Google Git
Sign in
apache / incubator-sentry / bf3eb482e55f8cf29f9b87a190ee585e3e5f7e2f / . / sentry-provider / sentry-provider-db / src / test / java / org / apache / sentry / provider / db / generic / service / thrift / TestSentryGenericServiceIntegration.java
blob: 596a8c7a7fd2e61089ec23a041c6ddf593c5a060 [file] [log] [blame]
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.sentry.provider.db.generic.service.thrift;
import static junit.framework.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.model.search.Collection;
import org.apache.sentry.core.model.search.Field;
import org.apache.sentry.core.model.search.SearchConstants;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
import org.apache.sentry.service.thrift.KerberosConfiguration;
import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
import org.junit.Test;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
public class TestSentryGenericServiceIntegration extends SentryServiceIntegrationBase {
private static final String SOLR = "SOLR";
private SentryGenericServiceClient client;
/**
* use the generic client to connect sentry service
*/
@Override
public void connectToSentryService() throws Exception {
// The client should already be logged in when running in solr
// therefore we must manually login in the integration tests
if (kerberos) {
conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "false");
clientSubject = new Subject(false, Sets.newHashSet(
new KerberosPrincipal(CLIENT_KERBEROS_NAME)), new HashSet<Object>(),
new HashSet<Object>());
clientLoginContext = new LoginContext("", clientSubject, null,
KerberosConfiguration.createClientConfig(CLIENT_KERBEROS_NAME, clientKeytab));
clientLoginContext.login();
clientSubject = clientLoginContext.getSubject();
this.client = Subject.doAs(clientSubject, new PrivilegedExceptionAction<SentryGenericServiceClient>() {
@Override
public SentryGenericServiceClient run() throws Exception {
return new SentryGenericServiceClient(conf);
}
});
} else {
this.client = new SentryGenericServiceClient(conf);
}
}
@Test
public void testCreateDropShowRole() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
String roleName = "admin_r";
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
client.dropRoleIfExists(requestorUserName, roleName, SOLR);
client.createRole(requestorUserName, roleName, SOLR);
client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(requestorUserGroupNames));
Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR);
assertEquals("Incorrect number of roles", 1, roles.size());
for (TSentryRole role:roles) {
assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
}
client.dropRole(requestorUserName, roleName, SOLR);
}
@Test
public void testAddDeleteRoleToGroup() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
String testGroupName = "g1";
String roleName = "admin_r";
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
setLocalGroupMapping(requestorUserName, Sets.newHashSet(testGroupName));
writePolicyFile();
client.dropRoleIfExists(requestorUserName, roleName, SOLR);
client.createRole(requestorUserName, roleName, SOLR);
client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName));
Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR);
assertEquals("Incorrect number of roles", 1, roles.size());
for (TSentryRole role:roles) {
assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
assertTrue(role.getGroups().size() == 1);
for (String group :role.getGroups()) {
assertEquals(testGroupName, group);
}
}
client.deleteRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName));
roles = client.listUserRoles(requestorUserName,SOLR);
assertEquals("Incorrect number of roles", 0, roles.size());
client.dropRole(requestorUserName, roleName, SOLR);
}
@Test
public void testGranRevokePrivilege() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
String roleName1 = "admin_r1";
String roleName2 = "admin_r2";
client.dropRoleIfExists(requestorUserName, roleName1, SOLR);
client.createRole(requestorUserName, roleName1, SOLR);
client.dropRoleIfExists(requestorUserName, roleName2, SOLR);
client.createRole(requestorUserName, roleName2, SOLR);
TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
SearchConstants.QUERY);
TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
SearchConstants.UPDATE);
client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
client.grantPrivilege(requestorUserName, roleName2, SOLR, updatePrivilege);
client.revokePrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
client.revokePrivilege(requestorUserName, roleName2, SOLR, updatePrivilege);
}
@Test
public void testMultipleRolesSamePrivilege() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
String roleName1 = "admin_r1";
String roleName2 = "admin_r2";
client.dropRoleIfExists(requestorUserName, roleName1, SOLR);
client.createRole(requestorUserName, roleName1, SOLR);
client.dropRoleIfExists(requestorUserName, roleName2, SOLR);
client.createRole(requestorUserName, roleName2, SOLR);
TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
SearchConstants.QUERY);
client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName1, SOLR, "service1");
assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
client.grantPrivilege(requestorUserName, roleName2, SOLR, queryPrivilege);
listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, SOLR, "service1");
assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
}
@Test
public void testShowRoleGrant() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
String roleName = "admin_r1";
String groupName = "group1";
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
setLocalGroupMapping(requestorUserName, Sets.newHashSet(groupName));
writePolicyFile();
client.dropRoleIfExists(requestorUserName, roleName, SOLR);
client.createRole(requestorUserName, roleName, SOLR);
client.addRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(groupName));
Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName,SOLR);
assertTrue(groupRoles.size() == 1);
for (TSentryRole role:groupRoles) {
assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
assertTrue(role.getGroups().size() == 1);
for (String group :role.getGroups()) {
assertEquals(groupName, group);
}
}
client.dropRole(requestorUserName, roleName, SOLR);
}
@Test
public void testShowGrant() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
String roleName = "admin_r1";
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
client.dropRoleIfExists(requestorUserName, roleName, SOLR);
client.createRole(requestorUserName, roleName, SOLR);
TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
SearchConstants.QUERY);
TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
SearchConstants.UPDATE);
client.grantPrivilege(requestorUserName, roleName, SOLR, updatePrivilege);
client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1");
assertTrue(privileges.size() == 2);
client.revokePrivilege(requestorUserName, roleName, SOLR, updatePrivilege);
privileges = client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1");
assertTrue(privileges.size() == 1);
}
@Test
public void testSameGrantTwice() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
String roleName = "admin_r1";
client.createRole(requestorUserName, roleName, SOLR);
TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
SearchConstants.QUERY);
client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1").size());
}
@Test
public void testGrantRevokeWithGrantOption() throws Exception {
String adminUser = ADMIN_USER;
Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
String grantOptionUser = "user1";
Set<String> grantOptionGroup = Sets.newHashSet("group1");
String noGrantOptionUser = "user2";
Set<String> noGrantOptionGroup = Sets.newHashSet("group2");
setLocalGroupMapping(adminUser, adminGroup);
setLocalGroupMapping(grantOptionUser, grantOptionGroup);
setLocalGroupMapping(noGrantOptionUser, noGrantOptionGroup);
writePolicyFile();
String grantRole = "grant_r";
String noGrantRole = "no_grant_r";
String testRole = "test_role";
client.createRole(adminUser, grantRole, SOLR);
client.createRole(adminUser, noGrantRole, SOLR);
client.createRole(adminUser, testRole, SOLR);
TSentryPrivilege grantPrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c1"))),
SearchConstants.QUERY);
grantPrivilege.setGrantOption(TSentryGrantOption.TRUE);
TSentryPrivilege noGrantPrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c1"))),
SearchConstants.QUERY);
noGrantPrivilege.setGrantOption(TSentryGrantOption.FALSE);
TSentryPrivilege testPrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
SearchConstants.QUERY);
testPrivilege.setGrantOption(TSentryGrantOption.FALSE);
client.grantPrivilege(adminUser, grantRole, SOLR, grantPrivilege);
client.grantPrivilege(adminUser, noGrantRole, SOLR, noGrantPrivilege);
client.addRoleToGroups(adminUser, grantRole, SOLR, grantOptionGroup);
client.addRoleToGroups(adminUser, noGrantRole, SOLR, noGrantOptionGroup);
try {
client.grantPrivilege(grantOptionUser,testRole,SOLR, testPrivilege);
} catch (SentryUserException e) {
fail("grantOptionUser failed grant privilege to user");
}
try {
client.grantPrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege);
fail("noGrantOptionUser can't grant privilege to user");
} catch (SentryUserException e) {
}
try {
client.revokePrivilege(grantOptionUser, testRole, SOLR, testPrivilege);
} catch(SentryUserException e) {
fail("grantOptionUser failed revoke privilege to user");
}
try {
client.revokePrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege);
fail("noGrantOptionUser can't revoke privilege to user");
} catch (SentryUserException e) {
}
}
@Test
public void testGetPrivilegeByHierarchy() throws Exception {
String adminUser = ADMIN_USER;
Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
String testRole = "role1";
Set<String> testGroup = Sets.newHashSet("group1");
String testUser = "user1";
setLocalGroupMapping(adminUser, adminGroup);
setLocalGroupMapping(testUser, testGroup);
writePolicyFile();
client.createRole(adminUser, testRole, SOLR);
client.addRoleToGroups(adminUser, testRole, SOLR, testGroup);
TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
SearchConstants.QUERY);
TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))),
SearchConstants.UPDATE);
client.grantPrivilege(adminUser, testRole, SOLR, queryPrivilege);
client.grantPrivilege(adminUser, testRole, SOLR, updatePrivilege);
assertEquals(2, client.listPrivilegesByRoleName(testUser, testRole, SOLR, "service1").size());
assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
SOLR, "service1", Arrays.asList(new Collection("c1"))).size());
assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
SOLR, "service1", Arrays.asList(new Collection("c2"))).size());
assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
//test listPrivilegesForProvider by group(testGroup)
ActiveRoleSet roleSet = ActiveRoleSet.ALL;
assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
testGroup, Arrays.asList(new Collection("c1"))).size());
assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
testGroup, Arrays.asList(new Collection("c2"))).size());
assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
testGroup, Arrays.asList(new Collection("c1"), new Field("f1"))).size());
assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
testGroup, Arrays.asList(new Collection("c2"), new Field("f2"))).size());
}
@Test
public void testDropAndRenamePrivilege() throws Exception {
String requestorUserName = ADMIN_USER;
Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
writePolicyFile();
String roleName = "admin_r1";
client.createRole(requestorUserName, roleName, SOLR);
TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
SearchConstants.QUERY);
client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName,
SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
client.renamePrivilege(requestorUserName, SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
Arrays.asList(new Collection("c2"), new Field("f2")));
assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName,
SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
TSentryPrivilege dropPrivilege = new TSentryPrivilege(SOLR, "service1",
fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))),
SearchConstants.QUERY);
client.dropPrivilege(requestorUserName, SOLR, dropPrivilege);
assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
}
private List<TAuthorizable> fromAuthorizable(List<? extends Authorizable> authorizables) {
List<TAuthorizable> tAuthorizables = Lists.newArrayList();
for (Authorizable authorizable : authorizables) {
tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
}
return tAuthorizables;
}
}