Posted to commits@sentry.apache.org by sr...@apache.org on 2014/06/04 10:13:47 UTC

git commit: SENTRY-243: The operation type needs to be set in the grant/revoke task context for the failure hook ( Prasad Mujumdar via Sravya Tirukkovalur)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master bc755d77d -> 7a9fd90c3


SENTRY-243: The operation type needs to be set in the grant/revoke task context for the failure hook ( Prasad Mujumdar via Sravya Tirukkovalur)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/7a9fd90c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/7a9fd90c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/7a9fd90c

Branch: refs/heads/master
Commit: 7a9fd90c345a6e3f9656366773d452f18e0d5b15
Parents: bc755d7
Author: Sravya Tirukkovalur <sr...@clouera.com>
Authored: Wed Jun 4 01:13:11 2014 -0700
Committer: Sravya Tirukkovalur <sr...@clouera.com>
Committed: Wed Jun 4 01:13:11 2014 -0700

----------------------------------------------------------------------
 .../hive/ql/exec/SentryGrantRevokeTask.java     | 11 +++-
 .../binding/hive/HiveAuthzBindingHook.java      |  1 +
 .../TestDbSentryOnFailureHookLoading.java       | 53 +++++++++++++++++---
 3 files changed, 56 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7a9fd90c/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
index 54c9a41..6ea1ca0 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -41,6 +41,7 @@ import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.plan.DDLWork;
 import org.apache.hadoop.hive.ql.plan.GrantDesc;
 import org.apache.hadoop.hive.ql.plan.GrantRevokeRoleDDL;
+import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.apache.hadoop.hive.ql.plan.PrincipalDesc;
 import org.apache.hadoop.hive.ql.plan.PrivilegeDesc;
 import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
@@ -66,6 +67,7 @@ import org.apache.sentry.core.model.db.Database;
 import org.apache.sentry.core.model.db.Server;
 import org.apache.sentry.core.model.db.Table;
 import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.SentryAccessDeniedException;
 import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
 import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
 import org.apache.sentry.provider.db.service.thrift.TSentryRole;
@@ -97,6 +99,7 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
   private Subject subject;
   private Set<String> subjectGroups;
   private String ipAddress;
+  private HiveOperation stmtOperation;
 
 
   public SentryGrantRevokeTask() {
@@ -153,13 +156,13 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
         }
         throw new AssertionError(
             "Unknown command passed to Sentry Grant/Revoke Task");
-      } catch (SentryUserException e) {
+      } catch (SentryAccessDeniedException e) {
         String csHooks = authzConf.get(
             HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), "")
             .trim();
         SentryOnFailureHookContext hookContext = new SentryOnFailureHookContextImpl(
             queryPlan.getQueryString(), new HashSet<ReadEntity>(),
-            new HashSet<WriteEntity>(), SessionState.get().getHiveOperation(),
+            new HashSet<WriteEntity>(), stmtOperation,
             null, null, null, null, subject.getName(), ipAddress,
             new AuthorizationException(e), conf);
         HiveAuthzBindingHook.runFailureHook(hookContext, csHooks);
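Review bot: Narrowing the catch from `SentryUserException` to `SentryAccessDeniedException` means any other `SentryUserException` raised inside this try (a policy-service or client failure, if those are reported that way — not visible here) no longer reaches the on-failure hooks, and unless a later catch outside this hunk handles it, now propagates out of the block instead; if the intent is that only authorization denials are audited, say so in a comment on the catch, e.g. `// only access denials are reported to the on-failure hooks; other Sentry errors propagate`. The hook context now takes `stmtOperation` from the field rather than `SessionState`, so a task on which `setOperation` was never called hands the hook a null operation, whereas the old code at least had the session value; a fallback such as `stmtOperation != null ? stmtOperation : SessionState.get().getHiveOperation()` keeps the previous behaviour for that path. `subject.getName()` on the following line would also NPE if `setSubject` was not called, so a `Objects.requireNonNull`-style check at the top of the method, or a guard here, would turn a silent audit gap into a clear error. The enclosing method starts and ends outside this hunk.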
@@ -203,6 +206,10 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
     this.ipAddress = ipAddress;
   }
 
+  public void setOperation(HiveOperation stmtOperation) {
+    this.stmtOperation = stmtOperation;
+  }
+
   private int processRoleDDL(HiveConf conf, LogHelper console,
       SentryPolicyServiceClient sentryClient, String subject,
       HiveAuthzBinding hiveAuthzBinding, RoleDDLDesc desc)

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7a9fd90c/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index a362363..812f310 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -288,6 +288,7 @@ implements HiveDriverFilterHook {
         sentryTask.setSubject(subject);
         sentryTask.setSubjectGroups(subjectGroups);
         sentryTask.setIpAddress(context.getIpAddress());
+        sentryTask.setOperation(stmtOperation);
       }
     }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7a9fd90c/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
index 41a31e8..8beedd7 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
@@ -157,21 +157,60 @@ public class TestDbSentryOnFailureHookLoading extends AbstractTestWithDbProvider
         .setUserGroupMapping(StaticUserGroup.getStaticMapping())
         .write(context.getPolicyFile());
 
-    Connection connection = context.createConnection(USER1_1);
+    // setup db objects needed by the test
+    Connection connection = context.createConnection(ADMIN1);
     Statement statement = context.createStatement(connection);
+    statement.execute("CREATE ROLE admin_role");
+    statement.execute("GRANT ALL ON SERVER "
+        + HiveServerFactory.DEFAULT_AUTHZ_SERVER_NAME + " TO ROLE admin_role");
+    statement.execute("GRANT ROLE admin_role TO GROUP " + ADMINGROUP);
+    statement.execute("DROP DATABASE IF EXISTS DB_1 CASCADE");
+    statement.execute("DROP DATABASE IF EXISTS DB_2 CASCADE");
+    statement.execute("CREATE DATABASE DB_1");
+    statement.execute("CREATE ROLE all_db1");
+    statement.execute("GRANT ALL ON DATABASE DB_1 TO ROLE all_db1");
+    statement.execute("GRANT ROLE all_db1 TO GROUP " + USERGROUP1);
+    connection.close();
 
+    connection = context.createConnection(USER1_1);
+    statement = context.createStatement(connection);
+
+    statement.execute("USE DB_1");
+    statement.execute("CREATE TABLE foo (id int)");
+
+    verifyFailureHook(statement, "CREATE ROLE fooTest",
+        HiveOperation.CREATEROLE);
+    verifyFailureHook(statement, "DROP ROLE fooTest", HiveOperation.DROPROLE);
+    verifyFailureHook(statement,
+        "GRANT ALL ON SERVER server1 TO ROLE admin_role",
+        HiveOperation.GRANT_PRIVILEGE);
+    verifyFailureHook(statement,
+        "REVOKE ALL ON SERVER server1 FROM ROLE admin_role",
+        HiveOperation.REVOKE_PRIVILEGE);
+    verifyFailureHook(statement, "GRANT ROLE all_db1 TO GROUP " + USERGROUP1,
+        HiveOperation.GRANT_ROLE);
+    verifyFailureHook(statement,
+        "REVOKE ROLE all_db1 FROM GROUP " + USERGROUP1,
+        HiveOperation.GRANT_ROLE);
+
+    statement.close();
+    connection.close();
+    context.close();
+  }
+
+  // run the given statement and verify that failure hook is invoked as expected
+  private void verifyFailureHook(Statement statement, String sqlStr,
+      HiveOperation expectedOp) throws Exception {
     // negative test case: non admin user can't create role
     assertFalse(DummySentryOnFailureHook.invoked);
     DummySentryOnFailureHook.setHiveOp(HiveOperation.CREATEROLE);
     try {
-      statement.execute("CREATE ROLE fooTest");
-      Assert.fail("Expected SQL exception");
+      statement.execute(sqlStr);
+      Assert.fail("Expected SQL exception for " + sqlStr);
     } catch (SQLException e) {
       assertTrue(DummySentryOnFailureHook.invoked);
+    } finally {
+      DummySentryOnFailureHook.invoked = false;
     }
-
-    statement.close();
-    connection.close();
-    context.close();
   }
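Review bot: `verifyFailureHook` never uses its `expectedOp` parameter — the `setHiveOp` call inside the helper still hard-codes `HiveOperation.CREATEROLE`, so the operation type that this commit is meant to propagate into the hook context is not actually checked for the DROP ROLE, GRANT/REVOKE privilege and GRANT/REVOKE ROLE cases; it should be `DummySentryOnFailureHook.setHiveOp(expectedOp);`. Once that is fixed, the REVOKE ROLE case which passes `HiveOperation.GRANT_ROLE` as the expected operation may start failing; it looks like it should be `HiveOperation.REVOKE_ROLE`, to be confirmed against what the analyzer sets for that statement. The comment `// negative test case: non admin user can't create role` now sits in the generic helper and is stale; something like `// the statement must be denied and the on-failure hook must observe the expected operation` describes what the helper does. A test that asserts on the hook being invoked should also fail loudly, rather than silently, if the hook received a different operation than the one set with `setHiveOp` — whether `DummySentryOnFailureHook` does that is not visible here.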
 }