Posted to commits@sentry.apache.org by sr...@apache.org on 2014/09/16 18:59:50 UTC
git commit: SENTRY-417: Allow all users "Show role GRANT" as long as
they belong to that group ( Prasad Mujumdar via Sravya Tirukkovalur)
Repository: incubator-sentry
Updated Branches:
refs/heads/master 89a9243fd -> fd704487d
SENTRY-417: Allow all users "Show role GRANT" as long as they belong to that group ( Prasad Mujumdar via Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/fd704487
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/fd704487
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/fd704487
Branch: refs/heads/master
Commit: fd704487df49428cba258c8ef26db970dbc9d211
Parents: 89a9243
Author: Sravya Tirukkovalur <sr...@clouera.com>
Authored: Tue Sep 16 09:59:12 2014 -0700
Committer: Sravya Tirukkovalur <sr...@clouera.com>
Committed: Tue Sep 16 09:59:12 2014 -0700
----------------------------------------------------------------------
.../thrift/SentryPolicyStoreProcessor.java | 13 +++--
.../e2e/dbprovider/TestDatabaseProvider.java | 54 ++++++++++++++++++++
2 files changed, 62 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/fd704487/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 070c494..ad66838 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -337,17 +337,20 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
TListSentryRolesResponse response = new TListSentryRolesResponse();
TSentryResponseStatus status;
Set<TSentryRole> roleSet = new HashSet<TSentryRole>();
- Set<String> groups = new HashSet<String>();
+ String subject = request.getRequestorUserName();
boolean checkAllGroups = false;
try {
+ Set<String> groups = getRequestorGroups(subject);
// Don't check admin permissions for listing requestor's own roles
if (AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
- groups = getRequestorGroups(request.getRequestorUserName());
checkAllGroups = true;
} else {
- authorize(request.getRequestorUserName(),
- getRequestorGroups(request.getRequestorUserName()));
- groups.add(request.getGroupName());
+ if (!inAdminGroups(groups)) {
+ // non-admin can only list roles for their own group
+ if (!groups.contains(request.getGroupName())) {
+ throw new SentryAccessDeniedException("Access denied to " + subject);
+ }
+ }
}
roleSet = sentryStore.getTSentryRolesByGroupName(groups, checkAllGroups);
response.setRoles(roleSet);
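Review bot: The requested group never reaches the store lookup on the new side: the removed `groups.add(request.getGroupName())` is not replaced, so at `getTSentryRolesByGroupName(groups, checkAllGroups)` the `groups` argument is still the requestor's full group set, and a caller naming one group (an admin who is not a member of it, or a non-admin who belongs to several groups) appears to get the roles of the requestor's own groups rather than those of the named group, unless the store derives the target from somewhere this hunk does not show. Keep `groups` for the membership check and pass a one-element set for the named group, as below. A smaller point: the ALL comparison uses `equalsIgnoreCase` while `groups.contains(request.getGroupName())` is an exact match, so a group name differing only in case is refused; either align the two or state it, `// group names are matched case-sensitively against the requestor's groups`. The enclosing method starts before this hunk and its catch block follows it, so only the try body is visible here.
```java
      Set<String> groups = getRequestorGroups(subject);
      // the set actually queried: all of the requestor's groups for ALL,
      // otherwise only the group named in the request
      Set<String> lookup = groups;
      // Don't check admin permissions for listing requestor's own roles
      if (AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
        checkAllGroups = true;
      } else {
        // non-admin can only list roles for a group they belong to
        if (!inAdminGroups(groups) && !groups.contains(request.getGroupName())) {
          throw new SentryAccessDeniedException("Access denied to " + subject);
        }
        lookup = new HashSet<String>();
        lookup.add(request.getGroupName());
      }
      roleSet = sentryStore.getTSentryRolesByGroupName(lookup, checkAllGroups);
      // … unchanged: response.setRoles(roleSet) …
```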
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/fd704487/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
index 066e909..2865a6f 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
@@ -19,6 +19,7 @@ package org.apache.sentry.tests.e2e.dbprovider;
import static org.hamcrest.Matchers.equalToIgnoringCase;
import static org.hamcrest.Matchers.is;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
@@ -1369,6 +1370,59 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration {
}
/**
+ * SHOW ROLE GRANT GROUP groupName
+ * @throws Exception
+ 4.1. Show role grant works for non-admin users when the user belongs to the requested group
+ 4.2. Show role grant FAILS for non-admin users when the user doesn't belongs to the requested group
+ */
+ @Test
+ public void testShowRolesByGroupNonAdmin() throws Exception {
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+ //This is non deterministic as we are now using same sentry service across the tests
+ // and orphan groups are not cleaned up.
+ //context.assertSentryException(statement,"SHOW ROLE GRANT GROUP " + ADMINGROUP,
+ // SentryNoSuchObjectException.class.getSimpleName());
+ statement.execute("CREATE ROLE role1");
+ statement.execute("CREATE ROLE role2");
+ statement.execute("GRANT ROLE role1 to GROUP " + USERGROUP1);
+ statement.execute("GRANT ROLE role2 to GROUP " + USERGROUP2);
+ statement.execute("GRANT ROLE role1 to GROUP " + ADMINGROUP);
+ statement.execute("GRANT ROLE role2 to GROUP " + ADMINGROUP);
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+ // show role ADMINGROUP should fail for user1
+ context.assertSentryException(statement, "SHOW ROLE GRANT GROUP " + ADMINGROUP, SentryAccessDeniedException.class.getSimpleName());
+ ResultSet resultSet = statement.executeQuery("SHOW ROLE GRANT GROUP " + USERGROUP1);
+ assertTrue(resultSet.next());
+ assertThat(resultSet.getString(1), equalToIgnoringCase("role1"));
+ assertFalse(resultSet.next());
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER2_1);
+ statement = context.createStatement(connection);
+ // show role group1 should fail for user2
+ context.assertSentryException(statement, "SHOW ROLE GRANT GROUP " + USERGROUP1, SentryAccessDeniedException.class.getSimpleName());
+ resultSet = statement.executeQuery("SHOW ROLE GRANT GROUP " + USERGROUP2);
+ assertTrue(resultSet.next());
+ assertThat(resultSet.getString(1), equalToIgnoringCase("role2"));
+ assertFalse(resultSet.next());
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER3_1);
+ statement = context.createStatement(connection);
+ // show role group1 should fail for user3
+ context.assertSentryException(statement, "SHOW ROLE GRANT GROUP " + USERGROUP1, SentryAccessDeniedException.class.getSimpleName());
+ statement.close();
+ connection.close();
+ }
+
+ /**
* SHOW GRANT ROLE roleName
* @throws Exception
5.1. When there are no privileges granted to a role, returns an empty list
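Review bot: As far as the assertions show, the new test only exercises requestors whose sole group is the one they name (each expects exactly one role back), so it cannot distinguish a result scoped to the requested group from one scoped to all of the requestor's groups; an admin querying USERGROUP1 after both roles were granted to ADMINGROUP, or a user in two groups querying one of them, would. Add an ADMIN1 section running `resultSet = statement.executeQuery("SHOW ROLE GRANT GROUP " + USERGROUP1);` and asserting that only `role1` is returned, and the same check for a multi-group user if the fixture has one. The commented-out assertSentryException block near the top should become a one-line why-comment or be removed rather than stay as dead code, and the Javadoc item 4.2 should read `doesn't belong to the requested group`. The roles created here are never dropped, which the comment above already links to cross-test nondeterminism; a `finally` that issues `DROP ROLE role1` and `DROP ROLE role2` as ADMIN1 would keep the test self-contained.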