessage();
            LOGGER.error(msg, e);
        }
        return response;
    }

    @Override
    public TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(TAlterSentryRoleAddGroupsRequest request)
            throws TException {
        final Timer.Context timerContext = sentryMetrics.grantRoleTimer.time();
        TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
        try {
            validateClientVersion(request.getProtocol_version());
            authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName()));
            CommitContext commitContext = sentryStore.alterSentryRoleAddGroups(request.getRequestorUserName(),
                    request.getRoleName(), request.getGroups());
            response.setStatus(Status.OK());
            notificationHandlerInvoker.alter_sentry_role_add_groups(commitContext, request, response);
            for (SentryPolicyStorePlugin plugin : sentryPlugins) {
                plugin.onAlterSentryRoleAddGroups(request);
            }
        } catch (SentryNoSuchObjectException e) {
            String msg = "Role: " + request + " does not exist.";
            LOGGER.error(msg, e);
            response.setStatus(Status.NoSuchObject(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            timerContext.stop();
        }

        try {
            AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(request, response, conf)
                    .toJsonFormatLog());
        } catch (Exception e) {
            // if any exception, log the exception.
            String msg = "Error creating audit log for add role to group: " + e.getMessage();
            LOGGER.error(msg, e);
        }
        return response;
    }

    @Override
    public TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(
            TAlterSentryRoleDeleteGroupsRequest request) throws TException {
        final Timer.Context timerContext = sentryMetrics.revokeRoleTimer.time();
        TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
        try {
            validateClientVersion(request.getProtocol_version());
            authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName()));
            CommitContext commitContext = sentryStore.alterSentryRoleDeleteGroups(request.getRoleName(),
                    request.getGroups());
            response.setStatus(Status.OK());
            notificationHandlerInvoker.alter_sentry_role_delete_groups(commitContext, request, response);
            for (SentryPolicyStorePlugin plugin : sentryPlugins) {
                plugin.onAlterSentryRoleDeleteGroups(request);
            }
        } catch (SentryNoSuchObjectException e) {
            String msg = "Role: " + request + " does not exist.";
            LOGGER.error(msg, e);
            response.setStatus(Status.NoSuchObject(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error adding groups to role: " + request;
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            timerContext.stop();
        }

        try {
            AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(request, response, conf)
                    .toJsonFormatLog());
        } catch (Exception e) {
            // if any exception, log the exception.
            String msg = "Error creating audit log for delete role from group: " + e.getMessage();
            LOGGER.error(msg, e);
        }
        return response;
    }

    @Override
    public TListSentryRolesResponse list_sentry_roles_by_group(TListSentryRolesRequest request) throws TException {
        final Timer.Context timerContext = sentryMetrics.listRolesByGroupTimer.time();
        TListSentryRolesResponse response = new TListSentryRolesResponse();
        TSentryResponseStatus status;
        Set<TSentryRole> roleSet = new HashSet<TSentryRole>();
        String subject = request.getRequestorUserName();
        boolean checkAllGroups = false;
        try {
            validateClientVersion(request.getProtocol_version());
            Set<String> groups = getRequestorGroups(subject);
            // Don't check admin permissions for listing requestor's own roles
            if (AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
                checkAllGroups = true;
            } else {
                boolean admin = inAdminGroups(groups);
                //Only admin users can list all roles in the system ( groupname = null)
                //Non admin users are only allowed to list only groups which they belong to
                if (!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) {
                    throw new SentryAccessDeniedException("Access denied to " + subject);
                } else {
                    groups.clear();
                    groups.add(request.getGroupName());
                }
            }
            roleSet = sentryStore.getTSentryRolesByGroupName(groups, checkAllGroups);
            response.setRoles(roleSet);
            response.setStatus(Status.OK());
        } catch (SentryNoSuchObjectException e) {
            response.setRoles(roleSet);
            String msg = "Role: " + request + " couldn't be retrieved.";
            LOGGER.error(msg, e);
            response.setStatus(Status.NoSuchObject(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            timerContext.stop();
        }
        return response;
    }

    @Override
    public TListSentryPrivilegesResponse list_sentry_privileges_by_role(TListSentryPrivilegesRequest request)
            throws TException {
        final Timer.Context timerContext = sentryMetrics.listPrivilegesByRoleTimer.time();
        TListSentryPrivilegesResponse response = new TListSentryPrivilegesResponse();
        TSentryResponseStatus status;
        Set<TSentryPrivilege> privilegeSet = new HashSet<TSentryPrivilege>();
        String subject = request.getRequestorUserName();
        try {
            validateClientVersion(request.getProtocol_version());
            Set<String> groups = getRequestorGroups(subject);
            Boolean admin = inAdminGroups(groups);
            if (!admin) {
                Set<String> roleNamesForGroups = toTrimedLower(sentryStore.getRoleNamesForGroups(groups));
                if (!roleNamesForGroups.contains(request.getRoleName().trim().toLowerCase())) {
                    throw new SentryAccessDeniedException("Access denied to " + subject);
                }
            }
            if (request.isSetAuthorizableHierarchy()) {
                TSentryAuthorizable authorizableHierarchy = request.getAuthorizableHierarchy();
                privilegeSet = sentryStore.getTSentryPrivileges(Sets.newHashSet(request.getRoleName()),
                        authorizableHierarchy);
            } else {
                privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(request.getRoleName());
            }
            response.setPrivileges(privilegeSet);
            response.setStatus(Status.OK());
        } catch (SentryNoSuchObjectException e) {
            response.setPrivileges(privilegeSet);
            String msg = "Privilege: " + request + " couldn't be retrieved.";
            LOGGER.error(msg, e);
            response.setStatus(Status.NoSuchObject(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            timerContext.stop();
        }
        return response;
    }

    /**
     * This method was created specifically for ProviderBackend.getPrivileges() and is not meant
     * to be used for general privilege retrieval. More details in the .thrift file.
     */
    @Override
    public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(
            TListSentryPrivilegesForProviderRequest request) throws TException {
        final Timer.Context timerContext = sentryMetrics.listPrivilegesForProviderTimer.time();
        TListSentryPrivilegesForProviderResponse response = new TListSentryPrivilegesForProviderResponse();
        response.setPrivileges(new HashSet<String>());
        try {
            validateClientVersion(request.getProtocol_version());
            Set<String> privilegesForProvider = sentryStore.listSentryPrivilegesForProvider(request.getGroups(),
                    request.getRoleSet(), request.getAuthorizableHierarchy());
            response.setPrivileges(privilegesForProvider);
            if (((privilegesForProvider == null) || (privilegesForProvider.size() == 0))
                    && (request.getAuthorizableHierarchy() != null)) {
                if (sentryStore.hasAnyServerPrivileges(request.getGroups(), request.getRoleSet(),
                        request.getAuthorizableHierarchy().getServer())) {

                    // REQUIRED for ensuring 'default' Db is accessible by any user
                    // with privileges to atleast 1 object with the specific server as root

                    // Need some way to specify that even though user has no privilege
                    // For the specific AuthorizableHierarchy.. he has privilege on
                    // atleast 1 object in the server hierarchy
                    HashSet<String> serverPriv = Sets.newHashSet("server=+");
                    response.setPrivileges(serverPriv);
                }
            }
            response.setStatus(Status.OK());
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            timerContext.stop();
        }
        return response;
    }

    // retrieve the group mapping for the given user name
    private Set<String> getRequestorGroups(String userName) throws SentryUserException {
        return getGroupsFromUserName(this.conf, userName);
    }

    public static Set<String> getGroupsFromUserName(Configuration conf, String userName)
            throws SentryUserException {
        String groupMapping = conf.get(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
                ServerConfig.SENTRY_STORE_GROUP_MAPPING_DEFAULT);
        String authResoruce = conf.get(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE);

        // load the group mapping provider class
        GroupMappingService groupMappingService;
        try {
            Constructor<?> constrctor = Class.forName(groupMapping).getDeclaredConstructor(Configuration.class,
                    String.class);
            constrctor.setAccessible(true);
            groupMappingService = (GroupMappingService) constrctor.newInstance(new Object[] { conf, authResoruce });
        } catch (NoSuchMethodException e) {
            throw new SentryUserException("Unable to instantiate group mapping", e);
        } catch (SecurityException e) {
            throw new SentryUserException("Unable to instantiate group mapping", e);
        } catch (ClassNotFoundException e) {
            throw new SentryUserException("Unable to instantiate group mapping", e);
        } catch (InstantiationException e) {
            throw new SentryUserException("Unable to instantiate group mapping", e);
        } catch (IllegalAccessException e) {
            throw new SentryUserException("Unable to instantiate group mapping", e);
        } catch (IllegalArgumentException e) {
            throw new SentryUserException("Unable to instantiate group mapping", e);
        } catch (InvocationTargetException e) {
            throw new SentryUserException("Unable to instantiate group mapping", e);
        }
        return groupMappingService.getGroups(userName);
    }

    @Override
    public TDropPrivilegesResponse drop_sentry_privilege(TDropPrivilegesRequest request) throws TException {
        final Timer.Context timerContext = sentryMetrics.dropPrivilegeTimer.time();
        TDropPrivilegesResponse response = new TDropPrivilegesResponse();
        try {
            validateClientVersion(request.getProtocol_version());
            authorize(request.getRequestorUserName(), adminGroups);
            sentryStore.dropPrivilege(request.getAuthorizable());
            for (SentryPolicyStorePlugin plugin : sentryPlugins) {
                plugin.onDropSentryPrivilege(request);
            }
            response.setStatus(Status.OK());
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            timerContext.stop();
        }
        return response;
    }

    @Override
    public TRenamePrivilegesResponse rename_sentry_privilege(TRenamePrivilegesRequest request) throws TException {
        final Timer.Context timerContext = sentryMetrics.renamePrivilegeTimer.time();
        TRenamePrivilegesResponse response = new TRenamePrivilegesResponse();
        try {
            validateClientVersion(request.getProtocol_version());
            authorize(request.getRequestorUserName(), adminGroups);
            sentryStore.renamePrivilege(request.getOldAuthorizable(), request.getNewAuthorizable());
            for (SentryPolicyStorePlugin plugin : sentryPlugins) {
                plugin.onRenameSentryPrivilege(request);
            }
            response.setStatus(Status.OK());
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            timerContext.close();
        }
        return response;
    }

    @Override
    public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(
            TListSentryPrivilegesByAuthRequest request) throws TException {
        final Timer.Context timerContext = sentryMetrics.listPrivilegesByAuthorizableTimer.time();
        TListSentryPrivilegesByAuthResponse response = new TListSentryPrivilegesByAuthResponse();
        Map<TSentryAuthorizable, TSentryPrivilegeMap> authRoleMap = Maps.newHashMap();
        String subject = request.getRequestorUserName();
        Set<String> requestedGroups = request.getGroups();
        TSentryActiveRoleSet requestedRoleSet = request.getRoleSet();
        try {
            validateClientVersion(request.getProtocol_version());
            Set<String> memberGroups = getRequestorGroups(subject);
            if (!inAdminGroups(memberGroups)) {
                // disallow non-admin to lookup groups that they are not part of
                if (requestedGroups != null && !requestedGroups.isEmpty()) {
                    for (String requestedGroup : requestedGroups) {
                        if (!memberGroups.contains(requestedGroup)) {
                            // if user doesn't belong to one of the requested group then raise error
                            throw new SentryAccessDeniedException("Access denied to " + subject);
                        }
                    }
                } else {
                    // non-admin's search is limited to it's own groups
                    requestedGroups = memberGroups;
                }

                // disallow non-admin to lookup roles that they are not part of
                if (requestedRoleSet != null && !requestedRoleSet.isAll()) {
                    Set<String> roles = toTrimedLower(sentryStore.getRoleNamesForGroups(memberGroups));
                    for (String role : toTrimedLower(requestedRoleSet.getRoles())) {
                        if (!roles.contains(role)) {
                            throw new SentryAccessDeniedException("Access denied to " + subject);
                        }
                    }
                }
            }

            // If user is not part of any group.. return empty response
            for (TSentryAuthorizable authorizable : request.getAuthorizableSet()) {
                authRoleMap.put(authorizable, sentryStore.listSentryPrivilegesByAuthorizable(requestedGroups,
                        request.getRoleSet(), authorizable, inAdminGroups(memberGroups)));
            }
            response.setPrivilegesMapByAuth(authRoleMap);
            response.setStatus(Status.OK());
            // TODO : Sentry - HDFS : Have to handle this
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            timerContext.stop();
        }
        return response;
    }

    /**
     * Respond to a request for a config value in the sentry server.  The client
     * can request any config value that starts with "sentry." and doesn't contain
     * "keytab".
     * @param request Contains config parameter sought and default if not found
     * @return The response, containing the value and status
     * @throws TException
     */
    @Override
    public TSentryConfigValueResponse get_sentry_config_value(TSentryConfigValueRequest request) throws TException {

        final String requirePattern = "^sentry\\..*";
        final String excludePattern = ".*keytab.*|.*\\.jdbc\\..*|.*password.*";

        TSentryConfigValueResponse response = new TSentryConfigValueResponse();
        String attr = request.getPropertyName();

        try {
            validateClientVersion(request.getProtocol_version());
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        }
        // Only allow config parameters like...
        if (!Pattern.matches(requirePattern, attr) || Pattern.matches(excludePattern, attr)) {
            String msg = "Attempted access of the configuration property " + attr + " was denied";
            LOGGER.error(msg);
            response.setStatus(Status.AccessDenied(msg, new SentryAccessDeniedException(msg)));
            return response;
        }

        response.setValue(conf.get(attr, request.getDefaultValue()));
        response.setStatus(Status.OK());
        return response;
    }

    @VisibleForTesting
    static void validateClientVersion(int protocol_version) throws SentryThriftAPIMismatchException {
        if (ServiceConstants.ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT != protocol_version) {
            String msg = "Sentry thrift API protocol version mismatch: Client thrift version " + "is: "
                    + protocol_version + " , server thrift verion " + "is "
                    + ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT;
            throw new SentryThriftAPIMismatchException(msg);
        }
    }

    // get the sentry mapping data and return the data with map structure
    @Override
    public TSentryExportMappingDataResponse export_sentry_mapping_data(TSentryExportMappingDataRequest request)
            throws TException {
        TSentryExportMappingDataResponse response = new TSentryExportMappingDataResponse();
        try {
            String requestor = request.getRequestorUserName();
            Set<String> memberGroups = getRequestorGroups(requestor);
            if (!inAdminGroups(memberGroups)) {
                // disallow non-admin to import the metadata of sentry
                throw new SentryAccessDeniedException(
                        "Access denied to " + requestor + " for export the metadata of sentry.");
            }
            TSentryMappingData tSentryMappingData = new TSentryMappingData();
            tSentryMappingData.setGroupRolesMap(sentryStore.getGroupNameRoleNamesMap());
            tSentryMappingData.setRolePrivilegesMap(sentryStore.getRoleNameTPrivilegesMap());
            response.setMappingData(tSentryMappingData);
            response.setStatus(Status.OK());
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setMappingData(new TSentryMappingData());
            response.setStatus(Status.RuntimeError(msg, e));
        }
        return response;
    }

    // import the sentry mapping data
    @Override
    public TSentryImportMappingDataResponse import_sentry_mapping_data(TSentryImportMappingDataRequest request)
            throws TException {
        TSentryImportMappingDataResponse response = new TSentryImportMappingDataResponse();
        try {
            String requestor = request.getRequestorUserName();
            Set<String> memberGroups = getRequestorGroups(requestor);
            if (!inAdminGroups(memberGroups)) {
                // disallow non-admin to import the metadata of sentry
                throw new SentryAccessDeniedException(
                        "Access denied to " + requestor + " for import the metadata of sentry.");
            }
            sentryStore.importSentryMetaData(request.getMappingData(), request.isOverwriteRole());
            response.setStatus(Status.OK());
        } catch (SentryInvalidInputException e) {
            String msg = "Invalid input privilege object";
            LOGGER.error(msg, e);
            response.setStatus(Status.InvalidInput(msg, e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        }
        return response;
    }
}