Posted to commits@sentry.apache.org by sr...@apache.org on 2014/06/04 10:13:47 UTC
git commit: SENTRY-243: The operation type needs to be set in the
grant/revoke task context for the failure hook ( Prasad Mujumdar via Sravya
Tirukkovalur)
Repository: incubator-sentry
Updated Branches:
refs/heads/master bc755d77d -> 7a9fd90c3
SENTRY-243: The operation type needs to be set in the grant/revoke task context for the failure hook (Prasad Mujumdar via Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/7a9fd90c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/7a9fd90c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/7a9fd90c
Branch: refs/heads/master
Commit: 7a9fd90c345a6e3f9656366773d452f18e0d5b15
Parents: bc755d7
Author: Sravya Tirukkovalur <sr...@clouera.com>
Authored: Wed Jun 4 01:13:11 2014 -0700
Committer: Sravya Tirukkovalur <sr...@clouera.com>
Committed: Wed Jun 4 01:13:11 2014 -0700
----------------------------------------------------------------------
.../hive/ql/exec/SentryGrantRevokeTask.java | 11 +++-
.../binding/hive/HiveAuthzBindingHook.java | 1 +
.../TestDbSentryOnFailureHookLoading.java | 53 +++++++++++++++++---
3 files changed, 56 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7a9fd90c/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
index 54c9a41..6ea1ca0 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -41,6 +41,7 @@ import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.plan.DDLWork;
import org.apache.hadoop.hive.ql.plan.GrantDesc;
import org.apache.hadoop.hive.ql.plan.GrantRevokeRoleDDL;
+import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.hadoop.hive.ql.plan.PrincipalDesc;
import org.apache.hadoop.hive.ql.plan.PrivilegeDesc;
import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
@@ -66,6 +67,7 @@ import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.core.model.db.Table;
import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.SentryAccessDeniedException;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;
@@ -97,6 +99,7 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
private Subject subject;
private Set<String> subjectGroups;
private String ipAddress;
+ private HiveOperation stmtOperation;
public SentryGrantRevokeTask() {
@@ -153,13 +156,13 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
}
throw new AssertionError(
"Unknown command passed to Sentry Grant/Revoke Task");
- } catch (SentryUserException e) {
+ } catch (SentryAccessDeniedException e) {
String csHooks = authzConf.get(
HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), "")
.trim();
SentryOnFailureHookContext hookContext = new SentryOnFailureHookContextImpl(
queryPlan.getQueryString(), new HashSet<ReadEntity>(),
- new HashSet<WriteEntity>(), SessionState.get().getHiveOperation(),
+ new HashSet<WriteEntity>(), stmtOperation,
null, null, null, null, subject.getName(), ipAddress,
new AuthorizationException(e), conf);
HiveAuthzBindingHook.runFailureHook(hookContext, csHooks);
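Review bot: Narrowing the catch from `SentryUserException` to `SentryAccessDeniedException` means any other SentryUserException thrown by the grant/revoke processing no longer reaches the on-failure hooks, and unless an outer handler exists outside this hunk it now propagates out of the task without being reported; the enclosing method both starts and ends outside the hunk, so that cannot be confirmed here. If the hooks are intended only for authorization denials, say so at the catch: `// only authorization denials are reported to the on-failure hooks; other Sentry errors propagate to the caller`. Separately, `stmtOperation` replaces the `SessionState.get().getHiveOperation()` lookup but has no default, so a task built on a path that never calls `setOperation` hands `null` to `SentryOnFailureHookContextImpl`; whether the hooks tolerate a null operation is not visible here, so either document that the field is required or guard it with `Objects.requireNonNull(stmtOperation, "stmtOperation")` before building the context.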
@@ -203,6 +206,10 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
this.ipAddress = ipAddress;
}
+ public void setOperation(HiveOperation stmtOperation) {
+ this.stmtOperation = stmtOperation;
+ }
+
private int processRoleDDL(HiveConf conf, LogHelper console,
SentryPolicyServiceClient sentryClient, String subject,
HiveAuthzBinding hiveAuthzBinding, RoleDDLDesc desc)
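Review bot: The new `setOperation` setter has no Javadoc, and its value is only meaningful through the failure-hook path, which a reader of this class cannot see from the setter alone. Suggested comment above it: `/** Records the HiveOperation of the statement being executed; it is handed to the on-failure hooks when a grant/revoke is denied, so callers must set it before the task runs. */`. The "must set it before the task runs" part is an inference from the field being read in the catch block above, so adjust if there is a fallback elsewhere.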
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7a9fd90c/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index a362363..812f310 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -288,6 +288,7 @@ implements HiveDriverFilterHook {
sentryTask.setSubject(subject);
sentryTask.setSubjectGroups(subjectGroups);
sentryTask.setIpAddress(context.getIpAddress());
+ sentryTask.setOperation(stmtOperation);
}
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7a9fd90c/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
index 41a31e8..8beedd7 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
@@ -157,21 +157,60 @@ public class TestDbSentryOnFailureHookLoading extends AbstractTestWithDbProvider
.setUserGroupMapping(StaticUserGroup.getStaticMapping())
.write(context.getPolicyFile());
- Connection connection = context.createConnection(USER1_1);
+ // setup db objects needed by the test
+ Connection connection = context.createConnection(ADMIN1);
Statement statement = context.createStatement(connection);
+ statement.execute("CREATE ROLE admin_role");
+ statement.execute("GRANT ALL ON SERVER "
+ + HiveServerFactory.DEFAULT_AUTHZ_SERVER_NAME + " TO ROLE admin_role");
+ statement.execute("GRANT ROLE admin_role TO GROUP " + ADMINGROUP);
+ statement.execute("DROP DATABASE IF EXISTS DB_1 CASCADE");
+ statement.execute("DROP DATABASE IF EXISTS DB_2 CASCADE");
+ statement.execute("CREATE DATABASE DB_1");
+ statement.execute("CREATE ROLE all_db1");
+ statement.execute("GRANT ALL ON DATABASE DB_1 TO ROLE all_db1");
+ statement.execute("GRANT ROLE all_db1 TO GROUP " + USERGROUP1);
+ connection.close();
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+
+ statement.execute("USE DB_1");
+ statement.execute("CREATE TABLE foo (id int)");
+
+ verifyFailureHook(statement, "CREATE ROLE fooTest",
+ HiveOperation.CREATEROLE);
+ verifyFailureHook(statement, "DROP ROLE fooTest", HiveOperation.DROPROLE);
+ verifyFailureHook(statement,
+ "GRANT ALL ON SERVER server1 TO ROLE admin_role",
+ HiveOperation.GRANT_PRIVILEGE);
+ verifyFailureHook(statement,
+ "REVOKE ALL ON SERVER server1 FROM ROLE admin_role",
+ HiveOperation.REVOKE_PRIVILEGE);
+ verifyFailureHook(statement, "GRANT ROLE all_db1 TO GROUP " + USERGROUP1,
+ HiveOperation.GRANT_ROLE);
+ verifyFailureHook(statement,
+ "REVOKE ROLE all_db1 FROM GROUP " + USERGROUP1,
+ HiveOperation.GRANT_ROLE);
+
+ statement.close();
+ connection.close();
+ context.close();
+ }
+
+ // run the given statement and verify that failure hook is invoked as expected
+ private void verifyFailureHook(Statement statement, String sqlStr,
+ HiveOperation expectedOp) throws Exception {
// negative test case: non admin user can't create role
assertFalse(DummySentryOnFailureHook.invoked);
DummySentryOnFailureHook.setHiveOp(HiveOperation.CREATEROLE);
try {
- statement.execute("CREATE ROLE fooTest");
- Assert.fail("Expected SQL exception");
+ statement.execute(sqlStr);
+ Assert.fail("Expected SQL exception for " + sqlStr);
} catch (SQLException e) {
assertTrue(DummySentryOnFailureHook.invoked);
+ } finally {
+ DummySentryOnFailureHook.invoked = false;
}
-
- statement.close();
- connection.close();
- context.close();
}
}
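Review bot: `verifyFailureHook` takes an `expectedOp` parameter but never uses it — the line `DummySentryOnFailureHook.setHiveOp(HiveOperation.CREATEROLE);` still hard-codes CREATEROLE, so every call from the test body checks the hook against the same operation and the new per-statement expectations (DROPROLE, GRANT_PRIVILEGE, REVOKE_PRIVILEGE, GRANT_ROLE) are not actually verified; it should read `DummySentryOnFailureHook.setHiveOp(expectedOp);`. Because of that, the test also cannot tell whether `REVOKE ROLE all_db1 FROM GROUP ...` being checked against `HiveOperation.GRANT_ROLE` rather than a revoke-role operation is intentional; if it is, a one-line comment on that call would prevent it being "fixed" later. The comment `// negative test case: non admin user can't create role` inside the helper is now stale for the generic method and should become `// negative test case: the statement must be denied and the failure hook must see expectedOp`.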