You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by li...@apache.org on 2018/06/26 18:24:21 UTC
sentry git commit: SENTRY-2264: It is possible to elevate privileges
from DROP using alter table rename (Na Li, reviewed by Sergio Pena,
Kalyan Kumar Kalvagadda)
Repository: sentry
Updated Branches:
refs/heads/master 3ae60f6b8 -> 9aeb2e236
SENTRY-2264: It is possible to elevate privileges from DROP using alter table rename (Na Li, reviewed by Sergio Pena, Kalyan Kumar Kalvagadda)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/9aeb2e23
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/9aeb2e23
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/9aeb2e23
Branch: refs/heads/master
Commit: 9aeb2e236045c960aa90eea4a36ff050cc78c1d8
Parents: 3ae60f6
Author: lina.li <li...@cloudera.com>
Authored: Tue Jun 26 13:22:12 2018 -0500
Committer: lina.li <li...@cloudera.com>
Committed: Tue Jun 26 13:22:12 2018 -0500
----------------------------------------------------------------------
.../hive/authz/HiveAuthzPrivilegesMap.java | 2 +-
.../tests/e2e/hive/TestOperationsPart1.java | 92 +++++++++++++++++---
.../tests/e2e/hive/TestOperationsPart2.java | 56 +++++++++---
3 files changed, 125 insertions(+), 25 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/9aeb2e23/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index 4f932ea..9350af0 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -106,7 +106,7 @@ public class HiveAuthzPrivilegesMap {
build();
HiveAuthzPrivileges alterTableRenamePrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
- addInputObjectPriviledge(AuthorizableType.Db, EnumSet.of(DBModelAction.DROP)).
+ addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALL)).
addOutputObjectPriviledge(AuthorizableType.Db, EnumSet.of(DBModelAction.CREATE)).
setOperationScope(HiveOperationScope.DATABASE).
setOperationType(HiveOperationType.DDL).
http://git-wip-us.apache.org/repos/asf/sentry/blob/9aeb2e23/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
index 1e72990..f3edae2 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
@@ -60,6 +60,8 @@ public class TestOperationsPart1 extends AbstractTestWithStaticConfiguration {
privileges.put("create_db2", "server=server1->db=" + DB2 + "->action=create");
privileges.put("all_db1_tb1", "server=server1->db=" + DB1 + "->table=tb1->action=all");
+ privileges.put("create_db1_tb1", "server=server1->db=" + DB1 + "->action=create");
+ privileges.put("drop_db1_tb1", "server=server1->db=" + DB1 + "->action=drop");
privileges.put("select_db1_tb1", "server=server1->db=" + DB1 + "->table=tb1->action=select");
privileges.put("insert_db1_tb1", "server=server1->db=" + DB1 + "->table=tb1->action=insert");
privileges.put("alter_db1_tb1", "server=server1->db=" + DB1 + "->table=tb1->action=alter");
@@ -70,6 +72,7 @@ public class TestOperationsPart1 extends AbstractTestWithStaticConfiguration {
privileges.put("insert_db2_tb2", "server=server1->db=" + DB2 + "->table=tb2->action=insert");
privileges.put("select_db1_view1", "server=server1->db=" + DB1 + "->table=view1->action=select");
privileges.put("create_db1_view1", "server=server1->db=" + DB1 + "->action=create");
+ privileges.put("all_db1_view1", "server=server1->db=" + DB1 + "->action=all");
privileges.put("drop_db1_view1", "server=server1->db=" + DB1 + "->action=drop");
privileges.put("select_db1_tb2", "server=server1->db=" + DB1 + "->table=tb2->action=select");
@@ -605,6 +608,72 @@ public class TestOperationsPart1 extends AbstractTestWithStaticConfiguration {
}
@Test
+ public void testAlterRenameTableWithinDB() throws Exception {
+ adminCreate(DB1, "tb1", true);
+
+ Connection connection;
+ Statement statement;
+ //Setup
+ policyFile
+ .addPermissionsToRole("create_db1", privileges.get("create_db1"))
+ .addPermissionsToRole("all_db1_tb1", privileges.get("all_db1_tb1"))
+ .addRolesToGroup(USERGROUP1, "create_db1", "all_db1_tb1")
+ .addRolesToGroup(USERGROUP2, "create_db1");
+ writePolicyFile(policyFile);
+
+ String command = "ALTER TABLE " + DB1 + ".tb1 RENAME TO " + DB1 + ".tb2";
+
+ //negative test cases
+ connection = context.createConnection(USER2_1);
+ statement = context.createStatement(connection);
+ context.assertSentrySemanticException(statement, command, semanticException);
+ statement.close();
+ connection.close();
+
+ //positive test cases
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+ statement.execute(command);
+ statement.close();
+ connection.close();
+ }
+
+ @Test
+ public void testAlterRenameTableCrossDB() throws Exception {
+ adminCreate(DB1, tableName, true);
+ adminCreate(DB2, null, true);
+
+ Connection connection;
+ Statement statement;
+ //Setup
+ policyFile
+ .addPermissionsToRole("create_db2", privileges.get("create_db2"))
+ .addPermissionsToRole("create_db1_tb1", privileges.get("create_db1_tb1"))
+ .addPermissionsToRole("all_db1_tb1", privileges.get("all_db1_tb1"))
+ .addPermissionsToRole("select_db1_tb1", privileges.get("select_db1_tb1"))
+ .addRolesToGroup(USERGROUP1, "create_db2", "all_db1_tb1")
+ .addRolesToGroup(USERGROUP2, "create_db2", "select_db1_tb1");
+ writePolicyFile(policyFile);
+
+ String command = "ALTER TABLE " + DB1 + ".tb1 RENAME TO " + DB2 + ".tb2";
+
+ //negative test cases
+ connection = context.createConnection(USER2_1);
+ statement = context.createStatement(connection);
+ context.assertSentrySemanticException(statement, command, semanticException);
+ statement.close();
+ connection.close();
+
+ //positive test cases
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+ statement.execute(command);
+ statement.close();
+ connection.close();
+ }
+
+
+ @Test
public void testAlterRenameView() throws Exception {
adminCreate(DB1, tableName, true);
@@ -618,29 +687,28 @@ public class TestOperationsPart1 extends AbstractTestWithStaticConfiguration {
policyFile
.addPermissionsToRole("create_db1_view1", privileges.get("create_db1_view1"))
- .addPermissionsToRole("drop_db1_view1", privileges.get("drop_db1_view1"))
+ .addPermissionsToRole("all_db1_view1", privileges.get("all_db1_view1"))
.addPermissionsToRole("create_db1", privileges.get("create_db1"))
- .addRolesToGroup(USERGROUP1, "create_db1", "create_db1_view1", "drop_db1_view1")
- .addPermissionsToRole("select_db1_view1", privileges.get("select_db1_view1"))
.addPermissionsToRole("select_db1_tb1", privileges.get("select_db1_tb1"))
- .addRolesToGroup(USERGROUP2, "select_db1_tb1", "create_db1", "select_db1_view1");
+ .addPermissionsToRole("select_db1_view1", privileges.get("select_db1_view1"))
+ .addRolesToGroup(USERGROUP1, "create_db1", "all_db1_view1")
+ .addRolesToGroup(USERGROUP2, "create_db1", "select_db1_tb1", "select_db1_view1");
writePolicyFile(policyFile);
- //positive test cases
- connection = context.createConnection(USER1_1);
+ //negative test cases
+ connection = context.createConnection(USER2_1);
statement = context.createStatement(connection);
statement.execute("Use " + DB1);
- statement.execute("ALTER VIEW view1 RENAME TO view2");
+ context.assertSentrySemanticException(statement, "ALTER VIEW view1 RENAME TO view2",
+ semanticException);
statement.close();
connection.close();
- //negative test cases
- connection = context.createConnection(USER2_1);
+ //positive test cases
+ connection = context.createConnection(USER1_1);
statement = context.createStatement(connection);
statement.execute("Use " + DB1);
- statement.execute("CREATE VIEW view1 AS SELECT * FROM tb1");
- context.assertSentrySemanticException(statement, "ALTER VIEW view1 RENAME TO view2",
- semanticException);
+ statement.execute("ALTER VIEW view1 RENAME TO view2");
statement.close();
connection.close();
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/9aeb2e23/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
index cf89b5d..8bcc013 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
@@ -256,7 +256,7 @@ public class TestOperationsPart2 extends AbstractTestWithStaticConfiguration {
1. HiveOperation.ALTERTABLE_RENAME
*/
@Test
- public void renameTable() throws Exception {
+ public void renameTablePositive() throws Exception {
adminCreate(DB1, "TAB_1");
adminCreate(DB2, "TAB_3");
adminCreate(DB3, null);
@@ -270,9 +270,50 @@ public class TestOperationsPart2 extends AbstractTestWithStaticConfiguration {
.addRolesToGroup(USERGROUP1, "all_db1")
.addRolesToGroup(USERGROUP1, "drop_db2")
.addRolesToGroup(USERGROUP1, "create_db3")
- .addPermissionsToRole("all_db1", "server=server1->db=" + DB1)
+ .addRolesToGroup(USERGROUP1, "all_db2_table3")
+ .addPermissionsToRole("all_db1", "server=server1->db=" + DB1 + "->action=all")
.addPermissionsToRole("drop_db2", "server=server1->db=" + DB2 + "->action=drop")
.addPermissionsToRole("create_db3", "server=server1->db=" + DB3 + "->action=create")
+ .addPermissionsToRole("all_db2_table3", "server=server1->db=" + DB2 + "->table=TAB_3" + "->action=all")
+ .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ writePolicyFile(policyFile);
+
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+
+ // user1 have all permission with db_1 and create permission with db_3, alter_table_rename pass
+ exec(statement, "use " + DB1);
+ exec(statement, "alter table TAB_1 rename to " + DB3 + ".TAB_1");
+ exec(statement, "alter table " + DB1 + ".TAB_2 rename to " + DB3 + ".TAB_2");
+
+ // user1 have all permission with db_2.tab_3 and create permission with db_3, alter_table_rename pass
+ exec(statement, "use " + DB2);
+ exec(statement, "alter table TAB_3 rename to " + DB3 + ".TAB_3");
+ }
+
+ /*
+ 1. HiveOperation.ALTERTABLE_RENAME
+ */
+ @Test
+ public void renameTableNegative() throws Exception {
+ adminCreate(DB1, "TAB_1");
+ adminCreate(DB2, "TAB_3");
+ adminCreate(DB3, "TAB_3");
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+ exec(statement, "CREATE table " + DB1 + ".TAB_2 (a string)");
+ statement.close();
+ connection.close();
+
+ policyFile
+ .addRolesToGroup(USERGROUP1, "all_db1")
+ .addRolesToGroup(USERGROUP1, "drop_db2")
+ .addRolesToGroup(USERGROUP1, "create_db3")
+ .addRolesToGroup(USERGROUP1, "all_db2_table3")
+ .addPermissionsToRole("all_db1", "server=server1->db=" + DB1 + "->action=all")
+ .addPermissionsToRole("drop_db2", "server=server1->db=" + DB2 + "->action=drop")
+ .addPermissionsToRole("create_db3", "server=server1->db=" + DB3 + "->action=create")
+ .addPermissionsToRole("all_db2_table3", "server=server1->db=" + DB2 + "->table=TAB_3" + "->action=all")
.setUserGroupMapping(StaticUserGroup.getStaticMapping());
writePolicyFile(policyFile);
@@ -310,16 +351,7 @@ public class TestOperationsPart2 extends AbstractTestWithStaticConfiguration {
// ignore the exception
}
- // user1 have all permission with db_1 and create permission with db_3, alter_table_rename pass
- exec(statement, "use " + DB1);
- exec(statement, "alter table TAB_1 rename to " + DB3 + ".TAB_1");
- exec(statement, "alter table " + DB1 + ".TAB_2 rename to " + DB3 + ".TAB_2");
-
- // user1 have drop permission with db_2 and create permission with db_3, alter_table_rename pass
- exec(statement, "use " + DB2);
- exec(statement, "alter table TAB_3 rename to " + DB3 + ".TAB_3");
-
- // user1 haven't drop permission with db_3, can't move table to db_3
+ // user1 does not have all permission with db_3.tab_3, cannot move table to db_3.tab_4
exec(statement, "use " + DB3);
try {
exec(statement, "alter table TAB_3 rename to TAB_4");