Posted to commits@sentry.apache.org by ka...@apache.org on 2018/01/03 22:56:00 UTC
sentry git commit: SENTRY-2085: Sentry error handling exposes
SentryGroupNotFoundException externally. (Zachary Amsden,
reviewed by Kalyan Kumar Kalvagadda, Lina Li)
Repository: sentry
Updated Branches:
refs/heads/master 23bc2159a -> 4dc017163
SENTRY-2085: Sentry error handling exposes SentryGroupNotFoundException externally. (Zachary Amsden, reviewed by Kalyan Kumar Kalvagadda, Lina Li)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/4dc01716
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/4dc01716
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/4dc01716
Branch: refs/heads/master
Commit: 4dc017163c18d941ee06d160ec0e83f8e60620f1
Parents: 23bc215
Author: Kalyan Kumar Kalvagadda <kk...@cloudera.com>
Authored: Wed Jan 3 16:55:34 2018 -0600
Committer: Kalyan Kumar Kalvagadda <kk...@cloudera.com>
Committed: Wed Jan 3 16:55:34 2018 -0600
----------------------------------------------------------------------
.../binding/hive/authz/HiveAuthzBinding.java | 2 +-
.../hive/authz/HiveAuthzBindingHookBase.java | 22 ++++--
.../binding/hive/TestHiveAuthzBindings.java | 3 +-
.../solr/authz/SentrySolrPluginImpl.java | 5 +-
.../binding/solr/authz/SolrAuthzBinding.java | 6 +-
.../binding/solr/TestSolrAuthzBinding.java | 9 +--
.../exception/SentryGroupNotFoundException.java | 35 ++-------
.../provider/common/AuthorizationProvider.java | 4 +-
.../provider/common/GroupMappingService.java | 5 +-
.../common/HadoopGroupMappingService.java | 2 +-
.../common/ResourceAuthorizationProvider.java | 19 ++++-
.../common/TestNoAuthorizationProvider.java | 12 ++-
.../thrift/SentryPolicyStoreProcessor.java | 77 ++++++++++++++++++--
.../TestSentryGenericPolicyProcessor.java | 48 +++++++++++-
.../provider/file/LocalGroupMappingService.java | 2 +-
.../provider/file/TestLocalGroupMapping.java | 14 +++-
.../QueryDocAuthorizationComponent.java | 10 ++-
.../tests/e2e/hive/TestUserManagement.java | 21 +-----
.../tests/e2e/hive/TestUserManagement.java | 21 +-----
19 files changed, 211 insertions(+), 106 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
index 8ce7a02..7565a34 100644
--- a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
@@ -391,7 +391,7 @@ public class HiveAuthzBinding {
return activeRoleSet;
}
- public Set<String> getGroups(Subject subject) {
+ public Set<String> getGroups(Subject subject) throws SentryUserException {
return authProvider.getGroupMapping().getGroups(subject.getName());
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
index 9c60c22..447deaf 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
@@ -53,6 +53,7 @@ import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationSco
import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
import org.apache.sentry.core.common.utils.PathUtils;
import org.apache.sentry.core.model.db.AccessURI;
import org.apache.sentry.core.model.db.Column;
@@ -74,6 +75,7 @@ import java.net.URL;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
@@ -823,14 +825,20 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
String userName) throws SemanticException {
// get the original HiveAuthzBinding, and get the user's privileges by AuthorizationProvider
AuthorizationProvider authProvider = hiveAuthzBinding.getCurrentAuthProvider();
- Set<String> userPrivileges =
- authProvider.getPolicyEngine().getPrivileges(
- authProvider.getGroupMapping().getGroups(userName), Sets.newHashSet(userName),
- hiveAuthzBinding.getActiveRoleSet(), hiveAuthzBinding.getAuthServer());
-
- // create PrivilegeCache using user's privileges
- PrivilegeCache privilegeCache = new SimplePrivilegeCache(userPrivileges);
try {
+ Set<String> groups;
+ try {
+ groups = authProvider.getGroupMapping().getGroups(userName);
+ } catch (SentryGroupNotFoundException e) {
+ groups = Collections.emptySet();
+ LOG.debug("Could not find groups for user: " + userName);
+ }
+ Set<String> userPrivileges =
+ authProvider.getPolicyEngine().getPrivileges(groups, Sets.newHashSet(userName),
+ hiveAuthzBinding.getActiveRoleSet(), hiveAuthzBinding.getAuthServer());
+
+ // create PrivilegeCache using user's privileges
+ PrivilegeCache privilegeCache = new SimplePrivilegeCache(userPrivileges);
// create new instance of HiveAuthzBinding whose backend provider should be SimpleCacheProviderBackend
return new HiveAuthzBinding(HiveAuthzBinding.HiveHook.HiveServer2, hiveAuthzBinding.getHiveConf(),
hiveAuthzBinding.getAuthzConf(), privilegeCache);
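Review bot: The new `catch (SentryGroupNotFoundException e)` drops the exception and records the failed lookup only at debug level, so a user who is silently reduced to no groups leaves no trace in a default-level log. Falling back to `Collections.emptySet()` is the deny-side choice, but I would keep the cause and use parameterized logging rather than concatenating the caller-supplied name, e.g. `LOG.info("Could not find groups for user: {}", userName, e);` (this assumes LOG is an SLF4J logger, which the hunk does not show). The same pattern appears in the doHasAccess hunk of ResourceAuthorizationProvider.java (`LOGGER.debug("Groups not found for " + subject)`). The enclosing method starts and ends outside this hunk.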
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
index a41d1bd..3bbf6fb 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
@@ -42,7 +42,6 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
import org.apache.sentry.core.common.utils.PolicyFiles;
import org.junit.After;
import org.junit.Before;
@@ -299,7 +298,7 @@ public class TestHiveAuthzBindings {
inputTabHierarcyList, outputTabHierarcyList);
}
- @Test(expected = SentryGroupNotFoundException.class)
+ @Test(expected = AuthorizationException.class)
public void testValidateCreateFunctionRejectionForUnknownUser() throws Exception {
inputTabHierarcyList.add(Arrays.asList(new DBModelAuthorizable[] {
new Server(SERVER1), new AccessURI("file:///path/to/some/lib/dir/my.jar")
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrPluginImpl.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrPluginImpl.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrPluginImpl.java
index 91d08f0..4092fe4 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrPluginImpl.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrPluginImpl.java
@@ -39,6 +39,7 @@ import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.http.auth.BasicUserPrincipal;
import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.core.model.solr.AdminOperation;
import org.apache.sentry.core.model.solr.Collection;
import org.apache.sentry.core.model.solr.SolrConstants;
@@ -268,7 +269,7 @@ public class SentrySolrPluginImpl implements AuthorizationPlugin {
/**
* This method returns the roles associated with the specified user name.
*/
- public Set<String> getRoles (String userName) {
+ public Set<String> getRoles (String userName) throws SentryUserException {
return binding.getRoles(userName);
}
@@ -457,4 +458,4 @@ public class SentrySolrPluginImpl implements AuthorizationPlugin {
&& "kerberos".equalsIgnoreCase(authVal);
}
-}
\ No newline at end of file
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 803e5ea..5c2a301 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -34,6 +34,7 @@ import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.Model;
import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.core.model.solr.SolrPrivilegeModel;
import org.apache.sentry.core.model.solr.AdminOperation;
import org.apache.sentry.core.model.solr.Collection;
@@ -214,7 +215,7 @@ public class SolrAuthzBinding implements Closeable {
* @deprecated use getRoles instead
*/
@Deprecated
- public Set<String> getGroups(String user) {
+ public Set<String> getGroups(String user) throws SentryUserException {
return groupMapping.getGroups(user);
}
@@ -222,8 +223,9 @@ public class SolrAuthzBinding implements Closeable {
* Get the roles associated with the user
* @param user
* @return The roles associated with the user
+ * @throws SentryUserException
*/
- public Set<String> getRoles(String user) {
+ public Set<String> getRoles(String user) throws SentryUserException {
return providerBackend.getRoles(getGroups(user), ActiveRoleSet.ALL);
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index f060b82..8d28ccc 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -309,7 +309,7 @@ public class TestSolrAuthzBinding {
}
/**
- * Test that a user that doesn't exist throws an exception
+ * Test that a user that doesn't exist gets an AuthException
* when trying to authorize
*/
@Test
@@ -317,11 +317,8 @@ public class TestSolrAuthzBinding {
SolrAuthzConf solrAuthzConf =
new SolrAuthzConf(Collections.singletonList(Resources.getResource("sentry-site.xml")));
setUsableAuthzConf(solrAuthzConf);
- try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) {
- binding.authorizeCollection(new Subject("bogus"), infoCollection, querySet);
- Assert.fail("Expected SentryGroupNotFoundException");
- } catch (SentryGroupNotFoundException e) {
- }
+ SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
+ expectAuthException(binding, new Subject("bogus"), infoCollection, querySet);
}
/**
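Review bot: The rewritten test never closes the binding: the removed lines used try-with-resources, while the new `SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);` is left open, and the hunk headers for SolrAuthzBinding.java show the class as `implements Closeable`. Unless `expectAuthException` closes its argument (not visible here), keep the resource block around the helper call: `try (SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf)) { expectAuthException(binding, new Subject("bogus"), infoCollection, querySet); }`. The test method's signature is outside the hunk.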
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/exception/SentryGroupNotFoundException.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/exception/SentryGroupNotFoundException.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/exception/SentryGroupNotFoundException.java
index b978df6..6344435 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/exception/SentryGroupNotFoundException.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/exception/SentryGroupNotFoundException.java
@@ -17,45 +17,26 @@
package org.apache.sentry.core.common.exception;
-public class SentryGroupNotFoundException extends RuntimeException {
+public class SentryGroupNotFoundException extends SentryUserException {
private static final long serialVersionUID = -116202866086371881L;
/**
- * Creates a new SentryGroupNotFoundException.
- */
- public SentryGroupNotFoundException() {
- super();
- }
-
- /**
* Constructs a new SentryGroupNotFoundException.
*
- * @param message
- * the reason for the exception
+ * @param msg The reason for the exception
*/
- public SentryGroupNotFoundException(String message) {
- super(message);
+ public SentryGroupNotFoundException(String msg) {
+ super(msg);
}
/**
* Constructs a new SentryGroupNotFoundException.
*
- * @param cause
- * the underlying Throwable that caused this exception to be thrown.
- */
- public SentryGroupNotFoundException(Throwable cause) {
- super(cause);
- }
-
- /**
- * Constructs a new SentryGroupNotFoundException.
+ * @param msg The message to send
+ * @param t The underlying exception
*
- * @param message
- * the reason for the exception
- * @param cause
- * the underlying Throwable that caused this exception to be thrown.
*/
- public SentryGroupNotFoundException(String message, Throwable cause) {
- super(message, cause);
+ public SentryGroupNotFoundException(String msg, Throwable t) {
+ super(msg, t);
}
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
index 2d82bcf..73fcda8 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
@@ -25,6 +25,7 @@ import org.apache.sentry.core.common.Action;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.exception.SentryConfigurationException;
+import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.policy.common.PolicyEngine;
@@ -71,7 +72,8 @@ public interface AuthorizationProvider {
* @return
* @throws SentryConfigurationException
*/
- Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException;
+ Set<String> listPrivilegesForSubject(Subject subject)
+ throws SentryConfigurationException, SentryGroupNotFoundException;
/**
* Returns the list privileges for the given group
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java
index 7e85261..9048d76 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java
@@ -17,9 +17,10 @@
package org.apache.sentry.provider.common;
import java.util.Set;
-
import javax.annotation.concurrent.ThreadSafe;
+import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
+
/**
* Interface so the Groups class is easier to unit test with.
* Implementations of this class are expected to be thread safe
@@ -31,5 +32,5 @@ public interface GroupMappingService {
/**
* @return non-null list of groups for user
*/
- Set<String> getGroups(String user);
+ Set<String> getGroups(String user) throws SentryGroupNotFoundException;
}
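Review bot: The Javadoc on `getGroups` still promises only `@return non-null list of groups for user` and does not say when the new `SentryGroupNotFoundException` is thrown rather than an empty set returned. Callers in this commit map the exception to an empty group set in some places and to an access-denied status in others, so the contract belongs here, for example `@throws SentryGroupNotFoundException if the user's groups cannot be resolved; callers must treat this as no group membership, never as a grant`. The `listPrivilegesForSubject` declaration in AuthorizationProvider.java has the same gap: its `@throws` list names only SentryConfigurationException.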
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
index bde53d5..00b5cf6 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
@@ -54,7 +54,7 @@ public class HadoopGroupMappingService implements GroupMappingService {
}
@Override
- public Set<String> getGroups(String user) {
+ public Set<String> getGroups(String user) throws SentryGroupNotFoundException {
List<String> groupList = Lists.newArrayList();
try {
groupList = groups.getGroups(user);
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
index 005724f..a9b98f3 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
@@ -22,6 +22,7 @@ import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_NAME;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
@@ -31,6 +32,7 @@ import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.Model;
import org.apache.sentry.core.common.exception.SentryConfigurationException;
+import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.policy.common.Privilege;
@@ -91,13 +93,21 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
Preconditions.checkNotNull(actions, "Actions cannot be null");
Preconditions.checkArgument(!actions.isEmpty(), "Actions cannot be empty");
Preconditions.checkNotNull(roleSet, "ActiveRoleSet cannot be null");
- return doHasAccess(subject, authorizableHierarchy, actions, roleSet);
+ boolean hasAccess = false;
+ hasAccess = doHasAccess(subject, authorizableHierarchy, actions, roleSet);
+ return hasAccess;
}
private boolean doHasAccess(Subject subject,
List<? extends Authorizable> authorizables, Set<? extends Action> actions,
ActiveRoleSet roleSet) {
- Set<String> groups = getGroups(subject);
+ Set<String> groups;
+ try {
+ groups = getGroups(subject);
+ } catch (SentryGroupNotFoundException e) {
+ groups = Collections.emptySet();
+ LOGGER.debug("Groups not found for " + subject);
+ }
Set<String> users = Sets.newHashSet(subject.getName());
Set<String> hierarchy = new HashSet<String>();
for (Authorizable authorizable : authorizables) {
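Review bot: In `hasAccess` the new local is initialised to `false` and overwritten on the next line, so the three added lines behave exactly like the removed `return doHasAccess(subject, authorizableHierarchy, actions, roleSet);`. The initial `false` reads like a fail-closed default but never takes effect, because an exception from doHasAccess propagates before the return; I would keep the single return statement. doHasAccess continues past the end of this hunk.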
@@ -169,7 +179,7 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
return groupService;
}
- private Set<String> getGroups(Subject subject) {
+ private Set<String> getGroups(Subject subject) throws SentryGroupNotFoundException {
return groupService.getGroups(subject.getName());
}
@@ -179,7 +189,8 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
}
@Override
- public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException {
+ public Set<String> listPrivilegesForSubject(Subject subject)
+ throws SentryConfigurationException, SentryGroupNotFoundException {
return policy.getPrivileges(getGroups(subject), Sets.newHashSet(subject.getName()),
ActiveRoleSet.ALL, (Authorizable[]) null);
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
index fe01b06..c8f2bed 100644
--- a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
@@ -19,6 +19,8 @@ package org.apache.sentry.provider.common;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
+import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
+import org.junit.Assert;
import org.junit.Test;
/**
@@ -32,8 +34,12 @@ public class TestNoAuthorizationProvider {
assertFalse(nap.hasAccess(null, null, null, null));
GroupMappingService gms = nap.getGroupMapping();
- assertEquals(gms.getGroups(null).size(), 0);
- assertEquals(gms.getGroups("").size(), 0);
- assertEquals(gms.getGroups("a").size(), 0);
+ try {
+ assertEquals(gms.getGroups(null).size(), 0);
+ assertEquals(gms.getGroups("").size(), 0);
+ assertEquals(gms.getGroups("a").size(), 0);
+ } catch (SentryGroupNotFoundException e) {
+ Assert.fail("SentryGroupsNotFoundException should not be thrown");
+ }
}
}
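Review bot: Catching the exception only to call `Assert.fail(...)` discards the stack trace and cause that would explain a failure, and the message names `SentryGroupsNotFoundException`, which is not the class being caught. Declaring the exception on the test method (`throws SentryGroupNotFoundException`) and leaving the three assertions bare gives the same pass/fail result with the original trace intact. The method signature is outside this hunk.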
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 650880b..2fbad36 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -211,6 +211,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
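Review bot: The added branch copies the SentryAccessDeniedException branch directly above it and hands both `e.getMessage()` and the throwable to `Status.AccessDenied(...)`, so whatever the group-mapping layer put in the message (and, if Status serialises the throwable, its stack) goes back to the Thrift caller; that is worth checking against the commit's stated goal of not exposing this exception externally. If the build targets Java 7 or later the two branches can be merged: `} catch (SentryAccessDeniedException | SentryGroupNotFoundException e) {`. Logging an unknown user at ERROR with a full stack trace also makes the error log noisy for an expected client-side condition; a lower level without the trace would fit better. The same three lines are added in every later hunk of this file that introduces this catch. The enclosing method starts and ends outside the hunk.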
@@ -282,6 +285,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
@@ -368,6 +374,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
@@ -426,6 +435,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
@@ -482,6 +494,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
@@ -522,6 +537,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
@@ -563,6 +581,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
@@ -620,6 +641,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
@@ -663,7 +687,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
//Non admin users are only allowed to list only groups which they belong to
if(!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) {
throw new SentryAccessDeniedException("Access denied to " + subject);
- }else {
+ } else {
groups.clear();
groups.add(request.getGroupName());
}
@@ -679,6 +703,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
@@ -708,8 +735,24 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
throw new SentryAccessDeniedException("The user name can't be empty.");
}
- Set<String> requestorGroups = getRequestorGroups(requestor);
- Set<String> userGroups = getRequestorGroups(userName);
+ Set<String> requestorGroups;
+ try {
+ requestorGroups = getRequestorGroups(requestor);
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ return response;
+ }
+
+ Set<String> userGroups;
+ try {
+ userGroups = getRequestorGroups(userName);
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ String msg = "Groups for user " + userName + " do not exist: " + e.getMessage();
+ response.setStatus(Status.AccessDenied(msg, e));
+ return response;
+ }
boolean isAdmin = inAdminGroups(requestorGroups);
// Only admin users can list other user's roles in the system
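Review bot: The lookup for `userName` now fails with its own message, `"Groups for user " + userName + " do not exist: " + e.getMessage()`, and returns before `inAdminGroups(requestorGroups)` is evaluated, so a non-admin requestor can tell an unknown user name from a known one by the response text (assuming the later admin check answers with a generic denial, which is outside this hunk). I would either move the `userName` lookup after the admin/self check or return a fixed message and keep the detail in the server log only. The two early `return response;` statements also bypass anything the method does after its main try block, which is not visible here and should be confirmed. The enclosing method starts and ends outside the hunk.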
@@ -720,10 +763,6 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
roleSet = sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(userName));
response.setRoles(roleSet);
response.setStatus(Status.OK());
- } catch (SentryGroupNotFoundException e) {
- LOGGER.error(e.getMessage(), e);
- String msg = "Group couldn't be retrieved for " + requestor + " or " + userName + ".";
- response.setStatus(Status.AccessDenied(msg, e));
} catch (SentryNoSuchObjectException e) {
response.setRoles(roleSet);
String msg = "Role: " + request + " couldn't be retrieved.";
@@ -779,6 +818,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
@@ -901,6 +943,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
@@ -942,6 +987,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
@@ -1010,6 +1058,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
} catch (SentryAccessDeniedException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryThriftAPIMismatchException e) {
LOGGER.error(e.getMessage(), e);
response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
@@ -1113,6 +1164,12 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
response.setMappingData(tSentryMappingData);
response.setStatus(Status.OK());
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (Exception e) {
String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
LOGGER.error(msg, e);
@@ -1137,6 +1194,12 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
}
sentryStore.importSentryMetaData(request.getMappingData(), request.isOverwriteRole());
response.setStatus(Status.OK());
+ } catch (SentryAccessDeniedException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
+ } catch (SentryGroupNotFoundException e) {
+ LOGGER.error(e.getMessage(), e);
+ response.setStatus(Status.AccessDenied(e.getMessage(), e));
} catch (SentryInvalidInputException e) {
String msg = "Invalid input privilege object";
LOGGER.error(msg, e);
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java
index 6597a7c..cc72b33 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/service/thrift/TestSentryGenericPolicyProcessor.java
@@ -53,6 +53,9 @@ import com.google.common.collect.Sets;
public class TestSentryGenericPolicyProcessor extends org.junit.Assert {
private static final String ADMIN_GROUP = "admin_group";
private static final String ADMIN_USER = "admin_user";
+ private static final String NOT_ADMIN_USER = "not_admin_user";
+ private static final String NOT_ADMIN_GROUP = "not_admin_group";
+ private static final String NO_GROUP_USER = "no_group_user";
private SentryStoreLayer mockStore = Mockito.mock(SentryStoreLayer.class);
private SentryGenericPolicyProcessor processor;
@@ -67,7 +70,7 @@ public class TestSentryGenericPolicyProcessor extends org.junit.Assert {
@Test
public void testNotAdminOperation() throws Exception {
- String requestUser = "not_" + ADMIN_USER;
+ String requestUser = NOT_ADMIN_USER;
Status validateStatus = Status.ACCESS_DENIED;
testOperation(requestUser, validateStatus);
}
@@ -217,6 +220,45 @@ public class TestSentryGenericPolicyProcessor extends org.junit.Assert {
}
@Test
+ public void testUserWithNoGroup() throws Exception {
+ setup();
+
+ TCreateSentryRoleRequest createrequest = new TCreateSentryRoleRequest();
+ createrequest.setRequestorUserName(NO_GROUP_USER);
+ createrequest.setRoleName("r1");
+ assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.create_sentry_role(createrequest).getStatus()));
+
+ TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest();
+ dropRequest.setRequestorUserName(NO_GROUP_USER);
+ dropRequest.setRoleName("r1");
+ assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.drop_sentry_role(dropRequest).getStatus()));
+
+ TAlterSentryRoleAddGroupsRequest addRequest = new TAlterSentryRoleAddGroupsRequest();
+ addRequest.setRequestorUserName(NO_GROUP_USER);
+ addRequest.setRoleName("r1");
+ addRequest.setGroups(Sets.newHashSet("g1"));
+ assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_add_groups(addRequest).getStatus()));
+
+ TAlterSentryRoleDeleteGroupsRequest delRequest = new TAlterSentryRoleDeleteGroupsRequest();
+ delRequest.setRequestorUserName(NO_GROUP_USER);
+ delRequest.setRoleName("r1");
+ delRequest.setGroups(Sets.newHashSet("g1"));
+ assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_delete_groups(delRequest).getStatus()));
+
+ TDropPrivilegesRequest dropPrivRequest = new TDropPrivilegesRequest();
+ dropPrivRequest.setRequestorUserName(NO_GROUP_USER);
+ dropPrivRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test"));
+ assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.drop_sentry_privilege(dropPrivRequest).getStatus()));
+
+ TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest();
+ renameRequest.setRequestorUserName(NO_GROUP_USER);
+ assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.rename_sentry_privilege(renameRequest).getStatus()));
+
+ // Can't test GrantPrivilege / RevokePrivilege since the authorization happens
+ // in the persistence layer, which isn't setup in this test.
+ }
+
+ @Test
public void testGetRolesAndPrivileges() throws Exception {
String roleName = "r1";
String groupName = "g1";
@@ -311,8 +353,10 @@ public class TestSentryGenericPolicyProcessor extends org.junit.Assert {
public Set<String> getGroups(String user) {
if (user.equalsIgnoreCase(ADMIN_USER)) {
return Sets.newHashSet(ADMIN_GROUP);
+ } else if (user.equalsIgnoreCase(NOT_ADMIN_USER)){
+ return Sets.newHashSet(NOT_ADMIN_GROUP);
} else {
- return Sets.newHashSet("not" + ADMIN_GROUP);
+ return Collections.emptySet();
}
}
}
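Review bot: The stub's fallback now returns `Collections.emptySet()`, so `testUserWithNoGroup` only exercises the path where the mapping yields no groups. LocalGroupMappingService in this same commit throws `SentryGroupNotFoundException` for that condition, and nothing here covers how the processor handles a mapping that throws. A second stub user whose branch throws would cover it, assuming the overridden `getGroups` is allowed to declare the exception. The test could also assert that the returned status text does not contain `"SentryGroupNotFoundException"`, since hiding that name from callers is what the commit is for.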
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
index 5447420..4430ce7 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
@@ -85,7 +85,7 @@ public class LocalGroupMappingService implements GroupMappingService {
}
@Override
- public Set<String> getGroups(String user) {
+ public Set<String> getGroups(String user) throws SentryGroupNotFoundException {
Set<String> groups = groupMap.get(user);
if (groups == null || groups.isEmpty()) {
throw new SentryGroupNotFoundException("Unable to obtain groups for " + user);
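Review bot: `getGroups` now declares `throws SentryGroupNotFoundException` but has no Javadoc stating when it is thrown, and the condition is broader than the name suggests: an empty group set is rejected as well as an unknown user. A short comment on the method would make that contract visible to callers that have to decide between denial and error, e.g. `/** @throws SentryGroupNotFoundException if the user is unknown or is mapped to no groups */`. The method body continues outside the hunk.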
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
index 9864b82..40cb814 100644
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
@@ -59,10 +59,20 @@ public class TestLocalGroupMapping {
@Test
public void testGroupMapping() {
- Set<String> fooGroupsFromResource = localGroupMapping.getGroups("foo");
+ Set<String> fooGroupsFromResource = null;
+ try {
+ fooGroupsFromResource = localGroupMapping.getGroups("foo");
+ } catch (SentryGroupNotFoundException e) {
+ Assert.fail("SentryGroupNotFoundException should not be thrown");
+ }
Assert.assertEquals(fooGroupsFromResource, fooGroups);
- Set<String> barGroupsFromResource = localGroupMapping.getGroups("bar");
+ Set<String> barGroupsFromResource = null;
+ try {
+ barGroupsFromResource = localGroupMapping.getGroups("bar");
+ } catch (SentryGroupNotFoundException e) {
+ Assert.fail("SentryGroupNotFoundException should not be thrown");
+ }
Assert.assertEquals(barGroupsFromResource, barGroups);
try {
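Review bot: Wrapping each `getGroups` call in `try`/`catch` with `Assert.fail(...)` throws away the exception's message and stack, and forces the `= null` initialisers. Declaring the exception on the test method lets JUnit report the real failure and keeps the original one-line calls: `public void testGroupMapping() throws SentryGroupNotFoundException {`. The method continues past the end of this hunk, so the later `try` block is not reviewed here.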
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java
----------------------------------------------------------------------
diff --git a/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java b/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java
index 2338ab8..9da3d6e 100644
--- a/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java
+++ b/sentry-solr/solr-sentry-handlers/src/main/java/org/apache/solr/handler/component/QueryDocAuthorizationComponent.java
@@ -21,6 +21,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.sentry.binding.solr.authz.SentrySolrPluginImpl;
+import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.params.ModifiableSolrParams;
import org.apache.solr.common.params.SolrParams;
@@ -166,8 +167,13 @@ public class QueryDocAuthorizationComponent extends SearchComponent
throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED, getClass().getSimpleName() +
" can only be used with Sentry authorization plugin for Solr");
}
-
- return ((SentrySolrPluginImpl)plugin).getRoles(userName);
+ try {
+ return ((SentrySolrPluginImpl)plugin).getRoles(userName);
+ } catch (SentryUserException e) {
+ throw new SolrException(SolrException.ErrorCode.UNAUTHORIZED,
+ "Request from user: " + userName +
+ " rejected due to SentryUserException: ", e);
+ }
}
}
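Review bot: The `SolrException` message built in the new `catch` names the internal type (`"... rejected due to SentryUserException: "`) and ends in a dangling colon with nothing after it. Depending on how Solr renders the cause `e`, the Sentry exception text may reach the client too, which is the exposure this commit sets out to remove. A neutral message with the detail logged server-side reads better and leaks less, e.g. `"Request from user: " + userName + " rejected: unable to resolve roles", e`. The enclosing method starts outside the hunk.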
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
index 02ac514..fd8ec56 100644
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
+++ b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
@@ -19,7 +19,6 @@ package org.apache.sentry.tests.e2e.hive;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
import java.io.File;
import java.io.FileOutputStream;
@@ -28,7 +27,6 @@ import java.sql.ResultSet;
import java.sql.Statement;
import org.apache.hadoop.mapreduce.JobContext;
-import org.apache.hive.service.cli.HiveSQLException;
import org.apache.sentry.provider.file.PolicyFile;
import org.junit.After;
import org.junit.Before;
@@ -364,23 +362,12 @@ public class TestUserManagement extends AbstractTestWithStaticConfiguration {
statement.close();
connection.close();
- // user1 hasn't any group
+ // user1 has no group
connection = context.createConnection("user1");
statement = context.createStatement(connection);
- // for any sql need to be authorized, exception will be thrown if the uer hasn't any group
- // information
- try {
- statement.execute("CREATE TABLE db1.t1 (under_col int, value string)");
- fail("User without group configuration, SentryGroupNotFoundException should be thrown ");
- } catch (HiveSQLException hse) {
- assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0);
- }
- try {
- statement.execute("SELECT under_col from db1.t1");
- fail("User without group configuration, SentryGroupNotFoundException should be thrown ");
- } catch (HiveSQLException hse) {
- assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0);
- }
+ context.assertAuthzException(statement,
+ "CREATE TABLE db1.t1 (under_col int, value string)");
+ context.assertAuthzException(statement, "SELECT under_col from db1.t1");
statement.close();
connection.close();
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/4dc01716/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
index 02ac514..fd8ec56 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
@@ -19,7 +19,6 @@ package org.apache.sentry.tests.e2e.hive;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
import java.io.File;
import java.io.FileOutputStream;
@@ -28,7 +27,6 @@ import java.sql.ResultSet;
import java.sql.Statement;
import org.apache.hadoop.mapreduce.JobContext;
-import org.apache.hive.service.cli.HiveSQLException;
import org.apache.sentry.provider.file.PolicyFile;
import org.junit.After;
import org.junit.Before;
@@ -364,23 +362,12 @@ public class TestUserManagement extends AbstractTestWithStaticConfiguration {
statement.close();
connection.close();
- // user1 hasn't any group
+ // user1 has no group
connection = context.createConnection("user1");
statement = context.createStatement(connection);
- // for any sql need to be authorized, exception will be thrown if the uer hasn't any group
- // information
- try {
- statement.execute("CREATE TABLE db1.t1 (under_col int, value string)");
- fail("User without group configuration, SentryGroupNotFoundException should be thrown ");
- } catch (HiveSQLException hse) {
- assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0);
- }
- try {
- statement.execute("SELECT under_col from db1.t1");
- fail("User without group configuration, SentryGroupNotFoundException should be thrown ");
- } catch (HiveSQLException hse) {
- assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0);
- }
+ context.assertAuthzException(statement,
+ "CREATE TABLE db1.t1 (under_col int, value string)");
+ context.assertAuthzException(statement, "SELECT under_col from db1.t1");
statement.close();
connection.close();
}