Google Git
Sign in
apache / sentry / 6b070c55341a4a62ae2619d51ce87892056a7351 / . / sentry-service / sentry-service-server / src / test / java / org / apache / sentry / provider / db / service / persistent / TestSentryStoreImportExport.java
blob: 44548dc55b14101ee69c93c72b92356dce9e6923 [file] [log] [blame]
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.sentry.provider.db.service.persistent;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import java.io.File;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.provider.db.service.model.MSentryGroup;
import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
import org.apache.sentry.provider.db.service.model.MSentryRole;
import org.apache.sentry.provider.db.service.model.MSentryUser;
import org.apache.sentry.api.common.ApiConstants.PrivilegeScope;
import org.apache.sentry.api.service.thrift.TSentryGrantOption;
import org.apache.sentry.api.service.thrift.TSentryMappingData;
import org.apache.sentry.api.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.file.PolicyFile;
import org.apache.sentry.api.common.SentryServiceUtil;
import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import com.google.common.io.Files;
/**
* This test verifies that the sentry store APIs for export/import are working as expected.
*/
public class TestSentryStoreImportExport {
private static File dataDir;
private static String[] adminGroups = { "adminGroup1" };
private static PolicyFile policyFile;
private static File policyFilePath;
private static SentryStore sentryStore;
private TSentryPrivilege tSentryPrivilege1;
private TSentryPrivilege tSentryPrivilege2;
private TSentryPrivilege tSentryPrivilege3;
private TSentryPrivilege tSentryPrivilege4;
private TSentryPrivilege tSentryPrivilege5;
private TSentryPrivilege tSentryPrivilege6;
private TSentryPrivilege tSentryPrivilege7;
private TSentryPrivilege tSentryPrivilege8;
private TSentryPrivilege tSentryPrivilege9;
@BeforeClass
public static void setupEnv() throws Exception {
dataDir = new File(Files.createTempDir(), "sentry_policy_db");
Configuration conf = new Configuration(true);
conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
conf.set(ServerConfig.SENTRY_STORE_JDBC_URL, "jdbc:derby:;databaseName=" + dataDir.getPath()
+ ";create=true");
conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "sentry");
conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups);
conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
policyFilePath = new File(dataDir, "local_policy_file.ini");
conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE, policyFilePath.getPath());
policyFile = new PolicyFile();
boolean hdfsSyncEnabled = SentryServiceUtil.isHDFSSyncEnabled(conf);
sentryStore = new SentryStore(conf);
sentryStore.setPersistUpdateDeltas(hdfsSyncEnabled);
String adminUser = "g1";
addGroupsToUser(adminUser, adminGroups);
writePolicyFile();
}
@Before
public void setupPrivilege() {
preparePrivilege();
}
@After
public void clearStore() {
sentryStore.clearAllTables();
}
// create the privileges instance for test case:
// privilege1=[server=server1]
// privilege2=[server=server1, action=select, grantOption=false]
// privilege3=[server=server1, db=db2, action=insert, grantOption=true]
// privilege4=[server=server1, db=db1, table=tbl1, action=insert, grantOption=false]
// privilege5=[server=server1, db=db1, table=tbl2, column=col1, action=insert, grantOption=false]
// privilege6=[server=server1, db=db1, table=tbl3, column=col1, action=*, grantOption=true]
// privilege7=[server=server1, db=db1, table=tbl4, column=col1, action=all, grantOption=true]
// privilege8=[server=server1, uri=hdfs://testserver:9999/path1, action=insert, grantOption=false]
// privilege9=[server=server1, db=db2, table=tbl1, action=insert, grantOption=false]
private void preparePrivilege() {
tSentryPrivilege1 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "",
"", "", TSentryGrantOption.UNSET);
tSentryPrivilege2 = createTSentryPrivilege(PrivilegeScope.SERVER.name(), "server1", "", "", "",
"", AccessConstants.SELECT, TSentryGrantOption.FALSE);
tSentryPrivilege3 = createTSentryPrivilege(PrivilegeScope.DATABASE.name(), "server1", "db2",
"", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE);
tSentryPrivilege4 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db1",
"tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
tSentryPrivilege5 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1",
"tbl2", "col1", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
tSentryPrivilege6 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1",
"tbl3", "col1", "", AccessConstants.ALL, TSentryGrantOption.TRUE);
tSentryPrivilege7 = createTSentryPrivilege(PrivilegeScope.COLUMN.name(), "server1", "db1",
"tbl4", "col1", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE);
tSentryPrivilege8 = createTSentryPrivilege(PrivilegeScope.URI.name(), "server1", "", "", "",
"hdfs://testserver:9999/path1", AccessConstants.INSERT, TSentryGrantOption.FALSE);
tSentryPrivilege9 = createTSentryPrivilege(PrivilegeScope.TABLE.name(), "server1", "db2",
"tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
}
@AfterClass
public static void teardown() {
if (sentryStore != null) {
sentryStore.stop();
}
if (dataDir != null) {
FileUtils.deleteQuietly(dataDir);
}
}
protected static void addGroupsToUser(String user, String... groupNames) {
policyFile.addGroupsToUser(user, groupNames);
}
protected static void writePolicyFile() throws Exception {
policyFile.write(policyFilePath);
}
// Befor import, database is empty.
// The following information is imported:
// group1=role1,role2,role3
// group2=role1,role2,role3
// group3=role1,role2,role3
// role1=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
// role2=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
// role3=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
// Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
// getPrivilegesList are tested.
@Test
public void testImportExportPolicy1() throws Exception {
TSentryMappingData tSentryMappingData = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
sentryGroupRolesMap.put("group1", Sets.newHashSet("Role1", "role2", "role3"));
sentryGroupRolesMap.put("group2", Sets.newHashSet("Role1", "role2", "role3"));
sentryGroupRolesMap.put("group3", Sets.newHashSet("Role1", "role2", "role3"));
sentryRolePrivilegesMap.put("Role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
sentryRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
sentryRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap);
tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
sentryStore.importSentryMetaData(tSentryMappingData, false);
Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
// test the result data for the role
verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
// test the result data for the group
verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
// test the result data for the privilege
verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
// test the mapping data for group and role
List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
Map<String, Set<String>> actualGroupRolesMap = mapList.get(
SentryConstants.INDEX_GROUP_ROLES_MAP);
Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// test the mapping data for role and privilege
Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
.getRoleNameTPrivilegesMap();
Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
}
// call import twice, and there has no duplicate data:
// The data for 1st import:
// group1=role1
// role1=privilege1,privilege2,privilege3,privilege4
// The data for 2nd import:
// group2=role2,role3
// group3=role2,role3
// role2=privilege5,privilege6,privilege7,privilege8
// role3=privilege5,privilege6,privilege7,privilege8
// Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
// getPrivilegesList are tested.
@Test
public void testImportExportPolicy2() throws Exception {
TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1"));
sentryRolePrivilegesMap1
.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, tSentryPrivilege3,
tSentryPrivilege4));
tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
sentryStore.importSentryMetaData(tSentryMappingData1, false);
TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
sentryRolePrivilegesMap2
.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
tSentryPrivilege8));
sentryRolePrivilegesMap2
.put("role3", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
tSentryPrivilege8));
tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
sentryStore.importSentryMetaData(tSentryMappingData2, false);
Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
// test the result data for the role
verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
// test the result data for the group
verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
// test the result data for the privilege
verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
// test the mapping data for group and role
List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
Map<String, Set<String>> actualGroupRolesMap = mapList.get(
SentryConstants.INDEX_GROUP_ROLES_MAP);
Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2", "role3"));
exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// test the mapping data for role and privilege
Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
.getRoleNameTPrivilegesMap();
Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap
.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2, tSentryPrivilege3,
tSentryPrivilege4));
exceptedRolePrivilegesMap
.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
tSentryPrivilege8));
exceptedRolePrivilegesMap
.put("role3", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7,
tSentryPrivilege8));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
}
// call import twice, and there has data overlap:
// The data for 1st import:
// group1=role1, role2
// group2=role1, role2
// group3=role1, role2
// role1=privilege1,privilege2,privilege3,privilege4,privilege5
// role2=privilege1,privilege2,privilege3,privilege4,privilege5
// The data for 2nd import:
// group1=role2,role3
// group2=role2,role3
// group3=role2,role3
// role2=privilege4,privilege5,privilege6,privilege7,privilege8
// role3=privilege4,privilege5,privilege6,privilege7,privilege8
// Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
// getPrivilegesList are tested.
@Test
public void testImportExportPolicy3() throws Exception {
TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
sentryGroupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
sentryGroupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
sentryStore.importSentryMetaData(tSentryMappingData1, false);
TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
sentryGroupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
sentryStore.importSentryMetaData(tSentryMappingData2, false);
Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
// test the result data for the role
verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
// test the result data for the group
verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
// test the result data for the privilege
verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
// test the mapping data for group and role
List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
Map<String, Set<String>> actualGroupRolesMap = mapList.get(
SentryConstants.INDEX_GROUP_ROLES_MAP);
Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// test the mapping data for role and privilege
Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
.getRoleNameTPrivilegesMap();
Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
}
// call import twice, and there has one role without group.
// The data for 1st import:
// group1=role1, role2
// role1=privilege1,privilege2
// role2=privilege3,privilege4
// The data for 2nd import:
// group2=role2
// role2=privilege5,privilege6
// role3=privilege7,privilege8
// role3 is without group, will be imported also
@Test
public void testImportExportPolicy4() throws Exception {
TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2));
sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege4));
tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
sentryStore.importSentryMetaData(tSentryMappingData1, false);
TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2"));
sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6));
sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege7, tSentryPrivilege8));
tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
sentryStore.importSentryMetaData(tSentryMappingData2, false);
Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
// test the result data for the role
verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
// test the result data for the group
verifyGroups(groupsMap, Sets.newHashSet("group1", "group2"));
// test the result data for the privilege
verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
// test the mapping data for group and role
List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
Map<String, Set<String>> actualGroupRolesMap = mapList.get(
SentryConstants.INDEX_GROUP_ROLES_MAP);
Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// test the mapping data for role and privilege
Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
.getRoleNameTPrivilegesMap();
Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2));
exceptedRolePrivilegesMap
.put("role2", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5,
tSentryPrivilege6));
exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege7, tSentryPrivilege8));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
}
// test for import mapping data for [group,role] only:
// group1=role1, role2
@Test
public void testImportExportPolicy5() throws Exception {
TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
sentryStore.importSentryMetaData(tSentryMappingData1, false);
Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
// test the result data for the role
verifyRoles(rolesMap, Sets.newHashSet("role1", "role2"));
// test the result data for the group
verifyGroups(groupsMap, Sets.newHashSet("group1"));
// test the result data for the privilege
assertTrue(privilegesList.isEmpty());
// test the mapping data for group and role
List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
Map<String, Set<String>> actualGroupRolesMap = mapList.get(
SentryConstants.INDEX_GROUP_ROLES_MAP);
Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// test the mapping data for role and privilege
Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
.getRoleNameTPrivilegesMap();
assertTrue(actualRolePrivilegesMap.isEmpty());
}
// test for filter the orphaned group:
// group1=role1, role2
// group2=role2
@Test
public void testImportExportPolicy6() throws Exception {
TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
sentryGroupRolesMap1.put("group2", Sets.newHashSet("role2"));
tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
sentryStore.importSentryMetaData(tSentryMappingData1, false);
// drop the role2, the group2 is orphaned group
sentryStore.dropSentryRole("role2");
Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
// test the result data for the role
verifyRoles(rolesMap, Sets.newHashSet("role1"));
// test the result data for the group
verifyGroups(groupsMap, Sets.newHashSet("group1", "group2"));
// test the result data for the privilege
assertTrue(privilegesList.isEmpty());
// test the mapping data for group and role
List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
Map<String, Set<String>> actualGroupRolesMap = mapList.get(
SentryConstants.INDEX_GROUP_ROLES_MAP);
Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// test the mapping data for role and privilege
Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
.getRoleNameTPrivilegesMap();
assertTrue(actualRolePrivilegesMap.isEmpty());
}
// call import twice, and there has no duplicate data, the import will be with the overwrite mode:
// The data for 1st import:
// group1=role1
// role1=privilege1
// The data for 2nd import:
// group2=role2,role3
// group3=role2,role3
// role2=privilege2
// role3=privilege2
// Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
// getPrivilegesList are tested.
@Test
public void testImportExportPolicy7() throws Exception {
TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1"));
sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1));
tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
// the import with overwrite mode
sentryStore.importSentryMetaData(tSentryMappingData1, true);
TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege2));
sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege2));
tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
// the import with overwrite mode
sentryStore.importSentryMetaData(tSentryMappingData2, true);
Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
// test the result data for the role
verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
// test the result data for the group
verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
// test the result data for the privilege
verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2));
// test the mapping data for group and role
List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
Map<String, Set<String>> actualGroupRolesMap = mapList.get(
SentryConstants.INDEX_GROUP_ROLES_MAP);
Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2", "role3"));
exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// test the mapping data for role and privilege
Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
.getRoleNameTPrivilegesMap();
Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1));
exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege2));
exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege2));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
}
// call import twice, and there has data overlap, the import will be with the overwrite mode:
// The data for 1st import:
// group1=role1, role2
// group2=role1, role2
// group3=role1, role2
// role1=privilege1,privilege2,privilege3,privilege4,privilege5
// role2=privilege1,privilege2,privilege3,privilege4,privilege5
// The data for 2nd import:
// group1=role2,role3
// group2=role2,role3
// group3=role2,role3
// role2=privilege4,privilege5,privilege6,privilege7,privilege8
// role3=privilege4,privilege5,privilege6,privilege7,privilege8
// Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
// getPrivilegesList are tested.
@Test
public void testImportExportPolicy8() throws Exception {
TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
sentryGroupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
sentryGroupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
sentryRolePrivilegesMap1.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
sentryRolePrivilegesMap1.put("role2", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
// the import with overwrite mode
sentryStore.importSentryMetaData(tSentryMappingData1, true);
TSentryMappingData tSentryMappingData2 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap2 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap2 = Maps.newHashMap();
sentryGroupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
sentryGroupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
sentryGroupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
sentryRolePrivilegesMap2.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
sentryRolePrivilegesMap2.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
tSentryMappingData2.setGroupRolesMap(sentryGroupRolesMap2);
tSentryMappingData2.setRolePrivilegesMap(sentryRolePrivilegesMap2);
// the import with overwrite mode
sentryStore.importSentryMetaData(tSentryMappingData2, true);
Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
// test the result data for the role
verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
// test the result data for the group
verifyGroups(groupsMap, Sets.newHashSet("group1", "group2", "group3"));
// test the result data for the privilege
verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
// test the mapping data for group and role
List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
Map<String, Set<String>> actualGroupRolesMap = mapList.get(
SentryConstants.INDEX_GROUP_ROLES_MAP);
Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
exceptedGroupRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// test the mapping data for role and privilege
Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
.getRoleNameTPrivilegesMap();
Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5));
// role2 should be overwrite
exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege5,
tSentryPrivilege6, tSentryPrivilege7, tSentryPrivilege8));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
}
// test the import privileges with the action: All, *, select, insert
// All and * should replace the select and insert
// The data for import:
// group1=role1, role2
// role1=testPrivilege1,testPrivilege2,testPrivilege3,testPrivilege4
// role2=testPrivilege5, testPrivilege6,testPrivilege7,testPrivilege8
@Test
public void testImportExportPolicy9() throws Exception {
TSentryPrivilege testPrivilege1 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
"server1", "db1", "tbl1", "", "", AccessConstants.SELECT, TSentryGrantOption.TRUE);
TSentryPrivilege testPrivilege2 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
"server1", "db1", "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
TSentryPrivilege testPrivilege3 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
"server1", "db1", "tbl1", "", "", AccessConstants.ACTION_ALL, TSentryGrantOption.TRUE);
TSentryPrivilege testPrivilege4 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
"server1", "db1", "tbl1", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE);
TSentryPrivilege testPrivilege5 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
"server1", "db1", "tbl2", "", "", AccessConstants.SELECT, TSentryGrantOption.TRUE);
TSentryPrivilege testPrivilege6 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
"server1", "db1", "tbl2", "", "", AccessConstants.INSERT, TSentryGrantOption.FALSE);
TSentryPrivilege testPrivilege7 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
"server1", "db1", "tbl2", "", "", AccessConstants.ALL, TSentryGrantOption.TRUE);
TSentryPrivilege testPrivilege8 = createTSentryPrivilege(PrivilegeScope.TABLE.name(),
"server1", "db1", "tbl2", "", "", AccessConstants.INSERT, TSentryGrantOption.TRUE);
TSentryMappingData tSentryMappingData1 = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap1 = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap1 = Maps.newHashMap();
sentryGroupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
// after import there should be only testPrivilege2, testPrivilege3
sentryRolePrivilegesMap1.put("role1",
Sets.newHashSet(testPrivilege1, testPrivilege2, testPrivilege3, testPrivilege4));
// after import there should be only testPrivilege6,testPrivilege7
sentryRolePrivilegesMap1.put("role2",
Sets.newHashSet(testPrivilege5, testPrivilege6, testPrivilege7, testPrivilege8));
tSentryMappingData1.setGroupRolesMap(sentryGroupRolesMap1);
tSentryMappingData1.setRolePrivilegesMap(sentryRolePrivilegesMap1);
// the import with overwrite mode
sentryStore.importSentryMetaData(tSentryMappingData1, true);
Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
// test the result data for the role
verifyRoles(rolesMap, Sets.newHashSet("role1", "role2"));
// test the result data for the group
verifyGroups(groupsMap, Sets.newHashSet("group1"));
// test the mapping data for group and role
List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
Map<String, Set<String>> actualGroupRolesMap = mapList.get(
SentryConstants.INDEX_GROUP_ROLES_MAP);
Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// test the mapping data for role and privilege
Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
.getRoleNameTPrivilegesMap();
Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(testPrivilege2, testPrivilege3));
exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(testPrivilege6, testPrivilege7));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
}
// The following data is imported:
// group1=role1
// group2=role1,role2
// group3=role2,role3
// group4=role1,role2,role3
// role1=privilege3,privilege4,privilege9
// role2=privilege3,privilege4,privilege5,privilege6,privilege7
// role3=privilege4,privilege5,privilege6,privilege7,privilege8
// Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested.
@Test
public void testExportPolicyWithSpecificObject() throws Exception {
// import the data for test
TSentryMappingData tSentryMappingData = new TSentryMappingData();
Map<String, Set<String>> sentryGroupRolesMap = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
sentryGroupRolesMap.put("group1", Sets.newHashSet("role1"));
sentryGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
sentryGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
sentryGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
sentryRolePrivilegesMap.put("role1", Sets.newHashSet(
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege9));
sentryRolePrivilegesMap.put("role2", Sets.newHashSet(
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7));
sentryRolePrivilegesMap.put("role3", Sets.newHashSet(
tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
tSentryMappingData.setGroupRolesMap(sentryGroupRolesMap);
tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
sentryStore.importSentryMetaData(tSentryMappingData, false);
// verify the rolePrivilegesMap and groupRolesMap for db=db1
Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap =
sentryStore.getRoleNameTPrivilegesMap("db1", "");
Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4));
exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4,
tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4,
tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(
actualRolePrivilegesMap.keySet());
Map<String, Set<String>> actualGroupRolesMap = mapList.get(
SentryConstants.INDEX_GROUP_ROLES_MAP);
Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// verify the rolePrivilegesMap and groupRolesMap for db=db2
actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db2", "");
exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3, tSentryPrivilege9));
exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
actualGroupRolesMap = mapList.get(SentryConstants.INDEX_GROUP_ROLES_MAP);
exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2"));
exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl1
actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl1");
exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4));
exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4));
exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
actualGroupRolesMap = mapList.get(SentryConstants.INDEX_GROUP_ROLES_MAP);
exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// verify the rolePrivilegesMap and groupRolesMap for db=db1 and table=tbl2
actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("db1", "tbl2");
exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5));
exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege5));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
actualGroupRolesMap = mapList.get(SentryConstants.INDEX_GROUP_ROLES_MAP);
exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group2", Sets.newHashSet("role2"));
exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
exceptedGroupRolesMap.put("group4", Sets.newHashSet("role2", "role3"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// verify the rolePrivilegesMap and groupRolesMap for table=tbl1
actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", "tbl1");
exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege4, tSentryPrivilege9));
exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege4));
exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
actualGroupRolesMap = mapList.get(SentryConstants.INDEX_GROUP_ROLES_MAP);
exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
// verify the rolePrivilegesMap and groupRolesMap for empty parameter
actualRolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap("", "");
exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege3,
tSentryPrivilege4, tSentryPrivilege9));
exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege3,
tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6, tSentryPrivilege7));
exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege4,
tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
mapList = sentryStore.getGroupUserRoleMapList(actualRolePrivilegesMap.keySet());
actualGroupRolesMap = mapList.get(SentryConstants.INDEX_GROUP_ROLES_MAP);
exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1"));
exceptedGroupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
exceptedGroupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
exceptedGroupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
}
// Befor import, database is empty.
// The following information is imported:
// group1=role1,role2,role3
// user1=role1,role2
// user2=role2,role3
// role1=privilege1,privilege2,privilege3,privilege4
// role2=privilege5,privilege6,privilege7,privilege8
// role3=privilege3,privilege4,privilege5,privilege6
// Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
// getUsersMap getPrivilegesList are tested.
@Test
public void testImportExportWithUser() throws Exception {
TSentryMappingData tSentryMappingData = new TSentryMappingData();
Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
Map<String, Set<String>> userRolesMap = Maps.newHashMap();
Map<String, Set<TSentryPrivilege>> sentryRolePrivilegesMap = Maps.newHashMap();
groupRolesMap.put("group1", Sets.newHashSet("Role1", "role2", "role3"));
userRolesMap.put("user1", Sets.newHashSet("Role1", "role2"));
userRolesMap.put("user2", Sets.newHashSet("role2", "role3"));
sentryRolePrivilegesMap.put("Role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4));
sentryRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
sentryRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege3,
tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6));
tSentryMappingData.setGroupRolesMap(groupRolesMap);
tSentryMappingData.setRolePrivilegesMap(sentryRolePrivilegesMap);
tSentryMappingData.setUserRolesMap(userRolesMap);
sentryStore.importSentryMetaData(tSentryMappingData, false);
Map<String, MSentryRole> rolesMap = sentryStore.getRolesMap();
Map<String, MSentryGroup> groupsMap = sentryStore.getGroupNameToGroupMap();
Map<String, MSentryUser> usersMap = sentryStore.getUserNameToUserMap();
List<MSentryPrivilege> privilegesList = sentryStore.getPrivilegesList();
// test the result data for the role
verifyRoles(rolesMap, Sets.newHashSet("role1", "role2", "role3"));
// test the result data for the group
verifyGroups(groupsMap, Sets.newHashSet("group1"));
// test the result data for the user
verifyUsers(usersMap, Sets.newHashSet("user1", "user2"));
// test the result data for the privilege
verifyPrivileges(privilegesList, Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
// test the mapping data for group and role
List<Map<String, Set<String>>> mapList = sentryStore.getGroupUserRoleMapList(null);
Map<String, Set<String>> actualGroupRolesMap = mapList.get(
SentryConstants.INDEX_GROUP_ROLES_MAP);
Map<String, Set<String>> exceptedGroupRolesMap = Maps.newHashMap();
exceptedGroupRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
verifyUserGroupRolesMap(actualGroupRolesMap, exceptedGroupRolesMap);
Map<String, Set<String>> actualUserRolesMap = mapList.get(
SentryConstants.INDEX_USER_ROLES_MAP);
Map<String, Set<String>> exceptedUserRolesMap = Maps.newHashMap();
exceptedUserRolesMap.put("user1", Sets.newHashSet("role1", "role2"));
exceptedUserRolesMap.put("user2", Sets.newHashSet("role2", "role3"));
verifyUserGroupRolesMap(actualUserRolesMap, exceptedUserRolesMap);
// test the mapping data for role and privilege
Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap = sentryStore
.getRoleNameTPrivilegesMap();
Map<String, Set<TSentryPrivilege>> exceptedRolePrivilegesMap = Maps.newHashMap();
exceptedRolePrivilegesMap.put("role1", Sets.newHashSet(tSentryPrivilege1, tSentryPrivilege2,
tSentryPrivilege3, tSentryPrivilege4));
exceptedRolePrivilegesMap.put("role2", Sets.newHashSet(tSentryPrivilege5, tSentryPrivilege6,
tSentryPrivilege7, tSentryPrivilege8));
exceptedRolePrivilegesMap.put("role3", Sets.newHashSet(tSentryPrivilege3,
tSentryPrivilege4, tSentryPrivilege5, tSentryPrivilege6));
verifyRolePrivilegesMap(actualRolePrivilegesMap, exceptedRolePrivilegesMap);
}
private void verifyRoles(Map<String, MSentryRole> actualRoleMap, Set<String> expectedRoleNameSet) {
assertEquals(expectedRoleNameSet.size(), actualRoleMap.keySet().size());
for (String roleName : actualRoleMap.keySet()) {
assertTrue(expectedRoleNameSet.contains(roleName));
}
}
private void verifyGroups(Map<String, MSentryGroup> actualGroupsMap,
Set<String> expectedGroupNameSet) {
assertEquals(expectedGroupNameSet.size(), actualGroupsMap.keySet().size());
for (String groupName : actualGroupsMap.keySet()) {
assertTrue(expectedGroupNameSet.contains(groupName));
}
}
private void verifyUsers(Map<String, MSentryUser> actualUsersMap,
Set<String> expectedUserNameSet) {
assertEquals(expectedUserNameSet.size(), actualUsersMap.keySet().size());
for (String userName : actualUsersMap.keySet()) {
assertTrue(expectedUserNameSet.contains(userName));
}
}
private void verifyPrivileges(List<MSentryPrivilege> actualPrivileges,
Set<TSentryPrivilege> expectedTSentryPrivilegeSet) {
assertEquals(expectedTSentryPrivilegeSet.size(), actualPrivileges.size());
for (MSentryPrivilege mSentryPrivilege : actualPrivileges) {
boolean isFound = false;
for (TSentryPrivilege tSentryPrivilege : expectedTSentryPrivilegeSet) {
isFound = compareTSentryPrivilege(sentryStore.convertToTSentryPrivilege(mSentryPrivilege),
tSentryPrivilege);
if (isFound) {
break;
}
}
assertTrue(isFound);
}
}
private void verifyUserGroupRolesMap(Map<String, Set<String>> actualMap,
Map<String, Set<String>> exceptedMap) {
assertEquals(exceptedMap.keySet().size(), actualMap.keySet().size());
for (String name : actualMap.keySet()) {
Set<String> exceptedRoles = exceptedMap.get(name);
Set<String> actualRoles = actualMap.get(name);
assertEquals(actualRoles.size(), exceptedRoles.size());
assertTrue(actualRoles.equals(exceptedRoles));
}
}
private void verifyRolePrivilegesMap(Map<String, Set<TSentryPrivilege>> actualRolePrivilegesMap,
Map<String, Set<TSentryPrivilege>> expectedRolePrivilegesMap) {
assertEquals(expectedRolePrivilegesMap.keySet().size(), actualRolePrivilegesMap.keySet().size());
for (String roleName : expectedRolePrivilegesMap.keySet()) {
Set<TSentryPrivilege> exceptedTSentryPrivileges = expectedRolePrivilegesMap.get(roleName);
Set<TSentryPrivilege> actualTSentryPrivileges = actualRolePrivilegesMap.get(roleName);
assertEquals(exceptedTSentryPrivileges.size(), actualTSentryPrivileges.size());
for (TSentryPrivilege actualPrivilege : actualTSentryPrivileges) {
boolean isFound = false;
for (TSentryPrivilege expectedPrivilege : exceptedTSentryPrivileges) {
isFound = compareTSentryPrivilege(expectedPrivilege, actualPrivilege);
if (isFound) {
break;
}
}
assertTrue(isFound);
}
}
}
private TSentryPrivilege createTSentryPrivilege(String scope, String server, String dbName,
String tableName, String columnName, String uri, String action, TSentryGrantOption grantOption) {
TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
tSentryPrivilege.setPrivilegeScope(scope);
tSentryPrivilege.setServerName(server);
tSentryPrivilege.setDbName(dbName);
tSentryPrivilege.setTableName(tableName);
tSentryPrivilege.setColumnName(columnName);
tSentryPrivilege.setURI(uri);
tSentryPrivilege.setAction(action);
tSentryPrivilege.setGrantOption(grantOption);
return tSentryPrivilege;
}
// compare the TSentryPrivilege without the create time
private boolean compareTSentryPrivilege(TSentryPrivilege tSentryPrivilege1,
TSentryPrivilege tSentryPrivilege2) {
if (tSentryPrivilege1 == null) {
if (tSentryPrivilege2 == null) {
return true;
} else {
return false;
}
} else {
if (tSentryPrivilege2 == null) {
return false;
}
}
boolean this_present_privilegeScope = true && tSentryPrivilege1.isSetPrivilegeScope();
boolean that_present_privilegeScope = true && tSentryPrivilege2.isSetPrivilegeScope();
if (this_present_privilegeScope || that_present_privilegeScope) {
if (!(this_present_privilegeScope && that_present_privilegeScope)) {
return false;
}
if (!tSentryPrivilege1.getPrivilegeScope().equalsIgnoreCase(
tSentryPrivilege2.getPrivilegeScope())) {
return false;
}
}
boolean this_present_serverName = true && tSentryPrivilege1.isSetServerName();
boolean that_present_serverName = true && tSentryPrivilege2.isSetServerName();
if (this_present_serverName || that_present_serverName) {
if (!(this_present_serverName && that_present_serverName)) {
return false;
}
if (!tSentryPrivilege1.getServerName().equalsIgnoreCase(tSentryPrivilege2.getServerName())) {
return false;
}
}
boolean this_present_dbName = true && tSentryPrivilege1.isSetDbName();
boolean that_present_dbName = true && tSentryPrivilege2.isSetDbName();
if (this_present_dbName || that_present_dbName) {
if (!(this_present_dbName && that_present_dbName)) {
return false;
}
if (!tSentryPrivilege1.getDbName().equalsIgnoreCase(tSentryPrivilege2.getDbName())) {
return false;
}
}
boolean this_present_tableName = true && tSentryPrivilege1.isSetTableName();
boolean that_present_tableName = true && tSentryPrivilege2.isSetTableName();
if (this_present_tableName || that_present_tableName) {
if (!(this_present_tableName && that_present_tableName)) {
return false;
}
if (!tSentryPrivilege1.getTableName().equalsIgnoreCase(tSentryPrivilege2.getTableName())) {
return false;
}
}
boolean this_present_URI = true && tSentryPrivilege1.isSetURI();
boolean that_present_URI = true && tSentryPrivilege2.isSetURI();
if (this_present_URI || that_present_URI) {
if (!(this_present_URI && that_present_URI)) {
return false;
}
if (!tSentryPrivilege1.getURI().equalsIgnoreCase(tSentryPrivilege2.getURI())) {
return false;
}
}
boolean this_present_action = true && tSentryPrivilege1.isSetAction();
boolean that_present_action = true && tSentryPrivilege2.isSetAction();
if (this_present_action || that_present_action) {
if (!(this_present_action && that_present_action)) {
return false;
}
if (!tSentryPrivilege1.getAction().equalsIgnoreCase(tSentryPrivilege2.getAction())) {
return false;
}
}
boolean this_present_grantOption = true && tSentryPrivilege1.isSetGrantOption();
boolean that_present_grantOption = true && tSentryPrivilege2.isSetGrantOption();
if (this_present_grantOption || that_present_grantOption) {
if (!(this_present_grantOption && that_present_grantOption)) {
return false;
}
if (!tSentryPrivilege1.getGrantOption().equals(tSentryPrivilege2.getGrantOption())) {
return false;
}
}
boolean this_present_columnName = true && tSentryPrivilege1.isSetColumnName();
boolean that_present_columnName = true && tSentryPrivilege2.isSetColumnName();
if (this_present_columnName || that_present_columnName) {
if (!(this_present_columnName && that_present_columnName)) {
return false;
}
if (!tSentryPrivilege1.getColumnName().equalsIgnoreCase(tSentryPrivilege2.getColumnName())) {
return false;
}
}
return true;
}
}