sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java - sentry - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.sentry.binding.solr;

 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;

 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.lang.reflect.InvocationTargetException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.List;
 import java.util.Set;
 import java.util.UUID;

 import org.junit.Assert;

 import org.apache.commons.io.FileUtils;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.hadoop.security.GroupMappingServiceProvider;
 import org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException;
 import org.apache.sentry.binding.solr.authz.SolrAuthzBinding;
 import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
 import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.search.Collection;
 import org.apache.sentry.core.model.search.SearchModelAction;
 import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
 import org.apache.sentry.core.common.utils.PolicyFiles;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;

 import com.google.common.collect.Sets;
 import com.google.common.io.Files;
 import com.google.common.io.Resources;

 /**
  * Test for solr authz binding
  */
 public class TestSolrAuthzBinding {
   private static final String RESOURCE_PATH = "test-authz-provider.ini";
   private SolrAuthzConf authzConf = new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
   private File baseDir;

   private Collection infoCollection = new Collection("info");
   private Collection generalInfoCollection = new Collection("generalInfo");

   private Subject corporal1 = new Subject("corporal1");
   private Subject sergeant1 = new Subject("sergeant1");
   private Subject general1 = new Subject("general1");

   private EnumSet<SearchModelAction> querySet = EnumSet.of(SearchModelAction.QUERY);
   private EnumSet<SearchModelAction> updateSet = EnumSet.of(SearchModelAction.UPDATE);
   private EnumSet<SearchModelAction> allSet = EnumSet.of(SearchModelAction.ALL);
   private EnumSet<SearchModelAction> allOfSet = EnumSet.allOf(SearchModelAction.class);
   private EnumSet<SearchModelAction> emptySet = EnumSet.noneOf(SearchModelAction.class);

   @Before
   public void setUp() throws Exception {
     baseDir = Files.createTempDir();
     PolicyFiles.copyToDir(baseDir, RESOURCE_PATH);
     authzConf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), new File(baseDir, RESOURCE_PATH).getPath());
   }

   @After
   public void teardown() {
     if(baseDir != null) {
       FileUtils.deleteQuietly(baseDir);
     }
   }

   private void setUsableAuthzConf(SolrAuthzConf conf) {
     conf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(), "org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider");
     conf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), new File(baseDir, RESOURCE_PATH).getPath());
     conf.set(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(), AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getDefault());
     conf.set(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar(), AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault());
   }

   /**
    * Test that incorrect specification of classes for
    * AUTHZ_PROVIDER, AUTHZ_PROVIDER_BACKEND, and AUTHZ_POLICY_ENGINE
    * correctly throw ClassNotFoundExceptions
    */
   @Test
   public void testClassNotFound() throws Exception {
     SolrAuthzConf solrAuthzConf =
       new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
     setUsableAuthzConf(solrAuthzConf);
     // verify it is usable
     new SolrAuthzBinding(solrAuthzConf);

     // give a bogus provider
     solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(), "org.apache.sentry.provider.BogusProvider");
     try {
       new SolrAuthzBinding(solrAuthzConf);
       Assert.fail("Expected ClassNotFoundException");
     } catch (ClassNotFoundException e) {}

     setUsableAuthzConf(solrAuthzConf);
     // give a bogus provider backend
     solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(), "org.apache.sentry.provider.file.BogusProviderBackend");
     try {
       new SolrAuthzBinding(solrAuthzConf);
       Assert.fail("Expected ClassNotFoundException");
     } catch (ClassNotFoundException e) {}

     setUsableAuthzConf(solrAuthzConf);
     // give a bogus policy enine
     solrAuthzConf.set(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar(), "org.apache.sentry.provider.solr.BogusPolicyEngine");
     try {
       new SolrAuthzBinding(solrAuthzConf);
       Assert.fail("Expected ClassNotFoundException");
     } catch (ClassNotFoundException e) {}
   }

   /**
    * Test that incorrect specification of the provider resource
    * throws an exception
    */
   @Test
   public void testResourceNotFound() throws Exception {
     SolrAuthzConf solrAuthzConf =
       new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
     setUsableAuthzConf(solrAuthzConf);

     // bogus specification
     solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), new File(baseDir, "test-authz-bogus-provider.ini").getPath());
     try {
       new SolrAuthzBinding(solrAuthzConf);
       Assert.fail("Expected InvocationTargetException");
     } catch (InvocationTargetException e) {
       assertTrue(e.getTargetException() instanceof FileNotFoundException);
     }

     // missing specification
     solrAuthzConf.unset(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar());
     try {
       new SolrAuthzBinding(solrAuthzConf);
       Assert.fail("Expected InvocationTargetException");
     } catch (InvocationTargetException e) {
       assertTrue(e.getTargetException() instanceof IllegalArgumentException);
     }
   }

   /**
    * Verify that an definition of only the AuthorizationProvider
    * (not ProviderBackend or PolicyEngine) works.
    */
   @Test
   public void testAuthProviderOnlySolrAuthzConfs() throws Exception {
     new SolrAuthzBinding(authzConf);
   }

   /**
    * Test for group mapping
    */
   @Test
   public void testGroupMapping() throws Exception {
     SolrAuthzConf solrAuthzConf =
       new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
     setUsableAuthzConf(solrAuthzConf);
     SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);

     // check non-existant users
     try {
       binding.getGroups(null);
       Assert.fail("Expected SentryGroupNotFoundException");
     } catch (SentryGroupNotFoundException e) {
     }
     try {
       binding.getGroups("nonExistantUser");
       Assert.fail("Expected SentryGroupNotFoundException");
     } catch (SentryGroupNotFoundException e) {
     }

     // check group names don't map to user names
     try {
       binding.getGroups("corporal");
       Assert.fail("Expected SentryGroupNotFoundException");
     } catch (SentryGroupNotFoundException e) {
     }
     try {
       binding.getGroups("sergeant");
       Assert.fail("Expected SentryGroupNotFoundException");
     } catch (SentryGroupNotFoundException e) {
     }
     try {
       binding.getGroups("general");
       Assert.fail("Expected SentryGroupNotFoundException");
     } catch (SentryGroupNotFoundException e) {
     }
     try {
       binding.getGroups("othergeneralgroup");
       Assert.fail("Expected SentryGroupNotFoundException");
     } catch (SentryGroupNotFoundException e) {
     }

     // check valid group names
     assertEquals(binding.getGroups("corporal1"), Sets.newHashSet("corporal"));
     assertEquals(binding.getGroups("sergeant1"), Sets.newHashSet("sergeant"));
     assertEquals(binding.getGroups("general1"), Sets.newHashSet("general", "othergeneralgroup"));
   }

   /**
    * Test for role mapping
    */
   @Test
   public void testGetRoles() throws Exception {
     SolrAuthzConf solrAuthzConf =
       new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
     setUsableAuthzConf(solrAuthzConf);
     SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
     Set<String> emptySet = Collections.emptySet();

     // check user with undefined group
     assertEquals(binding.getRoles("undefinedGroupUser"), emptySet);
     // check group with undefined role
     assertEquals(binding.getRoles("undefinedRoleUser"), emptySet);

     // check role names don't map in the other direction
     try {
       binding.getRoles("corporal_role");
       Assert.fail("Expected SentryGroupNotFoundException");
     } catch (SentryGroupNotFoundException e) {
     }
     try {
       binding.getRoles("sergeant_role");
       Assert.fail("Expected SentryGroupNotFoundException");
     } catch (SentryGroupNotFoundException e) {
     }
     try {
       binding.getRoles("general_role");
       Assert.fail("Expected SentryGroupNotFoundException");
     } catch (SentryGroupNotFoundException e) {
     }

     // check valid users
     assertEquals(binding.getRoles("corporal1"), Sets.newHashSet("corporal_role"));
     assertEquals(binding.getRoles("sergeant1"), Sets.newHashSet("corporal_role", "sergeant_role"));
     assertEquals(binding.getRoles("general1"), Sets.newHashSet("corporal_role", "sergeant_role", "general_role"));

     // check user whos groups have overlapping roles
     assertEquals(binding.getRoles("overlappingUser"), Sets.newHashSet("corporal_role", "sergeant_role", "general_role"));
   }

   /**
    * Test that a full sentry-site definition works.
    */
   @Test
   public void testSolrAuthzConfs() throws Exception {
      SolrAuthzConf solrAuthzConf =
        new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
      setUsableAuthzConf(solrAuthzConf);
      new SolrAuthzBinding(solrAuthzConf);
   }

   private void expectAuthException(SolrAuthzBinding binding, Subject subject,
       Collection collection, EnumSet<SearchModelAction> action) throws Exception {
      try {
        binding.authorizeCollection(subject, collection, action);
        Assert.fail("Expected SentrySolrAuthorizationException");
      } catch(SentrySolrAuthorizationException e) {
      }
   }

   /**
    * Test that a user that doesn't exist throws an exception
    * when trying to authorize
    */
   @Test
   public void testNoUser() throws Exception {
      SolrAuthzConf solrAuthzConf =
        new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
      setUsableAuthzConf(solrAuthzConf);
      SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
     try {
       binding.authorizeCollection(new Subject("bogus"), infoCollection, querySet);
       Assert.fail("Expected SentryGroupNotFoundException");
     } catch (SentryGroupNotFoundException e) {
     }
   }

   /**
    * Test that a bogus collection name throws an exception
    */
   @Test
   public void testNoCollection() throws Exception {
      SolrAuthzConf solrAuthzConf =
        new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
      setUsableAuthzConf(solrAuthzConf);
      SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
      expectAuthException(binding, corporal1, new Collection("bogus"), querySet);
   }

   /**
    * Test if no action is attempted an exception is thrown
    */
   @Test
   public void testNoAction() throws Exception {
     SolrAuthzConf solrAuthzConf =
       new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
     setUsableAuthzConf(solrAuthzConf);
     SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
     try {
       binding.authorizeCollection(corporal1, infoCollection, emptySet);
       Assert.fail("Expected IllegalArgumentException");
     } catch (IllegalArgumentException e) {
     }
   }

   /**
    * Test that standard unauthorized attempts fail
    */
   @Test
   public void testAuthException() throws Exception {
     SolrAuthzConf solrAuthzConf =
        new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
      setUsableAuthzConf(solrAuthzConf);
      SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
      expectAuthException(binding, corporal1, infoCollection, updateSet);
      expectAuthException(binding, corporal1, infoCollection, allSet);
      expectAuthException(binding, corporal1, generalInfoCollection, querySet);
      expectAuthException(binding, corporal1, generalInfoCollection, updateSet);
      expectAuthException(binding, corporal1, generalInfoCollection, allSet);
      expectAuthException(binding, sergeant1, infoCollection, allSet);
      expectAuthException(binding, sergeant1, generalInfoCollection, querySet);
      expectAuthException(binding, sergeant1, generalInfoCollection, updateSet);
      expectAuthException(binding, sergeant1, generalInfoCollection, allSet);
   }

   /**
    * Test that standard authorized attempts succeed
    */
   @Test
   public void testAuthAllowed() throws Exception {
      SolrAuthzConf solrAuthzConf =
        new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
      setUsableAuthzConf(solrAuthzConf);
      SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
      binding.authorizeCollection(corporal1, infoCollection, querySet);
      binding.authorizeCollection(sergeant1, infoCollection, querySet);
      binding.authorizeCollection(sergeant1, infoCollection, updateSet);
      binding.authorizeCollection(general1, infoCollection, querySet);
      binding.authorizeCollection(general1, infoCollection, updateSet);
      binding.authorizeCollection(general1, infoCollection, allSet);
      binding.authorizeCollection(general1, infoCollection, allOfSet);
      binding.authorizeCollection(general1, generalInfoCollection, querySet);
      binding.authorizeCollection(general1, generalInfoCollection, updateSet);
      binding.authorizeCollection(general1, generalInfoCollection, allSet);
      binding.authorizeCollection(general1, generalInfoCollection, allOfSet);
   }

   /**
    * Test that when the resource is put on  HDFS and the scheme of the resource is not set,
    * the resouce can be found if fs.defaultFS is specified
    */
   @Test
   public void testResourceWithSchemeNotSet() throws Exception {
     SolrAuthzConf solrAuthzConf =
         new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
     setUsableAuthzConf(solrAuthzConf);

     MiniDFSCluster dfsCluster =  HdfsTestUtil.setupClass(new File(Files.createTempDir(),
       TestSolrAuthzBinding.class.getName() + "_"
         + System.currentTimeMillis()).getAbsolutePath());
     String resourceOnHDFS = "/hdfs" + File.separator + UUID.randomUUID() + File.separator + "test-authz-provider.ini";
     try {
       // Copy resource to HDFSS
       dfsCluster.getFileSystem().copyFromLocalFile(false,
           new Path(baseDir.getPath(), RESOURCE_PATH),
           new Path(resourceOnHDFS));
       solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), resourceOnHDFS);
       // set HDFS as the defaultFS so the resource will be found
       solrAuthzConf.set("fs.defaultFS", dfsCluster.getFileSystem().getConf().get("fs.defaultFS"));
       new SolrAuthzBinding(solrAuthzConf);
     } finally {
       if (dfsCluster != null) {
         HdfsTestUtil.teardownClass(dfsCluster);
       }
     }
   }

   @Test
   public void testCustomGroupMapping() throws Exception {
     SolrAuthzConf solrAuthzConf =
       new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
     setUsableAuthzConf(solrAuthzConf);
     solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(), "org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider");
     solrAuthzConf.set("hadoop.security.group.mapping",
       FoobarGroupMappingServiceProvider.class.getName());
     SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
     final String user = "userTestSolrAuthzBinding";
     assertEquals(1, binding.getGroups(user).size());
     assertTrue(binding.getGroups(user).contains("foobar"));
   }

   /**
    * GroupMappingServiceProvider that returns "foobar" for any group
    */
   private static class FoobarGroupMappingServiceProvider implements GroupMappingServiceProvider {
     @Override
     public List<String> getGroups(String user) throws IOException {
       return Arrays.asList("foobar");
     }

     @Override
     public void cacheGroupsRefresh() throws IOException {}

     @Override
     public void cacheGroupsAdd(List<String> groups) throws IOException {}
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.sentry.binding.solr;

	import static org.junit.Assert.assertEquals;
	import static org.junit.Assert.assertTrue;

	import java.io.File;
	import java.io.FileNotFoundException;
	import java.io.IOException;
	import java.lang.reflect.InvocationTargetException;
	import java.util.Arrays;
	import java.util.Collections;
	import java.util.EnumSet;
	import java.util.List;
	import java.util.Set;
	import java.util.UUID;

	import org.junit.Assert;

	import org.apache.commons.io.FileUtils;
	import org.apache.hadoop.fs.Path;
	import org.apache.hadoop.hdfs.MiniDFSCluster;
	import org.apache.hadoop.security.GroupMappingServiceProvider;
	import org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException;
	import org.apache.sentry.binding.solr.authz.SolrAuthzBinding;
	import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
	import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
	import org.apache.sentry.core.common.Subject;
	import org.apache.sentry.core.model.search.Collection;
	import org.apache.sentry.core.model.search.SearchModelAction;
	import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
	import org.apache.sentry.core.common.utils.PolicyFiles;
	import org.junit.After;
	import org.junit.Before;
	import org.junit.Test;

	import com.google.common.collect.Sets;
	import com.google.common.io.Files;
	import com.google.common.io.Resources;

	/**
	* Test for solr authz binding
	*/
	public class TestSolrAuthzBinding {
	private static final String RESOURCE_PATH = "test-authz-provider.ini";
	private SolrAuthzConf authzConf = new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	private File baseDir;

	private Collection infoCollection = new Collection("info");
	private Collection generalInfoCollection = new Collection("generalInfo");

	private Subject corporal1 = new Subject("corporal1");
	private Subject sergeant1 = new Subject("sergeant1");
	private Subject general1 = new Subject("general1");

	private EnumSet<SearchModelAction> querySet = EnumSet.of(SearchModelAction.QUERY);
	private EnumSet<SearchModelAction> updateSet = EnumSet.of(SearchModelAction.UPDATE);
	private EnumSet<SearchModelAction> allSet = EnumSet.of(SearchModelAction.ALL);
	private EnumSet<SearchModelAction> allOfSet = EnumSet.allOf(SearchModelAction.class);
	private EnumSet<SearchModelAction> emptySet = EnumSet.noneOf(SearchModelAction.class);

	@Before
	public void setUp() throws Exception {
	baseDir = Files.createTempDir();
	PolicyFiles.copyToDir(baseDir, RESOURCE_PATH);
	authzConf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), new File(baseDir, RESOURCE_PATH).getPath());
	}

	@After
	public void teardown() {
	if(baseDir != null) {
	FileUtils.deleteQuietly(baseDir);
	}
	}

	private void setUsableAuthzConf(SolrAuthzConf conf) {
	conf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(), "org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider");
	conf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), new File(baseDir, RESOURCE_PATH).getPath());
	conf.set(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(), AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getDefault());
	conf.set(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar(), AuthzConfVars.AUTHZ_POLICY_ENGINE.getDefault());
	}

	/**
	* Test that incorrect specification of classes for
	* AUTHZ_PROVIDER, AUTHZ_PROVIDER_BACKEND, and AUTHZ_POLICY_ENGINE
	* correctly throw ClassNotFoundExceptions
	*/
	@Test
	public void testClassNotFound() throws Exception {
	SolrAuthzConf solrAuthzConf =
	new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	setUsableAuthzConf(solrAuthzConf);
	// verify it is usable
	new SolrAuthzBinding(solrAuthzConf);

	// give a bogus provider
	solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(), "org.apache.sentry.provider.BogusProvider");
	try {
	new SolrAuthzBinding(solrAuthzConf);
	Assert.fail("Expected ClassNotFoundException");
	} catch (ClassNotFoundException e) {}

	setUsableAuthzConf(solrAuthzConf);
	// give a bogus provider backend
	solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(), "org.apache.sentry.provider.file.BogusProviderBackend");
	try {
	new SolrAuthzBinding(solrAuthzConf);
	Assert.fail("Expected ClassNotFoundException");
	} catch (ClassNotFoundException e) {}

	setUsableAuthzConf(solrAuthzConf);
	// give a bogus policy enine
	solrAuthzConf.set(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar(), "org.apache.sentry.provider.solr.BogusPolicyEngine");
	try {
	new SolrAuthzBinding(solrAuthzConf);
	Assert.fail("Expected ClassNotFoundException");
	} catch (ClassNotFoundException e) {}
	}

	/**
	* Test that incorrect specification of the provider resource
	* throws an exception
	*/
	@Test
	public void testResourceNotFound() throws Exception {
	SolrAuthzConf solrAuthzConf =
	new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	setUsableAuthzConf(solrAuthzConf);

	// bogus specification
	solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), new File(baseDir, "test-authz-bogus-provider.ini").getPath());
	try {
	new SolrAuthzBinding(solrAuthzConf);
	Assert.fail("Expected InvocationTargetException");
	} catch (InvocationTargetException e) {
	assertTrue(e.getTargetException() instanceof FileNotFoundException);
	}

	// missing specification
	solrAuthzConf.unset(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar());
	try {
	new SolrAuthzBinding(solrAuthzConf);
	Assert.fail("Expected InvocationTargetException");
	} catch (InvocationTargetException e) {
	assertTrue(e.getTargetException() instanceof IllegalArgumentException);
	}
	}

	/**
	* Verify that an definition of only the AuthorizationProvider
	* (not ProviderBackend or PolicyEngine) works.
	*/
	@Test
	public void testAuthProviderOnlySolrAuthzConfs() throws Exception {
	new SolrAuthzBinding(authzConf);
	}

	/**
	* Test for group mapping
	*/
	@Test
	public void testGroupMapping() throws Exception {
	SolrAuthzConf solrAuthzConf =
	new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	setUsableAuthzConf(solrAuthzConf);
	SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);

	// check non-existant users
	try {
	binding.getGroups(null);
	Assert.fail("Expected SentryGroupNotFoundException");
	} catch (SentryGroupNotFoundException e) {
	}
	try {
	binding.getGroups("nonExistantUser");
	Assert.fail("Expected SentryGroupNotFoundException");
	} catch (SentryGroupNotFoundException e) {
	}

	// check group names don't map to user names
	try {
	binding.getGroups("corporal");
	Assert.fail("Expected SentryGroupNotFoundException");
	} catch (SentryGroupNotFoundException e) {
	}
	try {
	binding.getGroups("sergeant");
	Assert.fail("Expected SentryGroupNotFoundException");
	} catch (SentryGroupNotFoundException e) {
	}
	try {
	binding.getGroups("general");
	Assert.fail("Expected SentryGroupNotFoundException");
	} catch (SentryGroupNotFoundException e) {
	}
	try {
	binding.getGroups("othergeneralgroup");
	Assert.fail("Expected SentryGroupNotFoundException");
	} catch (SentryGroupNotFoundException e) {
	}

	// check valid group names
	assertEquals(binding.getGroups("corporal1"), Sets.newHashSet("corporal"));
	assertEquals(binding.getGroups("sergeant1"), Sets.newHashSet("sergeant"));
	assertEquals(binding.getGroups("general1"), Sets.newHashSet("general", "othergeneralgroup"));
	}

	/**
	* Test for role mapping
	*/
	@Test
	public void testGetRoles() throws Exception {
	SolrAuthzConf solrAuthzConf =
	new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	setUsableAuthzConf(solrAuthzConf);
	SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
	Set<String> emptySet = Collections.emptySet();

	// check user with undefined group
	assertEquals(binding.getRoles("undefinedGroupUser"), emptySet);
	// check group with undefined role
	assertEquals(binding.getRoles("undefinedRoleUser"), emptySet);

	// check role names don't map in the other direction
	try {
	binding.getRoles("corporal_role");
	Assert.fail("Expected SentryGroupNotFoundException");
	} catch (SentryGroupNotFoundException e) {
	}
	try {
	binding.getRoles("sergeant_role");
	Assert.fail("Expected SentryGroupNotFoundException");
	} catch (SentryGroupNotFoundException e) {
	}
	try {
	binding.getRoles("general_role");
	Assert.fail("Expected SentryGroupNotFoundException");
	} catch (SentryGroupNotFoundException e) {
	}

	// check valid users
	assertEquals(binding.getRoles("corporal1"), Sets.newHashSet("corporal_role"));
	assertEquals(binding.getRoles("sergeant1"), Sets.newHashSet("corporal_role", "sergeant_role"));
	assertEquals(binding.getRoles("general1"), Sets.newHashSet("corporal_role", "sergeant_role", "general_role"));

	// check user whos groups have overlapping roles
	assertEquals(binding.getRoles("overlappingUser"), Sets.newHashSet("corporal_role", "sergeant_role", "general_role"));
	}

	/**
	* Test that a full sentry-site definition works.
	*/
	@Test
	public void testSolrAuthzConfs() throws Exception {
	SolrAuthzConf solrAuthzConf =
	new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	setUsableAuthzConf(solrAuthzConf);
	new SolrAuthzBinding(solrAuthzConf);
	}

	private void expectAuthException(SolrAuthzBinding binding, Subject subject,
	Collection collection, EnumSet<SearchModelAction> action) throws Exception {
	try {
	binding.authorizeCollection(subject, collection, action);
	Assert.fail("Expected SentrySolrAuthorizationException");
	} catch(SentrySolrAuthorizationException e) {
	}
	}

	/**
	* Test that a user that doesn't exist throws an exception
	* when trying to authorize
	*/
	@Test
	public void testNoUser() throws Exception {
	SolrAuthzConf solrAuthzConf =
	new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	setUsableAuthzConf(solrAuthzConf);
	SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
	try {
	binding.authorizeCollection(new Subject("bogus"), infoCollection, querySet);
	Assert.fail("Expected SentryGroupNotFoundException");
	} catch (SentryGroupNotFoundException e) {
	}
	}

	/**
	* Test that a bogus collection name throws an exception
	*/
	@Test
	public void testNoCollection() throws Exception {
	SolrAuthzConf solrAuthzConf =
	new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	setUsableAuthzConf(solrAuthzConf);
	SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
	expectAuthException(binding, corporal1, new Collection("bogus"), querySet);
	}

	/**
	* Test if no action is attempted an exception is thrown
	*/
	@Test
	public void testNoAction() throws Exception {
	SolrAuthzConf solrAuthzConf =
	new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	setUsableAuthzConf(solrAuthzConf);
	SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
	try {
	binding.authorizeCollection(corporal1, infoCollection, emptySet);
	Assert.fail("Expected IllegalArgumentException");
	} catch (IllegalArgumentException e) {
	}
	}

	/**
	* Test that standard unauthorized attempts fail
	*/
	@Test
	public void testAuthException() throws Exception {
	SolrAuthzConf solrAuthzConf =
	new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	setUsableAuthzConf(solrAuthzConf);
	SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
	expectAuthException(binding, corporal1, infoCollection, updateSet);
	expectAuthException(binding, corporal1, infoCollection, allSet);
	expectAuthException(binding, corporal1, generalInfoCollection, querySet);
	expectAuthException(binding, corporal1, generalInfoCollection, updateSet);
	expectAuthException(binding, corporal1, generalInfoCollection, allSet);
	expectAuthException(binding, sergeant1, infoCollection, allSet);
	expectAuthException(binding, sergeant1, generalInfoCollection, querySet);
	expectAuthException(binding, sergeant1, generalInfoCollection, updateSet);
	expectAuthException(binding, sergeant1, generalInfoCollection, allSet);
	}

	/**
	* Test that standard authorized attempts succeed
	*/
	@Test
	public void testAuthAllowed() throws Exception {
	SolrAuthzConf solrAuthzConf =
	new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	setUsableAuthzConf(solrAuthzConf);
	SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
	binding.authorizeCollection(corporal1, infoCollection, querySet);
	binding.authorizeCollection(sergeant1, infoCollection, querySet);
	binding.authorizeCollection(sergeant1, infoCollection, updateSet);
	binding.authorizeCollection(general1, infoCollection, querySet);
	binding.authorizeCollection(general1, infoCollection, updateSet);
	binding.authorizeCollection(general1, infoCollection, allSet);
	binding.authorizeCollection(general1, infoCollection, allOfSet);
	binding.authorizeCollection(general1, generalInfoCollection, querySet);
	binding.authorizeCollection(general1, generalInfoCollection, updateSet);
	binding.authorizeCollection(general1, generalInfoCollection, allSet);
	binding.authorizeCollection(general1, generalInfoCollection, allOfSet);
	}

	/**
	* Test that when the resource is put on HDFS and the scheme of the resource is not set,
	* the resouce can be found if fs.defaultFS is specified
	*/
	@Test
	public void testResourceWithSchemeNotSet() throws Exception {
	SolrAuthzConf solrAuthzConf =
	new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	setUsableAuthzConf(solrAuthzConf);

	MiniDFSCluster dfsCluster = HdfsTestUtil.setupClass(new File(Files.createTempDir(),
	TestSolrAuthzBinding.class.getName() + "_"
	+ System.currentTimeMillis()).getAbsolutePath());
	String resourceOnHDFS = "/hdfs" + File.separator + UUID.randomUUID() + File.separator + "test-authz-provider.ini";
	try {
	// Copy resource to HDFSS
	dfsCluster.getFileSystem().copyFromLocalFile(false,
	new Path(baseDir.getPath(), RESOURCE_PATH),
	new Path(resourceOnHDFS));
	solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), resourceOnHDFS);
	// set HDFS as the defaultFS so the resource will be found
	solrAuthzConf.set("fs.defaultFS", dfsCluster.getFileSystem().getConf().get("fs.defaultFS"));
	new SolrAuthzBinding(solrAuthzConf);
	} finally {
	if (dfsCluster != null) {
	HdfsTestUtil.teardownClass(dfsCluster);
	}
	}
	}

	@Test
	public void testCustomGroupMapping() throws Exception {
	SolrAuthzConf solrAuthzConf =
	new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
	setUsableAuthzConf(solrAuthzConf);
	solrAuthzConf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(), "org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider");
	solrAuthzConf.set("hadoop.security.group.mapping",
	FoobarGroupMappingServiceProvider.class.getName());
	SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
	final String user = "userTestSolrAuthzBinding";
	assertEquals(1, binding.getGroups(user).size());
	assertTrue(binding.getGroups(user).contains("foobar"));
	}

	/**
	* GroupMappingServiceProvider that returns "foobar" for any group
	*/
	private static class FoobarGroupMappingServiceProvider implements GroupMappingServiceProvider {
	@Override
	public List<String> getGroups(String user) throws IOException {
	return Arrays.asList("foobar");
	}

	@Override
	public void cacheGroupsRefresh() throws IOException {}

	@Override
	public void cacheGroupsAdd(List<String> groups) throws IOException {}
	}
	}