sentry-tests/src/test/java/org/apache/sentry/tests/e2e/TestPrivilegesAtFunctionScope.java - incubator-sentry - Git at Google

 /*
 printf_test_3 * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package org.apache.sentry.tests.e2e;

 import static org.junit.Assert.assertFalse;

 import java.io.File;
 import java.io.FileOutputStream;
 import java.sql.Connection;
 import java.sql.SQLException;
 import java.sql.Statement;

 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;

 import com.google.common.io.Resources;

 public class TestPrivilegesAtFunctionScope extends AbstractTestWithStaticLocalFS {
   private Context context;
   private final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";
   private File dataDir;
   private File dataFile;

   @Before
   public void setup() throws Exception {
     context = createContext();
     dataDir = context.getDataDir();
     dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
     FileOutputStream to = new FileOutputStream(dataFile);
     Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
     to.close();
   }

   @After
   public void tearDown() throws Exception {
     if (context != null) {
       context.close();
     }
   }

   /**
    * admin should be able to create/drop temp functions
    * user with db level access should be able to create/drop temp functions
    * user with table level access should be able to create/drop temp functions
    * user with no privilege should NOT be able to create/drop temp functions
    */
   @Test
   public void testFuncPrivileges1() throws Exception {
     String dbName1 = "db_1";
     String tableName1 = "tb_1";
     // edit policy file
     File policyFile = context.getPolicyFile();
     PolicyFileEditor editor = new PolicyFileEditor(policyFile);
     editor.addPolicy("admin = admin", "groups");
     editor.addPolicy("group1 = db1_all,UDF_JAR", "groups");
     editor.addPolicy("group2 = db1_tab1,UDF_JAR", "groups");
     editor.addPolicy("group3 = db1_tab1", "groups");
     editor.addPolicy("admin = server=server1", "roles");
     editor.addPolicy("db1_all = server=server1->db=" + dbName1, "roles");
     editor.addPolicy("db1_tab1 = server=server1->db=" + dbName1 + "->table=" + tableName1, "roles");
     editor.addPolicy("UDF_JAR = server=server1->uri=file://${user.home}/.m2", "roles");
     editor.addPolicy("admin1 = admin", "users");
     editor.addPolicy("user1 = group1", "users");
     editor.addPolicy("user2 = group2", "users");
     editor.addPolicy("user3 = group3", "users");

     Connection connection = context.createConnection("admin1", "foo");
     Statement statement = context.createStatement(connection);
     statement.execute("DROP DATABASE IF EXISTS " + dbName1 + " CASCADE");
     statement.execute("CREATE DATABASE " + dbName1);
     statement.execute("USE " + dbName1);
     statement.execute("DROP TABLE IF EXISTS " + dbName1 + "." + tableName1);
     statement.execute("create table " + dbName1 + "." + tableName1
         + " (under_col int comment 'the under column', value string)");
     statement.execute("LOAD DATA INPATH '" + dataFile.getPath() + "' INTO TABLE "
         + dbName1 + "." + tableName1);
     statement.execute("DROP TEMPORARY FUNCTION IF EXISTS printf_test");
     statement.execute("DROP TEMPORARY FUNCTION IF EXISTS printf_test_2");
     context.close();

     // user1 should be able create/drop temp functions
     connection = context.createConnection("user1", "foo");
     statement = context.createStatement(connection);
     statement.execute("USE " + dbName1);
     statement.execute(
         "CREATE TEMPORARY FUNCTION printf_test AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
     statement.execute("DROP TEMPORARY FUNCTION printf_test");
     context.close();

     // user2 has select privilege on one of the tables in db2, should be able create/drop temp functions
     connection = context.createConnection("user2", "foo");
     statement = context.createStatement(connection);
     statement.execute("USE " + dbName1);
     statement.execute(
         "CREATE TEMPORARY FUNCTION printf_test_2 AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
     statement.execute("DROP TEMPORARY FUNCTION printf_test");
     context.close();

     // user3 shouldn't be able to create/drop temp functions since it doesn't have permission for jar
     connection = context.createConnection("user3", "foo");
     statement = context.createStatement(connection);
     try {
       statement.execute("USE " + dbName1);
       statement.execute(
       "CREATE TEMPORARY FUNCTION printf_test_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
       assertFalse("CREATE TEMPORARY FUNCTION should fail for user3", true);
     } catch (SQLException e) {
       context.verifyAuthzException(e);
     }
     context.close();

     // user4 (not part of any group ) shouldn't be able to create/drop temp functions
     connection = context.createConnection("user4", "foo");
     statement = context.createStatement(connection);
     try {
       statement.execute("USE default");
       statement.execute(
       "CREATE TEMPORARY FUNCTION printf_test_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
       assertFalse("CREATE TEMPORARY FUNCTION should fail for user4", true);
     } catch (SQLException e) {
       context.verifyAuthzException(e);
     }
     context.close();

   }

   @Test
   public void testUdfWhiteList () throws Exception {
     String dbName1 = "db1";
     String tableName1 = "tab1";

     File policyFile = context.getPolicyFile();
     PolicyFileEditor editor = new PolicyFileEditor(policyFile);
     editor.addPolicy("admin = admin", "groups");
     editor.addPolicy("group1 = db1_all,UDF_JAR", "groups");
     editor.addPolicy("group2 = db1_tab1,UDF_JAR", "groups");
     editor.addPolicy("group3 = db1_tab1", "groups");
     editor.addPolicy("admin = server=server1", "roles");
     editor.addPolicy("db1_all = server=server1->db=" + dbName1, "roles");
     editor.addPolicy("db1_tab1 = server=server1->db=" + dbName1 + "->table=" + tableName1, "roles");
     editor.addPolicy("UDF_JAR = server=server1->uri=file://${user.home}/.m2", "roles");
     editor.addPolicy("admin1 = admin", "users");
     editor.addPolicy("user1 = group1", "users");

     Connection connection = context.createConnection("admin1", "password");
     Statement statement = connection.createStatement();
     statement.execute("DROP DATABASE IF EXISTS " + dbName1 + " CASCADE");
     statement.execute("CREATE DATABASE " + dbName1);
     statement.execute("USE " + dbName1);
     statement.execute("create table " + tableName1
         + " (under_col int comment 'the under column', value string)");
     statement.execute("LOAD DATA INPATH '" + dataFile.getPath() + "' INTO TABLE "
         + dbName1 + "." + tableName1);
     statement.execute("SELECT rand(), concat(value, '_foo') FROM " + tableName1);

     context.assertAuthzException(statement,
         "SELECT  reflect('java.net.URLDecoder', 'decode', 'http://www.apache.org', 'utf-8'), value FROM " + tableName1);
     context.assertAuthzException(statement,
         "SELECT  java_method('java.net.URLDecoder', 'decode', 'http://www.apache.org', 'utf-8'), value FROM " + tableName1);
     statement.close();
     connection.close();
   }
 }
	/*
	printf_test_3 * Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package org.apache.sentry.tests.e2e;

	import static org.junit.Assert.assertFalse;

	import java.io.File;
	import java.io.FileOutputStream;
	import java.sql.Connection;
	import java.sql.SQLException;
	import java.sql.Statement;

	import org.junit.After;
	import org.junit.Before;
	import org.junit.Test;

	import com.google.common.io.Resources;

	public class TestPrivilegesAtFunctionScope extends AbstractTestWithStaticLocalFS {
	private Context context;
	private final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";
	private File dataDir;
	private File dataFile;

	@Before
	public void setup() throws Exception {
	context = createContext();
	dataDir = context.getDataDir();
	dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
	FileOutputStream to = new FileOutputStream(dataFile);
	Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
	to.close();
	}

	@After
	public void tearDown() throws Exception {
	if (context != null) {
	context.close();
	}
	}

	/**
	* admin should be able to create/drop temp functions
	* user with db level access should be able to create/drop temp functions
	* user with table level access should be able to create/drop temp functions
	* user with no privilege should NOT be able to create/drop temp functions
	*/
	@Test
	public void testFuncPrivileges1() throws Exception {
	String dbName1 = "db_1";
	String tableName1 = "tb_1";
	// edit policy file
	File policyFile = context.getPolicyFile();
	PolicyFileEditor editor = new PolicyFileEditor(policyFile);
	editor.addPolicy("admin = admin", "groups");
	editor.addPolicy("group1 = db1_all,UDF_JAR", "groups");
	editor.addPolicy("group2 = db1_tab1,UDF_JAR", "groups");
	editor.addPolicy("group3 = db1_tab1", "groups");
	editor.addPolicy("admin = server=server1", "roles");
	editor.addPolicy("db1_all = server=server1->db=" + dbName1, "roles");
	editor.addPolicy("db1_tab1 = server=server1->db=" + dbName1 + "->table=" + tableName1, "roles");
	editor.addPolicy("UDF_JAR = server=server1->uri=file://${user.home}/.m2", "roles");
	editor.addPolicy("admin1 = admin", "users");
	editor.addPolicy("user1 = group1", "users");
	editor.addPolicy("user2 = group2", "users");
	editor.addPolicy("user3 = group3", "users");

	Connection connection = context.createConnection("admin1", "foo");
	Statement statement = context.createStatement(connection);
	statement.execute("DROP DATABASE IF EXISTS " + dbName1 + " CASCADE");
	statement.execute("CREATE DATABASE " + dbName1);
	statement.execute("USE " + dbName1);
	statement.execute("DROP TABLE IF EXISTS " + dbName1 + "." + tableName1);
	statement.execute("create table " + dbName1 + "." + tableName1
	+ " (under_col int comment 'the under column', value string)");
	statement.execute("LOAD DATA INPATH '" + dataFile.getPath() + "' INTO TABLE "
	+ dbName1 + "." + tableName1);
	statement.execute("DROP TEMPORARY FUNCTION IF EXISTS printf_test");
	statement.execute("DROP TEMPORARY FUNCTION IF EXISTS printf_test_2");
	context.close();

	// user1 should be able create/drop temp functions
	connection = context.createConnection("user1", "foo");
	statement = context.createStatement(connection);
	statement.execute("USE " + dbName1);
	statement.execute(
	"CREATE TEMPORARY FUNCTION printf_test AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
	statement.execute("DROP TEMPORARY FUNCTION printf_test");
	context.close();

	// user2 has select privilege on one of the tables in db2, should be able create/drop temp functions
	connection = context.createConnection("user2", "foo");
	statement = context.createStatement(connection);
	statement.execute("USE " + dbName1);
	statement.execute(
	"CREATE TEMPORARY FUNCTION printf_test_2 AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
	statement.execute("DROP TEMPORARY FUNCTION printf_test");
	context.close();

	// user3 shouldn't be able to create/drop temp functions since it doesn't have permission for jar
	connection = context.createConnection("user3", "foo");
	statement = context.createStatement(connection);
	try {
	statement.execute("USE " + dbName1);
	statement.execute(
	"CREATE TEMPORARY FUNCTION printf_test_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
	assertFalse("CREATE TEMPORARY FUNCTION should fail for user3", true);
	} catch (SQLException e) {
	context.verifyAuthzException(e);
	}
	context.close();

	// user4 (not part of any group ) shouldn't be able to create/drop temp functions
	connection = context.createConnection("user4", "foo");
	statement = context.createStatement(connection);
	try {
	statement.execute("USE default");
	statement.execute(
	"CREATE TEMPORARY FUNCTION printf_test_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
	assertFalse("CREATE TEMPORARY FUNCTION should fail for user4", true);
	} catch (SQLException e) {
	context.verifyAuthzException(e);
	}
	context.close();

	}

	@Test
	public void testUdfWhiteList () throws Exception {
	String dbName1 = "db1";
	String tableName1 = "tab1";

	File policyFile = context.getPolicyFile();
	PolicyFileEditor editor = new PolicyFileEditor(policyFile);
	editor.addPolicy("admin = admin", "groups");
	editor.addPolicy("group1 = db1_all,UDF_JAR", "groups");
	editor.addPolicy("group2 = db1_tab1,UDF_JAR", "groups");
	editor.addPolicy("group3 = db1_tab1", "groups");
	editor.addPolicy("admin = server=server1", "roles");
	editor.addPolicy("db1_all = server=server1->db=" + dbName1, "roles");
	editor.addPolicy("db1_tab1 = server=server1->db=" + dbName1 + "->table=" + tableName1, "roles");
	editor.addPolicy("UDF_JAR = server=server1->uri=file://${user.home}/.m2", "roles");
	editor.addPolicy("admin1 = admin", "users");
	editor.addPolicy("user1 = group1", "users");

	Connection connection = context.createConnection("admin1", "password");
	Statement statement = connection.createStatement();
	statement.execute("DROP DATABASE IF EXISTS " + dbName1 + " CASCADE");
	statement.execute("CREATE DATABASE " + dbName1);
	statement.execute("USE " + dbName1);
	statement.execute("create table " + tableName1
	+ " (under_col int comment 'the under column', value string)");
	statement.execute("LOAD DATA INPATH '" + dataFile.getPath() + "' INTO TABLE "
	+ dbName1 + "." + tableName1);
	statement.execute("SELECT rand(), concat(value, '_foo') FROM " + tableName1);

	context.assertAuthzException(statement,
	"SELECT reflect('java.net.URLDecoder', 'decode', 'http://www.apache.org', 'utf-8'), value FROM " + tableName1);
	context.assertAuthzException(statement,
	"SELECT java_method('java.net.URLDecoder', 'decode', 'http://www.apache.org', 'utf-8'), value FROM " + tableName1);
	statement.close();
	connection.close();
	}
	}