sentry-tests/src/test/java/org/apache/sentry/tests/e2e/TestUriPermissions.java - incubator-sentry - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.sentry.tests.e2e;

 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.Statement;

 import junit.framework.Assert;

 import org.apache.sentry.tests.e2e.hiveserver.HiveServerFactory;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;

 public class TestUriPermissions extends AbstractTestWithStaticLocalFS {
   private Context context;
   private static final String dataFile = "/kv1.dat";
   private String dataFilePath = this.getClass().getResource(dataFile).getFile();

   @Before
   public void setup() throws Exception {
     context = createContext();
   }

   @After
   public void tearDown() throws Exception {
     if (context != null) {
       context.close();
     }
   }

   // test load data into table
   @Test
   public void testLoadPrivileges() throws Exception {
     String dbName = "db1";
     String tabName = "tab1";
     Connection userConn = null;
     Statement userStmt = null;

     String testPolicies[] = {
         "[groups]",
         "admin_group = admin_role",
         "user_group1  = db1_read, db1_write, data_read",
         "user_group2  = db1_write",
         "[roles]",
         "db1_write = server=server1->db=" + dbName + "->table=" + tabName + "->action=INSERT",
         "db1_read = server=server1->db=" + dbName + "->table=" + tabName + "->action=SELECT",
         // role below has duplicate privilege for ACCESS-178
         "data_read = server=server1->URI=file://" + dataFilePath + ", server=server1->URI=file://" + dataFilePath,
         "admin_role = server=server1",
         "[users]",
         "user1 = user_group1",
         "user2 = user_group2",
         "admin = admin_group"
         };
     context.makeNewPolicy(testPolicies);

     // create dbs
     Connection adminCon = context.createConnection("admin", "foo");
     Statement adminStmt = context.createStatement(adminCon);
     adminStmt.execute("use default");
     adminStmt.execute("DROP DATABASE IF EXISTS " + dbName + " CASCADE");
     adminStmt.execute("CREATE DATABASE " + dbName);
     adminStmt.execute("use " + dbName);
     adminStmt.execute("CREATE TABLE " + tabName + "(id int)");
     context.close();

     // positive test, user1 has access to file being loaded
     userConn = context.createConnection("user1", "foo");
     userStmt = context.createStatement(userConn);
     userStmt.execute("use " + dbName);
     userStmt.execute("load data local inpath '" + dataFilePath +
         "' into table " + tabName);
     userStmt.execute("select * from " + tabName + " limit 1");
     ResultSet res = userStmt.getResultSet();
     Assert.assertTrue("Table should have data after load", res.next());
     res.close();
     context.close();

     // Negative test, user2 doesn't have access to the file being loaded
     userConn = context.createConnection("user2", "foo");
     userStmt = context.createStatement(userConn);
     userStmt.execute("use " + dbName);
     context.assertAuthzException(userStmt, "load data local inpath '" + dataFilePath +
         "' into table " + tabName);
     userStmt.close();
     userConn.close();
   }

   // Test alter partition location
   @Test
   public void testAlterPartitionLocationPrivileges() throws Exception {
     String dbName = "db1";
     String tabName = "tab1";
     String newPartitionDir = "foo";
     String tabDir = "file://" + hiveServer.getProperty(HiveServerFactory.WAREHOUSE_DIR) +
       "/" + tabName + "/" + newPartitionDir;
     Connection userConn = null;
     Statement userStmt = null;

     String testPolicies[] = {
         "[groups]",
         "admin_group = admin_role",
         "user_group1  = db1_all, data_read",
         "user_group2  = db1_all",
         "user_group3  = db1_tab1_all, data_read",
         "[roles]",
         "db1_all = server=server1->db=" + dbName,
         "db1_tab1_all = server=server1->db=" + dbName + "->table=" + tabName,
         "data_read = server=server1->URI=" + tabDir,
         "admin_role = server=server1",
         "[users]",
         "user1 = user_group1",
         "user2 = user_group2",
         "user3 = user_group3",
         "admin = admin_group"
         };
     context.makeNewPolicy(testPolicies);

     // create dbs
     Connection adminCon = context.createConnection("admin", "foo");
     Statement adminStmt = context.createStatement(adminCon);
     adminStmt.execute("use default");
     adminStmt.execute("DROP DATABASE IF EXISTS " + dbName + " CASCADE");
     adminStmt.execute("CREATE DATABASE " + dbName);
     adminStmt.execute("use " + dbName);
     adminStmt.execute("CREATE TABLE " + tabName + " (id int) PARTITIONED BY (dt string)");
     adminCon.close();

     // positive test: user1 has privilege to alter table add partition but not set location
     userConn = context.createConnection("user1", "foo");
     userStmt = context.createStatement(userConn);
     userStmt.execute("use " + dbName);
     userStmt.execute("ALTER TABLE " + tabName + " ADD PARTITION (dt = '21-Dec-2012') " +
             " LOCATION '" + tabDir + "'");
     // negative test user1 cannot alter partition location
     context.assertAuthzException(userStmt,
         "ALTER TABLE " + tabName + " PARTITION (dt = '21-Dec-2012') " + " SET LOCATION '" + tabDir + "'");
     userConn.close();

     // negative test: user2 doesn't have privilege to alter table add partition
     userConn = context.createConnection("user2", "foo");
     userStmt = context.createStatement(userConn);
     userStmt.execute("use " + dbName);
     context.assertAuthzException(userStmt,
         "ALTER TABLE " + tabName + " ADD PARTITION (dt = '22-Dec-2012') " +
           " LOCATION '" + tabDir + "/foo'");
     // positive test, user2 can alter managed partitions
     userStmt.execute("ALTER TABLE " + tabName + " ADD PARTITION (dt = '22-Dec-2012')");
     userStmt.execute("ALTER TABLE " + tabName + " DROP PARTITION (dt = '22-Dec-2012')");
     userConn.close();

     // negative test: user3 doesn't have privilege to add/drop partitions
     userConn = context.createConnection("user3", "foo");
     userStmt = context.createStatement(userConn);
     userStmt.execute("use " + dbName);
     context.assertAuthzException(userStmt,
         "ALTER TABLE " + tabName + " ADD PARTITION (dt = '22-Dec-2012') " +
           " LOCATION '" + tabDir + "/foo'");
     context.assertAuthzException(userStmt,
         "ALTER TABLE " + tabName + " DROP PARTITION (dt = '21-Dec-2012')");
     userConn.close();

     // positive test: user1 has privilege to alter drop partition
     userConn = context.createConnection("user1", "foo");
     userStmt = context.createStatement(userConn);
     userStmt.execute("use " + dbName);
     userStmt.execute("ALTER TABLE " + tabName + " DROP PARTITION (dt = '21-Dec-2012')");
     userStmt.close();
     userConn.close();
   }

   // test alter table set location
   @Test
   public void testAlterTableLocationPrivileges() throws Exception {
     String dbName = "db1";
     String tabName = "tab1";
     String tabDir = "file://" + hiveServer.getProperty(HiveServerFactory.WAREHOUSE_DIR) + "/" + tabName;
     Connection userConn = null;
     Statement userStmt = null;

     String testPolicies[] = {
         "[groups]",
         "admin_group = admin_role",
         "user_group1  = server1_all",
         "user_group2  = db1_all, data_read",
         "[roles]",
         "db1_all = server=server1->db=" + dbName,
         "data_read = server=server1->URI=" + tabDir,
         "admin_role = server=server1",
         "server1_all = server=server1",
         "[users]",
         "user1 = user_group1",
         "user2 = user_group2",
         "admin = admin_group"
         };
     context.makeNewPolicy(testPolicies);

     // create dbs
     Connection adminCon = context.createConnection("admin", "foo");
     Statement adminStmt = context.createStatement(adminCon);
     adminStmt.execute("use default");
     adminStmt.execute("DROP DATABASE IF EXISTS " + dbName + " CASCADE");
     adminStmt.execute("CREATE DATABASE " + dbName);
     adminStmt.execute("use " + dbName);
     adminStmt.execute("CREATE TABLE " + tabName + " (id int)  PARTITIONED BY (dt string)");
     adminCon.close();

     // negative test: user2 doesn't have privilege to alter table set partition
     userConn = context.createConnection("user2", "foo");
     userStmt = context.createStatement(userConn);
     userStmt.execute("use " + dbName);
     context.assertAuthzException(userStmt,
         "ALTER TABLE " + tabName + " SET LOCATION '" + tabDir +  "'");
     userConn.close();

     // positive test: user1 has privilege to alter table set partition
     userConn = context.createConnection("user1", "foo");
     userStmt = context.createStatement(userConn);
     userStmt.execute("use " + dbName);
     userStmt.execute("ALTER TABLE " + tabName + " SET LOCATION '" + tabDir + "'");
     userConn.close();
   }

   // Test external table
   @Test
   public void testExternalTablePrivileges() throws Exception {
     String dbName = "db1";
     Connection userConn = null;
     Statement userStmt = null;
     String tableDir = "file://" + context.getDataDir();
     String testPolicies[] = {
         "[groups]",
         "admin_group = admin_role",
         "user_group1  = db1_all, data_read",
         "user_group2  = db1_all",
         "[roles]",
         "db1_all = server=server1->db=" + dbName,
         "data_read = server=server1->URI=" + tableDir,
         "admin_role = server=server1",
         "[users]",
         "user1 = user_group1",
         "user2 = user_group2",
         "admin = admin_group"
         };
     context.makeNewPolicy(testPolicies);

     // create dbs
     Connection adminCon = context.createConnection("admin", "foo");
     Statement adminStmt = context.createStatement(adminCon);
     adminStmt.execute("use default");
     adminStmt.execute("DROP DATABASE IF EXISTS " + dbName + " CASCADE");
     adminStmt.execute("CREATE DATABASE " + dbName);
     adminStmt.close();
     adminCon.close();

     // negative test: user2 doesn't have privilege to create external table in given path
     userConn = context.createConnection("user2", "foo");
     userStmt = context.createStatement(userConn);
     userStmt.execute("use " + dbName);
     context.assertAuthzException(userStmt,
         "CREATE EXTERNAL TABLE extab1(id INT) LOCATION '" + tableDir + "'");
     context.assertAuthzException(userStmt, "CREATE TABLE extab1(id INT) LOCATION '" + tableDir + "'");
     userStmt.close();
     userConn.close();

     // positive test: user1 has privilege to create external table in given path
     userConn = context.createConnection("user1", "foo");
     userStmt = context.createStatement(userConn);
     userStmt.execute("use " + dbName);
     userStmt.execute("CREATE EXTERNAL TABLE extab1(id INT) LOCATION '" + tableDir + "'");
     userStmt.execute("DROP TABLE extab1");
     userStmt.execute("CREATE TABLE extab1(id INT) LOCATION '" + tableDir + "'");
     userStmt.close();
     userConn.close();
   }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.sentry.tests.e2e;

	import java.sql.Connection;
	import java.sql.ResultSet;
	import java.sql.Statement;

	import junit.framework.Assert;

	import org.apache.sentry.tests.e2e.hiveserver.HiveServerFactory;
	import org.junit.After;
	import org.junit.Before;
	import org.junit.Test;

	public class TestUriPermissions extends AbstractTestWithStaticLocalFS {
	private Context context;
	private static final String dataFile = "/kv1.dat";
	private String dataFilePath = this.getClass().getResource(dataFile).getFile();

	@Before
	public void setup() throws Exception {
	context = createContext();
	}

	@After
	public void tearDown() throws Exception {
	if (context != null) {
	context.close();
	}
	}

	// test load data into table
	@Test
	public void testLoadPrivileges() throws Exception {
	String dbName = "db1";
	String tabName = "tab1";
	Connection userConn = null;
	Statement userStmt = null;

	String testPolicies[] = {
	"[groups]",
	"admin_group = admin_role",
	"user_group1 = db1_read, db1_write, data_read",
	"user_group2 = db1_write",
	"[roles]",
	"db1_write = server=server1->db=" + dbName + "->table=" + tabName + "->action=INSERT",
	"db1_read = server=server1->db=" + dbName + "->table=" + tabName + "->action=SELECT",
	// role below has duplicate privilege for ACCESS-178
	"data_read = server=server1->URI=file://" + dataFilePath + ", server=server1->URI=file://" + dataFilePath,
	"admin_role = server=server1",
	"[users]",
	"user1 = user_group1",
	"user2 = user_group2",
	"admin = admin_group"
	};
	context.makeNewPolicy(testPolicies);

	// create dbs
	Connection adminCon = context.createConnection("admin", "foo");
	Statement adminStmt = context.createStatement(adminCon);
	adminStmt.execute("use default");
	adminStmt.execute("DROP DATABASE IF EXISTS " + dbName + " CASCADE");
	adminStmt.execute("CREATE DATABASE " + dbName);
	adminStmt.execute("use " + dbName);
	adminStmt.execute("CREATE TABLE " + tabName + "(id int)");
	context.close();

	// positive test, user1 has access to file being loaded
	userConn = context.createConnection("user1", "foo");
	userStmt = context.createStatement(userConn);
	userStmt.execute("use " + dbName);
	userStmt.execute("load data local inpath '" + dataFilePath +
	"' into table " + tabName);
	userStmt.execute("select * from " + tabName + " limit 1");
	ResultSet res = userStmt.getResultSet();
	Assert.assertTrue("Table should have data after load", res.next());
	res.close();
	context.close();

	// Negative test, user2 doesn't have access to the file being loaded
	userConn = context.createConnection("user2", "foo");
	userStmt = context.createStatement(userConn);
	userStmt.execute("use " + dbName);
	context.assertAuthzException(userStmt, "load data local inpath '" + dataFilePath +
	"' into table " + tabName);
	userStmt.close();
	userConn.close();
	}

	// Test alter partition location
	@Test
	public void testAlterPartitionLocationPrivileges() throws Exception {
	String dbName = "db1";
	String tabName = "tab1";
	String newPartitionDir = "foo";
	String tabDir = "file://" + hiveServer.getProperty(HiveServerFactory.WAREHOUSE_DIR) +
	"/" + tabName + "/" + newPartitionDir;
	Connection userConn = null;
	Statement userStmt = null;

	String testPolicies[] = {
	"[groups]",
	"admin_group = admin_role",
	"user_group1 = db1_all, data_read",
	"user_group2 = db1_all",
	"user_group3 = db1_tab1_all, data_read",
	"[roles]",
	"db1_all = server=server1->db=" + dbName,
	"db1_tab1_all = server=server1->db=" + dbName + "->table=" + tabName,
	"data_read = server=server1->URI=" + tabDir,
	"admin_role = server=server1",
	"[users]",
	"user1 = user_group1",
	"user2 = user_group2",
	"user3 = user_group3",
	"admin = admin_group"
	};
	context.makeNewPolicy(testPolicies);

	// create dbs
	Connection adminCon = context.createConnection("admin", "foo");
	Statement adminStmt = context.createStatement(adminCon);
	adminStmt.execute("use default");
	adminStmt.execute("DROP DATABASE IF EXISTS " + dbName + " CASCADE");
	adminStmt.execute("CREATE DATABASE " + dbName);
	adminStmt.execute("use " + dbName);
	adminStmt.execute("CREATE TABLE " + tabName + " (id int) PARTITIONED BY (dt string)");
	adminCon.close();

	// positive test: user1 has privilege to alter table add partition but not set location
	userConn = context.createConnection("user1", "foo");
	userStmt = context.createStatement(userConn);
	userStmt.execute("use " + dbName);
	userStmt.execute("ALTER TABLE " + tabName + " ADD PARTITION (dt = '21-Dec-2012') " +
	" LOCATION '" + tabDir + "'");
	// negative test user1 cannot alter partition location
	context.assertAuthzException(userStmt,
	"ALTER TABLE " + tabName + " PARTITION (dt = '21-Dec-2012') " + " SET LOCATION '" + tabDir + "'");
	userConn.close();

	// negative test: user2 doesn't have privilege to alter table add partition
	userConn = context.createConnection("user2", "foo");
	userStmt = context.createStatement(userConn);
	userStmt.execute("use " + dbName);
	context.assertAuthzException(userStmt,
	"ALTER TABLE " + tabName + " ADD PARTITION (dt = '22-Dec-2012') " +
	" LOCATION '" + tabDir + "/foo'");
	// positive test, user2 can alter managed partitions
	userStmt.execute("ALTER TABLE " + tabName + " ADD PARTITION (dt = '22-Dec-2012')");
	userStmt.execute("ALTER TABLE " + tabName + " DROP PARTITION (dt = '22-Dec-2012')");
	userConn.close();

	// negative test: user3 doesn't have privilege to add/drop partitions
	userConn = context.createConnection("user3", "foo");
	userStmt = context.createStatement(userConn);
	userStmt.execute("use " + dbName);
	context.assertAuthzException(userStmt,
	"ALTER TABLE " + tabName + " ADD PARTITION (dt = '22-Dec-2012') " +
	" LOCATION '" + tabDir + "/foo'");
	context.assertAuthzException(userStmt,
	"ALTER TABLE " + tabName + " DROP PARTITION (dt = '21-Dec-2012')");
	userConn.close();

	// positive test: user1 has privilege to alter drop partition
	userConn = context.createConnection("user1", "foo");
	userStmt = context.createStatement(userConn);
	userStmt.execute("use " + dbName);
	userStmt.execute("ALTER TABLE " + tabName + " DROP PARTITION (dt = '21-Dec-2012')");
	userStmt.close();
	userConn.close();
	}

	// test alter table set location
	@Test
	public void testAlterTableLocationPrivileges() throws Exception {
	String dbName = "db1";
	String tabName = "tab1";
	String tabDir = "file://" + hiveServer.getProperty(HiveServerFactory.WAREHOUSE_DIR) + "/" + tabName;
	Connection userConn = null;
	Statement userStmt = null;

	String testPolicies[] = {
	"[groups]",
	"admin_group = admin_role",
	"user_group1 = server1_all",
	"user_group2 = db1_all, data_read",
	"[roles]",
	"db1_all = server=server1->db=" + dbName,
	"data_read = server=server1->URI=" + tabDir,
	"admin_role = server=server1",
	"server1_all = server=server1",
	"[users]",
	"user1 = user_group1",
	"user2 = user_group2",
	"admin = admin_group"
	};
	context.makeNewPolicy(testPolicies);

	// create dbs
	Connection adminCon = context.createConnection("admin", "foo");
	Statement adminStmt = context.createStatement(adminCon);
	adminStmt.execute("use default");
	adminStmt.execute("DROP DATABASE IF EXISTS " + dbName + " CASCADE");
	adminStmt.execute("CREATE DATABASE " + dbName);
	adminStmt.execute("use " + dbName);
	adminStmt.execute("CREATE TABLE " + tabName + " (id int) PARTITIONED BY (dt string)");
	adminCon.close();

	// negative test: user2 doesn't have privilege to alter table set partition
	userConn = context.createConnection("user2", "foo");
	userStmt = context.createStatement(userConn);
	userStmt.execute("use " + dbName);
	context.assertAuthzException(userStmt,
	"ALTER TABLE " + tabName + " SET LOCATION '" + tabDir + "'");
	userConn.close();

	// positive test: user1 has privilege to alter table set partition
	userConn = context.createConnection("user1", "foo");
	userStmt = context.createStatement(userConn);
	userStmt.execute("use " + dbName);
	userStmt.execute("ALTER TABLE " + tabName + " SET LOCATION '" + tabDir + "'");
	userConn.close();
	}

	// Test external table
	@Test
	public void testExternalTablePrivileges() throws Exception {
	String dbName = "db1";
	Connection userConn = null;
	Statement userStmt = null;
	String tableDir = "file://" + context.getDataDir();
	String testPolicies[] = {
	"[groups]",
	"admin_group = admin_role",
	"user_group1 = db1_all, data_read",
	"user_group2 = db1_all",
	"[roles]",
	"db1_all = server=server1->db=" + dbName,
	"data_read = server=server1->URI=" + tableDir,
	"admin_role = server=server1",
	"[users]",
	"user1 = user_group1",
	"user2 = user_group2",
	"admin = admin_group"
	};
	context.makeNewPolicy(testPolicies);

	// create dbs
	Connection adminCon = context.createConnection("admin", "foo");
	Statement adminStmt = context.createStatement(adminCon);
	adminStmt.execute("use default");
	adminStmt.execute("DROP DATABASE IF EXISTS " + dbName + " CASCADE");
	adminStmt.execute("CREATE DATABASE " + dbName);
	adminStmt.close();
	adminCon.close();

	// negative test: user2 doesn't have privilege to create external table in given path
	userConn = context.createConnection("user2", "foo");
	userStmt = context.createStatement(userConn);
	userStmt.execute("use " + dbName);
	context.assertAuthzException(userStmt,
	"CREATE EXTERNAL TABLE extab1(id INT) LOCATION '" + tableDir + "'");
	context.assertAuthzException(userStmt, "CREATE TABLE extab1(id INT) LOCATION '" + tableDir + "'");
	userStmt.close();
	userConn.close();

	// positive test: user1 has privilege to create external table in given path
	userConn = context.createConnection("user1", "foo");
	userStmt = context.createStatement(userConn);
	userStmt.execute("use " + dbName);
	userStmt.execute("CREATE EXTERNAL TABLE extab1(id INT) LOCATION '" + tableDir + "'");
	userStmt.execute("DROP TABLE extab1");
	userStmt.execute("CREATE TABLE extab1(id INT) LOCATION '" + tableDir + "'");
	userStmt.close();
	userConn.close();
	}

	}