SENTRY-355: Support metadata read privilege enforcement for Metastore pluging (Colin Ma via Prasad Mujumdar)
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStore.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStore.java
new file mode 100644
index 0000000..fcd7292
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStore.java
@@ -0,0 +1,413 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.binding.metastore;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.List;
+import java.util.Set;
+
+import javax.security.auth.login.LoginException;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.ObjectStore;
+import org.apache.hadoop.hive.metastore.api.ColumnStatistics;
+import org.apache.hadoop.hive.metastore.api.Database;
+import org.apache.hadoop.hive.metastore.api.Index;
+import org.apache.hadoop.hive.metastore.api.InvalidObjectException;
+import org.apache.hadoop.hive.metastore.api.MetaException;
+import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
+import org.apache.hadoop.hive.metastore.api.Partition;
+import org.apache.hadoop.hive.metastore.api.Table;
+import org.apache.hadoop.hive.metastore.api.UnknownDBException;
+import org.apache.hadoop.hive.ql.parse.SemanticException;
+import org.apache.hadoop.hive.ql.plan.HiveOperation;
+import org.apache.hadoop.hive.shims.ShimLoader;
+import org.apache.sentry.binding.hive.HiveAuthzBindingHook;
+import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+
+/***
+ * This class is the wrapper of ObjectStore which is the interface between the
+ * application logic and the database store. Do the authorization or filter the
+ * result when processing the metastore request.
+ * eg:
+ * Callers will only receive the objects back which they have privileges to
+ * access.
+ * If there is a request for the object list(like getAllTables()), the result
+ * will be filtered to exclude object the requestor doesn't have privilege to
+ * access.
+ */
+public class AuthorizingObjectStore extends ObjectStore {
+ private static ImmutableSet<String> serviceUsers;
+ private static HiveConf hiveConf;
+ private static HiveAuthzConf authzConf;
+ private static HiveAuthzBinding hiveAuthzBinding;
+ private static String NO_ACCESS_MESSAGE_TABLE = "Table does not exist or insufficient privileges to access: ";
+ private static String NO_ACCESS_MESSAGE_DATABASE = "Database does not exist or insufficient privileges to access: ";
+
+ @Override
+ public List<String> getDatabases(String pattern) throws MetaException {
+ return filterDatabases(super.getDatabases(pattern));
+ }
+
+ @Override
+ public List<String> getAllDatabases() throws MetaException {
+ return filterDatabases(super.getAllDatabases());
+ }
+
+ @Override
+ public Database getDatabase(String name) throws NoSuchObjectException {
+ Database db = super.getDatabase(name);
+ try {
+ if (filterDatabases(Lists.newArrayList(name)).isEmpty()) {
+ throw new NoSuchObjectException(getNoAccessMessageForDB(name));
+ }
+ } catch (MetaException e) {
+ throw new NoSuchObjectException("Failed to authorized access to " + name
+ + " : " + e.getMessage());
+ }
+ return db;
+ }
+
+ @Override
+ public Table getTable(String dbName, String tableName) throws MetaException {
+ Table table = super.getTable(dbName, tableName);
+ if (table == null
+ || filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
+ return null;
+ }
+ return table;
+ }
+
+ @Override
+ public Partition getPartition(String dbName, String tableName,
+ List<String> part_vals) throws MetaException, NoSuchObjectException {
+ if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
+ throw new NoSuchObjectException(getNoAccessMessageForTable(dbName, tableName));
+ }
+ return super.getPartition(dbName, tableName, part_vals);
+ }
+
+ @Override
+ public List<Partition> getPartitions(String dbName, String tableName,
+ int maxParts) throws MetaException, NoSuchObjectException {
+ if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, tableName));
+ }
+ return super.getPartitions(dbName, tableName, maxParts);
+ }
+
+ @Override
+ public List<String> getTables(String dbName, String pattern)
+ throws MetaException {
+ return filterTables(dbName, super.getTables(dbName, pattern));
+ }
+
+ @Override
+ public List<Table> getTableObjectsByName(String dbname, List<String> tableNames)
+ throws MetaException, UnknownDBException {
+ return super.getTableObjectsByName(dbname, filterTables(dbname, tableNames));
+ }
+
+ @Override
+ public List<String> getAllTables(String dbName) throws MetaException {
+ return filterTables(dbName, super.getAllTables(dbName));
+ }
+
+ @Override
+ public List<String> listTableNamesByFilter(String dbName, String filter,
+ short maxTables) throws MetaException {
+ return filterTables(dbName,
+ super.listTableNamesByFilter(dbName, filter, maxTables));
+ }
+
+ @Override
+ public List<String> listPartitionNames(String dbName, String tableName,
+ short max_parts) throws MetaException {
+ if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, tableName));
+ }
+ return super.listPartitionNames(dbName, tableName, max_parts);
+ }
+
+ @Override
+ public List<String> listPartitionNamesByFilter(String dbName,
+ String tableName, String filter, short max_parts) throws MetaException {
+ if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, tableName));
+ }
+ return super.listPartitionNamesByFilter(dbName, tableName, filter,
+ max_parts);
+ }
+
+ @Override
+ public Index getIndex(String dbName, String origTableName, String indexName)
+ throws MetaException {
+ if (filterTables(dbName, Lists.newArrayList(origTableName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, origTableName));
+ }
+ return super.getIndex(dbName, origTableName, indexName);
+ }
+
+ @Override
+ public List<Index> getIndexes(String dbName, String origTableName, int max)
+ throws MetaException {
+ if (filterTables(dbName, Lists.newArrayList(origTableName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, origTableName));
+ }
+ return super.getIndexes(dbName, origTableName, max);
+ }
+
+ @Override
+ public List<String> listIndexNames(String dbName, String origTableName,
+ short max) throws MetaException {
+ if (filterTables(dbName, Lists.newArrayList(origTableName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, origTableName));
+ }
+ return super.listIndexNames(dbName, origTableName, max);
+ }
+
+ @Override
+ public List<Partition> getPartitionsByFilter(String dbName,
+ String tblName, String filter, short maxParts) throws MetaException,
+ NoSuchObjectException {
+ if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
+ }
+ return super.getPartitionsByFilter(dbName, tblName, filter, maxParts);
+ }
+
+ @Override
+ public List<Partition> getPartitionsByNames(String dbName, String tblName,
+ List<String> partNames) throws MetaException, NoSuchObjectException {
+ if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
+ }
+ return super.getPartitionsByNames(dbName, tblName, partNames);
+ }
+
+ @Override
+ public Partition getPartitionWithAuth(String dbName, String tblName,
+ List<String> partVals, String user_name, List<String> group_names)
+ throws MetaException, NoSuchObjectException, InvalidObjectException {
+ if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
+ }
+ return super.getPartitionWithAuth(dbName, tblName, partVals, user_name,
+ group_names);
+ }
+
+ @Override
+ public List<Partition> getPartitionsWithAuth(String dbName, String tblName,
+ short maxParts, String userName, List<String> groupNames)
+ throws MetaException, NoSuchObjectException, InvalidObjectException {
+ if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
+ }
+ return super.getPartitionsWithAuth(dbName, tblName, maxParts, userName,
+ groupNames);
+ }
+
+ @Override
+ public List<String> listPartitionNamesPs(String dbName, String tblName,
+ List<String> part_vals, short max_parts) throws MetaException,
+ NoSuchObjectException {
+ if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
+ }
+ return super.listPartitionNamesPs(dbName, tblName, part_vals, max_parts);
+ }
+
+ @Override
+ public List<Partition> listPartitionsPsWithAuth(String dbName,
+ String tblName, List<String> part_vals, short max_parts, String userName,
+ List<String> groupNames) throws MetaException, InvalidObjectException,
+ NoSuchObjectException {
+ if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
+ }
+ return super.listPartitionsPsWithAuth(dbName, tblName, part_vals,
+ max_parts, userName, groupNames);
+ }
+
+ @Override
+ public ColumnStatistics getTableColumnStatistics(String dbName,
+ String tableName, List<String> colNames) throws MetaException,
+ NoSuchObjectException {
+ if (filterTables(dbName, Lists.newArrayList(tableName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, tableName));
+ }
+ return super.getTableColumnStatistics(dbName, tableName, colNames);
+ }
+
+ @Override
+ public List<ColumnStatistics> getPartitionColumnStatistics(
+ String dbName, String tblName, List<String> partNames,
+ List<String> colNames) throws MetaException, NoSuchObjectException {
+ if (filterTables(dbName, Lists.newArrayList(tblName)).isEmpty()) {
+ throw new MetaException(getNoAccessMessageForTable(dbName, tblName));
+ }
+ return super.getPartitionColumnStatistics(dbName, tblName, partNames,
+ colNames);
+ }
+
+ /**
+ * Invoke Hive database filtering that removes the entries which use has no
+ * privileges to access
+ * @param dbList
+ * @return
+ * @throws MetaException
+ */
+ private List<String> filterDatabases(List<String> dbList)
+ throws MetaException {
+ if (needsAuthorization(getUserName())) {
+ try {
+ return HiveAuthzBindingHook.filterShowDatabases(getHiveAuthzBinding(),
+ dbList, HiveOperation.SHOWDATABASES, getUserName());
+ } catch (SemanticException e) {
+ throw new MetaException("Error getting DB list " + e.getMessage());
+ }
+ } else {
+ return dbList;
+ }
+ }
+
+ /**
+ * Invoke Hive table filtering that removes the entries which use has no
+ * privileges to access
+ * @param dbList
+ * @return
+ * @throws MetaException
+ */
+ private List<String> filterTables(String dbName, List<String> tabList)
+ throws MetaException {
+ if (needsAuthorization(getUserName())) {
+ try {
+ return HiveAuthzBindingHook.filterShowTables(getHiveAuthzBinding(),
+ tabList, HiveOperation.SHOWTABLES, getUserName(), dbName);
+ } catch (SemanticException e) {
+ throw new MetaException("Error getting Table list " + e.getMessage());
+ }
+ } else {
+ return tabList;
+ }
+ }
+
+ /**
+ * load Hive auth provider
+ *
+ * @return
+ * @throws MetaException
+ */
+ private HiveAuthzBinding getHiveAuthzBinding() throws MetaException {
+ if (hiveAuthzBinding == null) {
+ try {
+ hiveAuthzBinding = new HiveAuthzBinding(HiveAuthzBinding.HiveHook.HiveMetaStore,
+ getHiveConf(), getAuthzConf());
+ } catch (Exception e) {
+ throw new MetaException("Failed to load Hive binding " + e.getMessage());
+ }
+ }
+ return hiveAuthzBinding;
+ }
+
+ private ImmutableSet<String> getServiceUsers() throws MetaException {
+ if (serviceUsers == null) {
+ serviceUsers = ImmutableSet.copyOf(toTrimed(Sets.newHashSet(getAuthzConf().getStrings(
+ AuthzConfVars.AUTHZ_METASTORE_SERVICE_USERS.getVar(), new String[] { "" }))));
+ }
+ return serviceUsers;
+ }
+
+ private HiveConf getHiveConf() {
+ if (hiveConf == null) {
+ hiveConf = new HiveConf(getConf(), this.getClass());
+ }
+ return hiveConf;
+ }
+
+ private HiveAuthzConf getAuthzConf() throws MetaException {
+ if (authzConf == null) {
+ String hiveAuthzConf = getConf().get(HiveAuthzConf.HIVE_SENTRY_CONF_URL);
+ if (hiveAuthzConf == null
+ || (hiveAuthzConf = hiveAuthzConf.trim()).isEmpty()) {
+ throw new MetaException("Configuration key "
+ + HiveAuthzConf.HIVE_SENTRY_CONF_URL + " value '" + hiveAuthzConf
+ + "' is invalid.");
+ }
+ try {
+ authzConf = new HiveAuthzConf(new URL(hiveAuthzConf));
+ } catch (MalformedURLException e) {
+ throw new MetaException("Configuration key "
+ + HiveAuthzConf.HIVE_SENTRY_CONF_URL
+ + " specifies a malformed URL '" + hiveAuthzConf + "' "
+ + e.getMessage());
+ }
+ }
+ return authzConf;
+ }
+
+ /**
+ * Extract the user from underlying auth subsystem
+ * @return
+ * @throws MetaException
+ */
+ private String getUserName() throws MetaException {
+ try {
+ return ShimLoader.getHadoopShims().getUGIForConf(getHiveConf())
+ .getShortUserName();
+ } catch (LoginException e) {
+ throw new MetaException("Failed to get username " + e.getMessage());
+ } catch (IOException e) {
+ throw new MetaException("Failed to get username " + e.getMessage());
+ }
+ }
+
+ /**
+ * Check if the give user needs to be validated.
+ * @param userName
+ * @return
+ */
+ private boolean needsAuthorization(String userName) throws MetaException {
+ return !getServiceUsers().contains(userName.trim());
+ }
+
+ private static Set<String> toTrimed(Set<String> s) {
+ Set<String> result = Sets.newHashSet();
+ for (String v : s) {
+ result.add(v.trim());
+ }
+ return result;
+ }
+
+ private String getNoAccessMessageForTable(String dbName, String tableName) {
+ return NO_ACCESS_MESSAGE_TABLE + "<" + dbName + ">.<" + tableName + ">";
+ }
+
+ private String getNoAccessMessageForDB(String dbName) {
+ return NO_ACCESS_MESSAGE_DATABASE + "<" + dbName + ">";
+ }
+}
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
index 4c66ffe..b178f35 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
@@ -67,6 +67,7 @@
public static final String METASTORE_BYPASS = AuthzConfVars.AUTHZ_METASTORE_SERVICE_USERS.getVar();
public static final String METASTORE_CLIENT_TIMEOUT = HiveConf.ConfVars.METASTORE_CLIENT_SOCKET_TIMEOUT.varname;
public static final String METASTORE_CLIENT_IMPL = HiveConf.ConfVars.METASTORE_CLIENT_IMPL.varname;
+ public static final String METASTORE_RAW_STORE_IMPL = HiveConf.ConfVars.METASTORE_RAW_STORE_IMPL.varname;
static {
try {
@@ -140,6 +141,11 @@
}
if (!properties.containsKey(METASTORE_URI)) {
if (HiveServer2Type.InternalMetastore.equals(type)) {
+ properties.put(METASTORE_RAW_STORE_IMPL,
+ "org.apache.sentry.binding.metastore.AuthorizingObjectStore");
+ // The configuration sentry.metastore.service.users is for the user who
+ // has all access to get the metadata.
+ properties.put(METASTORE_BYPASS, "accessAllMetaUser");
properties.put(METASTORE_URI,
"thrift://localhost:" + String.valueOf(findPort()));
if (!properties.containsKey(METASTORE_HOOK)) {
@@ -150,8 +156,11 @@
}
}
if (!properties.containsKey(METASTORE_BYPASS)) {
- properties.put(METASTORE_BYPASS,
- "hive,impala," + System.getProperty("user.name", ""));
+ properties.put(METASTORE_BYPASS, "hive,impala," + System.getProperty("user.name", ""));
+ } else {
+ String tempByPass = properties.get(METASTORE_BYPASS);
+ tempByPass = "hive,impala," + System.getProperty("user.name", "") + "," + tempByPass;
+ properties.put(METASTORE_BYPASS, tempByPass);
}
properties.put(METASTORE_SETUGI, "true");
@@ -195,6 +204,7 @@
// points hive-site.xml at access-site.xml
hiveConf.set(HiveAuthzConf.HIVE_SENTRY_CONF_URL, accessSite.toURI().toURL()
.toExternalForm());
+
if(!properties.containsKey(HiveConf.ConfVars.HIVE_SERVER2_SESSION_HOOK.varname)) {
hiveConf.set(HiveConf.ConfVars.HIVE_SERVER2_SESSION_HOOK.varname,
"org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook");
@@ -217,7 +227,7 @@
LOGGER.info("Creating InternalHiveServer");
return new InternalHiveServer(hiveConf);
case InternalMetastore:
- LOGGER.info("Creating InternalHiveServer");
+ LOGGER.info("Creating InternalMetastoreServer");
return new InternalMetastoreServer(hiveConf);
case ExternalHiveServer2:
LOGGER.info("Creating ExternalHiveServer");
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java
index 45d24f9..c9a414e 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/AbstractMetastoreTestWithStaticConfiguration.java
@@ -17,6 +17,7 @@
*/
package org.apache.sentry.tests.e2e.metastore;
+import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashMap;
@@ -33,6 +34,7 @@
import org.apache.hadoop.hive.metastore.api.StorageDescriptor;
import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.ql.Driver;
+import org.apache.hadoop.hive.ql.processors.CommandProcessorResponse;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hadoop.hive.serde.serdeConstants;
import org.apache.hadoop.hive.shims.ShimLoader;
@@ -178,9 +180,13 @@
public void execHiveSQL(String sqlStmt, String userName) throws Exception {
HiveConf hiveConf = new HiveConf();
- Driver driver = new Driver(hiveConf);
+ Driver driver = new Driver(hiveConf, userName);
SessionState.start(new CliSessionState(hiveConf));
- driver.run(sqlStmt);
+ CommandProcessorResponse cpr = driver.run(sqlStmt);
+ if (cpr.getResponseCode() != 0) {
+ throw new IOException("Failed to execute \"" + sqlStmt + "\". Driver returned "
+ + cpr.getResponseCode() + " Error: " + cpr.getErrorMessage());
+ }
driver.close();
SessionState.get().close();
}
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
new file mode 100644
index 0000000..618b7f2
--- /dev/null
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
@@ -0,0 +1,1098 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.metastore;
+
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.core.IsNull.notNullValue;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+
+import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
+import org.apache.hadoop.hive.metastore.api.FieldSchema;
+import org.apache.hadoop.hive.metastore.api.MetaException;
+import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
+import org.apache.hadoop.hive.metastore.api.Table;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestAuthorizingObjectStore extends
+ AbstractMetastoreTestWithStaticConfiguration {
+ private PolicyFile policyFile;
+ private static final String dbName1 = "db_1";
+ private static final String dbName2 = "db_2";
+ private static final String tabName1 = "tab1";
+ private static final String tabName2 = "tab2";
+ private static final String tabName3 = "tab3";
+ private static final String tabName4 = "tab4";
+ private static final String all_role = "all_role";
+ private static final String db1_t1_role = "db1_t1_role";
+ private static final String partitionVal = "part1";
+ private static final String colName1 = "col1";
+ // this user is configured for sentry.metastore.service.users,
+ // for this test, the value is set when creating the HiveServer.
+ private static final String userWithoutAccess = "accessAllMetaUser";
+ private boolean isSetup = false;
+
+ @Before
+ public void setup() throws Exception {
+ if (isSetup) {
+ return;
+ }
+ isSetup = true;
+ policyFile = setAdminOnServer1(ADMINGROUP);
+ policyFile
+ .addRolesToGroup(USERGROUP1, all_role)
+ .addRolesToGroup(USERGROUP2, db1_t1_role)
+ .addPermissionsToRole(all_role, "server=server1->db=" + dbName1)
+ .addPermissionsToRole(all_role, "server=server1->db=" + dbName2)
+ .addPermissionsToRole(
+ all_role,
+ "server=server1->db=" + dbName1 + "->table=" + tabName1
+ + "->action=SELECT")
+ .addPermissionsToRole(
+ all_role,
+ "server=server1->db=" + dbName1 + "->table=" + tabName2
+ + "->action=SELECT")
+ .addPermissionsToRole(
+ all_role,
+ "server=server1->db=" + dbName2 + "->table=" + tabName3
+ + "->action=SELECT")
+ .addPermissionsToRole(
+ all_role,
+ "server=server1->db=" + dbName2 + "->table=" + tabName4
+ + "->action=SELECT")
+ .addPermissionsToRole(
+ db1_t1_role,
+ "server=server1->db=" + dbName1 + "->table=" + tabName1
+ + "->action=SELECT")
+ .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ writePolicyFile(policyFile);
+
+ HiveMetaStoreClient client = context.getMetaStoreClient(ADMIN1);
+ client.dropDatabase(dbName1, true, true, true);
+ client.dropDatabase(dbName2, true, true, true);
+ createMetastoreDB(client, dbName1);
+ createMetastoreDB(client, dbName2);
+
+ Table tbl1 = createMetastoreTableWithPartition(client, dbName1, tabName1,
+ Lists.newArrayList(new FieldSchema("col1", "int", "")),
+ Lists.newArrayList(new FieldSchema("part_col1", "string", "")));
+ addPartition(client, dbName1, tabName1, Lists.newArrayList(partitionVal), tbl1);
+
+ Table tbl2 = createMetastoreTableWithPartition(client, dbName1, tabName2,
+ Lists.newArrayList(new FieldSchema("col1", "int", "")),
+ Lists.newArrayList(new FieldSchema("part_col1", "string", "")));
+ addPartition(client, dbName1, tabName2, Lists.newArrayList(partitionVal), tbl2);
+
+ Table tbl3 = createMetastoreTableWithPartition(client, dbName2, tabName3,
+ Lists.newArrayList(new FieldSchema("col1", "int", "")),
+ Lists.newArrayList(new FieldSchema("part_col1", "string", "")));
+ addPartition(client, dbName2, tabName3, Lists.newArrayList(partitionVal), tbl3);
+
+ Table tbl4 = createMetastoreTableWithPartition(client, dbName2, tabName4,
+ Lists.newArrayList(new FieldSchema("col1", "int", "")),
+ Lists.newArrayList(new FieldSchema("part_col1", "string", "")));
+ addPartition(client, dbName2, tabName4, Lists.newArrayList(partitionVal), tbl4);
+
+ client.close();
+ }
+
+ /**
+ * The configuration "sentry.metastore.service.users" is for user who has all
+ * access to metadata, and the value should be case-sensitive.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testPrivilegesForUserNameCaseSensitive() throws Exception {
+ // The value of "sentry.metastore.service.users" is "accessAllMetaUser", and
+ // the value is case-sensitive.
+ // The input name is "ACCESSALLMEATAUSER", and the client should has no
+ // access to metadata.
+ HiveMetaStoreClient client = context.getMetaStoreClient(userWithoutAccess.toUpperCase());
+ try {
+ client.getDatabase(dbName1);
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ }
+
+ /**
+ * User accessAllMetaUser is configured as the value of
+ * "sentry.metastore.service.users" and has all access to databases and
+ * tables.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testPrivilegesForUserWithoutAccess() throws Exception {
+ HiveMetaStoreClient client = context.getMetaStoreClient(userWithoutAccess);
+ assertThat(client.getDatabase(dbName1), notNullValue());
+ assertThat(client.getDatabase(dbName2), notNullValue());
+ // including the "default" db
+ assertThat(client.getAllDatabases().size(), equalTo(3));
+ // including the "default" db
+ assertThat(client.getDatabases("*").size(), equalTo(3));
+ assertThat(client.getTable(dbName1, tabName1), notNullValue());
+ assertThat(client.getTable(dbName1, tabName2), notNullValue());
+ assertThat(client.getTable(dbName2, tabName3), notNullValue());
+ assertThat(client.getTable(dbName2, tabName4), notNullValue());
+ assertThat(client.listPartitions(dbName1, tabName1, (short) 1).size(), equalTo(1));
+ assertThat(client.listPartitions(dbName1, tabName2, (short) 1).size(), equalTo(1));
+ assertThat(client.listPartitions(dbName2, tabName3, (short) 1).size(), equalTo(1));
+ assertThat(client.listPartitions(dbName2, tabName4, (short) 1).size(), equalTo(1));
+
+ assertThat(
+ client.listPartitions(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1));
+ assertThat(
+ client.listPartitions(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1));
+ assertThat(
+ client.listPartitions(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1));
+ assertThat(
+ client.listPartitions(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1));
+
+ assertThat(
+ client.getPartition(dbName1, tabName1, new ArrayList<String>(Arrays.asList(partitionVal))),
+ notNullValue());
+ assertThat(
+ client.getPartition(dbName1, tabName2, new ArrayList<String>(Arrays.asList(partitionVal))),
+ notNullValue());
+ assertThat(
+ client.getPartition(dbName2, tabName3, new ArrayList<String>(Arrays.asList(partitionVal))),
+ notNullValue());
+ assertThat(
+ client.getPartition(dbName2, tabName4, new ArrayList<String>(Arrays.asList(partitionVal))),
+ notNullValue());
+ assertThat(client.getTables(dbName1, "tab*").size(), equalTo(2));
+ assertThat(client.getTables(dbName2, "tab*").size(), equalTo(2));
+ assertThat(
+ client.getTableObjectsByName(dbName1,
+ new ArrayList<String>(Arrays.asList(tabName1, tabName2))).size(), equalTo(2));
+ assertThat(
+ client.getTableObjectsByName(dbName2,
+ new ArrayList<String>(Arrays.asList(tabName3, tabName4))).size(), equalTo(2));
+ assertThat(client.getAllTables(dbName1).size(), equalTo(2));
+ assertThat(client.getAllTables(dbName2).size(), equalTo(2));
+ assertThat(client.listPartitionNames(dbName1, tabName1, (short) 2).size(), equalTo(1));
+ assertThat(client.listPartitionNames(dbName1, tabName2, (short) 2).size(), equalTo(1));
+ assertThat(client.listPartitionNames(dbName2, tabName3, (short) 2).size(), equalTo(1));
+ assertThat(client.listPartitionNames(dbName2, tabName4, (short) 2).size(), equalTo(1));
+ assertThat(
+ client.listPartitionNames(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1));
+ assertThat(
+ client.listPartitionNames(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1));
+ assertThat(
+ client.listPartitionNames(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1));
+ assertThat(
+ client.listPartitionNames(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1));
+ assertThat(
+ client.getPartitionsByNames(dbName1, tabName1, new ArrayList<String>(Arrays.asList("")))
+ .size(), equalTo(0));
+ assertThat(
+ client.getPartitionsByNames(dbName1, tabName2, new ArrayList<String>(Arrays.asList("")))
+ .size(), equalTo(0));
+ assertThat(
+ client.getPartitionsByNames(dbName2, tabName3, new ArrayList<String>(Arrays.asList("")))
+ .size(), equalTo(0));
+ assertThat(
+ client.getPartitionsByNames(dbName2, tabName4, new ArrayList<String>(Arrays.asList("")))
+ .size(), equalTo(0));
+ try {
+ client.getIndex(dbName1, tabName1, "empty");
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is successful.
+ }
+ try {
+ client.getIndex(dbName1, tabName2, "empty");
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is successful.
+ }
+ try {
+ client.getIndex(dbName2, tabName3, "empty");
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is successful.
+ }
+ try {
+ client.getIndex(dbName2, tabName3, "empty");
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is successful.
+ }
+
+ assertThat(client.listIndexes(dbName1, tabName1, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexes(dbName1, tabName2, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexes(dbName2, tabName3, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexes(dbName2, tabName4, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexNames(dbName1, tabName1, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexNames(dbName1, tabName2, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexNames(dbName2, tabName3, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexNames(dbName2, tabName4, (short) 1).size(), equalTo(0));
+ assertThat(client.getPartitionWithAuthInfo(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup"))), notNullValue());
+ assertThat(client.getPartitionWithAuthInfo(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup"))), notNullValue());
+ assertThat(client.getPartitionWithAuthInfo(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup"))), notNullValue());
+ assertThat(client.getPartitionWithAuthInfo(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup"))), notNullValue());
+ assertThat(
+ client.getTableColumnStatistics(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0));
+ assertThat(
+ client.getTableColumnStatistics(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0));
+ assertThat(
+ client.getTableColumnStatistics(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0));
+ assertThat(
+ client.getTableColumnStatistics(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0));
+ client.close();
+ }
+
+ /**
+ * The group of USER1_1 is USERGROUP1, and has all access to databases and
+ * tables.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testPrivilegesForFullAccess() throws Exception {
+ HiveMetaStoreClient client = context.getMetaStoreClient(USER1_1);
+ assertThat(client.getDatabase(dbName1), notNullValue());
+ assertThat(client.getDatabase(dbName2), notNullValue());
+ // including the "default" db
+ assertThat(client.getAllDatabases().size(), equalTo(3));
+ // including the "default" db
+ assertThat(client.getDatabases("*").size(), equalTo(3));
+ assertThat(client.getTable(dbName1, tabName1), notNullValue());
+ assertThat(client.getTable(dbName1, tabName2), notNullValue());
+ assertThat(client.getTable(dbName2, tabName3), notNullValue());
+ assertThat(client.getTable(dbName2, tabName4), notNullValue());
+ assertThat(client.listPartitions(dbName1, tabName1, (short) 1).size(), equalTo(1));
+ assertThat(client.listPartitions(dbName1, tabName2, (short) 1).size(), equalTo(1));
+ assertThat(client.listPartitions(dbName2, tabName3, (short) 1).size(), equalTo(1));
+ assertThat(client.listPartitions(dbName2, tabName4, (short) 1).size(), equalTo(1));
+
+ assertThat(
+ client.listPartitions(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1));
+ assertThat(
+ client.listPartitions(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1));
+ assertThat(
+ client.listPartitions(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1));
+ assertThat(
+ client.listPartitions(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1));
+
+ assertThat(
+ client.getPartition(dbName1, tabName1, new ArrayList<String>(Arrays.asList(partitionVal))),
+ notNullValue());
+ assertThat(
+ client.getPartition(dbName1, tabName2, new ArrayList<String>(Arrays.asList(partitionVal))),
+ notNullValue());
+ assertThat(
+ client.getPartition(dbName2, tabName3, new ArrayList<String>(Arrays.asList(partitionVal))),
+ notNullValue());
+ assertThat(
+ client.getPartition(dbName2, tabName4, new ArrayList<String>(Arrays.asList(partitionVal))),
+ notNullValue());
+ assertThat(client.getTables(dbName1, "tab*").size(), equalTo(2));
+ assertThat(client.getTables(dbName2, "tab*").size(), equalTo(2));
+ assertThat(
+ client.getTableObjectsByName(dbName1,
+ new ArrayList<String>(Arrays.asList(tabName1, tabName2))).size(), equalTo(2));
+ assertThat(
+ client.getTableObjectsByName(dbName2,
+ new ArrayList<String>(Arrays.asList(tabName3, tabName4))).size(), equalTo(2));
+ assertThat(client.getAllTables(dbName1).size(), equalTo(2));
+ assertThat(client.getAllTables(dbName2).size(), equalTo(2));
+ assertThat(client.listPartitionNames(dbName1, tabName1, (short) 2).size(), equalTo(1));
+ assertThat(client.listPartitionNames(dbName1, tabName2, (short) 2).size(), equalTo(1));
+ assertThat(client.listPartitionNames(dbName2, tabName3, (short) 2).size(), equalTo(1));
+ assertThat(client.listPartitionNames(dbName2, tabName4, (short) 2).size(), equalTo(1));
+ assertThat(
+ client.listPartitionNames(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1));
+ assertThat(
+ client.listPartitionNames(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1));
+ assertThat(
+ client.listPartitionNames(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1));
+ assertThat(
+ client.listPartitionNames(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1));
+ assertThat(
+ client.getPartitionsByNames(dbName1, tabName1, new ArrayList<String>(Arrays.asList("")))
+ .size(), equalTo(0));
+ assertThat(
+ client.getPartitionsByNames(dbName1, tabName2, new ArrayList<String>(Arrays.asList("")))
+ .size(), equalTo(0));
+ assertThat(
+ client.getPartitionsByNames(dbName2, tabName3, new ArrayList<String>(Arrays.asList("")))
+ .size(), equalTo(0));
+ assertThat(
+ client.getPartitionsByNames(dbName2, tabName4, new ArrayList<String>(Arrays.asList("")))
+ .size(), equalTo(0));
+ try {
+ client.getIndex(dbName1, tabName1, "empty");
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is successful.
+ }
+ try {
+ client.getIndex(dbName1, tabName2, "empty");
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is successful.
+ }
+ try {
+ client.getIndex(dbName2, tabName3, "empty");
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is successful.
+ }
+ try {
+ client.getIndex(dbName2, tabName3, "empty");
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is successful.
+ }
+
+ assertThat(client.listIndexes(dbName1, tabName1, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexes(dbName1, tabName2, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexes(dbName2, tabName3, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexes(dbName2, tabName4, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexNames(dbName1, tabName1, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexNames(dbName1, tabName2, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexNames(dbName2, tabName3, (short) 1).size(), equalTo(0));
+ assertThat(client.listIndexNames(dbName2, tabName4, (short) 1).size(), equalTo(0));
+ assertThat(client.getPartitionWithAuthInfo(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup"))), notNullValue());
+ assertThat(client.getPartitionWithAuthInfo(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup"))), notNullValue());
+ assertThat(client.getPartitionWithAuthInfo(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup"))), notNullValue());
+ assertThat(client.getPartitionWithAuthInfo(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup"))), notNullValue());
+ assertThat(
+ client.getTableColumnStatistics(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0));
+ assertThat(
+ client.getTableColumnStatistics(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0));
+ assertThat(
+ client.getTableColumnStatistics(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0));
+ assertThat(
+ client.getTableColumnStatistics(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0));
+ client.close();
+ }
+
+ /**
+ * The group of USER2_1 is USERGROUP2, and has the access to db1 and t1.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testPrivilegesForPartialAccess() throws Exception {
+ HiveMetaStoreClient client = context.getMetaStoreClient(USER2_1);
+ assertThat(client.getDatabase(dbName1), notNullValue());
+ try {
+ client.getDatabase(dbName2);
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ // including the "default" db
+ assertThat(client.getAllDatabases().size(), equalTo(2));
+ // including the "default" db
+ assertThat(client.getDatabases("*").size(), equalTo(2));
+ assertThat(client.getTable(dbName1, tabName1), notNullValue());
+ try {
+ client.getTable(dbName1, tabName2);
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getTable(dbName2, tabName3);
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getTable(dbName2, tabName4);
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ assertThat(client.listPartitions(dbName1, tabName1, (short) 1).size(), equalTo(1));
+ try {
+ client.listPartitions(dbName1, tabName2, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitions(dbName2, tabName3, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitions(dbName2, tabName4, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ assertThat(
+ client.listPartitions(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 1).size(), equalTo(1));
+ try {
+ client.listPartitions(dbName1, tabName2, new ArrayList<String>(Arrays.asList(partitionVal)),
+ (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitions(dbName2, tabName3, new ArrayList<String>(Arrays.asList(partitionVal)),
+ (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitions(dbName2, tabName4, new ArrayList<String>(Arrays.asList(partitionVal)),
+ (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ assertThat(
+ client.getPartition(dbName1, tabName1, new ArrayList<String>(Arrays.asList(partitionVal))),
+ notNullValue());
+ try {
+ client.getPartition(dbName1, tabName2, new ArrayList<String>(Arrays.asList(partitionVal)));
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartition(dbName2, tabName3, new ArrayList<String>(Arrays.asList(partitionVal)));
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartition(dbName2, tabName4, new ArrayList<String>(Arrays.asList(partitionVal)));
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ assertThat(client.getTables(dbName1, "tab*").size(), equalTo(1));
+ assertThat(client.getTables(dbName2, "tab*").size(), equalTo(0));
+ assertThat(
+ client.getTableObjectsByName(dbName1,
+ new ArrayList<String>(Arrays.asList(tabName1, tabName2))).size(), equalTo(1));
+ assertThat(
+ client.getTableObjectsByName(dbName2,
+ new ArrayList<String>(Arrays.asList(tabName3, tabName4))).size(), equalTo(0));
+ assertThat(client.getAllTables(dbName1).size(), equalTo(1));
+ assertThat(client.getAllTables(dbName2).size(), equalTo(0));
+
+ assertThat(client.listPartitionNames(dbName1, tabName1, (short) 2).size(), equalTo(1));
+ try {
+ client.listPartitionNames(dbName1, tabName2, (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitionNames(dbName2, tabName3, (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitionNames(dbName2, tabName4, (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ assertThat(
+ client.listPartitionNames(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2).size(), equalTo(1));
+ try {
+ client.listPartitionNames(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitionNames(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitionNames(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ assertThat(
+ client.getPartitionsByNames(dbName1, tabName1, new ArrayList<String>(Arrays.asList("")))
+ .size(), equalTo(0));
+ try {
+ client.getPartitionsByNames(dbName1, tabName2, new ArrayList<String>(Arrays.asList("")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartitionsByNames(dbName2, tabName3, new ArrayList<String>(Arrays.asList("")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartitionsByNames(dbName2, tabName4, new ArrayList<String>(Arrays.asList("")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ try {
+ client.getIndex(dbName1, tabName1, "empty");
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is successful.
+ }
+ try {
+ client.getIndex(dbName1, tabName2, "empty");
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getIndex(dbName2, tabName3, "empty");
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getIndex(dbName2, tabName3, "empty");
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ assertThat(client.listIndexes(dbName1, tabName1, (short) 1).size(), equalTo(0));
+ try {
+ client.listIndexes(dbName1, tabName2, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listIndexes(dbName2, tabName3, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listIndexes(dbName2, tabName4, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ assertThat(client.listIndexNames(dbName1, tabName1, (short) 1).size(), equalTo(0));
+ try {
+ client.listIndexNames(dbName1, tabName2, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listIndexNames(dbName2, tabName3, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listIndexNames(dbName2, tabName4, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ assertThat(client.getPartitionWithAuthInfo(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup"))), notNullValue());
+ try {
+ client.getPartitionWithAuthInfo(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartitionWithAuthInfo(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartitionWithAuthInfo(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ assertThat(
+ client.getTableColumnStatistics(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(colName1))).size(), equalTo(0));
+ try {
+ client.getTableColumnStatistics(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(colName1)));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getTableColumnStatistics(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(colName1)));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getTableColumnStatistics(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(colName1)));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ client.close();
+ }
+
+ /**
+ * The group of USER3_1 is USERGROUP3, and has no access to database and
+ * table.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void testPrivilegesForNoAccess() throws Exception {
+ HiveMetaStoreClient client = context.getMetaStoreClient(USER3_1);
+ try {
+ client.getDatabase(dbName1);
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getDatabase(dbName2);
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ // including the "default" db
+ assertThat(client.getAllDatabases().size(), equalTo(1));
+ // including the "default" db
+ assertThat(client.getDatabases("*").size(), equalTo(1));
+ try {
+ client.getTable(dbName1, tabName1);
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getTable(dbName1, tabName2);
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getTable(dbName2, tabName3);
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getTable(dbName2, tabName4);
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ try {
+ client.listPartitions(dbName1, tabName1, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitions(dbName1, tabName2, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitions(dbName2, tabName3, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitions(dbName2, tabName4, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ try {
+ client.listPartitions(dbName1, tabName1, new ArrayList<String>(Arrays.asList(partitionVal)),
+ (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitions(dbName1, tabName2, new ArrayList<String>(Arrays.asList(partitionVal)),
+ (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitions(dbName2, tabName3, new ArrayList<String>(Arrays.asList(partitionVal)),
+ (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitions(dbName2, tabName4, new ArrayList<String>(Arrays.asList(partitionVal)),
+ (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ try {
+ client.getPartition(dbName1, tabName1, new ArrayList<String>(Arrays.asList(partitionVal)));
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartition(dbName1, tabName2, new ArrayList<String>(Arrays.asList(partitionVal)));
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartition(dbName2, tabName3, new ArrayList<String>(Arrays.asList(partitionVal)));
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartition(dbName2, tabName4, new ArrayList<String>(Arrays.asList(partitionVal)));
+ fail("NoSuchObjectException should have been thrown");
+ } catch (NoSuchObjectException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ assertThat(client.getTables(dbName1, "tab*").size(), equalTo(0));
+ assertThat(client.getTables(dbName2, "tab*").size(), equalTo(0));
+ assertThat(
+ client.getTableObjectsByName(dbName1,
+ new ArrayList<String>(Arrays.asList(tabName1, tabName2))).size(), equalTo(0));
+ assertThat(
+ client.getTableObjectsByName(dbName2,
+ new ArrayList<String>(Arrays.asList(tabName3, tabName4))).size(), equalTo(0));
+ assertThat(client.getAllTables(dbName1).size(), equalTo(0));
+ assertThat(client.getAllTables(dbName2).size(), equalTo(0));
+
+ try {
+ client.listPartitionNames(dbName1, tabName1, (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitionNames(dbName1, tabName2, (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitionNames(dbName2, tabName3, (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitionNames(dbName2, tabName4, (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ try {
+ client.listPartitionNames(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitionNames(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitionNames(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listPartitionNames(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(partitionVal)), (short) 2);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ try {
+ client.getPartitionsByNames(dbName1, tabName1, new ArrayList<String>(Arrays.asList("")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartitionsByNames(dbName1, tabName2, new ArrayList<String>(Arrays.asList("")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartitionsByNames(dbName2, tabName3, new ArrayList<String>(Arrays.asList("")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartitionsByNames(dbName2, tabName4, new ArrayList<String>(Arrays.asList("")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ try {
+ client.getIndex(dbName1, tabName1, "empty");
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getIndex(dbName1, tabName2, "empty");
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getIndex(dbName2, tabName3, "empty");
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getIndex(dbName2, tabName3, "empty");
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ try {
+ client.listIndexes(dbName1, tabName1, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listIndexes(dbName1, tabName2, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listIndexes(dbName2, tabName3, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listIndexes(dbName2, tabName4, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ try {
+ client.listIndexNames(dbName1, tabName1, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listIndexNames(dbName1, tabName2, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listIndexNames(dbName2, tabName3, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.listIndexNames(dbName2, tabName4, (short) 1);
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ try {
+ client.getPartitionWithAuthInfo(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartitionWithAuthInfo(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartitionWithAuthInfo(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getPartitionWithAuthInfo(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(partitionVal)), "tempuser", new ArrayList<String>(
+ Arrays.asList("tempgroup")));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+
+ try {
+ client.getTableColumnStatistics(dbName1, tabName1,
+ new ArrayList<String>(Arrays.asList(colName1)));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getTableColumnStatistics(dbName1, tabName2,
+ new ArrayList<String>(Arrays.asList(colName1)));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getTableColumnStatistics(dbName2, tabName3,
+ new ArrayList<String>(Arrays.asList(colName1)));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ try {
+ client.getTableColumnStatistics(dbName2, tabName4,
+ new ArrayList<String>(Arrays.asList(colName1)));
+ fail("MetaException should have been thrown");
+ } catch (MetaException noe) {
+ // ignore, just make sure the authorization is failed.
+ }
+ client.close();
+ }
+}
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java
index 00d0492..bb5444e 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetaStoreWithPigHCat.java
@@ -18,8 +18,8 @@
package org.apache.sentry.tests.e2e.metastore;
-import org.apache.sentry.provider.file.PolicyFile;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
import java.io.File;
import java.io.FileOutputStream;
@@ -29,7 +29,7 @@
import org.apache.hive.hcatalog.pig.HCatStorer;
import org.apache.pig.ExecType;
import org.apache.pig.PigServer;
-import org.apache.sentry.tests.e2e.hive.Context;
+import org.apache.sentry.provider.file.PolicyFile;
import org.apache.sentry.tests.e2e.hive.StaticUserGroup;
import org.junit.Before;
import org.junit.Test;
@@ -93,18 +93,11 @@
execPigLatin(USER2_1, pigServer, "A = load '" + dataFile.getPath()
+ "' as (id:int);");
try {
- execPigLatin(USER2_1, pigServer, "store A into '" + dbName + "."
- + tabName
- + "' using " + HCatStorer.class.getName() + " ('part_col=part2');");
- // TODO: The HCatStore seems to be swallowing the exception. Thus we
- // manually verify that partition is not created by above call.
- client = context.getMetaStoreClient(ADMIN1);
- assertEquals(1, client.listPartitionNames(dbName, tabName, (short)10).size());
- client.close();
- // fail("HCatStore should fail for non-privilege user");
-
+ execPigLatin(USER2_1, pigServer, "store A into '" + dbName + "." + tabName + "' using "
+ + HCatStorer.class.getName() + " ('part_col=part2');");
+ fail("USER2_1 has no access to the metadata, exception will be thrown.");
} catch (IOException e) {
- Context.verifyMetastoreAuthException(e.getCause());
+ // ignore the exception
}
}
