You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by co...@apache.org on 2016/03/15 07:43:47 UTC
[3/4] incubator-sentry git commit: SENTRY-1127: Move test cases from
sentry-policy-xxx to sentry-binding-xxx(Colin Ma, Reviewed by Dapeng Sun)
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineLocalFS.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineLocalFS.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineLocalFS.java
new file mode 100644
index 0000000..0505432
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyEngineLocalFS.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import java.io.File;
+import java.io.IOException;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.provider.file.PolicyFiles;
+
+public class TestSearchPolicyEngineLocalFS extends AbstractTestSearchPolicyEngine {
+
+ @Override
+ protected void afterSetup() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
+ PolicyFiles.copyToDir(baseDir, "solr-policy-test-authz-provider.ini");
+ setPolicy(SearchPolicyTestUtil.createPolicyEngineForTest(new File(baseDir, "solr-policy-test-authz-provider.ini").getPath()));
+ }
+ @Override
+ protected void beforeTeardown() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ FileUtils.deleteQuietly(baseDir);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyNegative.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyNegative.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyNegative.java
new file mode 100644
index 0000000..8db1eef
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/policy/solr/TestSearchPolicyNegative.java
@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.solr;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Collections;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Charsets;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSearchPolicyNegative {
+
+ @SuppressWarnings("unused")
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(TestSearchPolicyNegative.class);
+
+ private File baseDir;
+ private File globalPolicyFile;
+ private File otherPolicyFile;
+
+ @Before
+ public void setup() {
+ baseDir = Files.createTempDir();
+ globalPolicyFile = new File(baseDir, "global.ini");
+ otherPolicyFile = new File(baseDir, "other.ini");
+ }
+
+ @After
+ public void teardown() {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ private void append(String from, File to) throws IOException {
+ Files.append(from + "\n", to, Charsets.UTF_8);
+ }
+
+ @Test
+ public void testPerDbFileException() throws Exception {
+ append("[databases]", globalPolicyFile);
+ append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
+ append("[groups]", otherPolicyFile);
+ append("other_group = some_role", otherPolicyFile);
+ append("[roles]", otherPolicyFile);
+ append("some_role = collection=c1", otherPolicyFile);
+ PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath());
+ Assert.assertEquals(Collections.emptySet(),
+ policy.getPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL));
+ }
+
+ @Test
+ public void testCollectionRequiredInRole() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = some_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("some_role = action=query", globalPolicyFile);
+ PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+
+ @Test
+ public void testGroupIncorrect() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = collection=*", globalPolicyFile);
+ PolicyEngine policy = SearchPolicyTestUtil.createPolicyEngineForTest(globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("incorrectGroup"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-solr/src/test/resources/solr-policy-test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/resources/solr-policy-test-authz-provider.ini b/sentry-binding/sentry-binding-solr/src/test/resources/solr-policy-test-authz-provider.ini
new file mode 100644
index 0000000..8af8162
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/resources/solr-policy-test-authz-provider.ini
@@ -0,0 +1,31 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[groups]
+manager = analyst_role, junior_analyst_role
+analyst = analyst_role
+jranalyst = junior_analyst_role
+admin = admin
+
+[roles]
+analyst_role = collection=purchases->action=update, \
+ collection=analyst1, \
+ collection=jranalyst1->action=*, \
+ collection=tmpcollection->action=update, \
+ collection=tmpcollection->action=query
+junior_analyst_role = collection=jranalyst1, collection=purchases_partial->action=query
+admin = collection=*
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/pom.xml b/sentry-binding/sentry-binding-sqoop/pom.xml
index 20cbda0..a3a6a77 100644
--- a/sentry-binding/sentry-binding-sqoop/pom.xml
+++ b/sentry-binding/sentry-binding-sqoop/pom.xml
@@ -68,12 +68,17 @@ limitations under the License.
<scope>provided</scope>
</dependency>
<dependency>
- <groupId>org.apache.sqoop</groupId>
- <artifactId>sqoop-common</artifactId>
+ <groupId>org.apache.sqoop</groupId>
+ <artifactId>sqoop-common</artifactId>
</dependency>
<dependency>
- <groupId>org.apache.sqoop</groupId>
- <artifactId>sqoop-security</artifactId>
+ <groupId>org.apache.sqoop</groupId>
+ <artifactId>sqoop-security</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-minicluster</artifactId>
+ <scope>test</scope>
</dependency>
</dependencies>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java
new file mode 100644
index 0000000..1389fca
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/AbstractTestSqoopPolicyEngine.java
@@ -0,0 +1,145 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Set;
+import java.util.TreeSet;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public abstract class AbstractTestSqoopPolicyEngine {
+ private static final String OPERATOR_JDBC_CONNECTORS_READ = "server=server1->connector=generic-jdbc-connector->action=read";
+ private static final String OPERATOR_HDFS_CONNECTORS_READ = "server=server1->connector=hdfs-connector->action=read";
+ private static final String OPERATOR_KAFKA_CONNECTORS_READ = "server=server1->connector=kafka-connector->action=read";
+ private static final String OPERATOR_KITE_CONNECTORS_READ = "server=server1->connector=kite-connector->action=read";
+ private static final String ANALYST_JOBS_ALL = "server=server1->job=all->action=*";
+ private static final String OPERATOR_JOB1_READ = "server=server1->job=job1->action=read";
+ private static final String OPERATOR_JOB2_READ = "server=server1->job=job2->action=read";
+ private static final String ANALYST_LINKS_ALL = "server=server1->link=all->action=*";
+ private static final String OPERATOR_LINK1_READ = "server=server1->link=link1->action=read";
+ private static final String OPERATOR_LINK2_READ = "server=server1->link=link2->action=read";
+ private static final String ADMIN = "server=server1->action=*";
+
+ private PolicyEngine policy;
+ private static File baseDir;
+
+ protected String sqoopServerName = "server1";
+
+ @BeforeClass
+ public static void setupClazz() throws IOException {
+ baseDir = Files.createTempDir();
+ }
+
+ @AfterClass
+ public static void teardownClazz() throws IOException {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ protected void setPolicy(PolicyEngine policy) {
+ this.policy = policy;
+ }
+ protected static File getBaseDir() {
+ return baseDir;
+ }
+ @Before
+ public void setup() throws IOException {
+ afterSetup();
+ }
+ @After
+ public void teardown() throws IOException {
+ beforeTeardown();
+ }
+ protected void afterSetup() throws IOException {
+
+ }
+
+ protected void beforeTeardown() throws IOException {
+
+ }
+
+ @Test
+ public void testDeveloper() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
+ OPERATOR_JDBC_CONNECTORS_READ, OPERATOR_HDFS_CONNECTORS_READ,
+ OPERATOR_KAFKA_CONNECTORS_READ, OPERATOR_KITE_CONNECTORS_READ,
+ ANALYST_JOBS_ALL, ANALYST_LINKS_ALL));
+ Assert.assertEquals(expected.toString(),
+ Sets.newTreeSet(policy.getPrivileges(set("developer"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testAnalyst() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ANALYST_JOBS_ALL, ANALYST_LINKS_ALL));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testConnectorOperator() throws Exception {
+
+ }
+
+ @Test
+ public void testJobOperator() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets
+ .newHashSet(OPERATOR_JOB1_READ,OPERATOR_JOB2_READ));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getPrivileges(set("job1_2_operator"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testLinkOperator() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets
+ .newHashSet(OPERATOR_LINK1_READ, OPERATOR_LINK2_READ));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getPrivileges(set("link1_2_operator"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ @Test
+ public void testAdmin() throws Exception {
+ Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ADMIN));
+ Assert.assertEquals(expected.toString(),
+ new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL))
+ .toString());
+ }
+
+ private static Set<String> set(String... values) {
+ return Sets.newHashSet(values);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyTestUtil.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyTestUtil.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyTestUtil.java
new file mode 100644
index 0000000..a76554e
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/SqoopPolicyTestUtil.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.common.ProviderBackend;
+import org.apache.sentry.provider.common.ProviderBackendContext;
+import org.apache.sentry.provider.file.SimpleFileProviderBackend;
+
+import java.io.IOException;
+
+public class SqoopPolicyTestUtil {
+
+ public static PolicyEngine createPolicyEngineForTest(String server, String resource) throws IOException {
+
+ ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource);
+
+ // create backendContext
+ ProviderBackendContext context = new ProviderBackendContext();
+ context.setAllowPerDatabase(false);
+ context.setValidators(SqoopPrivilegeModel.getInstance().getPrivilegeValidators(server));
+ // initialize the backend with the context
+ providerBackend.initialize(context);
+
+
+ return new SimpleSqoopPolicyEngine(providerBackend);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java
new file mode 100644
index 0000000..218a2da
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestServerNameRequiredMatch.java
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import junit.framework.Assert;
+
+import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.sentry.core.model.sqoop.validator.ServerNameRequiredMatch;
+import org.apache.shiro.config.ConfigurationException;
+import org.junit.Test;
+
+public class TestServerNameRequiredMatch {
+ @Test
+ public void testWithoutServerName() {
+ ServerNameRequiredMatch serverNameMatch = new ServerNameRequiredMatch("server1");
+ try {
+ serverNameMatch.validate(new PrivilegeValidatorContext("connector=c1->action=read"));
+ Assert.fail("Expected ConfigurationException");
+ } catch (ConfigurationException ex) {
+ }
+ }
+ @Test
+ public void testServerNameNotMatch() throws Exception {
+ ServerNameRequiredMatch serverNameMatch = new ServerNameRequiredMatch("server1");
+ try {
+ serverNameMatch.validate(new PrivilegeValidatorContext("server=server2->connector=c1->action=read"));
+ Assert.fail("Expected ConfigurationException");
+ } catch (ConfigurationException ex) {
+ }
+ }
+ @Test
+ public void testServerNameMatch() throws Exception {
+ ServerNameRequiredMatch serverNameMatch = new ServerNameRequiredMatch("server1");
+ try {
+ serverNameMatch.validate(new PrivilegeValidatorContext("server=server1->connector=c1->action=read"));
+ } catch (ConfigurationException ex) {
+ Assert.fail("Not expected ConfigurationException");
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java
new file mode 100644
index 0000000..b01b88f
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderGeneralCases.java
@@ -0,0 +1,238 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Set;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.model.sqoop.Connector;
+import org.apache.sentry.core.model.sqoop.Job;
+import org.apache.sentry.core.model.sqoop.Link;
+import org.apache.sentry.core.model.sqoop.Server;
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sentry.core.model.sqoop.SqoopActionFactory.SqoopAction;
+import org.apache.sentry.provider.common.GroupMappingService;
+import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
+import org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.PolicyFiles;
+import org.junit.After;
+import org.junit.Test;
+
+import com.google.common.base.Objects;
+import com.google.common.collect.HashMultimap;
+import com.google.common.collect.Multimap;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSqoopAuthorizationProviderGeneralCases {
+ private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap.create();
+
+ private static final Subject SUB_ADMIN = new Subject("admin1");
+ private static final Subject SUB_DEVELOPER = new Subject("developer1");
+ private static final Subject SUB_ANALYST = new Subject("analyst1");
+ private static final Subject SUB_JOB_OPERATOR = new Subject("job_operator1");
+ private static final Subject SUB_LINK_OPERATOR = new Subject("link_operator1");
+ private static final Subject SUB_CONNECTOR_OPERATOR = new Subject("connector_operator1");
+
+
+
+ private static final Server server1 = new Server("server1");
+ private static final Connector jdbc_connector = new Connector("generic-jdbc-connector");
+ private static final Connector hdfs_connector = new Connector("hdfs-connector");
+ private static final Connector kafka_connector = new Connector("kafka-connector");
+ private static final Connector kite_connector = new Connector("kite-connector");
+ private static final Link link1 = new Link("link1");
+ private static final Link link2 = new Link("link2");
+ private static final Job job1 = new Job("job1");
+ private static final Job job2 = new Job("job2");
+
+ private static final SqoopAction ALL = new SqoopAction(SqoopActionConstant.ALL);
+ private static final SqoopAction READ = new SqoopAction(SqoopActionConstant.READ);
+ private static final SqoopAction WRITE = new SqoopAction(SqoopActionConstant.WRITE);
+
+ private static final String ADMIN = "admin";
+ private static final String DEVELOPER = "developer";
+ private static final String ANALYST = "analyst";
+ private static final String JOB_OPERATOR = "job1_2_operator";
+ private static final String LINK_OPERATOR ="link1_2_operator";
+ private static final String CONNECTOR_OPERATOR = "connectors_operator";
+
+ static {
+ USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList(ADMIN));
+ USER_TO_GROUP_MAP.putAll(SUB_DEVELOPER.getName(), Arrays.asList(DEVELOPER));
+ USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList(ANALYST));
+ USER_TO_GROUP_MAP.putAll(SUB_JOB_OPERATOR.getName(),Arrays.asList(JOB_OPERATOR));
+ USER_TO_GROUP_MAP.putAll(SUB_LINK_OPERATOR.getName(),Arrays.asList(LINK_OPERATOR));
+ USER_TO_GROUP_MAP.putAll(SUB_CONNECTOR_OPERATOR.getName(),Arrays.asList(CONNECTOR_OPERATOR));
+ }
+
+ private final ResourceAuthorizationProvider authzProvider;
+ private File baseDir;
+
+ public TestSqoopAuthorizationProviderGeneralCases() throws IOException {
+ baseDir = Files.createTempDir();
+ PolicyFiles.copyToDir(baseDir, "sqoop-policy-test-authz-provider.ini");
+ authzProvider = new HadoopGroupResourceAuthorizationProvider(
+ SqoopPolicyTestUtil.createPolicyEngineForTest(server1.getName(),
+ new File(baseDir, "sqoop-policy-test-authz-provider.ini").getPath()),
+ new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP));
+ }
+
+ @After
+ public void teardown() {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ private void doTestResourceAuthorizationProvider(Subject subject, List<? extends Authorizable> authorizableHierarchy,
+ Set<? extends Action> actions, boolean expected) throws Exception {
+ Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
+ helper.add("Subject", subject).add("authzHierarchy", authorizableHierarchy).add("action", actions);
+ Assert.assertEquals(helper.toString(), expected,
+ authzProvider.hasAccess(subject, authorizableHierarchy, actions, ActiveRoleSet.ALL));
+ }
+
+ @Test
+ public void testAdmin() throws Exception {
+ Set<? extends Action> allActions = Sets.newHashSet(ALL, READ, WRITE);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,hdfs_connector), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,jdbc_connector), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,kafka_connector), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,kite_connector), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,link1), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,link2), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,job1), allActions, true);
+ doTestResourceAuthorizationProvider(SUB_ADMIN, Arrays.asList(server1,job2), allActions, true);
+ }
+
+ @Test
+ public void testDeveloper() throws Exception {
+ Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
+ for (SqoopAction action : allActions) {
+ //developer only has the read action on all connectors
+ for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector))
+ doTestResourceAuthorizationProvider(SUB_DEVELOPER, Arrays.asList(server1, connector), Sets.newHashSet(action), READ.equals(action));
+ }
+
+ for (Link link : Sets.newHashSet(link1, link2)) {
+ //developer has the all action on all links
+ doTestResourceAuthorizationProvider(SUB_DEVELOPER, Arrays.asList(server1, link), allActions, true);
+ }
+
+ for (Job job : Sets.newHashSet(job1,job2)) {
+ //developer has the all action on all jobs
+ doTestResourceAuthorizationProvider(SUB_DEVELOPER, Arrays.asList(server1, job), allActions, true);
+ }
+ }
+
+ @Test
+ public void testAnalyst() throws Exception {
+ Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
+ for (SqoopAction action : allActions) {
+ //analyst has not the any action on all connectors
+ for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector))
+ doTestResourceAuthorizationProvider(SUB_ANALYST, Arrays.asList(server1, connector), Sets.newHashSet(action), false);
+ }
+
+ for (Link link : Sets.newHashSet(link1, link2)) {
+ //analyst has the all action on all links
+ doTestResourceAuthorizationProvider(SUB_ANALYST, Arrays.asList(server1, link), allActions, true);
+ }
+
+ for (Job job : Sets.newHashSet(job1,job2)) {
+ //analyst has the all action on all jobs
+ doTestResourceAuthorizationProvider(SUB_ANALYST, Arrays.asList(server1, job), allActions, true);
+ }
+ }
+
+ @Test
+ public void testJobOperator() throws Exception {
+ Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
+ for (SqoopAction action : allActions) {
+ for (Job job : Sets.newHashSet(job1,job2)) {
+ //Job operator has the read action on all jobs
+ doTestResourceAuthorizationProvider(SUB_JOB_OPERATOR, Arrays.asList(server1, job), Sets.newHashSet(action), READ.equals(action));
+ }
+ for (Link link : Sets.newHashSet(link1, link2)) {
+ doTestResourceAuthorizationProvider(SUB_JOB_OPERATOR, Arrays.asList(server1, link), Sets.newHashSet(action), false);
+ }
+ for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
+ doTestResourceAuthorizationProvider(SUB_JOB_OPERATOR, Arrays.asList(server1, connector), Sets.newHashSet(action), false);
+ }
+ }
+ }
+
+ @Test
+ public void testLinkOperator() throws Exception {
+ Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
+ for (SqoopAction action : allActions) {
+ for (Link link : Sets.newHashSet(link1, link2)) {
+ //Link operator has the read action on all links
+ doTestResourceAuthorizationProvider(SUB_LINK_OPERATOR, Arrays.asList(server1, link), Sets.newHashSet(action), READ.equals(action));
+ }
+ for (Job job : Sets.newHashSet(job1,job2)) {
+ doTestResourceAuthorizationProvider(SUB_LINK_OPERATOR, Arrays.asList(server1, job), Sets.newHashSet(action), false);
+ }
+ for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
+ doTestResourceAuthorizationProvider(SUB_LINK_OPERATOR, Arrays.asList(server1, connector), Sets.newHashSet(action), false);
+ }
+ }
+ }
+
+ @Test
+ public void testConnectorOperator() throws Exception {
+ Set<SqoopAction> allActions = Sets.newHashSet(ALL, READ, WRITE);
+ for (SqoopAction action : allActions) {
+ for (Connector connector : Sets.newHashSet(jdbc_connector, hdfs_connector, kafka_connector, kite_connector)) {
+ doTestResourceAuthorizationProvider(SUB_CONNECTOR_OPERATOR, Arrays.asList(server1, connector), Sets.newHashSet(action), READ.equals(action));
+ }
+ for (Job job : Sets.newHashSet(job1,job2)) {
+ doTestResourceAuthorizationProvider(SUB_CONNECTOR_OPERATOR, Arrays.asList(server1, job), Sets.newHashSet(action), false);
+ }
+ for (Link link : Sets.newHashSet(link1, link2)) {
+ doTestResourceAuthorizationProvider(SUB_CONNECTOR_OPERATOR, Arrays.asList(server1, link), Sets.newHashSet(action), false);
+ }
+ }
+ }
+
+ public class MockGroupMappingServiceProvider implements GroupMappingService {
+ private final Multimap<String, String> userToGroupMap;
+
+ public MockGroupMappingServiceProvider(Multimap<String, String> userToGroupMap) {
+ this.userToGroupMap = userToGroupMap;
+ }
+
+ @Override
+ public Set<String> getGroups(String user) {
+ return Sets.newHashSet(userToGroupMap.get(user));
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
new file mode 100644
index 0000000..99eaf18
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopAuthorizationProviderSpecialCases.java
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.List;
+import java.util.Set;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.model.sqoop.Connector;
+import org.apache.sentry.core.model.sqoop.Server;
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sentry.core.model.sqoop.SqoopActionFactory.SqoopAction;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.common.AuthorizationProvider;
+import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSqoopAuthorizationProviderSpecialCases {
+ private AuthorizationProvider authzProvider;
+ private PolicyFile policyFile;
+ private File baseDir;
+ private File iniFile;
+ private String initResource;
+ @Before
+ public void setup() throws IOException {
+ baseDir = Files.createTempDir();
+ iniFile = new File(baseDir, "policy.ini");
+ initResource = "file://" + iniFile.getPath();
+ policyFile = new PolicyFile();
+ }
+
+ @After
+ public void teardown() throws IOException {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ @Test
+ public void testDuplicateEntries() throws Exception {
+ Subject user1 = new Subject("user1");
+ Server server1 = new Server("server1");
+ Connector connector1 = new Connector("c1");
+ Set<? extends Action> actions = Sets.newHashSet(new SqoopAction(SqoopActionConstant.READ));
+ policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1")
+ .addRolesToGroup("group1", true, "role1", "role1")
+ .addPermissionsToRole("role1", true, "server=server1->connector=c1->action=read",
+ "server=server1->connector=c1->action=read");
+ policyFile.write(iniFile);
+ PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest(server1.getName(), initResource);
+ authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
+ List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, connector1);
+ Assert.assertTrue(authorizableHierarchy.toString(),
+ authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java
new file mode 100644
index 0000000..c393d0e
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopModelAuthorizables.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertNull;
+
+import org.apache.sentry.core.model.sqoop.Server;
+import org.apache.sentry.core.model.sqoop.SqoopModelAuthorizables;
+import org.junit.Test;
+
+public class TestSqoopModelAuthorizables {
+
+ @Test
+ public void testServer() throws Exception {
+ Server server1 = (Server) SqoopModelAuthorizables.from("SERVER=server1");
+ assertEquals("server1", server1.getName());
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testNoKV() throws Exception {
+ System.out.println(SqoopModelAuthorizables.from("nonsense"));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyKey() throws Exception {
+ System.out.println(SqoopModelAuthorizables.from("=server1"));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyValue() throws Exception {
+ System.out.println(SqoopModelAuthorizables.from("SERVER="));
+ }
+
+ @Test
+ public void testNotAuthorizable() throws Exception {
+ assertNull(SqoopModelAuthorizables.from("k=v"));
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java
new file mode 100644
index 0000000..318a267
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineDFS.java
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import java.io.File;
+import java.io.IOException;
+
+import junit.framework.Assert;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.sentry.provider.file.PolicyFiles;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+public class TestSqoopPolicyEngineDFS extends AbstractTestSqoopPolicyEngine {
+ private static MiniDFSCluster dfsCluster;
+ private static FileSystem fileSystem;
+ private static Path root;
+ private static Path etc;
+
+ @BeforeClass
+ public static void setupLocalClazz() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ File dfsDir = new File(baseDir, "dfs");
+ Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs());
+ Configuration conf = new Configuration();
+ conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath());
+ dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build();
+ fileSystem = dfsCluster.getFileSystem();
+ root = new Path(fileSystem.getUri().toString());
+ etc = new Path(root, "/etc");
+ fileSystem.mkdirs(etc);
+ }
+
+ @AfterClass
+ public static void teardownLocalClazz() {
+ if(dfsCluster != null) {
+ dfsCluster.shutdown();
+ }
+ }
+
+ @Override
+ protected void afterSetup() throws IOException {
+ fileSystem.delete(etc, true);
+ fileSystem.mkdirs(etc);
+ PolicyFiles.copyToDir(fileSystem, etc, "sqoop-policy-test-authz-provider.ini");
+ setPolicy(SqoopPolicyTestUtil.createPolicyEngineForTest(sqoopServerName, new Path(etc,
+ "sqoop-policy-test-authz-provider.ini").toString()));
+ }
+
+ @Override
+ protected void beforeTeardown() throws IOException {
+ fileSystem.delete(etc, true);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java
new file mode 100644
index 0000000..2c9b300
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyEngineLocalFS.java
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import java.io.File;
+import java.io.IOException;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.provider.file.PolicyFiles;
+
+public class TestSqoopPolicyEngineLocalFS extends AbstractTestSqoopPolicyEngine {
+ @Override
+ protected void afterSetup() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
+ PolicyFiles.copyToDir(baseDir, "sqoop-policy-test-authz-provider.ini");
+ setPolicy(SqoopPolicyTestUtil.createPolicyEngineForTest(sqoopServerName,
+ new File(baseDir, "sqoop-policy-test-authz-provider.ini").getPath()));
+ }
+ @Override
+ protected void beforeTeardown() throws IOException {
+ File baseDir = getBaseDir();
+ Assert.assertNotNull(baseDir);
+ FileUtils.deleteQuietly(baseDir);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java
new file mode 100644
index 0000000..646a3c8
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/policy/sqoop/TestSqoopPolicyNegative.java
@@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.sqoop;
+
+import java.io.File;
+import java.io.IOException;
+
+import junit.framework.Assert;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Charsets;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSqoopPolicyNegative {
+ @SuppressWarnings("unused")
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(TestSqoopPolicyNegative.class);
+
+ private File baseDir;
+ private File globalPolicyFile;
+
+ @Before
+ public void setup() {
+ baseDir = Files.createTempDir();
+ globalPolicyFile = new File(baseDir, "global.ini");
+ }
+
+ @After
+ public void teardown() {
+ if(baseDir != null) {
+ FileUtils.deleteQuietly(baseDir);
+ }
+ }
+
+ private void append(String from, File to) throws IOException {
+ Files.append(from + "\n", to, Charsets.UTF_8);
+ }
+
+ @Test
+ public void testauthorizedSqoopInPolicyFile() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("other_group = other_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("other_role = server=server1->connector=c1->action=read, server=server1->link=l1->action=read", globalPolicyFile);
+ PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ //malicious_group has no privilege
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("malicious_group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ //other_group has two privileges
+ permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.size() == 2);
+ }
+
+ @Test
+ public void testNoServerNameConfig() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("other_group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = connector=c1->action=read,link=l1->action=read", globalPolicyFile);
+ PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+
+ @Test
+ public void testServerAllName() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = server=*", globalPolicyFile);
+ PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+
+ @Test
+ public void testServerIncorrect() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = server=server2", globalPolicyFile);
+ PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+
+ @Test
+ public void testAll() throws Exception {
+ append("[groups]", globalPolicyFile);
+ append("group = malicious_role", globalPolicyFile);
+ append("[roles]", globalPolicyFile);
+ append("malicious_role = *", globalPolicyFile);
+ PolicyEngine policy = SqoopPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
+ ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
+ Assert.assertTrue(permissions.toString(), permissions.isEmpty());
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-binding/sentry-binding-sqoop/src/test/resources/sqoop-policy-test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/resources/sqoop-policy-test-authz-provider.ini b/sentry-binding/sentry-binding-sqoop/src/test/resources/sqoop-policy-test-authz-provider.ini
new file mode 100644
index 0000000..a4ab5d1
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/resources/sqoop-policy-test-authz-provider.ini
@@ -0,0 +1,40 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[groups]
+developer = jdbc_connector_role, hdfs_connector_role,kafka_connector_role,kite_connector_role,\
+ jobs_analyst_role,links_analyst_role
+analyst = jobs_analyst_role,links_analyst_role
+connectors_operator = jdbc_connector_role, hdfs_connector_role,kafka_connector_role,kite_connector_role
+jobs_analyst = jobs_analyst_role
+job1_2_operator = job1_role,job2_role
+links_analyst = links_analyst_role
+link1_2_operator = link1_role,link2_role
+admin = admin_role
+
+[roles]
+admin_role = server=server1->action=*
+jdbc_connector_role = server=server1->connector=generic-jdbc-connector->action=read
+hdfs_connector_role = server=server1->connector=hdfs-connector->action=read
+kafka_connector_role = server=server1->connector=kafka-connector->action=read
+kite_connector_role = server=server1->connector=kite-connector->action=read
+jobs_analyst_role = server=server1->job=all->action=*
+job1_role = server=server1->job=job1->action=read
+job2_role = server=server1->job=job2->action=read
+links_analyst_role = server=server1->link=all->action=*
+link1_role = server=server1->link=link1->action=read
+link2_role = server=server1->link=link2->action=read
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
deleted file mode 100644
index d1151e3..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
+++ /dev/null
@@ -1,156 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Set;
-import java.util.TreeSet;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public abstract class AbstractTestSimplePolicyEngine {
- private static final String PERM_SERVER1_CUSTOMERS_SELECT = "server=server1->db=customers->table=purchases->action=select";
- private static final String PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT = "server=server1->db=customers->table=purchases_partial->action=select";
- private static final String PERM_SERVER1_ANALYST_ALL = "server=server1->db=analyst1";
- private static final String PERM_SERVER1_JUNIOR_ANALYST_ALL = "server=server1->db=jranalyst1";
- private static final String PERM_SERVER1_JUNIOR_ANALYST_READ = "server=server1->db=jranalyst1->table=*->action=select";
- private static final String PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT = "server=server1->db=other_group_db->table=purchases->action=select";
-
- private static final String PERM_SERVER1_ADMIN = "server=server1";
- private PolicyEngine policy;
- private static File baseDir;
-
- @BeforeClass
- public static void setupClazz() throws IOException {
- baseDir = Files.createTempDir();
- }
-
- @AfterClass
- public static void teardownClazz() throws IOException {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- protected void setPolicy(PolicyEngine policy) {
- this.policy = policy;
- }
- protected static File getBaseDir() {
- return baseDir;
- }
- @Before
- public void setup() throws IOException {
- afterSetup();
- }
- @After
- public void teardown() throws IOException {
- beforeTeardown();
- }
- protected void afterSetup() throws IOException {
-
- }
-
- protected void beforeTeardown() throws IOException {
-
- }
-
- @Test
- public void testManager() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
- PERM_SERVER1_JUNIOR_ANALYST_ALL, PERM_SERVER1_JUNIOR_ANALYST_READ,
- PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT
- ));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("manager"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
- PERM_SERVER1_JUNIOR_ANALYST_READ));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("analyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testJuniorAnalyst() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
- PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testAdmin() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(PERM_SERVER1_ADMIN));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("admin"), ActiveRoleSet.ALL))
- .toString());
- }
-
-
- @Test
- public void testOtherGroup() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testDbAll() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets
- .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
- PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
- .toString());
- }
-
- @Test
- public void testDbAllforOtherGroup() throws Exception {
- Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
- PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
- Assert.assertEquals(expected.toString(),
- new TreeSet<String>(policy.getAllPrivileges(set("other_group"), ActiveRoleSet.ALL))
- .toString());
- }
-
- private static Set<String> set(String... values) {
- return Sets.newHashSet(values);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyTestUtil.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyTestUtil.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyTestUtil.java
deleted file mode 100644
index c46df8f..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyTestUtil.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.model.db.HivePrivilegeModel;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
-
-import java.io.IOException;
-
-public class DBPolicyTestUtil {
-
- public static PolicyEngine createPolicyEngineForTest(String server, String resource) throws IOException {
-
- ProviderBackend providerBackend = new SimpleFileProviderBackend(new Configuration(), resource);
-
- // create backendContext
- ProviderBackendContext context = new ProviderBackendContext();
- context.setAllowPerDatabase(true);
- context.setValidators(HivePrivilegeModel.getInstance().getPrivilegeValidators(server));
- // initialize the backend with the context
- providerBackend.initialize(context);
-
-
- return new SimpleDBPolicyEngine(providerBackend);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
deleted file mode 100644
index 4c123b5..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertNull;
-
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.DBModelAuthorizables;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.core.model.db.View;
-import org.junit.Test;
-
-public class TestDBModelAuthorizables {
-
- @Test
- public void testServer() throws Exception {
- Server server = (Server) DBModelAuthorizables.from("SeRvEr=server1");
- assertEquals("server1", server.getName());
- }
- @Test
- public void testDb() throws Exception {
- Database db = (Database)DBModelAuthorizables.from("dB=db1");
- assertEquals("db1", db.getName());
- }
- @Test
- public void testTable() throws Exception {
- Table table = (Table)DBModelAuthorizables.from("tAbLe=t1");
- assertEquals("t1", table.getName());
- }
- @Test
- public void testView() throws Exception {
- View view = (View)DBModelAuthorizables.from("vIeW=v1");
- assertEquals("v1", view.getName());
- }
- @Test
- public void testURI() throws Exception {
- AccessURI uri = (AccessURI)DBModelAuthorizables.from("UrI=hdfs://uri1:8200/blah");
- assertEquals("hdfs://uri1:8200/blah", uri.getName());
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testNoKV() throws Exception {
- System.out.println(DBModelAuthorizables.from("nonsense"));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(DBModelAuthorizables.from("=v"));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(DBModelAuthorizables.from("k="));
- }
- @Test
- public void testNotAuthorizable() throws Exception {
- assertNull(DBModelAuthorizables.from("k=v"));
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
deleted file mode 100644
index 7fbef36..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-
-import junit.framework.Assert;
-
-import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
-import org.apache.sentry.core.model.db.validator.DatabaseRequiredInPrivilege;
-import org.apache.shiro.config.ConfigurationException;
-import org.junit.Test;
-
-public class TestDatabaseRequiredInRole {
-
- @Test
- public void testURIInPerDbPolicyFile() throws Exception {
- DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
- System.setProperty("sentry.allow.uri.db.policyfile", "true");
- dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
- "server=server1->URI=file:///user/db/warehouse/tab1"));
- System.setProperty("sentry.allow.uri.db.policyfile", "false");
- }
-
- @Test
- public void testURIWithDBInPerDbPolicyFile() throws Exception {
- DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
- try {
- dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
- "server=server1->db=db1->URI=file:///user/db/warehouse/tab1"));
- Assert.fail("Expected ConfigurationException");
- } catch (ConfigurationException e) {
- ;
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0c006517/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
deleted file mode 100644
index 8bc511d..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import java.io.File;
-import java.io.IOException;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Charsets;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestPolicyParsingNegative {
-
- @SuppressWarnings("unused")
- private static final Logger LOGGER = LoggerFactory
- .getLogger(TestPolicyParsingNegative.class);
-
- private File baseDir;
- private File globalPolicyFile;
- private File otherPolicyFile;
-
- @Before
- public void setup() {
- baseDir = Files.createTempDir();
- globalPolicyFile = new File(baseDir, "global.ini");
- otherPolicyFile = new File(baseDir, "other.ini");
- }
-
- @After
- public void teardown() {
- if(baseDir != null) {
- FileUtils.deleteQuietly(baseDir);
- }
- }
-
- private void append(String from, File to) throws IOException {
- Files.append(from + "\n", to, Charsets.UTF_8);
- }
-
- @Test
- public void testUnauthorizedDbSpecifiedInDBPolicyFile() throws Exception {
- append("[databases]", globalPolicyFile);
- append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
- append("[groups]", otherPolicyFile);
- append("other_group = malicious_role", otherPolicyFile);
- append("[roles]", otherPolicyFile);
- append("malicious_role = server=server1->db=customers->table=purchases->action=select", otherPolicyFile);
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
- @Test
- public void testPerDbFileCannotContainUsersOrDatabases() throws Exception {
- PolicyEngine policy;
- ImmutableSet<String> permissions;
- PolicyFile policyFile;
- // test sanity
- policyFile = PolicyFile.setAdminOnServer1("admin");
- policyFile.addGroupsToUser("admin1", "admin");
- policyFile.write(globalPolicyFile);
- policyFile.write(otherPolicyFile);
- policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), "[server=server1]");
- // test to ensure [users] fails parsing of per-db file
- policyFile.addDatabase("other", otherPolicyFile.getPath());
- policyFile.write(globalPolicyFile);
- policyFile.write(otherPolicyFile);
- policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), "[server=server1]");
- // test to ensure [databases] fails parsing of per-db file
- // by removing the user mapping from the per-db policy file
- policyFile.removeGroupsFromUser("admin1", "admin")
- .write(otherPolicyFile);
- policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- permissions = policy.getAllPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), "[server=server1]");
- }
-
- @Test
- public void testDatabaseRequiredInRole() throws Exception {
- append("[databases]", globalPolicyFile);
- append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
- append("[groups]", otherPolicyFile);
- append("other_group = malicious_role", otherPolicyFile);
- append("[roles]", otherPolicyFile);
- append("malicious_role = server=server1", otherPolicyFile);
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testServerAll() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = server=*", globalPolicyFile);
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testServerIncorrect() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = server=server2", globalPolicyFile);
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- @Test
- public void testAll() throws Exception {
- append("[groups]", globalPolicyFile);
- append("group = malicious_role", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("malicious_role = *", globalPolicyFile);
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
- }
-
- /**
- * Create policy file with multiple per db files.
- * Verify that a file with bad format is the only one that's ignored
- * @throws Exception
- */
- @Test
- public void testMultiDbWithErrors() throws Exception {
- File db1PolicyFile = new File(baseDir, "db1.ini");
- File db2PolicyFile = new File(baseDir, "db2.ini");
-
- // global policy file
- append("[databases]", globalPolicyFile);
- append("db1 = " + db1PolicyFile.getPath(), globalPolicyFile);
- append("db2 = " + db2PolicyFile.getPath(), globalPolicyFile);
- append("[groups]", globalPolicyFile);
- append("db3_group = db3_rule", globalPolicyFile);
- append("[roles]", globalPolicyFile);
- append("db3_rule = server=server1->db=db3->table=sales->action=select", globalPolicyFile);
-
- //db1 policy file with badly formatted rule
- append("[groups]", db1PolicyFile);
- append("db1_group = bad_rule", db1PolicyFile);
- append("[roles]", db1PolicyFile);
- append("bad_rule = server=server1->db=customers->=purchases->action=", db1PolicyFile);
-
- //db2 policy file with proper rule
- append("[groups]", db2PolicyFile);
- append("db2_group = db2_rule", db2PolicyFile);
- append("[roles]", db2PolicyFile);
- append("db2_rule = server=server1->db=db2->table=purchases->action=select", db2PolicyFile);
-
- PolicyEngine policy = DBPolicyTestUtil.createPolicyEngineForTest("server1", globalPolicyFile.getPath());
-
- // verify that the db1 rule is empty
- ImmutableSet<String> permissions = policy.getAllPrivileges(Sets.newHashSet("db1_group"), ActiveRoleSet.ALL);
- Assert.assertTrue(permissions.toString(), permissions.isEmpty());
-
- permissions = policy.getAllPrivileges(Sets.newHashSet("db2_group"), ActiveRoleSet.ALL);
- Assert.assertEquals(permissions.toString(), 1, permissions.size());
- }
-}