Google Git
Sign in
apache / incubator-sentry / c8c8878654c1946a5c2ab8d16a09e53fc18701ea / . / sentry-provider / sentry-provider-db / src / test / java / org / apache / sentry / provider / db / service / thrift / TestSentryServiceIntegration.java
blob: 815f1f848e049206a4bbd3688e8791a79d67f1c5 [file] [log] [blame]
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless createRequired by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.sentry.provider.db.service.thrift;
import static junit.framework.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.core.model.db.AccessURI;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.core.model.db.Table;
import org.apache.sentry.provider.db.SentryAccessDeniedException;
import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
import org.junit.Test;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
@Test
public void testCreateDropShowRole() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
String roleName = "admin_r";
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
client.dropRoleIfExists(requestorUserName, roleName);
client.createRole(requestorUserName, roleName);
Set<TSentryRole> roles = client.listRoles(requestorUserName);
assertEquals("Incorrect number of roles", 1, roles.size());
for (TSentryRole role:roles) {
assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
}
client.dropRole(requestorUserName, roleName);
}
@Test
public void testGranRevokePrivilegeOnTableForRole() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
String roleName1 = "admin_r1";
String roleName2 = "admin_r2";
client.dropRoleIfExists(requestorUserName, roleName1);
client.createRole(requestorUserName, roleName1);
client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
client.dropRoleIfExists(requestorUserName, roleName2);
client.createRole(requestorUserName, roleName2);
client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertEquals("Privilege not assigned to role1 !!", 4, listPrivilegesByRoleName.size());
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertEquals("Privilege not assigned to role2 !!", 4, listPrivilegesByRoleName.size());
client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
}
@Test
public void testMultipleRolesSamePrivilege() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
String roleName1 = "admin_r1";
String roleName2 = "admin_r2";
client.dropRoleIfExists(requestorUserName, roleName1);
client.createRole(requestorUserName, roleName1);
client.dropRoleIfExists(requestorUserName, roleName2);
client.createRole(requestorUserName, roleName2);
client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL");
Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL");
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
}
@Test
public void testShowRoleGrant() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
String roleName = "admin_testdb";
String groupName = "group1";
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
client.dropRoleIfExists(requestorUserName, roleName);
client.createRole(requestorUserName, roleName);
Set<TSentryRole> roles = client.listRoles(requestorUserName);
assertEquals("Incorrect number of roles", 1, roles.size());
client.grantRoleToGroup(requestorUserName, groupName, roleName);
Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName);
assertTrue(groupRoles.size() == 1);
for (TSentryRole role:groupRoles) {
assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
assertTrue(role.getGroups().size() == 1);
for (TSentryGroup group :role.getGroups()) {
assertTrue(group.getGroupName(), group.getGroupName().equalsIgnoreCase(groupName));
}
}
client.dropRole(requestorUserName, roleName);
}
@Test
public void testShowGrant() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
String roleName = "admin_testdb";
String server = "server1";
String db = "testDB";
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
client.dropRoleIfExists(requestorUserName, roleName);
client.createRole(requestorUserName, roleName);
Set<TSentryRole> roles = client.listRoles(requestorUserName);
assertEquals("Incorrect number of roles", 1, roles.size());
client.grantDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
assertTrue(privileges.size() == 1);
client.revokeDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
client.dropRole(requestorUserName, roleName);
}
// See SENTRY-166
@Test
public void testUriWithEquals() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
String roleName = "admin_testdb";
String server = "server1";
String uri = "file://u/w/h/t/partition=value/";
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
// Creating associated role
client.dropRoleIfExists(requestorUserName, roleName);
client.createRole(requestorUserName, roleName);
Set<TSentryRole> roles = client.listRoles(requestorUserName);
assertEquals("Incorrect number of roles", 1, roles.size());
client.grantURIPrivilege(requestorUserName, roleName, server, uri);
Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
assertTrue(privileges.size() == 1);
// Revoking the same privilege
client.revokeURIPrivilege(requestorUserName, roleName, server, uri);
privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
assertTrue(privileges.size() == 0);
// Clean up
client.dropRole(requestorUserName, roleName);
}
// See SENTRY-181
@Test
public void testSameGrantTwice() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
String roleName = "admin_r1";
client.createRole(requestorUserName, roleName);
client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL");
client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL");
assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
}
@Test
public void testGrantRevokeWithGrantOption() throws Exception {
// Grant a privilege with Grant Option
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
String roleName = "admin_r1";
boolean grantOption = true;
boolean withoutGrantOption = false;
client.dropRoleIfExists(requestorUserName, roleName);
client.createRole(requestorUserName, roleName);
client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
// // Try to revoke the privilege without grantOption and can't revoke the privilege.
client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption);
assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
// Try to revoke the privilege with grantOption, the privilege will be revoked.
client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
}
@Test
public void testGrantTwoPrivilegeDiffInGrantOption() throws Exception {
// Grant a privilege with 'Grant Option'.
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
String roleName = "admin_r1";
boolean grantOption = true;
boolean withoutGrantOption = false;
client.dropRoleIfExists(requestorUserName, roleName);
client.createRole(requestorUserName, roleName);
client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
// Grant a privilege without 'Grant Option'.
// TODO : Do not think this is correct.. It shouldnt make sense for a Role
// to have both TRUE and FALSE grantoption on the same Authorizable Object..
// client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption);
// Set<TSentryPrivilege> lst = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
// assertEquals(2, lst.size());
// Use 'grantOption = null', the two privileges will be revoked.
client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", null);
assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
}
@Test
public void testGranRevokePrivilegeOnColumnForRole() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
String roleName1 = "admin_r1";
String roleName2 = "admin_r2";
client.dropRoleIfExists(requestorUserName, roleName1);
client.createRole(requestorUserName, roleName1);
client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL");
client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col2", "ALL");
client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col1", "ALL");
client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col2", "ALL");
client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL");
client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL");
client.dropRoleIfExists(requestorUserName, roleName2);
client.createRole(requestorUserName, roleName2);
client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col1", "ALL");
client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col2", "ALL");
client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL");
client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL");
client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL");
client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL");
Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertEquals("Privilege not assigned to role1 !!", 6, listPrivilegesByRoleName.size());
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertEquals("Privilege not assigned to role2 !!", 6, listPrivilegesByRoleName.size());
client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL");
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 6);
client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
client.revokeDatabasePrivilege(requestorUserName, roleName1, "server", "db1", "ALL");
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 2);
client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL");
client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL");
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL");
client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL");
client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL");
client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL");
listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
}
public void testListByAuthDB() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
String roleName1 = "role1";
String roleName2 = "role2";
Set<String> testRoleSet = Sets.newHashSet(roleName1, roleName2);
String group1 = "group1";
String group2 = "group2";
Set<String> testGroupSet = Sets.newHashSet(group1, group2);
String server = "server1";
String db = "testDB";
String db2 = "testDB2";
String tab = "testTab";
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
String group1user = "group1user";
setLocalGroupMapping(group1user, Sets.newHashSet(group1));
String group2user = "group2user";
setLocalGroupMapping(group2user, Sets.newHashSet(group2));
setLocalGroupMapping("random", Sets.newHashSet("foo"));
writePolicyFile();
client.dropRoleIfExists(requestorUserName, roleName1);
client.createRole(requestorUserName, roleName1);
client.dropRoleIfExists(requestorUserName, roleName2);
client.createRole(requestorUserName, roleName2);
TSentryPrivilege role1db1 = client.grantDatabasePrivilege(
requestorUserName, roleName1, server, db, AccessConstants.SELECT);
client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
AccessConstants.ALL);
client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab,
AccessConstants.SELECT);
client.grantURIPrivilege(requestorUserName, roleName1, server, "hdfs:///fooUri");
client.grantRoleToGroup(requestorUserName, group1, roleName1);
TSentryPrivilege role2db1 = client.grantDatabasePrivilege(
requestorUserName, roleName2, server, db,
AccessConstants.ALL);
client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
AccessConstants.SELECT);
client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
AccessConstants.ALL);
client.grantRoleToGroup(requestorUserName, group2, roleName2);
// build expected output
TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
new TreeMap<String, Set<TSentryPrivilege>>());
db1RoleToPrivMap.getPrivilegeMap()
.put(roleName1, Sets.newHashSet(role1db1));
db1RoleToPrivMap.getPrivilegeMap()
.put(roleName2, Sets.newHashSet(role2db1));
Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
.newTreeMap();
List<? extends Authorizable> db1Authrizable = Lists.newArrayList(
new Server(server), new Database(db));
expectedResults.put(
SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable),
db1RoleToPrivMap);
Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
authorizableSet.add(db1Authrizable);
// verify for null group and null roleset
Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
assertEquals(expectedResults, authPrivMap);
// verify for null group and specific roleset
authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
null, new ActiveRoleSet(testRoleSet));
assertEquals(expectedResults, authPrivMap);
// verify for null group and specific roleset
authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null,
ActiveRoleSet.ALL);
assertEquals(expectedResults, authPrivMap);
// verify for specific group and null roleset
authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
testGroupSet, null);
assertEquals(expectedResults, authPrivMap);
// verify for specific group and specific roleset
authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
testGroupSet, new ActiveRoleSet(testRoleSet));
assertEquals(expectedResults, authPrivMap);
// verify for specific group and ALL roleset
authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
testGroupSet, ActiveRoleSet.ALL);
assertEquals(expectedResults, authPrivMap);
// verify users not belonging to any group are not shown anything
authPrivMap = client
.listPrivilegsbyAuthorizable("random", authorizableSet,
new HashSet<String>(), ActiveRoleSet.ALL);
expectedResults.clear();
expectedResults.put(
SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable),
new TSentryPrivilegeMap(new HashMap<String, Set<TSentryPrivilege>>()));
assertEquals(expectedResults, authPrivMap);
}
@Test
public void testListByAuthTab() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
String roleName1 = "role1";
String roleName2 = "role2";
String server = "server1";
String db = "testDB";
String db2 = "testDB2";
String tab = "testTab";
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
client.dropRoleIfExists(requestorUserName, roleName1);
client.createRole(requestorUserName, roleName1);
client.dropRoleIfExists(requestorUserName, roleName2);
client.createRole(requestorUserName, roleName2);
client.grantDatabasePrivilege(
requestorUserName, roleName1, server, db, AccessConstants.SELECT);
client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
AccessConstants.ALL);
TSentryPrivilege role1db2tab = client.grantTablePrivilege(
requestorUserName, roleName1, server, db2, tab,
AccessConstants.SELECT);
client.grantDatabasePrivilege(
requestorUserName, roleName2, server, db,
AccessConstants.ALL);
client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
AccessConstants.SELECT);
TSentryPrivilege role2db2tab = client.grantTablePrivilege(
requestorUserName, roleName2, server, db2, tab,
AccessConstants.ALL);
client.grantURIPrivilege(requestorUserName, roleName1, server,
"hdfs:///fooUri");
// build expected output
TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
new TreeMap<String, Set<TSentryPrivilege>>());
db1RoleToPrivMap.getPrivilegeMap()
.put(roleName1,
Sets.newHashSet(role1db2tab));
db1RoleToPrivMap.getPrivilegeMap()
.put(roleName2,
Sets.newHashSet(role2db2tab));
Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
.newTreeMap();
List<? extends Authorizable> db2TabAuthrizable = Lists.newArrayList(
new Server(server), new Database(db2), new Table(tab));
expectedResults.put(
SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthrizable),
db1RoleToPrivMap);
Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
authorizableSet.add(db2TabAuthrizable);
Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
fuzzyAssertEquals(expectedResults, authPrivMap);
}
@Test
public void testListByAuthUri() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
String roleName1 = "role1";
String roleName2 = "role2";
String server = "server1";
String db = "testDB";
String db2 = "testDB2";
String tab = "testTab";
String uri1 = "hdfs:///fooUri";
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
client.dropRoleIfExists(requestorUserName, roleName1);
client.createRole(requestorUserName, roleName1);
client.dropRoleIfExists(requestorUserName, roleName2);
client.createRole(requestorUserName, roleName2);
client.grantDatabasePrivilege(requestorUserName, roleName1, server, db,
AccessConstants.SELECT);
client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
AccessConstants.ALL);
client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab,
AccessConstants.SELECT);
TSentryPrivilege role1uri1 = client.grantURIPrivilege(requestorUserName,
roleName1, server, uri1);
client.grantDatabasePrivilege(requestorUserName, roleName2, server, db,
AccessConstants.ALL);
client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
AccessConstants.SELECT);
client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
AccessConstants.ALL);
TSentryPrivilege role2uri2 = client.grantURIPrivilege(requestorUserName,
roleName2, server, uri1);
// build expected output
TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
new TreeMap<String, Set<TSentryPrivilege>>());
db1RoleToPrivMap.getPrivilegeMap().put(roleName1,
Sets.newHashSet(role1uri1));
db1RoleToPrivMap.getPrivilegeMap().put(roleName2,
Sets.newHashSet(role2uri2));
Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
.newTreeMap();
List<? extends Authorizable> uri1Authrizable = Lists.newArrayList(
new Server(server), new AccessURI(uri1));
expectedResults.put(
SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(uri1Authrizable),
db1RoleToPrivMap);
Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
authorizableSet.add(uri1Authrizable);
Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
fuzzyAssertEquals(expectedResults, authPrivMap);
}
/**
* List privileges by authorizables executed by non-admin user
* Test various positive and negative cases for non-admin user
* @throws Exception
*/
@Test
public void testListByAuthTabForNonAdmin() throws Exception {
String requestorUserName = ADMIN_USER;
String user1 = "user1";
String group1 = "group1";
String group2 = "group2";
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
Set<String> userGroupNames1 = Sets.newHashSet(group1);
Set<String> userGroupNames2 = Sets.newHashSet(group2);
String roleName1 = "role1";
String roleName2 = "role2";
String server = "server1";
String db = "testDB";
String db2 = "testDB2";
String tab = "testTab";
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
setLocalGroupMapping(user1, userGroupNames1);
writePolicyFile();
client.dropRoleIfExists(requestorUserName, roleName1);
client.createRole(requestorUserName, roleName1);
client.dropRoleIfExists(requestorUserName, roleName2);
client.createRole(requestorUserName, roleName2);
client.grantDatabasePrivilege(requestorUserName, roleName1, server, db,
AccessConstants.SELECT);
client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
AccessConstants.ALL);
TSentryPrivilege role1db2tab = client.grantTablePrivilege(
requestorUserName, roleName1, server, db2, tab, AccessConstants.SELECT);
client.grantRoleToGroup(requestorUserName, group1, roleName1);
client.grantDatabasePrivilege(requestorUserName, roleName2, server, db,
AccessConstants.ALL);
client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
AccessConstants.SELECT);
client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
AccessConstants.ALL);
client.grantURIPrivilege(requestorUserName, roleName1, server,
"hdfs:///fooUri");
// build expected output. user1 should see privileges on tab1 from role1
TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
new TreeMap<String, Set<TSentryPrivilege>>());
db1RoleToPrivMap.getPrivilegeMap().put(roleName1, Sets.newHashSet(role1db2tab));
Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps.newTreeMap();
List<? extends Authorizable> db2TabAuthorizable = Lists.newArrayList(
new Server(server), new Database(db2), new Table(tab));
expectedResults.put(
SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthorizable),
db1RoleToPrivMap);
Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
authorizableSet.add(db2TabAuthorizable);
// list privileges with null group and roles
Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
.listPrivilegsbyAuthorizable(user1, authorizableSet, null, null);
fuzzyAssertEquals(expectedResults, authPrivMap);
// list privileges with empty group set and null roles
authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
new HashSet<String>(), null);
fuzzyAssertEquals(expectedResults, authPrivMap);
// list privileges with null group set and ALL roleset
authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
null, new ActiveRoleSet(true));
fuzzyAssertEquals(expectedResults, authPrivMap);
// list privileges with user1's group set and null roles
authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
userGroupNames1, null);
fuzzyAssertEquals(expectedResults, authPrivMap);
// list privileges with user1's group set and ALL roles
authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
userGroupNames1, new ActiveRoleSet(true));
fuzzyAssertEquals(expectedResults, authPrivMap);
// list privileges with null group and user's specific roles with uppercase name
authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
null, new ActiveRoleSet(Sets.newHashSet(roleName1.toUpperCase())));
fuzzyAssertEquals(expectedResults, authPrivMap);
// verify that user1 can't query group2
try {
client.listPrivilegsbyAuthorizable(user1, authorizableSet, userGroupNames2, null);
fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + group2);
} catch (SentryAccessDeniedException e) {
// expected
}
// verify that user1 can't query role2
ActiveRoleSet roleSet2 = new ActiveRoleSet(Sets.newHashSet(roleName2));
try {
client.listPrivilegsbyAuthorizable(user1, authorizableSet, null, roleSet2);
fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + roleName2);
} catch (SentryAccessDeniedException e) {
// expected
}
}
/**
* Attempt to access a configuration value that is forbidden in getConfigVal
* @param configVal The banned value
* @param defaultVal A default to pass to getConfigValue
* @throws Exception
*/
private void checkBannedConfigVal(String configVal, String defaultVal)
throws Exception {
try {
client.getConfigValue(configVal, defaultVal);
fail("Attempt to access " + configVal + " succeeded");
} catch (SentryAccessDeniedException e) {
assertTrue(e.toString().contains("was denied"));
assertTrue(e.toString().contains(configVal));
}
}
@Test
public void testGetConfigVal() throws Exception {
String val;
// Basic success case
val = client.getConfigValue("sentry.service.admin.group", "xxx");
assertEquals(val, "admin_group");
// Undefined value gets the default back
val = client.getConfigValue("sentry.this.is.not.defined", "hello");
assertEquals(val, "hello");
// Undefined value and null default gets null back
val = client.getConfigValue("sentry.this.is.not.defined", null);
assertEquals(val, null);
// Known config value with null default works as expected
val = client.getConfigValue("sentry.service.admin.group", null);
assertEquals(val, "admin_group");
// Value that is forbidden (anything not starting with "sentry") dies
checkBannedConfigVal("notsentry", "xxx");
// Ditto with a null default
checkBannedConfigVal("notsentry", null);
// Values with .jdbc. are forbidden
checkBannedConfigVal("sentry.xxx.jdbc.xxx", null);
// Values with password are forbidden
checkBannedConfigVal("sentry.xxx.password", null);
// Attempt to get the location of the keytab also fails
checkBannedConfigVal("sentry.service.server.keytab", null);
// null parameter name fails
try {
val = client.getConfigValue(null, null);
fail("null parameter succeeded");
} catch (SentryUserException e) {
// expected
}
}
private void fuzzyAssertEquals(
Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults,
Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap) {
assertEquals(expectedResults.size(), authPrivMap.size());
for (Object mKey : expectedResults.keySet()) {
assertEquals(expectedResults.get(mKey).getPrivilegeMap().size(),
authPrivMap.get(mKey).getPrivilegeMap().size());
for (Map.Entry<String, Set<TSentryPrivilege>> e :
expectedResults.get(mKey).getPrivilegeMap().entrySet()) {
assertTrue(authPrivMap.get(mKey).getPrivilegeMap().containsKey(e.getKey()));
Set<TSentryPrivilege> exp = createSpecialSet();
exp.addAll(e.getValue());
Set<TSentryPrivilege> act = createSpecialSet();
act.addAll(authPrivMap.get(mKey).getPrivilegeMap().get(e.getKey()));
assertEquals(exp, act);
}
}
}
private Set<TSentryPrivilege> createSpecialSet() {
return new TreeSet<TSentryPrivilege>(new Comparator<TSentryPrivilege>() {
@Override
public int compare(TSentryPrivilege o1, TSentryPrivilege o2) {
if (o1.getServerName().equalsIgnoreCase(o2.getServerName())
&&o1.getDbName().equalsIgnoreCase(o2.getDbName())
&&o1.getTableName().equalsIgnoreCase(o2.getTableName())
&&o1.getColumnName().equalsIgnoreCase(o2.getColumnName())
&&o1.getGrantOption().equals(o2.getGrantOption())
&&(o1.getAction().equalsIgnoreCase(o2.getAction())
||(o1.getAction().equals("*")&&o2.getAction().equalsIgnoreCase("all"))
||(o2.getAction().equals("*")&&o1.getAction().equalsIgnoreCase("all")))) {
return 0;
} else {
return o1.compareTo(o2);
}
}
});
}
}