sentry-tests/src/test/java/org/apache/sentry/tests/e2e/TestMovingToProduction.java - incubator-sentry - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.sentry.tests.e2e;

 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;

 import java.io.File;
 import java.io.FileOutputStream;
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.Statement;

 import junit.framework.Assert;

 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;

 import com.google.common.io.Resources;

 public class TestMovingToProduction extends AbstractTestWithStaticLocalFS {
   private Context context;
   private final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";

   @Before
   public void setUp() throws Exception {
     context = createContext();
     File dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
     FileOutputStream to = new FileOutputStream(dataFile);
     Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
     to.close();
   }

   @After
   public void tearDown() throws Exception {
     if (context != null) {
       context.close();
     }
   }

   /**
    * Steps:
    * 1. admin create DB_1, admin create GROUP_1, GROUP_2
    * 2. admin grant all to GROUP_1 on DB_1
    * 3. user in GROUP_1 create table tb_1 and load data into
    * 4. admin create table production.tb_1.
    * 5. admin grant all to GROUP_1 on production.tb_1.
    *   positive test cases:
    *     a)verify user in GROUP_1 can load data from DB_1.tb_1 to production.tb_1
    *     b)verify user in GROUP_1 has proper privilege on production.tb_1
    *     (read and insert)
    *   negative test cases:
    *     c)verify user in GROUP_2 cannot load data from DB_1.tb_1
    *     to production.tb_1
    *     d)verify user in GROUP_1 cannot drop production.tb_1
    */
   @Test
   public void testMovingTable1() throws Exception {
     File policyFile = context.getPolicyFile();
     Assert.assertTrue(policyFile.delete() && policyFile.createNewFile());

     PolicyFileEditor editor = new PolicyFileEditor(policyFile);
     editor.addPolicy("admin = admin", "groups");
     editor.addPolicy("group1 = all_db1, load_data, select_proddb_tbl1, insert_proddb_tbl1", "groups");
     editor.addPolicy("all_db1 = server=server1->db=db_1", "roles");
     editor.addPolicy("load_data = server=server1->uri=file://" + dataDir.getPath(), "roles");
     editor.addPolicy("admin = server=server1", "roles");
     editor.addPolicy("admin1 = admin", "users");
     editor.addPolicy("user1 = group1", "users");
     editor.addPolicy("user2 = group2", "users");

     String dbName1 = "db_1";
     String dbName2 = "proddb";
     String tableName1 = "tb_1";
     Connection connection = context.createConnection("admin1", "foo");
     Statement statement = context.createStatement(connection);
     statement.execute("DROP DATABASE IF EXISTS " + dbName1 + " CASCADE");
     statement.execute("DROP DATABASE IF EXISTS " + dbName2 + " CASCADE");
     statement.execute("CREATE DATABASE " + dbName1);
     statement.execute("CREATE DATABASE " + dbName2);
     statement.execute("DROP TABLE IF EXISTS " + dbName2 + "." + tableName1);
     statement.execute("create table " + dbName2 + "." + tableName1
         + " (under_col int comment 'the under column', value string)");
     statement.close();
     connection.close();

     // a
     connection = context.createConnection("user1", "foo");
     statement = context.createStatement(connection);
     statement.execute("USE " + dbName1);
     statement.execute("DROP TABLE IF EXISTS " + tableName1);
     statement.execute("create table " + tableName1
         + " (under_col int comment 'the under column', value string)");
     statement.execute("LOAD DATA INPATH 'file://" + dataDir.getPath()
         + "' INTO TABLE " + tableName1);

     editor.addPolicy("insert_proddb_tbl1 = server=server1->db=proddb->table=tb_1->action=insert", "roles");
     statement.execute("USE " + dbName2);
     statement.execute("INSERT OVERWRITE TABLE "
         + tableName1 + " SELECT * FROM " + dbName1
         + "." + tableName1);

     // b
     editor.addPolicy("select_proddb_tbl1 = server=server1->db=proddb->table=tb_1->action=select", "roles");
     ResultSet resultSet = statement.executeQuery("SELECT * FROM " + tableName1 + " LIMIT 10");
     int count = 0;
     while(resultSet.next()) {
       count++;
     }
     assertEquals(10, count);
     statement.execute("DESCRIBE " + tableName1);

     // c
     connection = context.createConnection("user2", "foo");
     statement = context.createStatement(connection);
     context.assertAuthzException(statement, "USE " + dbName2);
     context.assertAuthzException(statement, "INSERT OVERWRITE TABLE "
         + dbName2 + "." + tableName1 + " SELECT * FROM " + dbName1
         + "." + tableName1);
     context.assertAuthzException(statement, "SELECT * FROM " + dbName2 + "." + tableName1 + " LIMIT 10");
     statement.close();
     connection.close();

     // d
     connection = context.createConnection("user1", "foo");
     statement = context.createStatement(connection);
     statement.execute("USE " + dbName2);
     context.assertAuthzException(statement, "DROP TABLE " + tableName1);
     statement.close();
     connection.close();
   }

   /**
    * repeat above tests, only difference is don't do 'USE <database>'
    * in this test. Instead, access table objects across database by
    * database.table
    * @throws Exception
    */
   @Test
   public void testMovingTable2() throws Exception {
     File policyFile = context.getPolicyFile();
     PolicyFileEditor editor = new PolicyFileEditor(policyFile);
     editor.addPolicy("admin = admin", "groups");
     editor.addPolicy("group1 = all_db1, load_data, select_proddb_tbl1, insert_proddb_tbl1", "groups");
     editor.addPolicy("all_db1 = server=server1->db=db_1", "roles");
     editor.addPolicy("load_data = server=server1->uri=file://" + dataDir.getPath(), "roles");
     editor.addPolicy("admin = server=server1", "roles");
     editor.addPolicy("admin1 = admin", "users");
     editor.addPolicy("user1 = group1", "users");
     editor.addPolicy("user2 = group2", "users");

     String dbName1 = "db_1";
     String dbName2 = "proddb";
     String tableName1 = "tb_1";
     Connection connection = context.createConnection("admin1", "foo");
     Statement statement = context.createStatement(connection);
     statement.execute("DROP DATABASE IF EXISTS " + dbName1 + " CASCADE");
     statement.execute("DROP DATABASE IF EXISTS " + dbName2 + " CASCADE");
     statement.execute("CREATE DATABASE " + dbName1);
     statement.execute("CREATE DATABASE " + dbName2);
     statement.execute("DROP TABLE IF EXISTS " + dbName2 + "." + tableName1);
     statement.execute("create table " + dbName2 + "." + tableName1
         + " (under_col int comment 'the under column', value string)");
     statement.close();
     connection.close();

     // a
     connection = context.createConnection("user1", "foo");
     statement = context.createStatement(connection);
     statement.execute("DROP TABLE IF EXISTS " + dbName1 + "." + tableName1);
     statement.execute("create table " + dbName1 + "." + tableName1
         + " (under_col int comment 'the under column', value string)");
     statement.execute("LOAD DATA INPATH 'file://" + dataDir.getPath()
         + "' INTO TABLE " + dbName1 + "." + tableName1);

     editor.addPolicy("insert_proddb_tbl1 = server=server1->db=proddb->table=tb_1->action=insert", "roles");
     statement.execute("INSERT OVERWRITE TABLE "
         + dbName2 + "." + tableName1 + " SELECT * FROM " + dbName1
         + "." + tableName1);

     // b
     editor.addPolicy("select_proddb_tbl1 = server=server1->db=proddb->table=tb_1->action=select", "roles");
     assertTrue("user1 should be able to select data from "
         + dbName2 + "." + dbName2 + "." + tableName1, statement.execute("SELECT * FROM "
             + dbName2 + "." + tableName1 + " LIMIT 10"));
     assertTrue("user1 should be able to describe table " + dbName2 + "." + tableName1,
         statement.execute("DESCRIBE " + dbName2 + "." + tableName1));

     // c
     connection = context.createConnection("user2", "foo");
     statement = context.createStatement(connection);

     context.assertAuthzException(statement, "INSERT OVERWRITE TABLE "
         + dbName2 + "." + tableName1 + " SELECT * FROM " + dbName1
         + "." + tableName1);

     context.assertAuthzException(statement, "SELECT * FROM "
         + dbName2 + "." + tableName1 + " LIMIT 10");
     statement.close();
     connection.close();

     // d
     connection = context.createConnection("user1", "foo");
     statement = context.createStatement(connection);
     statement.execute("USE " + dbName2);
     context.assertAuthzException(statement, "DROP TABLE " + tableName1);
     statement.close();
     connection.close();
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.sentry.tests.e2e;

	import static org.junit.Assert.assertEquals;
	import static org.junit.Assert.assertTrue;

	import java.io.File;
	import java.io.FileOutputStream;
	import java.sql.Connection;
	import java.sql.ResultSet;
	import java.sql.Statement;

	import junit.framework.Assert;

	import org.junit.After;
	import org.junit.Before;
	import org.junit.Test;

	import com.google.common.io.Resources;

	public class TestMovingToProduction extends AbstractTestWithStaticLocalFS {
	private Context context;
	private final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";

	@Before
	public void setUp() throws Exception {
	context = createContext();
	File dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
	FileOutputStream to = new FileOutputStream(dataFile);
	Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
	to.close();
	}

	@After
	public void tearDown() throws Exception {
	if (context != null) {
	context.close();
	}
	}

	/**
	* Steps:
	* 1. admin create DB_1, admin create GROUP_1, GROUP_2
	* 2. admin grant all to GROUP_1 on DB_1
	* 3. user in GROUP_1 create table tb_1 and load data into
	* 4. admin create table production.tb_1.
	* 5. admin grant all to GROUP_1 on production.tb_1.
	* positive test cases:
	* a)verify user in GROUP_1 can load data from DB_1.tb_1 to production.tb_1
	* b)verify user in GROUP_1 has proper privilege on production.tb_1
	* (read and insert)
	* negative test cases:
	* c)verify user in GROUP_2 cannot load data from DB_1.tb_1
	* to production.tb_1
	* d)verify user in GROUP_1 cannot drop production.tb_1
	*/
	@Test
	public void testMovingTable1() throws Exception {
	File policyFile = context.getPolicyFile();
	Assert.assertTrue(policyFile.delete() && policyFile.createNewFile());

	PolicyFileEditor editor = new PolicyFileEditor(policyFile);
	editor.addPolicy("admin = admin", "groups");
	editor.addPolicy("group1 = all_db1, load_data, select_proddb_tbl1, insert_proddb_tbl1", "groups");
	editor.addPolicy("all_db1 = server=server1->db=db_1", "roles");
	editor.addPolicy("load_data = server=server1->uri=file://" + dataDir.getPath(), "roles");
	editor.addPolicy("admin = server=server1", "roles");
	editor.addPolicy("admin1 = admin", "users");
	editor.addPolicy("user1 = group1", "users");
	editor.addPolicy("user2 = group2", "users");

	String dbName1 = "db_1";
	String dbName2 = "proddb";
	String tableName1 = "tb_1";
	Connection connection = context.createConnection("admin1", "foo");
	Statement statement = context.createStatement(connection);
	statement.execute("DROP DATABASE IF EXISTS " + dbName1 + " CASCADE");
	statement.execute("DROP DATABASE IF EXISTS " + dbName2 + " CASCADE");
	statement.execute("CREATE DATABASE " + dbName1);
	statement.execute("CREATE DATABASE " + dbName2);
	statement.execute("DROP TABLE IF EXISTS " + dbName2 + "." + tableName1);
	statement.execute("create table " + dbName2 + "." + tableName1
	+ " (under_col int comment 'the under column', value string)");
	statement.close();
	connection.close();

	// a
	connection = context.createConnection("user1", "foo");
	statement = context.createStatement(connection);
	statement.execute("USE " + dbName1);
	statement.execute("DROP TABLE IF EXISTS " + tableName1);
	statement.execute("create table " + tableName1
	+ " (under_col int comment 'the under column', value string)");
	statement.execute("LOAD DATA INPATH 'file://" + dataDir.getPath()
	+ "' INTO TABLE " + tableName1);

	editor.addPolicy("insert_proddb_tbl1 = server=server1->db=proddb->table=tb_1->action=insert", "roles");
	statement.execute("USE " + dbName2);
	statement.execute("INSERT OVERWRITE TABLE "
	+ tableName1 + " SELECT * FROM " + dbName1
	+ "." + tableName1);

	// b
	editor.addPolicy("select_proddb_tbl1 = server=server1->db=proddb->table=tb_1->action=select", "roles");
	ResultSet resultSet = statement.executeQuery("SELECT * FROM " + tableName1 + " LIMIT 10");
	int count = 0;
	while(resultSet.next()) {
	count++;
	}
	assertEquals(10, count);
	statement.execute("DESCRIBE " + tableName1);

	// c
	connection = context.createConnection("user2", "foo");
	statement = context.createStatement(connection);
	context.assertAuthzException(statement, "USE " + dbName2);
	context.assertAuthzException(statement, "INSERT OVERWRITE TABLE "
	+ dbName2 + "." + tableName1 + " SELECT * FROM " + dbName1
	+ "." + tableName1);
	context.assertAuthzException(statement, "SELECT * FROM " + dbName2 + "." + tableName1 + " LIMIT 10");
	statement.close();
	connection.close();

	// d
	connection = context.createConnection("user1", "foo");
	statement = context.createStatement(connection);
	statement.execute("USE " + dbName2);
	context.assertAuthzException(statement, "DROP TABLE " + tableName1);
	statement.close();
	connection.close();
	}

	/**
	* repeat above tests, only difference is don't do 'USE <database>'
	* in this test. Instead, access table objects across database by
	* database.table
	* @throws Exception
	*/
	@Test
	public void testMovingTable2() throws Exception {
	File policyFile = context.getPolicyFile();
	PolicyFileEditor editor = new PolicyFileEditor(policyFile);
	editor.addPolicy("admin = admin", "groups");
	editor.addPolicy("group1 = all_db1, load_data, select_proddb_tbl1, insert_proddb_tbl1", "groups");
	editor.addPolicy("all_db1 = server=server1->db=db_1", "roles");
	editor.addPolicy("load_data = server=server1->uri=file://" + dataDir.getPath(), "roles");
	editor.addPolicy("admin = server=server1", "roles");
	editor.addPolicy("admin1 = admin", "users");
	editor.addPolicy("user1 = group1", "users");
	editor.addPolicy("user2 = group2", "users");

	String dbName1 = "db_1";
	String dbName2 = "proddb";
	String tableName1 = "tb_1";
	Connection connection = context.createConnection("admin1", "foo");
	Statement statement = context.createStatement(connection);
	statement.execute("DROP DATABASE IF EXISTS " + dbName1 + " CASCADE");
	statement.execute("DROP DATABASE IF EXISTS " + dbName2 + " CASCADE");
	statement.execute("CREATE DATABASE " + dbName1);
	statement.execute("CREATE DATABASE " + dbName2);
	statement.execute("DROP TABLE IF EXISTS " + dbName2 + "." + tableName1);
	statement.execute("create table " + dbName2 + "." + tableName1
	+ " (under_col int comment 'the under column', value string)");
	statement.close();
	connection.close();

	// a
	connection = context.createConnection("user1", "foo");
	statement = context.createStatement(connection);
	statement.execute("DROP TABLE IF EXISTS " + dbName1 + "." + tableName1);
	statement.execute("create table " + dbName1 + "." + tableName1
	+ " (under_col int comment 'the under column', value string)");
	statement.execute("LOAD DATA INPATH 'file://" + dataDir.getPath()
	+ "' INTO TABLE " + dbName1 + "." + tableName1);

	editor.addPolicy("insert_proddb_tbl1 = server=server1->db=proddb->table=tb_1->action=insert", "roles");
	statement.execute("INSERT OVERWRITE TABLE "
	+ dbName2 + "." + tableName1 + " SELECT * FROM " + dbName1
	+ "." + tableName1);

	// b
	editor.addPolicy("select_proddb_tbl1 = server=server1->db=proddb->table=tb_1->action=select", "roles");
	assertTrue("user1 should be able to select data from "
	+ dbName2 + "." + dbName2 + "." + tableName1, statement.execute("SELECT * FROM "
	+ dbName2 + "." + tableName1 + " LIMIT 10"));
	assertTrue("user1 should be able to describe table " + dbName2 + "." + tableName1,
	statement.execute("DESCRIBE " + dbName2 + "." + tableName1));

	// c
	connection = context.createConnection("user2", "foo");
	statement = context.createStatement(connection);

	context.assertAuthzException(statement, "INSERT OVERWRITE TABLE "
	+ dbName2 + "." + tableName1 + " SELECT * FROM " + dbName1
	+ "." + tableName1);

	context.assertAuthzException(statement, "SELECT * FROM "
	+ dbName2 + "." + tableName1 + " LIMIT 10");
	statement.close();
	connection.close();

	// d
	connection = context.createConnection("user1", "foo");
	statement = context.createStatement(connection);
	statement.execute("USE " + dbName2);
	context.assertAuthzException(statement, "DROP TABLE " + tableName1);
	statement.close();
	connection.close();
	}
	}