Google Git
Sign in
apache / sentry / dd51db4431cd63df26d72779421a61f785f183bf / . / sentry-service / sentry-service-server / src / test / java / org / apache / sentry / provider / db / service / persistent / TestSentryStore.java
blob: fd14963a459c5b355bb7df6884ed55ec890b533d [file] [log] [blame]
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.sentry.provider.db.service.persistent;
import java.io.File;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicLong;
import com.google.common.collect.Lists;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;
import org.apache.hadoop.security.alias.UserProvider;
import org.apache.sentry.SentryOwnerInfo;
import org.apache.sentry.api.common.ApiConstants.PrivilegeScope;
import org.apache.sentry.api.service.thrift.TSentryPrivilegeMap;
import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
import org.apache.sentry.core.common.exception.SentryInvalidInputException;
import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
import org.apache.sentry.hdfs.PathsUpdate;
import org.apache.sentry.hdfs.PermissionsUpdate;
import org.apache.sentry.hdfs.UniquePathsUpdate;
import org.apache.sentry.hdfs.Updateable;
import org.apache.sentry.hdfs.service.thrift.TPathEntry;
import org.apache.sentry.hdfs.service.thrift.TPathsDump;
import org.apache.sentry.hdfs.service.thrift.TPathsUpdate;
import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges;
import org.apache.sentry.hdfs.service.thrift.TPrivilegePrincipal;
import org.apache.sentry.hdfs.service.thrift.TPrivilegePrincipalType;
import org.apache.sentry.hdfs.service.thrift.TRoleChanges;
import org.apache.sentry.provider.db.service.model.MSentryPermChange;
import org.apache.sentry.provider.db.service.model.MSentryPathChange;
import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
import org.apache.sentry.provider.db.service.model.MSentryRole;
import org.apache.sentry.provider.db.service.model.MPath;
import org.apache.sentry.api.service.thrift.TSentryActiveRoleSet;
import org.apache.sentry.api.service.thrift.TSentryAuthorizable;
import org.apache.sentry.api.service.thrift.TSentryGrantOption;
import org.apache.sentry.api.service.thrift.TSentryGroup;
import org.apache.sentry.api.service.thrift.TSentryPrivilege;
import org.apache.sentry.api.service.thrift.TSentryRole;
import org.apache.sentry.provider.db.service.model.MSentryUser;
import org.apache.sentry.provider.file.PolicyFile;
import org.apache.sentry.api.common.SentryServiceUtil;
import org.apache.sentry.service.common.ServiceConstants;
import org.apache.sentry.service.common.ServiceConstants.SentryPrincipalType;
import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import com.google.common.collect.Iterables;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import com.google.common.io.Files;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import static org.apache.sentry.provider.db.service.persistent.QueryParamBuilder.newQueryParamBuilder;
import javax.jdo.JDODataStoreException;
public class TestSentryStore extends org.junit.Assert {
private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryStore.class);
private static File dataDir;
private static SentryStore sentryStore;
private static String[] adminGroups = { "adminGroup1" };
private static PolicyFile policyFile;
private static File policyFilePath;
final long NUM_PRIVS = 5; // > SentryStore.PrivCleaner.NOTIFY_THRESHOLD
private static Configuration conf = null;
private static char[] passwd = new char[] { '1', '2', '3'};
@BeforeClass
public static void setup() throws Exception {
conf = new Configuration(true);
final String ourUrl = UserProvider.SCHEME_NAME + ":///";
conf.set(CredentialProviderFactory.CREDENTIAL_PROVIDER_PATH, ourUrl);
// enable HDFS sync, so perm and path changes will be saved into DB
conf.set(ServiceConstants.ServerConfig.PROCESSOR_FACTORIES, "org.apache.sentry.hdfs.SentryHDFSServiceProcessorFactory");
conf.set(ServiceConstants.ServerConfig.SENTRY_POLICY_STORE_PLUGINS, "org.apache.sentry.hdfs.SentryPlugin");
// THis should be a UserGroupInformation provider
CredentialProvider provider = CredentialProviderFactory.getProviders(conf).get(0);
// The user credentials are stored as a static variable by UserGrouoInformation provider.
// We need to only set the password the first time, an attempt to set it for the second
// time fails with an exception.
if(provider.getCredentialEntry(ServerConfig.SENTRY_STORE_JDBC_PASS) == null) {
provider.createCredentialEntry(ServerConfig.SENTRY_STORE_JDBC_PASS, passwd);
provider.flush();
}
dataDir = new File(Files.createTempDir(), "sentry_policy_db");
conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
"jdbc:derby:;databaseName=" + dataDir.getPath() + ";create=true");
conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
conf.setStrings(ServerConfig.ADMIN_GROUPS, adminGroups);
conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
policyFilePath = new File(dataDir, "local_policy_file.ini");
conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
policyFilePath.getPath());
// These tests do not need to retry transactions, so setting to 1 to reduce testing time
conf.setInt(ServerConfig.SENTRY_STORE_TRANSACTION_RETRY, 1);
// SentryStore should be initialized only once. The tables created by the test cases will
// be cleaned up during the @After method.
sentryStore = new SentryStore(conf);
boolean hdfsSyncEnabled = SentryServiceUtil.isHDFSSyncEnabled(conf);
sentryStore.setPersistUpdateDeltas(hdfsSyncEnabled);
}
@Before
public void before() throws Exception {
policyFile = new PolicyFile();
String adminUser = "g1";
addGroupsToUser(adminUser, adminGroups);
writePolicyFile();
}
@After
public void after() {
sentryStore.clearAllTables();
}
@AfterClass
public static void teardown() {
if (dataDir != null) {
FileUtils.deleteQuietly(dataDir);
}
sentryStore.stop();
}
/**
* Fail test if role already exists
* @param roleName Role name to checl
* @throws Exception
*/
private void checkRoleDoesNotExist(String roleName) throws Exception {
try {
sentryStore.getMSentryRoleByName(roleName);
fail("Role " + roleName + "already exists");
} catch (SentryNoSuchObjectException e) {
// Ok
}
}
/**
* Fail test if role doesn't exist
* @param roleName Role name to checl
* @throws Exception
*/
private void checkRoleExists(String roleName) throws Exception {
assertEquals(roleName.toLowerCase(),
sentryStore.getMSentryRoleByName(roleName).getRoleName());
}
/**
* Create a role with the given name and verify that it is created
* @param roleName
* @throws Exception
*/
private void createRole(String roleName) throws Exception {
checkRoleDoesNotExist(roleName);
sentryStore.createSentryRole(roleName);
checkRoleExists(roleName);
}
@Test
public void testCredentialProvider() throws Exception {
assertArrayEquals(passwd, conf.getPassword(ServerConfig.
SENTRY_STORE_JDBC_PASS));
}
@Test
public void testCaseInsensitiveRole() throws Exception {
String roleName = "newRole";
String grantor = "g1";
Set<TSentryGroup> groups = Sets.newHashSet();
TSentryGroup group = new TSentryGroup();
group.setGroupName("test-groups-g1");
groups.add(group);
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("TABLE");
privilege.setServerName("server1");
privilege.setDbName("default");
privilege.setTableName("table1");
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
Set<String> users = Sets.newHashSet("user1");
createRole(roleName);
sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups);
sentryStore.alterSentryRoleDeleteGroups(roleName, groups);
sentryStore.alterSentryRoleAddUsers(roleName, users);
MSentryUser user = sentryStore.getMSentryUserByName(users.iterator().next());
assertNotNull(user);
sentryStore.alterSentryRoleDeleteUsers(roleName, users);
user = sentryStore.getMSentryUserByName(users.iterator().next(), false);
assertNull(user);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
}
@Test
public void testURI() throws Exception {
String roleName1 = "test-role1";
String roleName2 = "test-role2";
String grantor = "g1";
String uri1 = "file:///var/folders/dt/9zm44z9s6bjfxbrm4v36lzdc0000gp/T/1401860678102-0/data/kv1.dat";
String uri2 = "file:///var/folders/dt/9zm44z9s6bjfxbrm4v36lzdc0000gp/T/1401860678102-0/data/kv2.dat";
createRole(roleName1);
createRole(roleName2);
TSentryPrivilege tSentryPrivilege1 = new TSentryPrivilege("URI", "server1", "ALL");
tSentryPrivilege1.setURI(uri1);
TSentryPrivilege tSentryPrivilege2 = new TSentryPrivilege("URI", "server1", "ALL");
tSentryPrivilege2.setURI(uri2);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(tSentryPrivilege1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName2, Sets.newHashSet(tSentryPrivilege2), null);
TSentryAuthorizable tSentryAuthorizable1 = new TSentryAuthorizable();
tSentryAuthorizable1.setUri(uri1);
tSentryAuthorizable1.setServer("server1");
TSentryAuthorizable tSentryAuthorizable2 = new TSentryAuthorizable();
tSentryAuthorizable2.setUri(uri2);
tSentryAuthorizable2.setServer("server1");
Set<TSentryPrivilege> privileges =
sentryStore.getTSentryPrivileges(SentryPrincipalType.ROLE, new HashSet<String>(Arrays.asList(roleName1, roleName2)), tSentryAuthorizable1);
assertTrue(privileges.size() == 1);
//Test with other URI Authorizable
privileges =
sentryStore.getTSentryPrivileges(SentryPrincipalType.ROLE, new HashSet<String>(Arrays.asList(roleName1, roleName2)), tSentryAuthorizable2);
assertTrue(privileges.size() == 1);
Set<TSentryGroup> tSentryGroups = new HashSet<TSentryGroup>();
tSentryGroups.add(new TSentryGroup("group1"));
sentryStore.alterSentryRoleAddGroups(grantor, roleName1, tSentryGroups);
sentryStore.alterSentryRoleAddUsers(roleName1, Sets.newHashSet("user1"));
sentryStore.alterSentryRoleAddGroups(grantor, roleName2, tSentryGroups);
sentryStore.alterSentryRoleAddUsers(roleName2, Sets.newHashSet("user1"));
TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(true, new HashSet<String>(Arrays.asList(roleName1,roleName2)));
// list privilege for group only
Set<String> privs = sentryStore.listSentryPrivilegesForProvider(
new HashSet<String>(Arrays.asList("group1")), Sets.newHashSet(""), thriftRoleSet,
tSentryAuthorizable1);
assertTrue(privs.size()==1);
assertTrue(privs.contains("server=server1->uri=" + uri1 + "->action=all"));
privs = sentryStore.listSentryPrivilegesForProvider(
new HashSet<String>(Arrays.asList("group1")), Sets.newHashSet(""), thriftRoleSet,
tSentryAuthorizable2);
assertTrue(privs.size()==1);
assertTrue(privs.contains("server=server1->uri=" + uri2 + "->action=all"));
// list privilege for user only
privs = sentryStore.listSentryPrivilegesForProvider(new HashSet<String>(Arrays.asList("")),
Sets.newHashSet("user1"), thriftRoleSet, tSentryAuthorizable1);
assertTrue(privs.size() == 1);
assertTrue(privs.contains("server=server1->uri=" + uri1 + "->action=all"));
privs = sentryStore.listSentryPrivilegesForProvider(new HashSet<String>(Arrays.asList("")),
Sets.newHashSet("user1"), thriftRoleSet, tSentryAuthorizable2);
assertTrue(privs.size() == 1);
assertTrue(privs.contains("server=server1->uri=" + uri2 + "->action=all"));
// list privilege for both user and group
privs = sentryStore.listSentryPrivilegesForProvider(
new HashSet<String>(Arrays.asList("group1")), Sets.newHashSet("user1"), thriftRoleSet,
tSentryAuthorizable1);
assertTrue(privs.size() == 1);
assertTrue(privs.contains("server=server1->uri=" + uri1 + "->action=all"));
privs = sentryStore.listSentryPrivilegesForProvider(
new HashSet<String>(Arrays.asList("group1")), Sets.newHashSet("user1"), thriftRoleSet,
tSentryAuthorizable2);
assertTrue(privs.size() == 1);
assertTrue(privs.contains("server=server1->uri=" + uri2 + "->action=all"));
}
@Test
public void testURIGrantRevokeOnEmptyPath() throws Exception {
String roleName = "test-empty-uri-role";
String uri = "";
createRole(roleName);
TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("URI", "server1", "ALL");
tSentryPrivilege.setURI(uri);
//Test grant on empty URI
try {
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(tSentryPrivilege), null);
fail("Expected SentryInvalidInputException");
} catch(SentryInvalidInputException e) {
// expected
}
//Test revoke on empty URI
try {
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(tSentryPrivilege), null);
fail("Expected SentryInvalidInputException");
} catch(SentryInvalidInputException e) {
// expected
}
}
@Test
public void testCreateDuplicateRole() throws Exception {
String roleName = "test-dup-role";
createRole(roleName);
try {
sentryStore.createSentryRole(roleName);
fail("Expected SentryAlreadyExistsException");
} catch(SentryAlreadyExistsException e) {
// expected
}
}
@Test
public void testCaseSensitiveScope() throws Exception {
String roleName = "role1";
createRole(roleName);
TSentryPrivilege sentryPrivilege = new TSentryPrivilege("Database", "server1", "all");
sentryPrivilege.setDbName("db1");
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(sentryPrivilege), null);
}
/**
* Create a new role and then destroy it
* @throws Exception
*/
@Test
public void testCreateDropRole() throws Exception {
String roleName = "test-drop-role";
createRole(roleName);
sentryStore.dropSentryRole(roleName);
checkRoleDoesNotExist(roleName);
}
@Test
public void testAddDeleteGroupsNonExistantRole()
throws Exception {
String roleName = "non-existant-role";
String grantor = "g1";
Set<TSentryGroup> groups = Sets.newHashSet();
Set<String> users = Sets.newHashSet(grantor);
try {
sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups);
fail("Expected SentryNoSuchObjectException exception");
} catch (SentryNoSuchObjectException e) {
// excepted exception
}
try {
sentryStore.alterSentryRoleAddUsers(roleName, users);
fail("Expected SentryNoSuchObjectException exception");
} catch (SentryNoSuchObjectException e) {
// excepted exception
}
}
@Test
public void testAddDeleteGroups() throws Exception {
String roleName = "test-groups";
String grantor = "g1";
createRole(roleName);
Set<TSentryGroup> groups = Sets.newHashSet();
TSentryGroup group = new TSentryGroup();
group.setGroupName("test-groups-g1");
groups.add(group);
group = new TSentryGroup();
group.setGroupName("test-groups-g2");
groups.add(group);
sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups);
sentryStore.alterSentryRoleDeleteGroups(roleName, groups);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
assertEquals(Collections.emptySet(), role.getGroups());
}
@Test
public void testAddDeleteUsers() throws Exception {
String roleName = "test-users";
createRole(roleName);
Set<String> users = Sets.newHashSet("test-user-u1", "test-user-u2");
sentryStore.alterSentryRoleAddUsers(roleName, users);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
role.getUsers().size();
sentryStore.alterSentryRoleDeleteUsers(roleName, users);
role = sentryStore.getMSentryRoleByName(roleName);
assertEquals(0, role.getUsers().size());
}
@Test
public void testGetTSentryRolesForUser() throws Exception {
// Test the method GetTSentryRolesForUser according to the following test data:
// user1->group1
// user2->group1
// user3->group1, group2
// user4->group2, group3
// group1->r1
// group2->r2
// group3->r2
// user2->r3
// user4->r3
String roleName1 = "r1";
String roleName2 = "r2";
String roleName3 = "r3";
String user1 = "u1";
String user2 = "u2";
String user3 = "u3";
String user4 = "u4";
String group1 = "group1";
String group2 = "group2";
String group3 = "group3";
Map<String, Set<String>> userToGroups = Maps.newHashMap();
userToGroups.put(user1, Sets.newHashSet(group1));
userToGroups.put(user2, Sets.newHashSet(group1));
userToGroups.put(user3, Sets.newHashSet(group1, group2));
userToGroups.put(user4, Sets.newHashSet(group2, group3));
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
sentryStore.createSentryRole(roleName3);
sentryStore.alterSentryRoleAddUsers(roleName1, Sets.newHashSet(user1));
sentryStore.alterSentryRoleAddUsers(roleName2, Sets.newHashSet(user2));
sentryStore.alterSentryRoleAddUsers(roleName2, Sets.newHashSet(user3));
sentryStore.alterSentryRoleAddUsers(roleName3, Sets.newHashSet(user2, user4));
Set<TSentryRole> roles = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(user1));
assertEquals(1, roles.size());
for (TSentryRole role : roles) {
assertTrue(roleName1.equals(role.getRoleName()));
}
roles = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(user2));
assertEquals(2, roles.size());
for (TSentryRole role : roles) {
assertTrue(roleName2.equals(role.getRoleName()) || roleName3.equals(role.getRoleName()));
}
roles = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(user3));
assertEquals(1, roles.size());
for (TSentryRole role : roles) {
assertTrue(roleName2.equals(role.getRoleName()));
}
roles = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(user4));
assertEquals(1, roles.size());
for (TSentryRole role : roles) {
assertTrue(roleName3.equals(role.getRoleName()));
}
}
@Test
public void testGetTSentryRolesForUsers() throws Exception {
// Test the method getTSentryRolesByUserNames according to the following test data:
// user1->r1
// user2->r3
// user3->r2
// user4->r3, r2
String roleName1 = "r1";
String roleName2 = "r2";
String roleName3 = "r3";
String user1 = "u1";
String user2 = "u2";
String user3 = "u3";
String user4 = "u4";
createRole(roleName1);
createRole(roleName2);
createRole(roleName3);
sentryStore.alterSentryRoleAddUsers(roleName1, Sets.newHashSet(user1));
sentryStore.alterSentryRoleAddUsers(roleName2, Sets.newHashSet(user3));
sentryStore.alterSentryRoleAddUsers(roleName2, Sets.newHashSet(user4));
sentryStore.alterSentryRoleAddUsers(roleName3, Sets.newHashSet(user2, user4));
Set<String> userSet1 = Sets.newHashSet(user1, user2, user3);
Set<String> roleSet1 = Sets.newHashSet(roleName1, roleName2, roleName3);
Set<String> userSet2 = Sets.newHashSet(user4);
Set<String> roleSet2 = Sets.newHashSet(roleName2, roleName3);
Set<String> userSet3 = Sets.newHashSet("foo");
Set<String> roleSet3 = Sets.newHashSet();
// Query for multiple users
Set<String> roles = convertToRoleNameSet(sentryStore.getTSentryRolesByUserNames(userSet1));
assertEquals("Returned roles should match the expected roles", 0, Sets.symmetricDifference(roles, roleSet1).size());
// Query for single users
roles = convertToRoleNameSet(sentryStore.getTSentryRolesByUserNames(userSet2));
assertEquals("Returned roles should match the expected roles", 0, Sets.symmetricDifference(roles, roleSet2).size());
// Query for non-existing user
roles = convertToRoleNameSet(sentryStore.getTSentryRolesByUserNames(userSet3));
assertEquals("Returned roles should match the expected roles", 0, Sets.symmetricDifference(roles, roleSet3).size());
}
private Set<String> convertToRoleNameSet(Set<TSentryRole> tSentryRoles) {
Set<String> roleNameSet = Sets.newHashSet();
for (TSentryRole role : tSentryRoles) {
roleNameSet.add(role.getRoleName());
}
return roleNameSet;
}
@Test
public void testGetTSentryRolesForGroups() throws Exception {
// Test the method getRoleNamesForGroups according to the following test data:
// group1->r1
// group2->r2
// group3->r2
String grantor = "g1";
String roleName1 = "r1";
String roleName2 = "r2";
String roleName3 = "r3";
String group1 = "group1";
String group2 = "group2";
String group3 = "group3";
createRole(roleName1);
createRole(roleName2);
createRole(roleName3);
sentryStore.alterSentryRoleAddGroups(grantor, roleName1, Sets.newHashSet(new TSentryGroup(group1)));
sentryStore.alterSentryRoleAddGroups(grantor, roleName2, Sets.newHashSet(new TSentryGroup(group2),
new TSentryGroup(group3)));
Set<String> groupSet1 = Sets.newHashSet(group1, group2, group3);
Set<String> roleSet1 = Sets.newHashSet(roleName1, roleName2);
Set<String> groupSet2 = Sets.newHashSet(group1);
Set<String> roleSet2 = Sets.newHashSet(roleName1);
Set<String> groupSet3 = Sets.newHashSet("foo");
Set<String> roleSet3 = Sets.newHashSet();
// Query for multiple groups
Set<String> roles = sentryStore.getRoleNamesForGroups(groupSet1);
assertEquals("Returned roles should match the expected roles", 0, Sets.symmetricDifference(roles, roleSet1).size());
// Query for single group
roles = sentryStore.getRoleNamesForGroups(groupSet2);
assertEquals("Returned roles should match the expected roles", 0, Sets.symmetricDifference(roles, roleSet2).size());
// Query for non-existing group
roles = sentryStore.getRoleNamesForGroups(groupSet3);
assertEquals("Returned roles should match the expected roles", 0, Sets.symmetricDifference(roles, roleSet3).size());
}
@Test
public void testGrantRevokePrivilege() throws Exception {
String roleName = "test-privilege";
String server = "server1";
String db = "db1";
String table = "tbl1";
createRole(roleName);
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("TABLE");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.SELECT);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
// after having ALL and revoking SELECT, we should have INSERT
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
for (MSentryPrivilege mPrivilege : privileges) {
assertEquals(server, mPrivilege.getServerName());
assertEquals(db, mPrivilege.getDbName());
assertEquals(table, mPrivilege.getTableName());
assertNotSame(AccessConstants.SELECT, mPrivilege.getAction());
assertFalse(mPrivilege.getGrantOption());
}
long numDBPrivs = sentryStore.countMSentryPrivileges();
assertEquals("Privilege count", numDBPrivs,1);
}
private void verifyOrphanCleanup() throws Exception {
assertFalse("Failed to cleanup orphaned privileges", sentryStore.findOrphanedPrivileges());
}
/**
* Create several privileges in the database, then delete the role that
* created them. This makes them all orphans. Wait a bit to ensure the
* cleanup thread runs, and expect them all to be gone from the database.
* @throws Exception
*/
// @Ignore("Disabled with SENTRY-545 following SENTRY-140 problems")
@Test
public void testPrivilegeCleanup() throws Exception {
final String roleName = "test-priv-cleanup";
final String server = "server";
final String dBase = "db";
final String table = "table-";
createRole(roleName);
// Create NUM_PRIVS unique privilege objects in the database
for (int i = 0; i < NUM_PRIVS; i++) {
TSentryPrivilege priv = new TSentryPrivilege();
priv.setPrivilegeScope("TABLE");
priv.setServerName(server);
priv.setAction(AccessConstants.ALL);
priv.setCreateTime(System.currentTimeMillis());
priv.setTableName(table + i);
priv.setDbName(dBase);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
}
// Make sure we really have the expected number of privs in the database
assertEquals(sentryStore.countMSentryPrivileges(), NUM_PRIVS);
// Now to make a bunch of orphans, we just remove the role that
// created them.
sentryStore.dropSentryRole(roleName);
// Now wait and see if the orphans get cleaned up
verifyOrphanCleanup();
List<MSentryPrivilege> list = sentryStore.getAllMSentryPrivileges();
assertEquals(list.size(), 0);
}
/**
* Much like testPrivilegeCleanup, make a lot of privileges and make sure
* they get cleaned up. The difference here is that the privileges are
* created by granting ALL and then removing SELECT - thus leaving INSERT.
* This test exists because the revocation plays havoc with the orphan
* cleanup thread.
* @throws Exception
*/
// @Ignore("Disabled with SENTRY-545 following SENTRY-140 problems")
@Test
public void testPrivilegeCleanup2() throws Exception {
final String roleName = "test-priv-cleanup";
final String server = "server";
final String dBase = "db";
final String table = "table-";
createRole(roleName);
// Create NUM_PRIVS unique privilege objects in the database once more,
// this time granting ALL and revoking SELECT to make INSERT.
for (int i=0 ; i < NUM_PRIVS; i++) {
TSentryPrivilege priv = new TSentryPrivilege();
priv.setPrivilegeScope("DATABASE");
priv.setServerName(server);
priv.setAction(AccessConstants.ALL);
priv.setCreateTime(System.currentTimeMillis());
priv.setTableName(table + i);
priv.setDbName(dBase);
priv.setGrantOption(TSentryGrantOption.TRUE);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
priv.setAction(AccessConstants.SELECT);
priv.setGrantOption(TSentryGrantOption.UNSET);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
// after having ALL and revoking SELECT, we should have INSERT
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1 * (i+1), privileges.size());
for ( MSentryPrivilege mSentryPrivilege : privileges) {
assertNotSame(AccessConstants.INSERT, mSentryPrivilege.getAction());
assertNotSame(AccessConstants.ALL, mSentryPrivilege.getAction());
}
}
// Drop the role and clean up as before
sentryStore.dropSentryRole(roleName);
verifyOrphanCleanup();
//There should not be any Privileges left
List<MSentryPrivilege> list = sentryStore.getAllMSentryPrivileges();
assertEquals(list.size(), 0);
}
/**
* This method tries to add ALL privileges on
* databases to a role and immediately revokes
* SELECT and INSERT privileges. At the end of
* each iteration we should not find any privileges
* for that role. Finally we should not find any
* privileges, as we are cleaning up orphan privileges
* immediately.
* @throws Exception
*/
@Test
public void testPrivilegeCleanup3() throws Exception {
final String roleName = "test-priv-cleanup";
final String server = "server";
final String dBase = "db";
final String table = "table-";
createRole(roleName);
// Create NUM_PRIVS unique privilege objects in the database once more,
// this time granting ALL and revoking SELECT to make INSERT.
for (int i=0 ; i < NUM_PRIVS; i++) {
TSentryPrivilege priv = new TSentryPrivilege();
priv.setPrivilegeScope("DATABASE");
priv.setServerName(server);
priv.setAction(AccessConstants.ALL);
priv.setCreateTime(System.currentTimeMillis());
priv.setTableName(table + i);
priv.setDbName(dBase);
priv.setGrantOption(TSentryGrantOption.TRUE);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
priv.setAction(AccessConstants.SELECT);
priv.setGrantOption(TSentryGrantOption.UNSET);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
assertFalse(sentryStore.findOrphanedPrivileges());
//After having ALL and revoking SELECT, we should have INSERT
//Remove the INSERT privilege as well.
//There should not be any more privileges in the sentry store
priv.setAction(AccessConstants.INSERT);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
assertEquals("Privilege Count", 0, role.getPrivileges().size());
priv.setAction(AccessConstants.CREATE);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
role = sentryStore.getMSentryRoleByName(roleName);
assertEquals("Privilege Count", 0, role.getPrivileges().size());
priv.setAction(AccessConstants.DROP);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
role = sentryStore.getMSentryRoleByName(roleName);
assertEquals("Privilege Count", 0, role.getPrivileges().size());
priv.setAction(AccessConstants.ALTER);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
role = sentryStore.getMSentryRoleByName(roleName);
assertEquals("Privilege Count", 0, role.getPrivileges().size());
}
// Drop the role and clean up as before
verifyOrphanCleanup();
//There should not be any Privileges left
List<MSentryPrivilege> list = sentryStore.getAllMSentryPrivileges();
assertEquals(list.size(), 0);
}
/**
* This method "n" privileges with action "ALL" on
* tables to a role. Later we are revoking insert
* and select privileges to of the tables making the
* the privilege orphan. Finally we should find only
* n -1 privileges, as we are cleaning up orphan
* privileges immediately.
* @throws Exception
*/
@Test
public void testPrivilegeCleanup4 () throws Exception {
final String roleName = "test-priv-cleanup";
final String server = "server";
final String dBase = "db";
final String table = "table-";
createRole(roleName);
// Create NUM_PRIVS unique privilege objects in the database
for (int i = 0; i < NUM_PRIVS; i++) {
TSentryPrivilege priv = new TSentryPrivilege();
priv.setPrivilegeScope("TABLE");
priv.setServerName(server);
priv.setAction(AccessConstants.ALL);
priv.setCreateTime(System.currentTimeMillis());
priv.setTableName(table + i);
priv.setDbName(dBase);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
}
// Make sure we really have the expected number of privs in the database
assertEquals(sentryStore.countMSentryPrivileges(), NUM_PRIVS);
//Revoking INSERT privilege. This is change the privilege to SELECT, CREATE, DROP, ALTER
TSentryPrivilege priv = new TSentryPrivilege();
priv.setPrivilegeScope("TABLE");
priv.setServerName(server);
priv.setAction(AccessConstants.INSERT);
priv.setCreateTime(System.currentTimeMillis());
priv.setTableName(table + '0');
priv.setDbName(dBase);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
//There should be SELECT privilege in the sentry store
priv = new TSentryPrivilege();
priv.setPrivilegeScope("TABLE");
priv.setServerName(server);
priv.setAction(AccessConstants.SELECT);
priv.setCreateTime(System.currentTimeMillis());
priv.setTableName(table + '0');
priv.setDbName(dBase);
MSentryPrivilege mPriv = sentryStore.findMSentryPrivilegeFromTSentryPrivilege(priv);
assertNotNull(mPriv);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
// should have NUM_PRIVS - 1 ALL privileges, and 4 privileges (SELECT, CREATE, DROP, ALTER)
assertEquals("Privilege Count", NUM_PRIVS, role.getPrivileges().size());
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
role = sentryStore.getMSentryRoleByName(roleName);
assertEquals("Privilege Count", NUM_PRIVS - 1, role.getPrivileges().size());
}
/**
* This method tries to add alter privileges on
* databases to a role and immediately revokes
* them. At the end of each iteration we should
* not find any privileges for that role
* Finally we should not find any privileges, as
* we are cleaning up orphan privileges immediately.
* @throws Exception
*/
@Test
public void testPrivilegeCleanup5() throws Exception {
final String roleName = "test-priv-cleanup";
final String server = "server";
final String dBase = "db";
final String table = "table-";
createRole(roleName);
// Create NUM_PRIVS unique privilege objects in the database once more,
// this time granting ALL and revoking SELECT to make INSERT.
for (int i=0 ; i < NUM_PRIVS; i++) {
TSentryPrivilege priv = new TSentryPrivilege();
priv.setPrivilegeScope("DATABASE");
priv.setServerName(server);
priv.setAction(AccessConstants.ALTER);
priv.setCreateTime(System.currentTimeMillis());
priv.setTableName(table + i);
priv.setDbName(dBase);
priv.setGrantOption(TSentryGrantOption.TRUE);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
priv.setAction(AccessConstants.ALTER);
sentryStore.alterSentryRevokePrivileges( SentryPrincipalType.ROLE, roleName, Sets.newHashSet(priv), null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
assertEquals("Privilege Count", 0, role.getPrivileges().size());
}
//There should not be any Privileges left
List<MSentryPrivilege> list = sentryStore.getAllMSentryPrivileges();
assertEquals(list.size(), 0);
}
@Test
public void testDropIndividualPrivilegesWhenGrantAllIsGranted() throws Exception {
final String ROLE_NAME = "r1";
final String SERVER_NAME = "server1";
final String DB_NAME = "db1";
final String TABLE_NAME = "table1";
TSentryPrivilege allPrivilege = toTSentryPrivilege(AccessConstants.ACTION_ALL,
PrivilegeScope.SERVER.toString(), SERVER_NAME, DB_NAME, TABLE_NAME, TSentryGrantOption.FALSE);
TSentryPrivilege allWithGrant = toTSentryPrivilege(AccessConstants.ACTION_ALL,
PrivilegeScope.SERVER.toString(), SERVER_NAME, DB_NAME, TABLE_NAME, TSentryGrantOption.TRUE);
TSentryPrivilege ownerPrivilege = toTSentryPrivilege(AccessConstants.OWNER,
PrivilegeScope.DATABASE.toString(), SERVER_NAME, DB_NAME, TABLE_NAME);
Set<TSentryPrivilege> grantPrivileges = Sets.newHashSet(
toTSentryPrivilege(AccessConstants.SELECT, PrivilegeScope.SERVER.toString(), SERVER_NAME,
DB_NAME, TABLE_NAME),
toTSentryPrivilege(AccessConstants.INSERT, PrivilegeScope.SERVER.toString(), SERVER_NAME,
DB_NAME, TABLE_NAME),
toTSentryPrivilege(AccessConstants.CREATE, PrivilegeScope.SERVER.toString(), SERVER_NAME,
DB_NAME, TABLE_NAME),
toTSentryPrivilege(AccessConstants.ALTER, PrivilegeScope.SERVER.toString(), SERVER_NAME,
DB_NAME, TABLE_NAME),
toTSentryPrivilege(AccessConstants.DROP, PrivilegeScope.SERVER.toString(), SERVER_NAME,
DB_NAME, TABLE_NAME),
toTSentryPrivilege(AccessConstants.INDEX, PrivilegeScope.SERVER.toString(), SERVER_NAME,
DB_NAME, TABLE_NAME),
toTSentryPrivilege(AccessConstants.LOCK, PrivilegeScope.SERVER.toString(), SERVER_NAME,
DB_NAME, TABLE_NAME),
// This special privilege will not be removed when granting all privileges
ownerPrivilege
);
// Grant individual privileges to a role
createRole(ROLE_NAME);
sentryStore.alterSentryRoleGrantPrivileges(ROLE_NAME, grantPrivileges);
// Check those individual privileges are granted
Set<TSentryPrivilege> rolePrivileges = sentryStore.getAllTSentryPrivilegesByRoleName(ROLE_NAME);
assertEquals(grantPrivileges.size(), rolePrivileges.size());
for (TSentryPrivilege privilege : grantPrivileges) {
assertTrue(String.format("Privilege %s was not granted.", privilege.getAction()),
rolePrivileges.contains(privilege));
}
// Grant the ALL privilege (this should remove all individual privileges, and grant only ALL)
sentryStore.alterSentryRoleGrantPrivileges(ROLE_NAME, Sets.newHashSet(allPrivilege));
// Check the ALL and OWNER privileges are the only privileges
rolePrivileges = sentryStore.getAllTSentryPrivilegesByRoleName(ROLE_NAME);
assertEquals(2, rolePrivileges.size()); // ALL and OWNER privileges should be there
assertTrue("Privilege ALL was not granted.", rolePrivileges.contains(allPrivilege));
assertTrue("Privilege OWNER was dropped.", rolePrivileges.contains(ownerPrivilege));
// Check the ALL WITH GRANT privilege just replaces the ALL and keeps the OWNER privilege
sentryStore.alterSentryRoleGrantPrivileges(ROLE_NAME, Sets.newHashSet(allWithGrant));
rolePrivileges = sentryStore.getAllTSentryPrivilegesByRoleName(ROLE_NAME);
assertTrue("Privilege ALL WITH GRANT was not granted.", rolePrivileges.contains(allWithGrant));
assertTrue("Privilege OWNER was dropped.", rolePrivileges.contains(ownerPrivilege));
// Check the ALL privilege just replaces the ALL WITH GRANT and keeps the OWNER privilege
sentryStore.alterSentryRoleGrantPrivileges(ROLE_NAME, Sets.newHashSet(allPrivilege));
rolePrivileges = sentryStore.getAllTSentryPrivilegesByRoleName(ROLE_NAME);
assertTrue("Privilege ALL was not granted.", rolePrivileges.contains(allPrivilege));
assertTrue("Privilege OWNER was dropped.", rolePrivileges.contains(ownerPrivilege));
// Clean-up test
sentryStore.dropSentryRole(ROLE_NAME);
}
//TODO Use new transaction Manager logic, Instead of
@Test
public void testGrantRevokeMultiPrivileges() throws Exception {
String roleName = "test-privilege";
String server = "server1";
String db = "db1";
String table = "tbl1";
String[] columns = {"c1","c2","c3","c4"};
createRole(roleName);
Set<TSentryPrivilege> tPrivileges = Sets.newHashSet();
for (String column : columns) {
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("Column");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setColumnName(column);
privilege.setAction(AccessConstants.SELECT);
privilege.setCreateTime(System.currentTimeMillis());
tPrivileges.add(privilege);
}
sentryStore.alterSentryRoleGrantPrivileges(roleName, tPrivileges);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 4, privileges.size());
tPrivileges = Sets.newHashSet();
for (int i = 0; i < 2; i++) {
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("Column");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setColumnName(columns[i]);
privilege.setAction(AccessConstants.SELECT);
privilege.setCreateTime(System.currentTimeMillis());
tPrivileges.add(privilege);
}
sentryStore.alterSentryRoleRevokePrivileges(roleName, tPrivileges);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 2, privileges.size());
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("Table");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setAction(AccessConstants.SELECT);
privilege.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
// After revoking table scope, we will have 0 privileges
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 0, privileges.size());
}
/**
* Regression test for SENTRY-74 and SENTRY-552
*/
@Test
public void testGrantRevokePrivilegeWithColumn() throws Exception {
String roleName = "test-col-privilege";
String server = "server1";
String db = "db1";
String table = "tbl1";
String column1 = "c1";
String column2 = "c2";
createRole(roleName);
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("COLUMN");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setColumnName(column1);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
// Grant ALL on c1 and c2
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
privilege.setColumnName(column2);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 2, privileges.size());
// Revoke SELECT on c2
privilege.setAction(AccessConstants.SELECT);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
// At this point c1 has ALL privileges and c2 should have (INSERT, CREATE, DROP, ALTER)
// after revoking SELECT
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 2, privileges.size());
for (MSentryPrivilege mPrivilege: privileges) {
assertEquals(server, mPrivilege.getServerName());
assertEquals(db, mPrivilege.getDbName());
assertEquals(table, mPrivilege.getTableName());
assertFalse(mPrivilege.getGrantOption());
if (mPrivilege.getColumnName().equals(column1)) {
assertEquals(AccessConstants.ALL, mPrivilege.getAction());
} else if (mPrivilege.getColumnName().equals(column2)) {
assertNotSame(AccessConstants.SELECT, mPrivilege.getAction());
assertNotSame(AccessConstants.ALL, mPrivilege.getAction());
} else {
fail("Unexpected column name: " + mPrivilege.getColumnName());
}
}
// after revoking INSERT table level privilege will remove INSERT privileges from column2
// and downgrade column1 to (SELECT) privileges.
privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("TABLE");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setAction(AccessConstants.INSERT);
privilege.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
// Revoke ALL from the table should now remove all the column privileges.
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 0, privileges.size());
}
/**
* Regression test for SENTRY-552
*/
@Test
public void testGrantRevokeTablePrivilegeDowngradeByDb() throws Exception {
String roleName = "test-table-db-downgrade-privilege";
String server = "server1";
String db = "db1";
String table1 = "tbl1";
String table2 = "tbl2";
createRole(roleName);
TSentryPrivilege privilegeTable1 = new TSentryPrivilege();
privilegeTable1.setPrivilegeScope("TABLE");
privilegeTable1.setServerName(server);
privilegeTable1.setDbName(db);
privilegeTable1.setTableName(table1);
privilegeTable1.setAction(AccessConstants.ALL);
privilegeTable1.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilegeTable2 = privilegeTable1.deepCopy();
privilegeTable2.setTableName(table2);
// Grant ALL on table1 and table2
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilegeTable1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilegeTable2), null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 2, privileges.size());
// Revoke SELECT on table2
privilegeTable2.setAction(AccessConstants.SELECT);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilegeTable2), null);
// after having ALL and revoking SELECT, we should have (INSERT) at table2
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 2, privileges.size());
for (MSentryPrivilege mPrivilege: privileges) {
assertEquals(server, mPrivilege.getServerName());
assertEquals(db, mPrivilege.getDbName());
assertFalse(mPrivilege.getGrantOption());
if (mPrivilege.getTableName().equals(table1)) {
assertEquals(AccessConstants.ALL, mPrivilege.getAction());
} else if (mPrivilege.getTableName().equals(table2)) {
assertNotSame(AccessConstants.SELECT, mPrivilege.getAction());
assertNotSame(AccessConstants.ALL, mPrivilege.getAction());
} else {
fail("Unexpected table name: " + mPrivilege.getTableName());
}
}
// Revoke INSERT on Database
privilegeTable2.setAction(AccessConstants.INSERT);
privilegeTable2.setPrivilegeScope("DATABASE");
privilegeTable2.unsetTableName();
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilegeTable2), null);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
// after revoking INSERT database level privilege
// table1 should have (SELECT)
// table2 should have ()
assertEquals(privileges.toString(), 1, privileges.size());
for (MSentryPrivilege mPrivilege : privileges) {
assertEquals(server, mPrivilege.getServerName());
assertEquals(db, mPrivilege.getDbName());
if (table1.equals(mPrivilege.getTableName())) {
assertNotSame(AccessConstants.INSERT, mPrivilege.getAction());
assertNotSame(AccessConstants.ALL, mPrivilege.getAction());
} else if (table2.equals(mPrivilege.getTableName())) {
assertNotSame(AccessConstants.INSERT, mPrivilege.getAction());
assertNotSame(AccessConstants.SELECT, mPrivilege.getAction());
assertNotSame(AccessConstants.ALL, mPrivilege.getAction());
}
assertFalse(mPrivilege.getGrantOption());
}
}
/**
* Regression test for SENTRY-552
*/
@Test
public void testGrantRevokeColumnPrivilegeDowngradeByDb() throws Exception {
String roleName = "test-column-db-downgrade-privilege";
String server = "server1";
String db = "db1";
String table = "tbl1";
String column1 = "c1";
String column2 = "c2";
createRole(roleName);
TSentryPrivilege privilegeCol1 = new TSentryPrivilege();
privilegeCol1.setPrivilegeScope("COLUMN");
privilegeCol1.setServerName(server);
privilegeCol1.setDbName(db);
privilegeCol1.setTableName(table);
privilegeCol1.setColumnName(column1);
privilegeCol1.setAction(AccessConstants.ALL);
privilegeCol1.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilegeCol2 = privilegeCol1.deepCopy();
privilegeCol2.setColumnName(column2);
// Grant ALL on column1 and column2
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilegeCol1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilegeCol2), null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 2, privileges.size());
// Revoke SELECT on column2
privilegeCol2.setAction(AccessConstants.SELECT);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilegeCol2), null);
// after having ALL and revoking SELECT, we should have (INSERT)
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 2, privileges.size());
for (MSentryPrivilege mPrivilege: privileges) {
assertEquals(server, mPrivilege.getServerName());
assertEquals(db, mPrivilege.getDbName());
assertEquals(table, mPrivilege.getTableName());
assertFalse(mPrivilege.getGrantOption());
if (mPrivilege.getColumnName().equals(column1)) {
assertEquals(AccessConstants.ALL, mPrivilege.getAction());
} else if (mPrivilege.getColumnName().equals(column2)) {
assertNotSame(AccessConstants.SELECT, mPrivilege.getAction());
} else {
fail("Unexpected column name: " + mPrivilege.getColumnName());
}
}
// Revoke INSERT on Database
privilegeCol2.setAction(AccessConstants.INSERT);
privilegeCol2.setPrivilegeScope("DATABASE");
privilegeCol2.unsetTableName();
privilegeCol2.unsetColumnName();
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilegeCol2), null);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
// after revoking INSERT database level privilege
// column2 has ()
// and downgrade column1 to (SELECT) privileges.
assertEquals(privileges.toString(), 1, privileges.size());
for (MSentryPrivilege mPrivilege : privileges) {
assertEquals(server, mPrivilege.getServerName());
assertEquals(db, mPrivilege.getDbName());
assertEquals(table, mPrivilege.getTableName());
if (column1.equals(mPrivilege.getColumnName())) {
assertNotSame(AccessConstants.INSERT, mPrivilege.getAction());
} else if (column1.equals(mPrivilege.getColumnName())) {
assertNotSame(AccessConstants.SELECT, mPrivilege.getAction());
assertNotSame(AccessConstants.INSERT, mPrivilege.getAction());
}
assertFalse(mPrivilege.getGrantOption());
}
}
@Test
public void testGrantRevokePrivilegeWithGrantOption() throws Exception {
String roleName = "test-grantOption-table";
String server = "server1";
String db = "db1";
String table = "tbl1";
TSentryGrantOption grantOption = TSentryGrantOption.TRUE;
createRole(roleName);
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("TABLE");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
privilege.setGrantOption(grantOption);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
assertEquals(Boolean.valueOf(privilege.getGrantOption().toString()), Iterables.get(privileges, 0).getGrantOption());
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(0, privileges.size());
roleName = "test-grantOption-db";
createRole(roleName);
privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("DATABASE");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setAction(AccessConstants.ALL);
privilege.setGrantOption(TSentryGrantOption.TRUE);
privilege.setCreateTime(System.currentTimeMillis());
privilege.setGrantOption(grantOption);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.SELECT);
privilege.setGrantOption(TSentryGrantOption.UNSET);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
// after having ALL and revoking SELECT, we should have (INSERT)
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
for (MSentryPrivilege mPrivilege : privileges) {
assertEquals(server, mPrivilege.getServerName());
assertEquals(db, mPrivilege.getDbName());
assertNotSame(AccessConstants.SELECT, mPrivilege.getAction());
}
}
@Test
public void testRevokeAllGrantOption() throws Exception {
// 1. set local group mapping
// user0->group0->role0
String grantor = "g1";
String[] users = {"user0"};
String[] roles = {"role0"};
String[] groups = {"group0"};
for (int i = 0; i < users.length; i++) {
addGroupsToUser(users[i], groups[i]);
sentryStore.createSentryRole(roles[i]);
Set<TSentryGroup> tGroups = Sets.newHashSet();
TSentryGroup tGroup = new TSentryGroup(groups[i]);
tGroups.add(tGroup);
sentryStore.alterSentryRoleAddGroups(grantor, roles[i], tGroups);
}
writePolicyFile();
// 2. g1 grant select on table tb1 to role0, with grant option
String server = "server1";
String db = "db1";
String table = "tbl1";
String roleName = roles[0];
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("TABLE");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setAction(AccessConstants.SELECT);
privilege.setCreateTime(System.currentTimeMillis());
privilege.setGrantOption(TSentryGrantOption.TRUE);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
// 3. g1 grant select on table tb1 to role0, no grant option
roleName = roles[0];
privilege.setGrantOption(TSentryGrantOption.FALSE);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
// 4. g1 revoke all privilege from role0
roleName = roles[0];
privilege.setGrantOption(TSentryGrantOption.UNSET);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 0, privileges.size());
}
@Test
public void testGrantDuplicatePrivilege() throws Exception {
String roleName = "test-privilege";
String server = "server1";
String db = "db1";
String table = "tbl1";
createRole(roleName);
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("TABLE");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
privilege.setServerName("Server1");
privilege.setDbName("DB1");
privilege.setTableName("TBL1");
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
}
@Test
public void testListSentryPrivilegesForProvider() throws Exception {
String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2";
String groupName1 = "list-privs-g1", groupName2 = "list-privs-g2";
String userName1 = "list-privs-u1", userName2 = "list-privs-u2";
String userWithoutRole = "user-no-privs";
Set<String> noRoleUsers = Sets.newHashSet(userWithoutRole);
String grantor = "g1";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
TSentryPrivilege privilege1 = new TSentryPrivilege();
privilege1.setPrivilegeScope("TABLE");
privilege1.setServerName("server1");
privilege1.setDbName("db1");
privilege1.setTableName("tbl1");
privilege1.setAction("SELECT");
privilege1.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName2, Sets.newHashSet(privilege1), null);
TSentryPrivilege privilege2 = new TSentryPrivilege();
privilege2.setPrivilegeScope("SERVER");
privilege2.setServerName("server1");
privilege2.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName2, Sets.newHashSet(privilege2), null);
Set<TSentryGroup> groups = Sets.newHashSet();
Set<String> users = Sets.newHashSet();
TSentryGroup group = new TSentryGroup();
group.setGroupName(groupName1);
groups.add(group);
users.add(userName1);
sentryStore.alterSentryRoleAddGroups(grantor, roleName1, groups);
sentryStore.alterSentryRoleAddUsers(roleName1, users);
groups.clear();
users.clear();
group = new TSentryGroup();
group.setGroupName(groupName2);
groups.add(group);
users.add(userName2);
// group 2 and user2 has both roles 1 and 2
sentryStore.alterSentryRoleAddGroups(grantor, roleName1, groups);
sentryStore.alterSentryRoleAddGroups(grantor, roleName2, groups);
sentryStore.alterSentryRoleAddUsers(roleName1, users);
sentryStore.alterSentryRoleAddUsers(roleName2, users);
// group1 all roles
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets
.newHashSet(groupName1), noRoleUsers, new TSentryActiveRoleSet(true,
new HashSet<String>()))));
// user1 all roles
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets
.newHashSet(""), Sets.newHashSet(userName1), new TSentryActiveRoleSet(true,
new HashSet<String>()))));
// group1 and user1 all roles
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets
.newHashSet(groupName1), Sets.newHashSet(userName1), new TSentryActiveRoleSet(true,
new HashSet<String>()))));
// one active role
assertEquals(
Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
Sets.newHashSet(groupName1), noRoleUsers,
new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
// unknown active role
assertEquals(
Sets.newHashSet(),
SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
Sets.newHashSet(groupName1), noRoleUsers,
new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
// no active roles
assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore
.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1), noRoleUsers,
new TSentryActiveRoleSet(false, new HashSet<String>()))));
// group2 all roles
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
"server=server1"), SentryStore.toTrimedLower(sentryStore
.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), Sets.newHashSet(""),
new TSentryActiveRoleSet(true, new HashSet<String>()))));
// user2 all roles
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
"server=server1"), SentryStore.toTrimedLower(sentryStore
.listAllSentryPrivilegesForProvider(Sets.newHashSet(""), Sets.newHashSet(userName2),
new TSentryActiveRoleSet(true, new HashSet<String>()))));
// user2 and group2 all roles
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
"server=server1"), SentryStore.toTrimedLower(sentryStore
.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
Sets.newHashSet(userName2), new TSentryActiveRoleSet(true, new HashSet<String>()))));
// one active role
assertEquals(
Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
Sets.newHashSet(groupName2), noRoleUsers,
new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
assertEquals(
Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"),
SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
Sets.newHashSet(groupName2), noRoleUsers,
new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2)))));
// unknown active role
assertEquals(
Sets.newHashSet(),
SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
Sets.newHashSet(groupName2), noRoleUsers,
new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
// no active roles
assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore
.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2), noRoleUsers,
new TSentryActiveRoleSet(false, new HashSet<String>()))));
// both groups, all active roles
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
"server=server1"), SentryStore.toTrimedLower(sentryStore
.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), noRoleUsers,
new TSentryActiveRoleSet(true, new HashSet<String>()))));
// both users and groups, all active roles
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
"server=server1"), SentryStore.toTrimedLower(sentryStore
.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), Sets
.newHashSet(userName1, userName2),
new TSentryActiveRoleSet(true, new HashSet<String>()))));
// one active role
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(
groupName1, groupName2), noRoleUsers,
new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select",
"server=server1"), SentryStore.toTrimedLower(sentryStore
.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), noRoleUsers,
new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2)))));
// unknown active role
assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore
.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), noRoleUsers,
new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
// no active roles
assertEquals(Sets.newHashSet(), SentryStore.toTrimedLower(sentryStore
.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1, groupName2), noRoleUsers,
new TSentryActiveRoleSet(false, new HashSet<String>()))));
}
@Test
public void testListRole() throws Exception {
String roleName1 = "role1", roleName2 = "role2", roleName3 = "role3";
String group1 = "group1", group2 = "group2";
String grantor = "g1";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
sentryStore.createSentryRole(roleName3);
sentryStore.alterSentryRoleAddGroups(grantor, roleName1, Sets.newHashSet(new TSentryGroup(group1)));
sentryStore.alterSentryRoleAddGroups(grantor, roleName2, Sets.newHashSet(new TSentryGroup(group2)));
sentryStore.alterSentryRoleAddGroups(grantor, roleName3,
Sets.newHashSet(new TSentryGroup(group1), new TSentryGroup(group2)));
assertEquals(2, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group1), false).size());
assertEquals(2, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group2), false).size());
assertEquals(3, sentryStore.getTSentryRolesByGroupName(Sets.newHashSet(group1,group2), false).size());
assertEquals(0,
sentryStore.getTSentryRolesByGroupName(Sets.newHashSet("foo"), true)
.size());
}
/**
* Assign multiple table and SERVER privileges to roles and users
* drop privilege for the object verify that it's removed correctly
* @throws Exception
*/
@Test
public void testDropDbObject() throws Exception {
String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2", roleName3 = "list-privs-r3";
String userName1 = "user-1", userName2 = "user-2";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
sentryStore.createSentryRole(roleName3);
sentryStore.createSentryUser(userName1);
sentryStore.createSentryUser(userName2);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName("tbl1");
privilege_tbl1.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege1 = new TSentryPrivilege(privilege_tbl1);
privilege1.setAction("SELECT");
TSentryPrivilege privilege2_1 = new TSentryPrivilege(privilege_tbl1);
privilege2_1.setAction("INSERT");
TSentryPrivilege privilege3_1 = new TSentryPrivilege(privilege_tbl1);
privilege3_1.setAction("*");
TSentryPrivilege privilege_server = new TSentryPrivilege();
privilege_server.setPrivilegeScope("SERVER");
privilege_server.setServerName("server1");
privilege_server.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege_tbl2 = new TSentryPrivilege();
privilege_tbl2.setPrivilegeScope("TABLE");
privilege_tbl2.setServerName("server1");
privilege_tbl2.setDbName("db1");
privilege_tbl2.setTableName("tbl2");
privilege_tbl2.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege2_3 = new TSentryPrivilege(privilege_tbl2);
privilege2_3.setAction("SELECT");
TSentryPrivilege privilege3_2 = new TSentryPrivilege(privilege_tbl2);
privilege3_2.setAction("INSERT");
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName2, Sets.newHashSet(privilege2_1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName2, Sets.newHashSet(privilege_server), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName2, Sets.newHashSet(privilege2_3), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName3, Sets.newHashSet(privilege3_1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName3, Sets.newHashSet(privilege3_2), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName1, Sets.newHashSet(privilege1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName2, Sets.newHashSet(privilege2_3), null);
sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1));
assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
.size());
assertEquals(2, sentryStore.getAllTSentryPrivilegesByRoleName(roleName2)
.size());
assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName3)
.size());
try {
sentryStore.getAllTSentryPrivilegesByUserName(userName1);
fail("Should have received an exception");
} catch (Exception e) {
}
assertEquals(1, sentryStore.getAllTSentryPrivilegesByUserName(userName2)
.size());
sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl2));
assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
.size());
assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName2)
.size());
assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName3)
.size());
try {
sentryStore.getAllTSentryPrivilegesByUserName(userName2);
fail("Should have received an exception");
} catch (Exception e) {
}
}
/**
* Grants owner privileges to role/user and updates the owner
* and makes sure that the owner privilege is updated.
* @throws Exception
*/
@Test
public void testUpdateOwnerPrivilege() throws Exception {
String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2", roleName3 = "list-privs-r3";
String userName1 = "user1", userName2 = "user2";
List<SentryOwnerInfo> ownerInfoList = null;
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
sentryStore.createSentryRole(roleName3);
sentryStore.createSentryUser(userName1);
sentryStore.createSentryUser(userName2);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName("tbl1");
privilege_tbl1.setCreateTime(System.currentTimeMillis());
privilege_tbl1.setAction("OWNER");
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setServer("server1");
tSentryAuthorizable.setDb("db1");
tSentryAuthorizable.setTable("tbl1");
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1), null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
.size());
assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName2)
.size());
ownerInfoList = sentryStore.listOwnersByAuthorizable(tSentryAuthorizable);
assertEquals(1, ownerInfoList.size());
assertEquals(SentryPrincipalType.ROLE, ownerInfoList.get(0).getOwnerType());
assertEquals(roleName1, ownerInfoList.get(0).getOwnerName());
// Change owner from a one role to another role
sentryStore.updateOwnerPrivilege(tSentryAuthorizable, roleName2, SentryPrincipalType.ROLE, null);
ownerInfoList = sentryStore.listOwnersByAuthorizable(tSentryAuthorizable);
assertEquals(1, ownerInfoList.size());
assertEquals(SentryPrincipalType.ROLE, ownerInfoList.get(0).getOwnerType());
assertEquals(roleName2, ownerInfoList.get(0).getOwnerName());
assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
.size());
assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName2)
.size());
tSentryAuthorizable.setTable("tbl2");
TSentryPrivilege privilege_tbl2 = new TSentryPrivilege(privilege_tbl1);
privilege_tbl2.setTableName("tbl2");
// Change owner from a one user to another user
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER,userName1, Sets.newHashSet(privilege_tbl2), null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByUserName(userName1)
.size());
sentryStore.updateOwnerPrivilege(tSentryAuthorizable, userName2, SentryPrincipalType.USER, null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByUserName(userName2)
.size());
ownerInfoList = sentryStore.listOwnersByAuthorizable(tSentryAuthorizable);
assertEquals(1, ownerInfoList.size());
assertEquals(SentryPrincipalType.USER, ownerInfoList.get(0).getOwnerType());
assertEquals(userName2, ownerInfoList.get(0).getOwnerName());
// Change owner from a user to role
sentryStore.updateOwnerPrivilege(tSentryAuthorizable, roleName1, SentryPrincipalType.ROLE, null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
.size());
// At this point roleName1 has owner privilege on db1.tb2
//Add all privilege to roleName1 and make sure that owner privilege is not effected.
TSentryPrivilege privilege_tbl2_all = new TSentryPrivilege(privilege_tbl2);
privilege_tbl2_all.setAction(AccessConstants.ALL);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl2_all), null);
// Verify that there are two privileges.
assertEquals(2, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
.size());
tSentryAuthorizable.setTable("tbl3");
TSentryPrivilege privilege_tbl3_all = new TSentryPrivilege(privilege_tbl2);
privilege_tbl3_all.setAction(AccessConstants.ALL);
privilege_tbl3_all.setTableName("tbl3");
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName3, Sets.newHashSet(privilege_tbl3_all), null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByRoleName(roleName3)
.size());
TSentryPrivilege privilege_tbl3_owner = new TSentryPrivilege(privilege_tbl3_all);
privilege_tbl3_owner.setAction(AccessConstants.OWNER);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName3, Sets.newHashSet(privilege_tbl3_owner), null);
assertEquals(2, sentryStore.getAllTSentryPrivilegesByRoleName(roleName3)
.size());
}
@Test
public void testListSentryOwnerPrivilegesByAuthorizable() throws Exception {
String roleName1 = "list-privs-r1";
String userName1 = "user1";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryUser(userName1);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName("tbl1");
privilege_tbl1.setCreateTime(System.currentTimeMillis());
privilege_tbl1.setAction("OWNER");
privilege_tbl1.setGrantOption(TSentryGrantOption.TRUE);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setServer("server1");
tSentryAuthorizable.setDb("db1");
tSentryAuthorizable.setTable("tbl1");
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1), null);
sentryStore.updateOwnerPrivilege(tSentryAuthorizable, userName1, SentryPrincipalType.USER, null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByUserName(userName1)
.size());
}
@Test
public void testRevokeOwnerPrivilege() throws Exception {
String roleName1 = "list-privs-r1";
String userName1 = "user1";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryUser(userName1);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName("tbl1");
privilege_tbl1.setCreateTime(System.currentTimeMillis());
privilege_tbl1.setAction("OWNER");
privilege_tbl1.setGrantOption(TSentryGrantOption.TRUE);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setServer("server1");
tSentryAuthorizable.setDb("db1");
tSentryAuthorizable.setTable("tbl1");
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1), null);
sentryStore.revokeOwnerPrivileges(tSentryAuthorizable, null);
assertEquals(0, sentryStore.getAllTSentryPrivilegesByUserName(userName1)
.size());
}
@Test
public void testgetPrivilegesForAuthorizables() throws Exception {
String roleName1 = "list-privs-r1";
String userName1 = "user1";
String uri1 = "file:///var/folders/dt/9zm44z9s6bjfxbrm4v36lzdc0000gp/T/1401860678102-0/data/kv1.dat";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryUser(userName1);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName("tbl1");
privilege_tbl1.setCreateTime(System.currentTimeMillis());
privilege_tbl1.setAction("SELECT");
privilege_tbl1.setGrantOption(TSentryGrantOption.TRUE);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setServer("server1");
tSentryAuthorizable.setDb("db1");
tSentryAuthorizable.setTable("tbl1");
TSentryPrivilege privilege_tbl2 = new TSentryPrivilege();
privilege_tbl2.setPrivilegeScope("TABLE");
privilege_tbl2.setServerName("server1");
privilege_tbl2.setDbName("db1");
privilege_tbl2.setTableName("tbl2");
privilege_tbl2.setCreateTime(System.currentTimeMillis());
privilege_tbl2.setAction("SELECT");
privilege_tbl2.setGrantOption(TSentryGrantOption.TRUE);
TSentryAuthorizable tSentryAuthorizable2 = new TSentryAuthorizable();
tSentryAuthorizable2.setServer("server1");
tSentryAuthorizable2.setDb("db1");
tSentryAuthorizable2.setTable("tbl2");
TSentryPrivilege privilege_col1 = new TSentryPrivilege(privilege_tbl2);
privilege_col1.setPrivilegeScope("TABLE");
privilege_col1.setServerName("server1");
privilege_col1.setDbName("db3");
privilege_col1.setTableName("tbl3");
privilege_col1.setCreateTime(System.currentTimeMillis());
privilege_col1.setAction("SELECT");
privilege_col1.setGrantOption(TSentryGrantOption.TRUE);
privilege_col1.setColumnName("Column1");
TSentryAuthorizable tSentryAuthorizable3 = new TSentryAuthorizable();
tSentryAuthorizable3.setServer("server1");
tSentryAuthorizable3.setDb("db3");
tSentryAuthorizable3.setTable("tbl3");
tSentryAuthorizable3.setColumn("Column1");
TSentryPrivilege tSentryUriPrivilege = new TSentryPrivilege("URI", "server1", "ALL");
tSentryUriPrivilege.setURI(uri1);
TSentryAuthorizable tSentryUriAuthorizable = new TSentryAuthorizable();
tSentryUriAuthorizable.setUri(uri1);
tSentryUriAuthorizable.setServer("server1");
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1,privilege_tbl2, privilege_col1, tSentryUriPrivilege), null);
// Verify the privilege count
List<MSentryPrivilege> privilege = sentryStore.getPrivilegesForAuthorizables(Lists.newArrayList(tSentryAuthorizable,tSentryAuthorizable2, tSentryUriAuthorizable, tSentryAuthorizable3));
assertEquals(4, privilege.size());
// Verify the behavior when the empty authorizable list provided.
privilege = sentryStore.getPrivilegesForAuthorizables(Collections.EMPTY_LIST);
assertNotNull(privilege);
assertEquals(4, privilege.size());
// Verify the behvaior when the authorizable list is null.
privilege = sentryStore.getPrivilegesForAuthorizables(null);
assertNotNull(privilege);
assertEquals(4, privilege.size());
// Verify the privilege granted to URI is returned
privilege = sentryStore.getPrivilegesForAuthorizables(Lists.newArrayList(tSentryAuthorizable2));
assertEquals(1, privilege.size());
TSentryAuthorizable tSentrDbAuthorizable = new TSentryAuthorizable();
tSentrDbAuthorizable.setServer("server1");
tSentrDbAuthorizable.setDb("db1");
// Verify that all the privileges granted to tables in database db1 are returned.
privilege = sentryStore.getPrivilegesForAuthorizables(Lists.newArrayList(tSentrDbAuthorizable));
assertEquals(2, privilege.size());
// Verify that all the privileges granted to server are returned.
privilege = sentryStore.getPrivilegesForAuthorizables(Lists.newArrayList(tSentryAuthorizable3));
assertEquals(1, privilege.size());
TSentryAuthorizable tSentrServerAuthorizable = new TSentryAuthorizable();
tSentrServerAuthorizable.setServer("server1");
// Verify that all the privileges granted to server are returned.
privilege = sentryStore.getPrivilegesForAuthorizables(Lists.newArrayList(tSentrServerAuthorizable));
assertEquals(4, privilege.size());
// Grant user1 same privileges granted to role1 and make sure that there are no duplicates in the privileges.
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName1, Sets.newHashSet(privilege_tbl1,privilege_tbl2, tSentryUriPrivilege), null);
// Verify that all the privileges granted to server are returned.
privilege = sentryStore.getPrivilegesForAuthorizables(Lists.newArrayList(tSentrServerAuthorizable));
assertEquals(4, privilege.size());
}
@Test
public void testgetPrivilegesForURIs() throws Exception {
String roleName1 = "list-privs-r1";
String uriPrefix = "file:///var/folders/dt/9zm44z9s6bjfxbrm4v36lzdc0000gp/T/1401860678102-0/";
String uri1 = "file:///var/folders/dt/9zm44z9s6bjfxbrm4v36lzdc0000gp/T/1401860678102-0/data/kv1.dat";
String uri2 = "file:///var/folders/dt/9zm44z9s6bjfxbrm4v36lzdc0000gp/T/1401860678102-0/data/kv2.dat";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege tSentryUriPrivilege1 = new TSentryPrivilege("URI", "server1", "ALL");
tSentryUriPrivilege1.setURI(uri1);
TSentryPrivilege tSentryUriPrivilege2 = new TSentryPrivilege("URI", "server1", "ALL");
tSentryUriPrivilege2.setURI(uri2);
TSentryAuthorizable tSentryUriAuthorizable = new TSentryAuthorizable();
tSentryUriAuthorizable.setUri(uriPrefix);
tSentryUriAuthorizable.setServer("server1");
// Grant user1 same privileges granted to role1 and make sure that there are no duplicates in the privileges.
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(tSentryUriPrivilege1, tSentryUriPrivilege2), null);
// Verify that all the privileges granted to all the URI;s under given prefix are returned.
List<MSentryPrivilege> privilege = sentryStore.getPrivilegesForAuthorizables(Lists.newArrayList(tSentryUriAuthorizable));
assertEquals(2, privilege.size());
}
@Test
public void testDropUserOnUpdateOwnerPrivilege() throws Exception {
String userName1 = "user1", userName2 = "user2";
sentryStore.createSentryUser(userName1);
sentryStore.createSentryUser(userName2);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName("tbl1");
privilege_tbl1.setCreateTime(System.currentTimeMillis());
privilege_tbl1.setAction("OWNER");
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setServer("server1");
tSentryAuthorizable.setDb("db1");
tSentryAuthorizable.setTable("tbl1");
// Change owner from a one user to another user
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName1, Sets.newHashSet(privilege_tbl1), null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByUserName(userName1)
.size());
sentryStore.updateOwnerPrivilege(tSentryAuthorizable, userName2, SentryPrincipalType.USER, null);
assertEquals(1, sentryStore.getAllTSentryPrivilegesByUserName(userName2)
.size());
try {
sentryStore.createSentryUser(userName1);
} catch (Exception e) {
fail("Exception should not be seen asthe user: " + userName1 + " should have been deleted.");
}
}
/**
* Regression test for SENTRY-547 and SENTRY-548
* Use case:
* GRANT INSERT on TABLE tbl1 to ROLE role1
* GRANT SELECT on TABLE tbl1 to ROLE role1
* GRANT ALTER on TABLE tbl1 to ROLE role1
* GRANT DROP on TABLE tbl1 to ROLE role1
* DROP TABLE tbl1
*
* After drop tbl1, role1 should have 0 privileges
*/
@Test
public void testDropTableWithMultiAction() throws Exception {
String roleName1 = "role1";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName("tbl1");
privilege_tbl1.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege(
privilege_tbl1);
privilege_tbl1_insert.setAction(AccessConstants.INSERT);
TSentryPrivilege privilege_tbl1_select = new TSentryPrivilege(
privilege_tbl1);
privilege_tbl1_select.setAction(AccessConstants.SELECT);
TSentryPrivilege privilege_tbl1_alter = new TSentryPrivilege(
privilege_tbl1);
privilege_tbl1_alter.setAction(AccessConstants.ALTER);
TSentryPrivilege privilege_tbl1_drop = new TSentryPrivilege(
privilege_tbl1);
privilege_tbl1_drop.setAction(AccessConstants.DROP);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_insert), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_select), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_alter), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_drop), null);
assertEquals(4, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1).size());
// after drop privilege_tbl1, role1 should have 0 privileges
sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1));
assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1).size());
}
@Test
public void testDropTableWithColumn() throws Exception {
String roleName1 = "role1", roleName2 = "role2";
String table1 = "tbl1";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName(table1);
privilege_tbl1.setAction(AccessConstants.SELECT);
privilege_tbl1.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege_tbl1_c1 = new TSentryPrivilege(privilege_tbl1);
privilege_tbl1_c1.setPrivilegeScope("COLUMN");
privilege_tbl1_c1.setColumnName("c1");
privilege_tbl1_c1.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege_tbl1_c2 = new TSentryPrivilege(privilege_tbl1);
privilege_tbl1_c2.setPrivilegeScope("COLUMN");
privilege_tbl1_c2.setColumnName("c2");
privilege_tbl1_c2.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege_tbl1_c3 = new TSentryPrivilege(privilege_tbl1);
privilege_tbl1_c3.setPrivilegeScope("COLUMN");
privilege_tbl1_c3.setColumnName("c3");
privilege_tbl1_c3.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_c1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_c2), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName2, Sets.newHashSet(privilege_tbl1_c3), null);
Set<TSentryPrivilege> privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
assertEquals(2, privilegeSet.size());
privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2);
assertEquals(1, privilegeSet.size());
TSentryAuthorizable tableAuthorizable = toTSentryAuthorizable(privilege_tbl1);
sentryStore.dropPrivilege(tableAuthorizable);
privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
assertEquals(0, privilegeSet.size());
privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2);
assertEquals(0, privilegeSet.size());
}
@Test
public void testDropOverlappedPrivileges() throws Exception {
String roleName1 = "list-privs-r1";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName("tbl1");
privilege_tbl1.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege(
privilege_tbl1);
privilege_tbl1_insert.setAction("INSERT");
TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1);
privilege_tbl1_all.setAction("*");
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_insert), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_all), null);
sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1));
assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1)
.size());
}
private TSentryAuthorizable toTSentryAuthorizable(
TSentryPrivilege tSentryPrivilege) {
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setServer(tSentryPrivilege.getServerName());
tSentryAuthorizable.setDb(tSentryPrivilege.getDbName());
tSentryAuthorizable.setTable(tSentryPrivilege.getTableName());
tSentryAuthorizable.setUri(tSentryPrivilege.getURI());
return tSentryAuthorizable;
}
/***
* Create roles and users and assign privileges for same table rename the privileges for
* the table and verify the new privileges
* @throws Exception
*/
@Test
public void testRenameTable() throws Exception {
String roleName1 = "role1", roleName2 = "role2", roleName3 = "role3";
String userName1 = "user-1", userName2 = "user-2", userName3 = "user-3";
String table1 = "tbl1", table2 = "tbl2";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
sentryStore.createSentryRole(roleName3);
sentryStore.createSentryUser(userName1);
sentryStore.createSentryUser(userName2);
sentryStore.createSentryUser(userName3);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName(table1);
privilege_tbl1.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege(
privilege_tbl1);
privilege_tbl1_insert.setAction(AccessConstants.INSERT);
TSentryPrivilege privilege_tbl1_select = new TSentryPrivilege(
privilege_tbl1);
privilege_tbl1_select.setAction(AccessConstants.SELECT);
TSentryPrivilege privilege_tbl1_all = new TSentryPrivilege(privilege_tbl1);
privilege_tbl1_all.setAction(AccessConstants.ALL);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_insert), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName2, Sets.newHashSet(privilege_tbl1_select), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName3, Sets.newHashSet(privilege_tbl1_all), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName1, Sets.newHashSet(privilege_tbl1_insert), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName2, Sets.newHashSet(privilege_tbl1_select), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName3, Sets.newHashSet(privilege_tbl1_all), null);
TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);
TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1);
newTable.setTable(table2);
sentryStore.renamePrivilege(oldTable, newTable);
for (String roleName : Sets.newHashSet(roleName1, roleName2, roleName3)) {
Set<TSentryPrivilege> privilegeSet = sentryStore
.getAllTSentryPrivilegesByRoleName(roleName);
assertEquals(1, privilegeSet.size());
for (TSentryPrivilege privilege : privilegeSet) {
assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
}
}
for (String userName : Sets.newHashSet(userName1, userName2, userName3)) {
Set<TSentryPrivilege> privilegeSet = sentryStore
.getAllTSentryPrivilegesByUserName(userName);
assertEquals(1, privilegeSet.size());
for (TSentryPrivilege privilege : privilegeSet) {
assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
}
}
}
/**
* Regression test for SENTRY-550
* Use case:
* GRANT INSERT on TABLE tbl1 to ROLE role1
* GRANT SELECT on TABLE tbl1 to ROLE role1
* GRANT ALTER on TABLE tbl1 to ROLE role1
* GRANT DROP on TABLE tbl1 to ROLE role1
* RENAME TABLE tbl1 to tbl2
*
* After rename tbl1 to tbl2, table name of all role1's privileges should be "tbl2"
*/
@Test
public void testRenameTableWithMultiAction() throws Exception {
String roleName1 = "role1";
String table1 = "tbl1", table2 = "tbl2";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName(table1);
privilege_tbl1.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege_tbl1_insert = new TSentryPrivilege(
privilege_tbl1);
privilege_tbl1_insert.setAction(AccessConstants.INSERT);
TSentryPrivilege privilege_tbl1_select = new TSentryPrivilege(
privilege_tbl1);
privilege_tbl1_select.setAction(AccessConstants.SELECT);
TSentryPrivilege privilege_tbl1_alter = new TSentryPrivilege(
privilege_tbl1);
privilege_tbl1_alter.setAction(AccessConstants.ALTER);
TSentryPrivilege privilege_tbl1_drop = new TSentryPrivilege(
privilege_tbl1);
privilege_tbl1_drop.setAction(AccessConstants.DROP);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_insert), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_select), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_alter), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_drop), null);
TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);
TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1);
newTable.setTable(table2);
sentryStore.renamePrivilege(oldTable, newTable);
// after rename tbl1 to tbl2, all table name of role's privilege will be tbl2
Set<TSentryPrivilege> privilegeSet = sentryStore
.getAllTSentryPrivilegesByRoleName(roleName1);
assertEquals(4, privilegeSet.size());
for (TSentryPrivilege privilege : privilegeSet) {
assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
}
}
@Test
public void testSentryRoleSize() throws Exception {
for( long i = 0; i< 5; i++ ) {
assertEquals((Long)i, sentryStore.getRoleCountGauge().getValue());
sentryStore.createSentryRole("role" + i);
}
}
@Test
public void testSentryPrivilegeSize() throws Exception {
String role1 = "role1";
String role2 = "role2";
sentryStore.createSentryRole(role1);
sentryStore.createSentryRole(role2);
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("TABLE");
privilege.setServerName("server1");
privilege.setDbName("db1");
privilege.setTableName("tb1");
privilege.setCreateTime(System.currentTimeMillis());
assertEquals(Long.valueOf(0), sentryStore.getPrivilegeCountGauge().getValue());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, role1, Sets.newHashSet(privilege), null);
assertEquals(Long.valueOf(1), sentryStore.getPrivilegeCountGauge().getValue());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, role2, Sets.newHashSet(privilege), null);
assertEquals(Long.valueOf(1), sentryStore.getPrivilegeCountGauge().getValue());
privilege.setTableName("tb2");
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, role2, Sets.newHashSet(privilege), null);
assertEquals(Long.valueOf(2), sentryStore.getPrivilegeCountGauge().getValue());
}
@Test
public void testSentryGroupsSize() throws Exception {
String role1 = "role1";
String role2 = "role2";
sentryStore.createSentryRole(role1);
sentryStore.createSentryRole(role2);
Set<TSentryGroup> groups = Sets.newHashSet();
TSentryGroup group = new TSentryGroup();
group.setGroupName("group1");
groups.add(group);
String grantor = "g1";
sentryStore.alterSentryRoleAddGroups(grantor, role1, groups);
assertEquals(Long.valueOf(1), sentryStore.getGroupCountGauge().getValue());
sentryStore.alterSentryRoleAddGroups(grantor, role2, groups);
assertEquals(Long.valueOf(1), sentryStore.getGroupCountGauge().getValue());
groups.add(new TSentryGroup("group2"));
sentryStore.alterSentryRoleAddGroups(grantor, role2, groups);
assertEquals(Long.valueOf(2), sentryStore.getGroupCountGauge().getValue());
}
@Test
public void testSentryUsersSize() throws Exception {
String role1 = "role1";
String role2 = "role2";
sentryStore.createSentryRole(role1);
sentryStore.createSentryRole(role2);
Set<String> users = Sets.newHashSet("user1");
sentryStore.alterSentryRoleAddUsers(role1, users);
assertEquals(Long.valueOf(1), sentryStore.getUserCountGauge().getValue());
sentryStore.alterSentryRoleAddUsers(role2, users);
assertEquals(Long.valueOf(1), sentryStore.getUserCountGauge().getValue());
users.add("user2");
sentryStore.alterSentryRoleAddUsers(role2, users);
assertEquals(Long.valueOf(2), sentryStore.getUserCountGauge().getValue());
}
@Test
public void testRenameTableWithColumn() throws Exception {
String roleName1 = "role1", roleName2 = "role2";
String table1 = "tbl1", table2 = "tbl2";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName(table1);
privilege_tbl1.setAction(AccessConstants.SELECT);
privilege_tbl1.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege_tbl1_c1 = new TSentryPrivilege(privilege_tbl1);
privilege_tbl1_c1.setPrivilegeScope("COLUMN");
privilege_tbl1_c1.setColumnName("c1");
privilege_tbl1_c1.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege_tbl1_c2 = new TSentryPrivilege(privilege_tbl1);
privilege_tbl1_c2.setPrivilegeScope("COLUMN");
privilege_tbl1_c2.setColumnName("c2");
privilege_tbl1_c2.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege_tbl1_c3 = new TSentryPrivilege(privilege_tbl1);
privilege_tbl1_c3.setPrivilegeScope("COLUMN");
privilege_tbl1_c3.setColumnName("c3");
privilege_tbl1_c3.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_c1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1_c2), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName2, Sets.newHashSet(privilege_tbl1_c3), null);
Set<TSentryPrivilege> privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
assertEquals(2, privilegeSet.size());
privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2);
assertEquals(1, privilegeSet.size());
TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);
TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1);
newTable.setTable(table2);
sentryStore.renamePrivilege(oldTable, newTable);
privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
assertEquals(2, privilegeSet.size());
for (TSentryPrivilege privilege : privilegeSet) {
assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
}
privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName2);
assertEquals(1, privilegeSet.size());
}
@Test
public void testSentryTablePrivilegeSome() throws Exception {
String roleName = "test-table-privilege-some";
String grantor = "g1";
String dbName = "db1";
String table = "tb1";
createRole(roleName);
TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("TABLE", "server1", "ALL");
tSentryPrivilege.setDbName(dbName);
tSentryPrivilege.setTableName(table);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(tSentryPrivilege), null);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setDb(dbName);
tSentryAuthorizable.setTable(AccessConstants.SOME);
tSentryAuthorizable.setServer("server1");
Set<TSentryPrivilege> privileges =
sentryStore.getTSentryPrivileges(SentryPrincipalType.ROLE, new HashSet<String>(Arrays.asList(roleName)), tSentryAuthorizable);
assertTrue(privileges.size() == 1);
Set<TSentryGroup> tSentryGroups = new HashSet<TSentryGroup>();
tSentryGroups.add(new TSentryGroup("group1"));
sentryStore.alterSentryRoleAddGroups(grantor, roleName, tSentryGroups);
TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(true, new HashSet<String>(Arrays.asList(roleName)));
Set<String> privs =
sentryStore.listSentryPrivilegesForProvider(new HashSet<String>(Arrays.asList("group1")),
Sets.newHashSet(grantor), thriftRoleSet, tSentryAuthorizable);
assertTrue(privs.size()==1);
assertTrue(privs.contains("server=server1->db=" + dbName + "->table=" + table + "->action=all"));
}
@Test
public void testSentryColumnPrivilegeSome() throws Exception {
String roleName = "test-column-privilege-some";
String grantor = "g1";
String dbName = "db1";
String table = "tb1";
String column = "col1";
createRole(roleName);
TSentryPrivilege tSentryPrivilege = new TSentryPrivilege("TABLE", "server1", "ALL");
tSentryPrivilege.setDbName(dbName);
tSentryPrivilege.setTableName(table);
tSentryPrivilege.setColumnName(column);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(tSentryPrivilege), null);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setDb(dbName);
tSentryAuthorizable.setTable(table);
tSentryAuthorizable.setColumn(AccessConstants.SOME);
tSentryAuthorizable.setServer("server1");
Set<TSentryPrivilege> privileges =
sentryStore.getTSentryPrivileges(SentryPrincipalType.ROLE, new HashSet<String>(Arrays.asList(roleName)), tSentryAuthorizable);
assertTrue(privileges.size() == 1);
Set<TSentryGroup> tSentryGroups = new HashSet<TSentryGroup>();
tSentryGroups.add(new TSentryGroup("group1"));
sentryStore.alterSentryRoleAddGroups(grantor, roleName, tSentryGroups);
TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(true, new HashSet<String>(Arrays.asList(roleName)));
Set<String> privs =
sentryStore.listSentryPrivilegesForProvider(new HashSet<String>(Arrays.asList("group1")), Sets.newHashSet(grantor),
thriftRoleSet, tSentryAuthorizable);
assertTrue(privs.size() == 1);
assertTrue(privs.contains("server=server1->db=" + dbName + "->table=" + table + "->column="
+ column + "->action=all"));
}
@Test
public void testSentryVersionCheck() throws Exception {
// don't verify version, the current version willll be set in MSentryVersion
sentryStore.verifySentryStoreSchema(false);
assertEquals(sentryStore.getSentryVersion(),
SentryStoreSchemaInfo.getSentryVersion());
// verify the version with the same value
sentryStore.verifySentryStoreSchema(true);
// verify the version with the different value
sentryStore.setSentryVersion("test-version", "test-version");
try {
sentryStore.verifySentryStoreSchema(true);
fail("SentryAccessDeniedException should be thrown.");
} catch (SentryAccessDeniedException e) {
// the excepted exception, recover the version
sentryStore.verifySentryStoreSchema(false);
}
}
@Test
public void testRetrieveFullPermssionsImage() throws Exception {
// Create roles
String roleName1 = "privs-r1", roleName2 = "privs-r2";
String groupName1 = "privs-g1";
String grantor = "g1";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
// Grant Privileges to the roles
TSentryPrivilege privilege1 = new TSentryPrivilege();
privilege1.setPrivilegeScope("TABLE");
privilege1.setServerName("server1");
privilege1.setDbName("db1");
privilege1.setTableName("tbl1");
privilege1.setAction("SELECT");
privilege1.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName2, Sets.newHashSet(privilege1), null);
TSentryPrivilege privilege2 = new TSentryPrivilege();
privilege2.setPrivilegeScope("SERVER");
privilege2.setServerName("server1");
privilege1.setDbName("db2");
privilege1.setAction("ALL");
privilege2.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName2, Sets.newHashSet(privilege2), null);
// Grant roles to the groups
Set<TSentryGroup> groups = Sets.newHashSet();
TSentryGroup group = new TSentryGroup();
group.setGroupName(groupName1);
groups.add(group);
sentryStore.alterSentryRoleAddGroups(grantor, roleName1, groups);
sentryStore.alterSentryRoleAddGroups(grantor, roleName2, groups);
//Grant owner privilege to role
TSentryPrivilege privilege3 = new TSentryPrivilege();
privilege3.setPrivilegeScope("TABLE");
privilege3.setServerName("server1");
privilege3.setDbName("db3");
privilege3.setTableName("tbl1");
privilege3.setAction("OWNER");
privilege3.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege3), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName2, Sets.newHashSet(privilege3), null);
PermissionsImage permImage = sentryStore.retrieveFullPermssionsImage();
Map<String, Map<TPrivilegePrincipal, String>> privs = permImage.getPrivilegeImage();
Map<String, List<String>> roles = permImage.getRoleImage();
assertEquals(2, privs.get("db1.tbl1").size());
assertEquals(2, roles.size());
assertEquals(2, privs.get("db3.tbl1").size());
assertEquals("ALL", privs.get("db3.tbl1").get(new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, roleName1)));
assertEquals("ALL", privs.get("db3.tbl1").get(new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, roleName2)));
}
@Test
public void testRetrieveFullPermssionsImageWithMultiplePrivielgesPerRolePerObject() throws Exception {
// Create roles
String roleName1 = "privs-r1";
String groupName1 = "privs-g1";
String grantor = "g1";
sentryStore.createSentryRole(roleName1);
// Grant roles to the groups
Set<TSentryGroup> groups = Sets.newHashSet();
TSentryGroup group = new TSentryGroup();
group.setGroupName(groupName1);
groups.add(group);
sentryStore.alterSentryRoleAddGroups(grantor, roleName1, groups);
// Grant multiple privileges to a role on one object
TSentryPrivilege privilege1 = new TSentryPrivilege();
privilege1.setPrivilegeScope("TABLE");
privilege1.setServerName("server1");
privilege1.setDbName("db1");
privilege1.setTableName("tbl1");
privilege1.setAction("SELECT");
privilege1.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege2 = new TSentryPrivilege();
privilege2.setPrivilegeScope("TABLE");
privilege2.setServerName("server1");
privilege2.setDbName("db1");
privilege2.setTableName("tbl1");
privilege2.setAction("INSERT");
privilege2.setCreateTime(System.currentTimeMillis());
TSentryPrivilege privilege3 = new TSentryPrivilege();
privilege3.setPrivilegeScope("TABLE");
privilege3.setServerName("server1");
privilege3.setDbName("db1");
privilege3.setTableName("tbl1");
privilege3.setAction("REFRESH");
privilege3.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege2), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege3), null);
PermissionsImage permImage = sentryStore.retrieveFullPermssionsImage();
Map<String, Map<TPrivilegePrincipal, String>> privs = permImage.getPrivilegeImage();
assertEquals(1, privs.get("db1.tbl1").size());
assertEquals("REFRESH,INSERT,SELECT", privs.get("db1.tbl1").get(new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, roleName1)));
}
/**
* Verifies complete snapshot of HMS Paths can be persisted and retrieved properly.
*/
@Test
public void testPersistFullPathsImage() throws Exception {
Map<String, Collection<String>> authzPaths = new HashMap<>();
String[] prefixes = {"/user/hive/warehouse"};
// Makes sure that authorizable object could be associated
// with different paths and can be properly persisted into database.
authzPaths.put("db1.table1", Sets.newHashSet("/user/hive/warehouse/db2.db/table1.1",
"/user/hive/warehouse/db2.db/table1.2"));
// Makes sure that the same MPaths object could be associated
// with multiple authorizable and can be properly persisted into database.
authzPaths.put("db1.table2", Sets.newHashSet("/user/hive/warehouse/db2.db/table2.1",
"/user/hive/warehouse/db2.db/table2.2"));
authzPaths.put("db2.table2", Sets.newHashSet("/user/hive/warehouse/db2.db/table2.1",
"/user/hive/warehouse/db2.db/table2.3"));
long notificationID = 11;
sentryStore.persistFullPathsImage(authzPaths, notificationID);
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
long savedNotificationID = sentryStore.getLastProcessedNotificationID();
assertEquals(1, pathsUpdate.getImgNum());
TPathsDump pathDump = pathsUpdate.toThrift().getPathsDump();
Map<Integer, TPathEntry> nodeMap = pathDump.getNodeMap();
assertEquals(10, nodeMap.size());
//First element is "/"
int rootId = pathDump.getRootId();
TPathEntry root = nodeMap.get(rootId);
assertEquals("/", root.getPathElement());
Map<String, Collection<String>>pathImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathImage, true);
assertEquals(3, pathImage.size());
for (Map.Entry<String, Collection<String>> entry : pathImage.entrySet()) {
assertEquals(2, entry.getValue().size());
}
assertEquals(2, pathImage.get("db2.table2").size());
assertTrue(CollectionUtils.isEqualCollection(Lists.newArrayList("/user/hive/warehouse/db2.db/table1.1",
"/user/hive/warehouse/db2.db/table1.2"),
pathImage.get("db1.table1")));
assertTrue(CollectionUtils.isEqualCollection(Lists.newArrayList("/user/hive/warehouse/db2.db/table2.1",
"/user/hive/warehouse/db2.db/table2.2"),
pathImage.get("db1.table2")));
assertTrue(CollectionUtils.isEqualCollection(Lists.newArrayList("/user/hive/warehouse/db2.db/table2.1",
"/user/hive/warehouse/db2.db/table2.3"),
pathImage.get("db2.table2")));
assertEquals(6, sentryStore.getPathCount());
assertEquals(notificationID, savedNotificationID);
}
@Test
public void testAddAuthzPathsMapping() throws Exception {
Set<MPath> paths;
// Persist an empty image so that we can add paths to it.
sentryStore.persistFullPathsImage(new HashMap<String, Collection<String>>(), 0);
// Check the latest persisted ID matches to both the path updates
long latestID = sentryStore.getCurrentAuthzPathsSnapshotID();
// Persist the path
sentryStore.addAuthzPathsMapping("db1.tb1", Arrays.asList("/hive/db1/tb1"), null);
paths = sentryStore.getMAuthzPaths(latestID, "db1.tb1");
// Verify that mapping is been added
assertEquals(paths.size(), 1);
assertTrue(paths.stream().anyMatch(x -> x.getPath().equalsIgnoreCase("/hive/db1/tb1")));
// Add new path to an existing mapping
sentryStore.addAuthzPathsMapping("db1.tb1", Arrays.asList("/hive/db1/tb1/par1"), null);
paths = sentryStore.getMAuthzPaths(latestID, "db1.tb1");
// Verify that mapping is been updated with the new path
assertEquals(paths.size(), 2);
assertTrue(paths.stream().anyMatch(x -> x.getPath().equalsIgnoreCase("/hive/db1/tb1/par1")));
// Add multiples path to an existing mapping
sentryStore.addAuthzPathsMapping("db1.tb1", Arrays.asList("/hive/db1/tb1/par2","/hive/db1/tb1/par3"), null);
paths = sentryStore.getMAuthzPaths(latestID, "db1.tb1");
// Verify that mapping is been updated with the new path
assertEquals(paths.size(), 4);
assertTrue(paths.stream().anyMatch(x -> x.getPath().equalsIgnoreCase("/hive/db1/tb1/par2")));
assertTrue(paths.stream().anyMatch(x -> x.getPath().equalsIgnoreCase("/hive/db1/tb1/par3")));
//Add null paths to an existing mapping and verify that there are no exceptions
try {
sentryStore.addAuthzPathsMapping("db1.tb1", null, null);
} catch (Exception e) {
fail("Exception occurred while adding mapping with null paths");
}
//Add new mapping with null paths and verify that there are no exceptions
try {
sentryStore.addAuthzPathsMapping("db1.tb5", null, null);
} catch (Exception e) {
fail("Exception occurred while adding mapping with null paths");
}
//Add empty paths collection to existing mapping verify that there are no exceptions
try {
sentryStore.addAuthzPathsMapping("db1.tb6", Collections.EMPTY_SET, null);
} catch (Exception e) {
fail("Exception occurred while adding mapping with empty path collection");
}
//Add new mapping with empty paths collection and verify that there are no exceptions
try {
sentryStore.addAuthzPathsMapping("db1.tb1", Collections.EMPTY_SET, null);
} catch (Exception e) {
fail("Exception occurred while adding mapping with empty path collection");
}
}
@Test
public void testAddPathsWithDuplicatedNotificationIdShouldBeAllowed() throws Exception {
long notificationID = 1;
// Persist an empty image so that we can add paths to it.
sentryStore.persistFullPathsImage(new HashMap<String, Collection<String>>(), 0);
// Create two path updates with the same sequence ID
UniquePathsUpdate update1 = new UniquePathsUpdate("u1", notificationID, false);
UniquePathsUpdate update2 = new UniquePathsUpdate("u2", notificationID, false);
// Populate the path updates with different objects and paths
update1.newPathChange("db1").addToAddPaths(Arrays.asList("/hive/db1"));
update2.newPathChange("db2").addToAddPaths(Arrays.asList("/hive/db2"));
// Persist both path updates. Persisting should be allowed, and paths should be
// persisted even if they have the same sequence ID
sentryStore.addAuthzPathsMapping("db1", Arrays.asList("/hive/db1"), update1);
sentryStore.addAuthzPathsMapping("db2", Arrays.asList("/hive/db2"), update2);
// Check the latest persisted ID matches to both the path updates
long latestID = sentryStore.getLastProcessedNotificationID();
assertEquals(notificationID, latestID);
String []prefixes = {"/hive"};
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
TPathsDump pathDump = pathsUpdate.toThrift().getPathsDump();
Map<Integer, TPathEntry> nodeMap = pathDump.getNodeMap();
assertEquals(4, nodeMap.size());
int rootId = pathDump.getRootId();
TPathEntry root = nodeMap.get(rootId);
assertEquals("/", root.getPathElement());
Map<String, Collection<String>>pathsImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathsImage, true);
// Check that retrieving a full paths image returns both paths updates
assertEquals(2, pathsImage.size());
assertEquals(1, pathsImage.get("db1").size());
assertTrue(pathsImage.get("db1").contains("/hive/db1"));
assertEquals(1, pathsImage.get("db2").size());
assertTrue(pathsImage.get("db2").contains("/hive/db2"));
// Check that retrieving delta changes returns both patch updates
List<MSentryPathChange> pathsChanges = sentryStore.getMSentryPathChanges();
assertEquals(2, pathsChanges.size());
assertEquals(1, pathsChanges.get(0).getChangeID()); // changeID = 1
assertTrue(pathsChanges.get(0).getPathChange().contains("/hive/db1"));
assertEquals(2, pathsChanges.get(1).getChangeID()); // changeID = 2
assertTrue(pathsChanges.get(1).getPathChange().contains("/hive/db2"));
// Check that the SHA1 hash calculated for unique notifications is correct
assertEquals("u1", pathsChanges.get(0).getNotificationHash());
assertEquals("u2", pathsChanges.get(1).getNotificationHash());
}
private void buildPathsImageMap(Map<Integer, TPathEntry> nodeMap, TPathEntry node, String path,
Map<String, Collection<String>> pathsImage, boolean includeLeadingSlash) {
path = path.isEmpty()?node.getPathElement(): (path + node.getPathElement() + "/");
TPathEntry tempNode = node;
for(int childVal:node.getChildren()) {
node = nodeMap.get(childVal);
buildPathsImageMap(nodeMap, node, path, pathsImage, includeLeadingSlash);
}
if(tempNode.getChildren().isEmpty() && node.getAuthzObjs() != null) {
for (String authz : node.getAuthzObjs()) {
if (!pathsImage.containsKey(authz)) {
pathsImage.put(authz, new LinkedList<>());
}
if(includeLeadingSlash) {
pathsImage.get(authz).add(path.replaceAll("(/+$)", ""));
} else {
pathsImage.get(authz).add(path.replaceAll("(^/+)|(/+$)", ""));
}
}
}
}
@Test
public void testPersistDuplicatedNotificationIdShouldBeAllowed() throws Exception {
long notificationID = 1;
// Persist the same ID twice should not cause any issues
sentryStore.persistLastProcessedNotificationID(notificationID);
sentryStore.persistLastProcessedNotificationID(notificationID);
// Retrieving latest peristed ID should match with the previous persisted ID
long latestID = sentryStore.getLastProcessedNotificationID();
assertEquals(notificationID, latestID);
}
@Test
public void testAddDeleteAuthzPathsMapping() throws Exception {
long notificationID = 0;
// Persist an empty image so that we can add paths to it.
sentryStore.persistFullPathsImage(new HashMap<String, Collection<String>>(), notificationID);
// Add "db1.table1" authzObj
Long lastNotificationId = sentryStore.getLastProcessedNotificationID();
UniquePathsUpdate addUpdate = new UniquePathsUpdate("u1", 1, false);
addUpdate.newPathChange("db1.table").
addToAddPaths(Arrays.asList("db1", "tbl1"));
addUpdate.newPathChange("db1.table").
addToAddPaths(Arrays.asList("db1", "tbl2"));
sentryStore.addAuthzPathsMapping("db1.table",
Sets.newHashSet("db1/tbl1", "db1/tbl2"), addUpdate);
String[]prefixes = {"/"};
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
TPathsDump pathsDump = pathsUpdate.toThrift().getPathsDump();
Map<Integer, TPathEntry>nodeMap = pathsDump.getNodeMap();
TPathEntry root = nodeMap.get(pathsDump.getRootId());
Map<String, Collection<String>> pathImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathImage, false);
assertEquals(4, nodeMap.size());//Tree size
assertEquals("/", root.getPathElement());
assertEquals(1, pathImage.size());
assertEquals(2, pathImage.get("db1.table").size());
assertEquals(2, sentryStore.getMPaths().size());
// Query the persisted path change and ensure it equals to the original one
long lastChangeID = sentryStore.getLastProcessedPathChangeID();
MSentryPathChange addPathChange = sentryStore.getMSentryPathChangeByID(lastChangeID);
assertEquals(addUpdate.JSONSerialize(), addPathChange.getPathChange());
lastNotificationId = sentryStore.getLastProcessedNotificationID();
assertEquals(1, lastNotificationId.longValue());
// Delete path 'db1.db/tbl1' from "db1.table1" authzObj.
UniquePathsUpdate delUpdate = new UniquePathsUpdate("u2",2, false);
delUpdate.newPathChange("db1.table")
.addToDelPaths(Arrays.asList("db1", "tbl1"));
sentryStore.deleteAuthzPathsMapping("db1.table", Sets.newHashSet("db1/tbl1"), delUpdate);
pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
pathsDump = pathsUpdate.toThrift().getPathsDump();
nodeMap = pathsDump.getNodeMap();
root = nodeMap.get(pathsDump.getRootId());
pathImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathImage, false);
assertEquals("/", root.getPathElement());
assertEquals(3, nodeMap.size());//Tree size
assertEquals(1, pathImage.size());
assertEquals(1, pathImage.get("db1.table").size());
assertEquals(1, sentryStore.getMPaths().size());
// Query the persisted path change and ensure it equals to the original one
lastChangeID = sentryStore.getLastProcessedPathChangeID();
MSentryPathChange delPathChange = sentryStore.getMSentryPathChangeByID(lastChangeID);
assertEquals(delUpdate.JSONSerialize(), delPathChange.getPathChange());
lastNotificationId = sentryStore.getLastProcessedNotificationID();
assertEquals(2, lastNotificationId.longValue());
// Delete "db1.table" authzObj from the authzObj -> [Paths] mapping.
UniquePathsUpdate delAllupdate = new UniquePathsUpdate("u3",3, false);
delAllupdate.newPathChange("db1.table")
.addToDelPaths(Lists.newArrayList(PathsUpdate.ALL_PATHS));
sentryStore.deleteAllAuthzPathsMapping("db1.table", delAllupdate);
pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
pathsDump = pathsUpdate.toThrift().getPathsDump();
nodeMap = pathsDump.getNodeMap();
root = nodeMap.get(pathsDump.getRootId());
pathImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathImage, false);
assertEquals("/", root.getPathElement());
assertEquals(1, nodeMap.size());//Tree size
assertEquals(0, pathImage.size());
assertEquals(0, sentryStore.getMPaths().size());
assertEquals(0, sentryStore.getCount(MPath.class).intValue());
// Query the persisted path change and ensure it equals to the original one
lastChangeID = sentryStore.getLastProcessedPathChangeID();
MSentryPathChange delAllPathChange = sentryStore.getMSentryPathChangeByID(lastChangeID);
assertEquals(delAllupdate.JSONSerialize(), delAllPathChange.getPathChange());
lastNotificationId = sentryStore.getLastProcessedNotificationID();
assertEquals(3, lastNotificationId.longValue());
}
@Test
public void testDeleteAuthzPathsMapping() throws Exception {
long notificationID = 0;
// Persist an empty image so that we can add paths to it.
sentryStore.persistFullPathsImage(new HashMap<String, Collection<String>>(), notificationID);
// Add a mapping to two paths
sentryStore.addAuthzPathsMapping("db1.table",
Sets.newHashSet("db1/tbl1", "db1/tbl2"), null);
// Verify the Path count
assertEquals(2, sentryStore.getCount(MPath.class).intValue());
// Add a mapping to three paths
sentryStore.addAuthzPathsMapping("db2.table",
Sets.newHashSet("db2/tbl1", "db2/tbl2", "db2/tbl3"), null);
// Verify the Path count
assertEquals(5, sentryStore.getCount(MPath.class).intValue());
// deleting the mapping and verifying the MPath count
sentryStore.deleteAllAuthzPathsMapping("db1.table", null);
// Verify the Path count
assertEquals(3, sentryStore.getCount(MPath.class).intValue());
// deleting the mapping and verifying the MPath count
sentryStore.deleteAllAuthzPathsMapping("db2.table", null);
// Verify the Path count
assertEquals(0, sentryStore.getCount(MPath.class).intValue());
// Add a mapping to two paths
sentryStore.addAuthzPathsMapping("db1.table",
Sets.newHashSet("db1/tbl1", "db1/tbl2"), null);
// deleting the mapping with paths as null and verifying that all the paths are deleted.
sentryStore.deleteAuthzPathsMapping("db1.table", null, null);
// Verify the Path count
assertEquals(0, sentryStore.getCount(MPath.class).intValue());
// Add a mapping to two paths
sentryStore.addAuthzPathsMapping("db1.table",
Sets.newHashSet("db1/tbl1", "db1/tbl2"), null);
// deleting the mapping with paths as empty set and verifying that all the paths are deleted.
sentryStore.deleteAuthzPathsMapping("db1.table", Collections.EMPTY_SET, null);
// Verify the Path count
assertEquals(0, sentryStore.getCount(MPath.class).intValue());
}
@Test
public void testRenameUpdateAuthzPathsMapping() throws Exception {
Map<String, Collection<String>> authzPaths = new HashMap<>();
Long lastNotificationId = sentryStore.getLastProcessedNotificationID();
authzPaths.put("db1.table1", Sets.newHashSet("user/hive/warehouse/db1.db/table1",
"user/hive/warehouse/db1.db/table1/p1"));
authzPaths.put("db1.table2", Sets.newHashSet("user/hive/warehouse/db1.db/table2"));
sentryStore.persistFullPathsImage(authzPaths, lastNotificationId);
String[]prefixes = {"/user/hive/warehouse"};
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
TPathsDump pathsDump = pathsUpdate.toThrift().getPathsDump();
Map<Integer, TPathEntry>nodeMap = pathsDump.getNodeMap();
TPathEntry root = nodeMap.get(pathsDump.getRootId());
Map<String, Collection<String>> pathsImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathsImage, false);
assertEquals("/", root.getPathElement());
assertEquals(8, nodeMap.size());//Tree size
assertEquals(2, pathsImage.size());
// Rename path of 'db1.table1' from 'db1.table1' to 'db1.newTable1'
UniquePathsUpdate renameUpdate = new UniquePathsUpdate("u1",1, false);
renameUpdate.newPathChange("db1.table1")
.addToDelPaths(Arrays.asList("user", "hive", "warehouse", "db1.db", "table1"));
renameUpdate.newPathChange("db1.newTable1")
.addToAddPaths(Arrays.asList("user", "hive", "warehouse", "db1.db", "newTable1"));
sentryStore.renameAuthzPathsMapping("db1.table1", "db1.newTable1",
"user/hive/warehouse/db1.db/table1", "user/hive/warehouse/db1.db/newTable1", renameUpdate);
pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
pathsDump = pathsUpdate.toThrift().getPathsDump();
nodeMap = pathsDump.getNodeMap();
root = nodeMap.get(pathsDump.getRootId());
pathsImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathsImage, false);
assertEquals("/", root.getPathElement());
assertEquals(9, nodeMap.size());//Tree size
assertEquals(2, pathsImage.size());
assertEquals(3, sentryStore.getMPaths().size());
assertTrue(pathsImage.containsKey("db1.newTable1"));
assertTrue(CollectionUtils.isEqualCollection(Lists.newArrayList("user/hive/warehouse/db1.db/table1/p1",
"user/hive/warehouse/db1.db/newTable1"),
pathsImage.get("db1.newTable1")));
// Query the persisted path change and ensure it equals to the original one
long lastChangeID = sentryStore.getLastProcessedPathChangeID();
MSentryPathChange renamePathChange = sentryStore.getMSentryPathChangeByID(lastChangeID);
assertEquals(renameUpdate.JSONSerialize(), renamePathChange.getPathChange());
lastNotificationId = sentryStore.getLastProcessedNotificationID();
assertEquals(1, lastNotificationId.longValue());
// Rename 'db1.table1' to "db1.table2" but did not change its location.
renameUpdate = new UniquePathsUpdate("u2",2, false);
renameUpdate.newPathChange("db1.newTable1")
.addToDelPaths(Arrays.asList("user", "hive", "warehouse", "db1.db", "newTable1"));
renameUpdate.newPathChange("db1.newTable2")
.addToAddPaths(Arrays.asList("user", "hive", "warehouse", "db1.db", "newTable1"));
sentryStore.renameAuthzObj("db1.newTable1", "db1.newTable2", renameUpdate);
pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
pathsDump = pathsUpdate.toThrift().getPathsDump();
nodeMap = pathsDump.getNodeMap();
root = nodeMap.get(pathsDump.getRootId());
pathsImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathsImage, false);
assertEquals("/", root.getPathElement());
assertEquals(9, nodeMap.size());//Tree size
assertEquals(2, pathsImage.size());
assertEquals(3, sentryStore.getMPaths().size());
assertTrue(pathsImage.containsKey("db1.newTable2"));
assertTrue(CollectionUtils.isEqualCollection(Lists.newArrayList("user/hive/warehouse/db1.db/table1/p1",
"user/hive/warehouse/db1.db/newTable1"),
pathsImage.get("db1.newTable2")));
lastNotificationId = sentryStore.getLastProcessedNotificationID();
assertEquals(2, lastNotificationId.longValue());
// Query the persisted path change and ensure it equals to the original one
lastChangeID = sentryStore.getLastProcessedPathChangeID();
renamePathChange = sentryStore.getMSentryPathChangeByID(lastChangeID);
assertEquals(renameUpdate.JSONSerialize(), renamePathChange.getPathChange());
// Update path of 'db1.newTable2' from 'db1.newTable1' to 'db1.newTable2'
UniquePathsUpdate update = new UniquePathsUpdate("u3",3, false);
update.newPathChange("db1.newTable1")
.addToDelPaths(Arrays.asList("user", "hive", "warehouse", "db1.db", "newTable1"));
update.newPathChange("db1.newTable1")
.addToAddPaths(Arrays.asList("user", "hive", "warehouse", "db1.db", "newTable2"));
sentryStore.updateAuthzPathsMapping("db1.newTable2",
"user/hive/warehouse/db1.db/newTable1",
"user/hive/warehouse/db1.db/newTable2",
update);
pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
pathsDump = pathsUpdate.toThrift().getPathsDump();
nodeMap = pathsDump.getNodeMap();
root = nodeMap.get(pathsDump.getRootId());
pathsImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathsImage, false);
assertEquals("/", root.getPathElement());
assertEquals(9, nodeMap.size());//Tree size
assertEquals(2, pathsImage.size());
assertEquals(3, sentryStore.getMPaths().size());
assertTrue(pathsImage.containsKey("db1.newTable2"));
assertTrue(CollectionUtils.isEqualCollection(Lists.newArrayList("user/hive/warehouse/db1.db/table1/p1",
"user/hive/warehouse/db1.db/newTable2"),
pathsImage.get("db1.newTable2")));
// Query the persisted path change and ensure it equals to the original one
lastChangeID = sentryStore.getLastProcessedPathChangeID();
MSentryPathChange updatePathChange = sentryStore.getMSentryPathChangeByID(lastChangeID);
assertEquals(update.JSONSerialize(), updatePathChange.getPathChange());
lastNotificationId = sentryStore.getLastProcessedNotificationID();
assertEquals(3, lastNotificationId.longValue());
}
@Test
public void testPersistAndReplaceANewPathsImage() throws Exception {
Map<String, Collection<String>> authzPaths = new HashMap<>();
long notificationID = 1;
// First image to persist (this will be replaced later)
authzPaths.put("db1.table1", Sets.newHashSet("/user/hive/warehouse/db2.db/table1.1",
"/user/hive/warehouse/db2.db/table1.2"));
authzPaths.put("db1.table2", Sets.newHashSet("/user/hive/warehouse/db2.db/table2.1",
"/user/hive/warehouse/db2.db/table2.2"));
sentryStore.persistFullPathsImage(authzPaths, notificationID);
String[]prefixes = {"/user/hive/warehouse"};
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
TPathsDump pathsDump = pathsUpdate.toThrift().getPathsDump();
Map<Integer, TPathEntry>nodeMap = pathsDump.getNodeMap();
TPathEntry root = nodeMap.get(pathsDump.getRootId());
Map<String, Collection<String>> pathImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathImage, true);
assertEquals("/", root.getPathElement());
assertEquals(9, nodeMap.size());//Tree size
assertEquals(1, pathsUpdate.getImgNum());
// Second image to persist (it should replace first image)
authzPaths.clear();
authzPaths.put("db3.table1", Sets.newHashSet("/another-warehouse/db2.db/table1.1",
"/another-warehouse/db2.db/table1.2"));
authzPaths.put("db3.table2", Sets.newHashSet("/another-warehouse/db2.db/table2.1",
"/another-warehouse/db2.db/table2.2"));
authzPaths.put("db4.table2", Sets.newHashSet("/another-warehouse/db2.db/table2.1",
"/another-warehouse/db2.db/table2.3"));
sentryStore.persistFullPathsImage(authzPaths, notificationID+1);
prefixes = new String[]{"/another-warehouse"};
pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
pathsDump = pathsUpdate.toThrift().getPathsDump();
nodeMap = pathsDump.getNodeMap();
root = nodeMap.get(pathsDump.getRootId());
pathImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathImage, true);
assertEquals("/", root.getPathElement());
assertEquals(8, nodeMap.size());//Tree size
assertEquals(2, pathsUpdate.getImgNum());
assertEquals(3, pathImage.size());
for (Map.Entry<String, Collection<String>> entry : pathImage.entrySet()) {
assertEquals(2, entry.getValue().size());
}
assertEquals(2, pathImage.get("db4.table2").size());
assertTrue(CollectionUtils.isEqualCollection(Lists.newArrayList("/another-warehouse/db2.db/table1.1",
"/another-warehouse/db2.db/table1.2"),
pathImage.get("db3.table1")));
assertTrue(CollectionUtils.isEqualCollection(Lists.newArrayList("/another-warehouse/db2.db/table2.1",
"/another-warehouse/db2.db/table2.2"),
pathImage.get("db3.table2")));
assertTrue(CollectionUtils.isEqualCollection(Lists.newArrayList("/another-warehouse/db2.db/table2.1",
"/another-warehouse/db2.db/table2.3"),
pathImage.get("db4.table2")));
assertEquals(6, sentryStore.getMPaths().size());
}
@Test
public void testAddDeleteAfterReplacingANewPathsImage() throws Exception {
long notificationID = 1;
// Add some paths first (these should be replaced)
UniquePathsUpdate addUpdate = new UniquePathsUpdate("u1", notificationID, false);
addUpdate.newPathChange("db1.table").addToAddPaths(Arrays.asList("db1", "tbl1"));
addUpdate.newPathChange("db1.table").addToAddPaths(Arrays.asList("db1", "tbl2"));
sentryStore.addAuthzPathsMapping("db1.table", Sets.newHashSet("db1/tbl1", "db1/tbl2"), addUpdate);
// Persist a new image that contains a new image ID (it replaces previous paths)
notificationID ++;
Map<String, Collection<String>> authzPaths = new HashMap<>();
authzPaths.put("db2.table3", Sets.newHashSet("/user/hive/warehouse/db2.db/table1.1",
"/user/hive/warehouse/db2.db/table1.2"));
sentryStore.persistFullPathsImage(authzPaths, notificationID);
// Add new paths
notificationID ++;
UniquePathsUpdate newAddUpdate = new UniquePathsUpdate("u2", notificationID, false);
newAddUpdate.newPathChange("db2.table").addToAddPaths(Arrays.asList("db2", "tbl1"));
newAddUpdate.newPathChange("db2.table").addToAddPaths(Arrays.asList("db2", "tbl2"));
sentryStore.addAuthzPathsMapping("db2.table", Sets.newHashSet("db2/tbl1", "db2/tbl2"), newAddUpdate);
String[]prefixes = {"/"};
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
TPathsDump pathsDump = pathsUpdate.toThrift().getPathsDump();
Map<Integer, TPathEntry>nodeMap = pathsDump.getNodeMap();
TPathEntry root = nodeMap.get(pathsDump.getRootId());
Map<String, Collection<String>> pathImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathImage, false);
assertEquals("/", root.getPathElement());
assertEquals(10, nodeMap.size());//Tree size
assertEquals(2, pathImage.size());
assertEquals(2, pathImage.get("db2.table").size());
assertEquals(4, sentryStore.getMPaths().size());
// Delete one path
notificationID ++;
UniquePathsUpdate delUpdate = new UniquePathsUpdate("u3", notificationID, false);
delUpdate.newPathChange("db2.table").addToDelPaths(Arrays.asList("db2", "tbl1"));
sentryStore.deleteAuthzPathsMapping("db2.table", Sets.newHashSet("db2/tbl1"), delUpdate);
pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
pathsDump = pathsUpdate.toThrift().getPathsDump();
nodeMap = pathsDump.getNodeMap();
root = nodeMap.get(pathsDump.getRootId());
pathImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathImage, false);
assertEquals("/", root.getPathElement());
assertEquals(9, nodeMap.size());//Tree size
assertEquals(2, pathImage.size());
assertEquals(1, pathImage.get("db2.table").size());
assertEquals(3, sentryStore.getMPaths().size());
Long lastNotificationId = sentryStore.getLastProcessedNotificationID();
assertEquals(notificationID, lastNotificationId.longValue());
}
@Test
public void testRenameUpdateAfterReplacingANewPathsImage() throws Exception {
long notificationID = 1;
Map<String, Collection<String>> authzPaths = new HashMap<>();
// First image to persist (this will be replaced later)
authzPaths.put("db1.table1", Sets.newHashSet("/user/hive/warehouse/db2.db/table1.1",
"/user/hive/warehouse/db2.db/table1.2"));
authzPaths.put("db1.table2", Sets.newHashSet("/user/hive/warehouse/db2.db/table2.1",
"/user/hive/warehouse/db2.db/table2.2"));
sentryStore.persistFullPathsImage(authzPaths, notificationID);
// Second image to persist (it should replace first image)
notificationID ++;
authzPaths.clear();
authzPaths.put("db3.table1", Sets.newHashSet("/another-warehouse/db3.db/table1.1",
"/another-warehouse/db3.db/table1.2"));
authzPaths.put("db3.table2", Sets.newHashSet("/another-warehouse/db3.db/table2.1",
"/another-warehouse/db3.db/table2.2"));
sentryStore.persistFullPathsImage(authzPaths, notificationID);
// Rename path of 'db1.table1' from 'db1.table1' to 'db1.newTable1'
notificationID ++;
UniquePathsUpdate renameUpdate = new UniquePathsUpdate("u1", notificationID, false);
renameUpdate.newPathChange("db3.table1")
.addToDelPaths(Arrays.asList("another-warehouse", "db3.db", "table1.1"));
renameUpdate.newPathChange("db1.newTable1")
.addToAddPaths(Arrays.asList("user", "hive", "warehouse", "db1.db", "newTable1"));
sentryStore.renameAuthzPathsMapping("db3.table1", "db1.newTable1",
"/another-warehouse/db3.db/table1.1", "user/hive/warehouse/db1.db/newTable1", renameUpdate);
String[]prefixes = {"/"};
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
TPathsDump pathsDump = pathsUpdate.toThrift().getPathsDump();
Map<Integer, TPathEntry>nodeMap = pathsDump.getNodeMap();
TPathEntry root = nodeMap.get(pathsDump.getRootId());
Map<String, Collection<String>> pathsImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathsImage, true);
assertEquals("/", root.getPathElement());
assertEquals(11, nodeMap.size());//Tree size
assertEquals(2, pathsImage.size());
assertEquals(4, sentryStore.getMPaths().size());
assertTrue(pathsImage.containsKey("db1.newTable1"));
assertTrue(CollectionUtils.isEqualCollection(Lists.newArrayList("/another-warehouse/db3.db/table1.2",
"/user/hive/warehouse/db1.db/newTable1"),
pathsImage.get("db1.newTable1")));
// Update path of 'db1.newTable2' from 'db1.newTable1' to 'db1.newTable2'
notificationID++;
UniquePathsUpdate update = new UniquePathsUpdate("u2", notificationID, false);
update.newPathChange("db1.newTable1")
.addToDelPaths(Arrays.asList("user", "hive", "warehouse", "db1.db", "newTable1"));
update.newPathChange("db1.newTable1")
.addToAddPaths(Arrays.asList("user", "hive", "warehouse", "db1.db", "newTable2"));
sentryStore.updateAuthzPathsMapping("db1.newTable2",
"user/hive/warehouse/db1.db/newTable1",
"user/hive/warehouse/db1.db/newTable2",
update);
pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
pathsDump = pathsUpdate.toThrift().getPathsDump();
nodeMap = pathsDump.getNodeMap();
root = nodeMap.get(pathsDump.getRootId());
pathsImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathsImage, false);
assertEquals("/", root.getPathElement());
assertEquals(12, nodeMap.size());//Tree size
assertEquals(3, pathsImage.size());
assertEquals(5, sentryStore.getMPaths().size());
assertTrue(pathsImage.containsKey("db1.newTable2"));
assertEquals(Lists.newArrayList("user/hive/warehouse/db1.db/newTable2"),
pathsImage.get("db1.newTable2"));
}
@Test
public void testQueryParamBuilder() {
QueryParamBuilder paramBuilder;
paramBuilder = newQueryParamBuilder();
// Try single parameter
paramBuilder.add("key", "val");
assertEquals("(this.key == :key)", paramBuilder.toString());
// Try adding second parameter plus add trimming and conversion
// to lower case
paramBuilder.add("key1", " Val1 ", true);
assertEquals("(this.key == :key && this.key1 == :key1)",
paramBuilder.toString());
Map<String, Object> params = paramBuilder.getArguments();
assertEquals("val", params.get("key"));
assertEquals("Val1", params.get("key1"));
paramBuilder = newQueryParamBuilder(QueryParamBuilder.Op.OR);
paramBuilder.add("key", " Val ", true);
paramBuilder.addNotNull("notNullField");
paramBuilder.addNull("nullField");
assertEquals("(this.key == :key || this.notNullField != \"__NULL__\" || this.nullField == \"__NULL__\")",
paramBuilder.toString());
params = paramBuilder.getArguments();
assertEquals("Val", params.get("key"));
paramBuilder = newQueryParamBuilder()
.addNull("var1")
.addNotNull("var2");
assertEquals("(this.var1 == \"__NULL__\" && this.var2 != \"__NULL__\")",
paramBuilder.toString());
// Test newChild()
paramBuilder = newQueryParamBuilder();
paramBuilder
.addString("e1")
.addString("e2")
.newChild()
.add("v3", "e3")
.add("v4", "e4")
.newChild()
.addString("e5")
.addString("e6")
;
assertEquals("(e1 && e2 && (this.v3 == :v3 || this.v4 == :v4 || (e5 && e6)))",
paramBuilder.toString());
paramBuilder = newQueryParamBuilder();
paramBuilder
.addString("e1")
.addString("e2")
.newChild()
.add("v3", "e3")
.add("v4", "e4")
.newChild()
.addString("e5")
.addString("e6")
;
params = paramBuilder.getArguments();
assertEquals("e3", params.get("v3"));
assertEquals("e4", params.get("v4"));
// Test addSet
paramBuilder = newQueryParamBuilder();
Set<String>names = new HashSet<>();
names.add("foo");
names.add("bar");
names.add("bob");
paramBuilder.addSet("prefix == ", names, true);
assertEquals("(prefix == :var0 && prefix == :var1 && prefix == :var2)",
paramBuilder.toString());
params = paramBuilder.getArguments();
Set<String>result = new HashSet<>();
result.add((String)params.get("var0"));
result.add((String)params.get("var1"));
result.add((String)params.get("var2"));
assertTrue(result.containsAll(names));
assertTrue(names.containsAll(result));
}
@Test
public void testPrivilegesWithPermUpdate() throws Exception {
String roleName = "test-privilege";
String server = "server1";
String db = "db1";
String table = "tbl1";
String authzObj = "db1.tbl1";
createRole(roleName);
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("Column");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setAction(AccessConstants.SELECT);
privilege.setCreateTime(System.currentTimeMillis());
// Generate the permission add update authzObj "db1.tbl1"
PermissionsUpdate addUpdate = new PermissionsUpdate(0, false);
addUpdate.addPrivilegeUpdate(authzObj).putToAddPrivileges(
new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, roleName), privilege.getAction().toUpperCase());
// Grant the privilege to role test-privilege and verify it has been persisted.
Map<TSentryPrivilege, Updateable.Update> addPrivilegesUpdateMap = Maps.newHashMap();
addPrivilegesUpdateMap.put(privilege, addUpdate);
sentryStore.alterSentryRoleGrantPrivileges(roleName, Sets.newHashSet(privilege), addPrivilegesUpdateMap);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
// Query the persisted perm change and ensure it equals to the original one
long lastChangeID = sentryStore.getLastProcessedPermChangeID();
long initialID = lastChangeID;
MSentryPermChange addPermChange = sentryStore.getMSentryPermChangeByID(lastChangeID);
assertEquals(addUpdate.JSONSerialize(), addPermChange.getPermChange());
// Generate the permission delete update authzObj "db1.tbl1"
PermissionsUpdate delUpdate = new PermissionsUpdate(0, false);
delUpdate.addPrivilegeUpdate(authzObj).putToDelPrivileges(
new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, roleName),
privilege.getAction().toUpperCase());
// Revoke the same privilege and verify it has been removed.
Map<TSentryPrivilege, Updateable.Update> delPrivilegesUpdateMap = Maps.newHashMap();
delPrivilegesUpdateMap.put(privilege, delUpdate);
sentryStore.alterSentryRoleRevokePrivileges(roleName,
Sets.newHashSet(privilege), delPrivilegesUpdateMap);
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(0, privileges.size());
// Query the persisted perm change and ensure it equals to the original one
lastChangeID = sentryStore.getLastProcessedPermChangeID();
MSentryPermChange delPermChange = sentryStore.getMSentryPermChangeByID(lastChangeID);
assertEquals(delUpdate.JSONSerialize(), delPermChange.getPermChange());
// Verify getMSentryPermChanges will return all MSentryPermChanges up
// to the given changeID.
List<MSentryPermChange> mSentryPermChanges = sentryStore.getMSentryPermChanges(initialID);
assertEquals(lastChangeID - initialID + 1, mSentryPermChanges.size());
// Verify ifPermChangeExists will return true for persisted MSentryPermChange.
assertEquals(true, sentryStore.permChangeExists(1));
}
@Test
public void testAddDeleteGroupsWithPermUpdate() throws Exception {
String roleName = "test-groups";
String grantor = "g1";
createRole(roleName);
Set<TSentryGroup> groups = Sets.newHashSet();
TSentryGroup group = new TSentryGroup();
group.setGroupName("test-groups-g1");
groups.add(group);
group = new TSentryGroup();
group.setGroupName("test-groups-g2");
groups.add(group);
// Generate the permission add update for role "test-groups"
PermissionsUpdate addUpdate = new PermissionsUpdate(0, false);
TRoleChanges addrUpdate = addUpdate.addRoleUpdate(roleName);
for (TSentryGroup g : groups) {
addrUpdate.addToAddGroups(g.getGroupName());
}
// Assign the role "test-groups" to the groups and verify.
sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups, addUpdate);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
assertEquals(2, role.getGroups().size());
// Query the persisted perm change and ensure it equals to the original one
long lastChangeID = sentryStore.getLastProcessedPermChangeID();
MSentryPermChange addPermChange = sentryStore.getMSentryPermChangeByID(lastChangeID);
assertEquals(addUpdate.JSONSerialize(), addPermChange.getPermChange());
// Generate the permission add update for role "test-groups"
PermissionsUpdate delUpdate = new PermissionsUpdate(0, false);
TRoleChanges delrUpdate = delUpdate.addRoleUpdate(roleName);
for (TSentryGroup g : groups) {
delrUpdate.addToDelGroups(g.getGroupName());
}
// Revoke the role "test-groups" to the groups and verify.
sentryStore.alterSentryRoleDeleteGroups(roleName, groups, delUpdate);
role = sentryStore.getMSentryRoleByName(roleName);
assertEquals(Collections.emptySet(), role.getGroups());
// Query the persisted perm change and ensure it equals to the original one
MSentryPermChange delPermChange = sentryStore.getMSentryPermChangeByID(lastChangeID + 1);
assertEquals(delUpdate.JSONSerialize(), delPermChange.getPermChange());
}
@Test
public void testCreateDropRoleWithPermUpdate() throws Exception {
String roleName = "test-drop-role";
createRole(roleName);
// Generate the permission del update for dropping role "test-drop-role"
PermissionsUpdate delUpdate = new PermissionsUpdate(0, false);
delUpdate.addPrivilegeUpdate(PermissionsUpdate.ALL_AUTHZ_OBJ).putToDelPrivileges(
new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE, roleName),
PermissionsUpdate.ALL_AUTHZ_OBJ);
delUpdate.addRoleUpdate(roleName).addToDelGroups(PermissionsUpdate.ALL_GROUPS);
// Drop the role and verify.
sentryStore.dropSentryRole(roleName, delUpdate);
checkRoleDoesNotExist(roleName);
// Query the persisted perm change and ensure it equals to the original one
long lastChangeID = sentryStore.getLastProcessedPermChangeID();
MSentryPermChange delPermChange = sentryStore.getMSentryPermChangeByID(lastChangeID);
assertEquals(delUpdate.JSONSerialize(), delPermChange.getPermChange());
}
@Test
public void testDropObjWithPermUpdate() throws Exception {
String roleName1 = "list-privs-r1", roleName2 = "list-privs-r2";
sentryStore.createSentryRole(roleName1);
sentryStore.createSentryRole(roleName2);
String authzObj = "db1.tbl1";
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName("tbl1");
privilege_tbl1.setCreateTime(System.currentTimeMillis());
privilege_tbl1.setAction("SELECT");
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1), null);
// Generate the permission drop update for dropping privilege for "db1.tbl1"
PermissionsUpdate dropUpdate = new PermissionsUpdate(0, false);
dropUpdate.addPrivilegeUpdate(authzObj).putToDelPrivileges(new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE,
PermissionsUpdate.ALL_ROLES),
PermissionsUpdate.ALL_ROLES);
// Drop the privilege and verify.
sentryStore.dropPrivilege(toTSentryAuthorizable(privilege_tbl1), dropUpdate);
assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName1).size());
assertEquals(0, sentryStore.getAllTSentryPrivilegesByRoleName(roleName2).size());
// Query the persisted perm change and ensure it equals to the original one
long lastChangeID = sentryStore.getLastProcessedPermChangeID();
MSentryPermChange dropPermChange = sentryStore.getMSentryPermChangeByID(lastChangeID);
assertEquals(dropUpdate.JSONSerialize(), dropPermChange.getPermChange());
}
@Test
public void testRenameObjWithPermUpdate() throws Exception {
String roleName1 = "role1";
String table1 = "tbl1", table2 = "tbl2";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege privilege_tbl1 = new TSentryPrivilege();
privilege_tbl1.setPrivilegeScope("TABLE");
privilege_tbl1.setServerName("server1");
privilege_tbl1.setDbName("db1");
privilege_tbl1.setTableName(table1);
privilege_tbl1.setCreateTime(System.currentTimeMillis());
privilege_tbl1.setAction(AccessConstants.ALL);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(privilege_tbl1), null);
// Generate the permission rename update for renaming privilege for "db1.tbl1"
String oldAuthz = "db1.tbl1";
String newAuthz = "db1.tbl2";
PermissionsUpdate renameUpdate = new PermissionsUpdate(0, false);
TPrivilegeChanges privUpdate = renameUpdate.addPrivilegeUpdate(PermissionsUpdate.RENAME_PRIVS);
privUpdate.putToAddPrivileges(new TPrivilegePrincipal(TPrivilegePrincipalType.AUTHZ_OBJ, newAuthz), newAuthz);
privUpdate.putToDelPrivileges(new TPrivilegePrincipal(TPrivilegePrincipalType.AUTHZ_OBJ, oldAuthz), oldAuthz);
// Rename the privilege and verify.
TSentryAuthorizable oldTable = toTSentryAuthorizable(privilege_tbl1);
TSentryAuthorizable newTable = toTSentryAuthorizable(privilege_tbl1);
newTable.setTable(table2);
sentryStore.renamePrivilege(oldTable, newTable, renameUpdate);
Set<TSentryPrivilege> privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(roleName1);
assertEquals(1, privilegeSet.size());
for (TSentryPrivilege privilege : privilegeSet) {
assertTrue(table2.equalsIgnoreCase(privilege.getTableName()));
}
// Query the persisted perm change and ensure it equals to the original one
long lastChangeID = sentryStore.getLastProcessedPermChangeID();
MSentryPermChange renamePermChange = sentryStore.getMSentryPermChangeByID(lastChangeID);
assertEquals(renameUpdate.JSONSerialize(), renamePermChange.getPermChange());
}
protected static void addGroupsToUser(String user, String... groupNames) {
policyFile.addGroupsToUser(user, groupNames);
}
protected static void writePolicyFile() throws Exception {
policyFile.write(policyFilePath);
}
@Test
public void testPurgeDeltaChanges() throws Exception {
String role = "purgeRole";
String table = "purgeTable";
assertEquals(0, sentryStore.getMSentryPermChanges().size());
assertEquals(0, sentryStore.getMSentryPathChanges().size());
sentryStore.createSentryRole(role);
int privCleanCount = ServerConfig.SENTRY_DELTA_KEEP_COUNT_DEFAULT;
int extraPrivs = 5;
final int numPermChanges = extraPrivs + privCleanCount;
for (int i = 0; i < numPermChanges; i++) {
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("Column");
privilege.setServerName("server");
privilege.setDbName("db");
privilege.setTableName(table);
privilege.setColumnName("column");
privilege.setAction(AccessConstants.SELECT);
privilege.setCreateTime(System.currentTimeMillis());
PermissionsUpdate update = new PermissionsUpdate(i + 1, false);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, role, Sets.newHashSet(privilege), Lists.newArrayList(update));
}
assertEquals(numPermChanges, sentryStore.getMSentryPermChanges().size());
sentryStore.purgeDeltaChangeTables();
assertEquals(privCleanCount, sentryStore.getMSentryPermChanges().size());
// TODO: verify MSentryPathChange being purged.
// assertEquals(1, sentryStore.getMSentryPathChanges().size());
}
@Test
public void testpurgeNotificationIdTable() throws Exception {
int totalentires = 200;
int remainingEntires = ServerConfig.SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT_DEFAULT;
assertTrue(sentryStore.isHmsNotificationEmpty());
for(int id = 1; id <= totalentires; id++) {
sentryStore.persistLastProcessedNotificationID((long)id);
}
assertEquals(totalentires, sentryStore.getMSentryHmsNotificationCore().size());
sentryStore.purgeNotificationIdTable();
// Make sure that sentry store still hold entries based on SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT_DEFAULT
assertEquals(remainingEntires, sentryStore.getMSentryHmsNotificationCore().size());
sentryStore.purgeNotificationIdTable();
// Make sure that sentry store still hold entries based on SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT_DEFAULT
assertEquals(remainingEntires, sentryStore.getMSentryHmsNotificationCore().size());
sentryStore.clearAllTables();
totalentires = 50;
for(int id = 1; id <= totalentires; id++) {
sentryStore.persistLastProcessedNotificationID((long)id);
}
assertEquals(totalentires, sentryStore.getMSentryHmsNotificationCore().size());
sentryStore.purgeNotificationIdTable();
// Make sure that sentry store still holds all the entries as total entries is less than
// SENTRY_HMS_NOTIFICATION_ID_KEEP_COUNT_DEFAULT.
assertEquals(totalentires, sentryStore.getMSentryHmsNotificationCore().size());
}
/**
* This test verifies that in the case of concurrently updating delta change tables, no gap
* between change ID was made. All the change IDs must be consecutive ({@see SENTRY-1643}).
*
* @throws Exception
*/
@Test(timeout = 60000)
public void testConcurrentUpdateChanges() throws Exception {
final int numThreads = 20;
final int numChangesPerThread = 100;
final TransactionManager tm = sentryStore.getTransactionManager();
final AtomicLong seqNumGenerator = new AtomicLong(0);
final CyclicBarrier barrier = new CyclicBarrier(numThreads);
ExecutorService executor = Executors.newFixedThreadPool(numThreads);
for (int i = 0; i < numThreads; i++) {
executor.submit(new Runnable() {
@Override
public void run() {
try {
barrier.await();
} catch (Exception e) {
LOGGER.error("Barrier failed to await", e);
return;
}
for (int j = 0; j < numChangesPerThread; j++) {
List<TransactionBlock<Object>> tbs = new ArrayList<>();
PermissionsUpdate update =
new PermissionsUpdate(seqNumGenerator.getAndIncrement(), false);
tbs.add(new DeltaTransactionBlock(update));
try {
tm.executeTransactionBlocksWithRetry(tbs);
} catch (Exception e) {
LOGGER.error("Failed to execute permission update transaction", e);
fail(String.format("Transaction failed: %s", e.getMessage()));
}
}
}
});
}
executor.shutdown();
executor.awaitTermination(60, TimeUnit.SECONDS);
List<MSentryPermChange> changes = sentryStore.getMSentryPermChanges();
int actualSize = changes.size();
if (actualSize != (numThreads * numChangesPerThread)) {
LOGGER.warn("Detected {} dropped changes", ((numChangesPerThread * numThreads) - actualSize));
}
TreeSet<Long> changeIDs = new TreeSet<>();
for (MSentryPermChange change : changes) {
changeIDs.add(change.getChangeID());
}
assertEquals("duplicated change ID", actualSize, changeIDs.size());
long prevId = changeIDs.first() - 1;
for (Long changeId : changeIDs) {
assertTrue(String.format("Found non-consecutive number: prev=%d cur=%d", prevId, changeId),
changeId - prevId == 1);
prevId = changeId;
}
}
@Test
public void testDuplicateNotification() throws Exception {
Map<String, Collection<String>> authzPaths = new HashMap<>();
Long lastNotificationId = sentryStore.getLastProcessedNotificationID();
lastNotificationId ++;
authzPaths.put("db1.table1", Sets.newHashSet("user/hive/warehouse/db1.db/table1",
"user/hive/warehouse/db1.db/table1/p1"));
authzPaths.put("db1.table2", Sets.newHashSet("user/hive/warehouse/db1.db/table2"));
sentryStore.persistFullPathsImage(authzPaths, lastNotificationId);
String[]prefixes = {"/user/hive/warehouse"};
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
TPathsDump pathsDump = pathsUpdate.toThrift().getPathsDump();
Map<Integer, TPathEntry>nodeMap = pathsDump.getNodeMap();
TPathEntry root = nodeMap.get(pathsDump.getRootId());
Map<String, Collection<String>> pathsImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathsImage, false);
assertEquals("/", root.getPathElement());
assertEquals(8, nodeMap.size());//Tree size
assertEquals(2, pathsImage.size());
if (lastNotificationId == null) {
lastNotificationId = SentryConstants.EMPTY_NOTIFICATION_ID;
}
// Rename path of 'db1.table1' from 'db1.table1' to 'db1.newTable1'
lastNotificationId ++;
UniquePathsUpdate renameUpdate = new UniquePathsUpdate("u1", lastNotificationId, false);
renameUpdate.newPathChange("db1.table1")
.addToDelPaths(Arrays.asList("user", "hive", "warehouse", "db1.db", "table1"));
renameUpdate.newPathChange("db1.newTable1")
.addToAddPaths(Arrays.asList("user", "hive", "warehouse", "db1.db", "newTable1"));
sentryStore.renameAuthzPathsMapping("db1.table1", "db1.newTable1",
"user/hive/warehouse/db1.db/table1", "user/hive/warehouse/db1.db/newTable1", renameUpdate);
pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
pathsDump = pathsUpdate.toThrift().getPathsDump();
nodeMap = pathsDump.getNodeMap();
root = nodeMap.get(pathsDump.getRootId());
pathsImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathsImage, false);
assertEquals("/", root.getPathElement());
assertEquals(9, nodeMap.size());//Tree size
assertEquals(2, pathsImage.size());
assertEquals(3, sentryStore.getMPaths().size());
assertTrue(pathsImage.containsKey("db1.newTable1"));
assertTrue(CollectionUtils.isEqualCollection(Lists.newArrayList("user/hive/warehouse/db1.db/table1/p1",
"user/hive/warehouse/db1.db/newTable1"),
pathsImage.get("db1.newTable1")));
// Query the persisted path change and ensure it equals to the original one
long lastChangeID = sentryStore.getLastProcessedPathChangeID();
MSentryPathChange renamePathChange = sentryStore.getMSentryPathChangeByID(lastChangeID);
assertEquals(renameUpdate.JSONSerialize(), renamePathChange.getPathChange());
Long savedLastNotificationId = sentryStore.getLastProcessedNotificationID();
assertEquals(lastNotificationId.longValue(), savedLastNotificationId.longValue());
// Process the notificaiton second time
try {
sentryStore.renameAuthzPathsMapping("db1.table1", "db1.newTable1",
"user/hive/warehouse/db1.db/table1", "user/hive/warehouse/db1.db/newTable1", renameUpdate);
} catch (Exception e) {
if (!(e.getCause() instanceof JDODataStoreException)) {
fail("Unexpected failure occured while processing duplicate notification");
}
}
}
@Test
public void testIsAuthzPathsMappingEmpty() throws Exception {
// Add "db1.table1" authzObj
UniquePathsUpdate addUpdate = new UniquePathsUpdate("u1",1, false);
addUpdate.newPathChange("db1.table").
addToAddPaths(Arrays.asList("db1", "tbl1"));
addUpdate.newPathChange("db1.table").
addToAddPaths(Arrays.asList("db1", "tbl2"));
// Persist an empty image so that we can add paths to it.
sentryStore.persistFullPathsImage(new HashMap<String, Collection<String>>(), 0);
assertEquals(sentryStore.isAuthzPathsMappingEmpty(), true);
sentryStore.addAuthzPathsMapping("db1.table",
Sets.newHashSet("db1/tbl1", "db1/tbl2"), addUpdate);
String[]prefixes = {"/"};
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
TPathsDump pathsDump = pathsUpdate.toThrift().getPathsDump();
Map<Integer, TPathEntry>nodeMap = pathsDump.getNodeMap();
TPathEntry root = nodeMap.get(pathsDump.getRootId());
Map<String, Collection<String>> pathImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathImage, false);
assertEquals("/", root.getPathElement());
assertEquals(4, nodeMap.size());//Tree size
assertEquals(1, pathImage.size());
assertEquals(2, pathImage.get("db1.table").size());
assertEquals(2, sentryStore.getMPaths().size());
assertEquals(sentryStore.isAuthzPathsMappingEmpty(), false);
sentryStore.clearAllTables();
assertEquals(sentryStore.isAuthzPathsMappingEmpty(), true);
}
@Test
public void testAddDeleteAuthzPathsMappingNoDeltaSavedWithoutHDFSSync() throws Exception {
// disable HDFS
conf.set(ServiceConstants.ServerConfig.PROCESSOR_FACTORIES, "");
conf.set(ServiceConstants.ServerConfig.SENTRY_POLICY_STORE_PLUGINS, "");
SentryStore localSentryStore = new SentryStore(conf);
// Persist an empty image so that we can add paths to it.
localSentryStore.persistFullPathsImage(new HashMap<String, Collection<String>>(), 0);
// Add "db1.table1" authzObj
Long lastNotificationId = sentryStore.getLastProcessedNotificationID();
UniquePathsUpdate addUpdate = new UniquePathsUpdate("u1",1, false);
addUpdate.newPathChange("db1.table").
addToAddPaths(Arrays.asList("db1", "tbl1"));
addUpdate.newPathChange("db1.table").
addToAddPaths(Arrays.asList("db1", "tbl2"));
localSentryStore.addAuthzPathsMapping("db1.table",
Sets.newHashSet("db1/tbl1", "db1/tbl2"), addUpdate);
String[]prefixes = {"/"};
PathsUpdate pathsUpdate = localSentryStore.retrieveFullPathsImageUpdate(prefixes);
TPathsDump pathsDump = pathsUpdate.toThrift().getPathsDump();
Map<Integer, TPathEntry>nodeMap = pathsDump.getNodeMap();
TPathEntry root = nodeMap.get(pathsDump.getRootId());
Map<String, Collection<String>> pathImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathImage, false);
assertEquals("/", root.getPathElement());
assertEquals(4, nodeMap.size());//Tree size
assertEquals(1, pathImage.size());
assertEquals(2, pathImage.get("db1.table").size());
assertEquals(2, localSentryStore.getMPaths().size());
// Query the persisted path change and ensure it is not saved
long lastChangeID = localSentryStore.getLastProcessedPathChangeID();
assertEquals(0, lastChangeID);
// Delete path 'db1.db/tbl1' from "db1.table1" authzObj.
UniquePathsUpdate delUpdate = new UniquePathsUpdate("u2",2, false);
delUpdate.newPathChange("db1.table")
.addToDelPaths(Arrays.asList("db1", "tbl1"));
localSentryStore.deleteAuthzPathsMapping("db1.table", Sets.newHashSet("db1/tbl1"), delUpdate);
pathsUpdate = localSentryStore.retrieveFullPathsImageUpdate(prefixes);
pathsDump = pathsUpdate.toThrift().getPathsDump();
nodeMap = pathsDump.getNodeMap();
root = nodeMap.get(pathsDump.getRootId());
pathImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathImage, false);
assertEquals("/", root.getPathElement());
assertEquals(3, nodeMap.size());//Tree size
assertEquals(1, pathImage.size());
assertEquals(1, pathImage.get("db1.table").size());
assertEquals(1, localSentryStore.getMPaths().size());
// Query the persisted path change and ensure it is not saved
lastChangeID = localSentryStore.getLastProcessedPathChangeID();
assertEquals(0, lastChangeID);
// Delete "db1.table" authzObj from the authzObj -> [Paths] mapping.
UniquePathsUpdate delAllupdate = new UniquePathsUpdate("u3",3, false);
delAllupdate.newPathChange("db1.table")
.addToDelPaths(Lists.newArrayList(PathsUpdate.ALL_PATHS));
localSentryStore.deleteAllAuthzPathsMapping("db1.table", delAllupdate);
pathsUpdate = localSentryStore.retrieveFullPathsImageUpdate(prefixes);
pathsDump = pathsUpdate.toThrift().getPathsDump();
nodeMap = pathsDump.getNodeMap();
root = nodeMap.get(pathsDump.getRootId());
pathImage = new HashMap<>();
buildPathsImageMap(nodeMap, root, "", pathImage, false);
assertEquals("/", root.getPathElement());
assertEquals(1, nodeMap.size());//Tree size
assertEquals(0, pathImage.size());
assertEquals(0, localSentryStore.getMPaths().size());
// Query the persisted path change and ensure it is not saved
lastChangeID = localSentryStore.getLastProcessedPathChangeID();
assertEquals(0, lastChangeID);
lastNotificationId = localSentryStore.getLastProcessedNotificationID();
assertEquals(0, lastNotificationId.longValue());
// enable HDFS for other tests
conf.set(ServiceConstants.ServerConfig.PROCESSOR_FACTORIES, "org.apache.sentry.hdfs.SentryHDFSServiceProcessorFactory");
conf.set(ServiceConstants.ServerConfig.SENTRY_POLICY_STORE_PLUGINS, "org.apache.sentry.hdfs.SentryPlugin");
}
/**
* Test retrieveFullPathsImageUpdate() when no image is present.
* @throws Exception
*/
@Test
public void testRetrieveEmptyPathImage() throws Exception {
String[] prefixes = {};
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
TPathsUpdate tPathsUpdate = pathsUpdate.toThrift();
TPathsDump pathDump = tPathsUpdate.getPathsDump();
Map<Integer, TPathEntry> nodeMap = pathDump.getNodeMap();
assertEquals(1, nodeMap.size());
System.out.printf(nodeMap.toString());
}
/**
* Test retrieveFullPathsImageUpdate() when a single path is present.
* @throws Exception
*/
@Test
public void testRetrievePathImageWithSingleEntry() throws Exception {
String prefix = "user/hive/warehouse";
String[] prefixes = {"/" + prefix};
Map<String, Collection<String>> authzPaths = new HashMap<>();
// Makes sure that authorizable object could be associated
// with different paths and can be properly persisted into database.
String tablePath = prefix + "/db2.db/table1.1";
authzPaths.put("db1.table1", Sets.newHashSet(tablePath));
long notificationID = 1;
sentryStore.persistFullPathsImage(authzPaths, notificationID);
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
assertEquals(notificationID, pathsUpdate.getImgNum());
TPathsUpdate tPathsUpdate = pathsUpdate.toThrift();
TPathsDump pathDump = tPathsUpdate.getPathsDump();
Map<Integer, TPathEntry> nodeMap = pathDump.getNodeMap();
System.out.printf(nodeMap.toString());
assertEquals(6, nodeMap.size());
int rootId = pathDump.getRootId();
TPathEntry root = nodeMap.get(rootId);
assertEquals("/", root.getPathElement());
List<Integer> children;
TPathEntry child = root;
// Walk tree down and verify elements
for (String path: tablePath.split("/")) {
children = child.getChildren();
assertEquals(1, children.size());
child = nodeMap.get(children.get(0));
assertEquals(path, child.getPathElement());
}
}
/**
* Test paths with multiple leading slashes
* @throws Exception
*/
@Test
public void testRetrievePathImageWithMultipleLeadingSlashes() throws Exception {
//Test with no leading slashes
String prefix = "user/hive/warehouse";
String []prefixes = {"/" + prefix};
Map<String, Collection<String>> authzPaths = new HashMap<>();
// Makes sure that authorizable object could be associated
// with different paths and can be properly persisted into database.
String tablePath = prefix + "/loc1/db2.db/table1.1";
authzPaths.put("db1.table1", Sets.newHashSet(tablePath));
long notificationID = 1;
sentryStore.persistFullPathsImage(authzPaths, notificationID);
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
assertEquals(notificationID, pathsUpdate.getImgNum());
TPathsUpdate tPathsUpdate = pathsUpdate.toThrift();
TPathsDump pathDump = tPathsUpdate.getPathsDump();
Map<Integer, TPathEntry> nodeMap = pathDump.getNodeMap();
assertEquals(7, nodeMap.size());
//Test with single leading slashes
prefix = "/user/hive/warehouse";
prefixes = new String[]{prefix};
authzPaths = new HashMap<>();
// Makes sure that authorizable object could be associated
// with different paths and can be properly persisted into database.
tablePath = prefix + "/loc1/db2.db/table1.1";
authzPaths.put("db1.table1", Sets.newHashSet(tablePath));
notificationID = 2;
sentryStore.persistFullPathsImage(authzPaths, notificationID);
pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
assertEquals(notificationID, pathsUpdate.getImgNum());
tPathsUpdate = pathsUpdate.toThrift();
pathDump = tPathsUpdate.getPathsDump();
nodeMap = pathDump.getNodeMap();
assertEquals(7, nodeMap.size());
//Test with multiple leading slash
prefix = "///user/hive/warehouse";
prefixes = new String[]{prefix};
authzPaths = new HashMap<>();
// Makes sure that authorizable object could be associated
// with different paths and can be properly persisted into database.
tablePath = prefix + "/loc1/db2.db/table1.1";
authzPaths.put("db1.table1", Sets.newHashSet(tablePath));
notificationID = 3;
sentryStore.persistFullPathsImage(authzPaths, notificationID);
pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
assertEquals(notificationID, pathsUpdate.getImgNum());
tPathsUpdate = pathsUpdate.toThrift();
pathDump = tPathsUpdate.getPathsDump();
nodeMap = pathDump.getNodeMap();
assertEquals(7, nodeMap.size());
}
/**
* Create a user with the given name and verify that it is created
*
* @param userName
* @throws Exception
*/
private void createUser(String userName) throws Exception {
checkUserDoesNotExist(userName);
sentryStore.createSentryUser(userName);
checkUserExists(userName);
}
/**
* Fail test if user already exists
* @param userName User name to checl
* @throws Exception
*/
private void checkUserDoesNotExist(String userName) throws Exception {
try {
sentryStore.getMSentryUserByName(userName);
fail("User " + userName + "already exists");
} catch (SentryNoSuchObjectException e) {
// Ok
}
}
/**
* Fail test if user doesn't exist
* @param userName User name to checl
* @throws Exception
*/
private void checkUserExists(String userName) throws Exception {
assertEquals(userName.toLowerCase(),
sentryStore.getMSentryUserByName(userName).getUserName());
}
@Test
public void testGrantRevokePrivilegeForUser() throws Exception {
String userName = "test-privilege";
String server = "server1";
String db = "db1";
String table = "tbl1";
createUser(userName);
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("TABLE");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName, Sets.newHashSet(privilege), null);
MSentryUser user = sentryStore.getMSentryUserByName(userName);
Set<MSentryPrivilege> privileges = user.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.SELECT);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.USER, userName, Sets.newHashSet(privilege), null);
// after having ALL and revoking SELECT, we should have (INSERT)
user = sentryStore.getMSentryUserByName(userName);
privileges = user.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
for (MSentryPrivilege mPrivilege : privileges) {
assertEquals(server, mPrivilege.getServerName());
assertEquals(db, mPrivilege.getDbName());
assertEquals(table, mPrivilege.getTableName());
assertNotSame(AccessConstants.SELECT, mPrivilege.getAction());
assertFalse(mPrivilege.getGrantOption());
}
long numDBPrivs = sentryStore.countMSentryPrivileges();
assertEquals("Privilege count", numDBPrivs,1);
privilege.setAction(AccessConstants.INSERT);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.USER, userName, Sets.newHashSet(privilege), null);
user = sentryStore.getMSentryUserByName(userName, false);
assertNull(user);
}
/**
* Test after granting DB ALL privilege, can still grant table ALL privilege
* @throws Exception
*/
@Test
public void testGrantDuplicatePrivilegeHierchy() throws Exception {
// grant database all privilege
String roleName = "test-privilege";
String server = "server1";
String db = "db1";
String table = "tbl1";
createRole(roleName);
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("DATABASE");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
// grant table all privlege
privilege.setPrivilegeScope("TABLE");
privilege.setServerName(server.toUpperCase());
privilege.setDbName(db.toUpperCase());
privilege.setTableName(table.toUpperCase());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
// check if the table privilege is created
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 2, privileges.size());
}
@Test
public void testListSentryPrivilegesForUsersAndGroups() throws Exception {
String roleName = "role1";
String groupName = "list-privs-g1";
String userName = "u1";
String grantor = "g1";
sentryStore.createSentryRole(roleName);
TSentryPrivilege privilege1 = new TSentryPrivilege();
privilege1.setPrivilegeScope("TABLE");
privilege1.setServerName("server1");
privilege1.setDbName("db1");
privilege1.setTableName("tbl1");
privilege1.setAction("SELECT");
privilege1.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege1), null);
TSentryPrivilege privilege2 = new TSentryPrivilege();
privilege2.setPrivilegeScope("SERVER");
privilege2.setServerName("server1");
privilege2.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName, Sets.newHashSet(privilege2), null);
Set<TSentryGroup> groups = Sets.newHashSet();
TSentryGroup group = new TSentryGroup();
group.setGroupName(groupName);
groups.add(group);
sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups);
// list-privs-g1 has privilege1
// u1 has privilege2
Set<TSentryPrivilege> expectedPrivs = new HashSet<>();
expectedPrivs.add(privilege1);
expectedPrivs.add(privilege2);
assertEquals(expectedPrivs,
sentryStore.listSentryPrivilegesByUsersAndGroups(
Sets.newHashSet(groupName),
Sets.newHashSet(userName),
new TSentryActiveRoleSet(true, new HashSet<>()),
null));
}
@Test
public void testListSentryPrivilegesForProviderForUser() throws Exception {
String userName1 = "list-privs-user1";
String userName2 = "list-privs-user2";
sentryStore.createSentryUser(userName1);
sentryStore.createSentryUser(userName2);
TSentryPrivilege privilege1 = new TSentryPrivilege();
privilege1.setPrivilegeScope("TABLE");
privilege1.setServerName("server1");
privilege1.setDbName("db1");
privilege1.setTableName("tbl1");
privilege1.setAction("SELECT");
privilege1.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName1, Sets.newHashSet(privilege1), null);
privilege1.setAction("ALL");
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName2, Sets.newHashSet(privilege1), null);
assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(
new HashSet<String>(),
Sets.newHashSet(userName1),
new TSentryActiveRoleSet(true, new HashSet<String>()))));
}
@Test
public void testListSentryPrivilegesByAuthorizableForUser() throws Exception {
String userName1 = "list-privs-user1";
sentryStore.createSentryUser(userName1);
TSentryPrivilege privilege1 = new TSentryPrivilege();
privilege1.setPrivilegeScope("TABLE");
privilege1.setServerName("server1");
privilege1.setDbName("db1");
privilege1.setTableName("tbl1");
privilege1.setAction("SELECT");
privilege1.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName1, Sets.newHashSet(privilege1), null);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setServer("server1");
tSentryAuthorizable.setDb("db1");
tSentryAuthorizable.setTable("tbl1");
TSentryPrivilegeMap map = sentryStore.listSentryPrivilegesByAuthorizableForUser(
Sets.newHashSet(userName1),
tSentryAuthorizable,false);
assertEquals(1, map.getPrivilegeMapSize());
assertEquals(Sets.newHashSet(userName1), map.getPrivilegeMap().keySet());
}
@Test
public void testGrantRevokePrivilegeMultipleTimesForRole() throws Exception {
String roleName = "test-privilege";
String server = "server1";
String db = "db1";
String table = "tbl1";
createRole(roleName);
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("TABLE");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
MSentryRole role = sentryStore.getMSentryRoleByName(roleName);
Set<MSentryPrivilege> privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.SELECT);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
// after having ALL and revoking SELECT, we should have (INSERT)
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
// second round
privilege.setAction(AccessConstants.ALL);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
List<MSentryPrivilege> totalPrivileges = sentryStore.getAllMSentryPrivileges();
assertEquals(totalPrivileges.toString(),1, totalPrivileges.size());
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.INSERT);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.ROLE, roleName, Sets.newHashSet(privilege), null);
// after having ALL and revoking INSERT, we should have (SELECT)
totalPrivileges = sentryStore.getAllMSentryPrivileges();
assertEquals(totalPrivileges.toString(),1, totalPrivileges.size());
role = sentryStore.getMSentryRoleByName(roleName);
privileges = role.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
sentryStore.dropSentryRole(roleName);
}
@Test
public void testGrantRevokePrivilegeMultipleTimesForUser() throws Exception {
String userName = "test-privilege";
String server = "server1";
String db = "db1";
String table = "tbl1";
createUser(userName);
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope("TABLE");
privilege.setServerName(server);
privilege.setDbName(db);
privilege.setTableName(table);
privilege.setAction(AccessConstants.ALL);
privilege.setCreateTime(System.currentTimeMillis());
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName, Sets.newHashSet(privilege), null);
MSentryUser user = sentryStore.getMSentryUserByName(userName);
Set<MSentryPrivilege> privileges = user.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.SELECT);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.USER, userName, Sets.newHashSet(privilege), null);
// after having ALL and revoking SELECT, we should have (INSERT)
user = sentryStore.getMSentryUserByName(userName);
privileges = user.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
// second round
privilege.setAction(AccessConstants.ALL);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, userName, Sets.newHashSet(privilege), null);
List<MSentryPrivilege> totalPrivileges = sentryStore.getAllMSentryPrivileges();
assertEquals(totalPrivileges.toString(),1, totalPrivileges.size());
user = sentryStore.getMSentryUserByName(userName);
privileges = user.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.INSERT);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.USER, userName, Sets.newHashSet(privilege), null);
// after having ALL and revoking INSERT, we should have (SELECT)
totalPrivileges = sentryStore.getAllMSentryPrivileges();
assertEquals(totalPrivileges.toString(),1, totalPrivileges.size());
user = sentryStore.getMSentryUserByName(userName);
privileges = user.getPrivileges();
assertEquals(privileges.toString(), 1, privileges.size());
privilege.setAction(AccessConstants.SELECT);
sentryStore.alterSentryRevokePrivileges(SentryPrincipalType.USER, userName, Sets.newHashSet(privilege), null);
// after having ALL and revoking INSERT and SELECT, we should have NO privileges
// user should be removed automatically
user = sentryStore.getMSentryUserByName(userName, false);
assertNull(user);
}
@Test
public void testGetAllRolesPrivileges() throws Exception {
Map<String, Set<TSentryPrivilege>> allPrivileges;
// The map must be empty (no null) if no roles exist on the system yet
allPrivileges = sentryStore.getAllRolesPrivileges();
assertNotNull(allPrivileges);
assertTrue(allPrivileges.isEmpty());
final String ROLE1 = "role1";
final TSentryPrivilege ROLE1_PRIV1 =
toTSentryPrivilege("ALL", "TABLE", "server1", "db1", "table1");
final TSentryPrivilege ROLE1_PRIV2 =
toTSentryPrivilege("SELECT", "TABLE", "server1", "db1", "table2");
createRole(ROLE1);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, ROLE1, Sets.newHashSet(ROLE1_PRIV1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, ROLE1, Sets.newHashSet(ROLE1_PRIV2), null);
final String ROLE2 = "role2";
final TSentryPrivilege ROLE2_PRIV1 =
toTSentryPrivilege("INSERT", "DATABASE", "server1", "db1", "");
final TSentryPrivilege ROLE2_PRIV2 =
toTSentryPrivilege("ALL", "SERVER", "server1", "", "");
createRole(ROLE2);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, ROLE2, Sets.newHashSet(ROLE2_PRIV1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, ROLE2, Sets.newHashSet(ROLE2_PRIV2), null);
final String ROLE3 = "role3";
createRole(ROLE3);
allPrivileges = sentryStore.getAllRolesPrivileges();
// Must return 3 roles, 2 roles has 2 privileges each, 1 role has no privileges
assertEquals(3, allPrivileges.size());
assertEquals(2, allPrivileges.get(ROLE1).size());
assertTrue(allPrivileges.get(ROLE1).contains(ROLE1_PRIV1));
assertTrue(allPrivileges.get(ROLE1).contains(ROLE1_PRIV2));
assertEquals(2, allPrivileges.get(ROLE2).size());
assertTrue(allPrivileges.get(ROLE2).contains(ROLE2_PRIV1));
assertTrue(allPrivileges.get(ROLE2).contains(ROLE2_PRIV2));
assertEquals(0, allPrivileges.get(ROLE3).size());
}
@Test
public void testGetAllUsersPrivileges() throws Exception {
Map<String, Set<TSentryPrivilege>> allPrivileges;
// The map must be empty (no null) if no roles exist on the system yet
allPrivileges = sentryStore.getAllUsersPrivileges();
assertNotNull(allPrivileges);
assertTrue(allPrivileges.isEmpty());
final String USER1 = "user1";
final TSentryPrivilege USER1_PRIV1 =
toTSentryPrivilege("ALL", "TABLE", "server1", "db1", "table1");
final TSentryPrivilege USER1_PRIV2 =
toTSentryPrivilege("SELECT", "TABLE", "server1", "db1", "table2");
createUser(USER1);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER, USER1, Sets.newHashSet(USER1_PRIV1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER,USER1, Sets.newHashSet(USER1_PRIV2), null);
final String USER2 = "user2";
final TSentryPrivilege USER2_PRIV1 =
toTSentryPrivilege("INSERT", "DATABASE", "server1", "db1", "");
final TSentryPrivilege USER2_PRIV2 =
toTSentryPrivilege("ALL", "SERVER", "server1", "", "");
createUser(USER2);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER,USER2, Sets.newHashSet(USER2_PRIV1), null);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.USER,USER2, Sets.newHashSet(USER2_PRIV2), null);
final String USER3 = "user3";
createUser(USER3);
allPrivileges = sentryStore.getAllUsersPrivileges();
// Must return 3 roles, 2 roles has 2 privileges each, 1 role has no privileges
assertEquals(3, allPrivileges.size());
assertEquals(2, allPrivileges.get(USER1).size());
assertTrue(allPrivileges.get(USER1).contains(USER1_PRIV1));
assertTrue(allPrivileges.get(USER1).contains(USER1_PRIV2));
assertEquals(2, allPrivileges.get(USER2).size());
assertTrue(allPrivileges.get(USER2).contains(USER2_PRIV1));
assertTrue(allPrivileges.get(USER2).contains(USER2_PRIV2));
assertEquals(0, allPrivileges.get(USER3).size());
}
@Test
public void testPersistFullPathsImageWithHugeData() throws Exception {
Map<String, Collection<String>> authzPaths = new HashMap<>();
String[] prefixes = {"/user/hive/warehouse/"};
int dbCount = 10, tableCount = 10, partitionCount = 10, prefixSize;
prefixSize = StringUtils.countMatches(prefixes[0], "/");
// Makes sure that authorizable object could be associated
// with different paths and can be properly persisted into database.
for(int db_index = 1 ; db_index <= dbCount; db_index++) {
String db_name = "db" + db_index;
for( int table_index = 1; table_index <= tableCount; table_index++) {
Set<String> paths = Sets.newHashSet();
String table_name = "tb" + table_index;
String location = prefixes[0] + db_name + "/" + table_name;
paths.add(location);
for (int part_index = 1; part_index <= partitionCount; part_index++) {
paths.add(location + "/" + part_index);
}
authzPaths.put(db_name+table_name, paths);
}
}
long notificationID = 110000;
LOGGER.debug("Before " + Instant.now());
sentryStore.persistFullPathsImage(authzPaths, notificationID);
LOGGER.debug("After " + Instant.now());
PathsUpdate pathsUpdate = sentryStore.retrieveFullPathsImageUpdate(prefixes);
assertTrue(pathsUpdate.hasFullImage());
long savedNotificationID = sentryStore.getLastProcessedNotificationID();
assertEquals(1, pathsUpdate.getImgNum());
TPathsDump pathDump = pathsUpdate.toThrift().getPathsDump();
assertNotNull(pathDump);
Map<Integer, TPathEntry> nodeMap = pathDump.getNodeMap();
int nodeCount = prefixSize + dbCount + (dbCount * tableCount) +
(dbCount * tableCount * partitionCount);
assertTrue(nodeMap.size() == nodeCount);
assertEquals(notificationID, savedNotificationID);
}
@Test
public void testRevokeHiveAllPrivilegeFromImpalaUnset() throws Exception {
String roleName1 = "impala-r1";
String serverName = "server1";
String dbName = "db1";
String tableName = "tbl1";
String hiveAll = "*";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege hive_privilege_tbl1 = new TSentryPrivilege();
hive_privilege_tbl1.setPrivilegeScope("TABLE");
hive_privilege_tbl1.setServerName(serverName);
hive_privilege_tbl1.setDbName(dbName);
hive_privilege_tbl1.setTableName(tableName);
hive_privilege_tbl1.setCreateTime(System.currentTimeMillis());
hive_privilege_tbl1.setAction(hiveAll);
hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
TSentryPrivilege impala_privilege_tbl1_unset = new TSentryPrivilege();
impala_privilege_tbl1_unset.setPrivilegeScope("TABLE");
impala_privilege_tbl1_unset.setServerName(serverName);
impala_privilege_tbl1_unset.setDbName(dbName);
impala_privilege_tbl1_unset.setTableName(tableName);
impala_privilege_tbl1_unset.setCreateTime(System.currentTimeMillis());
impala_privilege_tbl1_unset.setAction("ALL");
impala_privilege_tbl1_unset.setGrantOption(TSentryGrantOption.UNSET);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setServer(serverName);
tSentryAuthorizable.setDb(dbName);
tSentryAuthorizable.setTable(tableName);
// grant hive ALL privilege to role roleName1
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(hive_privilege_tbl1), null);
// revoke impala ALL privilege to role roleName1
sentryStore.alterSentryRoleRevokePrivileges(roleName1, Sets.newHashSet(impala_privilege_tbl1_unset));
Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap(dbName, tableName);
assertNotNull(rolePrivilegesMap);
Set<TSentryPrivilege> rolePrivileges = rolePrivilegesMap.get(roleName1);
boolean privilegeRevoked = (rolePrivileges == null) || (rolePrivileges.size() == 0);
assertTrue(privilegeRevoked);
}
@Test
public void testRevokeHiveAllPrivilegeGrantOptionFromImpalaUnset() throws Exception {
String roleName1 = "impala-r1";
String serverName = "server1";
String dbName = "db1";
String tableName = "tbl1";
String hiveAll = "*";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege hive_privilege_tbl1 = new TSentryPrivilege();
hive_privilege_tbl1.setPrivilegeScope("TABLE");
hive_privilege_tbl1.setServerName(serverName);
hive_privilege_tbl1.setDbName(dbName);
hive_privilege_tbl1.setTableName(tableName);
hive_privilege_tbl1.setCreateTime(System.currentTimeMillis());
hive_privilege_tbl1.setAction(hiveAll);
hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
TSentryPrivilege impala_privilege_tbl1_unset = new TSentryPrivilege();
impala_privilege_tbl1_unset.setPrivilegeScope("TABLE");
impala_privilege_tbl1_unset.setServerName(serverName);
impala_privilege_tbl1_unset.setDbName(dbName);
impala_privilege_tbl1_unset.setTableName(tableName);
impala_privilege_tbl1_unset.setCreateTime(System.currentTimeMillis());
impala_privilege_tbl1_unset.setAction("ALL");
impala_privilege_tbl1_unset.setGrantOption(TSentryGrantOption.UNSET);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setServer(serverName);
tSentryAuthorizable.setDb(dbName);
tSentryAuthorizable.setTable(tableName);
// grant hive ALL privilege to role roleName1
hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(hive_privilege_tbl1), null);
hive_privilege_tbl1.setGrantOption(TSentryGrantOption.TRUE);
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(hive_privilege_tbl1), null);
// revoke impala ALL privilege to role roleName1
sentryStore.alterSentryRoleRevokePrivileges(roleName1, Sets.newHashSet(impala_privilege_tbl1_unset));
Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap(dbName, tableName);
assertNotNull(rolePrivilegesMap);
Set<TSentryPrivilege> rolePrivileges = rolePrivilegesMap.get(roleName1);
boolean privilegeRevoked = (rolePrivileges == null) || (rolePrivileges.size() == 0);
assertTrue(privilegeRevoked);
}
@Test
public void testRevokeHiveAllPrivilegeFromImpala() throws Exception {
String roleName1 = "impala-r1";
String serverName = "server1";
String dbName = "db1";
String tableName = "tbl1";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege hive_privilege_tbl1 = new TSentryPrivilege();
hive_privilege_tbl1.setPrivilegeScope("TABLE");
hive_privilege_tbl1.setServerName(serverName);
hive_privilege_tbl1.setDbName(dbName);
hive_privilege_tbl1.setTableName(tableName);
hive_privilege_tbl1.setCreateTime(System.currentTimeMillis());
hive_privilege_tbl1.setAction("*");
hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
TSentryPrivilege impala_privilege_tbl1 = new TSentryPrivilege();
impala_privilege_tbl1.setPrivilegeScope("TABLE");
impala_privilege_tbl1.setServerName(serverName);
impala_privilege_tbl1.setDbName(dbName);
impala_privilege_tbl1.setTableName(tableName);
impala_privilege_tbl1.setCreateTime(System.currentTimeMillis());
impala_privilege_tbl1.setAction("ALL");
impala_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setServer(serverName);
tSentryAuthorizable.setDb(dbName);
tSentryAuthorizable.setTable(tableName);
// grant hive ALL privilege to role roleName1
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(hive_privilege_tbl1), null);
// revoke impala ALL privilege to role roleName1
sentryStore.alterSentryRoleRevokePrivileges(roleName1, Sets.newHashSet(impala_privilege_tbl1));
Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap(dbName, tableName);
assertNotNull(rolePrivilegesMap);
Set<TSentryPrivilege> rolePrivileges = rolePrivilegesMap.get(roleName1);
boolean privilegeRevoked = (rolePrivileges == null) || (rolePrivileges.size() == 0);
assertTrue(privilegeRevoked);
}
@Test
public void testRevokeImpalaAllPrivilegeFromHive() throws Exception {
String roleName1 = "impala-r1";
String serverName = "server1";
String dbName = "db1";
String tableName = "tbl1";
sentryStore.createSentryRole(roleName1);
TSentryPrivilege hive_privilege_tbl1 = new TSentryPrivilege();
hive_privilege_tbl1.setPrivilegeScope("TABLE");
hive_privilege_tbl1.setServerName(serverName);
hive_privilege_tbl1.setDbName(dbName);
hive_privilege_tbl1.setTableName(tableName);
hive_privilege_tbl1.setCreateTime(System.currentTimeMillis());
hive_privilege_tbl1.setAction("*");
hive_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
TSentryPrivilege impala_privilege_tbl1 = new TSentryPrivilege();
impala_privilege_tbl1.setPrivilegeScope("TABLE");
impala_privilege_tbl1.setServerName(serverName);
impala_privilege_tbl1.setDbName(dbName);
impala_privilege_tbl1.setTableName(tableName);
impala_privilege_tbl1.setCreateTime(System.currentTimeMillis());
impala_privilege_tbl1.setAction("ALL");
impala_privilege_tbl1.setGrantOption(TSentryGrantOption.FALSE);
TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
tSentryAuthorizable.setServer(serverName);
tSentryAuthorizable.setDb(dbName);
tSentryAuthorizable.setTable(tableName);
// grant impala ALL privilege to role roleName1
sentryStore.alterSentryGrantPrivileges(SentryPrincipalType.ROLE, roleName1, Sets.newHashSet(impala_privilege_tbl1), null);
// revoke hive ALL privilege to role roleName1
sentryStore.alterSentryRoleRevokePrivileges(roleName1, Sets.newHashSet(hive_privilege_tbl1));
Map<String, Set<TSentryPrivilege>> rolePrivilegesMap = sentryStore.getRoleNameTPrivilegesMap(dbName, tableName);
assertNotNull(rolePrivilegesMap);
Set<TSentryPrivilege> rolePrivileges = rolePrivilegesMap.get(roleName1);
boolean privilegeRevoked = (rolePrivileges == null) || (rolePrivileges.size() == 0);
assertTrue(privilegeRevoked);
}
private TSentryPrivilege toTSentryPrivilege(String action, String scope, String server,
String dbName, String tableName) {
TSentryPrivilege privilege = new TSentryPrivilege();
privilege.setPrivilegeScope(scope);
privilege.setServerName(server);
privilege.setDbName(dbName);
privilege.setTableName(tableName);
privilege.setAction(action);
privilege.setCreateTime(System.currentTimeMillis());
return privilege;
}
private TSentryPrivilege toTSentryPrivilege(String action, String scope, String server,
String dbName, String tableName, TSentryGrantOption grantOption) {
TSentryPrivilege privilege = toTSentryPrivilege(action, scope, server, dbName, tableName);
privilege.setGrantOption(grantOption);
return privilege;
}
}