Posted to commits@sentry.apache.org by li...@apache.org on 2018/10/19 04:34:36 UTC
sentry git commit: SENTRY-2429: Transfer database owner drops table
owner
Repository: sentry
Updated Branches:
refs/heads/master 542e984ba -> 985b70887
SENTRY-2429: Transfer database owner drops table owner
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/985b7088
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/985b7088
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/985b7088
Branch: refs/heads/master
Commit: 985b7088742906b266f0c1af393916e1d58ddd0e
Parents: 542e984
Author: lina.li <li...@cloudera.com>
Authored: Thu Oct 18 15:18:00 2018 -0500
Committer: lina.li <li...@cloudera.com>
Committed: Thu Oct 18 23:33:16 2018 -0500
----------------------------------------------------------------------
.../db/service/persistent/SentryStore.java | 32 ++++-
.../e2e/dbprovider/TestOwnerPrivileges.java | 141 +++++++++++++++++++
2 files changed, 172 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/985b7088/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 29f83a8..b387a22 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -1492,6 +1492,13 @@ public class SentryStore implements SentryStoreInterface {
removeStaledPrivileges(pm, privilegesCopy);
}
+ /**
+ * Return the privileges on the authorizable object specified in tPriv, and including
+ * privileges on the child authorizable objects.
+ * @param tPriv the privilege that specifies the authorizable object to find its privileges
+ * @param pm persistant manager
+ * @return the privileges on the authorizable object specified in tPriv
+ */
@SuppressWarnings("unchecked")
private List<MSentryPrivilege> getMSentryPrivileges(TSentryPrivilege tPriv, PersistenceManager pm) {
Query query = pm.newQuery(MSentryPrivilege.class);
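Review bot: The new javadoc on getMSentryPrivileges contradicts itself: the summary says privileges on child authorizable objects are included, while the `@return` line says only "the privileges on the authorizable object specified in tPriv". Since this commit introduces an exact-match sibling precisely to distinguish the two behaviours, the `@return` should say `@return the privileges on the authorizable object specified in tPriv and on its child objects`. The `@param pm persistant manager` line also misspells it; `persistence manager`. The method body continues past the end of the hunk.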
@@ -1522,6 +1529,29 @@ public class SentryStore implements SentryStoreInterface {
return (List<MSentryPrivilege>) query.executeWithMap(paramBuilder.getArguments());
}
+ /**
+ * Return the privileges on the authorizable object specified in tPriv, and not including
+ * privileges on the child authorizable objects.
+ * @param tPriv the privilege that specifies the authorizable object to find its privileges
+ * @param pm persistant manager
+ * @return the privileges on the authorizable object specified in tPriv
+ */
+ @SuppressWarnings("unchecked")
+ private List<MSentryPrivilege> getMSentryPrivilegesExactMatch(TSentryPrivilege tPriv, PersistenceManager pm) {
+ Query query = pm.newQuery(MSentryPrivilege.class);
+ QueryParamBuilder paramBuilder = QueryParamBuilder.newQueryParamBuilder();
+ paramBuilder
+ .add(SERVER_NAME, tPriv.getServerName())
+ .add("action", tPriv.getAction())
+ .add(DB_NAME, tPriv.getDbName())
+ .add(TABLE_NAME, tPriv.getTableName())
+ .add(COLUMN_NAME, tPriv.getColumnName())
+ .add(URI, tPriv.getURI(), true);
+
+ query.setFilter(paramBuilder.toString());
+ return (List<MSentryPrivilege>) query.executeWithMap(paramBuilder.getArguments());
+ }
+
private MSentryPrivilege getMSentryPrivilege(TSentryPrivilege tPriv, PersistenceManager pm) {
Boolean grantOption = null;
if (tPriv.getGrantOption().equals(TSentryGrantOption.TRUE)) {
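Review bot: getMSentryPrivilegesExactMatch only delivers an exact match if QueryParamBuilder.add turns an unset dbName/tableName/columnName/URI into a constraint on the empty value; if the builder skips null or empty values instead, the filter degrades to the same hierarchical query and the owner-transfer caller would still remove table-level owner privileges. I could not see QueryParamBuilder here, so this is worth confirming and then stating in the javadoc, e.g. `Every authorizable field of tPriv, including unset ones, must match exactly; an unset table name therefore matches only database-level privileges.` Unlike getMSentryPrivilege just below, grant option is not part of the filter, which looks intentional for owner privileges; a one-line comment such as `// grantOption is not filtered: owner privileges are matched regardless of it` would stop a later reader from "fixing" it. Minor: `persistant` in the `@param pm` line should read `persistence`.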
@@ -2854,7 +2884,7 @@ public class SentryStore implements SentryStoreInterface {
tOwnerPrivilege.setAction(AccessConstants.OWNER);
// Finding owner privileges and removing them.
- List<MSentryPrivilege> mOwnerPrivileges = getMSentryPrivileges(tOwnerPrivilege, pm);
+ List<MSentryPrivilege> mOwnerPrivileges = getMSentryPrivilegesExactMatch(tOwnerPrivilege, pm);
for(MSentryPrivilege mOwnerPriv : mOwnerPrivileges) {
Set<MSentryUser> users;
users = mOwnerPriv.getUsers();
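Review bot: With the exact-match lookup, correctness now depends on tOwnerPrivilege carrying only the fields of the level being transferred (db name set, table name unset for a database owner change); if a caller leaves a stale table name in the thrift object, the database-level owner privilege is no longer found and the old owner silently keeps it, which is a privilege-retention failure rather than the over-deletion this commit fixes. A comment at the call site recording that contract, `// exact match: a database-level owner change must not touch table-level owner privileges, so tOwnerPrivilege must carry only the fields of the level being transferred`, would make the assumption visible. The enclosing method starts before and ends after this hunk, so I could not verify how tOwnerPrivilege is populated or whether this same removal loop is also reached from drop-object cleanup, where cascading removal of child owner privileges would still be wanted.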
http://git-wip-us.apache.org/repos/asf/sentry/blob/985b7088/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
index 880fa94..d3294f4 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestOwnerPrivileges.java
@@ -363,6 +363,147 @@ public class TestOwnerPrivileges extends TestHDFSIntegrationBase {
}
}
+ /**
+ * Verify that if the same user is owner of both DB and table, after alter DB's owner,
+ * the table owner is still that user
+ *
+ * @throws Exception
+ */
+ @Ignore("Enable the test once HIVE-18031 is in the hiver version integrated with Sentry")
+ @Test
+ public void testAlterDBNotDropTableOwnerSameOwner() throws Exception {
+ String allWithGrantRole = "allWithGrant_role";
+ String ownerRole = "owner_role";
+ dbNames = new String[]{DB1};
+ roles = new String[]{"admin_role", "create_db1", "owner_role"};
+
+ // create required roles
+ setupUserRoles(roles, statementAdmin);
+
+ // remove test DB if it exists
+ statementAdmin.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
+
+ // setup privileges for USER1
+ statementAdmin.execute("GRANT CREATE ON SERVER server1 TO ROLE create_db1");
+
+ // USER1 creates test DB
+ Connection connectionUSER1_1 = hiveServer2.createConnection(USER1_1, USER1_1);
+ Statement statementUSER1_1 = connectionUSER1_1.createStatement();
+ statementUSER1_1.execute("CREATE DATABASE " + DB1);
+ statementUSER1_1.execute("USE " + DB1);
+
+ // USER1 create table
+ statementUSER1_1.execute("CREATE TABLE " + DB1 + "." + tableName1
+ + " (under_col int comment 'the under column')");
+
+ // verify privileges created for new database
+ verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER, Lists.newArrayList(USER1_1),
+ DB1, "", 1);
+
+ // verify privileges created for new table
+ verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER, Lists.newArrayList(USER1_1),
+ DB1, tableName1, 1);
+
+ // change db owner
+ // setup all privilege for USERGROUP2
+ statementAdmin.execute("create role " + allWithGrantRole);
+ statementAdmin.execute("grant role " + allWithGrantRole + " to group " + USERGROUP2);
+ statementAdmin.execute("GRANT ALL ON DATABASE " + DB1 + " to role " +
+ allWithGrantRole + " with grant option");
+ Connection connectionUSER2_1 = hiveServer2.createConnection(USER2_1, USER2_1);
+ Statement statementUSER2_1 = connectionUSER2_1.createStatement();
+ statementUSER2_1.execute("ALTER DATABASE " + DB1 + " SET OWNER ROLE " + "owner_role");
+
+ // Verify that new owner has owner privilege on DB
+ verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.ROLE,
+ Lists.newArrayList(ownerRole), DB1, "", 1);
+
+ // Verify table still has its owner
+ verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER, Lists.newArrayList(USER1_1),
+ DB1, tableName1, 1);
+
+ statementAdmin.execute("DROP ROLE " + allWithGrantRole);
+
+ statementAdmin.close();
+ connection.close();
+
+ statementUSER1_1.close();
+ connectionUSER1_1.close();
+
+ statementUSER2_1.close();
+ connectionUSER2_1.close();
+ }
+
+ /**
+ * Verify that if owner of DB is different from owner of its table, after alter DB's owner,
+ * the table owner still exists
+ *
+ * @throws Exception
+ */
+ @Ignore("Enable the test once HIVE-18031 is in the hiver version integrated with Sentry")
+ @Test
+ public void testAlterDBNotDropTableOwnerDifferentOwner() throws Exception {
+ String allWithGrantRole = "allWithGrant_role";
+ String ownerRole = "owner_role";
+ dbNames = new String[]{DB1};
+ roles = new String[]{"admin_role", "create_db1", "owner_role"};
+
+ // create required roles
+ setupUserRoles(roles, statementAdmin);
+
+ // remove test DB if it exists, then create the DB, so its owner is admin
+ statementAdmin.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
+ statementAdmin.execute("CREATE DATABASE " + DB1);
+
+ // setup privileges for USER1
+ statementAdmin.execute("GRANT CREATE ON SERVER server1 TO ROLE create_db1");
+ Connection connectionUSER1_1 = hiveServer2.createConnection(USER1_1, USER1_1);
+ Statement statementUSER1_1 = connectionUSER1_1.createStatement();
+ statementUSER1_1.execute("USE " + DB1);
+
+ // USER1 create table and becomes owner of that table
+ statementUSER1_1.execute("CREATE TABLE " + DB1 + "." + tableName1
+ + " (under_col int comment 'the under column')");
+
+ // verify privileges created for new database
+ verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.USER, Lists.newArrayList(admin),
+ DB1, "", 1);
+
+ // verify privileges created for new table
+ verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER, Lists.newArrayList(USER1_1),
+ DB1, tableName1, 1);
+
+ // change db owner
+ // setup all privilege for USERGROUP2
+ statementAdmin.execute("create role " + allWithGrantRole);
+ statementAdmin.execute("grant role " + allWithGrantRole + " to group " + USERGROUP2);
+ statementAdmin.execute("GRANT ALL ON DATABASE " + DB1 + " to role " +
+ allWithGrantRole + " with grant option");
+ Connection connectionUSER2_1 = hiveServer2.createConnection(USER2_1, USER2_1);
+ Statement statementUSER2_1 = connectionUSER2_1.createStatement();
+ statementUSER2_1.execute("ALTER DATABASE " + DB1 + " SET OWNER ROLE " + "owner_role");
+
+ // Verify that new owner has owner privilege on DB
+ verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.ROLE,
+ Lists.newArrayList(ownerRole), DB1, "", 1);
+
+ // Verify table still has its owner
+ verifyTableOwnerPrivilegeExistForPrincipal(statementUSER1_1, SentryPrincipalType.USER, Lists.newArrayList(USER1_1),
+ DB1, tableName1, 1);
+
+ statementAdmin.execute("DROP ROLE " + allWithGrantRole);
+
+ statementAdmin.close();
+ connection.close();
+
+ statementUSER1_1.close();
+ connectionUSER1_1.close();
+
+ statementUSER2_1.close();
+ connectionUSER2_1.close();
+ }
+
+
/**
* Verify that the user who creases table has owner privilege on this table and
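Review bot: Neither new test checks that the previous owner lost its database owner privilege after `ALTER DATABASE ... SET OWNER`, which is the other half of a correct transfer and the security-relevant one; after the new-owner check, add `verifyTableOwnerPrivilegeExistForPrincipal(statementAdmin, SentryPrincipalType.USER, Lists.newArrayList(USER1_1), DB1, "", 0);` in testAlterDBNotDropTableOwnerSameOwner (and the same with `admin` in the second test) so a regression that leaves two owners is caught. Both tests are `@Ignore`d pending HIVE-18031, so the SentryStore change in this commit is not exercised by CI; a store-level test that inserts a database owner and a table owner privilege and drives the transfer path directly would not need the Hive dependency. The `DROP ROLE` and close calls are not in a `finally`, so a failing assertion leaves `allWithGrant_role` and open connections behind for later tests in the class. Minor: `hiver version` in the `@Ignore` messages should read `hive version`.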