Posted to commits@sentry.apache.org by co...@apache.org on 2016/04/22 08:28:26 UTC
[06/13] sentry git commit: SENTRY-999: Refactor the sentry to
integrate with external components quickly (Colin Ma, reviewed by Dapeng Sun)
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestCommonPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestCommonPrivilege.java b/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestCommonPrivilege.java
new file mode 100644
index 0000000..3f60b19
--- /dev/null
+++ b/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestCommonPrivilege.java
@@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.common;
+
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.junit.Before;
+import org.junit.Test;
+import java.util.List;
+
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertTrue;
+import static junit.framework.Assert.assertFalse;
+
+public class TestCommonPrivilege {
+
+ private Model testModel;
+
+ @Before
+ public void prepareData() {
+ testModel = new ModelForTest();
+ }
+
+ @Test
+ public void testCreateCommonPrivilege() throws Exception {
+ String privilegeHiveStr = "server=server1->db=db1->table=table1->column=column1->action=select";
+ String privilegeSolrStr = "server=server1->collection=col1->action=update";
+ String privilegeSqoopStr = "server=server1->link=link1->action=read";
+
+ CommonPrivilege privilegeHive = new CommonPrivilege(privilegeHiveStr);
+ CommonPrivilege privilegeSolr = new CommonPrivilege(privilegeSolrStr);
+ CommonPrivilege privilegeSqoop = new CommonPrivilege(privilegeSqoopStr);
+
+ List<KeyValue> keyValues = privilegeHive.getParts();
+ assertEquals(5, keyValues.size());
+ // test the value and the order
+ assertEquals("server", keyValues.get(0).getKey());
+ assertEquals("server1", keyValues.get(0).getValue());
+ assertEquals("db", keyValues.get(1).getKey());
+ assertEquals("db1", keyValues.get(1).getValue());
+ assertEquals("table", keyValues.get(2).getKey());
+ assertEquals("table1", keyValues.get(2).getValue());
+ assertEquals("column", keyValues.get(3).getKey());
+ assertEquals("column1", keyValues.get(3).getValue());
+ assertEquals("action", keyValues.get(4).getKey());
+ assertEquals("select", keyValues.get(4).getValue());
+
+ keyValues = privilegeSolr.getParts();
+ assertEquals(3, keyValues.size());
+ assertEquals("server", keyValues.get(0).getKey());
+ assertEquals("server1", keyValues.get(0).getValue());
+ assertEquals("collection", keyValues.get(1).getKey());
+ assertEquals("col1", keyValues.get(1).getValue());
+ assertEquals("action", keyValues.get(2).getKey());
+ assertEquals("update", keyValues.get(2).getValue());
+
+ keyValues = privilegeSqoop.getParts();
+ assertEquals(3, keyValues.size());
+ assertEquals("server", keyValues.get(0).getKey());
+ assertEquals("server1", keyValues.get(0).getValue());
+ assertEquals("link", keyValues.get(1).getKey());
+ assertEquals("link1", keyValues.get(1).getValue());
+ assertEquals("action", keyValues.get(2).getKey());
+ assertEquals("read", keyValues.get(2).getValue());
+ }
+
+ @Test
+ public void testImplyCommonPrivilegeWithoutAction() throws Exception {
+
+ CommonPrivilege requestPrivilege = new CommonPrivilege("server=server1->db=db1->table=table1");
+ CommonPrivilege privilegForTest1 = new CommonPrivilege("server=server1->db=db1->table=table1");
+ CommonPrivilege privilegForTest2 = new CommonPrivilege("server=server1->db=db1");
+ CommonPrivilege privilegForTest3 = new CommonPrivilege("server=server1->db=db1->table=table2");
+ CommonPrivilege privilegForTest4 = new CommonPrivilege("server=server1->db=db1->table=table1->column=col1");
+ CommonPrivilege privilegForTest5 = new CommonPrivilege("server=server1->db=db1->table=table1->column=*");
+
+ assertTrue(privilegForTest1.implies(requestPrivilege, testModel));
+ assertTrue(privilegForTest2.implies(requestPrivilege, testModel));
+ assertFalse(privilegForTest3.implies(requestPrivilege, testModel));
+ assertFalse(privilegForTest4.implies(requestPrivilege, testModel));
+ assertTrue(privilegForTest5.implies(requestPrivilege, testModel));
+ }
+
+ @Test
+ public void testImplyCommonPrivilegeWithUrl() throws Exception {
+
+ CommonPrivilege requestPrivilege = new CommonPrivilege("server=server1->uri=hdfs:///url/for/request");
+ CommonPrivilege privilegForTest1 = new CommonPrivilege("server=server1->uri=hdfs:///url");
+ CommonPrivilege privilegForTest2 = new CommonPrivilege("server=server1->uri=hdfs:///url/for/request");
+ CommonPrivilege privilegForTest3 = new CommonPrivilege("server=server1->uri=hdfs:///url/unvalid/for/request");
+
+ assertTrue(privilegForTest1.implies(requestPrivilege, testModel));
+ assertTrue(privilegForTest2.implies(requestPrivilege, testModel));
+ assertFalse(privilegForTest3.implies(requestPrivilege, testModel));
+ }
+
+ @Test
+ public void testImplyCommonPrivilegeForAction() throws Exception {
+ CommonPrivilege privilegForSelect = new CommonPrivilege("server=server1->db=db1->table=table1->action=select");
+ CommonPrivilege privilegForInsert = new CommonPrivilege("server=server1->db=db1->table=table1->action=insert");
+ CommonPrivilege privilegForAll = new CommonPrivilege("server=server1->db=db1->table=table1->action=all");
+
+ // the privilege should imply itself
+ assertTrue(privilegForSelect.implies(privilegForSelect, testModel));
+ assertTrue(privilegForInsert.implies(privilegForInsert, testModel));
+ assertTrue(privilegForAll.implies(privilegForAll, testModel));
+
+ // do the imply with the different action based on operate &
+ assertFalse(privilegForInsert.implies(privilegForSelect, testModel));
+ assertTrue(privilegForAll.implies(privilegForSelect, testModel));
+
+ assertFalse(privilegForSelect.implies(privilegForInsert, testModel));
+ assertTrue(privilegForAll.implies(privilegForInsert, testModel));
+
+ assertFalse(privilegForSelect.implies(privilegForAll, testModel));
+ assertFalse(privilegForInsert.implies(privilegForAll, testModel));
+ }
+
+ @Test
+ public void testImplyStringCaseSensitive() throws Exception {
+ CommonPrivilege privileg1 = new CommonPrivilege("server=server1->db=db1->table=table1->column=col1->action=select");
+ CommonPrivilege privileg2 = new CommonPrivilege("server=server1->db=db1->table=table1->column=CoL1->action=select");
+ CommonPrivilege privileg3 = new CommonPrivilege("server=SERver1->db=Db1->table=TAbLe1->column=col1->action=select");
+ CommonPrivilege privileg4 = new CommonPrivilege("SERVER=server1->DB=db1->TABLE=table1->COLUMN=col1->ACTION=select");
+
+ // column is case sensitive
+ assertFalse(privileg1.implies(privileg2, testModel));
+ // server, db, table is case insensitive
+ assertTrue(privileg1.implies(privileg3, testModel));
+ // key in privilege is case insensitive
+ assertTrue(privileg1.implies(privileg4, testModel));
+ }
+}
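Review bot: testImplyCommonPrivilegeWithUrl never pins the boundary of the URI prefix match: its only negative case, hdfs:///url/unvalid/for/request, diverges after a path separator, so an implementation that compared plain string prefixes would pass this test while also treating hdfs:///url as implying hdfs:///url2/anything. A sibling-prefix case closes that gap, e.g. `CommonPrivilege privilegForTest4 = new CommonPrivilege("server=server1->uri=hdfs:///ur");` followed by `assertFalse(privilegForTest4.implies(requestPrivilege, testModel));`. Whether CommonPrivilege.implies normalises the request path is not visible here; a request containing a `..` segment (expected not to be implied by the hdfs:///url grant) would pin that behaviour as well. Separately, the file imports the JUnit 3 `junit.framework.Assert` while the deleted TestKeyValue used `org.junit.Assert`; the `org.junit.Assert` static imports are the current API and keep the policy-common tests consistent.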
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestKeyValue.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestKeyValue.java b/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestKeyValue.java
deleted file mode 100644
index 0ab6569..0000000
--- a/sentry-policy/sentry-policy-common/src/test/java/org/apache/sentry/policy/common/TestKeyValue.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.common;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
-import static org.apache.sentry.policy.common.PolicyConstants.KV_JOINER;
-
-import org.junit.Test;
-
-public class TestKeyValue {
-
- @Test
- public void testWithSeparators() throws Exception {
- KeyValue kv = new KeyValue("URI=/u/h/w/t/partition=value/");
- assertEquals("URI", kv.getKey());
- assertEquals("/u/h/w/t/partition=value/", kv.getValue());
- }
-
- @Test(expected = IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- new KeyValue(KV_JOINER.join("", "b"));
- }
-
- @Test(expected = IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- new KeyValue(KV_JOINER.join("a", ""));
- }
-
- @Test
- public void testOneParameterConstructor() throws Exception {
- KeyValue kv1 = new KeyValue(KV_JOINER.join("k1", "v1"));
- KeyValue kv2 = new KeyValue(KV_JOINER.join("k1", "v1"));
- KeyValue kv3 = new KeyValue(KV_JOINER.join("k2", "v2"));
- doTest(kv1, kv2, kv3);
- }
-
- @Test
- public void testTwoParameterConstructor() throws Exception {
- KeyValue kv1 = new KeyValue("k1", "v1");
- KeyValue kv2 = new KeyValue("k1", "v1");
- KeyValue kv3 = new KeyValue("k2", "v2");
- doTest(kv1, kv2, kv3);
- }
-
- private void doTest(KeyValue kv1, KeyValue kv2, KeyValue kv3) {
- assertEquals(kv1, kv2);
- assertFalse(kv1.equals(kv3));
-
- assertEquals(kv1.toString(), kv2.toString());
- assertFalse(kv1.toString().equals(kv3.toString()));
-
- assertEquals(kv1.hashCode(), kv2.hashCode());
- assertFalse(kv1.hashCode() == kv3.hashCode());
-
- assertEquals(kv1.getKey(), kv2.getKey());
- assertFalse(kv1.getKey().equals(kv3.getKey()));
-
- assertEquals(kv1.getValue(), kv2.getValue());
- assertFalse(kv1.getValue().equals(kv3.getValue()));
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/pom.xml b/sentry-policy/sentry-policy-db/pom.xml
deleted file mode 100644
index 56206dc..0000000
--- a/sentry-policy/sentry-policy-db/pom.xml
+++ /dev/null
@@ -1,98 +0,0 @@
-<?xml version="1.0"?>
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements. See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-policy</artifactId>
- <version>1.8.0-SNAPSHOT</version>
- </parent>
-
- <artifactId>sentry-policy-db</artifactId>
- <name>Sentry Policy for Databases</name>
-
- <dependencies>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-common</artifactId>
- <scope>provided</scope>
- </dependency>
-
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-minicluster</artifactId>
- <scope>test</scope>
- </dependency>
-
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-core</artifactId>
- </dependency>
- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.hive</groupId>
- <artifactId>hive-beeline</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-core-common</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-core-model-db</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-common</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-file</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
- <artifactId>sentry-provider-common</artifactId>
- <scope>test</scope>
- <type>test-jar</type>
- <version>${project.version}</version>
- </dependency>
- </dependencies>
-
-</project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java
deleted file mode 100644
index 8bd311a..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.policy.common.PolicyConstants.PRIVILEGE_PREFIX;
-
-import java.util.List;
-
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.policy.common.PrivilegeValidator;
-import org.apache.shiro.config.ConfigurationException;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.Lists;
-
-public abstract class AbstractDBPrivilegeValidator implements PrivilegeValidator {
-
- @VisibleForTesting
- public static Iterable<DBModelAuthorizable> parsePrivilege(String string) {
- List<DBModelAuthorizable> result = Lists.newArrayList();
- for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
- // XXX this ugly hack is because action is not an authorizeable
- if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
- DBModelAuthorizable authorizable = DBModelAuthorizables.from(section);
- if(authorizable == null) {
- String msg = "No authorizable found for " + section;
- throw new ConfigurationException(msg);
- }
- result.add(authorizable);
- }
- }
- return result;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java
deleted file mode 100644
index 96b172d..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBModelAuthorizables.java
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Column;
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.core.model.db.View;
-import org.apache.sentry.policy.common.KeyValue;
-
-public class DBModelAuthorizables {
-
- public static DBModelAuthorizable from(KeyValue keyValue) {
- String prefix = keyValue.getKey().toLowerCase();
- String name = keyValue.getValue();
- for(AuthorizableType type : AuthorizableType.values()) {
- if(prefix.equalsIgnoreCase(type.name())) {
- if (prefix.equalsIgnoreCase(AuthorizableType.URI.toString())) {
- return from(type, name);
- } else {
- return from(type, name.toLowerCase());
- }
- }
- }
- return null;
- }
- public static DBModelAuthorizable from(String s) {
- return from(new KeyValue(s));
- }
-
- private static DBModelAuthorizable from(AuthorizableType type, String name) {
- switch (type) {
- case Server:
- return new Server(name);
- case Db:
- return new Database(name);
- case Table:
- return new Table(name);
- case View:
- return new View(name);
- case Column:
- return new Column(name);
- case URI:
- return new AccessURI(name);
- default:
- return null;
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java
deleted file mode 100644
index 116e0aa..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-// copied from apache shiro
-
-package org.apache.sentry.policy.db;
-
-import java.util.List;
-
-import org.apache.sentry.core.common.utils.PathUtils;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
-import org.apache.sentry.policy.common.PolicyConstants;
-import org.apache.sentry.policy.common.Privilege;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.apache.sentry.policy.common.KeyValue;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Preconditions;
-import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Lists;
-
-// XXX this class is made ugly by the fact that Action is not a Authorizable.
-public class DBWildcardPrivilege implements Privilege {
-
- private final ImmutableList<KeyValue> parts;
-
- public DBWildcardPrivilege(String wildcardString) {
- wildcardString = Strings.nullToEmpty(wildcardString).trim();
- if (wildcardString.isEmpty()) {
- throw new IllegalArgumentException("Wildcard string cannot be null or empty.");
- }
- List<KeyValue>parts = Lists.newArrayList();
- for (String authorizable : PolicyConstants.AUTHORIZABLE_SPLITTER.trimResults().split(
- wildcardString)) {
- if (authorizable.isEmpty()) {
- throw new IllegalArgumentException("Privilege '" + wildcardString + "' has an empty section");
- }
- parts.add(new KeyValue(authorizable));
- }
- if (parts.isEmpty()) {
- throw new AssertionError("Should never occur: " + wildcardString);
- }
- this.parts = ImmutableList.copyOf(parts);
- }
-
-
- @Override
- public boolean implies(Privilege p) {
- // By default only supports comparisons with other DBWildcardPermissions
- if (!(p instanceof DBWildcardPrivilege)) {
- return false;
- }
-
- DBWildcardPrivilege wp = (DBWildcardPrivilege) p;
-
- List<KeyValue> otherParts = wp.parts;
- if(equals(wp)) {
- return true;
- }
- int index = 0;
- for (KeyValue otherPart : otherParts) {
- // If this privilege has less parts than the other privilege, everything
- // after the number of parts contained
- // in this privilege is automatically implied, so return true
- if (parts.size() - 1 < index) {
- return true;
- } else {
- KeyValue part = parts.get(index);
- // Support for action inheritance from parent to child (eg. Db -> Table)
- if (part.getKey().equalsIgnoreCase("action") && !(otherPart.getKey().equalsIgnoreCase("action"))) {
- continue;
- }
- // are the keys even equal
- if(!part.getKey().equalsIgnoreCase(otherPart.getKey())) {
- return false;
- }
- if (!impliesKeyValue(part, otherPart)) {
- return false;
- }
- index++;
- }
- }
- // If this privilege has more parts than
- // the other parts, only imply it if
- // all of the other parts are wildcards
- for (; index < parts.size(); index++) {
- KeyValue part = parts.get(index);
- if (!part.getValue().equals(AccessConstants.ALL)) {
- return false;
- }
- }
-
- return true;
- }
-
- private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {
- Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()),
- "Please report, this method should not be called with two different keys");
- if(policyPart.getValue().equals(AccessConstants.ALL) ||
- policyPart.getValue().equalsIgnoreCase("ALL")) {
- return true;
- } else if (!PolicyConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey())
- && AccessConstants.ALL.equalsIgnoreCase(requestPart.getValue())) {
- /* privilege request is to match with any object of given type */
- return true;
- } else if (!PolicyConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey())
- && AccessConstants.SOME.equalsIgnoreCase(requestPart.getValue())) {
- /* privilege request is to match with any object of given type */
- return true;
- } else if(policyPart.getKey().equalsIgnoreCase(AuthorizableType.URI.name())) {
- return impliesURI(policyPart.getValue(), requestPart.getValue());
- }
- return policyPart.equals(requestPart);
- }
-
- @VisibleForTesting
- protected static boolean impliesURI(String privilege, String request) {
- return PathUtils.impliesURI(privilege, request);
- }
-
- @Override
- public String toString() {
- return PolicyConstants.AUTHORIZABLE_JOINER.join(parts);
- }
-
- @Override
- public boolean equals(Object o) {
- if (o instanceof DBWildcardPrivilege) {
- DBWildcardPrivilege wp = (DBWildcardPrivilege) o;
- return parts.equals(wp.parts);
- }
- return false;
- }
-
- @Override
- public int hashCode() {
- return parts.hashCode();
- }
-
- public static class DBWildcardPrivilegeFactory implements PrivilegeFactory {
- @Override
- public Privilege createPrivilege(String privilege) {
- return new DBWildcardPrivilege(privilege);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java
deleted file mode 100644
index d280c41..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-
-public class DatabaseMustMatch extends AbstractDBPrivilegeValidator {
-
- @Override
- public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
- String database = context.getDatabase();
- String privilege = context.getPrivilege();
- /*
- * Rule only applies to rules in per database policy file
- */
- if(database != null) {
- Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
- for(DBModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Database &&
- !database.equalsIgnoreCase(authorizable.getName())) {
- String msg = "Privilege " + privilege + " references db " +
- authorizable.getName() + ", but is only allowed to reference "
- + database;
- throw new ConfigurationException(msg);
- }
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java
deleted file mode 100644
index e89aa16..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-
-public class DatabaseRequiredInPrivilege extends AbstractDBPrivilegeValidator {
-
- @Override
- public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
- String database = context.getDatabase();
- String privilege = context.getPrivilege();
- /*
- * Rule only applies to rules in per database policy file
- */
- if(database != null) {
- Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
- /*
- * Each permission in a non-global file must have a database
- * object except for URIs.
- *
- * We allow URIs to be specified in the per DB policy file for
- * ease of mangeability. URIs will contain to remain server scope
- * objects.
- */
- boolean foundDatabaseInAuthorizables = false;
- boolean foundURIInAuthorizables = false;
- boolean allowURIInAuthorizables = false;
-
- if ("true".equalsIgnoreCase(
- System.getProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE))) {
- allowURIInAuthorizables = true;
- }
-
- for(DBModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Database) {
- foundDatabaseInAuthorizables = true;
- }
- if (authorizable instanceof AccessURI) {
- if (foundDatabaseInAuthorizables) {
- String msg = "URI object is specified at DB scope in " + privilege;
- throw new ConfigurationException(msg);
- }
- foundURIInAuthorizables = true;
- }
- }
- if(!foundDatabaseInAuthorizables && !(foundURIInAuthorizables && allowURIInAuthorizables)) {
- String msg = "Missing database object in " + privilege;
- throw new ConfigurationException(msg);
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
deleted file mode 100644
index 1848a32..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-
-public class ServerNameMustMatch extends AbstractDBPrivilegeValidator {
-
- private final String serverName;
- public ServerNameMustMatch(String serverName) {
- this.serverName = serverName;
- }
- @Override
- public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
- String privilege = context.getPrivilege();
- Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
- for(DBModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Server && !serverName.equalsIgnoreCase(authorizable.getName())) {
- String msg = "Server name " + authorizable.getName() + " in "
- + privilege + " is invalid. Expected " + serverName;
- throw new ConfigurationException(msg);
- }
- }
- }
-
-}
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
deleted file mode 100644
index b729ec3..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-
-public class ServersAllIsInvalid extends AbstractDBPrivilegeValidator {
-
- @Override
- public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
- String privilege = context.getPrivilege();
- Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
- for(DBModelAuthorizable authorizable : authorizables) {
- if(authorizable instanceof Server &&
- authorizable.getName().equals(Server.ALL.getName())) {
- String msg = "Invalid value for " + authorizable.getAuthzType() + " in " + privilege;
- throw new ConfigurationException(msg);
- }
- }
- }
-
-}
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
deleted file mode 100644
index 9d25592..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.util.Set;
-
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.PrivilegeValidator;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.ImmutableSet;
-
-public class SimpleDBPolicyEngine implements PolicyEngine {
-
- private static final Logger LOGGER = LoggerFactory
- .getLogger(SimpleDBPolicyEngine.class);
-
- public final static String ACCESS_ALLOW_URI_PER_DB_POLICYFILE = "sentry.allow.uri.db.policyfile";
-
- private final ProviderBackend providerBackend;
-
- public SimpleDBPolicyEngine(String serverName, ProviderBackend providerBackend) {
- this.providerBackend = providerBackend;
- ProviderBackendContext context = new ProviderBackendContext();
- context.setAllowPerDatabase(true);
- context.setValidators(createPrivilegeValidators(serverName));
- this.providerBackend.initialize(context);
- }
-
- /**
- * {@inheritDoc}
- */
- @Override
- public PrivilegeFactory getPrivilegeFactory() {
- return new DBWildcardPrivilege.DBWildcardPrivilegeFactory();
- }
-
-
-
- @Override
- public ImmutableSet<String> getAllPrivileges(Set<String> groups,
- ActiveRoleSet roleSet) throws SentryConfigurationException {
- return getPrivileges(groups, roleSet);
- }
-
- @Override
- public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet) throws SentryConfigurationException {
- return getPrivileges(groups, users, roleSet);
- }
-
- /**
- * {@inheritDoc}
- */
- @Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
- throws SentryConfigurationException {
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("Getting permissions for {}", groups);
- }
- ImmutableSet<String> result = providerBackend.getPrivileges(groups, roleSet, authorizableHierarchy);
- if(LOGGER.isDebugEnabled()) {
- LOGGER.debug("result = " + result);
- }
- return result;
- }
-
- @Override
- public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users,
- ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
- throws SentryConfigurationException {
- if (LOGGER.isDebugEnabled()) {
- LOGGER.debug("Getting permissions for groups: {}, users: {}", groups, users);
- }
- ImmutableSet<String> result = providerBackend.getPrivileges(groups, users, roleSet,
- authorizableHierarchy);
- if (LOGGER.isDebugEnabled()) {
- LOGGER.debug("result = " + result);
- }
- return result;
- }
-
- @Override
- public void validatePolicy(boolean strictValidation) throws SentryConfigurationException {
- this.providerBackend.validatePolicy(strictValidation);
- }
-
- @Override
- public void close() {
- if (providerBackend != null) {
- providerBackend.close();
- }
- }
-
- public static ImmutableList<PrivilegeValidator> createPrivilegeValidators(String serverName) {
- return ImmutableList.<PrivilegeValidator>of(new ServersAllIsInvalid(), new DatabaseMustMatch(),
- new DatabaseRequiredInPrivilege(), new ServerNameMustMatch(serverName));
- }
-}
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
deleted file mode 100644
index 0a65b2c..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
+++ /dev/null
@@ -1,156 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.junit.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public abstract class AbstractTestSimplePolicyEngine {
- private static final String PERM_SERVER1_CUSTOMERS_SELECT = "server=server1->db=customers->table=purchases->action=select";
- private static final String PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT = "server=server1->db=customers->table=purchases_partial->action=select";
- private static final String PERM_SERVER1_ANALYST_ALL = "server=server1->db=analyst1";
- private static final String PERM_SERVER1_JUNIOR_ANALYST_ALL = "server=server1->db=jranalyst1";
- private static final String PERM_SERVER1_JUNIOR_ANALYST_READ = "server=server1->db=jranalyst1->table=*->action=select";
- private static final String PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT = "server=server1->db=other_group_db->table=purchases->action=select";
-
- private static final String PERM_SERVER1_ADMIN = "server=server1";
- private PolicyEngine policy;
- private static File baseDir;
-
- @BeforeClass
- public static void setupClazz() throws IOException {
- baseDir = Files.createTempDir();
- }
-
- @AfterClass
- public static void teardownClazz() throws IOException {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- protected void setPolicy(PolicyEngine policy) {
- this.policy = policy;
- }
- protected static File getBaseDir() {
- return baseDir;
- }
- @Before
- public void setup() throws IOException {
- afterSetup();
- }
- @After
- public void teardown() throws IOException {
- beforeTeardown();
- }
- protected void afterSetup() throws IOException {
-
- }
-
- protected void beforeTeardown() throws IOException {
-
- }
-
- @Test
- public void testManager() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
- PERM_SERVER1_JUNIOR_ANALYST_ALL, PERM_SERVER1_JUNIOR_ANALYST_READ,
- PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT
- ));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("manager"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
- PERM_SERVER1_JUNIOR_ANALYST_READ));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("analyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testJuniorAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
- PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAdmin() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(PERM_SERVER1_ADMIN));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("admin"), ActiveRoleSet.ALL))
- .toString());
- }
-
-
- @Test
- public void testOtherGroup() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testDbAll() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
- PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testDbAllforOtherGroup() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL))
- .toString());
- }
-
- private static Set<String> set(String... values) {
- return Sets.newHashSet(values);
- }
-}
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
deleted file mode 100644
index 9dc63e4..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.IOException;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-
-public class DBPolicyFileBackend extends SimpleDBPolicyEngine {
- public DBPolicyFileBackend(String server, String resource) throws IOException{
- super(server, new SimpleFileProviderBackend(new Configuration(), resource));
- }
-}
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
deleted file mode 100644
index ad14278..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.core.model.db.View;
-import org.junit.Test;
-
-public class TestDBModelAuthorizables {
-
- @Test
- public void testServer() throws Exception {
- Server server = (Server)DBModelAuthorizables.from("SeRvEr=server1");
- assertEquals("server1", server.getName());
- }
- @Test
- public void testDb() throws Exception {
- Database db = (Database)DBModelAuthorizables.from("dB=db1");
- assertEquals("db1", db.getName());
- }
- @Test
- public void testTable() throws Exception {
- Table table = (Table)DBModelAuthorizables.from("tAbLe=t1");
- assertEquals("t1", table.getName());
- }
- @Test
- public void testView() throws Exception {
- View view = (View)DBModelAuthorizables.from("vIeW=v1");
- assertEquals("v1", view.getName());
- }
- @Test
- public void testURI() throws Exception {
- AccessURI uri = (AccessURI)DBModelAuthorizables.from("UrI=hdfs://uri1:8200/blah");
- assertEquals("hdfs://uri1:8200/blah", uri.getName());
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testNoKV() throws Exception {
- System.out.println(DBModelAuthorizables.from("nonsense"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(DBModelAuthorizables.from("=v"));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(DBModelAuthorizables.from("k="));
- }
- @Test
- public void testNotAuthorizable() throws Exception {
- assertNull(DBModelAuthorizables.from("k=v"));
- }
-}
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
deleted file mode 100644
index aa6fccd..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
+++ /dev/null
@@ -1,335 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-import static org.apache.sentry.policy.common.PolicyConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.policy.common.PolicyConstants.KV_JOINER;
-import static org.apache.sentry.policy.common.PolicyConstants.KV_SEPARATOR;
-
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.policy.common.Privilege;
-import org.apache.sentry.policy.common.KeyValue;
-import org.junit.Test;
-
-public class TestDBWildcardPrivilege extends org.junit.Assert {
-
- private static final String ALL = AccessConstants.ALL;
-
- private static final Privilege ROLE_SERVER_SERVER1_DB_ALL =
- create(new KeyValue("server", "server1"), new KeyValue("db", ALL));
- private static final Privilege ROLE_SERVER_SERVER1_DB_DB1 =
- create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
- private static final Privilege ROLE_SERVER_SERVER2_DB_ALL =
- create(new KeyValue("server", "server2"), new KeyValue("db", ALL));
- private static final Privilege ROLE_SERVER_SERVER2_DB_DB1 =
- create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
- private static final Privilege ROLE_SERVER_ALL_DB_ALL =
- create(new KeyValue("server", ALL), new KeyValue("db", ALL));
- private static final Privilege ROLE_SERVER_ALL_DB_DB1 =
- create(new KeyValue("server", ALL), new KeyValue("db", "db1"));
-
- private static final Privilege ROLE_SERVER_SERVER1_URI_URI1 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri1"));
- private static final Privilege ROLE_SERVER_SERVER1_URI_URI2 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri2/"));
- private static final Privilege ROLE_SERVER_SERVER1_URI_ALL =
- create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
-
-
- private static final Privilege ROLE_SERVER_SERVER1 =
- create(new KeyValue("server", "server1"));
-
-
- private static final Privilege REQUEST_SERVER1_DB1 =
- create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
- private static final Privilege REQUEST_SERVER2_DB1 =
- create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
- private static final Privilege REQUEST_SERVER1_DB2 =
- create(new KeyValue("server", "server1"), new KeyValue("db", "db2"));
- private static final Privilege REQUEST_SERVER2_DB2 =
- create(new KeyValue("server", "server2"), new KeyValue("db", "db2"));
-
- private static final Privilege REQUEST_SERVER1_URI1 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri1/some/file"));
- private static final Privilege REQUEST_SERVER1_URI2 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri2/some/other/file"));
-
- private static final Privilege REQUEST_SERVER1_OTHER =
- create(new KeyValue("server", "server2"), new KeyValue("other", "thing"));
-
- private static final Privilege REQUEST_SERVER1 =
- create(new KeyValue("server", "server2"));
-
- @Test
- public void testOther() throws Exception {
- assertFalse(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_OTHER));
- assertFalse(REQUEST_SERVER1_OTHER.implies(ROLE_SERVER_ALL_DB_ALL));
- }
- @Test
- public void testRoleShorterThanRequest() throws Exception {
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB2));
-
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1));
- }
- @Test
- public void testRolesAndRequests() throws Exception {
- // ROLE_SERVER_SERVER1_DB_ALL
- assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB1));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB1));
- assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
- assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
- assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
-
- // ROLE_SERVER_SERVER1_DB_DB1
- assertTrue(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB1));
- assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
-
- // ROLE_SERVER_SERVER2_DB_ALL
- assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB2));
- assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
-
- // ROLE_SERVER_SERVER2_DB_DB1
- assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
- assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
-
- // ROLE_SERVER_ALL_DB_ALL
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB1));
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB2));
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
- assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
-
- // ROLE_SERVER_ALL_DB_DB1
- assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
-
- // uri
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI1));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI1));
- assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI1));
- assertFalse(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI2));
- assertFalse(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI1));
- assertFalse(REQUEST_SERVER2_DB2.implies(REQUEST_SERVER1_URI1));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_URI1));
- // test inverse
- assertTrue(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_ALL));
- assertTrue(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_ALL));
- assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1));
- assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI1));
- assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI1));
- assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI2));
- assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI2));
- };
- @Test
- public void testUnexpected() throws Exception {
- Privilege p = new Privilege() {
- @Override
- public boolean implies(Privilege p) {
- return false;
- }
- };
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p));
-
- assertEquals(ROLE_SERVER_SERVER1_DB_ALL.hashCode(),
- create(ROLE_SERVER_SERVER1_DB_ALL.toString()).hashCode());
- }
- @Test(expected=IllegalArgumentException.class)
- public void testNullString() throws Exception {
- System.out.println(create((String)null));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyString() throws Exception {
- System.out.println(create(""));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(create(KV_JOINER.join("", "db1")));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(create(KV_JOINER.join("db", "")));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyPart() throws Exception {
- System.out.println(create(AUTHORIZABLE_JOINER.
- join(KV_JOINER.join("server", "server1"), "")));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testOnlySeperators() throws Exception {
- System.out.println(create(AUTHORIZABLE_JOINER.
- join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
- }
- @Test
- public void testImpliesURIPositive() throws Exception {
- assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/path/to/some/dir"));
- assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/path"));
- assertTrue(DBWildcardPrivilege.impliesURI("file:///path",
- "file:///path/to/some/dir"));
- assertTrue(DBWildcardPrivilege.impliesURI("file:///path",
- "file:///path"));
- }
- @Test
- public void testImpliesURINegative() throws Exception {
- // relative path
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/path/to/../../other"));
- assertFalse(DBWildcardPrivilege.impliesURI("file:///path",
- "file:///path/to/../../other"));
- // bad policy
- assertFalse(DBWildcardPrivilege.impliesURI("blah",
- "hdfs://namenode:8020/path/to/some/dir"));
- // bad request
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "blah"));
- // scheme
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "file:///path/to/some/dir"));
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "file://namenode:8020/path/to/some/dir"));
- // hostname
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode1:8020/path",
- "hdfs://namenode2:8020/path/to/some/dir"));
- // port
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8021/path/to/some/dir"));
- // mangled path
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/pathFooBar"));
- // ends in /
- assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path/",
- "hdfs://namenode:8020/path/FooBar"));
- }
- @Test
- public void testActionHierarchy() throws Exception {
- String dbName = "db1";
- DBWildcardPrivilege dbAll = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "ALL"));
-
- DBWildcardPrivilege dbSelect = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "SELECT"));
- DBWildcardPrivilege dbInsert = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "INSERT"));
- DBWildcardPrivilege dbAlter = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "ALTER"));
- DBWildcardPrivilege dbCreate = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "CREATE"));
- DBWildcardPrivilege dbDrop = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "DROP"));
- DBWildcardPrivilege dbIndex = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "INDEX"));
- DBWildcardPrivilege dbLock = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "LOCK"));
-
- assertTrue(dbAll.implies(dbSelect));
- assertTrue(dbAll.implies(dbInsert));
- assertTrue(dbAll.implies(dbAlter));
- assertTrue(dbAll.implies(dbCreate));
- assertTrue(dbAll.implies(dbDrop));
- assertTrue(dbAll.implies(dbIndex));
- assertTrue(dbAll.implies(dbLock));
-
- dbAll = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "*"));
-
- assertTrue(dbAll.implies(dbSelect));
- assertTrue(dbAll.implies(dbInsert));
- assertTrue(dbAll.implies(dbAlter));
- assertTrue(dbAll.implies(dbCreate));
- assertTrue(dbAll.implies(dbDrop));
- assertTrue(dbAll.implies(dbIndex));
- assertTrue(dbAll.implies(dbLock));
-
- dbAll = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName));
-
- assertTrue(dbAll.implies(dbSelect));
- assertTrue(dbAll.implies(dbInsert));
- assertTrue(dbAll.implies(dbAlter));
- assertTrue(dbAll.implies(dbCreate));
- assertTrue(dbAll.implies(dbDrop));
- assertTrue(dbAll.implies(dbIndex));
- assertTrue(dbAll.implies(dbLock));
-
- }
- static DBWildcardPrivilege create(KeyValue... keyValues) {
- return create(AUTHORIZABLE_JOINER.join(keyValues));
-
- }
- static DBWildcardPrivilege create(String s) {
- return new DBWildcardPrivilege(s);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
deleted file mode 100644
index c08a4f4..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.junit.Assert;
-
-import org.apache.sentry.policy.common.PrivilegeValidatorContext;
-import org.apache.shiro.config.ConfigurationException;
-import org.junit.Test;
-
-public class TestDatabaseRequiredInRole {
-
- @Test
- public void testURIInPerDbPolicyFile() throws Exception {
- DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
- System.setProperty("sentry.allow.uri.db.policyfile", "true");
- dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
- "server=server1->URI=file:///user/db/warehouse/tab1"));
- System.setProperty("sentry.allow.uri.db.policyfile", "false");
- }
-
- @Test
- public void testURIWithDBInPerDbPolicyFile() throws Exception {
- DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
- try {
- dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
- "server=server1->db=db1->URI=file:///user/db/warehouse/tab1"));
- Assert.fail("Expected ConfigurationException");
- } catch (ConfigurationException e) {
- // expected
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/d94e900a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
deleted file mode 100644
index fc21ceb..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.File;
-import java.io.IOException;
-
-import org.junit.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Charsets;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestPolicyParsingNegative {
-
- @SuppressWarnings("unused")
- private static final Logger LOGGER = LoggerFactory
- .getLogger(TestPolicyParsingNegative.class);
-
- private File baseDir;
- private File globalPolicyFile;
- private File otherPolicyFile;
-
- @Before
- public void setup() {
- baseDir = Files.createTempDir();
- globalPolicyFile = new File(baseDir, "global.ini");
- otherPolicyFile = new File(baseDir, "other.ini");
- }
-
- @After
- public void teardown() {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- private void append(String from, File to) throws IOException {
- Files.append(from + "\n", to, Charsets.UTF_8);
- }
-
- @Test
- public void testUnauthorizedDbSpecifiedInDBPolicyFile() throws Exception {
- append("[databases]", globalPolicyFile);
- append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
- append("[groups]", otherPolicyFile);
- append("other_group = malicious_role", otherPolicyFile);
- append("[roles]", otherPolicyFile);
- append("malicious_role = server=server1->db=customers->table=purchases->action=select", otherPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
- @Test
- public void testPerDbFileCannotContainUsersOrDatabases() throws Exception {
- PolicyEngine policy;
- ImmutableSet<String> permissions;
- PolicyFile policyFile;
- // test sanity
- policyFile = PolicyFile.setAdminOnServer1("admin");
- policyFile.addGroupsToUser("admin1", "admin");
- policyFile.write(globalPolicyFile);
- policyFile.write(otherPolicyFile);
- policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), "[server=server1]");
- // test to ensure [users] fails parsing of per-db file
- policyFile.addDatabase("other", otherPolicyFile.getPath());
- policyFile.write(globalPolicyFile);
- policyFile.write(otherPolicyFile);
- policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), "[server=server1]");
- // test to ensure [databases] fails parsing of per-db file
- // by removing the user mapping from the per-db policy file
- policyFile.removeGroupsFromUser("admin1", "admin")
- .write(otherPolicyFile);
- policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), "[server=server1]");
- }
-
- @Test
- public void testDatabaseRequiredInRole() throws Exception {
- append("[databases]", globalPolicyFile);
- append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
- append("[groups]", otherPolicyFile);
- append("other_group = malicious_role", otherPolicyFile);
- append("[roles]", otherPolicyFile);
- append("malicious_role = server=server1", otherPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testServerAll() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = server=*", globalPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testServerIncorrect() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = server=server2", globalPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testAll() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = *", globalPolicyFile);
- PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- /**
- * Create policy file with multiple per db files.
- * Verify that a file with bad format is the only one that's ignored
- * @throws Exception
- */
- @Test
- public void testMultiDbWithErrors() throws Exception {
- File db1PolicyFile = new File(baseDir, "db1.ini");
- File db2PolicyFile = new File(baseDir, "db2.ini");
-
- // global policy file
- append("[databases]", globalPolicyFile);
- append("db1 = " + db1PolicyFile.getPath(), globalPolicyFile);
- append("db2 = " + db2PolicyFile.getPath(), globalPolicyFile);
- append("[groups]", globalPolicyFile);
- append("db3_group = db3_rule", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("db3_rule = server=server1->db=db3->table=sales->action=select", globalPolicyFile);
-
- //db1 policy file with badly formatted rule
- append("[groups]", db1PolicyFile);
- append("db1_group = bad_rule", db1PolicyFile);
- append("[roles]", db1PolicyFile);
- append("bad_rule = server=server1->db=customers->=purchases->action=", db1PolicyFile);
-
- //db2 policy file with proper rule
- append("[groups]", db2PolicyFile);
- append("db2_group = db2_rule", db2PolicyFile);
- append("[roles]", db2PolicyFile);
- append("db2_rule = server=server1->db=db2->table=purchases->action=select", db2PolicyFile);
-
- PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
-
- // verify that the db1 rule is empty
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("db1_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
-
- permissions = policy.getAllPrivileges(Sets.newHashSet("db2_group"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), 1, permissions.size());
- }
-}