| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless createRequired by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.apache.sentry.provider.db.service.thrift; |
| import static junit.framework.Assert.assertEquals; |
| |
| import java.io.IOException; |
| import java.util.HashSet; |
| import java.util.List; |
| import java.util.Set; |
| import java.util.concurrent.locks.Lock; |
| import java.util.concurrent.locks.ReadWriteLock; |
| import java.util.concurrent.locks.ReentrantReadWriteLock; |
| |
| import junit.framework.Assert; |
| |
| import org.apache.hadoop.fs.permission.AclEntry; |
| import org.apache.sentry.core.common.ActiveRoleSet; |
| import org.apache.sentry.core.model.db.AccessConstants; |
| import org.apache.sentry.core.model.db.Database; |
| import org.apache.sentry.core.model.db.Server; |
| import org.apache.sentry.core.model.db.Table; |
| import org.apache.sentry.hdfs.PermissionsUpdate; |
| import org.apache.sentry.hdfs.SentryServiceClient; |
| import org.apache.sentry.hdfs.SentryServiceClient.SentryAuthzUpdate; |
| import org.apache.sentry.hdfs.UpdateableAuthzPermissions; |
| import org.apache.sentry.service.thrift.SentryServiceIntegrationBase; |
| import org.junit.Test; |
| |
| import com.google.common.collect.Lists; |
| import com.google.common.collect.Sets; |
| |
| public class TestSentryServerWithoutKerberos extends SentryServiceIntegrationBase { |
| |
| public class SentryAdapter { |
| |
| private SentryServiceClient sentryClient; |
| private UpdateableAuthzPermissions perms; |
| private final ReadWriteLock lock = new ReentrantReadWriteLock(); |
| |
| public SentryAdapter(UpdateableAuthzPermissions perms, SentryPolicyServiceClient sentryClient) throws Exception { |
| this.perms = perms; |
| this.sentryClient = new SentryServiceClient(conf); |
| } |
| |
| public void pullUpdates() throws IOException { |
| SentryAuthzUpdate sentryUpdates = sentryClient.getAllUpdatesFrom( |
| perms.getLastUpdatedSeqNum() + 1, 0); |
| for (PermissionsUpdate update : sentryUpdates.getPermUpdates()) { |
| if (update.hasFullImage()) { |
| perms = perms.updateFull(update); |
| } |
| perms.updatePartial(Lists.newArrayList(update), lock); |
| } |
| } |
| |
| } |
| |
| @Override |
| public void beforeSetup() throws Exception { |
| this.kerberos = false; |
| } |
| |
| @Test |
| public void testCreateRole() throws Exception { |
| String requestorUserName = ADMIN_USER; |
| Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); |
| setLocalGroupMapping(requestorUserName, requestorUserGroupNames); |
| writePolicyFile(); |
| String roleName = "admin_r"; |
| client.dropRoleIfExists(requestorUserName, roleName); |
| client.createRole(requestorUserName, roleName); |
| client.dropRole(requestorUserName, roleName); |
| } |
| |
| @Test |
| public void testQueryPushDown() throws Exception { |
| String requestorUserName = ADMIN_USER; |
| Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); |
| setLocalGroupMapping(requestorUserName, requestorUserGroupNames); |
| writePolicyFile(); |
| |
| UpdateableAuthzPermissions authzPerms = new UpdateableAuthzPermissions(); |
| |
| String roleName1 = "admin_r1"; |
| String roleName2 = "admin_r2"; |
| |
| String group1 = "g1"; |
| String group2 = "g2"; |
| |
| client.dropRoleIfExists(requestorUserName, roleName1); |
| client.createRole(requestorUserName, roleName1); |
| client.grantRoleToGroup(requestorUserName, group1, roleName1); |
| |
| client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL"); |
| client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL"); |
| client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL"); |
| client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL"); |
| |
| SentryAdapter adapter = new SentryAdapter(authzPerms, client); |
| adapter.pullUpdates(); |
| // waitToCommit(authzPerms); |
| |
| List<AclEntry> sentryAcls = authzPerms.getAcls("db1.table1"); |
| System.out.println("1 : " + sentryAcls); |
| |
| client.dropRoleIfExists(requestorUserName, roleName2); |
| client.createRole(requestorUserName, roleName2); |
| client.grantRoleToGroup(requestorUserName, group1, roleName2); |
| client.grantRoleToGroup(requestorUserName, group2, roleName2); |
| |
| client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL"); |
| client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL"); |
| client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL"); |
| client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL"); |
| client.grantTablePrivilege(requestorUserName, roleName2, "server", "db3", "table5", "ALL"); |
| |
| adapter.pullUpdates(); |
| // waitToCommit(authzPermCache); |
| sentryAcls = authzPerms.getAcls("db1.table1"); |
| System.out.println("2 : " + sentryAcls); |
| |
| |
| Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"))); |
| assertEquals("Privilege not assigned to role2 !!", 2, listPrivilegesByRoleName.size()); |
| |
| listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db2"), new Table("table1"))); |
| assertEquals("Privilege not assigned to role2 !!", 0, listPrivilegesByRoleName.size()); |
| |
| listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"), new Table("table1"))); |
| assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size()); |
| |
| listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db3"))); |
| assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size()); |
| |
| Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), ActiveRoleSet.ALL, new Server("server"), new Database("db2")); |
| Assert.assertEquals("Privilege not correctly assigned to roles !!", |
| Sets.newHashSet("server=server->db=db2->table=table4->action=all", "server=server->db=db2->table=table3->action=all"), |
| listPrivilegesForProvider); |
| |
| listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), ActiveRoleSet.ALL, new Server("server"), new Database("db3")); |
| Assert.assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=all"), listPrivilegesForProvider); |
| |
| listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3")); |
| Assert.assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=+"), listPrivilegesForProvider); |
| |
| listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server1")); |
| Assert.assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider); |
| } |
| |
| |
| |
| /** |
| * Create role, add privileges and grant it to a group drop the role and |
| * verify the privileges are no longer visible recreate the role with same |
| * name and verify the privileges again. |
| * @throws Exception |
| */ |
| @Test |
| public void testDropRole() throws Exception { |
| String requestorUserName = ADMIN_USER; |
| Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP); |
| setLocalGroupMapping(requestorUserName, requestorUserGroupNames); |
| writePolicyFile(); |
| String roleName = "admin_r"; |
| |
| // create role and add privileges |
| client.dropRoleIfExists(requestorUserName, roleName); |
| client.createRole(requestorUserName, roleName); |
| client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName); |
| client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL); |
| client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL"); |
| assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, |
| ActiveRoleSet.ALL).size()); |
| |
| // drop role and verify privileges |
| client.dropRole(requestorUserName, roleName); |
| assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, |
| ActiveRoleSet.ALL).size()); |
| |
| // recreate the role |
| client.createRole(requestorUserName, roleName); |
| client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName); |
| assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, |
| ActiveRoleSet.ALL).size()); |
| |
| // grant different privileges and verify |
| client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL); |
| assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, |
| ActiveRoleSet.ALL).size()); |
| client.dropRole(requestorUserName, roleName); |
| assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, |
| ActiveRoleSet.ALL).size()); |
| assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, |
| ActiveRoleSet.ALL).size()); |
| } |
| |
| // private void waitToCommit(Update hmsCache) throws InterruptedException { |
| // int counter = 0; |
| // while(!hmsCache.areAllUpdatesCommited()) { |
| // Thread.sleep(200); |
| // counter++; |
| // if (counter > 10000) { |
| // fail("Updates taking too long to commit !!"); |
| // } |
| // } |
| // } |
| } |