You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by co...@apache.org on 2016/03/15 07:56:48 UTC
[2/2] incubator-sentry git commit: SENTRY-1123: Add test cases for
Hive, Solr, Index, Sqoop with the CommonPrivilege(Colin Ma,
Reviewed by Dapeng Sun)
SENTRY-1123: Add test cases for Hive, Solr, Index, Sqoop with the CommonPrivilege(Colin Ma, Reviewed by Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/6c248e46
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/6c248e46
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/6c248e46
Branch: refs/heads/SENTRY-999
Commit: 6c248e4655f32f62baf00538cd4672b3373fc8cb
Parents: 0c00651
Author: Colin Ma <co...@apache.org>
Authored: Tue Mar 15 15:30:13 2016 +0800
Committer: Colin Ma <co...@apache.org>
Committed: Tue Mar 15 15:30:13 2016 +0800
----------------------------------------------------------------------
.../hive/TestCommonPrivilegeForHive.java | 345 +++++++++++++++++++
.../solr/TestCommonPrivilegeForSearch.java | 215 ++++++++++++
.../sqoop/TestCommonPrivilegeForSqoop.java | 197 +++++++++++
.../core/common/utils/SentryConstants.java | 2 +
.../sentry/policy/common/CommonPrivilege.java | 41 ++-
.../policy/db/TestDBWildcardPrivilege.java | 338 ------------------
.../indexer/TestCommonPrivilegeForIndexer.java | 215 ++++++++++++
.../indexer/TestIndexerWildcardPrivilege.java | 205 -----------
.../search/TestSearchWildcardPrivilege.java | 205 -----------
.../sqoop/TestSqoopWildcardPrivilege.java | 178 ----------
10 files changed, 1005 insertions(+), 936 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java
new file mode 100644
index 0000000..28674bd
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/privilege/hive/TestCommonPrivilegeForHive.java
@@ -0,0 +1,345 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.privilege.hive;
+
+import junit.framework.Assert;
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.common.utils.PathUtils;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.HivePrivilegeModel;
+import org.apache.sentry.policy.common.CommonPrivilege;
+import org.apache.sentry.policy.common.Privilege;
+import org.junit.Before;
+import org.junit.Test;
+
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
+
+public class TestCommonPrivilegeForHive {
+
+ private Model hivePrivilegeModel;
+
+ private static final String ALL = AccessConstants.ALL;
+
+ private static final CommonPrivilege ROLE_SERVER_SERVER1_DB_ALL =
+ create(new KeyValue("server", "server1"), new KeyValue("db", ALL));
+ private static final CommonPrivilege ROLE_SERVER_SERVER1_DB_DB1 =
+ create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
+ private static final CommonPrivilege ROLE_SERVER_SERVER2_DB_ALL =
+ create(new KeyValue("server", "server2"), new KeyValue("db", ALL));
+ private static final CommonPrivilege ROLE_SERVER_SERVER2_DB_DB1 =
+ create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
+ private static final CommonPrivilege ROLE_SERVER_ALL_DB_ALL =
+ create(new KeyValue("server", ALL), new KeyValue("db", ALL));
+ private static final CommonPrivilege ROLE_SERVER_ALL_DB_DB1 =
+ create(new KeyValue("server", ALL), new KeyValue("db", "db1"));
+
+ private static final CommonPrivilege ROLE_SERVER_SERVER1_URI_URI1 =
+ create(new KeyValue("server", "server1"), new KeyValue("uri",
+ "hdfs://namenode:8020/path/to/uri1"));
+ private static final CommonPrivilege ROLE_SERVER_SERVER1_URI_URI2 =
+ create(new KeyValue("server", "server1"), new KeyValue("uri",
+ "hdfs://namenode:8020/path/to/uri2/"));
+ private static final CommonPrivilege ROLE_SERVER_SERVER1_URI_ALL =
+ create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
+
+ private static final CommonPrivilege ROLE_SERVER_SERVER1 =
+ create(new KeyValue("server", "server1"));
+
+ private static final CommonPrivilege REQUEST_SERVER1_DB1 =
+ create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
+ private static final CommonPrivilege REQUEST_SERVER2_DB1 =
+ create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
+ private static final CommonPrivilege REQUEST_SERVER1_DB2 =
+ create(new KeyValue("server", "server1"), new KeyValue("db", "db2"));
+ private static final CommonPrivilege REQUEST_SERVER2_DB2 =
+ create(new KeyValue("server", "server2"), new KeyValue("db", "db2"));
+
+ private static final CommonPrivilege REQUEST_SERVER1_URI1 =
+ create(new KeyValue("server", "server1"), new KeyValue("uri",
+ "hdfs://namenode:8020/path/to/uri1/some/file"));
+ private static final CommonPrivilege REQUEST_SERVER1_URI2 =
+ create(new KeyValue("server", "server1"), new KeyValue("uri",
+ "hdfs://namenode:8020/path/to/uri2/some/other/file"));
+
+ private static final CommonPrivilege REQUEST_SERVER1_OTHER =
+ create(new KeyValue("server", "server2"), new KeyValue("other", "thing"));
+
+ private static final CommonPrivilege REQUEST_SERVER1 =
+ create(new KeyValue("server", "server2"));
+
+ @Before
+ public void prepareData() {
+ hivePrivilegeModel = HivePrivilegeModel.getInstance();
+ }
+
+ @Test
+ public void testOther() throws Exception {
+ assertFalse(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_OTHER, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER1_OTHER.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel));
+ }
+
+ @Test
+ public void testRoleShorterThanRequest() throws Exception {
+ assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
+
+ assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1, hivePrivilegeModel));
+ }
+
+ @Test
+ public void testRolesAndRequests() throws Exception {
+ // ROLE_SERVER_SERVER1_DB_ALL
+ assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
+
+ // test inverse
+ assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL, hivePrivilegeModel));
+ assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL, hivePrivilegeModel));
+
+ // ROLE_SERVER_SERVER1_DB_DB1
+ assertTrue(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
+
+ // test inverse
+ assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1, hivePrivilegeModel));
+
+ // ROLE_SERVER_SERVER2_DB_ALL
+ assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
+
+ // test inverse
+ assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL, hivePrivilegeModel));
+ assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL, hivePrivilegeModel));
+ assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL, hivePrivilegeModel));
+
+ // ROLE_SERVER_SERVER2_DB_DB1
+ assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
+
+ assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1, hivePrivilegeModel));
+ assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1, hivePrivilegeModel));
+
+ // ROLE_SERVER_ALL_DB_ALL
+ assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
+
+ // test inverse
+ assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel));
+ assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel));
+ assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel));
+ assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_ALL, hivePrivilegeModel));
+
+ // ROLE_SERVER_ALL_DB_DB1
+ assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB1, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB1, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB2, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB2, hivePrivilegeModel));
+
+ // test inverse
+ assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_DB1, hivePrivilegeModel));
+ assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_DB1, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_DB1, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_DB1, hivePrivilegeModel));
+
+ // uri
+ assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel));
+ assertTrue(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI2, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER2_DB2.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel));
+ assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_URI1, hivePrivilegeModel));
+ // test inverse
+ assertTrue(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_ALL, hivePrivilegeModel));
+ assertTrue(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_ALL, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI1, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI1, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI2, hivePrivilegeModel));
+ assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI2, hivePrivilegeModel));
+ };
+
+ @Test
+ public void testUnexpected() throws Exception {
+ Privilege p = new Privilege() {
+ @Override
+ public boolean implies(Privilege p) {
+ return false;
+ }
+ };
+ assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null));
+ assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p));
+ assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null));
+ assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p));
+
+ Assert.assertEquals(ROLE_SERVER_SERVER1_DB_ALL.hashCode(),
+ create(ROLE_SERVER_SERVER1_DB_ALL.toString()).hashCode());
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testNullString() throws Exception {
+ System.out.println(create((String)null));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyString() throws Exception {
+ System.out.println(create(""));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyKey() throws Exception {
+ System.out.println(create(KV_JOINER.join("", "db1")));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyValue() throws Exception {
+ System.out.println(create(KV_JOINER.join("db", "")));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyPart() throws Exception {
+ System.out.println(create(AUTHORIZABLE_JOINER.
+ join(KV_JOINER.join("server", "server1"), "")));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testOnlySeperators() throws Exception {
+ System.out.println(create(AUTHORIZABLE_JOINER.
+ join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
+ }
+
+ @Test
+ public void testImpliesURIPositive() throws Exception {
+ assertTrue(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/path/to/some/dir"));
+ assertTrue(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/path"));
+ assertTrue(PathUtils.impliesURI("file:///path", "file:///path/to/some/dir"));
+ assertTrue(PathUtils.impliesURI("file:///path", "file:///path"));
+ }
+
+ @Test
+ public void testImpliesURINegative() throws Exception {
+ // relative path
+ assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/path/to/../../other"));
+ assertFalse(PathUtils.impliesURI("file:///path", "file:///path/to/../../other"));
+ // bad policy
+ assertFalse(PathUtils.impliesURI("blah", "hdfs://namenode:8020/path/to/some/dir"));
+ // bad request
+ assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "blah"));
+ // scheme
+ assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "file:///path/to/some/dir"));
+ assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "file://namenode:8020/path/to/some/dir"));
+ // hostname
+ assertFalse(PathUtils.impliesURI("hdfs://namenode1:8020/path", "hdfs://namenode2:8020/path/to/some/dir"));
+ // port
+ assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8021/path/to/some/dir"));
+ // mangled path
+ assertFalse(PathUtils.impliesURI("hdfs://namenode:8020/path", "hdfs://namenode:8020/pathFooBar"));
+ // ends in /
+ assertTrue(PathUtils.impliesURI("hdfs://namenode:8020/path/", "hdfs://namenode:8020/path/FooBar"));
+ }
+
+ @Test
+ public void testActionHierarchy() throws Exception {
+ String dbName = "db1";
+ CommonPrivilege dbAll = create(new KeyValue("server", "server1"),
+ new KeyValue("db", dbName), new KeyValue("action", "ALL"));
+
+ CommonPrivilege dbSelect = create(new KeyValue("server", "server1"),
+ new KeyValue("db", dbName), new KeyValue("action", "SELECT"));
+ CommonPrivilege dbInsert = create(new KeyValue("server", "server1"),
+ new KeyValue("db", dbName), new KeyValue("action", "INSERT"));
+ CommonPrivilege dbAlter = create(new KeyValue("server", "server1"),
+ new KeyValue("db", dbName), new KeyValue("action", "ALTER"));
+ CommonPrivilege dbCreate = create(new KeyValue("server", "server1"),
+ new KeyValue("db", dbName), new KeyValue("action", "CREATE"));
+ CommonPrivilege dbDrop = create(new KeyValue("server", "server1"),
+ new KeyValue("db", dbName), new KeyValue("action", "DROP"));
+ CommonPrivilege dbIndex = create(new KeyValue("server", "server1"),
+ new KeyValue("db", dbName), new KeyValue("action", "INDEX"));
+ CommonPrivilege dbLock = create(new KeyValue("server", "server1"),
+ new KeyValue("db", dbName), new KeyValue("action", "LOCK"));
+
+ assertTrue(dbAll.implies(dbSelect, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbInsert, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbAlter, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbCreate, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbDrop, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbIndex, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbLock, hivePrivilegeModel));
+
+ dbAll = create(new KeyValue("server", "server1"),
+ new KeyValue("db", dbName), new KeyValue("action", "*"));
+
+ assertTrue(dbAll.implies(dbSelect, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbInsert, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbAlter, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbCreate, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbDrop, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbIndex, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbLock, hivePrivilegeModel));
+
+ dbAll = create(new KeyValue("server", "server1"),
+ new KeyValue("db", dbName));
+
+ assertTrue(dbAll.implies(dbSelect, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbInsert, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbAlter, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbCreate, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbDrop, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbIndex, hivePrivilegeModel));
+ assertTrue(dbAll.implies(dbLock, hivePrivilegeModel));
+ }
+
+ static CommonPrivilege create(KeyValue... keyValues) {
+ return create(AUTHORIZABLE_JOINER.join(keyValues));
+ }
+
+ static CommonPrivilege create(String s) {
+ return new CommonPrivilege(s);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java
new file mode 100644
index 0000000..644e0ef
--- /dev/null
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/privilege/solr/TestCommonPrivilegeForSearch.java
@@ -0,0 +1,215 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.privilege.solr;
+
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.model.search.SearchConstants;
+import org.apache.sentry.core.model.search.SearchPrivilegeModel;
+import org.apache.sentry.policy.common.CommonPrivilege;
+import org.apache.sentry.policy.common.Privilege;
+import org.junit.Before;
+import org.junit.Test;
+
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
+
+public class TestCommonPrivilegeForSearch {
+
+ private Model searchPrivilegeModel;
+
+ private static final String ALL = SearchConstants.ALL;
+
+ @Before
+ public void prepareData() {
+ searchPrivilegeModel = SearchPrivilegeModel.getInstance();
+ }
+
+ @Test
+ public void testSimpleNoAction() throws Exception {
+ CommonPrivilege collection1 = create(new KeyValue("collection", "coll1"));
+ CommonPrivilege collection2 = create(new KeyValue("collection", "coll2"));
+ CommonPrivilege collection1Case = create(new KeyValue("colleCtIon", "coLl1"));
+
+ assertTrue(collection1.implies(collection1, searchPrivilegeModel));
+ assertTrue(collection2.implies(collection2, searchPrivilegeModel));
+ assertTrue(collection1.implies(collection1Case, searchPrivilegeModel));
+ assertTrue(collection1Case.implies(collection1, searchPrivilegeModel));
+
+ assertFalse(collection1.implies(collection2, searchPrivilegeModel));
+ assertFalse(collection1Case.implies(collection2, searchPrivilegeModel));
+ assertFalse(collection2.implies(collection1, searchPrivilegeModel));
+ assertFalse(collection2.implies(collection1Case, searchPrivilegeModel));
+ }
+
+ @Test
+ public void testSimpleAction() throws Exception {
+ CommonPrivilege query =
+ create(new KeyValue("collection", "coll1"), new KeyValue("action", "query"));
+ CommonPrivilege update =
+ create(new KeyValue("collection", "coll1"), new KeyValue("action", "update"));
+ CommonPrivilege queryCase =
+ create(new KeyValue("colleCtIon", "coLl1"), new KeyValue("AcTiOn", "QuERy"));
+
+ assertTrue(query.implies(query, searchPrivilegeModel));
+ assertTrue(update.implies(update, searchPrivilegeModel));
+ assertTrue(query.implies(queryCase, searchPrivilegeModel));
+ assertTrue(queryCase.implies(query, searchPrivilegeModel));
+
+ assertFalse(query.implies(update, searchPrivilegeModel));
+ assertFalse(queryCase.implies(update, searchPrivilegeModel));
+ assertFalse(update.implies(query, searchPrivilegeModel));
+ assertFalse(update.implies(queryCase, searchPrivilegeModel));
+ }
+
+ @Test
+ public void testRoleShorterThanRequest() throws Exception {
+ CommonPrivilege collection1 = create(new KeyValue("collection", "coll1"));
+ CommonPrivilege query =
+ create(new KeyValue("collection", "coll1"), new KeyValue("action", "query"));
+ CommonPrivilege update =
+ create(new KeyValue("collection", "coll1"), new KeyValue("action", "update"));
+ CommonPrivilege all =
+ create(new KeyValue("collection", "coll1"), new KeyValue("action", ALL));
+
+ assertTrue(collection1.implies(query, searchPrivilegeModel));
+ assertTrue(collection1.implies(update, searchPrivilegeModel));
+ assertTrue(collection1.implies(all, searchPrivilegeModel));
+
+ assertFalse(query.implies(collection1, searchPrivilegeModel));
+ assertFalse(update.implies(collection1, searchPrivilegeModel));
+ assertTrue(all.implies(collection1, searchPrivilegeModel));
+ }
+
+ @Test
+ public void testCollectionAll() throws Exception {
+ CommonPrivilege collectionAll = create(new KeyValue("collection", ALL));
+ CommonPrivilege collection1 = create(new KeyValue("collection", "coll1"));
+ assertTrue(collectionAll.implies(collection1, searchPrivilegeModel));
+ assertTrue(collection1.implies(collectionAll, searchPrivilegeModel));
+
+ CommonPrivilege allUpdate =
+ create(new KeyValue("collection", ALL), new KeyValue("action", "update"));
+ CommonPrivilege allQuery =
+ create(new KeyValue("collection", ALL), new KeyValue("action", "query"));
+ CommonPrivilege coll1Update =
+ create(new KeyValue("collection", "coll1"), new KeyValue("action", "update"));
+ CommonPrivilege coll1Query =
+ create(new KeyValue("collection", "coll1"), new KeyValue("action", "query"));
+ assertTrue(allUpdate.implies(coll1Update, searchPrivilegeModel));
+ assertTrue(allQuery.implies(coll1Query, searchPrivilegeModel));
+ assertTrue(coll1Update.implies(allUpdate, searchPrivilegeModel));
+ assertTrue(coll1Query.implies(allQuery, searchPrivilegeModel));
+ assertFalse(allUpdate.implies(coll1Query, searchPrivilegeModel));
+ assertFalse(coll1Update.implies(coll1Query, searchPrivilegeModel));
+ assertFalse(allQuery.implies(coll1Update, searchPrivilegeModel));
+ assertFalse(coll1Query.implies(allUpdate, searchPrivilegeModel));
+ assertFalse(allUpdate.implies(allQuery, searchPrivilegeModel));
+ assertFalse(allQuery.implies(allUpdate, searchPrivilegeModel));
+ assertFalse(coll1Update.implies(coll1Query, searchPrivilegeModel));
+ assertFalse(coll1Query.implies(coll1Update, searchPrivilegeModel));
+
+ // test different length paths
+ assertTrue(collectionAll.implies(allUpdate, searchPrivilegeModel));
+ assertTrue(collectionAll.implies(allQuery, searchPrivilegeModel));
+ assertTrue(collectionAll.implies(coll1Update, searchPrivilegeModel));
+ assertTrue(collectionAll.implies(coll1Query, searchPrivilegeModel));
+ assertFalse(allUpdate.implies(collectionAll, searchPrivilegeModel));
+ assertFalse(allQuery.implies(collectionAll, searchPrivilegeModel));
+ assertFalse(coll1Update.implies(collectionAll, searchPrivilegeModel));
+ assertFalse(coll1Query.implies(collectionAll, searchPrivilegeModel));
+ }
+
+ @Test
+ public void testActionAll() throws Exception {
+ CommonPrivilege coll1All =
+ create(new KeyValue("collection", "coll1"), new KeyValue("action", ALL));
+ CommonPrivilege coll1Update =
+ create(new KeyValue("collection", "coll1"), new KeyValue("action", "update"));
+ CommonPrivilege coll1Query =
+ create(new KeyValue("collection", "coll1"), new KeyValue("action", "query"));
+ assertTrue(coll1All.implies(coll1All, searchPrivilegeModel));
+ assertTrue(coll1All.implies(coll1Update, searchPrivilegeModel));
+ assertTrue(coll1All.implies(coll1Query, searchPrivilegeModel));
+ assertFalse(coll1Update.implies(coll1All, searchPrivilegeModel));
+ assertFalse(coll1Query.implies(coll1All, searchPrivilegeModel));
+
+ // test different lengths
+ CommonPrivilege coll1 =
+ create(new KeyValue("collection", "coll1"));
+ assertTrue(coll1All.implies(coll1, searchPrivilegeModel));
+ assertTrue(coll1.implies(coll1All, searchPrivilegeModel));
+ }
+
+ @Test
+ public void testUnexpected() throws Exception {
+ Privilege p = new Privilege() {
+ @Override
+ public boolean implies(Privilege p) {
+ return false;
+ }
+ };
+ Privilege collection1 = create(new KeyValue("collection", "coll1"));
+ assertFalse(collection1.implies(null));
+ assertFalse(collection1.implies(p));
+ assertFalse(collection1.equals(null));
+ assertFalse(collection1.equals(p));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testNullString() throws Exception {
+ System.out.println(create((String)null));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyString() throws Exception {
+ System.out.println(create(""));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyKey() throws Exception {
+ System.out.println(create(KV_JOINER.join("collection", "")));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyValue() throws Exception {
+ System.out.println(create(KV_JOINER.join("", "coll1")));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyPart() throws Exception {
+ System.out.println(create(AUTHORIZABLE_JOINER.
+ join(KV_JOINER.join("collection1", "coll1"), "")));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testOnlySeperators() throws Exception {
+ System.out.println(create(AUTHORIZABLE_JOINER.
+ join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
+ }
+
+ static CommonPrivilege create(KeyValue... keyValues) {
+ return create(AUTHORIZABLE_JOINER.join(keyValues));
+ }
+
+ static CommonPrivilege create(String s) {
+ return new CommonPrivilege(s);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java
new file mode 100644
index 0000000..0ec7783
--- /dev/null
+++ b/sentry-binding/sentry-binding-sqoop/src/test/java/org/apache/sentry/privilege/sqoop/TestCommonPrivilegeForSqoop.java
@@ -0,0 +1,197 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.privilege.sqoop;
+
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel;
+import org.apache.sentry.policy.common.CommonPrivilege;
+import org.apache.sentry.policy.common.Privilege;
+import org.junit.Before;
+import org.junit.Test;
+
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
+
+public class TestCommonPrivilegeForSqoop {
+
+ private Model sqoopPrivilegeModel;
+
+ private static final CommonPrivilege SQOOP_SERVER1_ALL =
+ create(new KeyValue("SERVER", "server1"), new KeyValue("action", SqoopActionConstant.ALL));
+ private static final CommonPrivilege SQOOP_SERVER1_READ =
+ create(new KeyValue("SERVER", "server1"), new KeyValue("action", SqoopActionConstant.READ));
+ private static final CommonPrivilege SQOOP_SERVER1_WRITE =
+ create(new KeyValue("SERVER", "server1"), new KeyValue("action", SqoopActionConstant.WRITE));
+
+ private static final CommonPrivilege SQOOP_SERVER1_JOB1_ALL =
+ create(new KeyValue("SERVER", "server1"), new KeyValue("JOB", "job1"),
+ new KeyValue("action", SqoopActionConstant.ALL));
+ private static final CommonPrivilege SQOOP_SERVER1_JOB1_READ =
+ create(new KeyValue("SERVER", "server1"), new KeyValue("JOB", "job1"),
+ new KeyValue("action", SqoopActionConstant.READ));
+ private static final CommonPrivilege SQOOP_SERVER1_JOB1_WRITE =
+ create(new KeyValue("SERVER", "server1"), new KeyValue("JOB", "job1"),
+ new KeyValue("action", SqoopActionConstant.WRITE));
+
+ private static final CommonPrivilege SQOOP_SERVER1_LINK1_ALL =
+ create(new KeyValue("SERVER", "server1"), new KeyValue("LINK", "link1"),
+ new KeyValue("action", SqoopActionConstant.ALL));
+ private static final CommonPrivilege SQOOP_SERVER1_LINK1_READ =
+ create(new KeyValue("SERVER", "server1"), new KeyValue("LINK", "link1"),
+ new KeyValue("action", SqoopActionConstant.READ));
+ private static final CommonPrivilege SQOOP_SERVER1_LINK1_WRITE =
+ create(new KeyValue("SERVER", "server1"), new KeyValue("LINK", "link1"),
+ new KeyValue("action", SqoopActionConstant.WRITE));
+
+ private static final CommonPrivilege SQOOP_SERVER1_CONNECTOR1_ALL =
+ create(new KeyValue("SERVER", "server1"), new KeyValue("CONNECTOR", "connector1"),
+ new KeyValue("action", SqoopActionConstant.ALL));
+ private static final CommonPrivilege SQOOP_SERVER1_CONNECTOR1_READ =
+ create(new KeyValue("SERVER", "server1"), new KeyValue("CONNECTOR", "connector1"),
+ new KeyValue("action", SqoopActionConstant.READ));
+ private static final CommonPrivilege SQOOP_SERVER1_CONNECTOR1_WRITE =
+ create(new KeyValue("SERVER", "server1"), new KeyValue("CONNECTOR", "connector1"),
+ new KeyValue("action", SqoopActionConstant.WRITE));
+
+ @Before
+ public void prepareData() {
+ sqoopPrivilegeModel = SqoopPrivilegeModel.getInstance();
+ }
+
+ @Test
+ public void testSimpleAction() throws Exception {
+ //server
+ assertFalse(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_READ, sqoopPrivilegeModel));
+ assertFalse(SQOOP_SERVER1_READ.implies(SQOOP_SERVER1_WRITE, sqoopPrivilegeModel));
+ //connector
+ assertFalse(SQOOP_SERVER1_CONNECTOR1_WRITE.implies(SQOOP_SERVER1_CONNECTOR1_READ, sqoopPrivilegeModel));
+ assertFalse(SQOOP_SERVER1_CONNECTOR1_READ.implies(SQOOP_SERVER1_CONNECTOR1_WRITE, sqoopPrivilegeModel));
+ //job
+ assertFalse(SQOOP_SERVER1_JOB1_READ.implies(SQOOP_SERVER1_JOB1_WRITE, sqoopPrivilegeModel));
+ assertFalse(SQOOP_SERVER1_JOB1_WRITE.implies(SQOOP_SERVER1_JOB1_READ, sqoopPrivilegeModel));
+ //link
+ assertFalse(SQOOP_SERVER1_LINK1_READ.implies(SQOOP_SERVER1_LINK1_WRITE, sqoopPrivilegeModel));
+ assertFalse(SQOOP_SERVER1_LINK1_WRITE.implies(SQOOP_SERVER1_LINK1_READ, sqoopPrivilegeModel));
+ }
+
+ @Test
+ public void testShorterThanRequest() throws Exception {
+ //job
+ assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_JOB1_ALL, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_JOB1_READ, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_JOB1_WRITE, sqoopPrivilegeModel));
+
+ assertFalse(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_READ, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_READ.implies(SQOOP_SERVER1_JOB1_READ, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_JOB1_WRITE, sqoopPrivilegeModel));
+
+ //link
+ assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_LINK1_ALL, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_LINK1_READ, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_LINK1_WRITE, sqoopPrivilegeModel));
+
+ assertTrue(SQOOP_SERVER1_READ.implies(SQOOP_SERVER1_LINK1_READ, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_LINK1_WRITE, sqoopPrivilegeModel));
+
+ //connector
+ assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_ALL, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_READ, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_WRITE, sqoopPrivilegeModel));
+
+ assertTrue(SQOOP_SERVER1_READ.implies(SQOOP_SERVER1_CONNECTOR1_READ, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_WRITE.implies(SQOOP_SERVER1_CONNECTOR1_WRITE, sqoopPrivilegeModel));
+ }
+
+ @Test
+ public void testActionAll() throws Exception {
+ //server
+ assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_READ, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_ALL.implies(SQOOP_SERVER1_WRITE, sqoopPrivilegeModel));
+
+ //job
+ assertTrue(SQOOP_SERVER1_JOB1_ALL.implies(SQOOP_SERVER1_JOB1_READ, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_JOB1_ALL.implies(SQOOP_SERVER1_JOB1_WRITE, sqoopPrivilegeModel));
+
+ //link
+ assertTrue(SQOOP_SERVER1_LINK1_ALL.implies(SQOOP_SERVER1_LINK1_READ, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_LINK1_ALL.implies(SQOOP_SERVER1_LINK1_WRITE, sqoopPrivilegeModel));
+
+ //connector
+ assertTrue(SQOOP_SERVER1_CONNECTOR1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_READ, sqoopPrivilegeModel));
+ assertTrue(SQOOP_SERVER1_CONNECTOR1_ALL.implies(SQOOP_SERVER1_CONNECTOR1_WRITE, sqoopPrivilegeModel));
+ }
+
+ @Test
+ public void testUnexpected() throws Exception {
+ Privilege p = new Privilege() {
+ @Override
+ public boolean implies(Privilege p) {
+ return false;
+ }
+ };
+ Privilege job1 = create(new KeyValue("SERVER", "server"), new KeyValue("JOB", "job1"));
+ assertFalse(job1.implies(null));
+ assertFalse(job1.implies(p));
+ assertFalse(job1.equals(null));
+ assertFalse(job1.equals(p));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testNullString() throws Exception {
+ System.out.println(create((String)null));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyString() throws Exception {
+ System.out.println(create(""));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyKey() throws Exception {
+ System.out.println(create(KV_JOINER.join("", "server1")));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyValue() throws Exception {
+ System.out.println(create(KV_JOINER.join("SERVER", "")));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyPart() throws Exception {
+ System.out.println(create(AUTHORIZABLE_JOINER.
+ join(KV_JOINER.join("SERVER", "server1"), "")));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testOnlySeperators() throws Exception {
+ System.out.println(create(AUTHORIZABLE_JOINER.
+ join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
+ }
+
+ static CommonPrivilege create(KeyValue... keyValues) {
+ return create(AUTHORIZABLE_JOINER.join(keyValues));
+ }
+
+ static CommonPrivilege create(String s) {
+ return new CommonPrivilege(s);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java
index e752c76..3da4906 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/SentryConstants.java
@@ -37,5 +37,7 @@ public class SentryConstants {
public static final String PRIVILEGE_WILDCARD_VALUE = "*";
public static final String RESOURCE_WILDCARD_VALUE = "*";
+ public static final String RESOURCE_WILDCARD_VALUE_ALL = "ALL";
+ public static final String RESOURCE_WILDCARD_VALUE_SOME = "+";
public static final String ACCESS_ALLOW_URI_PER_DB_POLICYFILE = "sentry.allow.uri.db.policyfile";
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java
index 8583448..43cb5c8 100644
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/CommonPrivilege.java
@@ -76,6 +76,10 @@ public class CommonPrivilege implements Privilege {
String policyKey = part.getKey();
// are the keys even equal
if(!policyKey.equalsIgnoreCase(otherPart.getKey())) {
+ // Support for action inheritance from parent to child
+ if (SentryConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyKey)) {
+ continue;
+ }
return false;
}
@@ -110,12 +114,23 @@ public class CommonPrivilege implements Privilege {
// for Hive, databaseName, tableName, columnName will be compared using String.equal(wildcard support)
// url will be compared using PathUtils.impliesURI
private boolean impliesResource(ImplyMethodType implyMethodType, String policyValue, String requestValue) {
+ // wildcard support, "*", "+", "all"("+" and "all" are for backward compatibility) are represented as wildcard
+ // if requestValue is wildcard, means privilege request is to match with any value of given resource
+ if (SentryConstants.RESOURCE_WILDCARD_VALUE.equals(policyValue)
+ || SentryConstants.RESOURCE_WILDCARD_VALUE.equals(requestValue)
+ || SentryConstants.RESOURCE_WILDCARD_VALUE_ALL.equals(policyValue)
+ || SentryConstants.RESOURCE_WILDCARD_VALUE_ALL.equals(requestValue)
+ || SentryConstants.RESOURCE_WILDCARD_VALUE_SOME.equals(policyValue)
+ || SentryConstants.RESOURCE_WILDCARD_VALUE_SOME.equals(requestValue)) {
+ return true;
+ }
+
// compare as the url
if (ImplyMethodType.URL == implyMethodType) {
return PathUtils.impliesURI(policyValue, requestValue);
}
- // default: compare as the string with wildcard support
- return impliesStringWithWildcard(policyValue, requestValue);
+ // default: compare as the string
+ return policyValue.equals(requestValue);
}
// The method is used for compare the action for the privilege model.
@@ -132,14 +147,6 @@ public class CommonPrivilege implements Privilege {
return currentAction.implies(requestAction);
}
- private boolean impliesStringWithWildcard(String policyValue, String requestValue) {
- if (SentryConstants.RESOURCE_WILDCARD_VALUE.equals(policyValue)) {
- return true;
- }
- return policyValue.equals(requestValue);
- }
-
-
@Override
public String toString() {
return SentryConstants.AUTHORIZABLE_JOINER.join(parts);
@@ -152,4 +159,18 @@ public class CommonPrivilege implements Privilege {
public List<KeyValue> getParts() {
return parts;
}
+
+ @Override
+ public boolean equals(Object o) {
+ if (o instanceof CommonPrivilege) {
+ CommonPrivilege cp = (CommonPrivilege) o;
+ return parts.equals(cp.parts);
+ }
+ return false;
+ }
+
+ @Override
+ public int hashCode() {
+ return parts.hashCode();
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
deleted file mode 100644
index 343a45d..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
+++ /dev/null
@@ -1,338 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertFalse;
-import static junit.framework.Assert.assertTrue;
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
-
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.policy.common.Privilege;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.junit.Test;
-
-public class TestDBWildcardPrivilege {
-
- private static final String ALL = AccessConstants.ALL;
-
- private static final Privilege ROLE_SERVER_SERVER1_DB_ALL =
- create(new KeyValue("server", "server1"), new KeyValue("db", ALL));
- private static final Privilege ROLE_SERVER_SERVER1_DB_DB1 =
- create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
- private static final Privilege ROLE_SERVER_SERVER2_DB_ALL =
- create(new KeyValue("server", "server2"), new KeyValue("db", ALL));
- private static final Privilege ROLE_SERVER_SERVER2_DB_DB1 =
- create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
- private static final Privilege ROLE_SERVER_ALL_DB_ALL =
- create(new KeyValue("server", ALL), new KeyValue("db", ALL));
- private static final Privilege ROLE_SERVER_ALL_DB_DB1 =
- create(new KeyValue("server", ALL), new KeyValue("db", "db1"));
-
- private static final Privilege ROLE_SERVER_SERVER1_URI_URI1 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri1"));
- private static final Privilege ROLE_SERVER_SERVER1_URI_URI2 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri2/"));
- private static final Privilege ROLE_SERVER_SERVER1_URI_ALL =
- create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
-
-
- private static final Privilege ROLE_SERVER_SERVER1 =
- create(new KeyValue("server", "server1"));
-
-
- private static final Privilege REQUEST_SERVER1_DB1 =
- create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
- private static final Privilege REQUEST_SERVER2_DB1 =
- create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
- private static final Privilege REQUEST_SERVER1_DB2 =
- create(new KeyValue("server", "server1"), new KeyValue("db", "db2"));
- private static final Privilege REQUEST_SERVER2_DB2 =
- create(new KeyValue("server", "server2"), new KeyValue("db", "db2"));
-
- private static final Privilege REQUEST_SERVER1_URI1 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri1/some/file"));
- private static final Privilege REQUEST_SERVER1_URI2 =
- create(new KeyValue("server", "server1"), new KeyValue("uri",
- "hdfs://namenode:8020/path/to/uri2/some/other/file"));
-
- private static final Privilege REQUEST_SERVER1_OTHER =
- create(new KeyValue("server", "server2"), new KeyValue("other", "thing"));
-
- private static final Privilege REQUEST_SERVER1 =
- create(new KeyValue("server", "server2"));
-
- @Test
- public void testOther() throws Exception {
- assertFalse(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_OTHER));
- assertFalse(REQUEST_SERVER1_OTHER.implies(ROLE_SERVER_ALL_DB_ALL));
- }
- @Test
- public void testRoleShorterThanRequest() throws Exception {
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB2));
-
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1));
- }
- @Test
- public void testRolesAndRequests() throws Exception {
- // ROLE_SERVER_SERVER1_DB_ALL
- assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB1));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB1));
- assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
- assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
- assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
-
- // ROLE_SERVER_SERVER1_DB_DB1
- assertTrue(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB1));
- assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
-
- // ROLE_SERVER_SERVER2_DB_ALL
- assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB2));
- assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
-
- // ROLE_SERVER_SERVER2_DB_DB1
- assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
- assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
-
- // ROLE_SERVER_ALL_DB_ALL
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB1));
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB2));
- assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
- assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
- assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
-
- // ROLE_SERVER_ALL_DB_DB1
- assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB1));
- assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB1));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB2));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
- // test inverse
- assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
- assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
- assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
- assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
-
- // uri
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI1));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI1));
- assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI1));
- assertFalse(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI2));
- assertTrue(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI2));
- assertFalse(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI1));
- assertFalse(REQUEST_SERVER2_DB2.implies(REQUEST_SERVER1_URI1));
- assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_URI1));
- // test inverse
- assertTrue(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_ALL));
- assertTrue(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_ALL));
- assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1));
- assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI1));
- assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI1));
- assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI2));
- assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI2));
- };
- @Test
- public void testUnexpected() throws Exception {
- Privilege p = new Privilege() {
- @Override
- public boolean implies(Privilege p) {
- return false;
- }
- };
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null));
- assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p));
-
- assertEquals(ROLE_SERVER_SERVER1_DB_ALL.hashCode(),
- create(ROLE_SERVER_SERVER1_DB_ALL.toString()).hashCode());
- }
- @Test(expected=IllegalArgumentException.class)
- public void testNullString() throws Exception {
- System.out.println(create((String)null));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyString() throws Exception {
- System.out.println(create(""));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(create(KV_JOINER.join("", "db1")));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(create(KV_JOINER.join("db", "")));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyPart() throws Exception {
- System.out.println(create(AUTHORIZABLE_JOINER.
- join(KV_JOINER.join("server", "server1"), "")));
- }
- @Test(expected=IllegalArgumentException.class)
- public void testOnlySeperators() throws Exception {
- System.out.println(create(AUTHORIZABLE_JOINER.
- join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
- }
- @Test
- public void testImpliesURIPositive() throws Exception {
- assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/path/to/some/dir"));
- assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/path"));
- assertTrue(DBWildcardPrivilege.impliesURI("file:///path",
- "file:///path/to/some/dir"));
- assertTrue(DBWildcardPrivilege.impliesURI("file:///path",
- "file:///path"));
- }
- @Test
- public void testImpliesURINegative() throws Exception {
- // relative path
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/path/to/../../other"));
- assertFalse(DBWildcardPrivilege.impliesURI("file:///path",
- "file:///path/to/../../other"));
- // bad policy
- assertFalse(DBWildcardPrivilege.impliesURI("blah",
- "hdfs://namenode:8020/path/to/some/dir"));
- // bad request
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "blah"));
- // scheme
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "file:///path/to/some/dir"));
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "file://namenode:8020/path/to/some/dir"));
- // hostname
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode1:8020/path",
- "hdfs://namenode2:8020/path/to/some/dir"));
- // port
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8021/path/to/some/dir"));
- // mangled path
- assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
- "hdfs://namenode:8020/pathFooBar"));
- // ends in /
- assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path/",
- "hdfs://namenode:8020/path/FooBar"));
- }
- @Test
- public void testActionHierarchy() throws Exception {
- String dbName = "db1";
- DBWildcardPrivilege dbAll = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "ALL"));
-
- DBWildcardPrivilege dbSelect = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "SELECT"));
- DBWildcardPrivilege dbInsert = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "INSERT"));
- DBWildcardPrivilege dbAlter = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "ALTER"));
- DBWildcardPrivilege dbCreate = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "CREATE"));
- DBWildcardPrivilege dbDrop = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "DROP"));
- DBWildcardPrivilege dbIndex = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "INDEX"));
- DBWildcardPrivilege dbLock = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "LOCK"));
-
- assertTrue(dbAll.implies(dbSelect));
- assertTrue(dbAll.implies(dbInsert));
- assertTrue(dbAll.implies(dbAlter));
- assertTrue(dbAll.implies(dbCreate));
- assertTrue(dbAll.implies(dbDrop));
- assertTrue(dbAll.implies(dbIndex));
- assertTrue(dbAll.implies(dbLock));
-
- dbAll = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName), new KeyValue("action", "*"));
-
- assertTrue(dbAll.implies(dbSelect));
- assertTrue(dbAll.implies(dbInsert));
- assertTrue(dbAll.implies(dbAlter));
- assertTrue(dbAll.implies(dbCreate));
- assertTrue(dbAll.implies(dbDrop));
- assertTrue(dbAll.implies(dbIndex));
- assertTrue(dbAll.implies(dbLock));
-
- dbAll = create(new KeyValue("server", "server1"),
- new KeyValue("db", dbName));
-
- assertTrue(dbAll.implies(dbSelect));
- assertTrue(dbAll.implies(dbInsert));
- assertTrue(dbAll.implies(dbAlter));
- assertTrue(dbAll.implies(dbCreate));
- assertTrue(dbAll.implies(dbDrop));
- assertTrue(dbAll.implies(dbIndex));
- assertTrue(dbAll.implies(dbLock));
-
- }
- static DBWildcardPrivilege create(KeyValue... keyValues) {
- return create(AUTHORIZABLE_JOINER.join(keyValues));
-
- }
- static DBWildcardPrivilege create(String s) {
- return new DBWildcardPrivilege(s);
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java
new file mode 100644
index 0000000..42fed4b
--- /dev/null
+++ b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestCommonPrivilegeForIndexer.java
@@ -0,0 +1,215 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.indexer;
+
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.model.indexer.IndexerConstants;
+import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel;
+import org.apache.sentry.policy.common.CommonPrivilege;
+import org.apache.sentry.policy.common.Privilege;
+import org.junit.Before;
+import org.junit.Test;
+
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
+
+public class TestCommonPrivilegeForIndexer {
+
+ private Model indexerPrivilegeModel;
+
+ private static final String ALL = IndexerConstants.ALL;
+
+ @Before
+ public void prepareData() {
+ indexerPrivilegeModel = IndexerPrivilegeModel.getInstance();
+ }
+
+ @Test
+ public void testSimpleNoAction() throws Exception {
+ CommonPrivilege indexer1 = create(new KeyValue("indexer", "ind1"));
+ CommonPrivilege indexer2 = create(new KeyValue("indexer", "ind2"));
+ CommonPrivilege indexer1Case = create(new KeyValue("indeXeR", "inD1"));
+
+ assertTrue(indexer1.implies(indexer1, indexerPrivilegeModel));
+ assertTrue(indexer2.implies(indexer2, indexerPrivilegeModel));
+ assertTrue(indexer1.implies(indexer1Case, indexerPrivilegeModel));
+ assertTrue(indexer1Case.implies(indexer1, indexerPrivilegeModel));
+
+ assertFalse(indexer1.implies(indexer2, indexerPrivilegeModel));
+ assertFalse(indexer1Case.implies(indexer2, indexerPrivilegeModel));
+ assertFalse(indexer2.implies(indexer1, indexerPrivilegeModel));
+ assertFalse(indexer2.implies(indexer1Case, indexerPrivilegeModel));
+ }
+
+ @Test
+ public void testSimpleAction() throws Exception {
+ CommonPrivilege read =
+ create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read"));
+ CommonPrivilege write =
+ create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write"));
+ CommonPrivilege readCase =
+ create(new KeyValue("indeXeR", "iNd1"), new KeyValue("AcTiOn", "ReAd"));
+
+ assertTrue(read.implies(read, indexerPrivilegeModel));
+ assertTrue(write.implies(write, indexerPrivilegeModel));
+ assertTrue(read.implies(readCase, indexerPrivilegeModel));
+ assertTrue(readCase.implies(read, indexerPrivilegeModel));
+
+ assertFalse(read.implies(write, indexerPrivilegeModel));
+ assertFalse(readCase.implies(write, indexerPrivilegeModel));
+ assertFalse(write.implies(read, indexerPrivilegeModel));
+ assertFalse(write.implies(readCase, indexerPrivilegeModel));
+ }
+
+ @Test
+ public void testRoleShorterThanRequest() throws Exception {
+ CommonPrivilege indexer1 = create(new KeyValue("indexer", "ind1"));
+ CommonPrivilege read =
+ create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read"));
+ CommonPrivilege write =
+ create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write"));
+ CommonPrivilege all =
+ create(new KeyValue("indexer", "ind1"), new KeyValue("action", ALL));
+
+ assertTrue(indexer1.implies(read, indexerPrivilegeModel));
+ assertTrue(indexer1.implies(write, indexerPrivilegeModel));
+ assertTrue(indexer1.implies(all, indexerPrivilegeModel));
+
+ assertFalse(read.implies(indexer1, indexerPrivilegeModel));
+ assertFalse(write.implies(indexer1, indexerPrivilegeModel));
+ assertTrue(all.implies(indexer1, indexerPrivilegeModel));
+ }
+
+ @Test
+ public void testIndexerAll() throws Exception {
+ CommonPrivilege indexerAll = create(new KeyValue("indexer", ALL));
+ CommonPrivilege indexer1 = create(new KeyValue("indexer", "ind1"));
+ assertTrue(indexerAll.implies(indexer1, indexerPrivilegeModel));
+ assertTrue(indexer1.implies(indexerAll, indexerPrivilegeModel));
+
+ CommonPrivilege allWrite =
+ create(new KeyValue("indexer", ALL), new KeyValue("action", "write"));
+ CommonPrivilege allRead =
+ create(new KeyValue("indexer", ALL), new KeyValue("action", "read"));
+ CommonPrivilege ind1Write =
+ create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write"));
+ CommonPrivilege ind1Read =
+ create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read"));
+ assertTrue(allWrite.implies(ind1Write, indexerPrivilegeModel));
+ assertTrue(allRead.implies(ind1Read, indexerPrivilegeModel));
+ assertTrue(ind1Write.implies(allWrite, indexerPrivilegeModel));
+ assertTrue(ind1Read.implies(allRead, indexerPrivilegeModel));
+ assertFalse(allWrite.implies(ind1Read, indexerPrivilegeModel));
+ assertFalse(ind1Write.implies(ind1Read, indexerPrivilegeModel));
+ assertFalse(allRead.implies(ind1Write, indexerPrivilegeModel));
+ assertFalse(ind1Read.implies(allWrite, indexerPrivilegeModel));
+ assertFalse(allWrite.implies(allRead, indexerPrivilegeModel));
+ assertFalse(allRead.implies(allWrite, indexerPrivilegeModel));
+ assertFalse(ind1Write.implies(ind1Read, indexerPrivilegeModel));
+ assertFalse(ind1Read.implies(ind1Write, indexerPrivilegeModel));
+
+ // test different length paths
+ assertTrue(indexerAll.implies(allWrite, indexerPrivilegeModel));
+ assertTrue(indexerAll.implies(allRead, indexerPrivilegeModel));
+ assertTrue(indexerAll.implies(ind1Write, indexerPrivilegeModel));
+ assertTrue(indexerAll.implies(ind1Read, indexerPrivilegeModel));
+ assertFalse(allWrite.implies(indexerAll, indexerPrivilegeModel));
+ assertFalse(allRead.implies(indexerAll, indexerPrivilegeModel));
+ assertFalse(ind1Write.implies(indexerAll, indexerPrivilegeModel));
+ assertFalse(ind1Read.implies(indexerAll, indexerPrivilegeModel));
+ }
+
+ @Test
+ public void testActionAll() throws Exception {
+ CommonPrivilege ind1All =
+ create(new KeyValue("indexer", "index1"), new KeyValue("action", ALL));
+ CommonPrivilege ind1Write =
+ create(new KeyValue("indexer", "index1"), new KeyValue("action", "write"));
+ CommonPrivilege ind1Read =
+ create(new KeyValue("indexer", "index1"), new KeyValue("action", "read"));
+ assertTrue(ind1All.implies(ind1All, indexerPrivilegeModel));
+ assertTrue(ind1All.implies(ind1Write, indexerPrivilegeModel));
+ assertTrue(ind1All.implies(ind1Read, indexerPrivilegeModel));
+ assertFalse(ind1Write.implies(ind1All, indexerPrivilegeModel));
+ assertFalse(ind1Read.implies(ind1All, indexerPrivilegeModel));
+
+ // test different lengths
+ CommonPrivilege ind1 =
+ create(new KeyValue("indexer", "index1"));
+ assertTrue(ind1All.implies(ind1, indexerPrivilegeModel));
+ assertTrue(ind1.implies(ind1All, indexerPrivilegeModel));
+ }
+
+ @Test
+ public void testUnexpected() throws Exception {
+ Privilege p = new Privilege() {
+ @Override
+ public boolean implies(Privilege p) {
+ return false;
+ }
+ };
+ CommonPrivilege indexer1 = create(new KeyValue("indexer", "index1"));
+ assertFalse(indexer1.implies(null));
+ assertFalse(indexer1.implies(p));
+ assertFalse(indexer1.equals(null));
+ assertFalse(indexer1.equals(p));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testNullString() throws Exception {
+ System.out.println(create((String)null));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyString() throws Exception {
+ System.out.println(create(""));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyKey() throws Exception {
+ System.out.println(create(KV_JOINER.join("indexer", "")));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyValue() throws Exception {
+ System.out.println(create(KV_JOINER.join("", "index1")));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testEmptyPart() throws Exception {
+ System.out.println(create(AUTHORIZABLE_JOINER.
+ join(KV_JOINER.join("indexer11", "index1"), "")));
+ }
+
+ @Test(expected=IllegalArgumentException.class)
+ public void testOnlySeperators() throws Exception {
+ System.out.println(create(AUTHORIZABLE_JOINER.
+ join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
+ }
+
+ static CommonPrivilege create(KeyValue... keyValues) {
+ return create(AUTHORIZABLE_JOINER.join(keyValues));
+ }
+
+ static CommonPrivilege create(String s) {
+ return new CommonPrivilege(s);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/6c248e46/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerWildcardPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerWildcardPrivilege.java b/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerWildcardPrivilege.java
deleted file mode 100644
index 3ecde2d..0000000
--- a/sentry-policy/sentry-policy-indexer/src/test/java/org/apache/sentry/policy/indexer/TestIndexerWildcardPrivilege.java
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.indexer;
-import static junit.framework.Assert.assertFalse;
-import static junit.framework.Assert.assertTrue;
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
-
-import org.apache.sentry.core.model.indexer.IndexerConstants;
-import org.apache.sentry.policy.common.Privilege;
-import org.apache.sentry.core.common.utils.KeyValue;
-import org.junit.Test;
-
-public class TestIndexerWildcardPrivilege {
-
- private static final String ALL = IndexerConstants.ALL;
-
- @Test
- public void testSimpleNoAction() throws Exception {
- Privilege indexer1 = create(new KeyValue("indexer", "ind1"));
- Privilege indexer2 = create(new KeyValue("indexer", "ind2"));
- Privilege indexer1Case = create(new KeyValue("indeXeR", "inD1"));
-
- assertTrue(indexer1.implies(indexer1));
- assertTrue(indexer2.implies(indexer2));
- assertTrue(indexer1.implies(indexer1Case));
- assertTrue(indexer1Case.implies(indexer1));
-
- assertFalse(indexer1.implies(indexer2));
- assertFalse(indexer1Case.implies(indexer2));
- assertFalse(indexer2.implies(indexer1));
- assertFalse(indexer2.implies(indexer1Case));
- }
-
- @Test
- public void testSimpleAction() throws Exception {
- Privilege read =
- create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read"));
- Privilege write =
- create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write"));
- Privilege readCase =
- create(new KeyValue("indeXeR", "iNd1"), new KeyValue("AcTiOn", "ReAd"));
-
- assertTrue(read.implies(read));
- assertTrue(write.implies(write));
- assertTrue(read.implies(readCase));
- assertTrue(readCase.implies(read));
-
- assertFalse(read.implies(write));
- assertFalse(readCase.implies(write));
- assertFalse(write.implies(read));
- assertFalse(write.implies(readCase));
- }
-
- @Test
- public void testRoleShorterThanRequest() throws Exception {
- Privilege indexer1 = create(new KeyValue("indexer", "ind1"));
- Privilege read =
- create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read"));
- Privilege write =
- create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write"));
- Privilege all =
- create(new KeyValue("indexer", "ind1"), new KeyValue("action", ALL));
-
- assertTrue(indexer1.implies(read));
- assertTrue(indexer1.implies(write));
- assertTrue(indexer1.implies(all));
-
- assertFalse(read.implies(indexer1));
- assertFalse(write.implies(indexer1));
- assertTrue(all.implies(indexer1));
- }
-
- @Test
- public void testIndexerAll() throws Exception {
- Privilege indexerAll = create(new KeyValue("indexer", ALL));
- Privilege indexer1 = create(new KeyValue("indexer", "ind1"));
- assertTrue(indexerAll.implies(indexer1));
- assertTrue(indexer1.implies(indexerAll));
-
- Privilege allWrite =
- create(new KeyValue("indexer", ALL), new KeyValue("action", "write"));
- Privilege allRead =
- create(new KeyValue("indexer", ALL), new KeyValue("action", "read"));
- Privilege ind1Write =
- create(new KeyValue("indexer", "ind1"), new KeyValue("action", "write"));
- Privilege ind1Read =
- create(new KeyValue("indexer", "ind1"), new KeyValue("action", "read"));
- assertTrue(allWrite.implies(ind1Write));
- assertTrue(allRead.implies(ind1Read));
- assertTrue(ind1Write.implies(allWrite));
- assertTrue(ind1Read.implies(allRead));
- assertFalse(allWrite.implies(ind1Read));
- assertFalse(ind1Write.implies(ind1Read));
- assertFalse(allRead.implies(ind1Write));
- assertFalse(ind1Read.implies(allWrite));
- assertFalse(allWrite.implies(allRead));
- assertFalse(allRead.implies(allWrite));
- assertFalse(ind1Write.implies(ind1Read));
- assertFalse(ind1Read.implies(ind1Write));
-
- // test different length paths
- assertTrue(indexerAll.implies(allWrite));
- assertTrue(indexerAll.implies(allRead));
- assertTrue(indexerAll.implies(ind1Write));
- assertTrue(indexerAll.implies(ind1Read));
- assertFalse(allWrite.implies(indexerAll));
- assertFalse(allRead.implies(indexerAll));
- assertFalse(ind1Write.implies(indexerAll));
- assertFalse(ind1Read.implies(indexerAll));
- }
-
- @Test
- public void testActionAll() throws Exception {
- Privilege ind1All =
- create(new KeyValue("indexer", "index1"), new KeyValue("action", ALL));
- Privilege ind1Write =
- create(new KeyValue("indexer", "index1"), new KeyValue("action", "write"));
- Privilege ind1Read =
- create(new KeyValue("indexer", "index1"), new KeyValue("action", "read"));
- assertTrue(ind1All.implies(ind1All));
- assertTrue(ind1All.implies(ind1Write));
- assertTrue(ind1All.implies(ind1Read));
- assertFalse(ind1Write.implies(ind1All));
- assertFalse(ind1Read.implies(ind1All));
-
- // test different lengths
- Privilege ind1 =
- create(new KeyValue("indexer", "index1"));
- assertTrue(ind1All.implies(ind1));
- assertTrue(ind1.implies(ind1All));
- }
-
- @Test
- public void testUnexpected() throws Exception {
- Privilege p = new Privilege() {
- @Override
- public boolean implies(Privilege p) {
- return false;
- }
- };
- Privilege indexer1 = create(new KeyValue("indexer", "index1"));
- assertFalse(indexer1.implies(null));
- assertFalse(indexer1.implies(p));
- assertFalse(indexer1.equals(null));
- assertFalse(indexer1.equals(p));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testNullString() throws Exception {
- System.out.println(create((String)null));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyString() throws Exception {
- System.out.println(create(""));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyKey() throws Exception {
- System.out.println(create(KV_JOINER.join("indexer", "")));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyValue() throws Exception {
- System.out.println(create(KV_JOINER.join("", "index1")));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testEmptyPart() throws Exception {
- System.out.println(create(AUTHORIZABLE_JOINER.
- join(KV_JOINER.join("indexer11", "index1"), "")));
- }
-
- @Test(expected=IllegalArgumentException.class)
- public void testOnlySeperators() throws Exception {
- System.out.println(create(AUTHORIZABLE_JOINER.
- join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
- }
-
- static IndexerWildcardPrivilege create(KeyValue... keyValues) {
- return create(AUTHORIZABLE_JOINER.join(keyValues));
-
- }
- static IndexerWildcardPrivilege create(String s) {
- return new IndexerWildcardPrivilege(s);
- }
-}