Google Git
Sign in
apache / sentry / b17c1acc7d86e07c9f54415b9aa2c66a0bb158f0 / . / sentry-binding / sentry-binding-hive / src / test / java / org / apache / sentry / privilege / hive / TestCommonPrivilegeForHive.java
blob: cd5716367d7d1d0dd9f5394673c28c1105daaf1c [file] [log] [blame]
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.sentry.privilege.hive;
import org.apache.sentry.core.common.Model;
import org.apache.sentry.core.common.utils.KeyValue;
import org.apache.sentry.core.common.utils.PathUtils;
import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.core.model.db.HivePrivilegeModel;
import org.apache.sentry.policy.common.CommonPrivilege;
import org.apache.sentry.policy.common.Privilege;
import org.junit.Before;
import org.junit.Test;
import java.util.List;
import static junit.framework.Assert.assertFalse;
import static junit.framework.Assert.assertTrue;
import static junit.framework.Assert.assertEquals;
public class TestCommonPrivilegeForHive {
private Model hivePrivilegeModel;
private static final String ALL = AccessConstants.ALL;
private static final CommonPrivilege ROLE_SERVER_SERVER1_DB_ALL =
create(new KeyValue("server", "server1"), new KeyValue("db", ALL));
private static final CommonPrivilege ROLE_SERVER_SERVER1_DB_DB1 =
create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
private static final CommonPrivilege ROLE_SERVER_SERVER2_DB_ALL =
create(new KeyValue("server", "server2"), new KeyValue("db", ALL));
private static final CommonPrivilege ROLE_SERVER_SERVER2_DB_DB1 =
create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
private static final CommonPrivilege ROLE_SERVER_ALL_DB_ALL =
create(new KeyValue("server", ALL), new KeyValue("db", ALL));
private static final CommonPrivilege ROLE_SERVER_ALL_DB_DB1 =
create(new KeyValue("server", ALL), new KeyValue("db", "db1"));
private static final CommonPrivilege ROLE_SERVER_SERVER1_URI_URI1 =
create(new KeyValue("server", "server1"), new KeyValue("uri",
"hdfs://namenode:8020/path/to/uri1"));
private static final CommonPrivilege ROLE_SERVER_SERVER1_URI_URI2 =
create(new KeyValue("server", "server1"), new KeyValue("uri",
"hdfs://namenode:8020/path/to/uri2/"));
private static final CommonPrivilege ROLE_SERVER_SERVER1_URI_ALL =
create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
private static final CommonPrivilege ROLE_SERVER_SERVER1 =
create(new KeyValue("server", "server1"));
private static final CommonPrivilege REQUEST_SERVER1_DB1 =
create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
private static final CommonPrivilege REQUEST_SERVER2_DB1 =
create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
private static final CommonPrivilege REQUEST_SERVER1_DB2 =
create(new KeyValue("server", "server1"), new KeyValue("db", "db2"));
private static final CommonPrivilege REQUEST_SERVER2_DB2 =
create(new KeyValue("server", "server2"), new KeyValue("db", "db2"));
private static final CommonPrivilege REQUEST_SERVER1_URI1 =
create(new KeyValue("server", "server1"), new KeyValue("uri",
"hdfs://namenode:8020/path/to/uri1/some/file"));
private static final CommonPrivilege REQUEST_SERVER1_URI2 =
create(new KeyValue("server", "server1"), new KeyValue("uri",
"hdfs://namenode:8020/path/to/uri2/some/other/file"));
private static final CommonPrivilege REQUEST_SERVER1_OTHER =
create(new KeyValue("server", "server2"), new KeyValue("other", "thing"));
private static final CommonPrivilege REQUEST_SERVER1 =
create(new KeyValue("server", "server2"));
@Before
public void prepareData() {
hivePrivilegeModel = HivePrivilegeModel.getInstance();
}
@Test
public void testOther() throws Exception {
assertFalse(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_OTHER, hivePrivilegeModel));
assertFalse(REQUEST_SERVER1_OTHER.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel));
}
@Test
public void testRoleShorterThanRequest() throws Exception {
assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1, hivePrivilegeModel));
assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1, hivePrivilegeModel));
}
@Test
public void testRolesAndRequests() throws Exception {
// ROLE_SERVER_SERVER1_DB_ALL
assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
// test inverse
assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL, hivePrivilegeModel));
assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL, hivePrivilegeModel));
assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL, hivePrivilegeModel));
assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL, hivePrivilegeModel));
// ROLE_SERVER_SERVER1_DB_DB1
assertTrue(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
// test inverse
assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1, hivePrivilegeModel));
assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1, hivePrivilegeModel));
assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1, hivePrivilegeModel));
assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1, hivePrivilegeModel));
// ROLE_SERVER_SERVER2_DB_ALL
assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
// test inverse
assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL, hivePrivilegeModel));
assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL, hivePrivilegeModel));
assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL, hivePrivilegeModel));
assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL, hivePrivilegeModel));
// ROLE_SERVER_SERVER2_DB_DB1
assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
assertTrue(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1, hivePrivilegeModel));
assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1, hivePrivilegeModel));
assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1, hivePrivilegeModel));
assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1, hivePrivilegeModel));
// ROLE_SERVER_ALL_DB_ALL
assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
// test inverse
assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel));
assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel));
assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel));
assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel));
// ROLE_SERVER_ALL_DB_DB1
assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
// test inverse
assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_DB1, hivePrivilegeModel));
assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_DB1, hivePrivilegeModel));
assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_DB1, hivePrivilegeModel));
assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_DB1, hivePrivilegeModel));
// uri
assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel));
assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel));
assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel));
assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel));
assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel));
assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel));
assertTrue(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel));
assertTrue(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel));
assertFalse(REQUEST_SERVER2_DB2.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel));
assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel));
// test inverse
assertTrue(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_ALL, hivePrivilegeModel));
assertTrue(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_ALL, hivePrivilegeModel));
assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1, hivePrivilegeModel));
assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI1, hivePrivilegeModel));
assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI1, hivePrivilegeModel));
assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI2, hivePrivilegeModel));
assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI2, hivePrivilegeModel));
};
@Test
public void testUnexpected() throws Exception {
Privilege p = new Privilege() {
@Override
public boolean implies(Privilege p, Model m) {
return false;
}
@Override
public List<KeyValue> getAuthorizable() {
return null;
}
@Override
public List<KeyValue> getParts() { return null; }
};
assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p, hivePrivilegeModel));
assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null));
assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p));
assertEquals(ROLE_SERVER_SERVER1_DB_ALL.hashCode(),
create(ROLE_SERVER_SERVER1_DB_ALL.toString()).hashCode());
}
@Test(expected=IllegalArgumentException.class)
public void testNullString() throws Exception {
System.out.println(create((String)null));
}
@Test(expected=IllegalArgumentException.class)
public void testEmptyString() throws Exception {
System.out.println(create(""));
}
@Test(expected=IllegalArgumentException.class)
public void testEmptyKey() throws Exception {
System.out.println(create(SentryConstants.KV_JOINER.join("", "db1")));
}
@Test(expected=IllegalArgumentException.class)
public void testEmptyValue() throws Exception {
System.out.println(create(SentryConstants.KV_JOINER.join("db", "")));
}
@Test(expected=IllegalArgumentException.class)
public void testEmptyPart() throws Exception {
System.out.println(create(SentryConstants.AUTHORIZABLE_JOINER.
join(SentryConstants.KV_JOINER.join("server", "server1"), "")));
}
@Test(expected=IllegalArgumentException.class)
public void testOnlySeperators() throws Exception {
System.out.println(create(SentryConstants.AUTHORIZABLE_JOINER.
join(SentryConstants.KV_SEPARATOR, SentryConstants.KV_SEPARATOR,
SentryConstants.KV_SEPARATOR)));
}
@Test
public void testImpliesURIPositive() throws Exception {
assertTrue(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/path/to/some/dir"));
assertTrue(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/path"));
assertTrue(PathUtils.impliesURI("file:///path", "file:///path/to/some/dir"));
assertTrue(PathUtils.impliesURI("file:///path", "file:///path"));
}
@Test
public void testGetAuthz() throws Exception {
CommonPrivilege dbAll = create(new KeyValue("server", "server1"),
new KeyValue("db", "db1"), new KeyValue("action", "ALL"));
assertEquals(2, dbAll.getAuthorizable().size());
}
@Test
public void testImpliesURINegative() throws Exception {
// relative path
assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/path/to/../../other"));
assertFalse(PathUtils.impliesURI("file:///path", "file:///path/to/../../other"));
// bad policy
assertFalse(PathUtils.impliesURI("blah", "hdfs://namenode:8020/path/to/some/dir"));
// bad request
assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "blah"));
// scheme
assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "file:///path/to/some/dir"));
assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "file://namenode:8020/path/to/some/dir"));
// hostname
assertFalse(PathUtils.impliesURI("hdfs://namenode1:8020/path", "hdfs://namenode2:8020/path/to/some/dir"));
// port
assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8021/path/to/some/dir"));
// mangled path
assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/pathFooBar"));
// ends in /
assertTrue(PathUtils.impliesURI("hdfs://namenode:8020/path/", "hdfs://namenode:8020/path/FooBar"));
}
@Test
public void testActionHierarchy() throws Exception {
String dbName = "db1";
CommonPrivilege dbAll = create(new KeyValue("server", "server1"),
new KeyValue("db", dbName), new KeyValue("action", "ALL"));
CommonPrivilege dbSelect = create(new KeyValue("server", "server1"),
new KeyValue("db", dbName), new KeyValue("action", "SELECT"));
CommonPrivilege dbInsert = create(new KeyValue("server", "server1"),
new KeyValue("db", dbName), new KeyValue("action", "INSERT"));
CommonPrivilege dbAlter = create(new KeyValue("server", "server1"),
new KeyValue("db", dbName), new KeyValue("action", "ALTER"));
CommonPrivilege dbCreate = create(new KeyValue("server", "server1"),
new KeyValue("db", dbName), new KeyValue("action", "CREATE"));
CommonPrivilege dbDrop = create(new KeyValue("server", "server1"),
new KeyValue("db", dbName), new KeyValue("action", "DROP"));
CommonPrivilege dbIndex = create(new KeyValue("server", "server1"),
new KeyValue("db", dbName), new KeyValue("action", "INDEX"));
CommonPrivilege dbLock = create(new KeyValue("server", "server1"),
new KeyValue("db", dbName), new KeyValue("action", "LOCK"));
assertTrue(dbAll.implies(dbSelect, hivePrivilegeModel));
assertTrue(dbAll.implies(dbInsert, hivePrivilegeModel));
assertTrue(dbAll.implies(dbAlter, hivePrivilegeModel));
assertTrue(dbAll.implies(dbCreate, hivePrivilegeModel));
assertTrue(dbAll.implies(dbDrop, hivePrivilegeModel));
assertTrue(dbAll.implies(dbIndex, hivePrivilegeModel));
assertTrue(dbAll.implies(dbLock, hivePrivilegeModel));
dbAll = create(new KeyValue("server", "server1"),
new KeyValue("db", dbName), new KeyValue("action", "*"));
assertTrue(dbAll.implies(dbSelect, hivePrivilegeModel));
assertTrue(dbAll.implies(dbInsert, hivePrivilegeModel));
assertTrue(dbAll.implies(dbAlter, hivePrivilegeModel));
assertTrue(dbAll.implies(dbCreate, hivePrivilegeModel));
assertTrue(dbAll.implies(dbDrop, hivePrivilegeModel));
assertTrue(dbAll.implies(dbIndex, hivePrivilegeModel));
assertTrue(dbAll.implies(dbLock, hivePrivilegeModel));
dbAll = create(new KeyValue("server", "server1"),
new KeyValue("db", dbName));
assertTrue(dbAll.implies(dbSelect, hivePrivilegeModel));
assertTrue(dbAll.implies(dbInsert, hivePrivilegeModel));
assertTrue(dbAll.implies(dbAlter, hivePrivilegeModel));
assertTrue(dbAll.implies(dbCreate, hivePrivilegeModel));
assertTrue(dbAll.implies(dbDrop, hivePrivilegeModel));
assertTrue(dbAll.implies(dbIndex, hivePrivilegeModel));
assertTrue(dbAll.implies(dbLock, hivePrivilegeModel));
}
static CommonPrivilege create(KeyValue... keyValues) {
return create(SentryConstants.AUTHORIZABLE_JOINER.join(keyValues));
}
static CommonPrivilege create(String s) {
return new CommonPrivilege(s);
}
}