/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.sentry.tests.e2e.dbprovider;
import com.google.common.collect.Lists;
import java.sql.Connection;
import java.sql.Statement;
import org.apache.sentry.service.common.ServiceConstants.SentryPrincipalType;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Ignore;
import org.junit.Test;
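/**
 * End-to-end tests for owner privileges when {@code ownerPrivilegeGrantEnabled} is true,
 * i.e. the variant of {@link TestOwnerPrivileges} where the table owner's privilege is
 * expected to carry the grant option.
 *
 * <p>All fixtures ({@code statementAdmin}, {@code connection}, {@code hiveServer2},
 * {@code DB1}, {@code tableName1}, the {@code USER*}/{@code USERGROUP*} constants and the
 * {@code verify*} helpers) are inherited from the parent class.
 *
 * <p>Security note: the DDL in these tests is built by string concatenation. That is
 * acceptable only because every interpolated value is a fixed test constant; HiveQL DDL does
 * not accept bound parameters for identifiers, so do not extend these helpers to take
 * caller-supplied names.
 */
public class TestOwnerPrivilegesWithGrantOption extends TestOwnerPrivileges {

  /**
   * Enables the grant-option flag before delegating to the parent fixture setup, so every
   * test in this class runs against a Sentry/HiveServer2 configured with
   * {@code ownerPrivilegeGrantEnabled = true}.
   */
  @BeforeClass
  public static void setup() throws Exception {
    ownerPrivilegeGrantEnabled = true;
    TestOwnerPrivileges.setup();
  }

  /**
   * Verifies that a table owner (whose owner privilege carries the grant option) can transfer
   * ownership with {@code ALTER TABLE ... SET OWNER}, first to another user and then to a
   * role, and that Sentry's owner privilege and the HDFS ACLs follow the transfer.
   *
   * <p>Security-relevant assertions: after the first transfer the previous owner
   * ({@code USER1_1}) must no longer hold an HDFS ACL on the table path, while the new
   * owner's group ({@code USERGROUP2}) must; after the second transfer the group ACL must be
   * gone again.
   *
   * @throws Throwable on any setup, DDL or verification failure
   */
  @Ignore("Enable the test once HIVE-18762 is in the hiver version integrated with Sentry")
  @Test
  public void testAuthorizeAlterTableSetOwnerByOwner() throws Throwable {
    String ownerRole = "owner_role";
    dbNames = new String[]{DB1};
    roles = new String[]{"admin_role", "create_db1", ownerRole};

    // Create the required roles and assign them to USERGROUP1.
    setupUserRoles(roles, statementAdmin);

    // Fresh test database.
    statementAdmin.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
    statementAdmin.execute("CREATE DATABASE " + DB1);

    // USER1 (via create_db1) may create objects in DB1; USERGROUP2 holds ownerRole so that a
    // later SET OWNER ROLE hands the table to a role USER2_1 is a member of.
    statementAdmin.execute("GRANT CREATE ON DATABASE " + DB1 + " TO ROLE create_db1");
    statementAdmin.execute("USE " + DB1);
    statementAdmin.execute("GRANT ROLE " + ownerRole + " TO GROUP " + USERGROUP2);

    try (Connection connectionUSER1_1 = hiveServer2.createConnection(USER1_1, USER1_1);
         Statement statementUSER1_1 = connectionUSER1_1.createStatement();
         Connection connectionUSER2_1 = hiveServer2.createConnection(USER2_1, USER2_1);
         Statement statementUSER2_1 = connectionUSER2_1.createStatement()) {

      // USER1_1 creates the table and therefore becomes its owner.
      statementUSER1_1.execute("CREATE TABLE " + DB1 + "." + tableName1
          + " (under_col int comment 'the under column')");

      // As owner with ALL + grant option on the table, USER1_1 may hand ownership to a user.
      statementUSER1_1
          .execute("ALTER TABLE " + DB1 + "." + tableName1 + " SET OWNER USER " + USER2_1);

      // Owner privilege must now be held by USER2_1 (exactly one such privilege).
      verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.USER,
          Lists.newArrayList(USER2_1), DB1, tableName1, 1);

      // The previous owner's HDFS ACL must be revoked ...
      verifyHdfsAcl(Lists.newArrayList(USER1_1), null, DB1, tableName1, null, false);
      // ... and the new owner's group ACL must be present.
      verifyHdfsAcl(null, Lists.newArrayList(USERGROUP2), DB1, tableName1, null, true);

      // The new owner transfers ownership to a role.
      statementUSER2_1
          .execute("ALTER TABLE " + DB1 + "." + tableName1 + " SET OWNER ROLE " + ownerRole);

      // Owner privilege must now be held by ownerRole.
      verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.ROLE,
          Lists.newArrayList(ownerRole), DB1, tableName1, 1);

      // The group ACL set for the user owner must be gone once a role owns the table.
      verifyHdfsAcl(null, Lists.newArrayList(USERGROUP2), DB1, tableName1, null, false);
    } finally {
      // NOTE(review): this closes the admin session inherited from the parent fixture
      // (kept from the original); confirm that no later test in the run relies on it.
      statementAdmin.close();
      connection.close();
    }
  }

  /**
   * Verifies that the creator of a table receives the owner privilege, that as owner (with
   * grant option) it can {@code GRANT ALL} on the table to a role, and that a member of that
   * role can then drop the table.
   *
   * <p>Only the positive path is asserted here. TODO(review): consider also asserting that
   * {@code USER2_1} cannot drop the table <em>before</em> the owner's GRANT, so the test
   * fails if the grant becomes a no-op because USERGROUP2 already had the privilege.
   *
   * @throws Exception on any setup, DDL or verification failure
   */
  @Test
  public void testPermissionGrantToRoleByOwner() throws Exception {
    String ownerRole = "owner_role";
    String newOwnerRole = "new_owner_role";
    dbNames = new String[]{DB1};
    roles = new String[]{"admin_role", ownerRole};

    // Create the required roles and assign them to USERGROUP1.
    setupUserRoles(roles, statementAdmin);

    // Fresh test database.
    statementAdmin.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
    statementAdmin.execute("CREATE DATABASE " + DB1);

    // newOwnerRole is the grantee; USER2_1 reaches it through USERGROUP2.
    statementAdmin.execute("CREATE ROLE " + newOwnerRole);
    statementAdmin.execute("GRANT ROLE " + newOwnerRole + " to GROUP " + USERGROUP2);

    // USER1 (via ownerRole) may create objects in DB1.
    statementAdmin.execute("GRANT CREATE ON DATABASE " + DB1 + " TO ROLE " + ownerRole);
    statementAdmin.execute("USE " + DB1);

    // Both user sessions are closed by try-with-resources even when an assertion fails.
    try (Connection connectionUSER1_1 = hiveServer2.createConnection(USER1_1, USER1_1);
         Statement statementUSER1_1 = connectionUSER1_1.createStatement()) {

      // USER1_1 creates the table and therefore becomes its owner.
      statementUSER1_1.execute("CREATE TABLE " + DB1 + "." + tableName1
          + " (under_col int comment 'the under column')");

      // The creator must hold exactly one owner privilege on the new table.
      verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.USER,
          Lists.newArrayList(USER1_1), DB1, tableName1, 1);

      // The owner grants ALL on the table to the other role. The cause is attached so an
      // authorization failure shows up in the report instead of a bare message.
      try {
        statementUSER1_1
            .execute("GRANT ALL ON " + DB1 + "." + tableName1 + " TO ROLE " + newOwnerRole);
      } catch (Exception ex) {
        throw new AssertionError("Exception received while granting permissions", ex);
      }

      // A member of the grantee role must now be able to drop the table.
      try (Connection connectionUSER2_1 = hiveServer2.createConnection(USER2_1, USER2_1);
           Statement statementUSER2_1 = connectionUSER2_1.createStatement()) {
        try {
          statementUSER2_1.execute("DROP TABLE " + DB1 + "." + tableName1);
        } catch (Exception ex) {
          throw new AssertionError("Exception received while dropping the table", ex);
        }
      }
    }
  }
}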