/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hive.ql.security;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.hive.metastore.IMetaStoreClient;
import org.apache.hadoop.hive.metastore.TableType;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.FieldSchema;
import org.apache.hadoop.hive.metastore.api.SerDeInfo;
import org.apache.hadoop.hive.metastore.api.StorageDescriptor;
import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
import org.apache.hadoop.hive.ql.metadata.Hive;
import org.apache.hadoop.hive.ql.security.authorization.HDFSPermissionPolicyProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs;
import org.junit.BeforeClass;
import org.junit.Test;
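/**
 * Tests {@link HDFSPermissionPolicyProvider}: given the owner, group and mode bits of a
 * table or database directory on a mini HDFS cluster, checks which users and groups
 * appear in the {@link HiveResourceACLs} reported for the matching Hive object.
 *
 * <p>As asserted below, the directory owner is expected under user permissions, the
 * directory group under group permissions, and the "other" bits under a group named
 * {@code public}.
 *
 * <p>NOTE(review): only principal names are asserted. The privileges attached to each
 * principal are never inspected, and every mode used here except 777 sets read bits only,
 * so a regression that grants more than read for a read-only directory would not be
 * caught by this class.
 */
public class TestHDFSPermissionPolicyProvider {
  // NOTE(review): nothing in this class shuts the cluster down; an @AfterClass that calls
  // mDfs.shutdown() would release it once the tests finish.
  private static MiniDFSCluster mDfs;
  private static IMetaStoreClient client;
  private static Configuration conf;
  private static String defaultTbl1Loc, defaultTbl2Loc, db1Loc, db1Tbl1Loc;

  /**
   * Starts a single-datanode mini HDFS cluster, points the metastore warehouse at it and
   * creates {@code default.tbl1}, {@code default.tbl2}, database {@code db1} and
   * {@code db1.tbl1}, each with an explicit location under the warehouse directory.
   *
   * @throws Exception if the cluster or any metastore object cannot be created
   */
  @BeforeClass
  public static void setup() throws Exception {
    mDfs = new MiniDFSCluster.Builder(new Configuration()).numDataNodes(1).format(true).build();
    conf = new Configuration();
    String nameNodeUri = "hdfs://" + mDfs.getNameNode().getHostAndPort();
    conf.set("fs.defaultFS", nameNodeUri);
    String warehouseLocation = nameNodeUri + MetastoreConf.ConfVars.WAREHOUSE.getDefaultVal();
    conf.set(MetastoreConf.ConfVars.WAREHOUSE.getVarname(), warehouseLocation);
    // Test-only metastore settings: auto-create the schema and skip schema verification.
    conf.set(MetastoreConf.ConfVars.AUTO_CREATE_ALL.getVarname(), "true");
    conf.set(MetastoreConf.ConfVars.SCHEMA_VERIFICATION.getVarname(), "false");
    client = Hive.get(conf, TestHDFSPermissionPolicyProvider.class).getMSC();

    // Best-effort cleanup of objects left behind by an earlier run. A failure here is
    // deliberately ignored (the object may simply not exist); a real problem with the
    // metastore will surface in the create calls below.
    try {
      client.dropTable("default", "tbl1");
    } catch (Exception ignored) {
      // nothing to clean up
    }
    try {
      client.dropTable("default", "tbl2");
    } catch (Exception ignored) {
      // nothing to clean up
    }
    try {
      client.dropTable("db1", "tbl1");
    } catch (Exception ignored) {
      // nothing to clean up
    }
    try {
      client.dropDatabase("db1");
    } catch (Exception ignored) {
      // nothing to clean up
    }

    defaultTbl1Loc = warehouseLocation + "/tbl1";
    defaultTbl2Loc = warehouseLocation + "/tbl2";
    db1Loc = warehouseLocation + "/db1";
    db1Tbl1Loc = warehouseLocation + "/db1/tbl1";

    // Divide before narrowing: casting the millisecond value to int first truncates it to
    // 32 bits and yields a meaningless (often negative) timestamp.
    int now = (int) (System.currentTimeMillis() / 1000);

    List<FieldSchema> cols = new ArrayList<>();
    cols.add(new FieldSchema("col1", "int", "no comment"));
    SerDeInfo serde = new SerDeInfo("serde", "seriallib", null);

    createManagedTable("default", "tbl1", defaultTbl1Loc, cols, serde, now);
    createManagedTable("default", "tbl2", defaultTbl2Loc, cols, serde, now);
    Database db = new Database("db1", "no description", db1Loc, new HashMap<String, String>());
    client.createDatabase(db);
    createManagedTable("db1", "tbl1", db1Tbl1Loc, cols, serde, now);
  }

  /** Creates a managed table owned by "foo" at {@code location} through the shared client. */
  private static void createManagedTable(String dbName, String tblName, String location,
      List<FieldSchema> cols, SerDeInfo serde, int createTime) throws Exception {
    StorageDescriptor sd = new StorageDescriptor(cols, location, "input", "output", false, 0,
        serde, null, null, new HashMap<String, String>());
    Table tbl = new Table(tblName, dbName, "foo", createTime, createTime, 0, sd, null,
        new HashMap<String, String>(), null, null, TableType.MANAGED_TABLE.toString());
    client.createTable(tbl);
  }

  /** Asks the provider for the ACLs of table or view {@code dbName.tblName}. */
  private static HiveResourceACLs tableAcls(HDFSPermissionPolicyProvider provider,
      String dbName, String tblName) throws Exception {
    return provider.getResourceACLs(
        new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, dbName, tblName));
  }

  /**
   * Walks one table directory through several modes and checks, for each, which principals
   * the provider reports; then checks a database directory and a table whose directory has
   * been deleted.
   *
   * @throws Exception if a filesystem or provider call fails
   */
  @Test
  public void testPolicyProvider() throws Exception {
    HDFSPermissionPolicyProvider policyProvider = new HDFSPermissionPolicyProvider(conf);
    FileSystem fs = FileSystem.get(conf);
    Path tbl1Dir = new Path(defaultTbl1Loc);
    Path tbl2Dir = new Path(defaultTbl2Loc);
    Path db1Dir = new Path(db1Loc);
    Path db1Tbl1Dir = new Path(db1Tbl1Loc);

    fs.setOwner(tbl1Dir, "user1", "group1");
    fs.setOwner(tbl2Dir, "user1", "group1");
    fs.setOwner(db1Dir, "user1", "group1");
    fs.setOwner(db1Tbl1Dir, "user1", "group1");

    // Owner, group and other can all read.
    fs.setPermission(tbl1Dir, new FsPermission("444")); // r--r--r--
    HiveResourceACLs acls = tableAcls(policyProvider, "default", "tbl1");
    assertEquals(1, acls.getUserPermissions().size());
    assertTrue(acls.getUserPermissions().keySet().contains("user1"));
    assertEquals(2, acls.getGroupPermissions().size());
    assertTrue(acls.getGroupPermissions().keySet().contains("group1"));
    assertTrue(acls.getGroupPermissions().keySet().contains("public"));

    // Other bits cleared: "public" must no longer be listed.
    fs.setPermission(tbl1Dir, new FsPermission("440")); // r--r-----
    acls = tableAcls(policyProvider, "default", "tbl1");
    assertEquals(1, acls.getUserPermissions().size());
    assertEquals("user1", acls.getUserPermissions().keySet().iterator().next());
    assertEquals(1, acls.getGroupPermissions().size());
    assertTrue(acls.getGroupPermissions().keySet().contains("group1"));

    // Group bits cleared: only "public" remains on the group side.
    fs.setPermission(tbl1Dir, new FsPermission("404")); // r-----r--
    acls = tableAcls(policyProvider, "default", "tbl1");
    assertEquals(1, acls.getUserPermissions().size());
    assertTrue(acls.getUserPermissions().keySet().contains("user1"));
    assertEquals(1, acls.getGroupPermissions().size());
    assertTrue(acls.getGroupPermissions().keySet().contains("public"));

    // Owner only: no group entries at all.
    fs.setPermission(tbl1Dir, new FsPermission("400")); // r--------
    acls = tableAcls(policyProvider, "default", "tbl1");
    assertEquals(1, acls.getUserPermissions().size());
    assertTrue(acls.getUserPermissions().keySet().contains("user1"));
    assertEquals(0, acls.getGroupPermissions().size());

    // Other only: the owner has no bits set, so no user entry is expected.
    // NOTE(review): "public" is listed while the owner is not; whether consumers of these
    // ACLs treat "public" as including user1 is not visible from this test.
    fs.setPermission(tbl1Dir, new FsPermission("004")); // ------r--
    fs.setPermission(tbl2Dir, new FsPermission("777")); // rwxrwxrwx
    acls = tableAcls(policyProvider, "default", "tbl1");
    assertEquals(0, acls.getUserPermissions().size());
    assertEquals(1, acls.getGroupPermissions().size());
    assertTrue(acls.getGroupPermissions().keySet().contains("public"));

    // tbl2 is fully open; its ACLs are independent of tbl1's mode.
    acls = tableAcls(policyProvider, "default", "tbl2");
    assertEquals(1, acls.getUserPermissions().size());
    assertTrue(acls.getUserPermissions().keySet().contains("user1"));
    assertEquals(2, acls.getGroupPermissions().size());
    assertTrue(acls.getGroupPermissions().keySet().contains("group1"));
    assertTrue(acls.getGroupPermissions().keySet().contains("public"));

    // Database directory readable by its owner only; the table directory is removed.
    fs.setPermission(db1Dir, new FsPermission("400")); // r--------
    fs.delete(db1Tbl1Dir, true);
    acls = policyProvider.getResourceACLs(
        new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, "db1", null));
    assertEquals(1, acls.getUserPermissions().size());
    assertTrue(acls.getUserPermissions().keySet().contains("user1"));
    assertEquals(0, acls.getGroupPermissions().size());

    // The table's directory no longer exists. The expected result equals the database
    // directory's, which suggests the provider falls back to the parent directory;
    // confirm against HDFSPermissionPolicyProvider.
    acls = tableAcls(policyProvider, "db1", "tbl1");
    assertEquals(1, acls.getUserPermissions().size());
    assertTrue(acls.getUserPermissions().keySet().contains("user1"));
    assertEquals(0, acls.getGroupPermissions().size());
  }
}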