Posted to commits@sentry.apache.org by br...@apache.org on 2014/02/25 03:52:44 UTC
[01/26] git commit: SENTRY-71: Solr Update authorization tests for
Sentry (Vamsee Yarlagadda via Gregory Chanan)
Repository: incubator-sentry
Updated Branches:
refs/heads/db_policy_store 22b6a3480 -> 15c6b4bcf
SENTRY-71: Solr Update authorization tests for Sentry (Vamsee Yarlagadda via Gregory Chanan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/5601cdd1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/5601cdd1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/5601cdd1
Branch: refs/heads/db_policy_store
Commit: 5601cdd18c4a89b468c1c0cdde3b68fbabf28ceb
Parents: b9aa0b7
Author: Gregory Chanan <gc...@cloudera.com>
Authored: Mon Dec 23 15:44:01 2013 -0800
Committer: Gregory Chanan <gc...@cloudera.com>
Committed: Mon Dec 23 15:44:01 2013 -0800
----------------------------------------------------------------------
sentry-tests/sentry-tests-solr/pom.xml | 15 +-
.../e2e/solr/AbstractSolrSentryTestBase.java | 335 ++++++++++++++++++-
.../e2e/solr/JunitAuthenticationFilter.java | 55 ---
.../ModifiableUserAuthenticationFilter.java | 68 ++++
.../e2e/solr/TestSimpleUpdatePositiveTest.java | 44 ---
.../tests/e2e/solr/TestUpdateOperations.java | 79 +++++
.../solr/sentry/test-authz-provider.ini | 35 +-
7 files changed, 521 insertions(+), 110 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5601cdd1/sentry-tests/sentry-tests-solr/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/pom.xml b/sentry-tests/sentry-tests-solr/pom.xml
index 23a2ec5..3f0fa2d 100644
--- a/sentry-tests/sentry-tests-solr/pom.xml
+++ b/sentry-tests/sentry-tests-solr/pom.xml
@@ -18,14 +18,22 @@ limitations under the License.
<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<modelVersion>4.0.0</modelVersion>
+
<parent>
<groupId>org.apache.sentry</groupId>
<artifactId>sentry-tests</artifactId>
<version>1.3.0-incubating-SNAPSHOT</version>
</parent>
+
<artifactId>sentry-tests-solr</artifactId>
<name>Sentry Solr Tests</name>
<description>end to end tests for sentry-solr integration</description>
+
+ <properties>
+ <lucene-junit.version>4.10</lucene-junit.version>
+ <carrot-search.version>2.0.10</carrot-search.version>
+ </properties>
+
<dependencies>
<dependency>
<groupId>org.apache.solr</groupId>
@@ -46,7 +54,12 @@ limitations under the License.
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
- <version>4.10</version> <!-- required for LuceneTestCase -->
+ <version>${lucene-junit.version}</version> <!-- required for LuceneTestCase -->
+ </dependency>
+ <dependency>
+ <groupId>com.carrotsearch.randomizedtesting</groupId>
+ <artifactId>randomizedtesting-runner</artifactId>
+ <version>${carrot-search.version}</version>
</dependency>
</dependencies>
</project>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5601cdd1/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
index 52fcecf..c0abd28 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
@@ -18,7 +18,11 @@ package org.apache.sentry.tests.e2e.solr;
import java.io.File;
import java.io.IOException;
+import java.net.MalformedURLException;
+import java.util.Arrays;
import java.util.Comparator;
+import java.util.List;
+import java.util.Random;
import java.util.SortedMap;
import java.util.TreeMap;
@@ -27,11 +31,17 @@ import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.solr.SolrTestCaseJ4;
+import org.apache.solr.client.solrj.SolrQuery;
import org.apache.solr.client.solrj.impl.CloudSolrServer;
+import org.apache.solr.client.solrj.response.QueryResponse;
import org.apache.solr.cloud.AbstractFullDistribZkTestBase;
import org.apache.solr.cloud.ZkController;
+import org.apache.solr.common.SolrDocument;
+import org.apache.solr.common.SolrDocumentList;
+import org.apache.solr.common.SolrInputDocument;
import org.apache.solr.servlet.SolrDispatchFilter;
+import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
@@ -41,8 +51,11 @@ import org.slf4j.LoggerFactory;
public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTestBase {
private static final Logger LOG = LoggerFactory.getLogger(AbstractSolrSentryTestBase.class);
+ protected static final String SENTRY_ERROR_MSG = "401, message:Unauthorized";
private static MiniDFSCluster dfsCluster;
private static SortedMap<Class, String> extraRequestFilters;
+ protected static final String ADMIN_USER = "admin";
+ protected static final Random RANDOM = new Random();
private static void addPropertyToSentry(StringBuilder builder, String name, String value) {
builder.append("<property>\n");
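Review bot: `RANDOM = new Random()` is self-seeded, so the document ids it produces cannot be replayed from the test framework's seed when an authorization run fails. Later in this file the class already uses the framework's `random()` in getCloudSolrServer, and using the same source for ids would keep a failing run reproducible. Consider dropping the field and generating the id with `String.valueOf(random().nextInt())`. The class body continues outside this hunk.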
@@ -92,7 +105,7 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
return true;
}
});
- extraRequestFilters.put(JunitAuthenticationFilter.class, "*");
+ extraRequestFilters.put(ModifiableUserAuthenticationFilter.class, "*");
}
@AfterClass
@@ -104,17 +117,23 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
extraRequestFilters = null;
}
- @Override
- protected String getDataDir(String dataDir) throws IOException {
- return HdfsTestUtil.getDataDir(dfsCluster, dataDir);
- }
-
@Before
- @Override
- public void setUp() throws Exception {
- super.setUp();
+ public void setupBeforeTest() throws Exception {
System.setProperty("numShards", Integer.toString(sliceCount));
System.setProperty("solr.xml.persist", "true");
+ super.setUp();
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ super.tearDown();
+ System.clearProperty("numShards");
+ System.clearProperty("solr.xml.persist");
+ }
+
+ @Override
+ protected String getDataDir(String dataDir) throws IOException {
+ return HdfsTestUtil.getDataDir(dfsCluster, dataDir);
}
@Override
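Review bot: The added tearDown() clears `numShards` and `solr.xml.persist` only when `super.tearDown()` returns normally, so a failed cluster shutdown leaves both system properties set for whatever runs next in the same JVM. Wrapping it as `try { super.tearDown(); } finally { System.clearProperty("numShards"); System.clearProperty("solr.xml.persist"); }` avoids that, and the method should carry `@Override` since it calls the parent's method of the same name. setupBeforeTest() no longer overrides setUp(); if the parent's setUp() is itself annotated `@Before` (not visible here), it would now run twice per test, which is worth confirming.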
@@ -133,6 +152,304 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
}
/**
+ * Set the proper user in the Solr authentication filter
+ * @param solrUser
+ */
+ protected void setAuthenticationUser(String solrUser) throws Exception {
+ ModifiableUserAuthenticationFilter.setUser(solrUser);
+ }
+
+ /**
+ * Function to return the user name based on the permissions provided.
+ * @param collectionName - Name of the solr collection.
+ * @param isQuery - Boolean that specifies query permission.
+ * @param isUpdate - Boolean that specifies update permission.
+ * @param isAll - Boolean that specifies all permission.
+ * @return - String which represents the Solr username.
+ */
+ protected String getUsernameForPermissions(String collectionName,
+ boolean isQuery,
+ boolean isUpdate,
+ boolean isAll) {
+ StringBuilder finalStr = new StringBuilder();
+ finalStr.append(collectionName);
+ finalStr.append("_");
+ StringBuilder permissions = new StringBuilder();
+ if (isQuery) {
+ permissions.append("q");
+ }
+
+ if (isUpdate) {
+ permissions.append("u");
+ }
+
+ if (isAll) {
+ permissions.append("a");
+ }
+
+ finalStr.append(permissions.toString());
+ return finalStr.toString();
+ }
+
+ /**
+ * Method to validate Solr update passes
+ * @param solrUserName - User authenticated into Solr
+ * @param collectionName - Name of the collection to which the data has to be updated
+ * @param solrInputDoc - Instance of SolrInputDocument
+ * @throws Exception
+ */
+ protected void verifyUpdatePass(String solrUserName,
+ String collectionName,
+ SolrInputDocument solrInputDoc)
+ throws Exception {
+ int originalSolrDocCount = getSolrDocs(collectionName).size();
+ setAuthenticationUser(solrUserName);
+ CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ try {
+ cloudSolrServer.add(solrInputDoc);
+ cloudSolrServer.commit();
+ } finally {
+ cloudSolrServer.shutdown();
+ }
+
+ // Validate Solr content to check whether the update command went through.
+ // Authenticate as user "admin"
+ validateSolrDocCountAndContent(collectionName, originalSolrDocCount+1, solrInputDoc);
+ }
+
+ /**
+ * Method to validate Solr update fails
+ * @param solrUserName - User authenticated into Solr
+ * @param collectionName - Name of the collection to which the data has to be updated
+ * @param solrInputDoc - Instance of SolrInputDocument
+ * @throws Exception
+ */
+ protected void verifyUpdateFail(String solrUserName,
+ String collectionName,
+ SolrInputDocument solrInputDoc)
+ throws Exception {
+ int originalSolrDocCount = getSolrDocs(collectionName).size();
+ setAuthenticationUser(solrUserName);
+ CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ try {
+ cloudSolrServer.add(solrInputDoc);
+ cloudSolrServer.commit();
+ fail("The specified user: " + solrUserName + " shouldn't get update access!");
+ } catch (Exception exception) {
+ assertTrue("Expected " + SENTRY_ERROR_MSG + " in " + exception.toString(),
+ exception.toString().contains(SENTRY_ERROR_MSG));
+ } finally {
+ cloudSolrServer.shutdown();
+ }
+
+ // Validate Solr content to check whether the update command didn't go through.
+ // Authenticate as user "admin"
+ validateSolrDocCountAndContent(collectionName, originalSolrDocCount, null);
+ }
+
+ /**
+ * Method to validate Solr deletedocs passes
+ * (This function doesn't check if there is at least one Solr document present in Solr)
+ * @param solrUserName - User authenticated into Solr
+ * @param collectionName - Name of the collection to which the data has to be updated
+ * @param allowZeroDocs - Boolean for running this method only if there is atleast one Solr doc present.
+ * @throws MalformedURLException, SolrServerException, IOException
+ */
+ protected void verifyDeletedocsPass(String solrUserName,
+ String collectionName, boolean allowZeroDocs)
+ throws Exception {
+ int originalSolrDocCount = getSolrDocs(collectionName).size();
+ if (allowZeroDocs == false) {
+ assertTrue("Solr should contain atleast one solr doc to run this test.", originalSolrDocCount > 0);
+ }
+
+ setAuthenticationUser(solrUserName);
+ CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ try {
+ cloudSolrServer.deleteByQuery("*:*");
+ cloudSolrServer.commit();
+ } finally {
+ cloudSolrServer.shutdown();
+ }
+
+ // Validate Solr content to check whether the update command didn't go through.
+ // Authenticate as user "admin"
+ validateSolrDocCountAndContent(collectionName, 0, null);
+ }
+
+ /**
+ * Method to validate Solr deletedocs fails
+ * (This function doesn't check if there is at least one Solr document present in Solr)
+ * @param solrUserName - User authenticated into Solr
+ * @param collectionName - Name of the collection to which the data has to be updated
+ * @param allowZeroDocs - Boolean for running this method only if there is atleast one Solr doc present.
+ * @throws Exception
+ */
+ protected void verifyDeletedocsFail(String solrUserName,
+ String collectionName, boolean allowZeroDocs)
+ throws Exception {
+ int originalSolrDocCount = getSolrDocs(collectionName).size();
+ if (allowZeroDocs == false) {
+ assertTrue("Solr should contain atleast one solr doc to run this test.", originalSolrDocCount > 0);
+ }
+
+ setAuthenticationUser(solrUserName);
+ CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ try {
+ cloudSolrServer.deleteByQuery("*:*");
+ cloudSolrServer.commit();
+ fail("The specified user: " + solrUserName + " shouldn't get deletedocs access!");
+ } catch (Exception exception) {
+ assertTrue("Expected " + SENTRY_ERROR_MSG + " in " + exception.toString(),
+ exception.toString().contains(SENTRY_ERROR_MSG));
+ } finally {
+ cloudSolrServer.shutdown();
+ }
+
+ // Validate Solr content to check whether the deletedocs command didn't go through.
+ // Authenticate as user "admin"
+ validateSolrDocCountAndContent(collectionName, originalSolrDocCount, null);
+ }
+
+ /**
+ * Function to verify whether Solr doc count matches the expected number and
+ * also to verify if the Input document is present in present in the response.
+ * @param collectionName - Name of the Solr collection
+ * @param expectedDocCount - Count of expected Solr docs
+ * @param solrInputDoc - Solr doc inserted into Solr
+ * @throws Exception
+ */
+ public void validateSolrDocCountAndContent(String collectionName, int expectedDocCount, SolrInputDocument solrInputDoc)
+ throws Exception {
+ // Authenticate as user "admin"
+ setAuthenticationUser(ADMIN_USER);
+ SolrDocumentList solrRespDocs = getSolrDocs(collectionName);
+ assertEquals("Expected: " + expectedDocCount + " Solr docs; But, found "
+ + solrRespDocs.size() + " Solr docs.", solrRespDocs.size(), expectedDocCount);
+ if (solrInputDoc != null) {
+ validateSolrDocContent(solrInputDoc, solrRespDocs);
+ }
+ }
+
+ /**
+ * Function to query the collection and fetch the Solr docs
+ * @param collectionName - Name of the collection
+ * @return - Instance of SolrDocumentList
+ * @throws Exception
+ */
+ protected SolrDocumentList getSolrDocs(String collectionName) throws Exception {
+ // Authenticate as user "admin"
+ setAuthenticationUser(ADMIN_USER);
+ CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ SolrDocumentList solrDocs = null;
+ try {
+ SolrQuery query = new SolrQuery("*:*");
+ QueryResponse response = cloudSolrServer.query(query);
+ solrDocs = response.getResults();
+ } finally {
+ cloudSolrServer.shutdown();
+ }
+
+ return solrDocs;
+ }
+
+ /**
+ * Function to validate the content of Solr response with that of input document.
+ * @param solrInputDoc - Solr doc inserted into Solr
+ * @param solrRespDocs - List of Solr doc obtained as response
+ * (NOTE: This function ignores "_version_" field in validating Solr doc content)
+ */
+ public void validateSolrDocContent(SolrInputDocument solrInputDoc, SolrDocumentList solrRespDocs) {
+ solrInputDoc.removeField("_version_");
+ for (SolrDocument solrRespDoc : solrRespDocs) {
+ solrRespDoc.removeFields("_version_");
+ String expFieldValue = (String) solrInputDoc.getFieldValue("id");
+ String resFieldValue = (String) solrRespDoc.getFieldValue("id");
+ if (expFieldValue.equals(resFieldValue)) {
+ assertEquals("Expected " + solrInputDoc.size() + " fields. But, found "
+ + solrRespDoc.size() + " fields", solrInputDoc.size() , solrRespDoc.size());
+ for (String field : solrInputDoc.getFieldNames()) {
+ expFieldValue = (String) solrInputDoc.getFieldValue(field);
+ resFieldValue = (String) solrRespDoc.getFieldValue(field);
+ assertEquals("Expected value for field: " + field + " is " + expFieldValue
+ + "; But, found " + resFieldValue, expFieldValue, resFieldValue);
+ }
+
+ return;
+ }
+ }
+
+ fail("Solr doc not found in Solr collection");
+ }
+
+ /**
+ * Function to return the instance of CloudSolrServer for the collectionName specified
+ * @param collectionName - Name of the collection
+ * @return instance of CloudSolrServer
+ * @throws MalformedURLException
+ */
+ protected CloudSolrServer getCloudSolrServer(String collectionName) throws MalformedURLException {
+ CloudSolrServer cloudSolrServer = new CloudSolrServer(zkServer.getZkAddress(),
+ random().nextBoolean());
+ cloudSolrServer.setDefaultCollection(collectionName);
+ cloudSolrServer.connect();
+ return cloudSolrServer;
+ }
+
+ /**
+ * Function to create a solr collection with the name passed as parameter
+ * (Runs commands as ADMIN user)
+ * @param collectionName - Name of the collection
+ * @throws Exception
+ */
+ protected void setupCollection(String collectionName) throws Exception {
+ // Authenticate as user "admin"
+ setAuthenticationUser(ADMIN_USER);
+ uploadConfigDirToZk(getSolrHome() + File.separator + DEFAULT_COLLECTION
+ + File.separator + "conf");
+ createCollection(collectionName, 1, 1, 1);
+ waitForRecoveriesToFinish(collectionName, false);
+ }
+
+ /**
+ * Function to clean Solr collections
+ * @param collectionName - Name of the collection
+ * @throws Exception
+ */
+ protected void cleanSolrCollection(String collectionName)
+ throws Exception {
+ verifyDeletedocsPass(ADMIN_USER, collectionName, true);
+ }
+
+ /**
+ * Function to create a test Solrdoc with a random number as the ID
+ * @throws Exception
+ */
+ protected SolrInputDocument createSolrTestDoc() throws Exception {
+ SolrInputDocument solrInputDoc = new SolrInputDocument();
+ String solrDocId = String.valueOf(RANDOM.nextInt());
+ solrInputDoc.addField("id", solrDocId);
+ solrInputDoc.addField("name", "testdoc" + solrDocId);
+ return solrInputDoc;
+ }
+
+ /**
+ * Load Solr collection with the SolrDocument passed.
+ * @param collectionName - Name of the Solr collection
+ * @param solrInputDoc - Solr document to be uploaded
+ * (If solrInputDoc is null, then a test Solr doc will be uploaded)
+ * @throws Exception
+ */
+ protected void uploadSolrDoc(String collectionName,
+ SolrInputDocument solrInputDoc) throws Exception {
+ if (solrInputDoc == null) {
+ solrInputDoc = createSolrTestDoc();
+ }
+
+ verifyUpdatePass(ADMIN_USER, collectionName, solrInputDoc);
+ }
+
+ /**
* Subclasses can override this to change a test's solr home
* (default is in test-files)
*/
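Review bot: The count checks in verifyUpdateFail and verifyDeletedocsFail rely on `getSolrDocs(collectionName).size()`, which is the number of documents returned by the `*:*` query rather than the number that matched. Unless the handler raises the default row limit, that value stops growing once the page is full, so a denied update that was in fact indexed could go unnoticed on a larger collection. `SolrDocumentList.getNumFound()` gives the total, e.g. `assertEquals("...", expectedDocCount, solrRespDocs.getNumFound());` in validateSolrDocCountAndContent, which also puts the expected value first (the current call passes the actual size in the expected slot). The comment above the last check in verifyDeletedocsPass says the command "didn't go through" while the call asserts zero documents; it should say the delete took effect. The hunk ends inside the Javadoc of a method that is not shown.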
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5601cdd1/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/JunitAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/JunitAuthenticationFilter.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/JunitAuthenticationFilter.java
deleted file mode 100644
index 7e2690f..0000000
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/JunitAuthenticationFilter.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.tests.e2e.solr;
-
-import java.io.IOException;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import org.apache.solr.servlet.SolrHadoopAuthenticationFilter;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Authentication Filter that authenticates any request as user "junit"
- */
-public class JunitAuthenticationFilter implements Filter {
- private static final Logger LOG = LoggerFactory
- .getLogger(JunitAuthenticationFilter.class);
- private static final String userName = "junit";
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- }
-
- @Override
- public void destroy() {
- }
-
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
- HttpServletRequest httpRequest = (HttpServletRequest) request;
- httpRequest.setAttribute(SolrHadoopAuthenticationFilter.USER_NAME, userName);
- chain.doFilter(request, response);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5601cdd1/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
new file mode 100644
index 0000000..9f550c4
--- /dev/null
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.solr;
+
+import java.io.IOException;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.solr.servlet.SolrHadoopAuthenticationFilter;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Authentication Filter that authenticates any request as user "junit"
+ */
+public class ModifiableUserAuthenticationFilter implements Filter {
+ private static final Logger LOG = LoggerFactory
+ .getLogger(ModifiableUserAuthenticationFilter.class);
+
+ /**
+ * String that saves the user to be authenticated into Solr
+ */
+ private static String userName = "admin";
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ @Override
+ public void destroy() {
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain chain) throws IOException, ServletException {
+ HttpServletRequest httpRequest = (HttpServletRequest) request;
+ httpRequest.setAttribute(SolrHadoopAuthenticationFilter.USER_NAME, userName);
+ chain.doFilter(request, response);
+ }
+
+ /**
+ * Function to set the userName with the corresponding user passed as parameter
+ * @param solrUser
+ */
+ public static void setUser(String solrUser) {
+ userName = solrUser;
+ }
+}
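Review bot: `userName` is a plain static field written through setUser() by the test thread and read in doFilter(), presumably on the servlet container's request threads, with nothing establishing visibility between them. A stale read would let a request run under the previous identity (for example `admin`), so an authorization check could pass or fail for the wrong user. Declaring it `private static volatile String userName = "admin";` is enough for this use. The class Javadoc still says every request is authenticated as "junit"; it should say that the filter asserts whichever user was last passed to setUser(), defaults to `admin`, performs no credential check, and is meant for tests only.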
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5601cdd1/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestSimpleUpdatePositiveTest.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestSimpleUpdatePositiveTest.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestSimpleUpdatePositiveTest.java
deleted file mode 100644
index c5174b6..0000000
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestSimpleUpdatePositiveTest.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.tests.e2e.solr;
-
-import java.io.File;
-import org.apache.solr.client.solrj.impl.CloudSolrServer;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
-
-@ThreadLeakScope(Scope.NONE) // hdfs client currently leaks thread(s)
-public class TestSimpleUpdatePositiveTest extends AbstractSolrSentryTestBase {
- private static final Logger LOG = LoggerFactory.getLogger(TestSimpleUpdatePositiveTest.class);
-
- /**
- * Solr-sentry positive test on updates
- */
- @Override
- public void doTest() throws Exception {
- uploadConfigDirToZk(getSolrHome() + File.separator + DEFAULT_COLLECTION
- + File.separator + "conf");
- createCollection(DEFAULT_COLLECTION, 1, 1, 1);
- waitForRecoveriesToFinish(DEFAULT_COLLECTION, false);
- CloudSolrServer cloudServer = getCommonCloudSolrServer();
- cloudServer.deleteByQuery("*:*");
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5601cdd1/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
new file mode 100644
index 0000000..131fa2c
--- /dev/null
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.solr;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
+import java.util.ArrayList;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.solr.common.SolrInputDocument;
+
+@ThreadLeakScope(Scope.NONE) // hdfs client currently leaks thread(s)
+public class TestUpdateOperations extends AbstractSolrSentryTestBase {
+ private static final Logger LOG = LoggerFactory
+ .getLogger(TestUpdateOperations.class);
+ private static final String COLLECTION_NAME = "sentryCollection";
+ private static final List<Boolean> BOOLEAN_VALUES = Arrays.asList(new Boolean[]{true, false});
+
+ @Override
+ public void doTest() throws Exception {
+ setupCollection(COLLECTION_NAME);
+ ArrayList<String> testFailures = new ArrayList<String>();
+
+ for (boolean query : BOOLEAN_VALUES) {
+ for (boolean update : BOOLEAN_VALUES) {
+ for (boolean all : BOOLEAN_VALUES) {
+ // Create user name to be used for Solr requests based on the permissions generated by the for-loop.
+ String test_user = getUsernameForPermissions(COLLECTION_NAME, query, update, all);
+ LOG.info("TEST_USER: " + test_user);
+
+ try {
+ if (all || update) {
+ cleanSolrCollection(COLLECTION_NAME);
+ SolrInputDocument solrInputDoc = createSolrTestDoc();
+ verifyUpdatePass(test_user, COLLECTION_NAME, solrInputDoc);
+
+ cleanSolrCollection(COLLECTION_NAME);
+ uploadSolrDoc(COLLECTION_NAME, null);
+ verifyDeletedocsPass(test_user, COLLECTION_NAME, false);
+ } else {
+ cleanSolrCollection(COLLECTION_NAME);
+ SolrInputDocument solrInputDoc = createSolrTestDoc();
+ verifyUpdateFail(test_user, COLLECTION_NAME, solrInputDoc);
+
+ cleanSolrCollection(COLLECTION_NAME);
+ uploadSolrDoc(COLLECTION_NAME, null);
+ verifyDeletedocsFail(test_user, COLLECTION_NAME, false);
+ }
+ } catch (Throwable testException) {
+ testFailures.add("\n\nTestFailure: User -> " + test_user + "\n"
+ + testException.toString());
+ }
+ }
+ }
+ }
+
+ assertEquals("Total test failures: " + testFailures.size() + " \n\n"
+ + testFailures.toString(), 0, testFailures.size());
+ }
+}
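Review bot: The iteration with query, update and all set to false builds the user name `sentryCollection_`, which has no entry under `[users]` in test-authz-provider.ini as changed by this commit. That pass therefore checks rejection of an unmapped user rather than of a known user without update rights. A comment on the loop should say so, e.g. `// all-false yields "sentryCollection_", an unmapped user; denial is still expected`. Separately, `catch (Throwable testException)` keeps only `toString()`, so the stack trace of a failed authorization check is lost; `LOG.error("TestFailure: User -> " + test_user, testException);` before the `add` would retain it.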
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5601cdd1/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
index 34926ae..f988eae 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
@@ -17,9 +17,42 @@
[groups]
junit = junit_role
+admin = admin_role
+sentry_collection_query_group = sentry_collection_query_role
+sentry_collection_update_group = sentry_collection_update_role
+sentry_collection_query_update_group = sentry_collection_query_update_role
+sentry_collection_all_group = sentry_collection_all_role
+admin_query_group = admin_query_role
+admin_update_group = admin_update_role
+admin_query_update_group = admin_query_update_role
+admin_all_group = admin_all_role
[roles]
junit_role = collection=admin, collection=collection1
+admin_role = collection=admin, collection=collection1, collection=sentryCollection
+sentry_collection_query_role = collection=sentryCollection->action=query
+sentry_collection_update_role = collection=sentryCollection->action=update
+sentry_collection_query_update_role = collection=sentryCollection->action=query, collection=sentryCollection->action=update
+sentry_collection_all_role = collection=sentryCollection->action=*
+admin_query_role = collection=admin->action=query
+admin_update_role = collection=admin->action=update
+admin_query_update_role = collection=admin->action=query, collection=admin->action=update
+admin_all_role = collection=admin->action=*
[users]
-junit=junit
+junit = junit
+admin = admin
+sentryCollection_q = sentry_collection_query_group
+sentryCollection_u = sentry_collection_update_group
+sentryCollection_a = sentry_collection_all_group
+sentryCollection_qu = sentry_collection_query_update_group
+sentryCollection_ua = sentry_collection_update_group, sentry_collection_all_group
+sentryCollection_qa = sentry_collection_query_group, sentry_collection_all_group
+sentryCollection_qua = sentry_collection_query_group, sentry_collection_update_group, sentry_collection_all_group
+admin_q = admin_query_group
+admin_u = admin_update_group
+admin_a = admin_all_group
+admin_qu = admin_query_update_group
+admin_ua = admin_update_group, admin_all_group
+admin_qa = admin_query_group, admin_all_group
+admin_qua = admin_query_group, admin_update_group, admin_all_group
\ No newline at end of file
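Review bot: The `[users]` block has no entry for a user who holds none of query, update or all, although the loop in TestUpdateOperations also iterates over that combination. The name `getUsernameForPermissions` returns for that case is outside this hunk, so it looks as if the deny path there is exercised only by a user the policy file does not know. An explicit user mapped to a group whose role grants nothing on `sentryCollection` would separate "unknown user" from "known user without the privilege". A comment above the new users, for example `# <collection>_<letters>: q = query, u = update, a = all (action=*)`, would document the naming convention that the test helper appears to depend on.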
[26/26] git commit: SENTRY-125 - Merge master into branch
Posted by br...@apache.org.
SENTRY-125 - Merge master into branch
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/15c6b4bc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/15c6b4bc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/15c6b4bc
Branch: refs/heads/db_policy_store
Commit: 15c6b4bcf08601d06bf20b0e2099d77cbc01631e
Parents: 22b6a34 a4819f5
Author: Brock Noland <br...@apache.org>
Authored: Mon Feb 24 20:52:03 2014 -0600
Committer: Brock Noland <br...@apache.org>
Committed: Mon Feb 24 20:52:03 2014 -0600
----------------------------------------------------------------------
bin/config-tool.sh | 25 +
bin/sentry | 65 +++
.../binding/hive/HiveAuthzBindingHook.java | 12 +-
.../binding/hive/authz/HiveAuthzBinding.java | 9 +-
.../binding/hive/authz/SentryConfigTool.java | 510 +++++++++++++++++++
.../sentry/binding/hive/conf/HiveAuthzConf.java | 51 ++
sentry-core/sentry-core-common/pom.xml | 4 +
.../common/SentryConfigurationException.java | 67 +++
sentry-dist/pom.xml | 1 +
sentry-dist/src/main/assembly/bin.xml | 82 +++
.../sentry/policy/common/PolicyEngine.java | 13 +-
.../sentry/policy/db/SimpleDBPolicyEngine.java | 37 +-
.../policy/search/SimpleSearchPolicyEngine.java | 22 +-
.../provider/common/AuthorizationProvider.java | 30 ++
.../common/NoAuthorizationProvider.java | 26 +
.../sentry/provider/common/ProviderBackend.java | 7 +
.../file/ResourceAuthorizationProvider.java | 56 +-
.../file/SimpleFileProviderBackend.java | 79 ++-
.../provider/file/TestGetGroupMapping.java | 16 +
.../apache/sentry/tests/e2e/hive/Context.java | 6 +-
.../sentry/tests/e2e/hive/TestConfigTool.java | 304 +++++++++++
21 files changed, 1392 insertions(+), 30 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/15c6b4bc/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/15c6b4bc/sentry-dist/pom.xml
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/15c6b4bc/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --cc sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
index 205d012,0743604..1b5f2c2
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
@@@ -121,4 -125,47 +125,46 @@@ public abstract class ResourceAuthoriza
public GroupMappingService getGroupMapping() {
return groupService;
}
+
+ private List<String> getGroups(Subject subject) {
+ return groupService.getGroups(subject.getName());
+ }
+
+ @Override
+ public void validateResource(boolean strictValidation) throws SentryConfigurationException {
+ policy.validatePolicy(strictValidation);
+ }
+
+ @Override
+ public Set<String> listPermissionsForSubject(Subject subject) throws SentryConfigurationException {
+ return policy.listPermissions(getGroups(subject));
+ }
+
+ @Override
+ public Set<String> listPermissionsForGroup(String groupName) throws SentryConfigurationException {
+ return policy.listPermissions(groupName);
+ }
+
+ @Override
+ public List<String> getLastFailedPermissions() {
+ return lastFailedPermissions;
+ }
+
+ private List<String> buildPermissions(List<? extends Authorizable> authorizables,
+ Set<? extends Action> actions) {
+ List<String> hierarchy = new ArrayList<String>();
+ List<String> requestedPermissions = new ArrayList<String>();
+
+ for (Authorizable authorizable : authorizables) {
+ hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
+ }
+
+ for (Action action : actions) {
+ String requestPermission = AUTHORIZABLE_JOINER.join(hierarchy);
+ requestPermission = AUTHORIZABLE_JOINER.join(requestPermission,
+ KV_JOINER.join(PRIVILEGE_NAME, action.getValue()));
+ requestedPermissions.add(requestPermission);
+ }
+ return requestedPermissions;
+ }
-
}
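Review bot: `getLastFailedPermissions()` returns the `lastFailedPermissions` field itself, so any caller can mutate the provider's internal state. The field's declaration and its writers are outside this hunk; if one provider instance serves concurrent requests, a caller may also read denials recorded for a different subject. Returning a snapshot, `return new ArrayList<String>(lastFailedPermissions);`, closes the first gap, while the second needs the list to be per-request or thread-confined. Separately, in `buildPermissions` the call `AUTHORIZABLE_JOINER.join(hierarchy)` does not depend on `action` and can be computed once before the `for (Action action : actions)` loop.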
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/15c6b4bc/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --cc sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
index a4d4bb3,a50bd24..f223bee
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
@@@ -18,12 -18,18 +18,14 @@@ package org.apache.sentry.provider.file
import java.util.Arrays;
import java.util.List;
-
import org.apache.sentry.core.common.Authorizable;
+ import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.policy.common.PermissionFactory;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.GroupMappingService;
-
-import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ImmutableSetMultimap;
-
++import com.google.common.collect.ImmutableSet;
import org.junit.Test;
-
import static org.junit.Assert.assertSame;
public class TestGetGroupMapping {
@@@ -45,6 -51,21 +47,20 @@@
public PermissionFactory getPermissionFactory() { return null; }
public ImmutableSetMultimap<String, String> getPermissions(List<? extends Authorizable> authorizables, List<String> groups) { return null; }
-
+ public ImmutableSet<String> listPermissions(String groupName)
+ throws SentryConfigurationException {
+ return null;
+ }
+
+ public ImmutableSet<String> listPermissions(List<String> groupName)
+ throws SentryConfigurationException {
+ return null;
+ }
+
+ public void validatePolicy(boolean strictValidation)
+ throws SentryConfigurationException {
+ return;
+ }
};
TestResourceAuthorizationProvider authProvider =
[14/26] git commit: SENTRY-90: Normalize scratch path for comparison
(Brock Noland via Shreepadma Venugopalan)
Posted by br...@apache.org.
SENTRY-90: Normalize scratch path for comparison (Brock Noland via Shreepadma Venugopalan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/a9f9790b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/a9f9790b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/a9f9790b
Branch: refs/heads/db_policy_store
Commit: a9f9790ba1f0a606e286e3ab813b2b2f319b70a8
Parents: 8fc91c5
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Mon Jan 20 13:58:41 2014 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Mon Jan 20 13:58:41 2014 -0800
----------------------------------------------------------------------
pom.xml | 27 ++--
.../binding/hive/HiveAuthzBindingHook.java | 63 +++------
sentry-core/sentry-core-common/pom.xml | 12 ++
.../sentry/core/common/utils/PathUtils.java | 131 +++++++++++++++++++
.../sentry/core/common/utils/TestPathUtils.java | 76 +++++++++++
.../sentry/policy/db/DBWildcardPermission.java | 54 ++------
sentry-provider/sentry-provider-file/pom.xml | 4 +
sentry-tests/sentry-tests-hive/.gitignore | 2 +
8 files changed, 271 insertions(+), 98 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a9f9790b/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 7fd7696..2f70df1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -52,24 +52,29 @@ limitations under the License.
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compile.source>1.6</maven.compile.source>
<maven.compile.target>1.6</maven.compile.target>
+ <commons.lang.version>2.6</commons.lang.version>
+ <derby.version>10.4.2.0</derby.version>
+ <fest.reflect.version>1.4.1</fest.reflect.version>
+ <guava.version>11.0.2</guava.version>
+ <hadoop.version>2.0.0-cdh4.4.0</hadoop.version>
<hive.version>0.10.0-cdh4.4.0</hive.version>
- <hadoop.version>2.0.0-cdh4.4.</hadoop.version>
- <solr.version>4.4.0-cdh5.0.0-SNAPSHOT</solr.version>
<junit.version>4.9</junit.version>
- <fest.reflect.version>1.4.1</fest.reflect.version>
+ <libthrift.version>0.9.0-cdh4-1</libthrift.version>
<log4j.version>1.2.16</log4j.version>
- <guava.version>11.0.2</guava.version>
<shiro.version>1.2.1</shiro.version>
<slf4j.version>1.6.1</slf4j.version>
- <derby.version>10.4.2.0</derby.version>
- <libthrift.version>0.9.0-cdh4-1</libthrift.version>
- <hadoop.version>2.0.0-cdh4.4.0</hadoop.version>
+ <solr.version>4.4.0-cdh5.0.0-SNAPSHOT</solr.version>
<zookeeper.version>3.4.5-cdh4.4.0</zookeeper.version>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ <version>${commons.lang.version}</version>
+ </dependency>
+ <dependency>
<groupId>org.apache.derby</groupId>
<artifactId>derby</artifactId>
<version>${derby.version}</version>
@@ -352,11 +357,11 @@ limitations under the License.
<exclude>**/nb-configuration.xml</exclude>
<exclude>**.patch</exclude>
<exclude>README*</exclude>
- <exclude>.project</exclude>
+ <exclude>**/.project</exclude>
<exclude>**/target/</exclude>
- <exclude>.settings</exclude>
- <exclude>.metadata/</exclude>
- <exclude>.classpath</exclude>
+ <exclude>**/.settings/**</exclude>
+ <exclude>**/.metadata/</exclude>
+ <exclude>**/.classpath</exclude>
<exclude>**/service.properties</exclude>
<exclude>**/kv1.dat</exclude>
<exclude>**/*.lck</exclude>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a9f9790b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 0dd28b7..9852c9e 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -62,6 +62,7 @@ import org.apache.sentry.binding.hive.authz.HiveAuthzPrivilegesMap;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.core.common.Action;
import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.common.utils.PathUtils;
import org.apache.sentry.core.model.db.AccessURI;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.DBModelAction;
@@ -251,41 +252,16 @@ implements HiveDriverFilterHook {
@VisibleForTesting
protected static AccessURI parseURI(String uri, boolean isLocal)
throws SemanticException {
- if (!(uri.startsWith("file://") || uri.startsWith("hdfs://"))) {
- if (uri.startsWith("file:")) {
- uri = uri.replace("file:", "file://");
- } else if (uri.startsWith("/")) {
- String wareHouseDir = SessionState.get().getConf()
- .get(ConfVars.METASTOREWAREHOUSE.varname);
- if (wareHouseDir.startsWith("hdfs:")) {
- URI warehouse = toDFSURI(wareHouseDir);
- uri = warehouse.getScheme() + "://" + warehouse.getAuthority() + uri;
- } else if (wareHouseDir.startsWith("file:")) {
- uri = "file://" + uri;
- } else {
- if (isLocal) {
- uri = "file://" + uri;
- } else {
- uri = "hdfs://" + uri;
- }
- }
- }
- return new AccessURI(uri);
- }
- return new AccessURI(uri);
- }
-
- private static URI toDFSURI(String s) throws SemanticException {
try {
- URI uri = new URI(s);
- if(uri.getScheme() == null || uri.getAuthority() == null) {
- throw new SemanticException("Invalid URI " + s + ". No scheme or authority.");
- }
- return uri;
- } catch (URISyntaxException e) {
- throw new SemanticException("Invalid URI " + s, e);
+ HiveConf conf = SessionState.get().getConf();
+ String warehouseDir = conf.getVar(ConfVars.METASTOREWAREHOUSE);
+ return new AccessURI(PathUtils.parseDFSURI(warehouseDir, uri, isLocal));
+ } catch (Exception e) {
+ throw new SemanticException("Error parsing URI " + uri + ": " +
+ e.getMessage(), e);
}
}
+
/**
* Post analyze hook that invokes hive auth bindings
*/
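Review bot: `catch (Exception e)` in `parseURI` is wider than what the try block can legitimately report as a URI problem. `PathUtils.parseDFSURI` declares `URISyntaxException` and, through `toDFSURI`, throws `IllegalArgumentException`; a null `SessionState.get()` or an unset warehouse directory would raise a `NullPointerException` that now reaches the user as "Error parsing URI". Two explicit clauses, `catch (URISyntaxException e)` and `catch (IllegalArgumentException e)` (the build targets Java 1.6, so no multi-catch), keep configuration faults distinguishable from bad input. The method also has no Javadoc; a one-line comment stating that bare paths inherit the warehouse file system's scheme and authority would help the next reader.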
@@ -378,7 +354,6 @@ implements HiveDriverFilterHook {
}
continue;
}
-
List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
entityHierarchy.add(hiveAuthzBinding.getAuthServer());
entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity));
@@ -469,7 +444,7 @@ implements HiveDriverFilterHook {
private boolean isUDF(ReadEntity readEntity) {
return readEntity.getType().equals(Type.UDF);
}
-
+
private boolean isBuiltinUDF(ReadEntity readEntity) {
return readEntity.getType().equals(Type.UDF) &&
readEntity.getUDF().isNative();
@@ -538,19 +513,17 @@ implements HiveDriverFilterHook {
if (writeEntity.getTyp().equals(Type.DFS_DIR)
|| writeEntity.getTyp().equals(Type.LOCAL_DIR)) {
HiveConf conf = SessionState.get().getConf();
- String scratchDirPath = conf.getVar(HiveConf.ConfVars.SCRATCHDIR);
- if (!scratchDirPath.endsWith(File.pathSeparator)) {
- scratchDirPath = scratchDirPath + File.pathSeparator;
- }
- if (writeEntity.getLocation().getPath().startsWith(scratchDirPath)) {
+ String warehouseDir = conf.getVar(ConfVars.METASTOREWAREHOUSE);
+ URI scratchURI = new URI(PathUtils.parseDFSURI(warehouseDir,
+ conf.getVar(HiveConf.ConfVars.SCRATCHDIR)));
+ URI requestURI = new URI(PathUtils.parseDFSURI(warehouseDir,
+ writeEntity.getLocation().getPath()));
+ if (PathUtils.impliesURI(scratchURI, requestURI)) {
return true;
}
-
- String localScratchDirPath = conf.getVar(HiveConf.ConfVars.LOCALSCRATCHDIR);
- if (!scratchDirPath.endsWith(File.pathSeparator)) {
- localScratchDirPath = localScratchDirPath + File.pathSeparator;
- }
- if (writeEntity.getLocation().getPath().startsWith(localScratchDirPath)) {
+ URI localScratchURI = new URI(PathUtils.parseLocalURI(conf.getVar(HiveConf.ConfVars.LOCALSCRATCHDIR)));
+ URI localRequestURI = new URI(PathUtils.parseLocalURI(writeEntity.getLocation().getPath()));
+ if (PathUtils.impliesURI(localScratchURI, localRequestURI)) {
return true;
}
}
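Review bot: Both scratch-directory checks rebuild the request URI from `writeEntity.getLocation().getPath()`, which discards whatever scheme and authority the location carries and then re-attaches the warehouse's (or `file://`). The scheme and authority comparison inside `PathUtils.impliesURI` therefore only ever sees values this code supplied itself. The entity type is not consulted after the outer `if`, so a DFS_DIR location is also tested against LOCALSCRATCHDIR and a LOCAL_DIR location against SCRATCHDIR. If `return true` means the write is exempt from authorization (the enclosing method starts and ends outside this hunk), consider passing the full location, assuming `getLocation()` returns a URI: `new URI(PathUtils.parseDFSURI(warehouseDir, writeEntity.getLocation().toString()))`, and selecting the scratch directory by `writeEntity.getTyp()`.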
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a9f9790b/sentry-core/sentry-core-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/pom.xml b/sentry-core/sentry-core-common/pom.xml
index 9b7d067..a14f129 100644
--- a/sentry-core/sentry-core-common/pom.xml
+++ b/sentry-core/sentry-core-common/pom.xml
@@ -27,4 +27,16 @@ limitations under the License.
<artifactId>sentry-core-common</artifactId>
<name>Sentry Core Common</name>
+ <dependencies>
+ <dependency>
+ <groupId>com.google.guava</groupId>
+ <artifactId>guava</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
</project>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a9f9790b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
new file mode 100644
index 0000000..1659450
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
@@ -0,0 +1,131 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.common.utils;
+
+import java.io.File;
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import com.google.common.base.Strings;
+
+public class PathUtils {
+ /**
+ * URI is a a special case. For URI's, /a implies /a/b.
+ * Therefore the test is "/a/b".startsWith("/a");
+ */
+ public static boolean impliesURI(URI privilegeURI, URI requestURI)
+ throws URISyntaxException {
+ if (privilegeURI.getPath() == null || requestURI.getPath() == null) {
+ return false;
+ }
+ // ensure that either both schemes are null or equal
+ if (privilegeURI.getScheme() == null) {
+ if (requestURI.getScheme() != null) {
+ return false;
+ }
+ } else if (!privilegeURI.getScheme().equals(requestURI.getScheme())) {
+ return false;
+ }
+ // request path does not contain relative parts /a/../b &&
+ // request path starts with privilege path &&
+ // authorities (nullable) are equal
+ String requestPath = ensureEndsWithSeparator(requestURI.getPath());
+ String privilegePath = ensureEndsWithSeparator(privilegeURI.getPath());
+ if (requestURI.getPath().equals(requestURI.normalize().getPath()) &&
+ requestPath.startsWith(privilegePath) &&
+ Strings.nullToEmpty(privilegeURI.getAuthority()).equals(Strings.nullToEmpty(requestURI.getAuthority()))) {
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * The URI must be a directory as opposed to a partial
+ * path entry name. To ensure this is true we add a /
+ * at the end of the path. Without this the admin might
+ * grant access to /dir1 but the user would be given access
+ * to /dir1* whereas the admin meant /dir1/
+ */
+ private static String ensureEndsWithSeparator(String path) {
+ if (path.endsWith(File.separator)) {
+ return path;
+ }
+ return path + File.separator;
+ }
+
+ public static String parseDFSURI(String warehouseDir, String uri)
+ throws URISyntaxException {
+ return parseDFSURI(warehouseDir, uri, false);
+ }
+
+ /**
+ * Parse a URI which should be on HDFS in the normal case but can be on a local
+ * file system in the testing case. In either case it should be on the same fs
+ * as the warehouse directory.
+ */
+ public static String parseDFSURI(String warehouseDir, String uri, boolean isLocal)
+ throws URISyntaxException {
+ if ((uri.startsWith("file://") || uri.startsWith("hdfs://"))) {
+ return uri;
+ } else {
+ if (uri.startsWith("file:")) {
+ uri = uri.replace("file:", "file://");
+ } else if (uri.startsWith("/")) {
+ if (warehouseDir.startsWith("hdfs:")) {
+ URI warehouse = toDFSURI(warehouseDir);
+ uri = warehouse.getScheme() + "://" + warehouse.getAuthority() + uri;
+ } else if (warehouseDir.startsWith("file:")) {
+ uri = "file://" + uri;
+ } else {
+ if (isLocal) {
+ uri = "file://" + uri;
+ } else {
+ // TODO fix this logic. I don't see why we would want to add hdfs://
+ // to a URI at this point in time since no namenode is specified
+ // and warehouseDir appear to just be a path starting with / ?
+ // I think in the isLocal = false case we might want to throw
+ uri = "hdfs://" + uri;
+ }
+ }
+ }
+ return uri;
+ }
+ }
+
+ /**
+ * Parse a URI which is on a local file system.
+ */
+ public static String parseLocalURI(String uri)
+ throws URISyntaxException {
+ if (uri.startsWith("file://")) {
+ return uri;
+ } else if (uri.startsWith("file:")) {
+ return uri.replace("file:", "file://");
+ } else if (uri.startsWith("/")) {
+ return "file://" + uri;
+ }
+ throw new IllegalStateException("Parse URI does not work on relative URI: " + uri);
+ }
+
+ private static URI toDFSURI(String s) throws URISyntaxException {
+ URI uri = new URI(s);
+ if(uri.getScheme() == null || uri.getAuthority() == null) {
+ throw new IllegalArgumentException("Invalid URI " + s + ". No scheme or authority.");
+ }
+ return uri;
+ }
+}
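Review bot: `ensureEndsWithSeparator` appends `File.separator`, but URI paths always use `/`, so on a platform whose separator is `\` the prefix test in `impliesURI` compares `/dir1\` with `/dir1/x\` and stops matching; `return path.endsWith("/") ? path : path + "/";` is platform-independent. The dot-segment guard compares decoded `getPath()` values while `URI.normalize()` collapses only literal `.`/`..` segments of the raw path, so a percent-encoded dot segment leaves both sides equal. Comparing `getRawPath()` results, or rejecting a decoded path that still contains a `..` segment, would make the guard independent of encoding. In `parseDFSURI` and `parseLocalURI`, `uri.replace("file:", "file://")` rewrites every occurrence in the string rather than the prefix; `"file://" + uri.substring("file:".length())` touches only the scheme. The class also lacks a private constructor and Javadoc on the two public `parseDFSURI` overloads saying that inputs with any other scheme, or relative paths, are returned unchanged.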
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a9f9790b/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java b/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
new file mode 100644
index 0000000..28818ba
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.common.utils;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+
+import java.net.URI;
+import org.junit.Test;
+
+public class TestPathUtils {
+
+ @Test
+ public void testNullScheme() throws Exception {
+ assertTrue(PathUtils.impliesURI(new URI("/tmp"), new URI("/tmp/a")));
+ assertFalse(PathUtils.impliesURI(new URI("file:/tmp"), new URI("/tmp/a")));
+ assertFalse(PathUtils.impliesURI(new URI("/tmp"), new URI("file:/tmp/a")));
+ // Privileges on /tmp/ are distinct from /tmp.+/ e.g. /tmp/ and /tmpdata/
+ assertFalse(PathUtils.impliesURI(new URI("/tmp"), new URI("/tmpdata")));
+ }
+
+ @Test
+ public void testParseDFSURI() throws Exception {
+ // warehouse hdfs, path /
+ assertEquals("hdfs://namenode:8020/tmp/hive-user", PathUtils.
+ parseDFSURI("hdfs://namenode:8020/user/hive/warehouse", "/tmp/hive-user"));
+ // warehouse hdfs, path hdfs
+ assertEquals("hdfs://namenode:8020/tmp/hive-user", PathUtils.
+ parseDFSURI("hdfs://namenode:8020/user/hive/warehouse", "hdfs://namenode:8020/tmp/hive-user"));
+
+ // warehouse file:///, path /
+ assertEquals("file:///tmp/hive-user", PathUtils.
+ parseDFSURI("file:///tmp/hive-warehouse", "/tmp/hive-user"));
+ // warehouse file:///, path file:/
+ assertEquals("file:///tmp/hive-user", PathUtils.
+ parseDFSURI("file:///tmp/hive-warehouse", "file:/tmp/hive-user"));
+ // warehouse file:///, path file:///
+ assertEquals("file:///tmp/hive-user", PathUtils.
+ parseDFSURI("file:///tmp/hive-warehouse", "file:///tmp/hive-user"));
+
+ // warehouse file:/, path /
+ assertEquals("file:///tmp/hive-user", PathUtils.
+ parseDFSURI("file:/tmp/hive-warehouse", "/tmp/hive-user"));
+ // warehouse file:/, path file:/
+ assertEquals("file:///tmp/hive-user", PathUtils.
+ parseDFSURI("file:/tmp/hive-warehouse", "file:/tmp/hive-user"));
+ // warehouse file:/, path file:///
+ assertEquals("file:///tmp/hive-user", PathUtils.
+ parseDFSURI("file:/tmp/hive-warehouse", "file:///tmp/hive-user"));
+ }
+
+ @Test
+ public void testParseLocalURI() throws Exception {
+ assertEquals("file:///tmp/hive-user", PathUtils.
+ parseLocalURI("/tmp/hive-user"));
+ assertEquals("file:///tmp/hive-user", PathUtils.
+ parseLocalURI("file:/tmp/hive-user"));
+ assertEquals("file:///tmp/hive-user", PathUtils.
+ parseLocalURI("file:///tmp/hive-user"));
+ }
+}
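Review bot: The tests leave two of the conditions that `impliesURI` combines uncovered: there is no case for a request path containing a relative segment and none for differing authorities, so a regression in either check would pass unnoticed. Suggested additions (host names constructed for the example): `assertFalse(PathUtils.impliesURI(new URI("/tmp"), new URI("/tmp/../etc")));` and `assertFalse(PathUtils.impliesURI(new URI("hdfs://nn1:8020/tmp"), new URI("hdfs://nn2:8020/tmp/a")));`. `parseLocalURI` also has no test for its `IllegalStateException` branch on a relative path. The static imports come from `junit.framework.Assert`, which JUnit 4 deprecates in favour of `org.junit.Assert`.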
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a9f9790b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
index e0eb2dc..01981d1 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
@@ -24,13 +24,13 @@ package org.apache.sentry.policy.db;
import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
-import java.io.File;
import java.io.Serializable;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import org.apache.commons.lang.text.StrSubstitutor;
+import org.apache.sentry.core.common.utils.PathUtils;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
import org.apache.sentry.policy.common.PermissionFactory;
@@ -133,56 +133,26 @@ public class DBWildcardPermission implements Permission, Serializable {
return false;
}
- /**
- * URI is a a special case. For URI's, /a implies /a/b.
- * Therefore the test is "/a/b".startsWith("/a");
- */
@VisibleForTesting
- protected static boolean impliesURI(String policy, String request) {
+ protected static boolean impliesURI(String privilege, String request) {
try {
- URI policyURI = new URI(new StrSubstitutor(System.getProperties()).replace(policy));
- URI requestURI = new URI(request);
- if(policyURI.getScheme() == null || policyURI.getPath() == null) {
- LOGGER.warn("Policy URI " + policy + " is not valid. Either no scheme or no path.");
- return false;
- }
- if(requestURI.getScheme() == null || requestURI.getPath() == null) {
- LOGGER.warn("Request URI " + request + " is not valid. Either no scheme or no path.");
- return false;
- }
- // schemes are equal &&
- // request path does not contain relative parts /a/../b &&
- // request path starts with policy path &&
- // authorities (nullable) are equal
- String requestPath = ensureEndsWithSeparator(requestURI.getPath());
- String policyPath = ensureEndsWithSeparator(policyURI.getPath());
- if(policyURI.getScheme().equals(requestURI.getScheme()) &&
- requestURI.getPath().equals(new URI(request).normalize().getPath()) &&
- requestPath.startsWith(policyPath) &&
- Strings.nullToEmpty(policyURI.getAuthority()).equals(Strings.nullToEmpty(requestURI.getAuthority()))) {
- return true;
- }
+ URI privilegeURI = new URI(new StrSubstitutor(System.getProperties()).replace(privilege));
+ URI requestURI = new URI(request);
+ if(privilegeURI.getScheme() == null || privilegeURI.getPath() == null) {
+ LOGGER.warn("Privilege URI " + request + " is not valid. Either no scheme or no path.");
return false;
+ }
+ if(requestURI.getScheme() == null || requestURI.getPath() == null) {
+ LOGGER.warn("Request URI " + request + " is not valid. Either no scheme or no path.");
+ return false;
+ }
+ return PathUtils.impliesURI(privilegeURI, requestURI);
} catch (URISyntaxException e) {
LOGGER.warn("Request URI " + request + " is not a URI", e);
return false;
}
}
- /**
- * The URI must be a directory as opposed to a partial
- * path entry name. To ensure this is true we add a /
- * at the end of the path. Without this the admin might
- * grant access to /dir1 but the user would be given access
- * to /dir1* whereas the admin meant /dir1/
- */
- private static String ensureEndsWithSeparator(String path) {
- if (path.endsWith(File.separator)) {
- return path;
- }
- return path + File.separator;
- }
-
@Override
public String toString() {
return AUTHORIZABLE_JOINER.join(parts);
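Review bot: The warning for an invalid privilege URI logs the wrong variable: `LOGGER.warn("Privilege URI " + request + " is not valid. ...")` prints the request string, so an operator chasing a malformed policy entry is pointed at the caller's input instead. It should read `LOGGER.warn("Privilege URI " + privilege + " is not valid. Either no scheme or no path.");`. The `catch (URISyntaxException e)` branch has the same ambiguity, because it reports "Request URI" even when the privilege string (after `StrSubstitutor` expansion) failed to parse; naming both values in that message would remove it. The Javadoc removed from this method was not replaced, so a short comment that the prefix semantics now live in `PathUtils.impliesURI` would keep the contract discoverable.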
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a9f9790b/sentry-provider/sentry-provider-file/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/pom.xml b/sentry-provider/sentry-provider-file/pom.xml
index a804952..60c4836 100644
--- a/sentry-provider/sentry-provider-file/pom.xml
+++ b/sentry-provider/sentry-provider-file/pom.xml
@@ -29,6 +29,10 @@ limitations under the License.
<dependencies>
<dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ </dependency>
+ <dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-common</artifactId>
</dependency>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a9f9790b/sentry-tests/sentry-tests-hive/.gitignore
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/.gitignore b/sentry-tests/sentry-tests-hive/.gitignore
new file mode 100644
index 0000000..f8feb49
--- /dev/null
+++ b/sentry-tests/sentry-tests-hive/.gitignore
@@ -0,0 +1,2 @@
+derby.log
+TempStatsStore/**
[10/26] git commit: SENTRY-83: Sentry Solr Tests should have a
dependency on solr-sentry-handlers(Gregory Chanan via Shreepadma Venugopalan)
Posted by br...@apache.org.
SENTRY-83: Sentry Solr Tests should have a dependency on solr-sentry-handlers(Gregory Chanan via Shreepadma Venugopalan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/27c8293e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/27c8293e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/27c8293e
Branch: refs/heads/db_policy_store
Commit: 27c8293eda947638f7073f073826499342211ec8
Parents: 1a4a7b4
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Mon Jan 13 14:31:52 2014 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Mon Jan 13 14:31:52 2014 -0800
----------------------------------------------------------------------
pom.xml | 6 ++++++
sentry-tests/sentry-tests-solr/pom.xml | 4 ++++
2 files changed, 10 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/27c8293e/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index e74ef71..f3ec427 100644
--- a/pom.xml
+++ b/pom.xml
@@ -119,6 +119,12 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.solr</groupId>
+ <artifactId>solr-sentry-handlers</artifactId>
+ <version>${solr.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.solr</groupId>
<artifactId>solr-solrj</artifactId>
<version>${solr.version}</version>
<scope>test</scope>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/27c8293e/sentry-tests/sentry-tests-solr/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/pom.xml b/sentry-tests/sentry-tests-solr/pom.xml
index 3f0fa2d..7819114 100644
--- a/sentry-tests/sentry-tests-solr/pom.xml
+++ b/sentry-tests/sentry-tests-solr/pom.xml
@@ -41,6 +41,10 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.solr</groupId>
+ <artifactId>solr-sentry-handlers</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.solr</groupId>
<artifactId>solr-solrj</artifactId>
</dependency>
<dependency>
[09/26] git commit: SENTRY-86: Additional logging for Solr/Sentry end
to end tests (Vamsee Yarlagadda via Gregory Chanan)
Posted by br...@apache.org.
SENTRY-86: Additional logging for Solr/Sentry end to end tests (Vamsee Yarlagadda via Gregory Chanan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/1a4a7b49
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/1a4a7b49
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/1a4a7b49
Branch: refs/heads/db_policy_store
Commit: 1a4a7b49820c3aa3ebcb52d2d3d4881473ea7d09
Parents: c5ff1c3
Author: Gregory Chanan <gc...@cloudera.com>
Authored: Thu Jan 9 16:39:56 2014 -0800
Committer: Gregory Chanan <gc...@cloudera.com>
Committed: Thu Jan 9 16:39:56 2014 -0800
----------------------------------------------------------------------
.../sentry/tests/e2e/solr/TestQueryOperations.java | 11 ++++++++---
.../sentry/tests/e2e/solr/TestUpdateOperations.java | 11 ++++++++---
2 files changed, 16 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1a4a7b49/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
index 2ccbbce..a9b9f28 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
@@ -21,8 +21,10 @@ import org.slf4j.LoggerFactory;
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
-import java.util.ArrayList;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@@ -56,14 +58,17 @@ public class TestQueryOperations extends AbstractSolrSentryTestBase {
verifyQueryFail(test_user, COLLECTION_NAME, ALL_DOCS);
}
} catch (Throwable testException) {
+ StringWriter stringWriter = new StringWriter();
+ PrintWriter printWriter = new PrintWriter(stringWriter);
+ testException.printStackTrace(printWriter);
testFailures.add("\n\nTestFailure: User -> " + test_user + "\n"
- + testException.toString());
+ + stringWriter.toString());
}
}
}
}
assertEquals("Total test failures: " + testFailures.size() + " \n\n"
- + testFailures.toString(), 0, testFailures.size());
+ + testFailures.toString() + "\n\n\n", 0, testFailures.size());
}
}
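Review bot: The three added lines that render the stack trace into a `StringWriter` are repeated verbatim in TestUpdateOperations (the `@@ -65,14 +67,17 @@` hunk), so the two failure reports can drift apart the next time the format changes. Both classes extend AbstractSolrSentryTestBase, so a small protected helper there, say `stackTraceOf(Throwable)`, would reduce each catch block to `+ stackTraceOf(testException));`. If `Throwable` is caught on purpose so that one user's failed authorization check does not hide the others, a one-line comment on the catch saying so would help. The loop and the test method start outside the hunk.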
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1a4a7b49/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
index 1703fe6..b57e6c6 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
@@ -21,8 +21,10 @@ import org.slf4j.LoggerFactory;
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
-import java.util.ArrayList;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@@ -65,14 +67,17 @@ public class TestUpdateOperations extends AbstractSolrSentryTestBase {
verifyDeletedocsFail(test_user, COLLECTION_NAME, false);
}
} catch (Throwable testException) {
+ StringWriter stringWriter = new StringWriter();
+ PrintWriter printWriter = new PrintWriter(stringWriter);
+ testException.printStackTrace(printWriter);
testFailures.add("\n\nTestFailure: User -> " + test_user + "\n"
- + testException.toString());
+ + stringWriter.toString());
}
}
}
}
assertEquals("Total test failures: " + testFailures.size() + " \n\n"
- + testFailures.toString(), 0, testFailures.size());
+ + testFailures.toString() + "\n\n\n", 0, testFailures.size());
}
}
[04/26] git commit: SENTRY-73: solrconfig.xml should specify
SecureAdminHandlers (Gregory Chanan via Shreepadma Venugopalan)
Posted by br...@apache.org.
SENTRY-73: solrconfig.xml should specify SecureAdminHandlers (Gregory Chanan via Shreepadma Venugopalan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/72b43756
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/72b43756
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/72b43756
Branch: refs/heads/db_policy_store
Commit: 72b437564759e552e33f806de939c4b300180915
Parents: 319d64a
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Thu Dec 26 16:09:45 2013 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Thu Dec 26 16:42:44 2013 -0800
----------------------------------------------------------------------
.../src/test/resources/solr/collection1/conf/solrconfig.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/72b43756/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
index 91f1a61..4276cda 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/collection1/conf/solrconfig.xml
@@ -1122,7 +1122,7 @@
RequestHandlers.
-->
<requestHandler name="/admin/"
- class="solr.admin.AdminHandlers" />
+ class="solr.admin.SecureAdminHandlers" />
<!-- This single handler is equivalent to the following... -->
<!--
<requestHandler name="/admin/luke" class="solr.admin.LukeRequestHandler" />
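Review bot: The commented-out list that follows `This single handler is equivalent to the following...` still names the unsecured classes such as `solr.admin.LukeRequestHandler`, so after this change the comment no longer describes what `/admin/` is bound to. Someone who uncomments those entries to customise a single admin path would presumably register handlers that skip the Sentry check. Either update the list to the secured counterparts or add a line such as `<!-- NOTE: the classes listed below are the unsecured handlers; do not enable them when Sentry is in use -->`. The list continues past the end of the hunk, so the remaining entries are not visible here.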
[16/26] git commit: SENTRY-107: Upgrade hadoop on master (Brock
Noland via Shreepadma Venugopalan)
Posted by br...@apache.org.
SENTRY-107: Upgrade hadoop on master (Brock Noland via Shreepadma Venugopalan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/a39b2325
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/a39b2325
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/a39b2325
Branch: refs/heads/db_policy_store
Commit: a39b2325e4460faa9187d68b875f4342f8768256
Parents: 2a5fb34
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Fri Jan 31 15:41:48 2014 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Fri Jan 31 15:41:48 2014 -0800
----------------------------------------------------------------------
pom.xml | 110 +++++++++----------
sentry-binding/sentry-binding-hive/pom.xml | 4 -
.../binding/hive/HiveAuthzBindingHook.java | 8 +-
.../hive/HiveAuthzBindingSessionHook.java | 5 +-
.../binding/hive/authz/HiveAuthzBinding.java | 2 +-
.../binding/hive/TestHiveAuthzBindings.java | 6 +-
sentry-tests/sentry-tests-hive/pom.xml | 24 +---
.../e2e/hive/TestPrivilegesAtTableScope.java | 2 +-
.../tests/e2e/hive/TestServerConfiguration.java | 4 +-
9 files changed, 66 insertions(+), 99 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a39b2325/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 2f70df1..3bab152 100644
--- a/pom.xml
+++ b/pom.xml
@@ -52,19 +52,29 @@ limitations under the License.
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compile.source>1.6</maven.compile.source>
<maven.compile.target>1.6</maven.compile.target>
+ <!-- versions are in alphabetical order -->
+ <ant.contrib.version>1.0b3</ant.contrib.version>
+ <maven.antrun.plugin.version>1.7</maven.antrun.plugin.version>
+ <maven.enforcer.plugin.version>1.3.1</maven.enforcer.plugin.version>
+ <build.helper.maven.plugin.version>1.8</build.helper.maven.plugin.version>
<commons.lang.version>2.6</commons.lang.version>
+ <datanucleus.maven.plugin.version>3.3.0-release</datanucleus.maven.plugin.version>
+ <datanucleus-api-jdo.version>3.2.1</datanucleus-api-jdo.version>
+ <datanucleus-core.version>3.2.2</datanucleus-core.version>
+ <datanucleus-rdbms.version>3.2.1</datanucleus-rdbms.version>
<derby.version>10.4.2.0</derby.version>
+ <hive.version>0.12.0-cdh5.0.0-beta-2-SNAPSHOT</hive.version>
+ <hadoop.version>2.2.0-cdh5.0.0-beta-2-SNAPSHOT</hadoop.version>
<fest.reflect.version>1.4.1</fest.reflect.version>
<guava.version>11.0.2</guava.version>
- <hadoop.version>2.0.0-cdh4.4.0</hadoop.version>
- <hive.version>0.10.0-cdh4.4.0</hive.version>
<junit.version>4.9</junit.version>
<libthrift.version>0.9.0-cdh4-1</libthrift.version>
+ <libfb303.version>0.9.0</libfb303.version>
<log4j.version>1.2.16</log4j.version>
<shiro.version>1.2.1</shiro.version>
<slf4j.version>1.6.1</slf4j.version>
- <solr.version>4.4.0-cdh5.0.0-SNAPSHOT</solr.version>
- <zookeeper.version>3.4.5-cdh4.4.0</zookeeper.version>
+ <solr.version>4.4.0-cdh5.0.0-beta-2-SNAPSHOT</solr.version>
+ <zookeeper.version>3.4.5-cdh5.0.0-beta-2-SNAPSHOT</zookeeper.version>
</properties>
<dependencyManagement>
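Review bot: The `hive.version`, `hadoop.version`, `solr.version` and `zookeeper.version` properties now all end in `-SNAPSHOT`, so the build resolves mutable artifacts, and the last hunk of this file adds a repository with snapshots enabled to serve them. Two builds of the same commit can therefore compile and test against different binaries, which weakens any claim about what the authorization tests actually exercised. Pin these to released versions before a release, or record the constraint next to the properties, e.g. `<!-- SNAPSHOT versions: replace with released CDH5 artifacts before cutting a release -->`. The added comment `versions are in alphabetical order` also does not match the list (`maven.*` and `build.helper.*` come before `commons.*`, and `hive` before `hadoop`).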
@@ -78,49 +88,51 @@ limitations under the License.
<groupId>org.apache.derby</groupId>
<artifactId>derby</artifactId>
<version>${derby.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.thrift</groupId>
<artifactId>libthrift</artifactId>
<version>${libthrift.version}</version>
- <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.thrift</groupId>
+ <artifactId>libfb303</artifactId>
+ <version>${libfb303.version}</version>
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
<artifactId>hive-common</artifactId>
<version>${hive.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-common</artifactId>
<version>${hadoop.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-minicluster</artifactId>
<version>${hadoop.version}</version>
- <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-minikdc</artifactId>
+ <version>${hadoop.version}</version>
</dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-client</artifactId>
- <version>${cdh.hadoop.version}</version>
- <scope>provided</scope>
+ <version>${hadoop.version}</version>
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
<artifactId>hive-metastore</artifactId>
<version>${hive.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.solr</groupId>
<artifactId>solr-test-framework</artifactId>
<version>${solr.version}</version>
- <scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.solr</groupId>
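Review bot: Dropping `<scope>` from these `dependencyManagement` entries changes the effective scope of every module that declares the artifact without a scope of its own, from `provided` or `test` to the default `compile`. The sentry-binding-hive POM later in this commit lists `hive-service` with no scope, so it now becomes a compile-scope dependency that is passed on to consumers. The same applies to the test libraries in the `@@ -132,25 +144,21 @@` hunk (`junit`, `fest-reflect`, `solr-solrj`) and to the entries in the `@@ -161,19`, `@@ -194,85` and `@@ -293,7` hunks. Check that each child POM states its scope explicitly, and add a comment above the section such as `<!-- scopes are intentionally left to the consuming module -->` so the omission reads as deliberate.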
@@ -132,25 +144,21 @@ limitations under the License.
<groupId>org.apache.solr</groupId>
<artifactId>solr-solrj</artifactId>
<version>${solr.version}</version>
- <scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>${junit.version}</version>
- <scope>test</scope>
</dependency>
<dependency>
<groupId>org.easytesting</groupId>
<artifactId>fest-reflect</artifactId>
<version>${fest.reflect.version}</version>
- <scope>test</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>${log4j.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
@@ -161,19 +169,16 @@ limitations under the License.
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>${guava.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${slf4j.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>${slf4j.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
@@ -194,85 +199,51 @@ limitations under the License.
<groupId>org.apache.hive</groupId>
<artifactId>hive-jdbc</artifactId>
<version>${hive.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
<artifactId>hive-shims</artifactId>
<version>${hive.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
<artifactId>hive-serde</artifactId>
<version>${hive.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
<artifactId>hive-exec</artifactId>
<version>${hive.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
<artifactId>hive-service</artifactId>
<version>${hive.version}</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.hive</groupId>
- <artifactId>hive-hwi</artifactId>
- <version>${hive.version}</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.hive</groupId>
- <artifactId>hive-pdk</artifactId>
- <version>${hive.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
<artifactId>hive-hbase-handler</artifactId>
<version>${hive.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
<artifactId>hive-contrib</artifactId>
<version>${hive.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
<artifactId>hive-cli</artifactId>
<version>${hive.version}</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.hive</groupId>
- <artifactId>hive-builtins</artifactId>
- <version>${hive.version}</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.hive</groupId>
- <artifactId>hive-anttasks</artifactId>
- <version>${hive.version}</version>
- <scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
<artifactId>sentry-binding-hive</artifactId>
<version>${project.version}</version>
- <scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
<artifactId>sentry-binding-solr</artifactId>
<version>${project.version}</version>
- <scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
@@ -293,7 +264,6 @@ limitations under the License.
<groupId>org.apache.sentry</groupId>
<artifactId>sentry-policy-db</artifactId>
<version>${project.version}</version>
- <scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
@@ -320,6 +290,12 @@ limitations under the License.
<build>
<plugins>
<plugin>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>maven-bundle-plugin</artifactId>
+ <inherited>true</inherited>
+ <extensions>true</extensions>
+ </plugin>
+ <plugin>
<groupId>org.apache.rat</groupId>
<artifactId>apache-rat-plugin</artifactId>
</plugin>
@@ -328,6 +304,11 @@ limitations under the License.
<pluginManagement>
<plugins>
<plugin>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>maven-bundle-plugin</artifactId>
+ <version>2.4.0</version>
+ </plugin>
+ <plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>2.5.1</version>
@@ -399,8 +380,23 @@ limitations under the License.
<repositories>
<repository>
- <id>cloudera</id>
- <url>https://repository.cloudera.com/artifactory/cloudera-repos/</url>
+ <id>cdh.repo</id>
+ <url>https://repository.cloudera.com/artifactory/cloudera-repos</url>
+ <name>Cloudera Repositories</name>
+ <snapshots>
+ <enabled>false</enabled>
+ </snapshots>
+ </repository>
+ <repository>
+ <id>cdh.snapshots.repo</id>
+ <url>https://repository.cloudera.com/artifactory/libs-snapshot-local</url>
+ <name>Cloudera Snapshots Repository</name>
+ <snapshots>
+ <enabled>true</enabled>
+ </snapshots>
+ <releases>
+ <enabled>false</enabled>
+ </releases>
</repository>
</repositories>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a39b2325/sentry-binding/sentry-binding-hive/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/pom.xml b/sentry-binding/sentry-binding-hive/pom.xml
index 74f9065..132f4bc 100644
--- a/sentry-binding/sentry-binding-hive/pom.xml
+++ b/sentry-binding/sentry-binding-hive/pom.xml
@@ -56,10 +56,6 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
- <artifactId>hive-builtins</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.hive</groupId>
<artifactId>hive-service</artifactId>
</dependency>
<dependency>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a39b2325/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 9852c9e..cac4864 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -220,12 +220,8 @@ implements HiveDriverFilterHook {
}
// Find the current database for session
- private Database getCanonicalDb() throws SemanticException {
- try {
- return new Database(Hive.get().getCurrentDatabase());
- } catch (HiveException e) {
- throw new SemanticException("Error retrieving current db", e);
- }
+ private Database getCanonicalDb() {
+ return new Database(SessionState.get().getCurrentDatabase());
}
private Database extractDatabase(ASTNode ast) throws SemanticException {
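Review bot: `SessionState.get()` returns the thread-local session and can be null when no session is attached to the calling thread, in which case the new `getCanonicalDb()` fails with a NullPointerException inside the authorization hook instead of the `SemanticException` the old code raised. Whether that can happen on this path is not visible from the hunk, but a guard keeps the failure explicit: keep `throws SemanticException` and add `if (SessionState.get() == null) throw new SemanticException("No active session; cannot determine current database");` before the return. The existing comment could also say that the current database now comes from the session rather than from `Hive.get()`.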
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a39b2325/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
index f584b9b..1506d8a 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
@@ -39,7 +39,6 @@ public class HiveAuthzBindingSessionHook
ConfVars.HIVE_EXTENDED_ENITITY_CAPTURE.varname + "," +
ConfVars.SCRATCHDIR.varname + "," +
ConfVars.LOCALSCRATCHDIR.varname + "," +
- ConfVars.HIVE_SERVER2_AUTHZ_EXTERNAL_EXEC.varname + "," +
ConfVars.METASTOREURIS.varname + "," +
ConfVars.METASTORECONNECTURLKEY.varname + "," +
ConfVars.HADOOPBIN.varname + "," +
@@ -47,6 +46,7 @@ public class HiveAuthzBindingSessionHook
ConfVars.HIVEAUXJARS.varname + "," +
ConfVars.HIVESTATSDBCONNECTIONSTRING.varname + "," +
ConfVars.SCRATCHDIRPERMISSION.varname + "," +
+ ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.varname + "," +
HiveAuthzConf.HIVE_ACCESS_CONF_URL + "," +
HiveAuthzConf.HIVE_SENTRY_CONF_URL + "," +
HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME + "," +
@@ -58,7 +58,6 @@ public class HiveAuthzBindingSessionHook
* semantic, exec and filter hooks
* 2. Set additional config properties required for auth
* set HIVE_EXTENDED_ENITITY_CAPTURE = true
- * set HIVE_SERVER2_AUTHZ_EXTERNAL_EXEC = false
* set SCRATCHDIRPERMISSION = 700
* 3. Add sensetive config parameters to the config restrict list so that they can't be overridden by users
*/
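Review bot: The class comment drops `set HIVE_SERVER2_AUTHZ_EXTERNAL_EXEC = false` from step 2 but does not list its replacement, so the documented hardening steps no longer match what the hook configures (the next hunk sets `HIVE_SECURITY_COMMAND_WHITELIST` to `set`). Add ` * set HIVE_SECURITY_COMMAND_WHITELIST = set` in its place, ideally with a few words on why only that command is allowed. The comment block starts outside this hunk, so the wording of step 1 is not visible here.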
@@ -73,7 +72,7 @@ public class HiveAuthzBindingSessionHook
// setup config
sessionConf.setBoolVar(ConfVars.HIVE_EXTENDED_ENITITY_CAPTURE, true);
- sessionConf.setBoolVar(ConfVars.HIVE_SERVER2_AUTHZ_EXTERNAL_EXEC, false);
+ sessionConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, "set");
sessionConf.setVar(ConfVars.SCRATCHDIRPERMISSION, SCRATCH_DIR_PERMISSIONS);
// set user name
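Review bot: The whitelist value is a bare `"set"` literal here and again in the `verifyConfig` call in TestServerConfiguration, while the neighbouring scratch-dir setting uses the `SCRATCH_DIR_PERMISSIONS` constant. As its name suggests, this value controls which non-SQL commands a Sentry-controlled session may run, so it deserves a named constant next to the others, e.g. `public static final String SECURITY_CMD_WHITELIST = "set";`, referenced from both places. A comment on the constant should state why the list is restricted to `set`. The enclosing method starts and ends outside the hunk.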
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a39b2325/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
index a769991..45d5d3b 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
@@ -111,7 +111,7 @@ public class HiveAuthzBinding {
if("none".equalsIgnoreCase(authMethod)) {
throw new InvalidConfigurationException("Authentication can't be NONE in non-testing mode");
}
- boolean impersonation = hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_KERBEROS_IMPERSONATION);
+ boolean impersonation = hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS);
boolean allowImpersonation = Boolean.parseBoolean(Strings.nullToEmpty(
authzConf.get(AuthzConfVars.AUTHZ_ALLOW_HIVE_IMPERSONATION.getVar())).trim());
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a39b2325/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
index 6b2166b..e6d790a 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
@@ -289,7 +289,7 @@ public class TestHiveAuthzBindings {
@Test(expected=AuthorizationException.class)
public void testImpersonationRestriction() throws Exception {
// perpare the hive and auth configs
- hiveConf.setBoolVar(ConfVars.HIVE_SERVER2_KERBEROS_IMPERSONATION, true);
+ hiveConf.setBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS, true);
hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, "Kerberos");
authzConf.set(AuthzConfVars.SENTRY_TESTING_MODE.getVar(), "false");
testAuth = new HiveAuthzBinding(hiveConf, authzConf);
@@ -307,7 +307,7 @@ public class TestHiveAuthzBindings {
@Test
public void testImpersonationAllowed() throws Exception {
// perpare the hive and auth configs
- hiveConf.setBoolVar(ConfVars.HIVE_SERVER2_KERBEROS_IMPERSONATION, true);
+ hiveConf.setBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS, true);
hiveConf.setVar(ConfVars.HIVE_SERVER2_AUTHENTICATION, "Kerberos");
authzConf.set(AuthzConfVars.SENTRY_TESTING_MODE.getVar(), "false");
authzConf.set(AuthzConfVars.AUTHZ_ALLOW_HIVE_IMPERSONATION.getVar(), "true");
@@ -330,7 +330,7 @@ public class TestHiveAuthzBindings {
}
return authList;
}
-
+
/**
* Turn off authentication and verify exception is raised in non-testing mode
* @throws Exception
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a39b2325/sentry-tests/sentry-tests-hive/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/pom.xml b/sentry-tests/sentry-tests-hive/pom.xml
index f46e275..030b9b1 100644
--- a/sentry-tests/sentry-tests-hive/pom.xml
+++ b/sentry-tests/sentry-tests-hive/pom.xml
@@ -71,16 +71,6 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.hive</groupId>
- <artifactId>hive-pdk</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.hive</groupId>
- <artifactId>hive-hwi</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.hive</groupId>
<artifactId>hive-jdbc</artifactId>
<scope>test</scope>
</dependency>
@@ -110,16 +100,6 @@ limitations under the License.
<scope>test</scope>
</dependency>
<dependency>
- <groupId>org.apache.hive</groupId>
- <artifactId>hive-builtins</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.hive</groupId>
- <artifactId>hive-anttasks</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-common</artifactId>
<scope>test</scope>
@@ -280,8 +260,8 @@ limitations under the License.
mv $BASE_DIR/${finalName}* $BASE_DIR/$finalName
}
mkdir -p $DOWNLOAD_DIR
- download "http://archive.cloudera.com/cdh4/cdh/4/hadoop-latest.tar.gz" hadoop.tar.gz hadoop
- download "http://archive.cloudera.com/cdh4/cdh/4/hive-latest.tar.gz" hive.tar.gz hive
+ download "http://archive.cloudera.com/cdh5/cdh/5/hadoop-latest.tar.gz" hadoop.tar.gz hadoop
+ download "http://archive.cloudera.com/cdh5/cdh/5/hive-latest.tar.gz" hive.tar.gz hive
</echo>
<exec executable="bash" dir="${basedir}" failonerror="true">
<arg line="target/download.sh"/>
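Review bot: The two added `download` lines fetch the Hadoop and Hive tarballs over plain `http://` from a `-latest` URL, and nothing in the visible part of the script checks a digest before the archives are unpacked and used by the tests. If the archive host serves HTTPS, switch the scheme, e.g. `download "https://archive.cloudera.com/cdh5/cdh/5/hadoop-latest.tar.gz" hadoop.tar.gz hadoop`. Better still, use a versioned tarball with a recorded SHA-256 that `download` verifies, so the tested binaries are both authentic and repeatable. The body of `download` begins outside this hunk, so an existing check there cannot be ruled out.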
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a39b2325/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
index 0198a6f..c267ea6 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
@@ -200,7 +200,7 @@ public class TestPrivilegesAtTableScope extends AbstractTestWithStaticConfigurat
statement = context.createStatement(connection);
statement.execute("USE DB_1");
// test user can execute insert on table
- statement.executeQuery("INSERT INTO TABLE TAB_1 SELECT A FROM TAB_2");
+ statement.execute("INSERT INTO TABLE TAB_1 SELECT A FROM TAB_2");
// negative test: user can't query table
try {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a39b2325/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
index fa8a75e..6bb39bc 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestServerConfiguration.java
@@ -190,7 +190,7 @@ public class TestServerConfiguration extends AbstractTestWithHiveServer {
verifyConfig(testUser, ConfVars.HIVE_EXEC_FILTER_HOOK.varname,
HiveAuthzBindingSessionHook.FILTER_HOOK);
verifyConfig(testUser, ConfVars.HIVE_EXTENDED_ENITITY_CAPTURE.varname, "true");
- verifyConfig(testUser, ConfVars.HIVE_SERVER2_AUTHZ_EXTERNAL_EXEC.varname, "false");
+ verifyConfig(testUser, ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.varname, "set");
verifyConfig(testUser, ConfVars.SCRATCHDIRPERMISSION.varname, HiveAuthzBindingSessionHook.SCRATCH_DIR_PERMISSIONS);
verifyConfig(testUser, HiveConf.ConfVars.HIVE_CONF_RESTRICTED_LIST.varname,
HiveAuthzBindingSessionHook.ACCESS_RESTRICT_LIST);
@@ -263,4 +263,4 @@ public class TestServerConfiguration extends AbstractTestWithHiveServer {
context.close();
}
-}
\ No newline at end of file
+}
[05/26] git commit: SENTRY-78 - UDFs can't be referenced in a CTAS
when Sentry is enabled for Hive (Shreepadma via Brock)
Posted by br...@apache.org.
SENTRY-78 - UDFs can't be referenced in a CTAS when Sentry is enabled for Hive (Shreepadma via Brock)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/c8c17032
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/c8c17032
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/c8c17032
Branch: refs/heads/db_policy_store
Commit: c8c170324c06709e74e282b6117c0f9313a35bdb
Parents: 72b4375
Author: Brock Noland <br...@apache.org>
Authored: Mon Dec 30 15:11:22 2013 -0600
Committer: Brock Noland <br...@apache.org>
Committed: Mon Dec 30 15:11:22 2013 -0600
----------------------------------------------------------------------
.../apache/sentry/binding/hive/HiveAuthzBindingHook.java | 9 +++++++++
.../tests/e2e/hive/TestPrivilegesAtDatabaseScope.java | 4 ++++
2 files changed, 13 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c17032/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 7f9560f..0dd28b7 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -370,6 +370,15 @@ implements HiveDriverFilterHook {
}
for(ReadEntity readEntity:inputs) {
+ // If this is a UDF, then check whether its allowed to be executed
+ // TODO: when we support execute privileges on UDF, this can be removed.
+ if (isUDF(readEntity)) {
+ if (isBuiltinUDF(readEntity)) {
+ checkUDFWhiteList(readEntity.getUDF().getDisplayName());
+ }
+ continue;
+ }
+
List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
entityHierarchy.add(hiveAuthzBinding.getAuthServer());
entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity));
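Review bot: The `continue` that closes the new `isUDF(readEntity)` branch skips the hierarchy-based authorization below for every UDF, yet only built-in ones go through `checkUDFWhiteList`, so a UDF that is not built-in appears to get no check at all on this path. `isUDF`, `isBuiltinUDF` and the enclosing method are outside the hunk, so this may be deliberate if such functions are authorized where they are registered. If so, record it next to the branch, e.g. `// non-built-in UDFs are not checked here; they are authorized at <where> (TODO confirm)`; if not, the safer default until execute privileges exist is to deny them. The identical hunk appears again in commit 4baffe9b further down this page.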
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c17032/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
index 82d73e5..8c145ca 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
@@ -107,6 +107,10 @@ public class TestPrivilegesAtDatabaseScope extends AbstractTestWithStaticConfigu
statement.execute("CREATE TABLE DB_1.TAB_2(A STRING)");
statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE DB_1.TAB_2");
+ // test CTAS can reference UDFs
+ statement.execute("USE DB_1");
+ statement.execute("create table table2 as select A, count(A) from TAB_1 GROUP BY A");
+
// test user can switch db
statement.execute("USE DB_1");
//test user can create view
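Review bot: The added CTAS statement exercises only the allowed path, and it is not clear from the hunk which connection runs it. The `CREATE TABLE` and `LOAD DATA` lines just above look like admin setup, in which case the whitelist check for a restricted user is not exercised at all. Confirm the statement runs as the test user, and add a deny case beside it, introduced by `// negative test: CTAS with a built-in UDF outside the whitelist must fail`, that executes `create table table3 as select <non_whitelisted_udf>(A) from TAB_1` and expects the failure. The test method starts and ends outside the hunk, and the same hunk is repeated in commit 4baffe9b below.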
[20/26] git commit: SENTRY-113: Fix Sentry Precommit tests (Brock
Noland via Gregory Chanan)
Posted by br...@apache.org.
SENTRY-113: Fix Sentry Precommit tests (Brock Noland via Gregory Chanan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/7e1ce212
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/7e1ce212
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/7e1ce212
Branch: refs/heads/db_policy_store
Commit: 7e1ce212fb851b8233f0f5af9d23c9a82257b6cb
Parents: 55ca6c7
Author: Gregory Chanan <gr...@gmail.com>
Authored: Fri Feb 7 16:06:19 2014 -0800
Committer: Gregory Chanan <gr...@gmail.com>
Committed: Fri Feb 7 16:06:19 2014 -0800
----------------------------------------------------------------------
.gitignore | 1 +
dev-support/smart-apply-patch.sh | 99 +++++++++++++++++++++++++++++++++++
dev-support/test-patch.py | 73 +++++++++++++-------------
pom.xml | 2 +
4 files changed, 137 insertions(+), 38 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7e1ce212/.gitignore
----------------------------------------------------------------------
diff --git a/.gitignore b/.gitignore
index 920de9a..06f9ff4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@ target/
*.war
*.ear
test-output/
+maven-repo/
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7e1ce212/dev-support/smart-apply-patch.sh
----------------------------------------------------------------------
diff --git a/dev-support/smart-apply-patch.sh b/dev-support/smart-apply-patch.sh
new file mode 100644
index 0000000..fce2735
--- /dev/null
+++ b/dev-support/smart-apply-patch.sh
@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+PATCH_FILE=$1
+DRY_RUN=$2
+if [ -z "$PATCH_FILE" ]; then
+ echo usage: $0 patch-file
+ exit 1
+fi
+
+PATCH=${PATCH:-patch} # allow overriding patch binary
+
+# Cleanup handler for temporary files
+TOCLEAN=""
+cleanup() {
+ rm $TOCLEAN
+ exit $1
+}
+trap "cleanup 1" HUP INT QUIT TERM
+
+# Allow passing "-" for stdin patches
+if [ "$PATCH_FILE" == "-" ]; then
+ PATCH_FILE=/tmp/tmp.in.$$
+ cat /dev/fd/0 > $PATCH_FILE
+ TOCLEAN="$TOCLEAN $PATCH_FILE"
+fi
+
+# Come up with a list of changed files into $TMP
+TMP=/tmp/tmp.paths.$$
+TOCLEAN="$TOCLEAN $TMP"
+
+if $PATCH -p0 -E --dry-run < $PATCH_FILE 2>&1 > $TMP; then
+ PLEVEL=0
+ #if the patch applied at P0 there is the possability that all we are doing
+ # is adding new files and they would apply anywhere. So try to guess the
+ # correct place to put those files.
+
+ TMP2=/tmp/tmp.paths.2.$$
+ TOCLEAN="$TOCLEAN $TMP2"
+
+ egrep '^patching file |^checking file ' $TMP | awk '{print $3}' | grep -v /dev/null | sort | uniq > $TMP2
+
+ if [ ! -s $TMP2 ]; then
+ echo "Error: Patch dryrun couldn't detect changes the patch would make. Exiting."
+ cleanup 1
+ fi
+
+ #first off check that all of the files do not exist
+ FOUND_ANY=0
+ for CHECK_FILE in $(cat $TMP2)
+ do
+ if [[ -f $CHECK_FILE ]]; then
+ FOUND_ANY=1
+ fi
+ done
+
+ if [[ "$FOUND_ANY" = "0" ]]; then
+ #all of the files are new files so we have to guess where the correct place to put it is.
+
+ # if all of the lines start with a/ or b/, then this is a git patch that
+ # was generated without --no-prefix
+ if ! grep -qv '^a/\|^b/' $TMP2 ; then
+ echo Looks like this is a git patch. Stripping a/ and b/ prefixes
+ echo and incrementing PLEVEL
+ PLEVEL=$[$PLEVEL + 1]
+ sed -i -e 's,^[ab]/,,' $TMP2
+ fi
+
+ fi
+elif $PATCH -p1 -E --dry-run < $PATCH_FILE 2>&1 > /dev/null; then
+ PLEVEL=1
+elif $PATCH -p2 -E --dry-run < $PATCH_FILE 2>&1 > /dev/null; then
+ PLEVEL=2
+else
+ echo "The patch does not appear to apply with p0, p1, or p2";
+ cleanup 1;
+fi
+
+# If this is a dry run then exit instead of applying the patch
+if [[ -n $DRY_RUN ]]; then
+ cleanup 0;
+fi
+
+echo Going to apply patch with: $PATCH -p$PLEVEL
+$PATCH -p$PLEVEL -E < $PATCH_FILE
+
+cleanup $?
\ No newline at end of file
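Review bot: The three scratch files use predictable names in the shared /tmp (`/tmp/tmp.in.$$`, `/tmp/tmp.paths.$$`, `/tmp/tmp.paths.2.$$`) and are written with `>`, so on a multi-user build host another local account can pre-create or symlink those names and the script will write through them. Create them with mktemp instead, `TMP=$(mktemp)`, `TMP2=$(mktemp)` and `PATCH_FILE=$(mktemp)` for the stdin case, and double-quote the expansions wherever they are used. Two smaller points in the same file: `rm $TOCLEAN` in `cleanup` fails when the signal trap fires before any file is registered (`rm -f` avoids that), and `2>&1 > $TMP` captures only stdout because redirections are processed left to right.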
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7e1ce212/dev-support/test-patch.py
----------------------------------------------------------------------
diff --git a/dev-support/test-patch.py b/dev-support/test-patch.py
index 8fd158d..449fe0e 100644
--- a/dev-support/test-patch.py
+++ b/dev-support/test-patch.py
@@ -88,7 +88,7 @@ def jira_post_comment(result, defect, branch, username, password):
# hack (from hadoop) but REST api doesn't list attachments?
def jira_get_attachment(result, defect, username, password):
html = jira_get_defect_html(result, defect, username, password)
- pattern = "(/secure/attachment/[0-9]+/%s[0-9\-]*\.(patch|txt|patch\.txt))" % (re.escape(defect))
+ pattern = "(/secure/attachment/[0-9]+/%s[0-9\.\-]*\.(patch|txt|patch\.txt))" % (re.escape(defect))
matches = []
for match in re.findall(pattern, html, re.IGNORECASE):
matches += [ match[0] ]
@@ -118,26 +118,25 @@ def git_checkout(result, branch):
if execute("git merge --ff-only origin/%s" % (branch)):
result.fatal("git merge failed")
-def git_apply(result, cmd, patch_file, strip, output_dir):
+def git_apply(result, cmd, patch_file, output_dir):
output_file = "%s/apply.txt" % (output_dir)
- rc = execute("%s -p%s < %s 1>%s 2>&1" % (cmd, strip, patch_file, output_file))
+ rc = execute("%s %s 1>%s 2>&1" % (cmd, patch_file, output_file))
output = ""
if os.path.exists(output_file):
with open(output_file) as fh:
output = fh.read()
- if rc == 0:
- if output:
- print output
- else:
+ if output:
+ print output
+ if rc != 0:
result.fatal("failed to apply patch (exit code %d):\n%s\n" % (rc, output))
-def mvn_clean(result, workspace, output_dir):
- rc = execute("mvn clean -Dmaven.repo.local=%s 1>%s/clean.txt 2>&1" % (workspace, output_dir))
+def mvn_clean(result, mvn_repo, output_dir):
+ rc = execute("mvn clean -Dmaven.repo.local=%s 1>%s/clean.txt 2>&1" % (mvn_repo, output_dir))
if rc != 0:
result.fatal("failed to clean project (exit code %d)" % (rc))
-def mvn_install(result, workspace, output_dir):
- rc = execute("mvn install -DskipTests -Dmaven.repo.local=%s 1>%s/install.txt 2>&1" % (workspace, output_dir))
+def mvn_install(result, mvn_repo, output_dir):
+ rc = execute("mvn install -DskipTests -Dmaven.repo.local=%s 1>%s/install.txt 2>&1" % (mvn_repo, output_dir))
if rc != 0:
result.fatal("failed to build with patch (exit code %d)" % (rc))
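Review bot: `git_apply` now places `patch_file` as a bare word inside the command string `"%s %s 1>%s 2>&1"`, and in the `--file` case that value comes straight from the command line, so a path containing spaces or shell metacharacters would be split or interpreted. This assumes `execute`, which is outside the hunk, hands the string to a shell, as the redirections suggest. Quote the operands: `rc = execute("%s %s 1>%s 2>&1" % (cmd, pipes.quote(patch_file), pipes.quote(output_file)))`, which needs `import pipes` at the top of the file. The same unquoted interpolation applies to `mvn_repo` and `output_dir` in `mvn_clean` and `mvn_install` in this hunk and in `mvn_test` in the next one.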
@@ -146,8 +145,8 @@ def find_all_files(top):
for f in files:
yield os.path.join(root, f)
-def mvn_test(result, workspace, output_dir):
- rc = execute("mvn verify -Dmaven.repo.local=%s 1>%s/test.txt 2>&1" % (workspace, output_dir))
+def mvn_test(result, mvn_repo, output_dir):
+ rc = execute("mvn verify -Dmaven.repo.local=%s 1>%s/test.txt 2>&1" % (mvn_repo, output_dir))
if rc == 0:
result.success("all tests passed")
else:
@@ -189,9 +188,10 @@ class Result(object):
if self._fatal or self._error:
if tmp_dir:
print "INFO: output is located %s" % (tmp_dir)
+ sys.exit(1)
elif tmp_dir:
shutil.rmtree(tmp_dir)
- sys.exit(0)
+ sys.exit(0)
usage = "usage: %prog [options]"
parser = OptionParser(usage)
@@ -205,16 +205,10 @@ parser.add_option("--run-tests", dest="run_tests",
help="Run Tests", action="store_true")
parser.add_option("--username", dest="username",
help="JIRA Username", metavar="USERNAME", default="hiveqa")
-parser.add_option("--output", dest="output_dir",
- help="Directory to write output", metavar="DIRECTORY")
parser.add_option("--post-results", dest="post_results",
help="Post results to JIRA (only works in defect mode)", action="store_true")
parser.add_option("--password", dest="password",
help="JIRA Password", metavar="PASSWORD")
-parser.add_option("--patch-command", dest="patch_cmd", default="git apply",
- help="Patch command such as `git apply' or `patch'", metavar="COMMAND")
-parser.add_option("-p", "--strip", dest="strip", default="1",
- help="Remove <n> leading slashes from diff paths", metavar="N")
parser.add_option("--workspace", dest="workspace",
help="Jenkins workspace directory", metavar="DIR")
@@ -227,10 +221,6 @@ if options.defect and options.filename:
print "FATAL: Both --defect and --file cannot be specified."
sys.exit(1)
-if options.output_dir and not os.path.isdir(options.output_dir):
- print "FATAL: Output directory %s does not exist" % (options.output_dir)
- sys.exit(1)
-
if options.post_results and not options.password:
print "FATAL: --post-results requires --password"
sys.exit(1)
@@ -239,15 +229,13 @@ if not options.workspace:
print "FATAL: --workspace is required"
sys.exit(1)
+patch_cmd = "bash ./dev-support/smart-apply-patch.sh"
branch = options.branch
-output_dir = options.output_dir
defect = options.defect
username = options.username
password = options.password
run_tests = options.run_tests
post_results = options.post_results
-strip = options.strip
-patch_cmd = options.patch_cmd
workspace = options.workspace
result = Result()
@@ -270,12 +258,19 @@ if post_results:
result.exit()
result.exit_handler = post_jira_comment_and_exit
-if not output_dir:
- tmp_dir = tempfile.mkdtemp()
- output_dir = tmp_dir
-
-if output_dir.endswith("/"):
- output_dir = output_dir[:-1]
+if workspace.endswith("/"):
+ workspace = workspace[:-1]
+mvn_repo = workspace + "/maven-repo"
+output_dir = workspace + "/test-output"
+if os.path.exists(mvn_repo):
+ if not os.path.isdir(mvn_repo):
+ shutil.rmtree(mvn_repo)
+ os.mkdir(mvn_repo)
+else:
+ os.mkdir(mvn_repo)
+if os.path.exists(output_dir):
+ shutil.rmtree(output_dir)
+os.mkdir(output_dir)
if defect:
jira_json = jira_get_defect(result, defect, username, password)
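Review bot: In the new workspace setup, `shutil.rmtree(mvn_repo)` is reached only when `mvn_repo` exists and is not a directory, and `rmtree` raises on a plain file, so that branch cannot do the cleanup it was written for; use `os.remove(mvn_repo)` there. `shutil.rmtree(output_dir)` also deletes whatever `--workspace` plus `/test-output` resolves to without first checking that `workspace` is an existing directory, so an `os.path.isdir(workspace)` check ahead of these lines would stop a mistyped path early. The hunk also removes the only visible assignment of `tmp_dir`, which `Result.exit` still reads, so confirm it is initialised elsewhere in the file.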
@@ -294,14 +289,16 @@ if defect:
elif options.filename:
patch_file = options.filename
else:
- raise Exception("Not reachable")
+ print "ERROR: Reached unreachable code. Please report."
+ sys.exit(1)
+
-mvn_clean(result, workspace, output_dir)
+mvn_clean(result, mvn_repo, output_dir)
git_checkout(result, branch)
-git_apply(result, patch_cmd, patch_file, strip, output_dir)
-mvn_install(result, workspace, output_dir)
+git_apply(result, patch_cmd, patch_file, output_dir)
+mvn_install(result, mvn_repo, output_dir)
if run_tests:
- mvn_test(result, workspace, output_dir)
+ mvn_test(result, mvn_repo, output_dir)
else:
result.info("patch applied and built but tests did not execute")
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7e1ce212/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 7db0088..7fdfb72 100644
--- a/pom.xml
+++ b/pom.xml
@@ -345,6 +345,8 @@ limitations under the License.
<exclude>.git/</exclude>
<exclude>.gitignore</exclude>
<exclude>.idea/</exclude>
+ <exclude>maven-repo/</exclude>
+ <exclude>test-output/</exclude>
<exclude>**/*.iml</exclude>
<exclude>*.log</exclude>
<exclude>**/nb-configuration.xml</exclude>
[13/26] git commit: SENTRY-89: Sentry WildCardPermission always ends
a / to the URI (Brock Noland via Shreepadma Venugopalan)
Posted by br...@apache.org.
SENTRY-89: Sentry WildCardPermission always ends a / to the URI (Brock Noland via Shreepadma Venugopalan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/8fc91c54
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/8fc91c54
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/8fc91c54
Branch: refs/heads/db_policy_store
Commit: 8fc91c54f6d412dd404825f35b77805784d51d5d
Parents: a93fb41
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Thu Jan 16 11:14:13 2014 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Thu Jan 16 11:14:13 2014 -0800
----------------------------------------------------------------------
.../sentry/policy/db/DBWildcardPermission.java | 18 ++++++++++++++++--
.../policy/db/TestDBWildcardPermission.java | 5 ++++-
2 files changed, 20 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8fc91c54/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
index e84e5b9..e0eb2dc 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
@@ -154,8 +154,8 @@ public class DBWildcardPermission implements Permission, Serializable {
// request path does not contain relative parts /a/../b &&
// request path starts with policy path &&
// authorities (nullable) are equal
- String requestPath = requestURI.getPath() + File.separator;
- String policyPath = policyURI.getPath() + File.separator;
+ String requestPath = ensureEndsWithSeparator(requestURI.getPath());
+ String policyPath = ensureEndsWithSeparator(policyURI.getPath());
if(policyURI.getScheme().equals(requestURI.getScheme()) &&
requestURI.getPath().equals(new URI(request).normalize().getPath()) &&
requestPath.startsWith(policyPath) &&
@@ -169,6 +169,20 @@ public class DBWildcardPermission implements Permission, Serializable {
}
}
+ /**
+ * The URI must be a directory as opposed to a partial
+ * path entry name. To ensure this is true we add a /
+ * at the end of the path. Without this the admin might
+ * grant access to /dir1 but the user would be given access
+ * to /dir1* whereas the admin meant /dir1/
+ */
+ private static String ensureEndsWithSeparator(String path) {
+ if (path.endsWith(File.separator)) {
+ return path;
+ }
+ return path + File.separator;
+ }
+
@Override
public String toString() {
return AUTHORIZABLE_JOINER.join(parts);
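Review bot: `ensureEndsWithSeparator` tests for and appends `File.separator`, which is platform-dependent, on a value that comes from `URI.getPath()`, where the separator is always `/`. On a platform whose file separator differs, the trailing-slash check never matches and the `startsWith` comparison in the previous hunk uses the wrong boundary character. Use the URI separator directly: `if (path.endsWith("/")) { return path; }` and `return path + "/";`. `URI.getPath()` returns null for opaque URIs, so the helper should either reject null explicitly or document that callers pass a non-null path. The Javadoc would also benefit from `@param path` and `@return` lines.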
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/8fc91c54/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
index 8f1ee2c..2024cd8 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
@@ -51,7 +51,7 @@ public class TestDBWildcardPermission {
"hdfs://namenode:8020/path/to/uri1"));
private static final Permission ROLE_SERVER_SERVER1_URI_URI2 =
create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri2"));
+ "hdfs://namenode:8020/path/to/uri2/"));
private static final Permission ROLE_SERVER_SERVER1_URI_ALL =
create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
@@ -272,6 +272,9 @@ public class TestDBWildcardPermission {
// mangled path
assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
"hdfs://namenode:8020/pathFooBar"));
+ // ends in /
+ assertTrue(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path/",
+ "hdfs://namenode:8020/path/FooBar"));
}
static DBWildcardPermission create(KeyValue... keyValues) {
return create(AUTHORIZABLE_JOINER.join(keyValues));
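Review bot: The new assertion checks that a policy URI ending in `/` implies a path below it, but not the boundary the fix is meant to protect: a policy ending in `/` must still not imply a sibling whose name merely begins with the directory name. Add `assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path/", "hdfs://namenode:8020/pathFooBar"));` right after it. The test method starts outside the hunk.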
[11/26] git commit: SENTRY-87: Sentry depends on SNAPSHOT release of
Hadoop that is no longer available (Jarek Jarcec Cecho via Shreepadma
Venugopalan)
Posted by br...@apache.org.
SENTRY-87: Sentry depends on SNAPSHOT release of Hadoop that is no longer available (Jarek Jarcec Cecho via Shreepadma Venugopalan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/07b8010c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/07b8010c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/07b8010c
Branch: refs/heads/db_policy_store
Commit: 07b8010c3febaf1bd49e132ed7e98605287bc50f
Parents: 27c8293
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Wed Jan 15 11:33:05 2014 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Wed Jan 15 11:33:05 2014 -0800
----------------------------------------------------------------------
pom.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/07b8010c/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index f3ec427..7fd7696 100644
--- a/pom.xml
+++ b/pom.xml
@@ -52,8 +52,8 @@ limitations under the License.
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compile.source>1.6</maven.compile.source>
<maven.compile.target>1.6</maven.compile.target>
- <hive.version>0.10.0-cdh4.4.0-SNAPSHOT</hive.version>
- <hadoop.version>2.0.0-cdh4.4.0-SNAPSHOT</hadoop.version>
+ <hive.version>0.10.0-cdh4.4.0</hive.version>
+ <hadoop.version>2.0.0-cdh4.4.</hadoop.version>
<solr.version>4.4.0-cdh5.0.0-SNAPSHOT</solr.version>
<junit.version>4.9</junit.version>
<fest.reflect.version>1.4.1</fest.reflect.version>
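Review bot: The new `hadoop.version` value `2.0.0-cdh4.4.` is missing its last component and ends in a dot, whereas the other properties changed in this commit use `cdh4.4.0`. The second hunk sets the same property to `2.0.0-cdh4.4.0`, so it appears to be declared twice in what looks like one `<properties>` block, and the version that is actually resolved depends on how the duplicate is handled. Change this line to `<hadoop.version>2.0.0-cdh4.4.0</hadoop.version>`, or keep only one of the two declarations.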
@@ -63,8 +63,8 @@ limitations under the License.
<slf4j.version>1.6.1</slf4j.version>
<derby.version>10.4.2.0</derby.version>
<libthrift.version>0.9.0-cdh4-1</libthrift.version>
- <hadoop.version>2.0.0-cdh4.4.0-SNAPSHOT</hadoop.version>
- <zookeeper.version>3.4.5-cdh4.4.0-SNAPSHOT</zookeeper.version>
+ <hadoop.version>2.0.0-cdh4.4.0</hadoop.version>
+ <zookeeper.version>3.4.5-cdh4.4.0</zookeeper.version>
</properties>
<dependencyManagement>
[02/26] git commit: SENTRY-78: UDFs can't be referenced in a CTAS
when Sentry is enabled for Hive
Posted by br...@apache.org.
SENTRY-78: UDFs can't be referenced in a CTAS when Sentry is enabled for Hive
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/4baffe9b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/4baffe9b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/4baffe9b
Branch: refs/heads/db_policy_store
Commit: 4baffe9b4182d54a69a7ff7c3765212bb92becd8
Parents: 5601cdd
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Thu Dec 26 15:53:51 2013 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Thu Dec 26 15:53:51 2013 -0800
----------------------------------------------------------------------
.../apache/sentry/binding/hive/HiveAuthzBindingHook.java | 9 +++++++++
.../tests/e2e/hive/TestPrivilegesAtDatabaseScope.java | 4 ++++
2 files changed, 13 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4baffe9b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 7f9560f..0dd28b7 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -370,6 +370,15 @@ implements HiveDriverFilterHook {
}
for(ReadEntity readEntity:inputs) {
+ // If this is a UDF, then check whether its allowed to be executed
+ // TODO: when we support execute privileges on UDF, this can be removed.
+ if (isUDF(readEntity)) {
+ if (isBuiltinUDF(readEntity)) {
+ checkUDFWhiteList(readEntity.getUDF().getDisplayName());
+ }
+ continue;
+ }
+
List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
entityHierarchy.add(hiveAuthzBinding.getAuthServer());
entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity));
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4baffe9b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
index 82d73e5..8c145ca 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
@@ -107,6 +107,10 @@ public class TestPrivilegesAtDatabaseScope extends AbstractTestWithStaticConfigu
statement.execute("CREATE TABLE DB_1.TAB_2(A STRING)");
statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE DB_1.TAB_2");
+ // test CTAS can reference UDFs
+ statement.execute("USE DB_1");
+ statement.execute("create table table2 as select A, count(A) from TAB_1 GROUP BY A");
+
// test user can switch db
statement.execute("USE DB_1");
//test user can create view
[22/26] git commit: SENTRY-118: cast udf should be added to sentry
udf whitelist for hive (Shreepadma Venugopalan via Jarek Jarcec Cecho)
Posted by br...@apache.org.
SENTRY-118: cast udf should be added to sentry udf whitelist for hive (Shreepadma Venugopalan via Jarek Jarcec Cecho)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/87f476ce
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/87f476ce
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/87f476ce
Branch: refs/heads/db_policy_store
Commit: 87f476cecee50701d31aff02aec3afe01326ea9d
Parents: 796b4cb
Author: Jarek Jarcec Cecho <ja...@apache.org>
Authored: Wed Feb 19 17:50:06 2014 -0800
Committer: Jarek Jarcec Cecho <ja...@apache.org>
Committed: Wed Feb 19 17:50:06 2014 -0800
----------------------------------------------------------------------
.../java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/87f476ce/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
index 2d562a5..b7d79d6 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
@@ -91,7 +91,7 @@ public class HiveAuthzConf extends Configuration {
private static final String HIVE_UDF_WHITE_LIST =
"abs,acos,and,array,array_contains,ascii,asin,assert_true,atan,avg," +
- "between,bin,case,ceil,ceiling,coalesce,collect_set,compute_stats,concat,concat_ws," +
+ "between,bin,case,cast,ceil,ceiling,coalesce,collect_set,compute_stats,concat,concat_ws," +
"context_ngrams,conv,corr,cos,count,covar_pop,covar_samp,create_union,date_add,date_sub," +
"datediff,day,dayofmonth,degrees,div,e,elt,ewah_bitmap,ewah_bitmap_and,ewah_bitmap_empty," +
"ewah_bitmap_or,exp,explode,field,find_in_set,floor,format_number,from_unixtime," +
[21/26] git commit: SENTRY-115: Give bindings the ability to access
the group mappings (Gregory Chanan via Brock)
Posted by br...@apache.org.
SENTRY-115: Give bindings the ability to access the group mappings (Gregory Chanan via Brock)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/796b4cb5
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/796b4cb5
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/796b4cb5
Branch: refs/heads/db_policy_store
Commit: 796b4cb567e9c9d8616d94a284ef2bae69e0a668
Parents: 7e1ce21
Author: Brock Noland <br...@apache.org>
Authored: Thu Feb 13 08:21:25 2014 -0800
Committer: Brock Noland <br...@apache.org>
Committed: Thu Feb 13 08:21:25 2014 -0800
----------------------------------------------------------------------
.../binding/solr/authz/SolrAuthzBinding.java | 13 +++++
.../binding/solr/TestSolrAuthzBinding.java | 28 ++++++++++
.../src/test/resources/test-authz-provider.ini | 2 +-
sentry-provider/sentry-provider-common/pom.xml | 5 ++
.../provider/common/AuthorizationProvider.java | 6 +++
.../common/NoAuthorizationProvider.java | 5 ++
.../provider/common/NoGroupMappingService.java | 33 ++++++++++++
.../common/TestNoAuthorizationProvider.java | 39 ++++++++++++++
.../file/ResourceAuthorizationProvider.java | 5 ++
.../provider/file/TestGetGroupMapping.java | 54 ++++++++++++++++++++
10 files changed, 189 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 995f376..c6ce53e 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -20,6 +20,7 @@ import java.io.File;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.util.Arrays;
+import java.util.List;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
@@ -32,6 +33,7 @@ import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
+import org.apache.sentry.provider.common.GroupMappingService;
import org.apache.sentry.provider.common.ProviderBackend;
import org.slf4j.Logger;
@@ -54,10 +56,12 @@ public class SolrAuthzBinding {
private final SolrAuthzConf authzConf;
private final AuthorizationProvider authProvider;
+ private final GroupMappingService groupMapping;
public SolrAuthzBinding (SolrAuthzConf authzConf) throws Exception {
this.authzConf = authzConf;
this.authProvider = getAuthProvider();
+ this.groupMapping = authProvider.getGroupMapping();
}
// Instantiate the configured authz provider
@@ -122,6 +126,15 @@ public class SolrAuthzBinding {
}
}
+ /**
+ * Get the list of groups the user belongs to
+ * @param user
+ * @return list of groups the user belongs to
+ */
+ public List<String> getGroups(String user) {
+ return groupMapping.getGroups(user);
+ }
+
private Configuration getConf() throws IOException {
Configuration conf = new Configuration();
String confDir = System.getProperty("solr.hdfs.confdir");
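Review bot: The Javadoc on `getGroups` leaves `@param user` blank and does not say what callers get for a null or unknown user, although the test added in this commit expects an empty list for both under the test configuration. Group membership feeds authorization decisions, so the contract is worth spelling out: `@param user the user name to look up` and `@return the groups the user belongs to; expected to be empty when the user is null or unknown`. Whether the returned list is a copy or the mapping service's own list is not visible here and deserves a sentence as well.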
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index 494a430..b061eec 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -25,6 +25,7 @@ import java.util.List;
import java.lang.reflect.InvocationTargetException;
import junit.framework.Assert;
+import static junit.framework.Assert.assertEquals;
import static junit.framework.Assert.assertTrue;
import org.apache.commons.io.FileUtils;
@@ -161,6 +162,33 @@ public class TestSolrAuthzBinding {
}
/**
+ * Test for group mapping
+ */
+ @Test
+ public void testGroupMapping() throws Exception {
+ SolrAuthzConf solrAuthzConf =
+ new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
+ setUsableAuthzConf(solrAuthzConf);
+ SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
+ List<String> emptyList = Arrays.asList();
+
+ // check non-existant users
+ assertEquals(binding.getGroups(null), emptyList);
+ assertEquals(binding.getGroups("nonExistantUser"), emptyList);
+
+ // check group names don't map to user names
+ assertEquals(binding.getGroups("corporal"), emptyList);
+ assertEquals(binding.getGroups("sergeant"), emptyList);
+ assertEquals(binding.getGroups("general"), emptyList);
+ assertEquals(binding.getGroups("othergeneralgroup"), emptyList);
+
+ // check valid group names
+ assertEquals(binding.getGroups("corporal1"), Arrays.asList("corporal"));
+ assertEquals(binding.getGroups("sergeant1"), Arrays.asList("sergeant"));
+ assertEquals(binding.getGroups("general1"), Arrays.asList("general", "othergeneralgroup"));
+ }
+
+ /**
* Test that a full sentry-site definition works.
*/
@Test
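Review bot: Every `assertEquals` in `testGroupMapping` passes the actual value first and the expected value second, which is the reverse of JUnit's `assertEquals(expected, actual)` and produces misleading "expected ... but was ..." messages when a group mapping regresses. The same ordering appears in the new `TestNoAuthorizationProvider` (`assertEquals(gms.getGroups(null).size(), 0)`) and in `TestGetGroupMapping` (`assertSame(authProvider.getGroupMapping(), mappingService)`). I would swap the arguments, e.g. `assertEquals(emptyList, binding.getGroups(null));` and `assertEquals(Arrays.asList("corporal"), binding.getGroups("corporal1"));`.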
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini b/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
index db9af6e..f8100e0 100644
--- a/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
+++ b/sentry-binding/sentry-binding-solr/src/test/resources/test-authz-provider.ini
@@ -30,4 +30,4 @@ general_role = collection=*->action=*
[users]
corporal1=corporal
sergeant1=sergeant
-general1=general
\ No newline at end of file
+general1=general, othergeneralgroup
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/pom.xml b/sentry-provider/sentry-provider-common/pom.xml
index 321f7c6..1e9dc1b 100644
--- a/sentry-provider/sentry-provider-common/pom.xml
+++ b/sentry-provider/sentry-provider-common/pom.xml
@@ -29,6 +29,11 @@ limitations under the License.
<dependencies>
<dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
<groupId>org.apache.sentry</groupId>
<artifactId>sentry-core-common</artifactId>
</dependency>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
index 4351c3f..1244755 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
@@ -38,4 +38,10 @@ public interface AuthorizationProvider {
*/
public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy, Set<? extends Action> actions);
+ /***
+ * Get the GroupMappingService used by the AuthorizationProvider
+ *
+ * @return GroupMappingService used by the AuthorizationProvider
+ */
+ public GroupMappingService getGroupMapping();
}
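Review bot: The Javadoc for `getGroupMapping()` does not state whether the method may return null, and it opens with `/***` where the rest of the interface appears to use `/**`. Callers added in this commit (the `SolrAuthzBinding` constructor) use the result without checking it, so the contract should say so explicitly: `@return the GroupMappingService used by this provider; never null`. Adding an abstract method to a public interface also stops any implementation outside this commit from compiling; only the two providers patched here are visible, so that is worth confirming.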
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
index 9cdda97..f48eafe 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
@@ -24,6 +24,7 @@ import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.Subject;
public class NoAuthorizationProvider implements AuthorizationProvider {
+ private GroupMappingService noGroupMappingService = new NoGroupMappingService();
@Override
public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
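Review bot: The new field `noGroupMappingService` is assigned once at declaration and never reassigned in the code shown, but it is not declared `final`. Declaring it as `private final GroupMappingService noGroupMappingService = new NoGroupMappingService();` documents that and guarantees safe publication if the provider instance is shared across threads. The rest of the class lies outside this hunk.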
@@ -31,4 +32,8 @@ public class NoAuthorizationProvider implements AuthorizationProvider {
return false;
}
+ @Override
+ public GroupMappingService getGroupMapping() {
+ return noGroupMappingService;
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
new file mode 100644
index 0000000..e1bc6d2
--- /dev/null
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import java.util.LinkedList;
+import java.util.List;
+
+/**
+ * GroupMappingService that always returns an empty list of groups
+ */
+public class NoGroupMappingService implements GroupMappingService {
+
+ /**
+ * @return empty list of groups for every user
+ */
+ public List<String> getGroups(String user) {
+ return new LinkedList<String>();
+ }
+}
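Review bot: `getGroups` implements the `GroupMappingService` interface method but carries no `@Override`, so a later signature change in the interface would silently leave this as an unrelated method. I would add `@Override` above `public List<String> getGroups(String user)`, and document the parameter with `@param user ignored; every user maps to no groups`. The method also allocates a new `LinkedList` on each call; if no caller mutates the result, which is not visible from here, `return Collections.emptyList();` would avoid that.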
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
new file mode 100644
index 0000000..3f48f49
--- /dev/null
+++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+
+/**
+ * Tests around the NoAuthorizationProvider
+ */
+public class TestNoAuthorizationProvider {
+
+ @Test
+ public void testNoAuthorizationProvider() {
+ NoAuthorizationProvider nap = new NoAuthorizationProvider();
+ assertFalse(nap.hasAccess(null, null, null));
+
+ GroupMappingService gms = nap.getGroupMapping();
+ assertEquals(gms.getGroups(null).size(), 0);
+ assertEquals(gms.getGroups("").size(), 0);
+ assertEquals(gms.getGroups("a").size(), 0);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
index c7d983d..205d012 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
@@ -116,4 +116,9 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
}
});
}
+
+ @Override
+ public GroupMappingService getGroupMapping() {
+ return groupService;
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/796b4cb5/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
new file mode 100644
index 0000000..a4d4bb3
--- /dev/null
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.file;
+
+import java.util.Arrays;
+import java.util.List;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.policy.common.PermissionFactory;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.common.GroupMappingService;
+import com.google.common.collect.ImmutableSetMultimap;
+import org.junit.Test;
+import static org.junit.Assert.assertSame;
+
+public class TestGetGroupMapping {
+
+ private static class TestResourceAuthorizationProvider extends ResourceAuthorizationProvider {
+ public TestResourceAuthorizationProvider(PolicyEngine policy,
+ GroupMappingService groupService) {
+ super(policy, groupService);
+ }
+ };
+
+ @Test
+ public void testResourceAuthorizationProvider() {
+ final List<String> list = Arrays.asList("a", "b", "c");
+ GroupMappingService mappingService = new GroupMappingService() {
+ public List<String> getGroups(String user) { return list; }
+ };
+ PolicyEngine policyEngine = new PolicyEngine() {
+ public PermissionFactory getPermissionFactory() { return null; }
+
+ public ImmutableSetMultimap<String, String> getPermissions(List<? extends Authorizable> authorizables, List<String> groups) { return null; }
+ };
+
+ TestResourceAuthorizationProvider authProvider =
+ new TestResourceAuthorizationProvider(policyEngine, mappingService);
+ assertSame(authProvider.getGroupMapping(), mappingService);
+ }
+}
[17/26] git commit: SENTRY-108: Add eclipse formatter to
pom.xml(Brock Noland via Shreepadma Venugopalan)
Posted by br...@apache.org.
SENTRY-108: Add eclipse formatter to pom.xml(Brock Noland via Shreepadma Venugopalan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/3409c167
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/3409c167
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/3409c167
Branch: refs/heads/db_policy_store
Commit: 3409c16703aeffde9122beca089ed72fc98d8a93
Parents: a39b232
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Tue Feb 4 14:37:23 2014 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Tue Feb 4 14:37:23 2014 -0800
----------------------------------------------------------------------
pom.xml | 12 ++++++++++++
1 file changed, 12 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/3409c167/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 3bab152..7db0088 100644
--- a/pom.xml
+++ b/pom.xml
@@ -55,6 +55,7 @@ limitations under the License.
<!-- versions are in alphabetical order -->
<ant.contrib.version>1.0b3</ant.contrib.version>
<maven.antrun.plugin.version>1.7</maven.antrun.plugin.version>
+ <maven.eclipse.plugin.version>2.9</maven.eclipse.plugin.version>
<maven.enforcer.plugin.version>1.3.1</maven.enforcer.plugin.version>
<build.helper.maven.plugin.version>1.8</build.helper.maven.plugin.version>
<commons.lang.version>2.6</commons.lang.version>
@@ -299,6 +300,17 @@ limitations under the License.
<groupId>org.apache.rat</groupId>
<artifactId>apache-rat-plugin</artifactId>
</plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-eclipse-plugin</artifactId>
+ <version>${maven.eclipse.plugin.version}</version>
+ <configuration>
+ <downloadJavadocs>true</downloadJavadocs>
+ <downloadSources>true</downloadSources>
+ <workspaceActiveCodeStyleProfileName>GoogleStyle</workspaceActiveCodeStyleProfileName>
+ <workspaceCodeStylesURL>https://google-styleguide.googlecode.com/svn/trunk/eclipse-java-google-style.xml</workspaceCodeStylesURL>
+ </configuration>
+ </plugin>
</plugins>
<pluginManagement>
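Review bot: `workspaceCodeStylesURL` points at the `trunk` path of an external Subversion repository, so the formatter profile pulled into developer workspaces can change or disappear without any change in this repository. Keeping a copy of the style file in the source tree and referencing that copy, or at least pinning the URL to a fixed revision, makes the formatting reproducible and removes a fetch from a third-party host from project setup. The remainder of the `<plugins>` section is outside the hunk.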
[06/26] git commit: SENTRY-79: Solr/Sentry test filter should pass
request headers ((Vamsee Yarlagadda via Gregory Chanan)
Posted by br...@apache.org.
SENTRY-79: Solr/Sentry test filter should pass request headers ((Vamsee Yarlagadda via Gregory Chanan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/09f0e580
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/09f0e580
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/09f0e580
Branch: refs/heads/db_policy_store
Commit: 09f0e580e7a957ddedcbc6fd03abb908a0f97c33
Parents: c8c1703
Author: Gregory Chanan <gr...@gmail.com>
Authored: Mon Dec 30 13:39:37 2013 -0800
Committer: Gregory Chanan <gr...@gmail.com>
Committed: Mon Dec 30 13:39:37 2013 -0800
----------------------------------------------------------------------
.../sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java | 3 +++
1 file changed, 3 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/09f0e580/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
index 9f550c4..997d420 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
@@ -25,7 +25,9 @@ import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
+
import org.apache.solr.servlet.SolrHadoopAuthenticationFilter;
+import org.apache.solr.servlet.SolrRequestParsers;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -44,6 +46,7 @@ public class ModifiableUserAuthenticationFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
+ SolrRequestParsers.DEFAULT.setAddRequestHeadersToContext(true);
}
@Override
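Review bot: `init` changes a setting on the shared `SolrRequestParsers.DEFAULT` instance, which outlives this filter and is seen by anything else in the same JVM that uses the default parsers. `destroy()` is not part of the hunk, so I cannot tell whether the flag is restored; if it is not, tests that run later in the same JVM inherit request-header propagation they did not ask for. I would add a why-comment on the line, e.g. `// test-only: expose request headers to the Solr request context; this mutates the shared DEFAULT parsers`, and reset the flag to `false` in `destroy()`.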
[15/26] git commit: SENTRY-102: Remove download-hadoop profile
requirement and cache downloads (Brock via Shreepadma)
Posted by br...@apache.org.
SENTRY-102: Remove download-hadoop profile requirement and cache downloads (Brock via Shreepadma)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/2a5fb34b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/2a5fb34b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/2a5fb34b
Branch: refs/heads/db_policy_store
Commit: 2a5fb34b8df0c9e4a6d911fc5d8c8913ea41da30
Parents: a9f9790
Author: Brock Noland <br...@cloudera.com>
Authored: Fri Jan 31 15:20:24 2014 -0600
Committer: Brock Noland <br...@cloudera.com>
Committed: Fri Jan 31 15:20:24 2014 -0600
----------------------------------------------------------------------
sentry-tests/sentry-tests-hive/.gitignore | 1 +
sentry-tests/sentry-tests-hive/pom.xml | 98 ++++++++++++--------------
2 files changed, 47 insertions(+), 52 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/2a5fb34b/sentry-tests/sentry-tests-hive/.gitignore
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/.gitignore b/sentry-tests/sentry-tests-hive/.gitignore
index f8feb49..1f01ed7 100644
--- a/sentry-tests/sentry-tests-hive/.gitignore
+++ b/sentry-tests/sentry-tests-hive/.gitignore
@@ -1,2 +1,3 @@
derby.log
TempStatsStore/**
+thirdparty/*
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/2a5fb34b/sentry-tests/sentry-tests-hive/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/pom.xml b/sentry-tests/sentry-tests-hive/pom.xml
index 08df4c2..f46e275 100644
--- a/sentry-tests/sentry-tests-hive/pom.xml
+++ b/sentry-tests/sentry-tests-hive/pom.xml
@@ -246,61 +246,55 @@ limitations under the License.
</systemPropertyVariables>
</configuration>
</plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-antrun-plugin</artifactId>
+ <configuration>
+ <skipTests>false</skipTests>
+ </configuration>
+ <executions>
+ <execution>
+ <id>download-hadoop</id>
+ <phase>generate-sources</phase>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ <configuration>
+ <target>
+ <echo file="target/download.sh">
+ set -e
+ set -x
+ /bin/pwd
+ BASE_DIR=./target
+ DOWNLOAD_DIR=./thirdparty
+ download() {
+ url=$1;
+ tarName=$2
+ finalName=$3
+ rm -rf $BASE_DIR/$finalName
+ if [[ ! -f $DOWNLOAD_DIR/$tarName ]]
+ then
+ wget -nv -O $DOWNLOAD_DIR/$tarName $url
+ fi
+ tar -zxf $DOWNLOAD_DIR/$tarName -C $BASE_DIR
+ mv $BASE_DIR/${finalName}* $BASE_DIR/$finalName
+ }
+ mkdir -p $DOWNLOAD_DIR
+ download "http://archive.cloudera.com/cdh4/cdh/4/hadoop-latest.tar.gz" hadoop.tar.gz hadoop
+ download "http://archive.cloudera.com/cdh4/cdh/4/hive-latest.tar.gz" hive.tar.gz hive
+ </echo>
+ <exec executable="bash" dir="${basedir}" failonerror="true">
+ <arg line="target/download.sh"/>
+ </exec>
+ </target>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</build>
<profiles>
<profile>
- <id>download-hadoop</id>
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-antrun-plugin</artifactId>
- <configuration>
- <skipTests>false</skipTests>
- </configuration>
- <executions>
- <execution>
- <id>download-hadoop</id>
- <phase>generate-sources</phase>
- <goals>
- <goal>run</goal>
- </goals>
- <configuration>
- <target>
- <echo file="target/download.sh">
- set -e
- set -x
- /bin/pwd
- BASE_DIR=./target
- DOWNLOAD_DIR=$BASE_DIR/downloads
- download() {
- url=$1;
- tarName=$2
- finalName=$3
- rm -rf $BASE_DIR/$finalName
- wget -nv -O $DOWNLOAD_DIR/$tarName $url
- tar -zxf $DOWNLOAD_DIR/$tarName -C $BASE_DIR
- rm $DOWNLOAD_DIR/$tarName
- mv $BASE_DIR/${finalName}* $BASE_DIR/$finalName
- }
- rm -rf $DOWNLOAD_DIR
- mkdir -p $DOWNLOAD_DIR
- download "http://archive.cloudera.com/cdh4/cdh/4/hadoop-latest.tar.gz" hadoop.tar.gz hadoop
- download "http://archive.cloudera.com/cdh4/cdh/4/hive-latest.tar.gz" hive.tar.gz hive
- </echo>
- <exec executable="sh" dir="${basedir}" failonerror="true">
- <arg line="target/download.sh"/>
- </exec>
- </target>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
- </profile>
- <profile>
<id>link-hadoop</id>
<build>
<plugins>
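Review bot: With the new `-f` cache check in `download()`, a tarball left in `./thirdparty` by an interrupted or failed `wget` is reused on every later build, because `wget -O` creates the target file before the transfer finishes and nothing validates it afterwards. The archives are also fetched over plain `http://` from `-latest` URLs with no checksum, and this execution now runs in the default build instead of behind the `download-hadoop` profile, so whatever lands in the cache is what gets unpacked from then on. I would download to a temporary name and rename only on success, `wget -nv -O $DOWNLOAD_DIR/$tarName.part $url` followed by `mv $DOWNLOAD_DIR/$tarName.part $DOWNLOAD_DIR/$tarName`, and compare the file against a pinned SHA-256 before the `tar` step. A checksum only stays valid if the URL names a fixed version rather than `-latest`.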
@@ -329,7 +323,7 @@ limitations under the License.
rm -f $BASE_DIR/hive
ln -s $2/hive $BASE_DIR/.
</echo>
- <exec executable="sh" dir="${basedir}" failonerror="true">
+ <exec executable="bash" dir="${basedir}" failonerror="true">
<arg line="target/link_dist.sh ${hadoop-dist} ${hive-dist}"/>
</exec>
</target>
[07/26] git commit: SENTRY-70: Solr Query authorization tests for
Sentry (Vamsee Yarlagadda via Gregory Chanan)
Posted by br...@apache.org.
SENTRY-70: Solr Query authorization tests for Sentry (Vamsee Yarlagadda via Gregory Chanan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/ee9565f0
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/ee9565f0
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/ee9565f0
Branch: refs/heads/db_policy_store
Commit: ee9565f046c967fb379e293b4f85da2a0161f997
Parents: 09f0e58
Author: Gregory Chanan <gc...@cloudera.com>
Authored: Fri Jan 3 16:26:17 2014 -0800
Committer: Gregory Chanan <gc...@cloudera.com>
Committed: Fri Jan 3 16:26:17 2014 -0800
----------------------------------------------------------------------
.../e2e/solr/AbstractSolrSentryTestBase.java | 307 ++++++++++++-------
.../ModifiableUserAuthenticationFilter.java | 8 +
.../tests/e2e/solr/TestQueryOperations.java | 69 +++++
.../tests/e2e/solr/TestUpdateOperations.java | 1 -
4 files changed, 281 insertions(+), 104 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/ee9565f0/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
index c0abd28..fcbc67c 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
@@ -19,9 +19,7 @@ package org.apache.sentry.tests.e2e.solr;
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
-import java.util.Arrays;
import java.util.Comparator;
-import java.util.List;
import java.util.Random;
import java.util.SortedMap;
import java.util.TreeMap;
@@ -34,6 +32,7 @@ import org.apache.solr.SolrTestCaseJ4;
import org.apache.solr.client.solrj.SolrQuery;
import org.apache.solr.client.solrj.impl.CloudSolrServer;
import org.apache.solr.client.solrj.response.QueryResponse;
+import org.apache.solr.client.solrj.util.ClientUtils;
import org.apache.solr.cloud.AbstractFullDistribZkTestBase;
import org.apache.solr.cloud.ZkController;
import org.apache.solr.common.SolrDocument;
@@ -55,6 +54,7 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
private static MiniDFSCluster dfsCluster;
private static SortedMap<Class, String> extraRequestFilters;
protected static final String ADMIN_USER = "admin";
+ protected static final String ALL_DOCS = "*:*";
protected static final Random RANDOM = new Random();
private static void addPropertyToSentry(StringBuilder builder, String name, String value) {
@@ -160,6 +160,15 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
}
/**
+ * Get the user defined in the Solr authentication filter
+ * @return - the username as String
+ * @throws Exception
+ */
+ private String getAuthenticatedUser() throws Exception {
+ return ModifiableUserAuthenticationFilter.getUser();
+ }
+
+ /**
* Function to return the user name based on the permissions provided.
* @param collectionName - Name of the solr collection.
* @param isQuery - Boolean that specifies query permission.
@@ -199,22 +208,28 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
* @throws Exception
*/
protected void verifyUpdatePass(String solrUserName,
- String collectionName,
- SolrInputDocument solrInputDoc)
- throws Exception {
- int originalSolrDocCount = getSolrDocs(collectionName).size();
- setAuthenticationUser(solrUserName);
- CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ String collectionName,
+ SolrInputDocument solrInputDoc) throws Exception {
+ String originalUser = getAuthenticatedUser();
try {
- cloudSolrServer.add(solrInputDoc);
- cloudSolrServer.commit();
- } finally {
- cloudSolrServer.shutdown();
- }
+ SolrDocumentList orginalSolrDocs = getSolrDocs(collectionName, ALL_DOCS, true);
+ setAuthenticationUser(solrUserName);
+ CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ try {
+ cloudSolrServer.add(solrInputDoc);
+ cloudSolrServer.commit();
+ } finally {
+ cloudSolrServer.shutdown();
+ }
- // Validate Solr content to check whether the update command went through.
- // Authenticate as user "admin"
- validateSolrDocCountAndContent(collectionName, originalSolrDocCount+1, solrInputDoc);
+ orginalSolrDocs.add(ClientUtils.toSolrDocument(solrInputDoc));
+ SolrDocumentList solrRespDocs = getSolrDocs(collectionName, ALL_DOCS, true);
+ // Validate Solr content to check whether the update command went through.
+ validateSolrDocCountAndContent(orginalSolrDocs, solrRespDocs);
+ }
+ finally {
+ setAuthenticationUser(originalUser);
+ }
}
/**
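Review bot: The new local in `verifyUpdatePass` is spelled `orginalSolrDocs`, and the same misspelling is repeated in the `verifyUpdateFail` and `verifyDeletedocsPass` hunks; `originalSolrDocs` matches the neighbouring `originalUser`. The outer `try` here also closes with `}` and `finally {` on separate lines, while the other rewritten methods use `} finally {`. Since the document list is now mutated in place with `orginalSolrDocs.add(...)` to build the expected result, a short comment such as `// expected state: previous docs plus the one just added` would make that intent clear.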
@@ -225,26 +240,30 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
* @throws Exception
*/
protected void verifyUpdateFail(String solrUserName,
- String collectionName,
- SolrInputDocument solrInputDoc)
- throws Exception {
- int originalSolrDocCount = getSolrDocs(collectionName).size();
- setAuthenticationUser(solrUserName);
- CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ String collectionName,
+ SolrInputDocument solrInputDoc) throws Exception {
+ String originalUser = getAuthenticatedUser();
try {
- cloudSolrServer.add(solrInputDoc);
- cloudSolrServer.commit();
- fail("The specified user: " + solrUserName + " shouldn't get update access!");
- } catch (Exception exception) {
- assertTrue("Expected " + SENTRY_ERROR_MSG + " in " + exception.toString(),
- exception.toString().contains(SENTRY_ERROR_MSG));
+ SolrDocumentList orginalSolrDocs = getSolrDocs(collectionName, ALL_DOCS, true);
+ setAuthenticationUser(solrUserName);
+ CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ try {
+ cloudSolrServer.add(solrInputDoc);
+ cloudSolrServer.commit();
+ fail("The specified user: " + solrUserName + " shouldn't get update access!");
+ } catch (Exception exception) {
+ assertTrue("Expected " + SENTRY_ERROR_MSG + " in " + exception.toString(),
+ exception.toString().contains(SENTRY_ERROR_MSG));
+ } finally {
+ cloudSolrServer.shutdown();
+ }
+
+ SolrDocumentList solrRespDocs = getSolrDocs(collectionName, ALL_DOCS, true);
+ // Validate Solr content to check whether the update command didn't go through.
+ validateSolrDocCountAndContent(orginalSolrDocs, solrRespDocs);
} finally {
- cloudSolrServer.shutdown();
+ setAuthenticationUser(originalUser);
}
-
- // Validate Solr content to check whether the update command didn't go through.
- // Authenticate as user "admin"
- validateSolrDocCountAndContent(collectionName, originalSolrDocCount, null);
}
/**
@@ -256,25 +275,30 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
* @throws MalformedURLException, SolrServerException, IOException
*/
protected void verifyDeletedocsPass(String solrUserName,
- String collectionName, boolean allowZeroDocs)
- throws Exception {
- int originalSolrDocCount = getSolrDocs(collectionName).size();
- if (allowZeroDocs == false) {
- assertTrue("Solr should contain atleast one solr doc to run this test.", originalSolrDocCount > 0);
- }
-
- setAuthenticationUser(solrUserName);
- CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ String collectionName,
+ boolean allowZeroDocs) throws Exception {
+ String originalUser = getAuthenticatedUser();
try {
- cloudSolrServer.deleteByQuery("*:*");
- cloudSolrServer.commit();
+ SolrDocumentList orginalSolrDocs = getSolrDocs(collectionName, ALL_DOCS, true);
+ if (allowZeroDocs == false) {
+ assertTrue("Solr should contain atleast one solr doc to run this test.", orginalSolrDocs.size() > 0);
+ }
+
+ setAuthenticationUser(solrUserName);
+ CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ try {
+ cloudSolrServer.deleteByQuery(ALL_DOCS);
+ cloudSolrServer.commit();
+ } finally {
+ cloudSolrServer.shutdown();
+ }
+
+ // Validate Solr doc count is zero
+ SolrDocumentList solrRespDocs = getSolrDocs(collectionName, ALL_DOCS, true);
+ validateSolrDocCountAndContent(new SolrDocumentList(), solrRespDocs);
} finally {
- cloudSolrServer.shutdown();
+ setAuthenticationUser(originalUser);
}
-
- // Validate Solr content to check whether the update command didn't go through.
- // Authenticate as user "admin"
- validateSolrDocCountAndContent(collectionName, 0, null);
}
/**
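Review bot: The new local `orginalSolrDocs` is misspelled (`originalSolrDocs`), and `if (allowZeroDocs == false)` reads more directly as `if (!allowZeroDocs)`; both recur in `verifyDeletedocsFail` in the next hunk. The Javadoc context line above `verifyDeletedocsPass` still lists `@throws MalformedURLException, SolrServerException, IOException` while the signature declares `throws Exception`, so `@throws Exception` would match. The Javadoc itself begins outside this hunk.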
@@ -286,71 +310,132 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
* @throws Exception
*/
protected void verifyDeletedocsFail(String solrUserName,
- String collectionName, boolean allowZeroDocs)
- throws Exception {
- int originalSolrDocCount = getSolrDocs(collectionName).size();
- if (allowZeroDocs == false) {
- assertTrue("Solr should contain atleast one solr doc to run this test.", originalSolrDocCount > 0);
+ String collectionName,
+ boolean allowZeroDocs) throws Exception {
+ String originalUser = getAuthenticatedUser();
+ try {
+ SolrDocumentList orginalSolrDocs = getSolrDocs(collectionName, ALL_DOCS, true);
+ if (allowZeroDocs == false) {
+ assertTrue("Solr should contain atleast one solr doc to run this test.", orginalSolrDocs.size() > 0);
+ }
+
+ setAuthenticationUser(solrUserName);
+ CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ try {
+ cloudSolrServer.deleteByQuery(ALL_DOCS);
+ cloudSolrServer.commit();
+ fail("The specified user: " + solrUserName + " shouldn't get deletedocs access!");
+ } catch (Exception exception) {
+ assertTrue("Expected " + SENTRY_ERROR_MSG + " in " + exception.toString(),
+ exception.toString().contains(SENTRY_ERROR_MSG));
+ } finally {
+ cloudSolrServer.shutdown();
+ }
+
+ // Validate Solr doc count and content is same as original set.
+ SolrDocumentList solrRespDocs = getSolrDocs(collectionName, ALL_DOCS, true);
+ validateSolrDocCountAndContent(orginalSolrDocs, solrRespDocs);
+ } finally {
+ setAuthenticationUser(originalUser);
}
+ }
- setAuthenticationUser(solrUserName);
- CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ /**
+ * Method to validate Solr query passes
+ * @param solrUserName - User authenticated into Solr
+ * @param collectionName - Name of the collection to be queried
+ * @param solrQueryStr - Query string to be searched in Solr
+ * @throws Exception
+ */
+ protected void verifyQueryPass(String solrUserName,
+ String collectionName,
+ String solrQueryStr) throws Exception {
+ String originalUser = getAuthenticatedUser();
try {
- cloudSolrServer.deleteByQuery("*:*");
- cloudSolrServer.commit();
- fail("The specified user: " + solrUserName + " shouldn't get deletedocs access!");
- } catch (Exception exception) {
- assertTrue("Expected " + SENTRY_ERROR_MSG + " in " + exception.toString(),
- exception.toString().contains(SENTRY_ERROR_MSG));
+ SolrDocumentList orginalSolrDocs = getSolrDocs(collectionName, solrQueryStr, true);
+ setAuthenticationUser(solrUserName);
+ SolrDocumentList solrRespDocs = null;
+ solrRespDocs = getSolrDocs(collectionName, solrQueryStr, false);
+
+ // Validate Solr content to check whether the query command went through.
+ validateSolrDocCountAndContent(orginalSolrDocs, solrRespDocs);
} finally {
- cloudSolrServer.shutdown();
+ setAuthenticationUser(originalUser);
}
-
- // Validate Solr content to check whether the deletedocs command didn't go through.
- // Authenticate as user "admin"
- validateSolrDocCountAndContent(collectionName, originalSolrDocCount, null);
}
/**
- * Function to verify whether Solr doc count matches the expected number and
- * also to verify if the Input document is present in present in the response.
- * @param collectionName - Name of the Solr collection
- * @param expectedDocCount - Count of expected Solr docs
- * @param solrInputDoc - Solr doc inserted into Solr
+ * Method to validate Solr query fails
+ * @param solrUserName - User authenticated into Solr
+ * @param collectionName - Name of the collection to be queried
+ * @param solrQueryStr - Query string to be searched in Solr
* @throws Exception
*/
- public void validateSolrDocCountAndContent(String collectionName, int expectedDocCount, SolrInputDocument solrInputDoc)
- throws Exception {
- // Authenticate as user "admin"
- setAuthenticationUser(ADMIN_USER);
- SolrDocumentList solrRespDocs = getSolrDocs(collectionName);
- assertEquals("Expected: " + expectedDocCount + " Solr docs; But, found "
- + solrRespDocs.size() + " Solr docs.", solrRespDocs.size(), expectedDocCount);
- if (solrInputDoc != null) {
- validateSolrDocContent(solrInputDoc, solrRespDocs);
+ protected void verifyQueryFail(String solrUserName,
+ String collectionName,
+ String solrQueryStr) throws Exception {
+ String originalUser = getAuthenticatedUser();
+ try {
+ setAuthenticationUser(solrUserName);
+ try {
+ getSolrDocs(collectionName, solrQueryStr, false);
+ fail("The specified user: " + solrUserName + " shouldn't get query access!");
+ } catch (Exception exception) {
+ assertTrue("Expected " + SENTRY_ERROR_MSG + " in " + exception.toString(),
+ exception.toString().contains(SENTRY_ERROR_MSG));
}
+ } finally {
+ setAuthenticationUser(originalUser);
+ }
+ }
+
+ /**
+ * Function to validate the count and content of two SolrDocumentList's.
+ * @param solrOriginalDocs - Instance of initial set of solr docs before processing
+ * @param solrResponseDocs - Instance of response solr docs after processing
+ */
+ protected void validateSolrDocCountAndContent(SolrDocumentList solrOriginalDocs,
+ SolrDocumentList solrResponseDocs) {
+ assertEquals("Expected number of Solr docs: " + solrOriginalDocs.size() + "; But found:" + solrResponseDocs.size(),
+ solrOriginalDocs.size(), solrResponseDocs.size());
+ for (SolrDocument solrDoc : solrOriginalDocs) {
+ SolrInputDocument solrInputDoc = ClientUtils.toSolrInputDocument(solrDoc);
+ validateSolrDocContent(solrInputDoc, solrResponseDocs);
+ }
}
/**
* Function to query the collection and fetch the Solr docs
* @param collectionName - Name of the collection
+ * @param solrQueryStr - Query string to be searched in Solr
+ * @param runAsAdmin - Boolean to specify whether to execute the Solr query as admin user
* @return - Instance of SolrDocumentList
* @throws Exception
*/
- protected SolrDocumentList getSolrDocs(String collectionName) throws Exception {
- // Authenticate as user "admin"
- setAuthenticationUser(ADMIN_USER);
- CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
- SolrDocumentList solrDocs = null;
+ protected SolrDocumentList getSolrDocs(String collectionName,
+ String solrQueryStr,
+ boolean runAsAdmin) throws Exception {
+ String originalUser = getAuthenticatedUser();
try {
- SolrQuery query = new SolrQuery("*:*");
- QueryResponse response = cloudSolrServer.query(query);
- solrDocs = response.getResults();
+ if (runAsAdmin == true) {
+ // Authenticate as user "admin"
+ setAuthenticationUser(ADMIN_USER);
+ }
+
+ CloudSolrServer cloudSolrServer = getCloudSolrServer(collectionName);
+ assertNotNull("Solr query shouldn't be null.", solrQueryStr);
+ SolrDocumentList solrDocs = null;
+ try {
+ SolrQuery query = new SolrQuery(solrQueryStr);
+ QueryResponse response = cloudSolrServer.query(query);
+ solrDocs = response.getResults();
+ return solrDocs;
+ } finally {
+ cloudSolrServer.shutdown();
+ }
} finally {
- cloudSolrServer.shutdown();
+ setAuthenticationUser(originalUser);
}
-
- return solrDocs;
}
/**
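Review bot: In `getSolrDocs`, `assertNotNull("Solr query shouldn't be null.", solrQueryStr)` runs after `getCloudSolrServer(collectionName)` but before the inner `try`, so a null query string fails the assertion and leaves the `CloudSolrServer` without a `shutdown()` call. Making the assertion the first statement of the method, ahead of the user switch and the client creation, keeps that failure path free of leaked clients. Smaller points in the same hunk: `if (runAsAdmin == true)` can be `if (runAsAdmin)`, and in `verifyQueryPass` the pair `SolrDocumentList solrRespDocs = null;` plus the assignment can be one declaration.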
@@ -359,16 +444,27 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
* @param solrRespDocs - List of Solr doc obtained as response
* (NOTE: This function ignores "_version_" field in validating Solr doc content)
*/
- public void validateSolrDocContent(SolrInputDocument solrInputDoc, SolrDocumentList solrRespDocs) {
- solrInputDoc.removeField("_version_");
+ public void validateSolrDocContent(SolrInputDocument solrInputDoc,
+ SolrDocumentList solrRespDocs) {
for (SolrDocument solrRespDoc : solrRespDocs) {
- solrRespDoc.removeFields("_version_");
String expFieldValue = (String) solrInputDoc.getFieldValue("id");
String resFieldValue = (String) solrRespDoc.getFieldValue("id");
if (expFieldValue.equals(resFieldValue)) {
- assertEquals("Expected " + solrInputDoc.size() + " fields. But, found "
- + solrRespDoc.size() + " fields", solrInputDoc.size() , solrRespDoc.size());
+ int expectedRespFieldCount = solrRespDoc.size();
+ if (solrRespDoc.containsKey("_version_")) {
+ expectedRespFieldCount = expectedRespFieldCount - 1;
+ }
+ int expectedOrigFieldCount = solrInputDoc.size();
+ if (solrInputDoc.containsKey("_version_")) {
+ expectedOrigFieldCount = expectedOrigFieldCount - 1;
+ }
+ assertEquals("Expected " + expectedOrigFieldCount + " fields. But, found "
+ + expectedRespFieldCount + " fields", expectedOrigFieldCount , expectedRespFieldCount);
for (String field : solrInputDoc.getFieldNames()) {
+ if (field.equals("_version_") == true) {
+ continue;
+ }
+
expFieldValue = (String) solrInputDoc.getFieldValue(field);
resFieldValue = (String) solrRespDoc.getFieldValue(field);
assertEquals("Expected value for field: " + field + " is " + expFieldValue
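Review bot: All the checks visible in `validateSolrDocContent` sit inside `if (expFieldValue.equals(resFieldValue))`, so nothing in this hunk records that a response document with the expected `id` was found at all. The method continues outside the hunk, so this is only a gap if the remainder does not fail on an unmatched id. If it does not, a response set with the right count but different ids would pass, which weakens the "denied operation left the data unchanged" checks that call it. A `boolean matched` flag set in the branch and `assertTrue("No response doc with id " + expFieldValue, matched);` after the loop would close it. The literal `"_version_"` now appears four times and would read better as one `private static final String` constant, and `field.equals("_version_") == true` can drop the `== true`.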
@@ -404,11 +500,16 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
*/
protected void setupCollection(String collectionName) throws Exception {
// Authenticate as user "admin"
- setAuthenticationUser(ADMIN_USER);
- uploadConfigDirToZk(getSolrHome() + File.separator + DEFAULT_COLLECTION
- + File.separator + "conf");
- createCollection(collectionName, 1, 1, 1);
- waitForRecoveriesToFinish(collectionName, false);
+ String originalUser = getAuthenticatedUser();
+ try {
+ setAuthenticationUser(ADMIN_USER);
+ uploadConfigDirToZk(getSolrHome() + File.separator + DEFAULT_COLLECTION
+ + File.separator + "conf");
+ createCollection(collectionName, 1, 1, 1);
+ waitForRecoveriesToFinish(collectionName, false);
+ } finally {
+ setAuthenticationUser(originalUser);
+ }
}
/**
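Review bot: The comment `// Authenticate as user "admin"` now sits above `String originalUser = getAuthenticatedUser();`, which does the opposite of what the comment says. I would move it down to the `setAuthenticationUser(ADMIN_USER);` line inside the `try` and add `// Remember the caller's user so it can be restored afterwards` above the first statement. The Javadoc for `setupCollection` starts outside this hunk and does not mention that the previously authenticated user is restored on exit, which is the behaviour this change introduces.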
@@ -441,7 +542,7 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
* @throws Exception
*/
protected void uploadSolrDoc(String collectionName,
- SolrInputDocument solrInputDoc) throws Exception {
+ SolrInputDocument solrInputDoc) throws Exception {
if (solrInputDoc == null) {
solrInputDoc = createSolrTestDoc();
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/ee9565f0/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
index 997d420..b7081ba 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
@@ -68,4 +68,12 @@ public class ModifiableUserAuthenticationFilter implements Filter {
public static void setUser(String solrUser) {
userName = solrUser;
}
+
+ /**
+ * Function to return the authenticated user name defined.
+ * @param solrUser
+ */
+ public static String getUser() {
+ return userName;
+ }
}
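Review bot: The Javadoc on `getUser()` carries `@param solrUser` although the method takes no parameter; it should be `@return the user name the filter currently reports as authenticated`. The helpers in `AbstractSolrSentryTestBase` now save and restore this value around every check, and `userName` looks like a plain static field (its declaration is outside the hunk), so the pattern presumably relies on one test thread using the filter at a time. That assumption is worth stating in the comment, since a concurrent caller would run its request under another test's identity.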
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/ee9565f0/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
new file mode 100644
index 0000000..2ccbbce
--- /dev/null
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.solr;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
+import java.util.ArrayList;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.solr.common.SolrInputDocument;
+
+@ThreadLeakScope(Scope.NONE) // hdfs client currently leaks thread(s)
+public class TestQueryOperations extends AbstractSolrSentryTestBase {
+ private static final Logger LOG = LoggerFactory
+ .getLogger(TestQueryOperations.class);
+ private static final String COLLECTION_NAME = "sentryCollection";
+ private static final List<Boolean> BOOLEAN_VALUES = Arrays.asList(new Boolean[]{true, false});
+
+ @Override
+ public void doTest() throws Exception {
+ setupCollection(COLLECTION_NAME);
+ ArrayList<String> testFailures = new ArrayList<String>();
+
+ for (boolean query : BOOLEAN_VALUES) {
+ for (boolean update : BOOLEAN_VALUES) {
+ for (boolean all : BOOLEAN_VALUES) {
+ String test_user = getUsernameForPermissions(COLLECTION_NAME, query, update, all);
+ LOG.info("TEST_USER: " + test_user);
+
+ try {
+ cleanSolrCollection(COLLECTION_NAME);
+ SolrInputDocument solrInputDoc = createSolrTestDoc();
+ uploadSolrDoc(COLLECTION_NAME, solrInputDoc);
+ if (all || query) {
+ verifyQueryPass(test_user, COLLECTION_NAME, ALL_DOCS);
+ } else {
+ verifyQueryFail(test_user, COLLECTION_NAME, ALL_DOCS);
+ }
+ } catch (Throwable testException) {
+ testFailures.add("\n\nTestFailure: User -> " + test_user + "\n"
+ + testException.toString());
+ }
+ }
+ }
+ }
+
+ assertEquals("Total test failures: " + testFailures.size() + " \n\n"
+ + testFailures.toString(), 0, testFailures.size());
+ }
+}
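Review bot: The `catch (Throwable testException)` block in `doTest` keeps only `testException.toString()`, so a failing permission combination is reported without its stack trace, and JVM errors such as `OutOfMemoryError` are folded into the same list instead of stopping the run. Logging the throwable before recording it, e.g. `LOG.error("Query check failed for user " + test_user, testException);`, keeps the trace. Narrowing the catch to `Exception | AssertionError` would let fatal errors propagate. `test_user` would follow the file's naming as `testUser`, and `Arrays.asList(new Boolean[]{true, false})` can be `Arrays.asList(true, false)`.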
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/ee9565f0/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
index 131fa2c..1703fe6 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
@@ -43,7 +43,6 @@ public class TestUpdateOperations extends AbstractSolrSentryTestBase {
for (boolean query : BOOLEAN_VALUES) {
for (boolean update : BOOLEAN_VALUES) {
for (boolean all : BOOLEAN_VALUES) {
- // Create user name to be used for Solr requests based on the permissions generated by the for-loop.
String test_user = getUsernameForPermissions(COLLECTION_NAME, query, update, all);
LOG.info("TEST_USER: " + test_user);
[25/26] git commit: SENTRY-3: Create a diagnostics tool for
configuration validation (Prasad via Brock)
Posted by br...@apache.org.
SENTRY-3: Create a diagnostics tool for configuration validation (Prasad via Brock)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/a4819f5b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/a4819f5b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/a4819f5b
Branch: refs/heads/db_policy_store
Commit: a4819f5b7b8ce5fb9f3c9b94c6dbb1e2dfbe1f78
Parents: cf798ac
Author: Brock Noland <br...@apache.org>
Authored: Mon Feb 24 17:06:07 2014 -0600
Committer: Brock Noland <br...@apache.org>
Committed: Mon Feb 24 17:06:07 2014 -0600
----------------------------------------------------------------------
bin/config-tool.sh | 25 +
bin/sentry | 65 +++
.../binding/hive/HiveAuthzBindingHook.java | 12 +-
.../binding/hive/authz/HiveAuthzBinding.java | 9 +-
.../binding/hive/authz/SentryConfigTool.java | 510 +++++++++++++++++++
.../sentry/binding/hive/conf/HiveAuthzConf.java | 51 ++
sentry-core/sentry-core-common/pom.xml | 4 +
.../common/SentryConfigurationException.java | 67 +++
.../sentry/policy/common/PolicyEngine.java | 13 +-
.../sentry/policy/db/SimpleDBPolicyEngine.java | 37 +-
.../policy/search/SimpleSearchPolicyEngine.java | 22 +-
.../provider/common/AuthorizationProvider.java | 30 ++
.../common/NoAuthorizationProvider.java | 26 +
.../sentry/provider/common/ProviderBackend.java | 7 +
.../file/ResourceAuthorizationProvider.java | 57 ++-
.../file/SimpleFileProviderBackend.java | 79 ++-
.../provider/file/TestGetGroupMapping.java | 21 +
.../apache/sentry/tests/e2e/hive/Context.java | 6 +-
.../sentry/tests/e2e/hive/TestConfigTool.java | 304 +++++++++++
19 files changed, 1315 insertions(+), 30 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/bin/config-tool.sh
----------------------------------------------------------------------
diff --git a/bin/config-tool.sh b/bin/config-tool.sh
new file mode 100755
index 0000000..b286421
--- /dev/null
+++ b/bin/config-tool.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+_CMD_JAR=sentry-binding-hive-*.jar
+_HIVE_CMD=${HIVE_HOME}/bin/hive
+for f in ${SENTRY_HOME}/lib/*.jar; do
+ HADOOP_CLASSPATH=${HADOOP_CLASSPATH}:${f}
+done
+
+${_HIVE_CMD} --service jar ${SENTRY_HOME}/lib/${_CMD_JAR} org.apache.sentry.binding.hive.authz.SentryConfigTool "$@"
+
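Review bot: `${SENTRY_HOME}` and `${HIVE_HOME}` are used unquoted and without checking that they are set, so with either one empty the script adds `/lib/*.jar` to the classpath or runs `/bin/hive` instead of failing. Guards such as `: "${SENTRY_HOME:?SENTRY_HOME is not set}"` and `: "${HIVE_HOME:?HIVE_HOME is not set}"` at the top, plus quoting the expansions in the loop and the final command, would make the failure explicit and keep paths with spaces intact. `HADOOP_CLASSPATH` is also extended but never exported here, so unless the caller already exported it the `hive` child process will not see the added jars; `export HADOOP_CLASSPATH` after the loop covers that. Note that `_CMD_JAR=sentry-binding-hive-*.jar` is expanded on the command line and would pass several arguments if more than one matching jar is present in `lib`.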
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/bin/sentry
----------------------------------------------------------------------
diff --git a/bin/sentry b/bin/sentry
new file mode 100755
index 0000000..9f2ce77
--- /dev/null
+++ b/bin/sentry
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+bin=`dirname "$0"`
+myhome=`cd "$bin/.."; pwd`
+
+# the root of the Hive installation
+if [[ -z $SENTRY_HOME ]] ; then
+ export SENTRY_HOME=$myhome
+fi
+
+_HIVE_CMD=hive
+#check to see if the hive conf dir is given as an optional argument
+while [ $# -gt 0 ]; do # Until you run out of parameters . . .
+ case "$1" in
+ --hive-config)
+ shift
+ confdir=$1
+ shift
+ export HIVE_CONF_DIR=$confdir
+ echo Using hive-conf-dir $HIVE_CONF_DIR
+ ;;
+ --hive-home)
+ shift
+ homedir=$1
+ shift
+ export HIVE_HOME=$homedir
+ echo Using hive-home $HIVE_HOME
+ ;;
+ --command)
+ shift
+ case "$1" in
+ config-tool)
+ shift
+ $SENTRY_HOME/bin/config-tool.sh "$@"
+ ;;
+ *)
+ echo Unknown option $1
+ echo "Usage sentry --command <config-tool [config-tool-options]>"
+ break
+ ;;
+ esac
+ break
+ ;;
+ *)
+ echo "Usage sentry --command <config-tool [config-tool-options]>"
+ break
+ ;;
+ esac
+done
+
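Review bot: Both usage branches (`Unknown option` and the outer `*)`) only `break`, so the script prints the usage text and still exits with status 0; `exit 1` in place of those two `break`s lets callers detect a bad invocation. The `--hive-config` and `--hive-home` branches read `$1` after `shift` without checking that a value remains, which exports an empty `HIVE_CONF_DIR` or `HIVE_HOME` when the value is missing. The comment `# the root of the Hive installation` sits above the `SENTRY_HOME` default and should read `# the root of the Sentry installation`; `_HIVE_CMD=hive` is assigned but not used in this file. `$SENTRY_HOME/bin/config-tool.sh` and `echo Unknown option $1` should quote their expansions.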
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index cac4864..3624e8f 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -277,7 +277,17 @@ implements HiveDriverFilterHook {
authorizeWithHiveBindings(context, stmtAuthObject, stmtOperation);
} catch (AuthorizationException e) {
executeOnFailureHooks(context, stmtOperation, e);
- throw new SemanticException("No valid privileges", e);
+ String permsRequired = "";
+ for (String perm : hiveAuthzBinding.getLastQueryPermissionErrors()) {
+ permsRequired += perm + ";";
+ }
+ context.getConf().set(HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS, permsRequired);
+ throw new SemanticException(HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE, e);
+ }
+ if ("true".equalsIgnoreCase(context.getConf().
+ get(HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION))) {
+ throw new SemanticException(HiveAuthzConf.HIVE_SENTRY_MOCK_ERROR + " Mock query compilation aborted. Set " +
+ HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION + " to 'false' for normal query processing");
}
hiveAuthzBinding.set(context.getConf());
}
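Review bot: `HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS` is written only in the `catch` branch, so nothing visible here resets it when a later statement authorizes cleanly. If the same conf object is reused across statements (not shown in this hunk), a consumer could read the privileges required by an earlier, denied query. Resetting it before the authorization call, e.g. `context.getConf().set(HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS, "");`, avoids that. The list comes from `getLastQueryPermissionErrors()`, which presumably reflects state kept on the provider, so it is worth confirming that a concurrent query cannot overwrite it between the failure and this read. The `permsRequired += perm + ";"` loop would be clearer with a `StringBuilder`; the enclosing method begins outside the hunk.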
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
index 45d5d3b..f6a1ecc 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
@@ -63,7 +63,7 @@ public class HiveAuthzBinding {
public HiveAuthzBinding (HiveConf hiveConf, HiveAuthzConf authzConf) throws Exception {
this.authzConf = authzConf;
this.authServer = new Server(authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar()));
- this.authProvider = getAuthProvider(hiveConf, authServer.getName());
+ this.authProvider = getAuthProvider(hiveConf, authzConf, authServer.getName());
}
/**
@@ -102,7 +102,8 @@ public class HiveAuthzBinding {
}
// Instantiate the configured authz provider
- private AuthorizationProvider getAuthProvider(HiveConf hiveConf, String serverName) throws Exception {
+ public static AuthorizationProvider getAuthProvider(HiveConf hiveConf, HiveAuthzConf authzConf,
+ String serverName) throws Exception {
boolean isTestingMode = Boolean.parseBoolean(Strings.nullToEmpty(
authzConf.get(AuthzConfVars.SENTRY_TESTING_MODE.getVar())).trim());
LOG.debug("Testing mode is " + isTestingMode);
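Review bot: `getAuthProvider` changes from `private` to `public static` but keeps only the one-line comment `// Instantiate the configured authz provider`, so the new entry point has no Javadoc. As a public method it should document its three parameters, that it reads `AuthzConfVars.SENTRY_TESTING_MODE` from the supplied `authzConf`, and that it declares `throws Exception`. The same applies to `getLastQueryPermissionErrors()` in the last hunk of this file, which should say whether the returned list is the provider's own list or a copy and for which query it is valid. The body of `getAuthProvider` continues outside this hunk.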
@@ -232,4 +233,8 @@ public class HiveAuthzBinding {
private AuthorizableType getAuthzType (List<DBModelAuthorizable> hierarchy){
return hierarchy.get(hierarchy.size() -1).getAuthzType();
}
+
+ public List<String> getLastQueryPermissionErrors() {
+ return authProvider.getLastFailedPermissions();
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
new file mode 100644
index 0000000..d7a518d
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
@@ -0,0 +1,510 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.binding.hive.authz;
+
+import java.security.CodeSource;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.Set;
+
+import org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook;
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.GnuParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.OptionGroup;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.cli.Parser;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.ql.Driver;
+import org.apache.hadoop.hive.ql.parse.SemanticException;
+import org.apache.hadoop.hive.ql.processors.CommandProcessorResponse;
+import org.apache.hadoop.hive.ql.session.SessionState;
+import org.apache.log4j.Level;
+import org.apache.log4j.LogManager;
+import org.apache.sentry.binding.hive.HiveAuthzBindingHook;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
+import org.apache.sentry.provider.common.AuthorizationProvider;
+import org.apache.sentry.core.common.SentryConfigurationException;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.core.common.Subject;
+
+public class SentryConfigTool {
+ private String sentrySiteFile = null;
+ private String policyFile = null;
+ private String query = null;
+ private String jdbcURL = null;
+ private String user = null;
+ private String passWord = null;
+ private boolean listPerms = false;
+ private boolean validate = false;
+ private HiveConf hiveConf = null;
+ private HiveAuthzConf authzConf = null;
+ private AuthorizationProvider sentryProvider = null;
+
+ public SentryConfigTool() {
+
+ }
+
+ public AuthorizationProvider getSentryProvider() {
+ return sentryProvider;
+ }
+
+ public void setSentryProvider(AuthorizationProvider sentryProvider) {
+ this.sentryProvider = sentryProvider;
+ }
+
+ public HiveConf getHiveConf() {
+ return hiveConf;
+ }
+
+ public void setHiveConf(HiveConf hiveConf) {
+ this.hiveConf = hiveConf;
+ }
+
+ public HiveAuthzConf getAuthzConf() {
+ return authzConf;
+ }
+
+ public void setAuthzConf(HiveAuthzConf authzConf) {
+ this.authzConf = authzConf;
+ }
+
+ public boolean isValidate() {
+ return validate;
+ }
+
+ public void setValidate(boolean validate) {
+ this.validate = validate;
+ }
+
+ public String getSentrySiteFile() {
+ return sentrySiteFile;
+ }
+
+ public void setSentrySiteFile(String sentrySiteFile) {
+ this.sentrySiteFile = sentrySiteFile;
+ }
+
+ public String getPolicyFile() {
+ return policyFile;
+ }
+
+ public void setPolicyFile(String policyFile) {
+ this.policyFile = policyFile;
+ }
+
+ public String getQuery() {
+ return query;
+ }
+
+ public void setQuery(String query) {
+ this.query = query;
+ }
+
+ public String getJdbcURL() {
+ return jdbcURL;
+ }
+
+ public void setJdbcURL(String jdbcURL) {
+ this.jdbcURL = jdbcURL;
+ }
+
+ public String getUser() {
+ return user;
+ }
+
+ public void setUser(String user) {
+ this.user = user;
+ }
+
+ public String getPassWord() {
+ return passWord;
+ }
+
+ public void setPassWord(String passWord) {
+ this.passWord = passWord;
+ }
+
+ public boolean isListPerms() {
+ return listPerms;
+ }
+
+ public void setListPerms(boolean listPerms) {
+ this.listPerms = listPerms;
+ }
+
+ /**
+ * set the required system property to be read by HiveConf and AuthzConf
+ * @throws Exception
+ */
+ public void setupConfig() throws Exception {
+ System.out.println("Configuration: ");
+ CodeSource src = SentryConfigTool.class.getProtectionDomain()
+ .getCodeSource();
+ if (src != null) {
+ System.out.println("Sentry package jar: " + src.getLocation());
+ }
+
+ if (getPolicyFile() != null) {
+ System.setProperty(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(),
+ getPolicyFile());
+ }
+ System.setProperty(AuthzConfVars.SENTRY_TESTING_MODE.getVar(), "true");
+ setHiveConf(new HiveConf(SessionState.class));
+ getHiveConf().setVar(ConfVars.SEMANTIC_ANALYZER_HOOK,
+ HiveAuthzBindingHook.class.getName());
+ try {
+ System.out.println("Hive config: " + getHiveConf().getHiveSiteLocation());
+ } catch (NullPointerException e) {
+ // Hack, hiveConf doesn't provide a reliable way check if it found a valid
+ // hive-site
+ throw new SentryConfigurationException("Didn't find a hive-site.xml");
+
+ }
+
+ if (getSentrySiteFile() != null) {
+ getHiveConf()
+ .set(HiveAuthzConf.HIVE_SENTRY_CONF_URL, getSentrySiteFile());
+ }
+
+ setAuthzConf(HiveAuthzConf.getAuthzConf(getHiveConf()));
+ System.out.println("Sentry config: "
+ + getAuthzConf().getHiveAuthzSiteFile());
+ System.out.println("Sentry Policy: "
+ + getAuthzConf().get(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar()));
+ System.out.println("Sentry server: "
+ + getAuthzConf().get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar()));
+
+ setSentryProvider(getAuthorizationProvider());
+ }
+
+ // load auth provider
+ private AuthorizationProvider getAuthorizationProvider()
+ throws IllegalStateException, SentryConfigurationException {
+ String serverName = new Server(getAuthzConf().get(
+ AuthzConfVars.AUTHZ_SERVER_NAME.getVar())).getName();
+ // get the configured sentry provider
+ AuthorizationProvider sentryProvider = null;
+ try {
+ sentryProvider = HiveAuthzBinding.getAuthProvider(getHiveConf(),
+ authzConf, serverName);
+ } catch (SentryConfigurationException eC) {
+ printConfigErrors(eC);
+ } catch (Exception e) {
+ throw new IllegalStateException("Couldn't load sentry provider ", e);
+ }
+ return sentryProvider;
+ }
+
+ // validate policy files
+ public void validatePolicy() throws Exception {
+ try {
+ getSentryProvider().validateResource(true);
+ } catch (SentryConfigurationException e) {
+ printConfigErrors(e);
+ }
+ System.out.println("No errors found in the policy file");
+ }
+
+ // list permissions for given user
+ public void listPerms() throws Exception {
+ getSentryProvider().validateResource(true);
+ System.out.println("Available privileges for user " + getUser() + ":");
+ Set<String> permList = getSentryProvider().listPermissionsForSubject(
+ new Subject(getUser()));
+ for (String perms : permList) {
+ System.out.println("\t" + perms);
+ }
+ if (permList.isEmpty()) {
+ System.out.println("\t*** No permissions available ***");
+ }
+ }
+
+ // Verify the given query
+ public void verifyLocalQuery(String queryStr) throws Exception {
+ // setup Hive driver
+ SessionState session = new SessionState(getHiveConf());
+ SessionState.start(session);
+ Driver driver = new Driver(session.getConf(), getUser(), null);
+
+ // compile the query
+ CommandProcessorResponse compilerStatus = driver
+ .compileAndRespond(queryStr);
+ if (compilerStatus.getResponseCode() != 0) {
+ String errMsg = compilerStatus.getErrorMessage();
+ if (errMsg.contains(HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE)) {
+ printMissingPerms(getHiveConf().get(
+ HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS));
+ }
+ throw new SemanticException("Compilation error: "
+ + compilerStatus.getErrorMessage());
+ }
+ driver.close();
+ System.out
+ .println("User " + getUser() + " has privileges to run the query");
+ }
+
+ // connect to remote HS2 and run mock query
+ public void verifyRemoteQuery(String queryStr) throws Exception {
+ Class.forName("org.apache.hive.jdbc.HiveDriver");
+ Connection conn = DriverManager.getConnection(getJdbcURL(), getUser(),
+ getPassWord());
+ Statement stmt = conn.createStatement();
+ if (!isSentryEnabledOnHiveServer(stmt)) {
+ throw new IllegalStateException("Sentry is not enabled on HiveServer2");
+ }
+ stmt.execute("set " + HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION + "=true");
+ try {
+ stmt.execute(queryStr);
+ } catch (SQLException e) {
+ String errMsg = e.getMessage();
+ if (errMsg.contains(HiveAuthzConf.HIVE_SENTRY_MOCK_ERROR)) {
+ System.out.println("User "
+ + readConfig(stmt, HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME)
+ + " has privileges to run the query");
+ return;
+ } else if (errMsg
+ .contains(HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE)) {
+ printMissingPerms(readConfig(stmt,
+ HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS));
+ throw e;
+ } else {
+ throw e;
+ }
+ } finally {
+ if (!stmt.isClosed()) {
+ stmt.close();
+ }
+ conn.close();
+ }
+
+ }
+
+ // verify senty session hook is set
+ private boolean isSentryEnabledOnHiveServer(Statement stmt)
+ throws SQLException {
+ return HiveAuthzBindingSessionHook.class.getName().equalsIgnoreCase(
+ readConfig(stmt, HiveConf.ConfVars.HIVE_SERVER2_SESSION_HOOK.varname));
+ }
+
+ // read a config value using 'set' statement
+ private String readConfig(Statement stmt, String configKey)
+ throws SQLException {
+ ResultSet res = stmt.executeQuery("set " + configKey);
+ if (!res.next()) {
+ return null;
+ }
+ // parse key=value result format
+ String result = res.getString(1);
+ res.close();
+ return result.substring(result.indexOf("=") + 1);
+ }
+
+ // print configuration/policy file errors and warnings
+ private void printConfigErrors(SentryConfigurationException configException)
+ throws SentryConfigurationException {
+ System.out.println(" *** Found configuration problems *** ");
+ for (String errMsg : configException.getConfigErrors()) {
+ System.out.println("ERROR: " + errMsg);
+ }
+ for (String warnMsg : configException.getConfigWarnings()) {
+ System.out.println("Warning: " + warnMsg);
+ }
+ throw configException;
+ }
+
+ // extract the authorization errors from config property and print
+ private void printMissingPerms(String errMsg) {
+ if (errMsg == null || errMsg.isEmpty()) {
+ return;
+ }
+ System.out.println("*** Query compilation failed ***");
+ String perms[] = errMsg.replaceFirst(
+ ".*" + HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE, "")
+ .split(";");
+ System.out.println("Required privileges for given query:");
+ for (int count = 0; count < perms.length; count++) {
+ System.out.println(" \t " + perms[count]);
+ }
+ }
+
+ // print usage
+ private void usage(Options sentryOptions) {
+ HelpFormatter formatter = new HelpFormatter();
+ formatter.printHelp("Sentry", sentryOptions);
+ System.exit(-1);
+ }
+
+ /**
+ * parse arguments
+ *
+ * -d,--debug enable debug output
+ * -e,--query <arg> Query privilege verification, requires -u
+ * -h,--help Print usage
+ * -i,--policyIni <arg> Policy file path
+ * -j,--jdbcURL <arg> JDBC URL
+ * -l,--listPerms list permissions for given user, requires -u
+ * -p,--password <arg> Password
+ * -s,--sentry-site <arg> sentry-site file path
+ * -u,--user <arg> user name
+ * -v,--validate Validate policy file
+ * @param args
+ */
+ private void parseArgs(String[] args) {
+ boolean enableDebug = false;
+
+ Options sentryOptions = new Options();
+
+ Option helpOpt = new Option("h", "help", false, "Print usage");
+ helpOpt.setRequired(false);
+
+ Option validateOpt = new Option("v", "validate", false,
+ "Validate policy file");
+ validateOpt.setRequired(false);
+
+ Option queryOpt = new Option("e", "query", true,
+ "Query privilege verification, requires -u");
+ queryOpt.setRequired(false);
+
+ Option listPermsOpt = new Option("l", "listPerms", false,
+ "list permissions for given user, requires -u");
+ listPermsOpt.setRequired(false);
+
+ // required args
+ OptionGroup sentryOptGroup = new OptionGroup();
+ sentryOptGroup.addOption(helpOpt);
+ sentryOptGroup.addOption(validateOpt);
+ sentryOptGroup.addOption(queryOpt);
+ sentryOptGroup.addOption(listPermsOpt);
+ sentryOptGroup.setRequired(true);
+ sentryOptions.addOptionGroup(sentryOptGroup);
+
+ // optional args
+ Option jdbcArg = new Option("j", "jdbcURL", true, "JDBC URL");
+ jdbcArg.setRequired(false);
+ sentryOptions.addOption(jdbcArg);
+
+ Option sentrySitePath = new Option("s", "sentry-site", true,
+ "sentry-site file path");
+ sentrySitePath.setRequired(false);
+ sentryOptions.addOption(sentrySitePath);
+
+ Option globalPolicyPath = new Option("i", "policyIni", true,
+ "Policy file path");
+ globalPolicyPath.setRequired(false);
+ sentryOptions.addOption(globalPolicyPath);
+
+ Option userOpt = new Option("u", "user", true, "user name");
+ userOpt.setRequired(false);
+ sentryOptions.addOption(userOpt);
+
+ Option passWordOpt = new Option("p", "password", true, "Password");
+ userOpt.setRequired(false);
+ sentryOptions.addOption(passWordOpt);
+
+ Option debugOpt = new Option("d", "debug", false, "enable debug output");
+ debugOpt.setRequired(false);
+ sentryOptions.addOption(debugOpt);
+
+ try {
+ Parser parser = new GnuParser();
+ CommandLine cmd = parser.parse(sentryOptions, args);
+
+ for (Option opt : cmd.getOptions()) {
+ if (opt.getOpt().equals("s")) {
+ setSentrySiteFile(opt.getValue());
+ } else if (opt.getOpt().equals("i")) {
+ setPolicyFile(opt.getValue());
+ } else if (opt.getOpt().equals("e")) {
+ setQuery(opt.getValue());
+ } else if (opt.getOpt().equals("j")) {
+ setJdbcURL(opt.getValue());
+ } else if (opt.getOpt().equals("u")) {
+ setUser(opt.getValue());
+ } else if (opt.getOpt().equals("p")) {
+ setPassWord(opt.getValue());
+ } else if (opt.getOpt().equals("l")) {
+ setListPerms(true);
+ } else if (opt.getOpt().equals("v")) {
+ setValidate(true);
+ } else if (opt.getOpt().equals("h")) {
+ usage(sentryOptions);
+ } else if (opt.getOpt().equals("d")) {
+ enableDebug = true;
+ }
+ }
+
+ if (isListPerms() && (getUser() == null)) {
+ throw new ParseException("Can't use -l without -u ");
+ }
+ if ((getQuery() != null) && (getUser() == null)) {
+ throw new ParseException("Must use -u with -e ");
+ }
+ } catch (ParseException e1) {
+ System.out.println("Argument parsing error: " + e1.getMessage());
+ usage(sentryOptions);
+ }
+
+ if (!enableDebug) {
+ // turn off log
+ LogManager.getRootLogger().setLevel(Level.OFF);
+ }
+ }
+
+ public static void main(String args[]) throws Exception {
+ SentryConfigTool sentryTool = new SentryConfigTool();
+
+ try {
+ // parse arguments
+ sentryTool.parseArgs(args);
+
+ // load configuration
+ sentryTool.setupConfig();
+
+ // validate configuration
+ if (sentryTool.isValidate()) {
+ sentryTool.validatePolicy();
+ }
+
+ // list permissions for give user
+ if (sentryTool.isListPerms()) {
+ sentryTool.listPerms();
+ }
+
+ // verify given query
+ if (sentryTool.getQuery() != null) {
+ if (sentryTool.getJdbcURL() != null) {
+ sentryTool.verifyRemoteQuery(sentryTool.getQuery());
+ } else {
+ sentryTool.verifyLocalQuery(sentryTool.getQuery());
+ }
+ }
+ } catch (Exception e) {
+ System.out.println("Sentry tool reported Errors: " + e.getMessage());
+ System.exit(1);
+ }
+
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
index b7d79d6..c4f12b5 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
@@ -16,12 +16,14 @@
*/
package org.apache.sentry.binding.hive.conf;
+import java.net.MalformedURLException;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;
import java.util.Map.Entry;
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.conf.HiveConf;
import org.mortbay.log.Log;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -36,6 +38,10 @@ public class HiveAuthzConf extends Configuration {
public static final String HIVE_SENTRY_CONF_URL = "hive.sentry.conf.url";
public static final String HIVE_ACCESS_SUBJECT_NAME = "hive.access.subject.name";
public static final String HIVE_SENTRY_SUBJECT_NAME = "hive.sentry.subject.name";
+ public static final String HIVE_SENTRY_AUTH_ERRORS = "sentry.hive.authorization.errors";
+ public static final String HIVE_SENTRY_MOCK_COMPILATION = "hive.sentry.mock.compilation";
+ public static final String HIVE_SENTRY_MOCK_ERROR = "hive.sentry.mock.error";
+ public static final String HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE = "No valid privileges";
/**
* Config setting definitions
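Review bot: `HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE` is a fragment of an error message rather than a configuration key, yet it sits among the key constants with no comment. `HIVE_SENTRY_AUTH_ERRORS` is also the only added key whose value starts with `sentry.hive.` instead of `hive.sentry.`. SentryConfigTool in this commit recognises an authorization denial by `errMsg.contains(HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE)`, so a reworded message would make a denial look like an ordinary compilation failure. I would add a comment such as `// Message fragment matched by SentryConfigTool; keep in sync with the authorization-failure text` above it, and either rename the key to the `hive.sentry.` prefix or note why it differs.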
@@ -132,11 +138,13 @@ public class HiveAuthzConf extends Configuration {
private static final Logger LOG = LoggerFactory
.getLogger(HiveAuthzConf.class);
public static final String AUTHZ_SITE_FILE = "sentry-site.xml";
+ private final String hiveAuthzSiteFile;
public HiveAuthzConf(URL hiveAuthzSiteURL) {
super(false);
addResource(hiveAuthzSiteURL);
applySystemProperties();
+ this.hiveAuthzSiteFile = hiveAuthzSiteURL.toString();
}
/**
* Apply system properties to this object if the property name is defined in ConfVars
@@ -182,4 +190,47 @@ public class HiveAuthzConf extends Configuration {
}
return retVal;
}
+
+ public String getHiveAuthzSiteFile() {
+ return hiveAuthzSiteFile;
+ }
+
+ /**
+ * Extract the authz config file path from given hive conf and load the authz config
+ * @param hiveConf
+ * @return
+ * @throws IllegalArgumentException
+ */
+ public static HiveAuthzConf getAuthzConf(HiveConf hiveConf)
+ throws IllegalArgumentException {
+ boolean depreicatedConfigFile = false;
+
+ String hiveAuthzConf = hiveConf.get(HiveAuthzConf.HIVE_SENTRY_CONF_URL);
+ if (hiveAuthzConf == null
+ || (hiveAuthzConf = hiveAuthzConf.trim()).isEmpty()) {
+ hiveAuthzConf = hiveConf.get(HiveAuthzConf.HIVE_ACCESS_CONF_URL);
+ depreicatedConfigFile = true;
+ }
+
+ if (hiveAuthzConf == null
+ || (hiveAuthzConf = hiveAuthzConf.trim()).isEmpty()) {
+ throw new IllegalArgumentException("Configuration key "
+ + HiveAuthzConf.HIVE_SENTRY_CONF_URL + " value '" + hiveAuthzConf
+ + "' is invalid.");
+ }
+
+ try {
+ return new HiveAuthzConf(new URL(hiveAuthzConf));
+ } catch (MalformedURLException e) {
+ if (depreicatedConfigFile) {
+ throw new IllegalArgumentException("Configuration key "
+ + HiveAuthzConf.HIVE_ACCESS_CONF_URL
+ + " specifies a malformed URL '" + hiveAuthzConf + "'", e);
+ } else {
+ throw new IllegalArgumentException("Configuration key "
+ + HiveAuthzConf.HIVE_SENTRY_CONF_URL
+ + " specifies a malformed URL '" + hiveAuthzConf + "'", e);
+ }
+ }
+ }
}
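Review bot: In `getAuthzConf` the configured value goes straight into `new URL(hiveAuthzConf)`, so any scheme the JVM has a handler for is accepted as the source of the authorization site file. Because that file determines the authorization configuration, either reject unexpected schemes or state the accepted ones in the Javadoc. If only local files are intended, a check such as `if (!"file".equals(url.getProtocol())) throw new IllegalArgumentException(...)` on the constructed URL would do. Separately, when both keys are unset the message names only `hive.sentry.conf.url` and prints `'null'`, the two `catch` branches differ only in the key name, and the local `depreicatedConfigFile` is misspelled.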
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-core/sentry-core-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/pom.xml b/sentry-core/sentry-core-common/pom.xml
index a14f129..d50963e 100644
--- a/sentry-core/sentry-core-common/pom.xml
+++ b/sentry-core/sentry-core-common/pom.xml
@@ -33,6 +33,10 @@ limitations under the License.
<artifactId>guava</artifactId>
</dependency>
<dependency>
+ <groupId>org.apache.shiro</groupId>
+ <artifactId>shiro-core</artifactId>
+ </dependency>
+ <dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java
new file mode 100644
index 0000000..516b2da
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.common;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.shiro.config.ConfigurationException;
+
+public class SentryConfigurationException extends ConfigurationException {
+ private List<String> configErrors = new ArrayList<String>();
+ private List<String> configWarnings = new ArrayList<String>();
+
+ public boolean hasWarnings() {
+ return !configWarnings.isEmpty();
+ }
+
+ public boolean hasErrors() {
+ return !configErrors.isEmpty();
+ }
+
+ public SentryConfigurationException() {
+ super();
+ }
+
+ public SentryConfigurationException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ public SentryConfigurationException(String message) {
+ super(message);
+ }
+
+ public SentryConfigurationException(Throwable cause) {
+ super(cause);
+ }
+
+ public List<String> getConfigErrors() {
+ return configErrors;
+ }
+
+ public void setConfigErrors(List<String> configErrors) {
+ this.configErrors = configErrors;
+ }
+
+ public List<String> getConfigWarnings() {
+ return configWarnings;
+ }
+
+ public void setConfigWarnings(List<String> configWarnings) {
+ this.configWarnings = configWarnings;
+ }
+}
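Review bot: `setConfigErrors` and `setConfigWarnings` store whatever list they are given, so a caller passing `null` makes later `hasErrors()` / `hasWarnings()` calls throw a NullPointerException. `printConfigErrors` in SentryConfigTool also iterates both getters without a null check. A defensive copy in each setter fixes this and stops callers changing the exception's state through the list they passed in: `this.configErrors = configErrors == null ? new ArrayList<String>() : new ArrayList<String>(configErrors);` (and the same for warnings). The class also has no Javadoc saying what separates an error from a warning, and it declares no `serialVersionUID`.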
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
index 693de1b..c08d082 100644
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
@@ -20,7 +20,9 @@ package org.apache.sentry.policy.common;
import java.util.List;
import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.SentryConfigurationException;
+import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ImmutableSetMultimap;
public interface PolicyEngine {
@@ -41,6 +43,15 @@ public interface PolicyEngine {
* @param group name
* @return non-null immutable set of permissions
*/
- public ImmutableSetMultimap<String, String> getPermissions(List<? extends Authorizable> authorizables, List<String> groups);
+ public ImmutableSetMultimap<String, String> getPermissions(
+ List<? extends Authorizable> authorizables, List<String> groups)
+ throws SentryConfigurationException;
+ public ImmutableSet<String> listPermissions(String groupName)
+ throws SentryConfigurationException;
+
+ public ImmutableSet<String> listPermissions(List<String> groupName)
+ throws SentryConfigurationException;
+
+ public void validatePolicy(boolean strictValidation) throws SentryConfigurationException;
}
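Review bot: The three methods added at the end of `PolicyEngine` (`listPermissions(String)`, `listPermissions(List<String>)`, `validatePolicy(boolean)`) have no Javadoc, unlike `getPermissions` above them, and nothing in the commit states what `strictValidation` changes. The same applies to `ProviderBackend.validatePolicy` later in this commit. I would document each, for example `/** Validates the policy source; problems are reported through SentryConfigurationException#getConfigErrors() and #getConfigWarnings(). */`, and spell out what strict mode adds. The parameter of the `List<String>` overload would read better as `groupNames`.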
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
index 1d72f87..1d01b47 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
@@ -19,11 +19,14 @@ package org.apache.sentry.policy.db;
import javax.annotation.Nullable;
import java.io.IOException;
+import java.util.ArrayList;
import java.util.List;
import java.util.Map.Entry;
+
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.core.model.db.AccessURI;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.policy.common.PermissionFactory;
@@ -36,7 +39,6 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.google.common.annotations.VisibleForTesting;
-
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ImmutableSetMultimap;
@@ -50,13 +52,15 @@ public class SimpleDBPolicyEngine implements PolicyEngine {
public final static String ACCESS_ALLOW_URI_PER_DB_POLICYFILE = "sentry.allow.uri.db.policyfile";
private ProviderBackend providerBackend;
+ private String serverName;
+ private List<? extends RoleValidator> validators;
public SimpleDBPolicyEngine(String serverName, ProviderBackend providerBackend) {
- List<? extends RoleValidator> validators =
- Lists.newArrayList(new ServersAllIsInvalid(), new DatabaseMustMatch(),
- new DatabaseRequiredInRole(), new ServerNameMustMatch(serverName));
+ validators = Lists.newArrayList(new ServersAllIsInvalid(), new DatabaseMustMatch(),
+ new DatabaseRequiredInRole(), new ServerNameMustMatch(serverName));
this.providerBackend = providerBackend;
this.providerBackend.process(validators);
+ this.serverName = serverName;
}
/**
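Review bot: `serverName` and `validators` are assigned exactly once in the constructor but are declared as mutable fields; `private final String serverName;` and `private final List<? extends RoleValidator> validators;` would make that explicit. `serverName` is not read in any hunk of this file shown here, so it may be unused. Since `validators` is now retained and passed to `validatePolicy` later, a one-line comment on the field saying it is the same list given to `providerBackend.process(...)` would help.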
@@ -71,7 +75,9 @@ public class SimpleDBPolicyEngine implements PolicyEngine {
* {@inheritDoc}
*/
@Override
- public ImmutableSetMultimap<String, String> getPermissions(List<? extends Authorizable> authorizables, List<String> groups) {
+ public ImmutableSetMultimap<String, String> getPermissions(
+ List<? extends Authorizable> authorizables, List<String> groups)
+ throws SentryConfigurationException {
String database = null;
Boolean isURI = false;
for(Authorizable authorizable : authorizables) {
@@ -139,4 +145,25 @@ public class SimpleDBPolicyEngine implements PolicyEngine {
}
return result;
}
+
+ @Override
+ public void validatePolicy(boolean strictValidation) throws SentryConfigurationException {
+ this.providerBackend.validatePolicy(validators, strictValidation);
+ }
+
+ @Override
+ public ImmutableSet<String> listPermissions(String groupName) throws SentryConfigurationException {
+ return getDBRoles(Database.ALL.getName(), groupName, true, providerBackend.getRoles());
+ }
+
+ @Override
+ public ImmutableSet<String> listPermissions(List<String> groupNames)
+ throws SentryConfigurationException {
+ ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
+ for (String groupName : groupNames) {
+ resultBuilder.addAll(listPermissions(groupName));
+ }
+ return resultBuilder.build();
+ }
+
}
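Review bot: `listPermissions(String)` passes `Database.ALL.getName()` and a bare `true` to `getDBRoles`, and neither the hunk nor a comment says what that selects. The result is what SentryConfigTool prints as the available privileges for a user, so a reader needs to know whether privileges granted through per-database policy files are included. A short comment on the call stating this would help, and if they are not included the Javadoc should say the listing is partial. `listPermissions(List<String>)` also throws a NullPointerException on a null `groupNames`; whether the group mapping can return null is not visible here.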
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
index 21711ef..51ab35d 100644
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
+++ b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
@@ -21,8 +21,10 @@ import javax.annotation.Nullable;
import java.io.IOException;
import java.util.List;
import java.util.Map.Entry;
+
import org.apache.shiro.config.ConfigurationException;
import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.policy.common.PermissionFactory;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.policy.common.RoleValidator;
@@ -33,7 +35,6 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.google.common.annotations.VisibleForTesting;
-
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ImmutableSetMultimap;
@@ -111,4 +112,23 @@ public class SimpleSearchPolicyEngine implements PolicyEngine {
}
return result;
}
+
+ @Override
+ public ImmutableSet<String> listPermissions(String groupName)
+ throws SentryConfigurationException {
+ // TODO: not supported yet
+ throw new SentryConfigurationException("Not implemented yet");
+ }
+
+ @Override
+ public ImmutableSet<String> listPermissions(List<String> groupName)
+ throws SentryConfigurationException {
+ throw new SentryConfigurationException("Not implemented yet");
+ }
+
+ @Override
+ public void validatePolicy(boolean strictValidation)
+ throws SentryConfigurationException {
+ throw new SentryConfigurationException("Not implemented yet");
+ }
}
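Review bot: All three added overrides signal "unsupported" by throwing `SentryConfigurationException("Not implemented yet")`, which tells callers the configuration is broken when it is not. A caller that handles the exception the way SentryConfigTool's `printConfigErrors` does would print the configuration-problems banner with no entries under it. `throw new UnsupportedOperationException("listPermissions is not supported by the search policy engine");` (and likewise for `validatePolicy`) describes the situation accurately. The `// TODO` appears only on the first method and should be on all three or in the class Javadoc.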
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
index 1244755..4887678 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
@@ -21,6 +21,7 @@ import java.util.Set;
import org.apache.sentry.core.common.Action;
import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.core.common.Subject;
public interface AuthorizationProvider {
@@ -44,4 +45,33 @@ public interface AuthorizationProvider {
* @return GroupMappingService used by the AuthorizationProvider
*/
public GroupMappingService getGroupMapping();
+
+ /***
+ * Validate the policy file format for syntax and semantic errors
+ * @param strictValidation
+ * @throws SentryConfigurationException
+ */
+ public void validateResource(boolean strictValidation) throws SentryConfigurationException;
+
+ /***
+ * Returns the list privileges for the given subject
+ * @param subject
+ * @return
+ * @throws SentryConfigurationException
+ */
+ public Set<String> listPermissionsForSubject(Subject subject) throws SentryConfigurationException;
+
+ /**
+ * Returns the list privileges for the given group
+ * @param groupName
+ * @return
+ * @throws SentryConfigurationException
+ */
+ public Set<String> listPermissionsForGroup(String groupName) throws SentryConfigurationException;
+
+ /***
+ * Returns the list of missing privileges of the last access request
+ * @return
+ */
+ public List<String> getLastFailedPermissions();
}
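Review bot: The Javadoc for `getLastFailedPermissions` does not say what is returned when the last request succeeded or when no request has been made. It also does not say whose "last access request" is meant when one provider instance serves more than one caller. Three of the four new comments open with `/***` rather than `/**`, and every `@param`/`@return` tag is empty. I would write something like `@return the permissions requested by the most recent hasAccess call on this instance if it was denied, otherwise an empty list`, which matches what ResourceAuthorizationProvider appears to do in this commit.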
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
index f48eafe..8f18926 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
@@ -16,11 +16,14 @@
*/
package org.apache.sentry.provider.common;
+import java.util.ArrayList;
+import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.sentry.core.common.Action;
import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.core.common.Subject;
public class NoAuthorizationProvider implements AuthorizationProvider {
@@ -36,4 +39,27 @@ public class NoAuthorizationProvider implements AuthorizationProvider {
public GroupMappingService getGroupMapping() {
return noGroupMappingService;
}
+
+ @Override
+ public void validateResource(boolean strictValidation) throws SentryConfigurationException {
+ return;
+ }
+
+ @Override
+ public Set<String> listPermissionsForSubject(Subject subject)
+ throws SentryConfigurationException {
+ return new HashSet<String>();
+ }
+
+ @Override
+ public Set<String> listPermissionsForGroup(String groupName)
+ throws SentryConfigurationException {
+ return new HashSet<String>();
+ }
+
+ @Override
+ public List<String> getLastFailedPermissions() {
+ return new ArrayList<String>();
+ }
+
}
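Review bot: `validateResource` returns without doing anything, so when this provider is the one configured, SentryConfigTool's `validatePolicy` goes on to print "No errors found in the policy file" although nothing was checked. A comment stating that the no-op is intentional would help, and the bare `return;` can be dropped. The three list methods allocate a new mutable collection on every call; `Collections.emptySet()` / `Collections.emptyList()` would do if callers never modify the result, which is not visible here.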
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
index 415a509..327a3a5 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
@@ -17,8 +17,12 @@
package org.apache.sentry.provider.common;
import javax.annotation.Nullable;
+
import java.util.List;
+
+import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.policy.common.RoleValidator;
+
import com.google.common.collect.ImmutableSet;
/**
@@ -36,4 +40,7 @@ public interface ProviderBackend {
* least once prior.
*/
public Roles getRoles();
+
+ public void validatePolicy(List<? extends RoleValidator> validators, boolean strictValidation)
+ throws SentryConfigurationException;
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
index 205d012..0743604 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
@@ -21,11 +21,13 @@ import static org.apache.sentry.provider.file.PolicyFileConstants.KV_JOINER;
import static org.apache.sentry.provider.file.PolicyFileConstants.PRIVILEGE_NAME;
import java.util.ArrayList;
+import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import org.apache.sentry.core.common.Action;
import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.policy.common.PermissionFactory;
import org.apache.sentry.policy.common.PolicyEngine;
@@ -46,6 +48,7 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
private final GroupMappingService groupService;
private final PolicyEngine policy;
private final PermissionFactory permissionFactory;
+ private final List<String> lastFailedPermissions = new ArrayList<String>();
public ResourceAuthorizationProvider(PolicyEngine policy,
GroupMappingService groupService) {
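Review bot: `lastFailedPermissions` is one unsynchronized `ArrayList` per provider instance, and the `doHasAccess` hunks below clear it at the start of every check and fill it on denial. If a provider instance is shared between sessions or threads (not visible from this diff), concurrent checks can corrupt the list, and a caller can read the denied permissions of someone else's request. Returning the denied permissions from the check itself, or holding them in a `ThreadLocal`, would avoid the shared state. At minimum the field needs a comment stating that the provider is assumed to be confined to one request at a time. `doHasAccess` also still builds the `hierarchy` list although the loop now uses `buildPermissions`; whether it is read further down is outside the hunk.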
@@ -80,16 +83,16 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
private boolean doHasAccess(Subject subject,
List<? extends Authorizable> authorizables, Set<? extends Action> actions) {
- List<String> groups = groupService.getGroups(subject.getName());
+ List<String> groups = getGroups(subject);
List<String> hierarchy = new ArrayList<String>();
for (Authorizable authorizable : authorizables) {
hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
}
Iterable<Permission> permissions = getPermissions(authorizables, groups);
- for (Action action : actions) {
- String requestPermission = AUTHORIZABLE_JOINER.join(hierarchy);
- requestPermission = AUTHORIZABLE_JOINER.join(requestPermission,
- KV_JOINER.join(PRIVILEGE_NAME, action.getValue()));
+ List<String> requestPermissions = buildPermissions(authorizables, actions);
+ lastFailedPermissions.clear();
+
+ for (String requestPermission : requestPermissions) {
for (Permission permission : permissions) {
/*
* Does the permission granted in the policy file imply the requested action?
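Review bot: The local `hierarchy` list and the loop that fills it are dead code after this change, because `buildPermissions(authorizables, actions)` builds the same list itself and nothing else in the visible part of `doHasAccess` reads it. Delete `List<String> hierarchy = new ArrayList<String>();` and its `for` loop so the request-string format lives only in `buildPermissions`. The body of `doHasAccess` continues past this hunk, so confirm nothing later uses `hierarchy` before removing it.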
@@ -104,6 +107,7 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
}
}
}
+ lastFailedPermissions.addAll(requestPermissions);
return false;
}
@@ -121,4 +125,47 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
public GroupMappingService getGroupMapping() {
return groupService;
}
+
+ private List<String> getGroups(Subject subject) {
+ return groupService.getGroups(subject.getName());
+ }
+
+ @Override
+ public void validateResource(boolean strictValidation) throws SentryConfigurationException {
+ policy.validatePolicy(strictValidation);
+ }
+
+ @Override
+ public Set<String> listPermissionsForSubject(Subject subject) throws SentryConfigurationException {
+ return policy.listPermissions(getGroups(subject));
+ }
+
+ @Override
+ public Set<String> listPermissionsForGroup(String groupName) throws SentryConfigurationException {
+ return policy.listPermissions(groupName);
+ }
+
+ @Override
+ public List<String> getLastFailedPermissions() {
+ return lastFailedPermissions;
+ }
+
+ private List<String> buildPermissions(List<? extends Authorizable> authorizables,
+ Set<? extends Action> actions) {
+ List<String> hierarchy = new ArrayList<String>();
+ List<String> requestedPermissions = new ArrayList<String>();
+
+ for (Authorizable authorizable : authorizables) {
+ hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
+ }
+
+ for (Action action : actions) {
+ String requestPermission = AUTHORIZABLE_JOINER.join(hierarchy);
+ requestPermission = AUTHORIZABLE_JOINER.join(requestPermission,
+ KV_JOINER.join(PRIVILEGE_NAME, action.getValue()));
+ requestedPermissions.add(requestPermission);
+ }
+ return requestedPermissions;
+ }
+
}
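Review bot: `getLastFailedPermissions()` hands out the provider's internal list, so a caller that keeps the reference sees it emptied by the next `doHasAccess` call and can also modify the provider's state. Return a snapshot instead: `return new ArrayList<String>(lastFailedPermissions);`. The new public methods also have no Javadoc. `listPermissionsForSubject` and `listPermissionsForGroup` each need a line saying what the returned strings represent and when `SentryConfigurationException` is thrown, and `getLastFailedPermissions` should say that the value reflects only the most recent denied check.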
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
index f432915..9eabb53 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
@@ -25,6 +25,7 @@ import static org.apache.sentry.provider.file.PolicyFileConstants.USERS;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URI;
+import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
@@ -36,6 +37,7 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.policy.common.RoleValidator;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.common.Roles;
@@ -70,6 +72,8 @@ public class SimpleFileProviderBackend implements ProviderBackend {
private Roles rolesStorage;
private final Configuration conf;
private boolean processed;
+ private final List<String> configErrors = new ArrayList<String>();
+ private final List<String> configWarnings = new ArrayList<String>();
public SimpleFileProviderBackend(String resourcePath) throws IOException {
this(new Configuration(), resourcePath);
@@ -92,11 +96,26 @@ public class SimpleFileProviderBackend implements ProviderBackend {
* {@inheritDoc}
*/
public void process(List<? extends RoleValidator> validators) {
+ configErrors.clear();
+ perDbResources.clear();
+ Ini ini;
+
LOGGER.info("Parsing " + resourcePath);
Roles roles = new Roles();
try {
perDbResources.clear();
- Ini ini = PolicyFiles.loadFromPath(fileSystem, resourcePath);
+ try {
+ ini = PolicyFiles.loadFromPath(fileSystem, resourcePath);
+ } catch (IOException e) {
+ configErrors.add("Failed to read policy file " + resourcePath +
+ " Error: " + e.getMessage());
+ throw new SentryConfigurationException("Error loading policy file " + resourcePath, e);
+ } catch (IllegalArgumentException e) {
+ configErrors.add("Failed to read policy file " + resourcePath +
+ " Error: " + e.getMessage());
+ throw new SentryConfigurationException("Error loading policy file " + resourcePath, e);
+ }
+
if(LOGGER.isDebugEnabled()) {
for(String sectionName : ini.getSectionNames()) {
LOGGER.debug("Section: " + sectionName);
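Review bot: `process` resets `configErrors` but never `configWarnings`, so warnings from an earlier parse stay in the list and, under `strictValidation`, `validatePolicy` keeps rejecting a policy file that has since been corrected. Add `configWarnings.clear();` next to `configErrors.clear();`. Two smaller points in the same hunk: `perDbResources.clear()` is now called twice, and the `SentryConfigurationException` thrown from the two inner `catch` blocks appears to be caught again by the method's outer `catch (Exception e)` (visible in hunk @@ -124), which would record a second error and continue with empty roles rather than propagate. The body of `process` continues past this hunk.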
@@ -109,7 +128,7 @@ public class SimpleFileProviderBackend implements ProviderBackend {
}
ImmutableSetMultimap<String, String> globalRoles;
Map<String, ImmutableSetMultimap<String, String>> perDatabaseRoles = Maps.newHashMap();
- globalRoles = parseIni(null, ini, validators);
+ globalRoles = parseIni(null, ini, validators, resourcePath);
Ini.Section filesSection = ini.getSection(DATABASES);
if(filesSection == null) {
LOGGER.info("Section " + DATABASES + " needs no further processing");
@@ -124,21 +143,27 @@ public class SimpleFileProviderBackend implements ProviderBackend {
LOGGER.info("Parsing " + perDbPolicy);
Ini perDbIni = PolicyFiles.loadFromPath(perDbPolicy.getFileSystem(conf), perDbPolicy);
if(perDbIni.containsKey(USERS)) {
+ configErrors.add("Per-db policy file cannot contain " + USERS + " section in " + perDbPolicy);
throw new ConfigurationException("Per-db policy files cannot contain " + USERS + " section");
}
if(perDbIni.containsKey(DATABASES)) {
+ configErrors.add("Per-db policy files cannot contain " + DATABASES
+ + " section in " + perDbPolicy);
throw new ConfigurationException("Per-db policy files cannot contain " + DATABASES + " section");
}
- ImmutableSetMultimap<String, String> currentDbRoles = parseIni(database, perDbIni, validators);
+ ImmutableSetMultimap<String, String> currentDbRoles = parseIni(database, perDbIni, validators, perDbPolicy);
perDatabaseRoles.put(database, currentDbRoles);
perDbResources.add(perDbPolicy);
} catch (Exception e) {
+ configErrors.add("Failed to read per-DB policy file " + perDbPolicy +
+ " Error: " + e.getMessage());
LOGGER.error("Error processing key " + entry.getKey() + ", skipping " + entry.getValue(), e);
}
}
}
roles = new Roles(globalRoles, ImmutableMap.copyOf(perDatabaseRoles));
} catch (Exception e) {
+ configErrors.add("Error processing file " + resourcePath + e.getMessage());
LOGGER.error("Error processing file, ignoring " + resourcePath, e);
}
rolesStorage = roles;
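Review bot: The error string built in the outer `catch` runs the path and the exception text together: `"Error processing file " + resourcePath + e.getMessage()`. Match the other messages in this patch with `configErrors.add("Error processing file " + resourcePath + " Error: " + e.getMessage());`. A per-DB file that fails the `USERS` or `DATABASES` check is also recorded twice, once before the `throw new ConfigurationException(...)` and again by the `catch (Exception e)` a few lines below, so the validation output carries duplicate entries for one problem. Dropping the `configErrors.add` before each `throw` and letting the `catch` record the failure would keep one entry per file. `process` starts before this hunk.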
@@ -167,26 +192,32 @@ public class SimpleFileProviderBackend implements ProviderBackend {
return result;
}
- private ImmutableSetMultimap<String, String> parseIni(String database, Ini ini, List<? extends RoleValidator> validators) {
+ private ImmutableSetMultimap<String, String> parseIni(String database, Ini ini, List<? extends RoleValidator> validators,
+ Path policyPath) {
Ini.Section privilegesSection = ini.getSection(ROLES);
boolean invalidConfiguration = false;
if (privilegesSection == null) {
- LOGGER.warn("Section {} empty for {}", ROLES, resourcePath);
+ String errMsg = String.format("Section %s empty for %s", ROLES, policyPath);
+ LOGGER.warn(errMsg);
+ configErrors.add(errMsg);
invalidConfiguration = true;
}
Ini.Section groupsSection = ini.getSection(GROUPS);
if (groupsSection == null) {
- LOGGER.warn("Section {} empty for {}", GROUPS, resourcePath);
+ String warnMsg = String.format("Section %s empty for %s", GROUPS, policyPath);
+ LOGGER.warn(warnMsg);
+ configErrors.add(warnMsg);
invalidConfiguration = true;
}
if (!invalidConfiguration) {
- return parsePermissions(database, privilegesSection, groupsSection, validators);
+ return parsePermissions(database, privilegesSection, groupsSection, validators, policyPath);
}
return ImmutableSetMultimap.of();
}
private ImmutableSetMultimap<String, String> parsePermissions(@Nullable String database,
- Ini.Section rolesSection, Ini.Section groupsSection, List<? extends RoleValidator> validators) {
+ Ini.Section rolesSection, Ini.Section groupsSection, List<? extends RoleValidator> validators,
+ Path policyPath) {
ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
Multimap<String, String> roleNameToPrivilegeMap = HashMultimap
.create();
@@ -195,16 +226,21 @@ public class SimpleFileProviderBackend implements ProviderBackend {
String roleValue = Strings.nullToEmpty(entry.getValue()).trim();
boolean invalidConfiguration = false;
if (roleName.isEmpty()) {
- LOGGER.warn("Empty role name encountered in {}", resourcePath);
+ String errMsg = String.format("Empty role name encountered in %s", policyPath);
+ LOGGER.warn(errMsg);
+ configErrors.add(errMsg);
invalidConfiguration = true;
}
if (roleValue.isEmpty()) {
- LOGGER.warn("Empty role value encountered in {}", resourcePath);
+ String errMsg = String.format("Empty role value encountered in %s", policyPath);
+ LOGGER.warn(errMsg);
+ configErrors.add(errMsg);
invalidConfiguration = true;
}
if (roleNameToPrivilegeMap.containsKey(roleName)) {
- LOGGER.warn("Role {} defined twice in {}", roleName,
- resourcePath);
+ String warnMsg = String.format("Role %s defined twice in %s", roleName, policyPath);
+ LOGGER.warn(warnMsg);
+ configWarnings.add(warnMsg);
}
Set<String> roles = PermissionUtils
.toPermissionStrings(roleValue);
@@ -227,8 +263,10 @@ public class SimpleFileProviderBackend implements ProviderBackend {
resolvedGroupPrivileges.addAll(roleNameToPrivilegeMap
.get(roleName));
} else {
- LOGGER.warn("Role {} for group {} does not exist in privileges section in {}",
- new Object[] { roleName, groupName, resourcePath });
+ String warnMsg = String.format("Role %s for group %s does not exist in privileges section in %s",
+ roleName, groupName, policyPath);
+ LOGGER.warn(warnMsg);
+ configWarnings.add(warnMsg);
}
}
resultBuilder.putAll(groupName, resolvedGroupPrivileges);
@@ -244,4 +282,17 @@ public class SimpleFileProviderBackend implements ProviderBackend {
return rolesStorage;
}
+
+ @Override
+ public void validatePolicy(List<? extends RoleValidator> validators, boolean strictValidation)
+ throws SentryConfigurationException {
+ if ((strictValidation && !configWarnings.isEmpty()) || !configErrors.isEmpty()) {
+ configErrors.add("Failed to process global policy file " + resourcePath);
+ SentryConfigurationException e = new SentryConfigurationException("");
+ e.setConfigErrors(configErrors);
+ e.setConfigWarnings(configWarnings);
+ throw e;
+ }
+ }
+
}
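Review bot: `validatePolicy` passes the backend's own `configErrors` and `configWarnings` lists into the exception, so the next `process` call, which clears `configErrors`, also empties the list a caller is still holding. It also appends "Failed to process global policy file" on every failing call, so repeated validation keeps growing the list. Build the exception from copies, for example `e.setConfigErrors(new ArrayList<String>(configErrors));` and the same for warnings, and add the summary line to the copy rather than to the field. The empty message in `new SentryConfigurationException("")` leaves nothing for code that logs only `getMessage()`, so a short summary string would help. The `validators` argument is not used by the method.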
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
index a4d4bb3..a50bd24 100644
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
@@ -18,12 +18,18 @@ package org.apache.sentry.provider.file;
import java.util.Arrays;
import java.util.List;
+
import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.policy.common.PermissionFactory;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.GroupMappingService;
+
+import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ImmutableSetMultimap;
+
import org.junit.Test;
+
import static org.junit.Assert.assertSame;
public class TestGetGroupMapping {
@@ -45,6 +51,21 @@ public class TestGetGroupMapping {
public PermissionFactory getPermissionFactory() { return null; }
public ImmutableSetMultimap<String, String> getPermissions(List<? extends Authorizable> authorizables, List<String> groups) { return null; }
+
+ public ImmutableSet<String> listPermissions(String groupName)
+ throws SentryConfigurationException {
+ return null;
+ }
+
+ public ImmutableSet<String> listPermissions(List<String> groupName)
+ throws SentryConfigurationException {
+ return null;
+ }
+
+ public void validatePolicy(boolean strictValidation)
+ throws SentryConfigurationException {
+ return;
+ }
};
TestResourceAuthorizationProvider authProvider =
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
index 66cd2d1..2f83678 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
@@ -209,4 +209,8 @@ public class Context {
public String getProperty(String propName) {
return hiveServer.getProperty(propName);
}
-}
\ No newline at end of file
+
+ public String getConnectionURL() {
+ return hiveServer.getURL();
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a4819f5b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java
new file mode 100644
index 0000000..6968cc0
--- /dev/null
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java
@@ -0,0 +1,304 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.tests.e2e.hive;
+
+import static org.junit.Assert.*;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.PrintStream;
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.ResultSetMetaData;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+
+import junit.framework.Assert;
+
+import org.apache.sentry.binding.hive.authz.SentryConfigTool;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
+import org.apache.sentry.core.common.SentryConfigurationException;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.provider.file.PolicyFile;
+
+import com.google.common.io.Resources;
+
+public class TestConfigTool extends AbstractTestWithStaticConfiguration {
+ private static final String DB2_POLICY_FILE = "db2-policy-file.ini";
+ private static String prefix;
+
+ private PolicyFile policyFile;
+ private SentryConfigTool configTool;
+
+ @Before
+ public void setup() throws Exception {
+ context = createContext();
+ policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP);
+ configTool = new SentryConfigTool();
+ String hiveServer2 = System.getProperty("sentry.e2etest.hiveServer2Type",
+ "InternalHiveServer2");
+ String policyOnHDFS = System.getProperty(
+ "sentry.e2etest.hive.policyOnHDFS", "true");
+ if (policyOnHDFS.trim().equalsIgnoreCase("true")
+ && (hiveServer2.equals("UnmanagedHiveServer2"))) {
+ String policyLocation = System.getProperty(
+ "sentry.e2etest.hive.policy.location", "/user/hive/sentry");
+ prefix = "hdfs://" + policyLocation + "/";
+ } else {
+ prefix = "file://" + context.getPolicyFile().getParent() + "/";
+ }
+
+ }
+
+ @After
+ public void tearDown() throws Exception {
+ if (context != null) {
+ context.close();
+ }
+ }
+
+ /**
+ * Verify errors/warnings from malformed policy file
+ * @throws Exception
+ */
+ @Test
+ public void testInvalidPolicy() throws Exception {
+ // policy file, missing insert_tab2 and select_tab3 role definition
+ policyFile
+ .addRolesToGroup(USERGROUP1, "select_tab1", "insert_tab2")
+ .addRolesToGroup(USERGROUP2, "select_tab3")
+ .addPermissionsToRole("select_tab1",
+ "server=server1->db=db1->table=tab1->action=select")
+ .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ policyFile.write(context.getPolicyFile());
+
+ configTool.setPolicyFile(context.getPolicyFile().getPath());
+ configTool.setupConfig();
+ try {
+ configTool.getSentryProvider().validateResource(true);
+ fail("Policy validation should fail for malformed policy");
+ } catch (SentryConfigurationException e) {
+ assertTrue(e
+ .getConfigWarnings()
+ .get(0)
+ .contains(
+ "Role select_tab3 for group " + USERGROUP2 + " does not exist"));
+ assertTrue(e
+ .getConfigWarnings()
+ .get(1)
+ .contains(
+ "Role insert_tab2 for group " + USERGROUP1 + " does not exist"));
+ }
+ }
+
+ /**
+ * Verify errors/warnings from malformed policy file with per-DB policy
+ * @throws Exception
+ */
+ @Test
+ public void testInvalidPerDbPolicy() throws Exception {
+ PolicyFile db2PolicyFile = new PolicyFile();
+ File db2PolicyFileHandle = new File(context.getPolicyFile().getParent(),
+ DB2_POLICY_FILE);
+ // invalid db2 policy file with missing roles
+ db2PolicyFile
+ .addRolesToGroup(USERGROUP2, "select_tbl2", "insert_db2_tab2")
+ .addPermissionsToRole("select_tbl2",
+ "server=server1->db=db2->table=tbl2->action=select")
+ .write(db2PolicyFileHandle);
+
+ policyFile
+ .addRolesToGroup(USERGROUP1, "select_tbl1")
+ .addRolesToGroup(USERGROUP2, "select_tbl3")
+ .addPermissionsToRole("select_tbl1",
+ "server=server1->db=db1->table=tbl1->action=select")
+ .addDatabase("db2", prefix + db2PolicyFileHandle.getName())
+ .setUserGroupMapping(StaticUserGroup.getStaticMapping())
+ .write(context.getPolicyFile());
+
+ configTool.setPolicyFile(context.getPolicyFile().getPath());
+ configTool.setupConfig();
+ try {
+ configTool.getSentryProvider().validateResource(true);
+ fail("Policy validation should fail for malformed policy");
+ } catch (SentryConfigurationException e) {
+ assertTrue(e
+ .getConfigWarnings()
+ .get(0)
+ .contains(
+ "Role select_tbl3 for group " + USERGROUP2 + " does not exist"));
+ assertTrue(e.getConfigWarnings().get(0)
+ .contains(context.getPolicyFile().getName()));
+ assertTrue(e
+ .getConfigWarnings()
+ .get(1)
+ .contains(
+ "Role insert_db2_tab2 for group " + USERGROUP2
+ + " does not exist"));
+ assertTrue(e.getConfigWarnings().get(1)
+ .contains(db2PolicyFileHandle.getName()));
+ }
+ }
+
+ /**
+ * Validate user permissions listing
+ * @throws Exception
+ */
+ @Test
+ public void testUserPermissions() throws Exception {
+ policyFile
+ .addRolesToGroup(USERGROUP1, "select_tab1", "insert_tab2")
+ .addRolesToGroup(USERGROUP2, "select_tab3")
+ .addPermissionsToRole("select_tab1",
+ "server=server1->db=db1->table=tab1->action=select")
+ .addPermissionsToRole("insert_tab2",
+ "server=server1->db=db1->table=tab2->action=insert")
+ .addPermissionsToRole("select_tab3",
+ "server=server1->db=db1->table=tab3->action=select")
+ .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ policyFile.write(context.getPolicyFile());
+
+ configTool.setPolicyFile(context.getPolicyFile().getPath());
+ configTool.setupConfig();
+ configTool.validatePolicy();
+
+ Set<String> permList = configTool.getSentryProvider()
+ .listPermissionsForSubject(new Subject(USER1_1));
+ assertTrue(permList
+ .contains("server=server1->db=db1->table=tab1->action=select"));
+ assertTrue(permList
+ .contains("server=server1->db=db1->table=tab2->action=insert"));
+
+ permList = configTool.getSentryProvider().listPermissionsForSubject(
+ new Subject(USER2_1));
+ assertTrue(permList
+ .contains("server=server1->db=db1->table=tab3->action=select"));
+
+ permList = configTool.getSentryProvider().listPermissionsForSubject(
+ new Subject(ADMIN1));
+ assertTrue(permList.contains("server=server1"));
+ }
+
+ /***
+ * Verify the mock compilation config setting forces query to abort
+ * @throws Exception
+ */
+ @Test
+ public void testMockCompilation() throws Exception {
+ policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ policyFile.write(context.getPolicyFile());
+ // setup db objects needed by the test
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+
+ statement.execute("DROP TABLE IF EXISTS tab1");
+ statement.execute("CREATE TABLE tab1(B INT, A STRING) "
+ + " row format delimited fields terminated by '|' stored as textfile");
+ statement.execute("SELECT * FROM tab1");
+
+ statement.execute("SET " + HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION
+ + "=true");
+ try {
+ statement.execute("SELECT * FROM tab1");
+ fail("Query should fail with mock error config enabled");
+ } catch (SQLException e) {
+ assertTrue(e.getMessage().contains(HiveAuthzConf.HIVE_SENTRY_MOCK_ERROR));
+ }
+ statement.close();
+
+ }
+
+ /**
+ * verify missing permissions for query using remote query validation
+ * @throws Exception
+ */
+ @Test
+ public void testQueryPermissions() throws Exception {
+ policyFile
+ .addRolesToGroup(USERGROUP1, "select_tab1", "insert_tab2")
+ .addRolesToGroup(USERGROUP2, "select_tab3")
+ .addPermissionsToRole("select_tab1",
+ "server=server1->db=default->table=tab1->action=select")
+ .addPermissionsToRole("insert_tab2",
+ "server=server1->db=default->table=tab2->action=insert")
+ .addPermissionsToRole("select_tab3",
+ "server=server1->db=default->table=tab3->action=select")
+ .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ policyFile.write(context.getPolicyFile());
+
+ // setup db objects needed by the test
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+
+ statement.execute("DROP TABLE IF EXISTS tab1");
+ statement.execute("DROP TABLE IF EXISTS tab2");
+ statement.execute("DROP TABLE IF EXISTS tab3");
+ statement.execute("CREATE TABLE tab1(B INT, A STRING) "
+ + " row format delimited fields terminated by '|' stored as textfile");
+ statement.execute("CREATE TABLE tab2(B INT, A STRING) "
+ + " row format delimited fields terminated by '|' stored as textfile");
+ statement.execute("CREATE TABLE tab3(B INT, A STRING) "
+ + " row format delimited fields terminated by '|' stored as textfile");
+ statement.close();
+ connection.close();
+
+ configTool.setPolicyFile(context.getPolicyFile().getPath());
+ configTool.setJdbcURL(context.getConnectionURL());
+ configTool.setUser(USER1_1);
+ configTool.setupConfig();
+ ByteArrayOutputStream errBuffer = new ByteArrayOutputStream();
+
+ // user1_1 can query table1
+ configTool.setUser(USER1_1);
+ configTool.verifyRemoteQuery("SELECT COUNT(*) FROM tab1");
+
+ // user1_1 can't select from tab3
+ try {
+ System.setOut(new PrintStream(errBuffer));
+ configTool.setUser(USER1_1);
+ configTool.verifyRemoteQuery("SELECT COUNT(*) FROM tab3");
+ fail("Query should have failed with insufficient perms");
+ } catch (SQLException e) {
+ assertTrue(errBuffer.toString().contains(
+ "Server=server1->Db=default->Table=tab3->action=select"));
+ errBuffer.flush();
+ }
+
+ // user2_1 can select from tab3, but can't insert into tab2
+ try {
+ configTool.setUser(USER2_1);
+ configTool
+ .verifyRemoteQuery("INSERT OVERWRITE TABLE tab2 SELECT * FROM tab3");
+ fail("Query should have failed with insufficient perms");
+ } catch (SQLException e) {
+ assertTrue(errBuffer.toString().contains(
+ "Server=server1->Db=default->Table=tab2->action=insert"));
+ }
+
+ }
+}
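Review bot: `testQueryPermissions` replaces `System.out` with `System.setOut(new PrintStream(errBuffer))` and never restores it, so every test that runs afterwards in the same JVM loses its console output. Save the stream first with `PrintStream savedOut = System.out;` and restore it in a `finally { System.setOut(savedOut); }`. `errBuffer.flush()` in the first `catch` does not empty a `ByteArrayOutputStream`; use `errBuffer.reset()` so the second assertion only sees output from the second query. In `testMockCompilation` the `Connection` is never closed, and the `Statement` is closed only on the success path. The `get(0)`/`get(1)` assertions in the two invalid-policy tests assume a fixed warning order, which may not hold if the groups section is iterated in hash order.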
[19/26] git commit: SENTRY-112: Add test-output directory to
.gitignore (Brock Noland via Shreepadma Venugopalan)
Posted by br...@apache.org.
SENTRY-112: Add test-output directory to .gitignore (Brock Noland via Shreepadma Venugopalan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/55ca6c7c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/55ca6c7c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/55ca6c7c
Branch: refs/heads/db_policy_store
Commit: 55ca6c7c27b42c1cfcdf54ed0175adc7f4eab855
Parents: c6e23e9
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Thu Feb 6 14:10:33 2014 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Thu Feb 6 14:10:33 2014 -0800
----------------------------------------------------------------------
.gitignore | 1 +
1 file changed, 1 insertion(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/55ca6c7c/.gitignore
----------------------------------------------------------------------
diff --git a/.gitignore b/.gitignore
index 252b816..920de9a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@ target/
*.jar
*.war
*.ear
+test-output/
[18/26] git commit: SENTRY-111: Setup automated patch testing (Brock
Noland via Shreepadma Venugopalan)
Posted by br...@apache.org.
SENTRY-111: Setup automated patch testing (Brock Noland via Shreepadma Venugopalan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/c6e23e9e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/c6e23e9e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/c6e23e9e
Branch: refs/heads/db_policy_store
Commit: c6e23e9e5b8c9f6d4e5eae2fc60df0196c4c66c2
Parents: 3409c16
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Tue Feb 4 14:39:26 2014 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Tue Feb 4 14:39:26 2014 -0800
----------------------------------------------------------------------
dev-support/test-patch.py | 308 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 308 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c6e23e9e/dev-support/test-patch.py
----------------------------------------------------------------------
diff --git a/dev-support/test-patch.py b/dev-support/test-patch.py
new file mode 100644
index 0000000..8fd158d
--- /dev/null
+++ b/dev-support/test-patch.py
@@ -0,0 +1,308 @@
+#!/usr/bin/env python
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+import sys, os, re, urllib2, base64, subprocess, tempfile, shutil
+from optparse import OptionParser
+
+tmp_dir = None
+BASE_JIRA_URL = 'https://issues.apache.org/jira'
+
+def execute(cmd, log=True):
+ if log:
+ print "INFO: Executing %s" % (cmd)
+ return subprocess.call(cmd, shell=True)
+
+def jira_request(result, url, username, password, data, headers):
+ request = urllib2.Request(url, data, headers)
+ print "INFO: URL = %s, Username = %s, data = %s, headers = %s" % (url, username, data, str(headers))
+ if username and password:
+ base64string = base64.encodestring('%s:%s' % (username, password)).replace('\n', '')
+ request.add_header("Authorization", "Basic %s" % base64string)
+ return urllib2.urlopen(request)
+
+def jira_get_defect_html(result, defect, username, password):
+ url = "%s/browse/%s" % (BASE_JIRA_URL, defect)
+ return jira_request(result, url, username, password, None, {}).read()
+
+def jira_get_defect(result, defect, username, password):
+ url = "%s/rest/api/2/issue/%s" % (BASE_JIRA_URL, defect)
+ return jira_request(result, url, username, password, None, {}).read()
+
+def jira_post_comment(result, defect, branch, username, password):
+ url = "%s/rest/api/2/issue/%s/comment" % (BASE_JIRA_URL, defect)
+ body = [ "Here are the results of testing the latest attachment" ]
+ body += [ "%s against %s." % (result.attachment, branch) ]
+ body += [ "" ]
+ if result._fatal:
+ result._error = [ result._fatal ] + result._error
+ if result._error:
+ count = len(result._error)
+ if count == 1:
+ body += [ "{color:red}Overall:{color} -1 due to an error" ]
+ else:
+ body += [ "{color:red}Overall:{color} -1 due to %d errors" % (count) ]
+ else:
+ body += [ "{color:green}Overall:{color} +1 all checks pass" ]
+ body += [ "" ]
+ for error in result._error:
+ body += [ "{color:red}ERROR:{color} %s" % (error.replace("\n", "\\n")) ]
+ for info in result._info:
+ body += [ "INFO: %s" % (info.replace("\n", "\\n")) ]
+ for success in result._success:
+ body += [ "{color:green}SUCCESS:{color} %s" % (success.replace("\n", "\\n")) ]
+ if "BUILD_URL" in os.environ:
+ body += [ "" ]
+ body += [ "Console output: %sconsole" % (os.environ['BUILD_URL']) ]
+ body += [ "" ]
+ body += [ "This message is automatically generated." ]
+ body = "{\"body\": \"%s\"}" % ("\\n".join(body))
+ headers = {'Content-Type' : 'application/json'}
+ response = jira_request(result, url, username, password, body, headers)
+ body = response.read()
+ if response.code != 201:
+ msg = """Request for %s failed:
+ URL = '%s'
+ Code = '%d'
+ Comment = '%s'
+ Response = '%s'
+ """ % (defect, url, response.code, comment, body)
+ print "FATAL: %s" % (msg)
+ sys.exit(1)
+
+# hack (from hadoop) but REST api doesn't list attachments?
+def jira_get_attachment(result, defect, username, password):
+ html = jira_get_defect_html(result, defect, username, password)
+ pattern = "(/secure/attachment/[0-9]+/%s[0-9\-]*\.(patch|txt|patch\.txt))" % (re.escape(defect))
+ matches = []
+ for match in re.findall(pattern, html, re.IGNORECASE):
+ matches += [ match[0] ]
+ if matches:
+ matches.sort()
+ return "%s%s" % (BASE_JIRA_URL, matches.pop())
+ return None
+
+def git_cleanup():
+ clean_rc = execute("git clean -d -f", False)
+ if clean_rc != 0:
+ print "ERROR: git clean failed"
+ reset_rc = execute("git reset --hard HEAD", False)
+ if reset_rc != 0:
+ print "ERROR: git reset failed"
+ return clean_rc + reset_rc
+
+def git_checkout(result, branch):
+ if git_cleanup() != 0:
+ result.fatal("git cleanup")
+ if execute("git fetch origin") != 0:
+ result.fatal("git fetch failed")
+ if execute("git checkout %s || git checkout -b %s origin/%s" % (branch, branch, branch)) != 0:
+ result.fatal("git checkout %s failed" % (branch))
+ if execute("git reset --hard origin/%s" % (branch)) != 0:
+ result.fatal("git reset %s failed" % (branch))
+ if execute("git merge --ff-only origin/%s" % (branch)):
+ result.fatal("git merge failed")
+
+def git_apply(result, cmd, patch_file, strip, output_dir):
+ output_file = "%s/apply.txt" % (output_dir)
+ rc = execute("%s -p%s < %s 1>%s 2>&1" % (cmd, strip, patch_file, output_file))
+ output = ""
+ if os.path.exists(output_file):
+ with open(output_file) as fh:
+ output = fh.read()
+ if rc == 0:
+ if output:
+ print output
+ else:
+ result.fatal("failed to apply patch (exit code %d):\n%s\n" % (rc, output))
+
+def mvn_clean(result, workspace, output_dir):
+ rc = execute("mvn clean -Dmaven.repo.local=%s 1>%s/clean.txt 2>&1" % (workspace, output_dir))
+ if rc != 0:
+ result.fatal("failed to clean project (exit code %d)" % (rc))
+
+def mvn_install(result, workspace, output_dir):
+ rc = execute("mvn install -DskipTests -Dmaven.repo.local=%s 1>%s/install.txt 2>&1" % (workspace, output_dir))
+ if rc != 0:
+ result.fatal("failed to build with patch (exit code %d)" % (rc))
+
+def find_all_files(top):
+ for root, dirs, files in os.walk(top):
+ for f in files:
+ yield os.path.join(root, f)
+
+def mvn_test(result, workspace, output_dir):
+ rc = execute("mvn verify -Dmaven.repo.local=%s 1>%s/test.txt 2>&1" % (workspace, output_dir))
+ if rc == 0:
+ result.success("all tests passed")
+ else:
+ result.error("mvn test exited %d" % (rc))
+ failed_tests = []
+ for path in list(find_all_files(".")):
+ file_name = os.path.basename(path)
+ if file_name.startswith("TEST-") and file_name.endswith(".xml"):
+ fd = open(path)
+ for line in fd:
+ if "<failure" in line or "<error" in line:
+ matcher = re.search("TEST\-(.*).xml$", file_name)
+ if matcher:
+ failed_tests += [ matcher.groups()[0] ]
+ fd.close()
+ for failed_test in failed_tests:
+ result.error("Failed: %s" % (failed_test))
+
+class Result(object):
+ def __init__(self):
+ self._error = []
+ self._info = []
+ self._success = []
+ self._fatal = None
+ self.exit_handler = None
+ self.attachment = "Not Found"
+ def error(self, msg):
+ self._error.append(msg)
+ def info(self, msg):
+ self._info.append(msg)
+ def success(self, msg):
+ self._success.append(msg)
+ def fatal(self, msg):
+ self._fatal = msg
+ self.exit_handler()
+ self.exit()
+ def exit(self):
+ git_cleanup()
+ if self._fatal or self._error:
+ if tmp_dir:
+ print "INFO: output is located %s" % (tmp_dir)
+ elif tmp_dir:
+ shutil.rmtree(tmp_dir)
+ sys.exit(0)
+
+usage = "usage: %prog [options]"
+parser = OptionParser(usage)
+parser.add_option("--branch", dest="branch",
+ help="Local git branch to test against", metavar="master", default="master")
+parser.add_option("--defect", dest="defect",
+ help="Defect name", metavar="SENTRY-1787")
+parser.add_option("--file", dest="filename",
+ help="Test patch file", metavar="FILE")
+parser.add_option("--run-tests", dest="run_tests",
+ help="Run Tests", action="store_true")
+parser.add_option("--username", dest="username",
+ help="JIRA Username", metavar="USERNAME", default="hiveqa")
+parser.add_option("--output", dest="output_dir",
+ help="Directory to write output", metavar="DIRECTORY")
+parser.add_option("--post-results", dest="post_results",
+ help="Post results to JIRA (only works in defect mode)", action="store_true")
+parser.add_option("--password", dest="password",
+ help="JIRA Password", metavar="PASSWORD")
+parser.add_option("--patch-command", dest="patch_cmd", default="git apply",
+ help="Patch command such as `git apply' or `patch'", metavar="COMMAND")
+parser.add_option("-p", "--strip", dest="strip", default="1",
+ help="Remove <n> leading slashes from diff paths", metavar="N")
+parser.add_option("--workspace", dest="workspace",
+ help="Jenkins workspace directory", metavar="DIR")
+
+(options, args) = parser.parse_args()
+if not (options.defect or options.filename):
+ print "FATAL: Either --defect or --file is required."
+ sys.exit(1)
+
+if options.defect and options.filename:
+ print "FATAL: Both --defect and --file cannot be specified."
+ sys.exit(1)
+
+if options.output_dir and not os.path.isdir(options.output_dir):
+ print "FATAL: Output directory %s does not exist" % (options.output_dir)
+ sys.exit(1)
+
+if options.post_results and not options.password:
+ print "FATAL: --post-results requires --password"
+ sys.exit(1)
+
+if not options.workspace:
+ print "FATAL: --workspace is required"
+ sys.exit(1)
+
+branch = options.branch
+output_dir = options.output_dir
+defect = options.defect
+username = options.username
+password = options.password
+run_tests = options.run_tests
+post_results = options.post_results
+strip = options.strip
+patch_cmd = options.patch_cmd
+workspace = options.workspace
+result = Result()
+
+def log_and_exit():
+ if result._fatal:
+ print "FATAL: %s" % (result._fatal)
+ for error in result._error:
+ print "ERROR: %s" % (error)
+ for info in result._info:
+ print "INFO: %s" % (info)
+ for success in result._success:
+ print "SUCCESS: %s" % (success)
+ result.exit()
+
+result.exit_handler = log_and_exit
+
+if post_results:
+ def post_jira_comment_and_exit():
+ jira_post_comment(result, defect, branch, username, password)
+ result.exit()
+ result.exit_handler = post_jira_comment_and_exit
+
+if not output_dir:
+ tmp_dir = tempfile.mkdtemp()
+ output_dir = tmp_dir
+
+if output_dir.endswith("/"):
+ output_dir = output_dir[:-1]
+
+if defect:
+ jira_json = jira_get_defect(result, defect, username, password)
+ if '"Patch Available"' not in jira_json:
+ print "ERROR: Defect %s not in patch available state" % (defect)
+ sys.exit(1)
+ attachment = jira_get_attachment(result, defect, username, password)
+ if not attachment:
+ print "ERROR: No attachments found for %s" % (defect)
+ sys.exit(1)
+ result.attachment = attachment
+ patch_contents = jira_request(result, result.attachment, username, password, None, {}).read()
+ patch_file = "%s/%s.patch" % (output_dir, defect)
+ with open(patch_file, 'a') as fh:
+ fh.write(patch_contents)
+elif options.filename:
+ patch_file = options.filename
+else:
+ raise Exception("Not reachable")
+
+mvn_clean(result, workspace, output_dir)
+git_checkout(result, branch)
+git_apply(result, patch_cmd, patch_file, strip, output_dir)
+mvn_install(result, workspace, output_dir)
+if run_tests:
+ mvn_test(result, workspace, output_dir)
+else:
+ result.info("patch applied and built but tests did not execute")
+
+result.exit_handler()
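Review bot: `execute()` hands every command to `subprocess.call(cmd, shell=True)` as a string assembled with `%` from `--branch`, `--strip`, `--patch-command`, `--workspace`, `--output` and the patch path (which embeds `--defect`), so any shell metacharacter in those values is interpreted by the shell on the build host. If the CI job fills these options from job parameters (not visible in this hunk), that is a command-injection path into the machine that also holds the JIRA password. Passing argument lists without a shell and doing the redirections with file handles removes it. The sketch below covers `execute` and `git_apply`; `git_checkout` (whose `||` fallback becomes two calls) and the `mvn_*` helpers would follow the same pattern.

```python
def execute(cmd, log=True, **kwargs):
  # cmd is an argument list and no shell is started, so option values
  # reach the program verbatim instead of being parsed as shell syntax
  if log:
    print "INFO: Executing %s" % (" ".join(cmd))
  return subprocess.call(cmd, **kwargs)

def git_apply(result, cmd, patch_file, strip, output_dir):
  output_file = "%s/apply.txt" % (output_dir)
  with open(patch_file) as patch_fh:
    with open(output_file, "w") as out_fh:
      rc = execute(cmd.split() + ["-p%s" % (strip)],
                   stdin=patch_fh, stdout=out_fh, stderr=subprocess.STDOUT)
  # ... unchanged: read apply.txt back and report success or fatal ...
```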
[24/26] git commit: SENTRY-124: Create bin packaging (Brock Noland
via Prasad Mujumdar)
Posted by br...@apache.org.
SENTRY-124: Create bin packaging (Brock Noland via Prasad Mujumdar)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/cf798ac7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/cf798ac7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/cf798ac7
Branch: refs/heads/db_policy_store
Commit: cf798ac71a5e0b2d9839fac9c08538bad4f05307
Parents: 06d2b34
Author: Prasad Mujumdar <pr...@cloudera.com>
Authored: Mon Feb 24 14:24:48 2014 -0800
Committer: Prasad Mujumdar <pr...@cloudera.com>
Committed: Mon Feb 24 14:25:31 2014 -0800
----------------------------------------------------------------------
sentry-dist/pom.xml | 1 +
sentry-dist/src/main/assembly/bin.xml | 82 ++++++++++++++++++++++++++++++
2 files changed, 83 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/cf798ac7/sentry-dist/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml
index 62f1c79..e43bb7c 100644
--- a/sentry-dist/pom.xml
+++ b/sentry-dist/pom.xml
@@ -84,6 +84,7 @@ limitations under the License.
<finalName>apache-sentry-${project.version}</finalName>
<descriptors>
<descriptor>src/main/assembly/src.xml</descriptor>
+ <descriptor>src/main/assembly/bin.xml</descriptor>
</descriptors>
</configuration>
</execution>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/cf798ac7/sentry-dist/src/main/assembly/bin.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/src/main/assembly/bin.xml b/sentry-dist/src/main/assembly/bin.xml
new file mode 100644
index 0000000..7c7c4a9
--- /dev/null
+++ b/sentry-dist/src/main/assembly/bin.xml
@@ -0,0 +1,82 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<assembly
+ xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2 http://maven.apache.org/xsd/assembly-1.1.2.xsd">
+
+ <id>bin</id>
+
+ <formats>
+ <format>dir</format>
+ <format>tar.gz</format>
+ </formats>
+
+ <baseDirectory>apache-sentry-${project.version}-bin</baseDirectory>
+
+
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>lib</outputDirectory>
+ <unpack>false</unpack>
+ <useProjectArtifact>false</useProjectArtifact>
+ <useStrictFiltering>true</useStrictFiltering>
+ <useTransitiveFiltering>true</useTransitiveFiltering>
+ <excludes>
+ <exclude>org.slf4j:*</exclude>
+ </excludes>
+ </dependencySet>
+ </dependencySets>
+ <fileSets>
+ <fileSet>
+ <directory>${project.parent.basedir}</directory>
+
+ <excludes>
+ <exclude>**/target/**</exclude>
+ <exclude>**/.classpath</exclude>
+ <exclude>**/.project</exclude>
+ <exclude>**/.settings/**</exclude>
+ <exclude>**/.gitignore</exclude>
+ <exclude>dev-support/**</exclude>
+ <exclude>pom.xml</exclude>
+ <exclude>sentry-binding/**</exclude>
+ <exclude>sentry-core/**</exclude>
+ <exclude>sentry-dist/**</exclude>
+ <exclude>sentry-provider/**</exclude>
+ <exclude>sentry-policy/**</exclude>
+ <exclude>sentry-tests/**</exclude>
+ </excludes>
+
+ <includes>
+ <include>bin/**</include>
+ <include>conf/**</include>
+ <include>lib/**</include>
+ <include>CHANGELOG*</include>
+ <include>DISCLAIMER*</include>
+ <include>LICENSE*</include>
+ <include>NOTICE*</include>
+ <include>README*</include>
+ </includes>
+ <outputDirectory>/</outputDirectory>
+ </fileSet>
+ </fileSets>
+
+</assembly>
+
[08/26] git commit: SENTRY-85: The JDBC connection from hive test
framework should use a userid that's supported by default test resource
(Prasad Mujumdar via Shreepadma Venugopalan)
Posted by br...@apache.org.
SENTRY-85: The JDBC connection from hive test framework should use a userid that's supported by default test resource (Prasad Mujumdar via Shreepadma Venugopalan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/c5ff1c3f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/c5ff1c3f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/c5ff1c3f
Branch: refs/heads/db_policy_store
Commit: c5ff1c3faa61344c89bea15b6babf9574637a434
Parents: ee9565f
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Thu Jan 9 16:14:28 2014 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Thu Jan 9 16:14:28 2014 -0800
----------------------------------------------------------------------
.../sentry/tests/e2e/hive/hiveserver/AbstractHiveServer.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c5ff1c3f/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/AbstractHiveServer.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/AbstractHiveServer.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/AbstractHiveServer.java
index badd523..be6eafc 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/AbstractHiveServer.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/AbstractHiveServer.java
@@ -76,7 +76,7 @@ public abstract class AbstractHiveServer implements HiveServer {
}
try {
DriverManager.setLoginTimeout(30);
- Connection connection = DriverManager.getConnection(hiveServer.getURL(), "hive", "bar");
+ Connection connection = DriverManager.getConnection(hiveServer.getURL(), "foo", "bar");
connection.close();
break;
} catch (SQLException e) {
[12/26] git commit: SENTRY-88: Solr Collection Admin tests (CREATE,
DELETE, RELOAD) (Vamsee Yarlagadda via Gregory Chanan)
Posted by br...@apache.org.
SENTRY-88: Solr Collection Admin tests (CREATE,DELETE,RELOAD) (Vamsee Yarlagadda via Gregory Chanan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/a93fb416
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/a93fb416
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/a93fb416
Branch: refs/heads/db_policy_store
Commit: a93fb4161972a7ab75cb9b36de6f043c177f2461
Parents: 07b8010
Author: Gregory Chanan <gc...@cloudera.com>
Authored: Wed Jan 15 22:34:27 2014 -0800
Committer: Gregory Chanan <gc...@cloudera.com>
Committed: Wed Jan 15 22:34:27 2014 -0800
----------------------------------------------------------------------
.../e2e/solr/AbstractSolrSentryTestBase.java | 151 +++++++++++++++++--
.../e2e/solr/TestCollAdminCoreOperations.java | 145 ++++++++++++++++++
.../tests/e2e/solr/TestQueryOperations.java | 4 +
.../tests/e2e/solr/TestUpdateOperations.java | 4 +
.../solr/sentry/test-authz-provider.ini | 109 ++++++++++---
5 files changed, 381 insertions(+), 32 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a93fb416/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
index fcbc67c..05c5263 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
@@ -19,6 +19,7 @@ package org.apache.sentry.tests.e2e.solr;
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
+import java.util.Collections;
import java.util.Comparator;
import java.util.Random;
import java.util.SortedMap;
@@ -30,7 +31,10 @@ import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.solr.SolrTestCaseJ4;
import org.apache.solr.client.solrj.SolrQuery;
+import org.apache.solr.client.solrj.SolrServer;
import org.apache.solr.client.solrj.impl.CloudSolrServer;
+import org.apache.solr.client.solrj.impl.HttpSolrServer;
+import org.apache.solr.client.solrj.request.QueryRequest;
import org.apache.solr.client.solrj.response.QueryResponse;
import org.apache.solr.client.solrj.util.ClientUtils;
import org.apache.solr.cloud.AbstractFullDistribZkTestBase;
@@ -38,6 +42,10 @@ import org.apache.solr.cloud.ZkController;
import org.apache.solr.common.SolrDocument;
import org.apache.solr.common.SolrDocumentList;
import org.apache.solr.common.SolrInputDocument;
+import org.apache.solr.common.params.CollectionParams.CollectionAction;
+import org.apache.solr.common.params.CoreAdminParams;
+import org.apache.solr.common.params.ModifiableSolrParams;
+import org.apache.solr.common.util.NamedList;
import org.apache.solr.servlet.SolrDispatchFilter;
import org.junit.After;
@@ -390,6 +398,122 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
}
/**
+ * Method to validate collection Admin operation pass
+ * @param solrUserName - User authenticated into Solr
+ * @param adminOp - Admin operation to be performed
+ * @param collectionName - Name of the collection to be queried
+ * @param ignoreError - boolean to specify whether to ignore the error if any occurred.
+ * (We may need this attribute for running DELETE command on a collection which doesn't exist)
+ * @throws Exception
+ */
+ protected void verifyCollectionAdminOpPass(String solrUserName,
+ CollectionAction adminOp,
+ String collectionName) throws Exception {
+ String originalUser = getAuthenticatedUser();
+ try {
+ setAuthenticationUser(solrUserName);
+ QueryRequest request = populateCollectionAdminParams(adminOp, collectionName);
+ SolrServer solrServer = createNewSolrServer("", getBaseUrl((HttpSolrServer) clients.get(0)));
+ try {
+ NamedList<Object> result = solrServer.request(request);
+ if (adminOp.compareTo(CollectionAction.CREATE) == 0) {
+ // Wait for collection creation to complete.
+ waitForRecoveriesToFinish(collectionName, false);
+ }
+ } finally {
+ solrServer.shutdown();
+ }
+ } finally {
+ setAuthenticationUser(originalUser);
+ }
+ }
+
+ /**
+ * Method to validate collection Admin operation fail
+ * @param solrUserName - User authenticated into Solr
+ * @param adminOp - Admin operation to be performed
+ * @param collectionName - Name of the collection to be queried
+ * @throws Exception
+ */
+ protected void verifyCollectionAdminOpFail(String solrUserName,
+ CollectionAction adminOp,
+ String collectionName) throws Exception {
+
+ String originalUser = getAuthenticatedUser();
+ try {
+ setAuthenticationUser(solrUserName);
+ try {
+ QueryRequest request = populateCollectionAdminParams(adminOp, collectionName);
+ SolrServer solrServer = createNewSolrServer("", getBaseUrl((HttpSolrServer) clients.get(0)));
+ try {
+ NamedList<Object> result = solrServer.request(request);
+ if (adminOp.compareTo(CollectionAction.CREATE) == 0) {
+ // Wait for collection creation to complete.
+ waitForRecoveriesToFinish(collectionName, false);
+ }
+ } finally {
+ solrServer.shutdown();
+ }
+
+ fail("The specified user: " + solrUserName + " shouldn't get admin access for " + adminOp);
+ } catch (Exception exception) {
+ assertTrue("Expected " + SENTRY_ERROR_MSG + " in " + exception.toString(),
+ exception.toString().contains(SENTRY_ERROR_MSG));
+ }
+ } finally {
+ setAuthenticationUser(originalUser);
+ }
+ }
+
+ /**
+ * Method to populate the Solr params based on the collection admin being performed.
+ * @param adminOp - Collection admin operation
+ * @param collectionName - Name of the collection
+ * @return - instance of QueryRequest.
+ */
+ public QueryRequest populateCollectionAdminParams(CollectionAction adminOp,
+ String collectionName) {
+ ModifiableSolrParams modParams = new ModifiableSolrParams();
+ modParams.set(CoreAdminParams.ACTION, adminOp.name());
+ switch (adminOp) {
+ case CREATE:
+ modParams.set("name", collectionName);
+ modParams.set("numShards", 2);
+ modParams.set("shards", "shard1,shard2");
+ modParams.set("replicationFactor", 1);
+ break;
+ case DELETE:
+ modParams.set("name", collectionName);
+ break;
+ case RELOAD:
+ modParams.set("name", collectionName);
+ break;
+ case SPLITSHARD:
+ modParams.set("collection", collectionName);
+ modParams.set("shard", "shard1");
+ break;
+ case DELETESHARD:
+ modParams.set("collection", collectionName);
+ modParams.set("shard", "shard1");
+ break;
+ case CREATEALIAS:
+ modParams.set("name", collectionName);
+ modParams.set("collections", collectionName + "_underlying1"
+ + "," + collectionName + "_underlying2");
+ break;
+ case DELETEALIAS:
+ modParams.set("name", collectionName);
+ break;
+ default:
+ throw new IllegalArgumentException("Admin operation: " + adminOp + " is not supported!");
+ }
+
+ QueryRequest request = new QueryRequest(modParams);
+ request.setPath("/admin/collections");
+ return request;
+ }
+
+ /**
* Function to validate the count and content of two SolrDocumentList's.
* @param solrOriginalDocs - Instance of initial set of solr docs before processing
* @param solrResponseDocs - Instance of response solr docs after processing
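Review bot: The Javadoc added for `verifyCollectionAdminOpPass` documents an `ignoreError` parameter, but the method takes only `solrUserName`, `adminOp` and `collectionName`, so the comment describes behaviour the helper does not have. I would drop the `@param ignoreError` entry and its continuation line, and say instead that any exception from the request propagates to the caller. In both new verify helpers the `NamedList<Object> result` local is never read, and `adminOp.compareTo(CollectionAction.CREATE) == 0` reads more plainly as `adminOp == CollectionAction.CREATE`.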
@@ -499,16 +623,25 @@ public abstract class AbstractSolrSentryTestBase extends AbstractFullDistribZkTe
* @throws Exception
*/
protected void setupCollection(String collectionName) throws Exception {
- // Authenticate as user "admin"
- String originalUser = getAuthenticatedUser();
+ verifyCollectionAdminOpPass(ADMIN_USER,
+ CollectionAction.CREATE,
+ collectionName);
+ }
+
+ /**
+ * Function to delete a solr collection with the name passed as parameter
+ * (Runs commands as ADMIN user)
+ * @param collectionName - Name of the collection
+ * This function will simply ignore the errors raised in deleting the collections.
+ * e.g: As part of the clean up job, the tests can issue a DELETE command on the collection which doesn't exist.
+ */
+ protected void deleteCollection(String collectionName) {
try {
- setAuthenticationUser(ADMIN_USER);
- uploadConfigDirToZk(getSolrHome() + File.separator + DEFAULT_COLLECTION
- + File.separator + "conf");
- createCollection(collectionName, 1, 1, 1);
- waitForRecoveriesToFinish(collectionName, false);
- } finally {
- setAuthenticationUser(originalUser);
+ verifyCollectionAdminOpPass(ADMIN_USER,
+ CollectionAction.DELETE,
+ collectionName);
+ } catch (Exception e) {
+ LOG.warn("Ignoring errors raised while deleting the collection : " + e.toString());
}
}
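Review bot: `deleteCollection` catches every `Exception` from `verifyCollectionAdminOpPass`, so an authorization denial for `ADMIN_USER` is logged and ignored in the same way as the "collection doesn't exist" case the Javadoc describes, and a regression in the admin policy could pass through cleanup unnoticed. I would rethrow when the failure is a Sentry denial, e.g. `if (e.toString().contains(SENTRY_ERROR_MSG)) throw new RuntimeException(e);`, and only ignore the rest. Passing the exception to the logger, `LOG.warn("Ignoring errors raised while deleting the collection " + collectionName, e);`, keeps the stack trace and names the collection. The Javadoc of `setupCollection` starts outside this hunk.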
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a93fb416/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestCollAdminCoreOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestCollAdminCoreOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestCollAdminCoreOperations.java
new file mode 100644
index 0000000..865fd10
--- /dev/null
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestCollAdminCoreOperations.java
@@ -0,0 +1,145 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.solr;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
+
+import java.io.File;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Properties;
+import java.util.Random;
+
+import org.apache.solr.common.params.CollectionParams.CollectionAction;
+
+@ThreadLeakScope(Scope.NONE) // hdfs client currently leaks thread(s)
+public class TestCollAdminCoreOperations extends AbstractSolrSentryTestBase {
+ private static final Logger LOG = LoggerFactory
+ .getLogger(TestCollAdminCoreOperations.class);
+ private static final String ADMIN_COLLECTION_NAME = "admin";
+ private static final String TEST_COLLECTION_NAME = "sentryCollection";
+ private static final List<Boolean> BOOLEAN_VALUES = Arrays.asList(new Boolean[]{true, false});
+
+ /**
+ * Maximum number of combinations that will be tested by this class.
+ */
+ private static final int MAX_TEST_RUNS = 64;
+
+ /**
+ * Default number of combinations to be tested:15.
+ */
+ private static int NUM_TESTS_TO_RUN = 15;
+
+ @Override
+ public void doTest() throws Exception {
+ String maxTestsToRun = System.getProperty("sentry.solr.e2e.maxTestsToRun");
+ if (maxTestsToRun != null) {
+ if (maxTestsToRun.compareToIgnoreCase("all") == 0) {
+ NUM_TESTS_TO_RUN = MAX_TEST_RUNS;
+ } else {
+ NUM_TESTS_TO_RUN = Integer.parseInt(maxTestsToRun);
+ if (NUM_TESTS_TO_RUN > MAX_TEST_RUNS) {
+ NUM_TESTS_TO_RUN = MAX_TEST_RUNS;
+ }
+ }
+ }
+
+ Random randomNum = new Random();
+ HashSet<Integer> iterationSet = new HashSet<Integer>();
+ while (iterationSet.size() < NUM_TESTS_TO_RUN) {
+ iterationSet.add(randomNum.nextInt(MAX_TEST_RUNS));
+ }
+ int testCounter = 0;
+
+ ArrayList<String> testFailures = new ArrayList<String>();
+ // Upload configs to ZK
+ uploadConfigDirToZk(getSolrHome() + File.separator + DEFAULT_COLLECTION
+ + File.separator + "conf");
+ for (boolean admin_query : BOOLEAN_VALUES) {
+ for (boolean admin_update : BOOLEAN_VALUES) {
+ for (boolean admin_all : BOOLEAN_VALUES) {
+ String admin_test_user = getUsernameForPermissions(ADMIN_COLLECTION_NAME, admin_query, admin_update, admin_all);
+
+ for (boolean coll_query : BOOLEAN_VALUES) {
+ for (boolean coll_update : BOOLEAN_VALUES) {
+ for (boolean coll_all : BOOLEAN_VALUES) {
+ if (!iterationSet.contains(testCounter)) {
+ testCounter = testCounter + 1;
+ continue;
+ }
+ testCounter = testCounter + 1;
+
+ String coll_test_user = null;
+ try {
+ coll_test_user = admin_test_user
+ .concat("__")
+ .concat(getUsernameForPermissions(TEST_COLLECTION_NAME, coll_query, coll_update, coll_all));
+ LOG.info("TEST_USER: " + coll_test_user);
+
+ // Setup the environment
+ deleteCollection(TEST_COLLECTION_NAME);
+
+ if ((admin_all || admin_update) && (coll_all || coll_update)) {
+ verifyCollectionAdminOpPass(coll_test_user,
+ CollectionAction.CREATE,
+ TEST_COLLECTION_NAME);
+ verifyCollectionAdminOpPass(coll_test_user,
+ CollectionAction.RELOAD,
+ TEST_COLLECTION_NAME);
+ verifyCollectionAdminOpPass(coll_test_user,
+ CollectionAction.DELETE,
+ TEST_COLLECTION_NAME);
+ } else {
+ verifyCollectionAdminOpFail(coll_test_user,
+ CollectionAction.CREATE,
+ TEST_COLLECTION_NAME);
+ // In-order to test RELOAD, DELETE for the current user,
+ // we need to setup a collection.
+ setupCollection(TEST_COLLECTION_NAME);
+ verifyCollectionAdminOpFail(coll_test_user,
+ CollectionAction.RELOAD,
+ TEST_COLLECTION_NAME);
+ verifyCollectionAdminOpFail(coll_test_user,
+ CollectionAction.DELETE,
+ TEST_COLLECTION_NAME);
+ }
+ } catch (Throwable testException) {
+ StringWriter stringWriter = new StringWriter();
+ PrintWriter printWriter = new PrintWriter(stringWriter);
+ testException.printStackTrace(printWriter);
+ testFailures.add("\n\nTestFailure: User -> " + coll_test_user + "\n"
+ + stringWriter.toString());
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ assertEquals("Total test failures: " + testFailures.size() + " \n\n"
+ + testFailures.toString() + "\n\n\n", 0, testFailures.size());
+ }
+}
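Review bot: The subset of permission combinations exercised by `doTest` is drawn with `new Random()`, so when one of the sampled combinations fails, the same selection cannot be replayed and an intermittent authorization failure is hard to reproduce. The class already uses the randomizedtesting annotations; if the inherited test base exposes the framework's seeded `random()` (not visible in this hunk), `Random randomNum = random();` would tie the selection to the reported seed. Logging the chosen indexes once, `LOG.info("Selected combinations: " + iterationSet);`, would also let a failing run be matched to its inputs.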
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a93fb416/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
index a9b9f28..ace0d0f 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
@@ -22,6 +22,7 @@ import org.slf4j.LoggerFactory;
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
+import java.io.File;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.ArrayList;
@@ -39,6 +40,9 @@ public class TestQueryOperations extends AbstractSolrSentryTestBase {
@Override
public void doTest() throws Exception {
+ // Upload configs to ZK
+ uploadConfigDirToZk(getSolrHome() + File.separator + DEFAULT_COLLECTION
+ + File.separator + "conf");
setupCollection(COLLECTION_NAME);
ArrayList<String> testFailures = new ArrayList<String>();
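Review bot: The three added lines that upload the config directory at the top of `doTest()` are repeated verbatim in the `TestUpdateOperations.doTest()` hunk of this commit, so the two tests can drift apart if the config location changes. Since both classes extend `AbstractSolrSentryTestBase`, I would put the path construction in one helper there, for example `uploadDefaultConfigDirToZk()`, and call it from both tests. The comment `// Upload configs to ZK` restates the call; something like `// the collection is created from the config set in ZK, so it must be uploaded before setupCollection()` would record the ordering requirement, assuming that is the reason. `doTest()` continues outside the hunk.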
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a93fb416/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
index b57e6c6..aaca7b4 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
@@ -22,6 +22,7 @@ import org.slf4j.LoggerFactory;
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
+import java.io.File;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.ArrayList;
@@ -39,6 +40,9 @@ public class TestUpdateOperations extends AbstractSolrSentryTestBase {
@Override
public void doTest() throws Exception {
+ // Upload configs to ZK
+ uploadConfigDirToZk(getSolrHome() + File.separator + DEFAULT_COLLECTION
+ + File.separator + "conf");
setupCollection(COLLECTION_NAME);
ArrayList<String> testFailures = new ArrayList<String>();
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a93fb416/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
index f988eae..3e02699 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
@@ -18,10 +18,10 @@
[groups]
junit = junit_role
admin = admin_role
-sentry_collection_query_group = sentry_collection_query_role
-sentry_collection_update_group = sentry_collection_update_role
-sentry_collection_query_update_group = sentry_collection_query_update_role
-sentry_collection_all_group = sentry_collection_all_role
+sentryCollection_query_group = sentryCollection_query_role
+sentryCollection_update_group = sentryCollection_update_role
+sentryCollection_query_update_group = sentryCollection_query_update_role
+sentryCollection_all_group = sentryCollection_all_role
admin_query_group = admin_query_role
admin_update_group = admin_update_role
admin_query_update_group = admin_query_update_role
@@ -29,11 +29,11 @@ admin_all_group = admin_all_role
[roles]
junit_role = collection=admin, collection=collection1
-admin_role = collection=admin, collection=collection1, collection=sentryCollection
-sentry_collection_query_role = collection=sentryCollection->action=query
-sentry_collection_update_role = collection=sentryCollection->action=update
-sentry_collection_query_update_role = collection=sentryCollection->action=query, collection=sentryCollection->action=update
-sentry_collection_all_role = collection=sentryCollection->action=*
+admin_role = collection=admin, collection=collection1, collection=sentryCollection, collection=sentryCollection_underlying1, collection=sentryCollection_underlying2
+sentryCollection_query_role = collection=sentryCollection->action=query
+sentryCollection_update_role = collection=sentryCollection->action=update
+sentryCollection_query_update_role = collection=sentryCollection->action=query, collection=sentryCollection->action=update
+sentryCollection_all_role = collection=sentryCollection->action=*
admin_query_role = collection=admin->action=query
admin_update_role = collection=admin->action=update
admin_query_update_role = collection=admin->action=query, collection=admin->action=update
@@ -42,17 +42,80 @@ admin_all_role = collection=admin->action=*
[users]
junit = junit
admin = admin
-sentryCollection_q = sentry_collection_query_group
-sentryCollection_u = sentry_collection_update_group
-sentryCollection_a = sentry_collection_all_group
-sentryCollection_qu = sentry_collection_query_update_group
-sentryCollection_ua = sentry_collection_update_group, sentry_collection_all_group
-sentryCollection_qa = sentry_collection_query_group, sentry_collection_all_group
-sentryCollection_qua = sentry_collection_query_group, sentry_collection_update_group, sentry_collection_all_group
-admin_q = admin_query_group
-admin_u = admin_update_group
-admin_a = admin_all_group
-admin_qu = admin_query_update_group
-admin_ua = admin_update_group, admin_all_group
-admin_qa = admin_query_group, admin_all_group
-admin_qua = admin_query_group, admin_update_group, admin_all_group
\ No newline at end of file
+admin_qua = admin_query_group, admin_update_group, admin_all_group,
+admin_qu = admin_query_group, admin_update_group,
+admin_qa = admin_query_group, admin_all_group,
+admin_q = admin_query_group,
+admin_ua = admin_update_group, admin_all_group,
+admin_u = admin_update_group,
+admin_a = admin_all_group,
+admin_qua__sentryCollection_qua = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_all_group, admin_query_group, admin_update_group, admin_all_group,
+admin_qu__sentryCollection_qua = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_all_group, admin_query_group, admin_update_group,
+admin_qa__sentryCollection_qua = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_all_group, admin_query_group, admin_all_group,
+admin_q__sentryCollection_qua = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_all_group, admin_query_group,
+admin_ua__sentryCollection_qua = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_all_group, admin_update_group, admin_all_group,
+admin_u__sentryCollection_qua = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_all_group, admin_update_group,
+admin_a__sentryCollection_qua = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_all_group, admin_all_group,
+admin___sentryCollection_qua = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_all_group,
+admin_qua__sentryCollection_qu = sentryCollection_query_group, sentryCollection_update_group, admin_query_group, admin_update_group, admin_all_group,
+admin_qu__sentryCollection_qu = sentryCollection_query_group, sentryCollection_update_group, admin_query_group, admin_update_group,
+admin_qa__sentryCollection_qu = sentryCollection_query_group, sentryCollection_update_group, admin_query_group, admin_all_group,
+admin_q__sentryCollection_qu = sentryCollection_query_group, sentryCollection_update_group, admin_query_group,
+admin_ua__sentryCollection_qu = sentryCollection_query_group, sentryCollection_update_group, admin_update_group, admin_all_group,
+admin_u__sentryCollection_qu = sentryCollection_query_group, sentryCollection_update_group, admin_update_group,
+admin_a__sentryCollection_qu = sentryCollection_query_group, sentryCollection_update_group, admin_all_group,
+admin___sentryCollection_qu = sentryCollection_query_group, sentryCollection_update_group,
+admin_qua__sentryCollection_qa = sentryCollection_query_group, sentryCollection_all_group, admin_query_group, admin_update_group, admin_all_group,
+admin_qu__sentryCollection_qa = sentryCollection_query_group, sentryCollection_all_group, admin_query_group, admin_update_group,
+admin_qa__sentryCollection_qa = sentryCollection_query_group, sentryCollection_all_group, admin_query_group, admin_all_group,
+admin_q__sentryCollection_qa = sentryCollection_query_group, sentryCollection_all_group, admin_query_group,
+admin_ua__sentryCollection_qa = sentryCollection_query_group, sentryCollection_all_group, admin_update_group, admin_all_group,
+admin_u__sentryCollection_qa = sentryCollection_query_group, sentryCollection_all_group, admin_update_group,
+admin_a__sentryCollection_qa = sentryCollection_query_group, sentryCollection_all_group, admin_all_group,
+admin___sentryCollection_qa = sentryCollection_query_group, sentryCollection_all_group,
+admin_qua__sentryCollection_q = sentryCollection_query_group, admin_query_group, admin_update_group, admin_all_group,
+admin_qu__sentryCollection_q = sentryCollection_query_group, admin_query_group, admin_update_group,
+admin_qa__sentryCollection_q = sentryCollection_query_group, admin_query_group, admin_all_group,
+admin_q__sentryCollection_q = sentryCollection_query_group, admin_query_group,
+admin_ua__sentryCollection_q = sentryCollection_query_group, admin_update_group, admin_all_group,
+admin_u__sentryCollection_q = sentryCollection_query_group, admin_update_group,
+admin_a__sentryCollection_q = sentryCollection_query_group, admin_all_group,
+admin___sentryCollection_q = sentryCollection_query_group,
+admin_qua__sentryCollection_ua = sentryCollection_update_group, sentryCollection_all_group, admin_query_group, admin_update_group, admin_all_group,
+admin_qu__sentryCollection_ua = sentryCollection_update_group, sentryCollection_all_group, admin_query_group, admin_update_group,
+admin_qa__sentryCollection_ua = sentryCollection_update_group, sentryCollection_all_group, admin_query_group, admin_all_group,
+admin_q__sentryCollection_ua = sentryCollection_update_group, sentryCollection_all_group, admin_query_group,
+admin_ua__sentryCollection_ua = sentryCollection_update_group, sentryCollection_all_group, admin_update_group, admin_all_group,
+admin_u__sentryCollection_ua = sentryCollection_update_group, sentryCollection_all_group, admin_update_group,
+admin_a__sentryCollection_ua = sentryCollection_update_group, sentryCollection_all_group, admin_all_group,
+admin___sentryCollection_ua = sentryCollection_update_group, sentryCollection_all_group,
+admin_qua__sentryCollection_u = sentryCollection_update_group, admin_query_group, admin_update_group, admin_all_group,
+admin_qu__sentryCollection_u = sentryCollection_update_group, admin_query_group, admin_update_group,
+admin_qa__sentryCollection_u = sentryCollection_update_group, admin_query_group, admin_all_group,
+admin_q__sentryCollection_u = sentryCollection_update_group, admin_query_group,
+admin_ua__sentryCollection_u = sentryCollection_update_group, admin_update_group, admin_all_group,
+admin_u__sentryCollection_u = sentryCollection_update_group, admin_update_group,
+admin_a__sentryCollection_u = sentryCollection_update_group, admin_all_group,
+admin___sentryCollection_u = sentryCollection_update_group,
+admin_qua__sentryCollection_a = sentryCollection_all_group, admin_query_group, admin_update_group, admin_all_group,
+admin_qu__sentryCollection_a = sentryCollection_all_group, admin_query_group, admin_update_group,
+admin_qa__sentryCollection_a = sentryCollection_all_group, admin_query_group, admin_all_group,
+admin_q__sentryCollection_a = sentryCollection_all_group, admin_query_group,
+admin_ua__sentryCollection_a = sentryCollection_all_group, admin_update_group, admin_all_group,
+admin_u__sentryCollection_a = sentryCollection_all_group, admin_update_group,
+admin_a__sentryCollection_a = sentryCollection_all_group, admin_all_group,
+admin___sentryCollection_a = sentryCollection_all_group,
+admin_qua__sentryCollection_ = admin_query_group, admin_update_group, admin_all_group,
+admin_qu__sentryCollection_ = admin_query_group, admin_update_group,
+admin_qa__sentryCollection_ = admin_query_group, admin_all_group,
+admin_q__sentryCollection_ = admin_query_group,
+admin_ua__sentryCollection_ = admin_update_group, admin_all_group,
+admin_u__sentryCollection_ = admin_update_group,
+admin_a__sentryCollection_ = admin_all_group,
+sentryCollection_qua = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_all_group,
+sentryCollection_qu = sentryCollection_query_group, sentryCollection_update_group,
+sentryCollection_qa = sentryCollection_query_group, sentryCollection_all_group,
+sentryCollection_q = sentryCollection_query_group,
+sentryCollection_ua = sentryCollection_update_group, sentryCollection_all_group,
+sentryCollection_u = sentryCollection_update_group,
+sentryCollection_a = sentryCollection_all_group,
\ No newline at end of file
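Review bot: Every entry added to `[users]` ends with a trailing comma, for example `admin_q = admin_query_group,`, which the removed entries did not have. Whether the policy parser drops the resulting empty token or treats it as a group name is not visible in this hunk. In an authorization fixture that uncertainty makes the expected pass/fail results harder to trust, so I would write the lists without it, as in `admin_q = admin_query_group`. A header comment such as `# user names are admin_<q|u|a>__sentryCollection_<q|u|a>; each letter names a group the user belongs to` would let a reader check the generated matrix against the names by eye. The file also still ends without a trailing newline.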
[23/26] git commit: SENTRY-119 - Reduce tarball size by excluding
third party directory (Brock Noland via Gregory Chanan)
Posted by br...@apache.org.
SENTRY-119 - Reduce tarball size by excluding third party directory (Brock Noland via Gregory Chanan)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/06d2b349
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/06d2b349
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/06d2b349
Branch: refs/heads/db_policy_store
Commit: 06d2b34915a86fb4dcf6b312056a8e7c8475aa48
Parents: 87f476c
Author: Gregory Chanan <gr...@gmail.com>
Authored: Thu Feb 20 16:27:44 2014 -0800
Committer: Gregory Chanan <gr...@gmail.com>
Committed: Thu Feb 20 16:27:44 2014 -0800
----------------------------------------------------------------------
sentry-dist/pom.xml | 2 +-
sentry-dist/src/main/assembly/src.xml | 91 ++++++------------------------
2 files changed, 19 insertions(+), 74 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/06d2b349/sentry-dist/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml
index 1190fe1..62f1c79 100644
--- a/sentry-dist/pom.xml
+++ b/sentry-dist/pom.xml
@@ -81,7 +81,7 @@ limitations under the License.
</goals>
<inherited>false</inherited>
<configuration>
- <finalName>sentry-${project.version}</finalName>
+ <finalName>apache-sentry-${project.version}</finalName>
<descriptors>
<descriptor>src/main/assembly/src.xml</descriptor>
</descriptors>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/06d2b349/sentry-dist/src/main/assembly/src.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/src/main/assembly/src.xml b/sentry-dist/src/main/assembly/src.xml
index 323488b..fefe182 100644
--- a/sentry-dist/src/main/assembly/src.xml
+++ b/sentry-dist/src/main/assembly/src.xml
@@ -22,100 +22,45 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2 http://maven.apache.org/xsd/assembly-1.1.2.xsd">
- <id>dist</id>
+ <id>src</id>
<formats>
<format>tar.gz</format>
</formats>
- <baseDirectory>sentry-${project.version}</baseDirectory>
+ <baseDirectory>apache-sentry-${project.version}-src</baseDirectory>
- <moduleSets>
-
- <moduleSet>
- <useAllReactorProjects>true</useAllReactorProjects>
-
- <includes>
- <include>org.apache.sentry:sentry-binding</include>
- <include>org.apache.sentry:sentry-binding-hive</include>
- <include>org.apache.sentry:sentry-binding-solr</include>
- <include>org.apache.sentry:sentry-core</include>
- <include>org.apache.sentry:sentry-core-common</include>
- <include>org.apache.sentry:sentry-core-model-db</include>
- <include>org.apache.sentry:sentry-core-model-search</include>
- <include>org.apache.sentry:sentry-provider</include>
- <include>org.apache.sentry:sentry-provider-common</include>
- <include>org.apache.sentry:sentry-provider-file</include>
- <include>org.apache.sentry:sentry-policy</include>
- <include>org.apache.sentry:sentry-policy-common</include>
- <include>org.apache.sentry:sentry-policy-db</include>
- <include>org.apache.sentry:sentry-policy-search</include>
- <include>org.apache.sentry:sentry-tests</include>
- <include>org.apache.sentry:sentry-tests-hive</include>
- <include>org.apache.sentry:sentry-dist</include>
- </includes>
-
- <binaries>
- <unpack>false</unpack>
- <outputDirectory>lib</outputDirectory>
-
- <dependencySets>
- <dependencySet>
- <useProjectArtifact>false</useProjectArtifact>
- <outputDirectory>lib</outputDirectory>
- </dependencySet>
- </dependencySets>
- </binaries>
-
- <sources>
- <includeModuleDirectory>true</includeModuleDirectory>
- <excludeSubModuleDirectories>false</excludeSubModuleDirectories>
-
- <fileSets>
- <fileSet>
- <excludes>
- <exclude>target/**</exclude>
- <exclude>*/target/**</exclude>
- <exclude>.classpath</exclude>
- <exclude>*/.classpath</exclude>
- <exclude>.project</exclude>
- <exclude>*/.project</exclude>
- <exclude>.settings/**</exclude>
- <exclude>*/.settings/**</exclude>
- </excludes>
- </fileSet>
- </fileSets>
- </sources>
-
- </moduleSet>
-
- </moduleSets>
<fileSets>
<fileSet>
- <directory>../</directory>
+ <directory>${project.parent.basedir}</directory>
<excludes>
- <exclude>sentry-binding/**</exclude>
- <exclude>sentry-core/**</exclude>
- <exclude>sentry-dist/**</exclude>
- <exclude>sentry-provider/**</exclude>
- <exclude>sentry-policy/**</exclude>
- <exclude>sentry-test/**</exclude>
<exclude>**/target/**</exclude>
<exclude>**/.classpath</exclude>
<exclude>**/.project</exclude>
<exclude>**/.settings/**</exclude>
- <exclude>lib/**</exclude>
+ <exclude>sentry-tests/sentry-tests-hive/thirdparty/**</exclude>
</excludes>
<includes>
- <include>.gitignore</include>
<include>bin/**</include>
+ <include>**/.gitignore</include>
<include>conf/**</include>
<include>pom.xml</include>
- <include>LICENSE.txt</include>
- <include>NOTICE</include>
+ <include>CHANGELOG*</include>
+ <include>DISCLAIMER*</include>
+ <include>LICENSE*</include>
+ <include>NOTICE*</include>
+ <include>README*</include>
+ <include>dev-support/**</include>
+ <include>sentry-binding/**</include>
+ <include>sentry-core/**</include>
+ <include>sentry-dist/**</include>
+ <include>sentry-provider/**</include>
+ <include>sentry-policy/**</include>
+ <include>sentry-tests/**</include>
</includes>
+ <outputDirectory>/</outputDirectory>
</fileSet>
</fileSets>
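Review bot: The rewritten `fileSet` copies whole module trees (`sentry-binding/**` through `sentry-tests/**`) from `${project.parent.basedir}`, while the excludes cover only `target`, the Eclipse metadata files and the Hive `thirdparty` directory. Anything else in the working tree under those directories, such as other IDE files, local configuration or untracked scratch files, would therefore end up in the published source tarball. I would either document in the descriptor that the release must be built from a clean checkout, or widen the excludes, for example `<exclude>**/*.iml</exclude>` and `<exclude>**/.idea/**</exclude>`. A short XML comment on the `thirdparty` exclude saying it is there to keep the tarball small would also help, since the reason is only stated in the commit message.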
[03/26] git commit: Revert commit of SENTRY-78
Posted by br...@apache.org.
Revert commit of SENTRY-78
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/319d64a4
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/319d64a4
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/319d64a4
Branch: refs/heads/db_policy_store
Commit: 319d64a4a31182dd73a7368d69fd1924f07bb968
Parents: 4baffe9
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Thu Dec 26 16:42:08 2013 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Thu Dec 26 16:42:08 2013 -0800
----------------------------------------------------------------------
.../apache/sentry/binding/hive/HiveAuthzBindingHook.java | 9 ---------
.../tests/e2e/hive/TestPrivilegesAtDatabaseScope.java | 4 ----
2 files changed, 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/319d64a4/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 0dd28b7..7f9560f 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -370,15 +370,6 @@ implements HiveDriverFilterHook {
}
for(ReadEntity readEntity:inputs) {
- // If this is a UDF, then check whether its allowed to be executed
- // TODO: when we support execute privileges on UDF, this can be removed.
- if (isUDF(readEntity)) {
- if (isBuiltinUDF(readEntity)) {
- checkUDFWhiteList(readEntity.getUDF().getDisplayName());
- }
- continue;
- }
-
List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
entityHierarchy.add(hiveAuthzBinding.getAuthServer());
entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity));
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/319d64a4/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
index 8c145ca..82d73e5 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
@@ -107,10 +107,6 @@ public class TestPrivilegesAtDatabaseScope extends AbstractTestWithStaticConfigu
statement.execute("CREATE TABLE DB_1.TAB_2(A STRING)");
statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE DB_1.TAB_2");
- // test CTAS can reference UDFs
- statement.execute("USE DB_1");
- statement.execute("create table table2 as select A, count(A) from TAB_1 GROUP BY A");
-
// test user can switch db
statement.execute("USE DB_1");
//test user can create view