Posted to commits@sentry.apache.org by sd...@apache.org on 2015/11/05 02:44:47 UTC
[19/25] incubator-sentry git commit: SENTRY-769: [Improve error
handling] Make sure groups in list_sentry_privileges_for_provider is not
empty ( Colin Ma, Reviewed by: Sravya Tirukkovalur)
SENTRY-769: [Improve error handling] Make sure groups in list_sentry_privileges_for_provider is not empty ( Colin Ma, Reviewed by: Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/c69350b0
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/c69350b0
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/c69350b0
Branch: refs/heads/hive_plugin_v2
Commit: c69350b0a85054954500de306f4613c98798555d
Parents: 89a906a
Author: Sravya Tirukkovalur <sr...@cloudera.com>
Authored: Sun Oct 11 22:31:10 2015 -0700
Committer: Sun Dapeng <sd...@apache.org>
Committed: Mon Nov 2 16:37:06 2015 +0800
----------------------------------------------------------------------
.../binding/hive/TestHiveAuthzBindings.java | 4 +-
.../binding/solr/TestSolrAuthzBinding.java | 65 +++++++++++++++-----
.../common/HadoopGroupMappingService.java | 14 +++--
.../common/SentryGroupNotFoundException.java | 61 ++++++++++++++++++
.../provider/file/LocalGroupMappingService.java | 10 +--
.../provider/file/TestLocalGroupMapping.java | 8 ++-
.../sentry/test-authz-provider.ini | 1 +
.../SentryIndexAuthorizationSingletonTest.java | 34 +++++++---
.../tests/e2e/hive/TestUserManagement.java | 46 +++++++++++++-
.../metastore/TestAuthorizingObjectStore.java | 44 ++++++-------
.../solr/sentry/test-authz-provider.ini | 4 +-
11 files changed, 227 insertions(+), 64 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
index 0622b43..1fac0c7 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
@@ -42,6 +42,7 @@ import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.core.model.db.Table;
+import org.apache.sentry.provider.common.SentryGroupNotFoundException;
import org.apache.sentry.provider.file.PolicyFiles;
import org.junit.After;
import org.junit.Before;
@@ -299,7 +300,8 @@ public class TestHiveAuthzBindings {
testAuth.authorize(HiveOperation.CREATEFUNCTION, createFuncPrivileges, ANALYST_SUBJECT,
inputTabHierarcyList, outputTabHierarcyList);
}
- @Test(expected=AuthorizationException.class)
+
+ @Test(expected = SentryGroupNotFoundException.class)
public void testValidateCreateFunctionRejectionForUnknownUser() throws Exception {
inputTabHierarcyList.add(Arrays.asList(new DBModelAuthorizable[] {
new Server(SERVER1), new AccessURI("file:///path/to/some/lib/dir/my.jar")
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index c37f8ff..c0445ab 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -43,6 +43,7 @@ import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.search.Collection;
import org.apache.sentry.core.model.search.SearchModelAction;
+import org.apache.sentry.provider.common.SentryGroupNotFoundException;
import org.apache.sentry.provider.file.PolicyFiles;
import org.junit.After;
import org.junit.Before;
@@ -181,14 +182,38 @@ public class TestSolrAuthzBinding {
Set<String> emptyList = Collections.emptySet();
// check non-existant users
- assertEquals(binding.getGroups(null), emptyList);
- assertEquals(binding.getGroups("nonExistantUser"), emptyList);
+ try {
+ binding.getGroups(null);
+ Assert.fail("Expected SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException e) {
+ }
+ try {
+ binding.getGroups("nonExistantUser");
+ Assert.fail("Expected SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException e) {
+ }
// check group names don't map to user names
- assertEquals(binding.getGroups("corporal"), emptyList);
- assertEquals(binding.getGroups("sergeant"), emptyList);
- assertEquals(binding.getGroups("general"), emptyList);
- assertEquals(binding.getGroups("othergeneralgroup"), emptyList);
+ try {
+ binding.getGroups("corporal");
+ Assert.fail("Expected SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException e) {
+ }
+ try {
+ binding.getGroups("sergeant");
+ Assert.fail("Expected SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException e) {
+ }
+ try {
+ binding.getGroups("general");
+ Assert.fail("Expected SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException e) {
+ }
+ try {
+ binding.getGroups("othergeneralgroup");
+ Assert.fail("Expected SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException e) {
+ }
// check valid group names
assertEquals(binding.getGroups("corporal1"), Sets.newHashSet("corporal"));
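Review bot: The six try/fail/catch blocks added here each end in an empty `catch (SentryGroupNotFoundException e) { }`, so the same five lines are repeated per user name and nothing says why the catch is empty. A small private helper that takes the binding and the user name would state the expectation once. The same pattern recurs in the getRoles and authorizeCollection hunks below and in TestLocalGroupMapping. The enclosing test method starts outside this hunk, so whether `emptyList` is still used after these removals cannot be seen from here and should be checked.

```java
private static void assertGroupNotFound(SolrAuthzBinding binding, String user) throws Exception {
  try {
    binding.getGroups(user);
    Assert.fail("Expected SentryGroupNotFoundException for user " + user);
  } catch (SentryGroupNotFoundException expected) {
    // the lookup must fail for a user that has no group mapping
  }
}

// … unchanged: binding setup …
assertGroupNotFound(binding, null);
assertGroupNotFound(binding, "nonExistantUser");
// … likewise for "corporal", "sergeant", "general", "othergeneralgroup" …
```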
@@ -207,19 +232,27 @@ public class TestSolrAuthzBinding {
SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
Set<String> emptySet = Collections.emptySet();
- // check non-existant users
- assertEquals(binding.getRoles(null), emptySet);
- assertEquals(binding.getRoles("nonExistantUser"), emptySet);
-
// check user with undefined group
assertEquals(binding.getRoles("undefinedGroupUser"), emptySet);
// check group with undefined role
assertEquals(binding.getRoles("undefinedRoleUser"), emptySet);
// check role names don't map in the other direction
- assertEquals(binding.getRoles("corporal_role"), emptySet);
- assertEquals(binding.getRoles("sergeant_role"), emptySet);
- assertEquals(binding.getRoles("general_role"), emptySet);
+ try {
+ binding.getRoles("corporal_role");
+ Assert.fail("Expected SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException e) {
+ }
+ try {
+ binding.getRoles("sergeant_role");
+ Assert.fail("Expected SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException e) {
+ }
+ try {
+ binding.getRoles("general_role");
+ Assert.fail("Expected SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException e) {
+ }
// check valid users
assertEquals(binding.getRoles("corporal1"), Sets.newHashSet("corporal_role"));
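Review bot: The `getRoles(null)` and `getRoles("nonExistantUser")` checks are deleted here rather than converted, so this test no longer pins what getRoles does for a user that has no group mapping at all. The three role-name cases just below were rewritten to expect SentryGroupNotFoundException, and the unknown-user cases deserve the same treatment: a try/fail/catch around `binding.getRoles(null);` and another around `binding.getRoles("nonExistantUser");`. The method body starts and ends outside the hunk.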
@@ -260,7 +293,11 @@ public class TestSolrAuthzBinding {
new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
setUsableAuthzConf(solrAuthzConf);
SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
- expectAuthException(binding, new Subject("bogus"), infoCollection, querySet);
+ try {
+ binding.authorizeCollection(new Subject("bogus"), infoCollection, querySet);
+ Assert.fail("Expected SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException e) {
+ }
}
/**
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
index fb335a3..4214449 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
@@ -17,8 +17,8 @@
package org.apache.sentry.provider.common;
import java.io.IOException;
-import java.util.Collections;
import java.util.HashSet;
+import java.util.List;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
@@ -27,6 +27,8 @@ import org.apache.hadoop.security.Groups;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import com.google.common.collect.Lists;
+
public class HadoopGroupMappingService implements GroupMappingService {
private static final Logger LOGGER = LoggerFactory
@@ -56,11 +58,15 @@ public class HadoopGroupMappingService implements GroupMappingService {
@Override
public Set<String> getGroups(String user) {
+ List<String> groupList = Lists.newArrayList();
try {
- return new HashSet<String>(groups.getGroups(user));
+ groupList = groups.getGroups(user);
} catch (IOException e) {
- LOGGER.warn("Unable to obtain groups for " + user, e);
+ throw new SentryGroupNotFoundException("Unable to obtain groups for " + user, e);
+ }
+ if (groupList == null || groupList.isEmpty()) {
+ throw new SentryGroupNotFoundException("Unable to obtain groups for " + user);
}
- return Collections.emptySet();
+ return new HashSet<String>(groupList);
}
}
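Review bot: Both failure paths in getGroups throw with the identical text `"Unable to obtain groups for " + user`, so an IOException from the group backend and a user that simply has no groups look the same to whoever reads the error. The `LOGGER.warn` that used to record the backend failure at this layer is also gone. Giving the empty-result case its own message, e.g. `throw new SentryGroupNotFoundException("No groups found for user " + user);`, keeps lookup outages distinguishable from unmapped accounts. The initial `Lists.newArrayList()` is never read, because the catch branch always throws, so a plain `List<String> groupList;` is enough and the new Guava import can be dropped.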
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/SentryGroupNotFoundException.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/SentryGroupNotFoundException.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/SentryGroupNotFoundException.java
new file mode 100644
index 0000000..2609bd3
--- /dev/null
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/SentryGroupNotFoundException.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.common;
+
+public class SentryGroupNotFoundException extends RuntimeException {
+ private static final long serialVersionUID = -116202866086371881L;
+
+ /**
+ * Creates a new SentryGroupNotFoundException.
+ */
+ public SentryGroupNotFoundException() {
+ super();
+ }
+
+ /**
+ * Constructs a new SentryGroupNotFoundException.
+ *
+ * @param message
+ * the reason for the exception
+ */
+ public SentryGroupNotFoundException(String message) {
+ super(message);
+ }
+
+ /**
+ * Constructs a new SentryGroupNotFoundException.
+ *
+ * @param cause
+ * the underlying Throwable that caused this exception to be thrown.
+ */
+ public SentryGroupNotFoundException(Throwable cause) {
+ super(cause);
+ }
+
+ /**
+ * Constructs a new SentryGroupNotFoundException.
+ *
+ * @param message
+ * the reason for the exception
+ * @param cause
+ * the underlying Throwable that caused this exception to be thrown.
+ */
+ public SentryGroupNotFoundException(String message, Throwable cause) {
+ super(message, cause);
+ }
+}
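Review bot: The class has no class-level Javadoc, and the four constructor comments only restate the signatures, so nothing in the file says when this exception is raised. A short class comment would fix that, e.g. `/** Thrown by a GroupMappingService when a user has no group mapping or the group lookup fails. */`. It should also state that the type is unchecked: because it extends RuntimeException, the compiler does not force callers of getGroups to handle it, so each authorization entry point has to make sure it ends in a denied request.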
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
index e22e6b6..1c12f11 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
@@ -18,7 +18,6 @@
package org.apache.sentry.provider.file;
import java.io.IOException;
-import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Map.Entry;
@@ -30,6 +29,7 @@ import org.apache.hadoop.fs.Path;
import org.apache.sentry.provider.common.GroupMappingService;
import org.apache.sentry.provider.common.PolicyFileConstants;
import org.apache.sentry.provider.common.ProviderConstants;
+import org.apache.sentry.provider.common.SentryGroupNotFoundException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.Ini.Section;
import org.slf4j.Logger;
@@ -85,11 +85,11 @@ public class LocalGroupMappingService implements GroupMappingService {
@Override
public Set<String> getGroups(String user) {
- if (groupMap.containsKey(user)) {
- return groupMap.get(user);
- } else {
- return Collections.emptySet();
+ Set<String> groups = groupMap.get(user);
+ if (groups == null || groups.isEmpty()) {
+ throw new SentryGroupNotFoundException("Unable to obtain groups for " + user);
}
+ return groups;
}
private void parseGroups(FileSystem fileSystem, Path resourcePath) throws IOException {
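Review bot: `return groups;` hands the caller the same Set instance that is stored in `groupMap`, whereas the Hadoop implementation changed in this commit returns a fresh `HashSet`. If the stored sets are mutable (they are built in parseGroups, outside this hunk), a caller that modifies the result would change the group mapping used for later authorization decisions. Returning a copy, `return new HashSet<String>(groups);`, would make the two services behave alike. That needs a `java.util.HashSet` import if the file does not already have one.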
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
index c436009..c5345bc 100644
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
@@ -23,6 +23,7 @@ import java.util.Set;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.fs.Path;
+import org.apache.sentry.provider.common.SentryGroupNotFoundException;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
@@ -63,7 +64,10 @@ public class TestLocalGroupMapping {
Set<String> barGroupsFromResource = localGroupMapping.getGroups("bar");
Assert.assertEquals(barGroupsFromResource, barGroups);
- Set<String> unknownGroupsFromResource = localGroupMapping.getGroups("unknown");
- Assert.assertTrue("List not empty " + unknownGroupsFromResource, unknownGroupsFromResource.isEmpty());
+ try {
+ localGroupMapping.getGroups("unknown");
+ Assert.fail("SentryGroupNotFoundException should be thrown.");
+ } catch (SentryGroupNotFoundException sgnfe) {
+ }
}
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini b/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini
index 8f48a8c..ec029c5 100644
--- a/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini
+++ b/sentry-solr/solr-sentry-handlers/src/main/resources/sentry-handlers/sentry/test-authz-provider.ini
@@ -33,3 +33,4 @@ queryOnlyAdmin=queryOnlyAdmin
updateOnlyAdmin=updateOnlyAdmin
multiGroupUser=junit, queryOnlyAdmin, updateOnlyAdmin
undefinedRoleUser=undefinedRoleGroup
+bogusUser=bogusUserGroup
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java
----------------------------------------------------------------------
diff --git a/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java b/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java
index a3d7d19..694c486 100644
--- a/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java
+++ b/sentry-solr/solr-sentry-handlers/src/test/java/org/apache/solr/sentry/SentryIndexAuthorizationSingletonTest.java
@@ -23,6 +23,7 @@ import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.sentry.core.model.search.SearchModelAction;
+import org.apache.sentry.provider.common.SentryGroupNotFoundException;
import org.apache.solr.cloud.CloudDescriptor;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.params.ModifiableSolrParams;
@@ -89,6 +90,17 @@ public class SentryIndexAuthorizationSingletonTest extends SentryTestBase {
}
}
+ private void doExpectExceptionWithoutGroup(SentryIndexAuthorizationSingleton singleton,
+ SolrQueryRequest request, Set<SearchModelAction> actions)
+ throws Exception {
+ try {
+ singleton.authorizeCollectionAction(request, actions, OPERATION_NAME);
+ Assert.fail("Expected SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException ex) {
+ // excepted exception, do nothing
+ }
+ }
+
@Test
public void testNoBinding() throws Exception {
// Use reflection to construct a non-singleton version of SentryIndexAuthorizationSingleton
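Review bot: The comment in the new helper reads `// excepted exception, do nothing`, and the later getRoles hunk in this file uses `"Excepted SentryGroupNotFoundException"` in two `Assert.fail` messages; all three mean "expected". The helper's own fail message already spells it correctly, so the corrected lines would be `// expected exception, do nothing` and `Assert.fail("Expected SentryGroupNotFoundException");`.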
@@ -122,8 +134,7 @@ public class SentryIndexAuthorizationSingletonTest extends SentryTestBase {
public void testNullUserName() throws Exception {
SolrQueryRequest request = getRequest();
prepareCollAndUser(core, request, "collection1", null);
- doExpectUnauthorized(request, EnumSet.of(SearchModelAction.ALL),
- "User null does not have privileges for collection1");
+ doExpectExceptionWithoutGroup(sentryInstance, request, EnumSet.of(SearchModelAction.ALL));
}
@Test
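Review bot: testNullUserName no longer checks what the caller of authorizeCollectionAction receives. The old assertion pinned an unauthorized error with the text `User null does not have privileges for collection1`, while the new one only requires that an unchecked SentryGroupNotFoundException escapes. If the request handlers translate only the authorization failure into a client-facing denial, a request from a user with no groups may now surface as an internal error instead; that path is not visible here and is worth confirming. The superuser test in the next hunk makes the same switch. A comment on the call such as `// users without any group are rejected before the privilege check` would record that this is intended.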
@@ -131,8 +142,7 @@ public class SentryIndexAuthorizationSingletonTest extends SentryTestBase {
System.setProperty("solr.authorization.superuser", "");
SolrQueryRequest request = getRequest();
prepareCollAndUser(core, request, "collection1", "solr");
- doExpectUnauthorized(request, EnumSet.of(SearchModelAction.ALL),
- "User solr does not have privileges for collection1");
+ doExpectExceptionWithoutGroup(sentryInstance, request, EnumSet.of(SearchModelAction.ALL));
}
/**
@@ -212,15 +222,21 @@ public class SentryIndexAuthorizationSingletonTest extends SentryTestBase {
Collection<String> emptyCollection = ImmutableSet.<String>of();
// null user
- Collection<String> roles = sentryInstance.getRoles(null);
- assertTrue(CollectionUtils.isEqualCollection(emptyCollection, roles));
+ try {
+ sentryInstance.getRoles(null);
+ Assert.fail("Excepted SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException e) {
+ }
// no group
- roles = sentryInstance.getRoles("bogusUser");
- assertTrue(CollectionUtils.isEqualCollection(emptyCollection, roles));
+ try {
+ sentryInstance.getRoles("withoutGroupUser");
+ Assert.fail("Excepted SentryGroupNotFoundException");
+ } catch (SentryGroupNotFoundException e) {
+ }
// no role
- roles = sentryInstance.getRoles("undefinedRoleUser");
+ Collection<String> roles = sentryInstance.getRoles("undefinedRoleUser");
assertTrue(CollectionUtils.isEqualCollection(emptyCollection, roles));
// single member
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
index 471af1a..02ac514 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestUserManagement.java
@@ -17,10 +17,9 @@
package org.apache.sentry.tests.e2e.hive;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.After;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
import java.io.File;
import java.io.FileOutputStream;
@@ -29,12 +28,16 @@ import java.sql.ResultSet;
import java.sql.Statement;
import org.apache.hadoop.mapreduce.JobContext;
+import org.apache.hive.service.cli.HiveSQLException;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import com.google.common.io.Resources;
public class TestUserManagement extends AbstractTestWithStaticConfiguration {
+
private static final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";
private static final String dbName = "db1";
private static final String tableName = "t1";
@@ -343,6 +346,45 @@ public class TestUserManagement extends AbstractTestWithStaticConfiguration {
}
}
+ /**
+ * Tests that users without group information will cause the configuration exception
+ **/
+ @Test
+ public void testGroup9() throws Exception {
+ policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP);
+ policyFile.addGroupsToUser("admin1", ADMINGROUP);
+ writePolicyFile(policyFile);
+
+ Connection connection = context.createConnection("admin1");
+ Statement statement = connection.createStatement();
+ statement.execute("DROP DATABASE IF EXISTS db1 CASCADE");
+ statement.execute("CREATE DATABASE db1");
+ statement.execute("USE db1");
+ statement.execute("CREATE TABLE t1 (under_col int)");
+ statement.close();
+ connection.close();
+
+ // user1 hasn't any group
+ connection = context.createConnection("user1");
+ statement = context.createStatement(connection);
+ // for any sql need to be authorized, exception will be thrown if the uer hasn't any group
+ // information
+ try {
+ statement.execute("CREATE TABLE db1.t1 (under_col int, value string)");
+ fail("User without group configuration, SentryGroupNotFoundException should be thrown ");
+ } catch (HiveSQLException hse) {
+ assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0);
+ }
+ try {
+ statement.execute("SELECT under_col from db1.t1");
+ fail("User without group configuration, SentryGroupNotFoundException should be thrown ");
+ } catch (HiveSQLException hse) {
+ assertTrue(hse.getMessage().indexOf("SentryGroupNotFoundException") >= 0);
+ }
+ statement.close();
+ connection.close();
+ }
+
@Test
public void testMrAclsSetting() throws Exception {
Connection connection = context.createConnection("admin1");
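Review bot: In testGroup9 the user1 `statement` and `connection` are closed only on the success path, so a tripped `fail(...)` or `assertTrue(...)` leaves the Hive connection open for the rest of the test class; wrapping the two checks in try/finally closes them either way. The comment typo `uer` should read `user`, and the name `testGroup9` says nothing about the missing-group case it covers. Matching on the substring `SentryGroupNotFoundException` in the HiveSQLException message also ties the test to the internal class name appearing in the client-visible error text.

```java
// … unchanged: admin1 creates db1 and t1 …
connection = context.createConnection("user1");
statement = context.createStatement(connection);
try {
  // … unchanged: the two try/fail/catch checks for CREATE TABLE and SELECT …
} finally {
  statement.close();
  connection.close();
}
```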
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
index 44ed096..3c28fd0 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestAuthorizingObjectStore.java
@@ -64,7 +64,9 @@ public class TestAuthorizingObjectStore extends
@Before
public void setup() throws Exception {
policyFile = setAdminOnServer1(ADMINGROUP);
- policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ // add user ACCESSAllMETAUSER for the test case testPrivilegesForUserNameCaseSensitive
+ policyFile.addGroupsToUser(userWithoutAccess.toUpperCase(), "tempGroup").setUserGroupMapping(
+ StaticUserGroup.getStaticMapping());
writePolicyFile(policyFile);
super.setup();
@@ -97,31 +99,21 @@ public class TestAuthorizingObjectStore extends
client.close();
policyFile
- .addRolesToGroup(USERGROUP1, all_role)
- .addRolesToGroup(USERGROUP2, db1_t1_role)
- .addPermissionsToRole(all_role, "server=server1->db=" + dbName1)
- .addPermissionsToRole(all_role, "server=server1->db=" + dbName2)
- .addPermissionsToRole(
- all_role,
- "server=server1->db=" + dbName1 + "->table=" + tabName1
- + "->action=SELECT")
- .addPermissionsToRole(
- all_role,
- "server=server1->db=" + dbName1 + "->table=" + tabName2
- + "->action=SELECT")
- .addPermissionsToRole(
- all_role,
- "server=server1->db=" + dbName2 + "->table=" + tabName3
- + "->action=SELECT")
- .addPermissionsToRole(
- all_role,
- "server=server1->db=" + dbName2 + "->table=" + tabName4
- + "->action=SELECT")
- .addPermissionsToRole(
- db1_t1_role,
- "server=server1->db=" + dbName1 + "->table=" + tabName1
- + "->action=SELECT")
- .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ .addRolesToGroup(USERGROUP1, all_role)
+ .addRolesToGroup(USERGROUP2, db1_t1_role)
+ .addPermissionsToRole(all_role, "server=server1->db=" + dbName1)
+ .addPermissionsToRole(all_role, "server=server1->db=" + dbName2)
+ .addPermissionsToRole(all_role,
+ "server=server1->db=" + dbName1 + "->table=" + tabName1 + "->action=SELECT")
+ .addPermissionsToRole(all_role,
+ "server=server1->db=" + dbName1 + "->table=" + tabName2 + "->action=SELECT")
+ .addPermissionsToRole(all_role,
+ "server=server1->db=" + dbName2 + "->table=" + tabName3 + "->action=SELECT")
+ .addPermissionsToRole(all_role,
+ "server=server1->db=" + dbName2 + "->table=" + tabName4 + "->action=SELECT")
+ .addPermissionsToRole(db1_t1_role,
+ "server=server1->db=" + dbName1 + "->table=" + tabName1 + "->action=SELECT")
+ .setUserGroupMapping(StaticUserGroup.getStaticMapping());
writePolicyFile(policyFile);
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c69350b0/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
index 34a030d..bccc63e 100644
--- a/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
+++ b/sentry-tests/sentry-tests-solr/src/test/resources/solr/sentry/test-authz-provider.ini
@@ -115,10 +115,12 @@ admin_q__sentryCollection_ = admin_query_group,
admin_ua__sentryCollection_ = admin_update_group, admin_all_group,
admin_u__sentryCollection_ = admin_update_group,
admin_a__sentryCollection_ = admin_all_group,
+admin___sentryCollection_ = sentryCollection_temp_group,
sentryCollection_qua = sentryCollection_query_group, sentryCollection_update_group, sentryCollection_all_group,
sentryCollection_qu = sentryCollection_query_group, sentryCollection_update_group,
sentryCollection_qa = sentryCollection_query_group, sentryCollection_all_group,
sentryCollection_q = sentryCollection_query_group,
sentryCollection_ua = sentryCollection_update_group, sentryCollection_all_group,
sentryCollection_u = sentryCollection_update_group,
-sentryCollection_a = sentryCollection_all_group,
\ No newline at end of file
+sentryCollection_a = sentryCollection_all_group,
+sentryCollection_ = sentryCollection_temp_group
\ No newline at end of file