Posted to commits@sentry.apache.org by sr...@apache.org on 2014/09/16 18:59:50 UTC

git commit: SENTRY-417: Allow all users "Show role GRANT" as long as they belong to that group ( Prasad Mujumdar via Sravya Tirukkovalur)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master 89a9243fd -> fd704487d


SENTRY-417: Allow all users "Show role GRANT" as long as they belong to that group ( Prasad Mujumdar via Sravya Tirukkovalur)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/fd704487
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/fd704487
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/fd704487

Branch: refs/heads/master
Commit: fd704487df49428cba258c8ef26db970dbc9d211
Parents: 89a9243
Author: Sravya Tirukkovalur <sr...@clouera.com>
Authored: Tue Sep 16 09:59:12 2014 -0700
Committer: Sravya Tirukkovalur <sr...@clouera.com>
Committed: Tue Sep 16 09:59:12 2014 -0700

----------------------------------------------------------------------
 .../thrift/SentryPolicyStoreProcessor.java      | 13 +++--
 .../e2e/dbprovider/TestDatabaseProvider.java    | 54 ++++++++++++++++++++
 2 files changed, 62 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/fd704487/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 070c494..ad66838 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -337,17 +337,20 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
     TListSentryRolesResponse response = new TListSentryRolesResponse();
     TSentryResponseStatus status;
     Set<TSentryRole> roleSet = new HashSet<TSentryRole>();
-    Set<String> groups = new HashSet<String>();
+    String subject = request.getRequestorUserName();
     boolean checkAllGroups = false;
     try {
+      Set<String> groups = getRequestorGroups(subject);
       // Don't check admin permissions for listing requestor's own roles
       if (AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
-        groups = getRequestorGroups(request.getRequestorUserName());
         checkAllGroups = true;
       } else {
-        authorize(request.getRequestorUserName(),
-          getRequestorGroups(request.getRequestorUserName()));
-        groups.add(request.getGroupName());
+        if (!inAdminGroups(groups)) {
+          // non-admin can only list roles for their own group
+          if (!groups.contains(request.getGroupName())) {
+            throw new SentryAccessDeniedException("Access denied to " + subject);
+          }
+        }
       }
       roleSet = sentryStore.getTSentryRolesByGroupName(groups, checkAllGroups);
       response.setRoles(roleSet);
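Review bot: The requested group name no longer reaches the store lookup in the non-ALL branch: the removed `groups.add(request.getGroupName())` has no replacement, so `sentryStore.getTSentryRolesByGroupName(groups, checkAllGroups)` is now called with the requestor's own groups from `getRequestorGroups(subject)` rather than the group named in the request. For an admin asking about a group they are not a member of, or a non-admin in several groups, the result would presumably be the roles of the caller's groups instead of the requested group (I cannot see the store implementation to confirm how it treats the set when checkAllGroups is false). After the membership check in the else branch, replace the set with the requested group, e.g. `groups = new HashSet<String>();` followed by `groups.add(request.getGroupName());` — a fresh set rather than mutating the one returned by `getRequestorGroups`, since its mutability is not visible here. The authorization check itself looks right: admins pass unconditionally, non-admins must have the requested group in their own group set, and a null group name falls through to `contains(null)` and is denied.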

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/fd704487/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
index 066e909..2865a6f 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
@@ -19,6 +19,7 @@ package org.apache.sentry.tests.e2e.dbprovider;
 
 import static org.hamcrest.Matchers.equalToIgnoringCase;
 import static org.hamcrest.Matchers.is;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -1369,6 +1370,59 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration {
   }
 
   /**
+   * SHOW ROLE GRANT GROUP groupName
+   * @throws Exception
+   4.1. Show role grant works for non-admin users when the user belongs to the requested group
+   4.2. Show role grant FAILS for non-admin users when the user doesn't belongs to the requested group
+   */
+  @Test
+  public void testShowRolesByGroupNonAdmin() throws Exception {
+    Connection connection = context.createConnection(ADMIN1);
+    Statement statement = context.createStatement(connection);
+    //This is non deterministic as we are now using same sentry service across the tests
+    // and orphan groups are not cleaned up.
+    //context.assertSentryException(statement,"SHOW ROLE GRANT GROUP " + ADMINGROUP,
+    //    SentryNoSuchObjectException.class.getSimpleName());
+    statement.execute("CREATE ROLE role1");
+    statement.execute("CREATE ROLE role2");
+    statement.execute("GRANT ROLE role1 to GROUP " + USERGROUP1);
+    statement.execute("GRANT ROLE role2 to GROUP " + USERGROUP2);
+    statement.execute("GRANT ROLE role1 to GROUP " + ADMINGROUP);
+    statement.execute("GRANT ROLE role2 to GROUP " + ADMINGROUP);
+    statement.close();
+    connection.close();
+
+    connection = context.createConnection(USER1_1);
+    statement = context.createStatement(connection);
+    // show role ADMINGROUP should fail for user1
+    context.assertSentryException(statement, "SHOW ROLE GRANT GROUP " + ADMINGROUP, SentryAccessDeniedException.class.getSimpleName());
+    ResultSet resultSet = statement.executeQuery("SHOW ROLE GRANT GROUP " + USERGROUP1);
+    assertTrue(resultSet.next());
+    assertThat(resultSet.getString(1), equalToIgnoringCase("role1"));
+    assertFalse(resultSet.next());
+    statement.close();
+    connection.close();
+
+    connection = context.createConnection(USER2_1);
+    statement = context.createStatement(connection);
+    // show role group1 should fail for user2
+    context.assertSentryException(statement, "SHOW ROLE GRANT GROUP " + USERGROUP1, SentryAccessDeniedException.class.getSimpleName());
+    resultSet = statement.executeQuery("SHOW ROLE GRANT GROUP " + USERGROUP2);
+    assertTrue(resultSet.next());
+    assertThat(resultSet.getString(1), equalToIgnoringCase("role2"));
+    assertFalse(resultSet.next());
+    statement.close();
+    connection.close();
+
+    connection = context.createConnection(USER3_1);
+    statement = context.createStatement(connection);
+    // show role group1 should fail for user3
+    context.assertSentryException(statement, "SHOW ROLE GRANT GROUP " + USERGROUP1, SentryAccessDeniedException.class.getSimpleName());
+    statement.close();
+    connection.close();
+  }
+
+  /**
    * SHOW GRANT ROLE roleName
    * @throws Exception
     5.1. When there are no privileges granted to a role, returns an empty list
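Review bot: The new test cannot distinguish "roles of the requested group" from "roles of the requestor's groups", because each non-admin user presumably belongs to exactly one group, so a lookup that ignores the requested group name still returns role1 for USER1_1 and role2 for USER2_1. The ADMIN1 section is the place to pin this down: ADMINGROUP is granted both role1 and role2, so an admin query for USERGROUP2 must return only role2, and a lookup keyed on the caller's groups would return both and fail the `assertFalse(resultSet.next())` check. Add the following before the admin statement is closed (assuming ADMIN1 is not also a member of USERGROUP2).
```java
// admin may list any group, and must see only that group's roles
ResultSet adminResult = statement.executeQuery("SHOW ROLE GRANT GROUP " + USERGROUP2);
assertTrue(adminResult.next());
assertThat(adminResult.getString(1), equalToIgnoringCase("role2"));
assertFalse(adminResult.next());
// … unchanged: statement.close(); connection.close(); non-admin checks …
```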