You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by ak...@apache.org on 2017/03/11 02:13:49 UTC
sentry git commit: SENTRY-1402: Add TestGrantUserToRole to V2
Repository: sentry
Updated Branches:
refs/heads/sentry-ha-redesign f6d31428f -> f407a680a
SENTRY-1402: Add TestGrantUserToRole to V2
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/f407a680
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/f407a680
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/f407a680
Branch: refs/heads/sentry-ha-redesign
Commit: f407a680a10fe233ff4fb209134d6ef876a69624
Parents: f6d3142
Author: Alexander Kolbasov <ak...@cloudera.com>
Authored: Fri Mar 10 18:13:43 2017 -0800
Committer: Alexander Kolbasov <ak...@cloudera.com>
Committed: Fri Mar 10 18:13:43 2017 -0800
----------------------------------------------------------------------
.../e2e/dbprovider/TestGrantUserToRole.java | 261 +++++++++++++++++++
1 file changed, 261 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/f407a680/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestGrantUserToRole.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestGrantUserToRole.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestGrantUserToRole.java
new file mode 100644
index 0000000..5364937
--- /dev/null
+++ b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestGrantUserToRole.java
@@ -0,0 +1,261 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.tests.e2e.dbprovider;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.Sets;
+
+public class TestGrantUserToRole extends AbstractTestWithStaticConfiguration {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(TestGrantUserToRole.class);
+
+ private static String ROLENAME1 = "testGrantUserToRole_r1";
+ private static String ROLENAME2 = "testGrantUserToRole_r2";
+ private static String ROLENAME3 = "testGrantUserToRole_r3";
+
+ @BeforeClass
+ public static void setupTestStaticConfiguration() throws Exception {
+ useSentryService = true;
+ AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
+ }
+
+ @Override
+ @Before
+ public void setup() throws Exception {
+ super.setupAdmin();
+ super.setup();
+ prepareTestData();
+ }
+
+ private void prepareTestData() throws Exception {
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+ statement.execute("CREATE ROLE " + ROLENAME1);
+ statement.execute("CREATE ROLE " + ROLENAME2);
+ statement.execute("CREATE ROLE " + ROLENAME3);
+ // grant role to groups and users as the following:
+ statement.execute("GRANT ROLE " + ROLENAME1 + " TO GROUP " + USERGROUP1);
+ statement.execute("GRANT ROLE " + ROLENAME2 + " TO GROUP " + USERGROUP2);
+ statement.execute("GRANT ROLE " + ROLENAME3 + " TO USER " + USER2_1);
+ statement.execute("GRANT ROLE " + ROLENAME2 + " TO USER " + USER3_1);
+ statement.execute("GRANT ROLE " + ROLENAME2 + " TO USER " + USER4_1);
+ statement.execute("GRANT ROLE " + ROLENAME3 + " TO USER " + USER4_1);
+ statement.close();
+ connection.close();
+ }
+
+ @Test
+ public void testAddDeleteRolesForUser() throws Exception {
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+ Set<String> emptyRoleSet = Sets.newHashSet();
+ // admin can get all roles for users
+ // user1 get the role1 for group1
+ ResultSet resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER1_1);
+ verifyResultRoles(resultSet, emptyRoleSet);
+
+ // user2 get the role1 for group1 and role2 for user2
+ resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER2_1);
+ verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME3.toLowerCase()));
+
+ // user3 get the role1 for group1 and role2 for group2
+ resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER3_1);
+ verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME2.toLowerCase()));
+
+ // user4 get the role2 for group2 and group3, role3 for user4
+ resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER4_1);
+ verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME2.toLowerCase(), ROLENAME3.toLowerCase()));
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+ // user1 can show his own roles
+ resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER1_1);
+ verifyResultRoles(resultSet, emptyRoleSet);
+ // test the command : show current roles
+ resultSet = statement.executeQuery("SHOW CURRENT ROLES");
+ verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME1.toLowerCase()));
+
+ try {
+ // user1 can't show other's roles if he isn't an admin
+ resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER2_1);
+ fail("Can't show other's role if the user is not an admin.");
+ } catch (Exception e) {
+ // excepted exception
+ }
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER2_1);
+ statement = context.createStatement(connection);
+ // user2 can show his own roles
+ resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER2_1);
+ verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME3.toLowerCase()));
+ // test the command : show current roles
+ resultSet = statement.executeQuery("SHOW CURRENT ROLES");
+ verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME2.toLowerCase(), ROLENAME3.toLowerCase()));
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(ADMIN1);
+ statement = context.createStatement(connection);
+ // revoke the role from user
+ statement.execute("REVOKE ROLE " + ROLENAME3 + " FROM USER " + USER2_1);
+ statement.execute("REVOKE ROLE " + ROLENAME3 + " FROM USER " + USER4_1);
+
+ resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER2_1);
+ verifyResultRoles(resultSet, emptyRoleSet);
+
+ resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER4_1);
+ verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME2.toLowerCase()));
+ statement.close();
+ connection.close();
+ }
+
+ @Test
+ public void testShowGrantNotExistGroup() throws Exception {
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+ //group1 does not exist in db;
+ ResultSet res = statement.executeQuery("SHOW ROLE GRANT GROUP group1");
+
+ List<String> expectedResult = new ArrayList<String>();
+ List<String> returnedResult = new ArrayList<String>();
+
+ while (res.next()) {
+ returnedResult.add(res.getString(1).trim());
+ }
+ validateReturnedResult(expectedResult, returnedResult);
+ returnedResult.clear();
+ expectedResult.clear();
+
+ statement.close();
+ connection.close();
+
+ }
+
+ @Test
+ public void testAuthorizationForUsersWithRoles() throws Exception {
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+ statement.execute("CREATE TABLE t1 (c1 string)");
+ statement.execute("CREATE TABLE t2 (c1 string)");
+ statement.execute("CREATE TABLE t3 (c1 string)");
+ statement.execute("GRANT SELECT ON TABLE t1 TO ROLE " + ROLENAME1);
+ statement.execute("GRANT SELECT ON TABLE t2 TO ROLE " + ROLENAME2);
+ statement.execute("GRANT SELECT ON TABLE t3 TO ROLE " + ROLENAME3);
+ statement.close();
+ connection.close();
+
+ // user1 can access the t1
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+ statement.execute("select c1 from t1");
+ try {
+ statement.execute("select c1 from t2");
+ fail("Can't access the table t2");
+ } catch (Exception e) {
+ // excepted exception
+ }
+ try {
+ statement.execute("select c1 from t3");
+ fail("Can't access the table t3");
+ } catch (Exception e) {
+ // excepted exception
+ }
+ statement.close();
+ connection.close();
+
+ // user2 can access the t2, t3
+ connection = context.createConnection(USER2_1);
+ statement = context.createStatement(connection);
+ try {
+ statement.execute("select c1 from t1");
+ fail("Can't access the table t1");
+ } catch (Exception e) {
+ // excepted exception
+ }
+ statement.execute("select c1 from t2");
+ statement.execute("select c1 from t3");
+ statement.close();
+ connection.close();
+
+ // user3 can access the t2
+ connection = context.createConnection(USER3_1);
+ statement = context.createStatement(connection);
+ try {
+ statement.execute("select c1 from t1");
+ fail("Can't access the table t1");
+ } catch (Exception e) {
+ // excepted exception
+ }
+ statement.execute("select c1 from t2");
+ try {
+ statement.execute("select c1 from t3");
+ fail("Can't access the table t3");
+ } catch (Exception e) {
+ // excepted exception
+ }
+ statement.close();
+ connection.close();
+
+ // user4 can access the t2,t3
+ connection = context.createConnection(USER4_1);
+ statement = context.createStatement(connection);
+ try {
+ statement.execute("select c1 from t1");
+ fail("Can't access the table t1");
+ } catch (Exception e) {
+ // excepted exception
+ }
+ statement.execute("select c1 from t2");
+ statement.execute("select c1 from t3");
+ statement.close();
+ connection.close();
+ }
+
+ private void verifyResultRoles(ResultSet resultSet, Set<String> exceptedRoles) throws Exception {
+ int size = 0;
+ while (resultSet.next()) {
+ String tempRole = resultSet.getString(1);
+ LOGGER.debug("tempRole:" + tempRole);
+ assertTrue(exceptedRoles.contains(tempRole));
+ size++;
+ }
+ assertEquals(exceptedRoles.size(), size);
+ resultSet.close();
+ }
+}