| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| import getpass |
| import pytest |
| from tests.hs2.hs2_test_suite import HS2TestSuite, needs_session |
| from TCLIService import TCLIService |
| from tests.common.custom_cluster_test_suite import CustomClusterTestSuite |
| |
| USER_NAME = getpass.getuser() |
| PROXY_USER = "proxy_user_name" |
| PROXY_USER_WITH_COMMA = "proxy_user,name_2" |
| PROXY_USERS_ALL = "proxy_user_name/proxy_user,name_2" |
| PROXY_USER_DELIMITER = "/" |
| |
| class TestDelegation(CustomClusterTestSuite, HS2TestSuite): |
| |
| def check_user_and_effective_user(self, proxy_user): |
| execute_statement_req = TCLIService.TExecuteStatementReq() |
| execute_statement_req.sessionHandle = self.session_handle |
| execute_statement_req.confOverlay = dict() |
| execute_statement_req.statement = \ |
| "SELECT effective_user(), current_user(), user(), session_user()"; |
| execute_statement_resp = self.hs2_client.ExecuteStatement(execute_statement_req) |
| HS2TestSuite.check_response(execute_statement_resp) |
| |
| fetch_results_req = TCLIService.TFetchResultsReq() |
| fetch_results_req.operationHandle = execute_statement_resp.operationHandle |
| fetch_results_req.maxRows = 1 |
| fetch_results_resp = self.hs2_client.FetchResults(fetch_results_req) |
| HS2TestSuite.check_response(fetch_results_resp) |
| assert (self.column_results_to_string(fetch_results_resp.results.columns) == |
| (1, "%s, %s, %s, %s\n" % (proxy_user, proxy_user, |
| USER_NAME, USER_NAME))) |
| |
| @pytest.mark.execute_serially |
| @CustomClusterTestSuite.with_args( |
| "--authorized_proxy_user_config=\"%s=%s\"" % (USER_NAME, PROXY_USER)) |
| @needs_session(TCLIService.TProtocolVersion.HIVE_CLI_SERVICE_PROTOCOL_V6, |
| conf_overlay = {"impala.doas.user": PROXY_USER}) |
| def test_effective_user_single_proxy(self): |
| '''Test that the effective user is correctly set when impala.doas.user is correct, and |
| that the effective_user() builtin returns the right thing''' |
| self.check_user_and_effective_user(PROXY_USER) |
| |
| @pytest.mark.execute_serially |
| @CustomClusterTestSuite.with_args( |
| "--authorized_proxy_user_config=\"%s=%s\"\ |
| --authorized_proxy_user_config_delimiter=%c" % (USER_NAME, PROXY_USERS_ALL, |
| PROXY_USER_DELIMITER)) |
| @needs_session(TCLIService.TProtocolVersion.HIVE_CLI_SERVICE_PROTOCOL_V6, |
| conf_overlay = {"impala.doas.user": PROXY_USER_WITH_COMMA}) |
| def test_effective_user_multiple_proxies(self): |
| '''Test that the effective user is correctly set when there are multiple proxy users |
| seperated with the authorized_user_proxy_config_delimiter and when impala.doas.user |
| is correct, and that the effective_user() builtin returns the right thing''' |
| self.check_user_and_effective_user(PROXY_USER_WITH_COMMA) |
| |
| @pytest.mark.execute_serially |
| @CustomClusterTestSuite.with_args( |
| "--authorized_proxy_user_config=\"%s=%s\"\ |
| --authorized_proxy_user_config_delimiter=" % (USER_NAME, PROXY_USER_WITH_COMMA)) |
| @needs_session(TCLIService.TProtocolVersion.HIVE_CLI_SERVICE_PROTOCOL_V6, |
| conf_overlay = {"impala.doas.user": PROXY_USER_WITH_COMMA}) |
| def test_effective_user_empty_delimiter(self): |
| '''Test that the effective user is correctly set when the |
| authorized_user_proxy_config_delimiter is set to the empty string and |
| impala.doas.user is correct, and that the effective_user() builtin returns the |
| right thing''' |
| self.check_user_and_effective_user(PROXY_USER_WITH_COMMA) |