blob: fd95a1657c23fc1d89b543fd1a81796480a8460e [file] [log] [blame]
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
import getpass
import logging
import os
import pytest
import re
import shutil
import unittest
from tempfile import mkdtemp
from time import sleep
from tests.common.custom_cluster_test_suite import CustomClusterTestSuite
from tests.common.file_utils import grep_file, assert_file_in_dir_contains,\
LOG = logging.getLogger(__name__)
# This class needs to inherit from unittest.TestCase otherwise py.test will ignore it
# because a __init__ method is used.
class TestRedaction(CustomClusterTestSuite, unittest.TestCase):
'''Test various redaction related functionality.
Redaction is about preventing sensitive data from leaking into logs, the web ui,
or any other place that is not a result set. The definition of sensitive data is
limited to table data and query text since queries may refer to table data.
def get_workload(cls):
return 'functional-query'
def __init__(self, *args, **kwargs):
super(TestRedaction, self).__init__(*args, **kwargs)
# Parent dir for various file output such as logging. The value is set to a new value
# just before each test run.
self.tmp_dir = None
def log_dir(self):
return os.path.join(self.tmp_dir, "logs")
def audit_dir(self):
return os.path.join(self.tmp_dir, "audits")
def profile_dir(self):
return os.path.join(self.tmp_dir, "profiles")
def rules_file(self):
return os.path.join(self.tmp_dir, "redaction_rules.json")
def setup_method(self, method):
# Override parent
def teardown_method(self, method):
# Parent method would fail, nothing needs to be done. The tests are responsible
# for deleting self.tmp_dir after tests pass.
def start_cluster_using_rules(self, redaction_rules, log_level=2, vmodule=""):
'''Start Impala with a custom log dir and redaction rules.'''
self.tmp_dir = mkdtemp(prefix="test_redaction_", dir=os.getenv("LOG_DIR"))
os.chmod(self.tmp_dir, 0o777)"tmp_dir is " + self.tmp_dir)
# Write the redaction rules as set in @using_redaction_rules.
with open(self.rules_file, 'w') as file:
% (self.audit_dir, self.profile_dir, self.rules_file, vmodule)],
self.client = self.create_impala_client()
def find_last_query_id(self):
'''Return the id of the most recent query. Usually the id can be obtained through
the API but if query analysis fails the id is not available.
# Scrape the web ui....
# TODO: The HS2 interface may be better about exposing the query handle even if a
# query fails. Maybe investigate that after the switch to HS2.
regex = re.compile(r'query_id=(\w+:\w+)')
match ='queries'))
if match:
raise Exception('Unable to find any query id')
def assert_server_fails_to_start(self, rules, start_options, expected_error_message):
self.start_cluster_using_rules(rules, **start_options)'Cluster should not have started but did')
except Exception:
if self.cluster.impalads:
raise Exception("No impalads should have started")
with open(os.path.join(self.log_dir, 'impalad-out.log')) as file:
result = grep_file(file, expected_error_message)
assert result, 'The expected error message was not found'
def assert_log_redaction(self, unredacted_value, redacted_value, expect_audit=True):
'''Asserts that the 'unredacted_value' is not present but the 'redacted_value' is.'''
# Logs should not contain the unredacted value.
assert_no_files_in_dir_contain(self.log_dir, unredacted_value)
assert_no_files_in_dir_contain(self.audit_dir, unredacted_value)
assert_no_files_in_dir_contain(self.profile_dir, unredacted_value)
# But the redacted value should be there except for the profile since that is
# encoded.
assert_file_in_dir_contains(self.log_dir, redacted_value)
if expect_audit:
assert_file_in_dir_contains(self.audit_dir, redacted_value)
def assert_web_ui_redaction(self, query_id, unredacted_value, redacted_value):
'''Asserts that the 'unredacted_value' is not present but the 'redacted_value' is.'''
impala_service = self.create_impala_service()
# The web ui should not show the unredacted value.
for page in ('queries', 'query_stmt', 'query_plan_text', 'query_summary',
'query_profile', 'query_plan'):
for response_format in ('html', 'json'):
# The 'html' param is actually ignored by the server.
url = page + '?query_id=' + query_id + "&" + response_format
assert unredacted_value not in impala_service.read_debug_webpage(url), \
"Web page %s should not contain '%s' but does" % (url, unredacted_value)
# But the redacted value should be shown.
self.assert_web_ui_contains(query_id, redacted_value)
def assert_web_ui_contains(self, query_id, search):
'''Asserts that the 'search' term is present in all the pages that show user queries.
impala_service = self.create_impala_service()
for page in ('queries', 'query_stmt', 'query_plan_text', 'query_profile'):
url = '%s?query_id=%s' % (page, query_id)
assert search in impala_service.read_debug_webpage(url), \
"Web page %s should contain '%s' but does not" % (url, search)
def assert_query_profile_contains(self, query_id, search):
''' Asserts that the query profile for 'query_id' contains 'search' string'''
impala_service = self.create_impala_service()
url = 'query_profile?query_id=%s' % query_id
assert search in impala_service.read_debug_webpage(url), \
"Query profile %s should contain '%s' but does not" % (url, search)
def test_bad_rules(self):
'''Check that the server fails to start if the redaction rules are bad.'''
if self.exploration_strategy() != 'exhaustive':
pytest.skip('runs only in exhaustive')
startup_options = dict()
self.assert_server_fails_to_start('{ "version": 100 }', startup_options,
'Error parsing redaction rules; only version 1 is supported')
# Since the tests passed, the log dir shouldn't be of interest and can be deleted.
def test_very_verbose_logging(self):
'''Check that the server fails to start if logging is configured at a level that
could dump table data. Row logging would be enabled with "-v=3" or could be
enabled with the -vmodule option. In either case the server should not start.
if self.exploration_strategy() != 'exhaustive':
pytest.skip('runs only in exhaustive')
rules = r"""
"version": 1,
"rules": [
"description": "Don't show emails",
"caseSensitive": false,
"search": "[a-z]+@[a-z]+.[a-z]{3}",
"replace": "*email*"
error_message = "Redaction cannot be used in combination with log level 3 or " \
"higher or the -vmodule option"
self.assert_server_fails_to_start(rules, {"log_level": 3}, error_message)
# Since the tests passed, the log dir shouldn't be of interest and can be deleted.
self.assert_server_fails_to_start(rules, {"vmodule": "foo"}, error_message)
rules, {"log_level": 3, "vmodule": "foo"}, error_message)
def test_unredacted(self):
'''Do a sanity check to verify that the system behaves as expected when no redaction
rules are set. The expectation is the full query text will show up in the logs
and the web ui.
if self.exploration_strategy() != 'exhaustive':
pytest.skip('runs only in exhaustive')
email = ''
"SELECT COUNT(*) FROM functional.alltypes WHERE string_col = '%s'" % email)
# The query should also be found in the web ui.
self.assert_web_ui_contains(self.find_last_query_id(), email)
# Wait for the audit logs to be written. 5 seconds is an arbitrary value, typically
# only a second is needed.
# The query should show up in both the audit and non-audit logs
assert_file_in_dir_contains(self.log_dir, email)
assert_file_in_dir_contains(self.audit_dir, email)
# The profile is encoded so the email won't be found.
assert_no_files_in_dir_contain(self.profile_dir, email)
# Since all the tests passed, the log dir shouldn't be of interest and can be
# deleted.
def test_redacted(self):
'''Check that redaction rules prevent 'sensitive' data from leaking into the
logs and web ui.
current_user = getpass.getuser()
"version": 1,
"rules": [
"description": "Don't show emails",
"caseSensitive": false,
"search": "[a-z]+@[a-z]+.[a-z]{3}",
"replace": "*email*"
"description": "Don't show credit cards numbers",
"search": "\\d{4}-\\d{4}-\\d{4}-\\d{4}",
"replace": "*credit card*"
"description": "Don't show current username in queries",
"search": "%s",
"replace": "redacted user"
}""" % current_user)
email = ''
# GROUP BY an expr containing the email so the expr will also be shown in the exec
# node summary, ie HASH(string_col = ...).
query_template =\
"SELECT string_col = '%s', COUNT(*) FROM functional.alltypes GROUP BY 1"
self.execute_query_expect_success(self.client, query_template % email)
user_profile_pattern = "User: %s" % current_user
# The email should be replaced with '*email*'.
self.assert_web_ui_redaction(self.find_last_query_id(), email, "*email*")
# User field should not be redacted from the query profile.
self.assert_query_profile_contains(self.find_last_query_id(), user_profile_pattern)
# Wait for the logs to be written.
self.assert_log_redaction(email, "\*email\*")
# Even if the query is invalid, redaction should still be applied.
credit_card = '1234-5678-1234-5678'
self.execute_query_expect_failure(self.client, credit_card)
# This assertion below relies on the fact that there is a syntax error be near
# the credit card number so the number would have appeared in the message.
self.assert_web_ui_redaction(self.find_last_query_id(), credit_card, "*credit card*")
# User field should not be redacted from the query profile.
self.assert_query_profile_contains(self.find_last_query_id(), user_profile_pattern)
# Apparently an invalid query doesn't generate an audit log entry.
self.assert_log_redaction(credit_card, "\*credit card\*", expect_audit=False)
# Assert that the username in the query stmt is redacted but not from the user fields.
self.execute_query_expect_success(self.client, query_template % current_user)
self.assert_query_profile_contains(self.find_last_query_id(), user_profile_pattern)
self.assert_query_profile_contains(self.find_last_query_id(), "redacted user")
# Since all the tests passed, the log dir shouldn't be of interest and can be
# deleted.