Posted to commits@sentry.apache.org by co...@apache.org on 2016/06/24 06:00:52 UTC
[23/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
deleted file mode 100644
index 81059c5..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
+++ /dev/null
@@ -1,608 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.tools;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.PrintStream;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Set;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSentryShellHive extends SentryServiceIntegrationBase {
-
- private File confDir;
- private File confPath;
- private static String TEST_ROLE_NAME_1 = "testRole1";
- private static String TEST_ROLE_NAME_2 = "testRole2";
- private String requestorName = "";
-
- @Before
- public void prepareForTest() throws Exception {
- confDir = Files.createTempDir();
- confPath = new File(confDir, "sentry-site.xml");
- if (confPath.createNewFile()) {
- FileOutputStream to = new FileOutputStream(confPath);
- conf.writeXml(to);
- to.close();
- }
- requestorName = clientUgi.getShortUserName();
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorName, requestorUserGroupNames);
- // add ADMIN_USER for the after() in SentryServiceIntegrationBase
- setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
- writePolicyFile();
- }
-
- @After
- public void clearTestData() throws Exception {
- FileUtils.deleteQuietly(confDir);
- }
-
- @Test
- public void testCreateDropRole() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // test: create role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: create role with --create_role
- args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // validate the result, list roles with -lr
- args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
- // validate the result, list roles with --list_role
- args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
- // test: drop role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: drop role with --drop_role
- args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // validate the result
- Set<TSentryRole> roles = client.listRoles(requestorName);
- assertEquals("Incorrect number of roles", 0, roles.size());
- }
- });
- }
-
- @Test
- public void testAddDeleteRoleForGroup() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- client.createRole(requestorName, TEST_ROLE_NAME_2);
- // test: add role to group with -arg
- String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: add role to multiple groups
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup2,testGroup3",
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: add role to group with --add_role_group
- args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1",
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // validate the result list roles with -lr and -g
- args = new String[] { "-lr", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
-
- // list roles with --list_role and -g
- args = new String[] { "--list_role", "-g", "testGroup2", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1);
-
- args = new String[] { "--list_role", "-g", "testGroup3", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1);
-
- // test: delete role from group with -drg
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: delete role to multiple groups
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup2,testGroup3",
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: delete role from group with --delete_role_group
- args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // validate the result
- Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, "testGroup1");
- assertEquals("Incorrect number of roles", 0, roles.size());
- roles = client.listRolesByGroupName(requestorName, "testGroup2");
- assertEquals("Incorrect number of roles", 0, roles.size());
- roles = client.listRolesByGroupName(requestorName, "testGroup3");
- assertEquals("Incorrect number of roles", 0, roles.size());
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- client.dropRole(requestorName, TEST_ROLE_NAME_2);
- }
- });
- }
-
- @Test
- public void testGrantRevokePrivilegeWithShortOption() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- client.createRole(requestorName, TEST_ROLE_NAME_2);
-
- // test: grant privilege to role with -gpr
- String[] args = { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->action=*",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // for the uri privilege, the action will be awalys *
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // test the list privilege with -lp
- args = new String[] { "-lp", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
- // validate the result for -lp
- assertEquals("Incorrect number of privileges", 6, privilegeStrs.size());
- assertTrue(privilegeStrs.contains("server=server1->action=*"));
- assertTrue(privilegeStrs.contains("server=server1->db=db1->action=select"));
- assertTrue(privilegeStrs.contains("server=server1->db=db1->table=tbl1->action=insert"));
- assertTrue(privilegeStrs
- .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert"));
- assertTrue(privilegeStrs
- .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true"));
- // for the uri privilege, the action will be awalys *
- assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*"));
-
- // test: revoke privilege from role with -rpr
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
- TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 5, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 4, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 3, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 2, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 1, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p", "server=server1->action=*",
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 0, privileges.size());
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- client.dropRole(requestorName, TEST_ROLE_NAME_2);
- }
- });
- }
-
- @Test
- public void testGrantRevokePrivilegeWithLongOption() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- client.createRole(requestorName, TEST_ROLE_NAME_2);
-
- // test: grant privilege to role with -gpr
- String[] args = { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->action=*", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // for the uri privilege, the action will be awalys *
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // test the list privilege with -lp
- args = new String[] { "--list_privilege", "-r", TEST_ROLE_NAME_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
- // validate the result for -lp
- assertEquals("Incorrect number of privileges", 6, privilegeStrs.size());
- assertTrue(privilegeStrs.contains("server=server1->action=*"));
- assertTrue(privilegeStrs.contains("server=server1->db=db1->action=select"));
- assertTrue(privilegeStrs.contains("server=server1->db=db1->table=tbl1->action=insert"));
- assertTrue(privilegeStrs
- .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert"));
- assertTrue(privilegeStrs
- .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true"));
- // for the uri privilege, the action will be awalys *
- assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*"));
-
- // test: revoke privilege from role with -rpr
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
- TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 5, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 4, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 3, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 2, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 1, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->action=*", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 0, privileges.size());
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- client.dropRole(requestorName, TEST_ROLE_NAME_2);
- }
- });
- }
-
- @Test
- public void testNegativeCaseWithInvalidArgument() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- // test: create duplicate role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for creating duplicate role");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: drop non-exist role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for dropping non-exist role");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: add non-exist role to group with -arg
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for granting non-exist role to group");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: drop group from non-exist role with -drg
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for drop group from non-exist role");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: grant privilege to role with the error privilege format
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=*",
- "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for the error privilege format, invalid key value.");
- } catch (IllegalArgumentException e) {
- // excepted exception
- }
-
- // test: grant privilege to role with the error privilege hierarchy
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->table=tbl1->column=col2->action=insert", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for the error privilege format, invalid key value.");
- } catch (IllegalArgumentException e) {
- // excepted exception
- }
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- }
- });
- }
-
- @Test
- public void testNegativeCaseWithoutRequiredArgument() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String strOptionConf = "conf";
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- // test: the conf is required argument
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
- SentryShellHive sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
-
- // test: -r is required when create role
- args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -r is required when drop role
- args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -r is required when add role to group
- args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -g is required when add role to group
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
-
- // test: -r is required when delete role from group
- args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -g is required when delete role from group
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
-
- // test: -r is required when grant privilege to role
- args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -p is required when grant privilege to role
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
-
- // test: -r is required when revoke privilege from role
- args = new String[] { "-rpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -p is required when revoke privilege from role
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
-
- // test: command option is required for shell
- args = new String[] {"-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsgsContains(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[",
- "-arg Add role to group",
- "-cr Create role",
- "-rpr Revoke privilege from role",
- "-drg Delete role from group",
- "-lr List role",
- "-lp List privilege",
- "-gpr Grant privilege to role",
- "-dr Drop role");
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- }
- });
- }
-
- // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
- private Set<String> getShellResultWithOSRedirect(SentryShellHive sentryShell,
- String[] args, boolean exceptedExecuteResult) throws Exception {
- PrintStream oldOut = System.out;
- ByteArrayOutputStream outContent = new ByteArrayOutputStream();
- System.setOut(new PrintStream(outContent));
- assertEquals(exceptedExecuteResult, sentryShell.executeShell(args));
- Set<String> resultSet = Sets.newHashSet(outContent.toString().split("\n"));
- System.setOut(oldOut);
- return resultSet;
- }
-
- private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) {
- if (expectedRoleNames != null && expectedRoleNames.length > 0) {
- assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length,
- expectedRoleNames.length, roleNames.size());
- Set<String> lowerCaseRoles = new HashSet<String>();
- for (String role : roleNames) {
- lowerCaseRoles.add(role.toLowerCase());
- }
-
- for (String expectedRole : expectedRoleNames) {
- assertTrue("Expected role: " + expectedRole,
- lowerCaseRoles.contains(expectedRole.toLowerCase()));
- }
- }
- }
-
- private void validateMissingParameterMsg(SentryShellHive sentryShell, String[] args,
- String exceptedErrorMsg) throws Exception {
- Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
- assertTrue(errorMsgs.contains(exceptedErrorMsg));
- }
-
- private void validateMissingParameterMsgsContains(SentryShellHive sentryShell, String[] args,
- String ... expectedErrorMsgsContains) throws Exception {
- Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
- boolean foundAllMessages = false;
- Iterator<String> it = errorMsgs.iterator();
- while (it.hasNext()) {
- String errorMessage = it.next();
- boolean missingExpected = false;
- for (String expectedContains : expectedErrorMsgsContains) {
- if (!errorMessage.contains(expectedContains)) {
- missingExpected = true;
- break;
- }
- }
- if (!missingExpected) {
- foundAllMessages = true;
- break;
- }
- }
- assertTrue(foundAllMessages);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
deleted file mode 100644
index cb2d9c9..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ /dev/null
@@ -1,355 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.service.thrift;
-import java.io.File;
-import java.security.PrivilegedExceptionAction;
-import java.util.Properties;
-import java.util.Set;
-import java.util.concurrent.TimeoutException;
-
-
-import com.google.common.io.Resources;
-import org.apache.commons.io.FileUtils;
-import org.apache.curator.test.TestingServer;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.minikdc.MiniKdc;
-import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.provider.db.service.persistent.HAContext;
-import org.apache.sentry.provider.db.service.thrift.SentryMiniKdcTestcase;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.zookeeper.server.ZooKeeperSaslServer;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Strings;
-import com.google.common.io.Files;
-
-public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase {
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryServiceIntegrationBase.class);
-
- protected static final String SERVER_HOST = NetUtils.createSocketAddr("localhost:80").getAddress().getCanonicalHostName();
- protected static final String REALM = "EXAMPLE.COM";
- protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST;
- protected static String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM;
- protected static final String HTTP_PRINCIPAL = "HTTP/" + SERVER_HOST;
- protected static final String CLIENT_PRINCIPAL = "hive/" + SERVER_HOST;
- protected static final String CLIENT_KERBEROS_SHORT_NAME = "hive";
- protected static final String CLIENT_KERBEROS_NAME = CLIENT_KERBEROS_SHORT_NAME
- + "/" + SERVER_HOST + "@" + REALM;
- protected static final String ADMIN_USER = "admin_user";
- protected static final String ADMIN_GROUP = "admin_group";
-
- protected static SentryService server;
- protected SentryPolicyServiceClient client;
- protected static MiniKdc kdc;
- protected static File kdcWorkDir;
- protected static File dbDir;
- protected static File serverKeytab;
- protected static File httpKeytab;
- protected static File clientKeytab;
- protected static UserGroupInformation clientUgi;
- protected static boolean kerberos;
- protected final static Configuration conf = new Configuration(false);
- protected PolicyFile policyFile;
- protected File policyFilePath;
- protected static Properties kdcConfOverlay = new Properties();
-
- protected static boolean haEnabled = false;
- protected static final String ZK_SERVER_PRINCIPAL = "zookeeper/" + SERVER_HOST;
- protected static TestingServer zkServer;
-
- private static File ZKKeytabFile;
-
- protected static boolean webServerEnabled = false;
- protected static int webServerPort = ServerConfig.SENTRY_WEB_PORT_DEFAULT;
- protected static boolean webSecurity = false;
-
- protected static boolean pooled = false;
-
- protected static boolean useSSL = false;
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = true;
- pooled = true;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
- private static void setupKdc() throws Exception {
- startMiniKdc(kdcConfOverlay);
- }
-
- public static void startSentryService() throws Exception {
- server.start();
- final long start = System.currentTimeMillis();
- while(!server.isRunning()) {
- Thread.sleep(1000);
- if(System.currentTimeMillis() - start > 60000L) {
- throw new TimeoutException("Server did not start after 60 seconds");
- }
- }
- }
-
- public void stopSentryService() throws Exception {
- server.stop();
- Thread.sleep(30000);
- }
-
- public static void setupConf() throws Exception {
- if (kerberos) {
- setupKdc();
- kdc = getKdc();
- kdcWorkDir = getWorkDir();
- serverKeytab = new File(kdcWorkDir, "server.keytab");
- clientKeytab = new File(kdcWorkDir, "client.keytab");
- kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL);
- kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
- conf.set(ServerConfig.PRINCIPAL, getServerKerberosName());
- conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath());
- conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_SHORT_NAME);
- conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL,
- getServerKerberosName());
- conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB,
- serverKeytab.getPath());
-
- conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
- conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
- UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, clientKeytab.getPath());
- clientUgi = UserGroupInformation.getLoginUser();
- } else {
- LOGGER.info("Stopped KDC");
- conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
- }
- if (haEnabled) {
- zkServer = getZKServer();
- conf.set(ServerConfig.SENTRY_HA_ENABLED, "true");
- conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_QUORUM, zkServer.getConnectString());
- conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE, "sentry-test-case");
- if (kerberos) {
- conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY, "true");
- }
- }
- if (webServerEnabled) {
- conf.set(ServerConfig.SENTRY_WEB_ENABLE, "true");
- conf.set(ServerConfig.SENTRY_WEB_PORT, String.valueOf(webServerPort));
- if (webSecurity) {
- httpKeytab = new File(kdcWorkDir, "http.keytab");
- kdc.createPrincipal(httpKeytab, HTTP_PRINCIPAL);
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE,
- ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS);
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL, HTTP_PRINCIPAL);
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB, httpKeytab.getPath());
- } else {
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE,
- ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE);
- }
- } else {
- conf.set(ServerConfig.SENTRY_WEB_ENABLE, "false");
- }
- if (pooled) {
- conf.set(ClientConfig.SENTRY_POOL_ENABLED, "true");
- }
- if (useSSL) {
- conf.set(ServerConfig.SENTRY_WEB_USE_SSL, "true");
- conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH,
- Resources.getResource("keystore.jks").getPath());
- conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, "password");
- }
- conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
- conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP);
- conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST);
- conf.set(ServerConfig.RPC_PORT, String.valueOf(0));
- dbDir = new File(Files.createTempDir(), "sentry_policy_db");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
- "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
- server = new SentryServiceFactory().create(conf);
- conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName());
- conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort()));
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
- ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
- }
-
- @Before
- public void before() throws Exception {
- policyFilePath = new File(dbDir, "local_policy_file.ini");
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
- policyFilePath.getPath());
- policyFile = new PolicyFile();
- connectToSentryService();
- }
-
- @After
- public void after() {
- try {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- if (client != null) {
- Set<TSentryRole> tRoles = client.listRoles(ADMIN_USER);
- if (tRoles != null) {
- for (TSentryRole tRole : tRoles) {
- client.dropRole(ADMIN_USER, tRole.getRoleName());
- }
- }
- client.close();
- }
- }
- });
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- } finally {
- policyFilePath.delete();
- }
- }
-
- public void connectToSentryService() throws Exception {
- if (kerberos) {
- client = clientUgi.doAs(new PrivilegedExceptionAction<SentryPolicyServiceClient>() {
- @Override
- public SentryPolicyServiceClient run() throws Exception {
- return SentryServiceClientFactory.create(conf);
- }
- });
- } else {
- client = SentryServiceClientFactory.create(conf);
- }
- }
-
- @AfterClass
- public static void tearDown() throws Exception {
- beforeTeardown();
-
- if(server != null) {
- server.stop();
- }
- if (dbDir != null) {
- FileUtils.deleteQuietly(dbDir);
- }
- stopMiniKdc();
- afterTeardown();
- }
-
- public static String getServerKerberosName() {
- return SERVER_KERBEROS_NAME;
- }
-
- public static void beforeSetup() throws Exception {
-
- }
- public static void afterSetup() throws Exception {
-
- }
- public static void beforeTeardown() throws Exception {
-
- }
- public static void afterTeardown() throws Exception {
-
- }
- protected static void assertOK(TSentryResponseStatus resp) {
- assertStatus(Status.OK, resp);
- }
-
- protected static void assertStatus(Status status, TSentryResponseStatus resp) {
- if (resp.getValue() != status.getCode()) {
- String message = "Expected: " + status + ", Response: " + Status.fromCode(resp.getValue())
- + ", Code: " + resp.getValue() + ", Message: " + resp.getMessage();
- String stackTrace = Strings.nullToEmpty(resp.getStack()).trim();
- if (!stackTrace.isEmpty()) {
- message += ", StackTrace: " + stackTrace;
- }
- Assert.fail(message);
- }
- }
-
- protected void setLocalGroupMapping(String user, Set<String> groupSet) {
- for (String group : groupSet) {
- policyFile.addGroupsToUser(user, group);
- }
- }
-
- protected void writePolicyFile() throws Exception {
- policyFile.write(policyFilePath);
- }
-
- protected static TestingServer getZKServer() throws Exception {
- if (!kerberos) {
- LOGGER.info("Creating a non-security ZooKeeper Server.");
- return new TestingServer();
- } else {
- LOGGER.info("Creating a security ZooKeeper Server.");
- // Not entirely sure exactly what "javax.security.auth.useSubjectCredsOnly=false" does, but it has something to do with
- // re-authenticating in cases where it otherwise wouldn't. One of the sections on this page briefly mentions it:
- // http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html
- System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
-
- // Setup KDC and principal
- kdc = getKdc();
- ZKKeytabFile = new File(kdcWorkDir, "test.keytab");
- kdc.createPrincipal(ZKKeytabFile, ZK_SERVER_PRINCIPAL);
-
- System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
- System.setProperty("zookeeper.kerberos.removeHostFromPrincipal", "true");
- System.setProperty("zookeeper.kerberos.removeRealmFromPrincipal", "true");
-
- JaasConfiguration.addEntryForKeytab("Server", ZK_SERVER_PRINCIPAL, ZKKeytabFile.getAbsolutePath());
- // Here's where we add the "Client" to the jaas configuration, even though we'd like not to
- JaasConfiguration.addEntryForKeytab(HAContext.SENTRY_ZK_JAAS_NAME,
- SERVER_KERBEROS_NAME, serverKeytab.getAbsolutePath());
- javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
-
- System.setProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, "Server");
-
- return new TestingServer();
- }
-
- }
-
- protected void runTestAsSubject(final TestOperation test) throws Exception {
- /*if (false) {
- clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- test.runTestAsSubject();
- return null;
- }});
- } else {
- */ test.runTestAsSubject();
- //}
- }
-
- protected interface TestOperation {
- void runTestAsSubject() throws Exception;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks b/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks
deleted file mode 100644
index 6ac6495..0000000
Binary files a/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks b/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks
deleted file mode 100644
index a6beece..0000000
Binary files a/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties b/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
deleted file mode 100644
index 9766758..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-# Define some default values that can be overridden by system properties.
-#
-# For testing, it may also be convenient to specify
-
-log4j.rootLogger=DEBUG,console
-
-log4j.appender.console=org.apache.log4j.ConsoleAppender
-log4j.appender.console.target=System.err
-log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern=%d (%t) [%p - %l] %m%n
-
-log4j.logger.org.apache.hadoop.conf.Configuration=INFO
-log4j.logger.org.apache.hadoop.metrics2=INFO
-log4j.logger.org.apache.directory=INFO
-log4j.logger.org.apache.directory.api.ldap.model.entry.AbstractValue=WARN
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini b/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini
deleted file mode 100644
index fbbebfc..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini
+++ /dev/null
@@ -1,26 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-groupa = RoLe1
-groupb = rOlE1
-groupc = ROLE2
-
-[roles]
-RoLe1 = collection=*
-rOlE1 = collection=*
-ROLE2 = collection=*
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini b/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini
deleted file mode 100644
index da7df4c..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini
+++ /dev/null
@@ -1,29 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-corporal = corporal_role
-sergeant = corporal_role, sergeant_role
-general = corporal_role, sergeant_role, general_role
-commander_in_chief = corporal_role, sergeant_role, general_role, commander_in_chief_role
-
-[roles]
-corporal_role = collection=info->action=query, \
- collection=info->action=update
-sergeant_role = collection=info->action=update
-general_role = collection=info->action=*
-commander_in_chief_role = collection=*
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini b/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini
deleted file mode 100644
index 03083a7..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini
+++ /dev/null
@@ -1,21 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-
-[roles]
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
deleted file mode 100644
index 6a77827..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
+++ /dev/null
@@ -1,202 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.file;
-
-import static org.apache.sentry.core.common.utils.PolicyFileConstants.DATABASES;
-import static org.apache.sentry.core.common.utils.PolicyFileConstants.GROUPS;
-import static org.apache.sentry.core.common.utils.PolicyFileConstants.ROLES;
-import static org.apache.sentry.core.common.utils.PolicyFileConstants.USERS;
-
-import java.io.File;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Charsets;
-import com.google.common.base.Joiner;
-import com.google.common.collect.ArrayListMultimap;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Multimap;
-import com.google.common.io.Files;
-
-/**
- * PolicyFile creator. Written specifically to be used with tests. Specifically
- * due to the fact that methods that would typically return true or false to
- * indicate success or failure these methods throw an unchecked exception.
- * This is because in a test if you mean to remove a user from the policy file,
- * the user should absolutely be there. If not, the test is mis-behaving.
- */
-@VisibleForTesting
-public class PolicyFile {
-
- private static final Logger LOGGER = LoggerFactory
- .getLogger(PolicyFile.class);
-
- private static final String NL = System.getProperty("line.separator", "\n");
-
- private final Map<String, String> databasesToPolicyFiles = Maps.newHashMap();
- private final Multimap<String, String> usersToGroups = ArrayListMultimap.create();
- private final Multimap<String, String> groupsToRoles = ArrayListMultimap
- .create();
- private final Multimap<String, String> rolesToPermissions = ArrayListMultimap
- .create();
-
- public Multimap<String, String> getGroupsToRoles() {
- return groupsToRoles;
- }
- public Multimap<String, String> getRolesToPermissions() {
- return rolesToPermissions;
- }
- public PolicyFile addRolesToGroup(String groupName, String... roleNames)
- throws Exception {
- return addRolesToGroup(groupName, false, roleNames);
- }
- public PolicyFile addRolesToGroup(String groupName, boolean allowDuplicates, String... roleNames) {
- return add(groupsToRoles.get(groupName), allowDuplicates, roleNames);
- }
- public PolicyFile addPermissionsToRole(String roleName, String... permissionNames) {
- return addPermissionsToRole(roleName, false, permissionNames);
- }
- public PolicyFile addPermissionsToRole(String roleName, boolean allowDuplicates, String... permissionNames) {
- return add(rolesToPermissions.get(roleName), allowDuplicates, permissionNames);
- }
- public PolicyFile addGroupsToUser(String userName, String... groupNames) {
- LOGGER.warn("Static user:group mapping is not being used");
- return addGroupsToUser(userName, false, groupNames);
- }
- public PolicyFile addGroupsToUser(String userName, boolean allowDuplicates, String... groupNames) {
- LOGGER.warn("Static user:group mapping is not being used");
- return add(usersToGroups.get(userName), allowDuplicates, groupNames);
- }
- public PolicyFile setUserGroupMapping(Map<String, String> mapping) {
- for (Entry<String, String> entry : mapping.entrySet()) {
- usersToGroups.put(entry.getKey(), entry.getValue());
- }
- return this;
- }
- public PolicyFile addDatabase(String databaseName, String path) {
- String oldPath = databasesToPolicyFiles.put(databaseName, path);
- if (oldPath != null) {
- throw new IllegalStateException("Database " + databaseName + " already existed in " +
- databasesToPolicyFiles + " with value of " + oldPath);
- }
- databasesToPolicyFiles.put(databaseName, path);
- return this;
- }
- public PolicyFile removeRolesFromGroup(String groupName, String... roleNames) {
- return remove(groupsToRoles.get(groupName), roleNames);
- }
- public PolicyFile removePermissionsFromRole(String roleName, String... permissionNames) {
- return remove(rolesToPermissions.get(roleName), permissionNames);
- }
- public PolicyFile removeGroupsFromUser(String userName, String... groupNames) {
- LOGGER.warn("Static user:group mapping is not being used");
- return remove(usersToGroups.get(userName), groupNames);
- }
- public PolicyFile removeDatabase(String databaseName) {
- if(databasesToPolicyFiles.remove(databaseName) == null) {
- throw new IllegalStateException("Database " + databaseName + " did not exist in " +
- databasesToPolicyFiles);
- }
- return this;
- }
- public PolicyFile copy() {
- PolicyFile other = new PolicyFile();
- other.databasesToPolicyFiles.putAll(databasesToPolicyFiles);
- other.usersToGroups.putAll(usersToGroups);
- other.groupsToRoles.putAll(groupsToRoles);
- other.rolesToPermissions.putAll(rolesToPermissions);
- return other;
- }
-
- public void write(File clientFile, File serverFile) throws Exception {
- write(clientFile);
- write(serverFile);
- }
-
- public void write(File file) throws Exception {
- if(file.exists() && !file.delete()) {
- throw new IllegalStateException("Unable to delete " + file);
- }
- String contents = Joiner.on(NL)
- .join(getSection(DATABASES, databasesToPolicyFiles),
- getSection(USERS, usersToGroups),
- getSection(GROUPS, groupsToRoles),
- getSection(ROLES, rolesToPermissions),
- "");
- LOGGER.info("Writing policy file to " + file + ":\n" + contents);
- Files.write(contents, file, Charsets.UTF_8);
- }
-
- private String getSection(String name, Map<String, String> mapping) {
- if(mapping.isEmpty()) {
- return "";
- }
- Joiner kvJoiner = Joiner.on(" = ");
- List<String> lines = Lists.newArrayList();
- lines.add("[" + name + "]");
- for (Entry<String, String> entry : mapping.entrySet()) {
- lines.add(kvJoiner.join(entry.getKey(), entry.getValue()));
- }
- return Joiner.on(NL).join(lines);
- }
- private String getSection(String name, Multimap<String, String> mapping) {
- if(mapping.isEmpty()) {
- return "";
- }
- Joiner kvJoiner = Joiner.on(" = ");
- Joiner itemJoiner = Joiner.on(" , ");
- List<String> lines = Lists.newArrayList();
- lines.add("[" + name + "]");
- for(String key : mapping.keySet()) {
- lines.add(kvJoiner.join(key, itemJoiner.join(mapping.get(key))));
- }
- return Joiner.on(NL).join(lines);
- }
-
- private PolicyFile remove(Collection<String> exitingItems, String[] newItems) {
- for(String newItem : newItems) {
- if(!exitingItems.remove(newItem)) {
- throw new IllegalStateException("Item " + newItem + " did not exist in " + exitingItems);
- }
- }
- return this;
- }
- private PolicyFile add(Collection<String> exitingItems, boolean allowDuplicates, String[] newItems) {
- for(String newItem : newItems) {
- if(exitingItems.contains(newItem) && !allowDuplicates) {
- throw new IllegalStateException("Item " + newItem + " already exists in " + exitingItems);
- }
- exitingItems.add(newItem);
- }
- return this;
- }
-
- //User:Group mapping for the admin user needs to be set separately
- public static PolicyFile setAdminOnServer1(String admin) throws Exception {
- return new PolicyFile()
- .addRolesToGroup(admin, "admin_role")
- .addPermissionsToRole("admin_role", "server=server1");
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-service/pom.xml b/sentry-service/pom.xml
index bea89e5..ae42d0f 100644
--- a/sentry-service/pom.xml
+++ b/sentry-service/pom.xml
@@ -31,6 +31,7 @@ limitations under the License.
<modules>
<module>sentry-service-common</module>
+ <module>sentry-service-server</module>
</modules>
</project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java b/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
new file mode 100644
index 0000000..ce73358
--- /dev/null
+++ b/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
@@ -0,0 +1,158 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.service.thrift;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+
+import com.google.common.collect.Lists;
+
+public final class SentryServiceUtil {
+
+ // parse the privilege in String and get the TSentryPrivilege as result
+ public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) {
+ TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
+ for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
+ KeyValue tempKV = new KeyValue(authorizable);
+ String key = tempKV.getKey();
+ String value = tempKV.getValue();
+
+ if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setServerName(value);
+ } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setDbName(value);
+ } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setTableName(value);
+ } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setColumnName(value);
+ } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setURI(value);
+ } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
+ tSentryPrivilege.setAction(value);
+ } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) {
+ TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE
+ : TSentryGrantOption.FALSE;
+ tSentryPrivilege.setGrantOption(grantOption);
+ }
+ }
+ tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege));
+ return tSentryPrivilege;
+ }
+
+ /**
+ * Parse the object path from string to map.
+ * @param objectPath the string format as db=db1->table=tbl1
+ * @return Map
+ */
+ public static Map<String, String> parseObjectPath(String objectPath) {
+ Map<String, String> objectMap = new HashMap<String, String>();
+ if (StringUtils.isEmpty(objectPath)) {
+ return objectMap;
+ }
+ for (String kvStr : SentryConstants.AUTHORIZABLE_SPLITTER.split(objectPath)) {
+ KeyValue kv = new KeyValue(kvStr);
+ String key = kv.getKey();
+ String value = kv.getValue();
+
+ if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
+ objectMap.put(PolicyFileConstants.PRIVILEGE_DATABASE_NAME, value);
+ } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
+ objectMap.put(PolicyFileConstants.PRIVILEGE_TABLE_NAME, value);
+ }
+ }
+ return objectMap;
+ }
+
+ // for the different hierarchy for hive:
+ // 1: server->url
+ // 2: server->database->table->column
+ // if both of them are found in the privilege string, the privilege scope will be set as
+ // PrivilegeScope.URI
+ public static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) {
+ PrivilegeScope privilegeScope = PrivilegeScope.SERVER;
+ if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) {
+ privilegeScope = PrivilegeScope.URI;
+ } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) {
+ privilegeScope = PrivilegeScope.COLUMN;
+ } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) {
+ privilegeScope = PrivilegeScope.TABLE;
+ } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) {
+ privilegeScope = PrivilegeScope.DATABASE;
+ }
+ return privilegeScope.toString();
+ }
+
+ // convert TSentryPrivilege to privilege in string
+ public static String convertTSentryPrivilegeToStr(TSentryPrivilege tSentryPrivilege) {
+ List<String> privileges = Lists.newArrayList();
+ if (tSentryPrivilege != null) {
+ String serverName = tSentryPrivilege.getServerName();
+ String dbName = tSentryPrivilege.getDbName();
+ String tableName = tSentryPrivilege.getTableName();
+ String columnName = tSentryPrivilege.getColumnName();
+ String uri = tSentryPrivilege.getURI();
+ String action = tSentryPrivilege.getAction();
+ String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
+ : "false");
+ if (!StringUtils.isEmpty(serverName)) {
+ privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_SERVER_NAME,
+ serverName));
+ if (!StringUtils.isEmpty(uri)) {
+ privileges.add(SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_URI_NAME,
+ uri));
+ } else if (!StringUtils.isEmpty(dbName)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_DATABASE_NAME, dbName));
+ if (!StringUtils.isEmpty(tableName)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_TABLE_NAME, tableName));
+ if (!StringUtils.isEmpty(columnName)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_COLUMN_NAME, columnName));
+ }
+ }
+ }
+ if (!StringUtils.isEmpty(action)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
+ }
+ }
+ // only append the grant option to privilege string if it's true
+ if ("true".equals(grantOption)) {
+ privileges.add(SentryConstants.KV_JOINER.join(
+ PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
+ }
+ }
+ return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
+ }
+
+ private SentryServiceUtil() {
+ // Make constructor private to avoid instantiation
+ }
+
+}
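Review bot: convertToTSentryPrivilege drops any key it does not recognise, because its if/else-if chain has no final branch, so a misspelt authorizable in the privilege string silently yields a broader privilege than the one written. With a constructed input whose table key is mistyped, the table name stays unset and getPrivilegeScope reports DATABASE instead of TABLE. I would fail closed by ending the chain with `else { throw new IllegalArgumentException("Unrecognized privilege key: " + key); }`, unless callers are known to rely on the lenient parse, which this hunk does not show. The same method maps every grant-option value other than "true" to FALSE and, unlike parseObjectPath, has no empty-input guard; a short Javadoc stating both would help the next reader.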
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
index ab0930b..5ec364c 100644
--- a/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ b/sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
@@ -28,6 +28,8 @@ import com.google.common.collect.ImmutableMap;
public class ServiceConstants {
private static final ImmutableMap<String, String> SASL_PROPERTIES;
+ public static final String SENTRY_POLICY_SERVICE_NAME = "SentryPolicyService";
+ public static final String SENTRY_GENERIC_SERVICE_NAME = "SentryGenericPolicyService";
static {
Map<String, String> saslProps = new HashMap<String, String>();
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/pom.xml b/sentry-service/sentry-service-server/pom.xml
new file mode 100644
index 0000000..d327bf6
--- /dev/null
+++ b/sentry-service/sentry-service-server/pom.xml
@@ -0,0 +1,283 @@
+<?xml version="1.0"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service</artifactId>
+ <version>1.8.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>sentry-service-server</artifactId>
+ <name>Sentry Service Server</name>
+
+ <dependencies>
+ <dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-log4j12</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.thrift</groupId>
+ <artifactId>libfb303</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.thrift</groupId>
+ <artifactId>libthrift</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-common</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service-common</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-db</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-kafka</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-search</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-sqoop</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-core-asl</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-mapper-asl</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>javax.jdo</groupId>
+ <artifactId>jdo-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>com.codahale.metrics</groupId>
+ <artifactId>metrics-core</artifactId>
+ <version>${metrics.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.codahale.metrics</groupId>
+ <artifactId>metrics-servlets</artifactId>
+ <version>${metrics.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.codahale.metrics</groupId>
+ <artifactId>metrics-jvm</artifactId>
+ <version>${metrics.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty.aggregate</groupId>
+ <artifactId>jetty-all</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-server</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-servlet</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-provider-db</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hive</groupId>
+ <artifactId>hive-beeline</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.mockito</groupId>
+ <artifactId>mockito-all</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-minikdc</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <sourceDirectory>${basedir}/src/main/java</sourceDirectory>
+ <testSourceDirectory>${basedir}/src/test/java</testSourceDirectory>
+ <resources>
+ <resource>
+ <directory>../../sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model</directory>
+ <includes>
+ <include>package.jdo</include>
+ </includes>
+ </resource>
+ <resource>
+ <directory>${basedir}/src/main</directory>
+ <includes>
+ <include>webapp/*</include>
+ <include>webapp/css/*</include>
+ </includes>
+ </resource>
+ </resources>
+ <plugins>
+ <plugin>
+ <groupId>com.google.code.maven-replacer-plugin</groupId>
+ <artifactId>replacer</artifactId>
+ <version>1.5.2</version>
+ <executions>
+ <execution>
+ <id>replaceTokens</id>
+ <phase>clean</phase>
+ <goals>
+ <goal>replace</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <file>${basedir}/src/main/webapp/SentryService.html</file>
+ <replacements>
+ <replacement>
+ <token>%PROJECT_VERSION%</token>
+ <value>${version}</value>
+ </replacement>
+ </replacements>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-maven-plugin</artifactId>
+ <configuration>
+ <api>JDO</api>
+ <metadataIncludes>**/*.jdo</metadataIncludes>
+ <verbose>true</verbose>
+ </configuration>
+ <executions>
+ <execution>
+ <phase>process-classes</phase>
+ <goals>
+ <goal>enhance</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <executions>
+ <execution>
+ <goals>
+ <goal>test-jar</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <configuration>
+ <reuseForks>false</reuseForks>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+ <profiles>
+ <profile>
+ <id>datanucleus3</id>
+ <activation>
+ <activeByDefault>true</activeByDefault>
+ </activation>
+ <properties>
+ <datanucleus-api-jdo.version>3.2.6</datanucleus-api-jdo.version>
+ <datanucleus-core.version>3.2.12</datanucleus-core.version>
+ <datanucleus-rdbms.version>3.2.12</datanucleus-rdbms.version>
+ </properties>
+ <dependencies>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-core</artifactId>
+ <version>${datanucleus-core.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-api-jdo</artifactId>
+ <version>${datanucleus-api-jdo.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-rdbms</artifactId>
+ <version>${datanucleus-rdbms.version}</version>
+ </dependency>
+ </dependencies>
+ </profile>
+ <profile>
+ <id>datanucleus4</id>
+ <activation>
+ <activeByDefault>false</activeByDefault>
+ </activation>
+ <properties>
+ <datanucleus-api-jdo.version>4.2.1</datanucleus-api-jdo.version>
+ <datanucleus-core.version>4.1.6</datanucleus-core.version>
+ <datanucleus-rdbms.version>4.1.7</datanucleus-rdbms.version>
+ <datanucleus-jdo.version>3.2.0-m3</datanucleus-jdo.version>
+ </properties>
+ <dependencies>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-core</artifactId>
+ <version>${datanucleus-core.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-api-jdo</artifactId>
+ <version>${datanucleus-api-jdo.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>datanucleus-rdbms</artifactId>
+ <version>${datanucleus-rdbms.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.datanucleus</groupId>
+ <artifactId>javax.jdo</artifactId>
+ <version>${datanucleus-jdo.version}</version>
+ </dependency>
+ </dependencies>
+ </profile>
+ </profiles>
+</project>
\ No newline at end of file
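Review bot: The replacer execution is bound to the `clean` phase and its `<file>` is `${basedir}/src/main/webapp/SentryService.html`, so the `%PROJECT_VERSION%` token is rewritten inside the source tree rather than in build output; presumably the tracked file loses the token after the first run and later version changes are no longer substituted. Writing the result under `${project.build.directory}` (the plugin's `<outputFile>` parameter, or ordinary resource filtering) would leave the checked-in file untouched and make the packaged page reproducible from a clean checkout. `${version}` is the deprecated spelling, so I would write `<value>${project.version}</value>`. Separately, the first `<resource>` reaches its own module through `../../sentry-service/sentry-service-server/...`, which appears equivalent to `${basedir}/src/main/java/org/apache/sentry/provider/db/service/model` and would be clearer written that way.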
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java
new file mode 100644
index 0000000..2ff715f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/SentryPolicyStorePlugin.java
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TDropPrivilegesRequest;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TRenamePrivilegesRequest;
+
+public interface SentryPolicyStorePlugin {
+
+ @SuppressWarnings("serial")
+ class SentryPluginException extends SentryUserException {
+ public SentryPluginException(String msg) {
+ super(msg);
+ }
+ public SentryPluginException(String msg, Throwable t) {
+ super(msg, t);
+ }
+ }
+
+ void initialize(Configuration conf, SentryStore sentryStore) throws SentryPluginException;
+
+ void onAlterSentryRoleAddGroups(TAlterSentryRoleAddGroupsRequest tRequest) throws SentryPluginException;
+
+ void onAlterSentryRoleDeleteGroups(TAlterSentryRoleDeleteGroupsRequest tRequest) throws SentryPluginException;
+
+ void onAlterSentryRoleGrantPrivilege(TAlterSentryRoleGrantPrivilegeRequest tRequest) throws SentryPluginException;
+
+ void onAlterSentryRoleRevokePrivilege(TAlterSentryRoleRevokePrivilegeRequest tRequest) throws SentryPluginException;
+
+ void onDropSentryRole(TDropSentryRoleRequest tRequest) throws SentryPluginException;
+
+ void onRenameSentryPrivilege(TRenamePrivilegesRequest request) throws SentryPluginException;
+
+ void onDropSentryPrivilege(TDropPrivilegesRequest request) throws SentryPluginException;
+
+}
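Review bot: The SentryPolicyStorePlugin interface carries no Javadoc, so the contract of its callbacks is left to each implementer: nothing here says whether an `on…` method runs before or after the change is persisted in SentryStore, or what the caller does when one throws SentryPluginException. For the grant and revoke callbacks that matters, since a plugin failure could leave the plugin's view of the policy out of step with the store. I would add a class-level comment describing invocation order and failure handling, and on `initialize` something like `/** Called once before any callback is delivered. */`, with the wording confirmed against the caller, which is outside this hunk. The parameter is named `tRequest` on five methods and `request` on the last two; one name throughout would read better.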