You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by co...@apache.org on 2016/06/24 06:00:53 UTC
[24/44] sentry git commit: SENTRY-1287: Create sentry-service-server
module(Colin Ma, reviewed by Dapeng Sun)
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
deleted file mode 100644
index a05521f..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ /dev/null
@@ -1,1102 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless createRequired by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.service.thrift;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.TreeMap;
-
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.Test;
-
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Sets;
-
-
-public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
-
- @Test
- public void testCreateDropShowRole() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_r";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
-
- client.createRole(requestorUserName, roleName);
-
- Set<TSentryRole> roles = client.listRoles(requestorUserName);
- assertEquals("Incorrect number of roles", 1, roles.size());
-
- for (TSentryRole role:roles) {
- assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
- }
- client.dropRole(requestorUserName, roleName);
- }});
- }
-
- @Test
- public void testGranRevokePrivilegeOnTableForRole() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
-
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
-
-
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
-
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertEquals("Privilege not assigned to role1 !!", 4, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertEquals("Privilege not assigned to role2 !!", 4, listPrivilegesByRoleName.size());
-
-
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
-
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
-
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
-
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
- }});
- }
-
- @Test
- public void testAddDeleteRolesForUser() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
-
- // user1->group1
- // user2->group1
- // user3->group1, group2
- // user4->group2, group3
- // group1->r1
- // group2->r2
- // group3->r2
- // user2->r3
- // user4->r3
- String roleName1 = "r1";
- String roleName2 = "r2";
- String roleName3 = "r3";
- String user1 = "u1";
- String user2 = "u2";
- String user3 = "u3";
- String user4 = "u4";
- String group1 = "g1";
- String group2 = "g2";
- String group3 = "g3";
- Map<String, Set<String>> userToGroups = Maps.newHashMap();
- userToGroups.put(user1, Sets.newHashSet(group1));
- userToGroups.put(user2, Sets.newHashSet(group1));
- userToGroups.put(user3, Sets.newHashSet(group1, group2));
- userToGroups.put(user4, Sets.newHashSet(group2, group3));
-
- setLocalGroupMapping(user1, Sets.newHashSet(group1));
- setLocalGroupMapping(user2, Sets.newHashSet(group1));
- setLocalGroupMapping(user3, Sets.newHashSet(group1, group2));
- setLocalGroupMapping(user4, Sets.newHashSet(group2, group3));
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.dropRoleIfExists(requestorUserName, roleName3);
- client.createRole(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName3);
-
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
- client.grantRoleToUser(requestorUserName, user2, roleName2);
- client.grantRoleToUser(requestorUserName, user3, roleName2);
- client.grantRoleToUser(requestorUserName, user2, roleName3);
- client.grantRoleToUsers(requestorUserName, roleName3, Sets.newHashSet(user4));
- // following test cases also test the grantRoleToUser() and grantRoleToUsers() implicity
- // admin always can get the role list
- Set<TSentryRole> roles = client.listRolesByUserName(requestorUserName, user1);
- assertEquals(0, roles.size());
- // the role list includes the role for user and the role for user's group
- roles = client.listRolesByUserName(requestorUserName, user2);
- assertEquals(2, roles.size());
- for (TSentryRole role : roles) {
- assertTrue(roleName2.equals(role.getRoleName()) || roleName3.equals(role.getRoleName()));
- }
- // user has 2 groups whose role list are different
- roles = client.listRolesByUserName(requestorUserName, user3);
- assertEquals(1, roles.size());
- for (TSentryRole role : roles) {
- assertTrue(roleName2.equals(role.getRoleName()));
- }
- // user has 2 groups whose role list are the same
- roles = client.listRolesByUserName(requestorUserName, user4);
- assertEquals(1, roles.size());
- for (TSentryRole role : roles) {
- assertTrue(roleName3.equals(role.getRoleName()));
- }
- // user can get his own role list if he isn't an admin
- roles = client.listRolesByUserName(user3, user3);
- assertEquals(1, roles.size());
- // user can't get other's role list if he isn't an admin
- try {
- client.listRolesByUserName(user3, user2);
- fail("SentryAccessDeniedException should be caught.");
- } catch (SentryAccessDeniedException e) {
- // excepted exception
- }
- // the user's name can't be empty
- try {
- client.listRolesByUserName(user3, "");
- fail("SentryAccessDeniedException should be caught.");
- } catch (SentryAccessDeniedException e) {
- // excepted exception
- }
- client.revokeRoleFromUser(requestorUserName, user2, roleName3);
- client.revokeRoleFromUsers(requestorUserName, roleName3, Sets.newHashSet(user4));
- // test the result of revokeRoleFromUser() and revokeRoleFromUsers()
- roles = client.listRolesByUserName(requestorUserName, user2);
- assertEquals(1, roles.size());
- for (TSentryRole role : roles) {
- assertTrue(roleName2.equals(role.getRoleName()));
- }
- roles = client.listRolesByUserName(requestorUserName, user4);
- assertEquals(0, roles.size());
- }
- });
- }
-
- @Test
- public void testGranRevokePrivilegeForRoleWithUG() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
-
- // user1_1->group1
- // user1_2->group1
- // user2_1->group2
- // user2_2->group2
- // group1->r1
- // group2->r2
- // user1_1->r3
- // user2_1->r4
- String roleName1 = "r1";
- String roleName2 = "r2";
- String roleName3 = "r3";
- String roleName4 = "r4";
- String user1_1 = "u1_1";
- String user1_2 = "u1_2";
- String user2_1 = "u2_1";
- String user2_2 = "u2_2";
- String group1 = "g1";
- String group2 = "g2";
- Map<String, String> userToGroup = Maps.newHashMap();
- userToGroup.put(user1_1, group1);
- userToGroup.put(user1_2, group1);
- userToGroup.put(user2_1, group2);
- userToGroup.put(user2_2, user2_1);
-
- Set<String> groupSet = Sets.newHashSet(group1);
- setLocalGroupMapping(user1_1, groupSet);
- setLocalGroupMapping(user1_2, groupSet);
- groupSet = Sets.newHashSet(group2);
- setLocalGroupMapping(user2_1, groupSet);
- setLocalGroupMapping(user2_2, groupSet);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.dropRoleIfExists(requestorUserName, roleName3);
- client.dropRoleIfExists(requestorUserName, roleName4);
- client.createRole(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName3);
- client.createRole(requestorUserName, roleName4);
-
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
- client.grantRoleToGroup(requestorUserName, group2, roleName2);
- client.grantRoleToUser(requestorUserName, user1_1, roleName3);
- client.grantRoleToUsers(requestorUserName, roleName4, Sets.newHashSet(user2_1));
-
- client
- .grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1_1", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1_2", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2_1", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2_2", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName3, "server", "db1", "table3_1", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName3, "server", "db1", "table3_2", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName4, "server", "db1", "table4_1", "ALL");
- client
- .grantTablePrivilege(requestorUserName, roleName4, "server", "db1", "table4_2", "ALL");
-
- Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(
- Sets.newHashSet(group1), Sets.newHashSet(""), ActiveRoleSet.ALL, (Authorizable[]) null);
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
- "server=server->db=db1->table=table1_1->action=all",
- "server=server->db=db1->table=table1_2->action=all"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(
- Sets.newHashSet(userToGroup.get(user1_2)),
- Sets.newHashSet(user1_2), ActiveRoleSet.ALL, (Authorizable[]) null);
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
- "server=server->db=db1->table=table1_1->action=all",
- "server=server->db=db1->table=table1_2->action=all"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(
- Sets.newHashSet(userToGroup.get(user1_1)),
- Sets.newHashSet(user1_1), ActiveRoleSet.ALL, (Authorizable[]) null);
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
- "server=server->db=db1->table=table1_1->action=all",
- "server=server->db=db1->table=table1_2->action=all",
- "server=server->db=db1->table=table3_1->action=all",
- "server=server->db=db1->table=table3_2->action=all"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1),
- Sets.newHashSet(user1_1, user1_2), ActiveRoleSet.ALL, (Authorizable[]) null);
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
- "server=server->db=db1->table=table1_1->action=all",
- "server=server->db=db1->table=table1_2->action=all",
- "server=server->db=db1->table=table3_1->action=all",
- "server=server->db=db1->table=table3_2->action=all"), listPrivilegesForProvider);
-
- listPrivilegesForProvider = client.listPrivilegesForProvider(
- Sets.newHashSet(group1, group2), Sets.newHashSet(user1_1, user1_2, user2_1, user2_2),
- ActiveRoleSet.ALL, (Authorizable[]) null);
- assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet(
- "server=server->db=db1->table=table1_1->action=all",
- "server=server->db=db1->table=table1_2->action=all",
- "server=server->db=db1->table=table2_1->action=all",
- "server=server->db=db1->table=table2_2->action=all",
- "server=server->db=db1->table=table3_1->action=all",
- "server=server->db=db1->table=table3_2->action=all",
- "server=server->db=db1->table=table4_1->action=all",
- "server=server->db=db1->table=table4_2->action=all"), listPrivilegesForProvider);
-
- client.revokeRoleFromUser(requestorUserName, user1_1, roleName3);
- client.revokeRoleFromUsers(requestorUserName, roleName4, Sets.newHashSet(user2_1));
- }
- });
- }
-
- @Test
- public void testMultipleRolesSamePrivilege() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
-
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL");
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
-
- client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
- }});
- }
-
- @Test
- public void testShowRoleGrant() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_testdb";
- String groupName = "group1";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- Set<TSentryRole> roles = client.listRoles(requestorUserName);
- assertEquals("Incorrect number of roles", 1, roles.size());
-
- client.grantRoleToGroup(requestorUserName, groupName, roleName);
- Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName);
- assertTrue(groupRoles.size() == 1);
- for (TSentryRole role:groupRoles) {
- assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
- assertTrue(role.getGroups().size() == 1);
- for (TSentryGroup group :role.getGroups()) {
- assertTrue(group.getGroupName(), group.getGroupName().equalsIgnoreCase(groupName));
- }
- }
-
- client.dropRole(requestorUserName, roleName);
- }});
- }
-
- @Test
- public void testShowGrant() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_testdb";
- String server = "server1";
- String db = "testDB";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- Set<TSentryRole> roles = client.listRoles(requestorUserName);
- assertEquals("Incorrect number of roles", 1, roles.size());
-
- client.grantDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
- Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
- assertTrue(privileges.size() == 1);
-
- client.revokeDatabasePrivilege(requestorUserName, roleName, server, db, AccessConstants.ALL);
- client.dropRole(requestorUserName, roleName);
- }});
- }
-
- //See SENTRY-166
- @Test
- public void testUriWithEquals() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName = "admin_testdb";
- String server = "server1";
- String uri = "file://u/w/h/t/partition=value/";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- // Creating associated role
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
- Set<TSentryRole> roles = client.listRoles(requestorUserName);
- assertEquals("Incorrect number of roles", 1, roles.size());
-
- client.grantURIPrivilege(requestorUserName, roleName, server, uri);
- Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
- assertTrue(privileges.size() == 1);
-
- // Revoking the same privilege
- client.revokeURIPrivilege(requestorUserName, roleName, server, uri);
- privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
- assertTrue(privileges.size() == 0);
-
- // Clean up
- client.dropRole(requestorUserName, roleName);
- }});
- }
-
-
- //See SENTRY-181
- @Test
- public void testSameGrantTwice() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
-
- client.createRole(requestorUserName, roleName);
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL");
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL");
- assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
- }});
- }
-
- @Test
- public void testGrantRevokeWithGrantOption() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- // Grant a privilege with Grant Option
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
- boolean grantOption = true;
- boolean withoutGrantOption = false;
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
- assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
- // Try to revoke the privilege without grantOption and can't revoke the privilege.
- client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption);
- assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
- // Try to revoke the privilege with grantOption, the privilege will be revoked.
- client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
- assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
- }});
- }
-
- @Test
- public void testGrantTwoPrivilegeDiffInGrantOption() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- // Grant a privilege with 'Grant Option'.
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName = "admin_r1";
- boolean grantOption = true;
- boolean withoutGrantOption = false;
-
- client.dropRoleIfExists(requestorUserName, roleName);
- client.createRole(requestorUserName, roleName);
-
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", grantOption);
- assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
- // Grant a privilege without 'Grant Option'.
- client.grantTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", withoutGrantOption);
- assertEquals(2, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
-
- // Use 'grantOption = null', the two privileges will be revoked.
- client.revokeTablePrivilege(requestorUserName, roleName, "server", "db1", "table1", "ALL", null);
- assertEquals(0, client.listAllPrivilegesByRoleName(requestorUserName, roleName).size());
- }});
- }
-
- @Test
- public void testGranRevokePrivilegeOnColumnForRole() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
- String roleName1 = "admin_r1";
- String roleName2 = "admin_r2";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
-
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col2", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table2", "col2", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL");
-
-
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table1", "col2", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL");
- client.grantColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL");
-
- Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertEquals("Privilege not assigned to role1 !!", 6, listPrivilegesByRoleName.size());
-
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertEquals("Privilege not assigned to role2 !!", 6, listPrivilegesByRoleName.size());
-
-
- client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db1", "table1", "col1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 6);
-
- client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 5);
-
- client.revokeDatabasePrivilege(requestorUserName, roleName1, "server", "db1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 2);
- client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table1", "col1", "ALL");
- client.revokeColumnPrivilege(requestorUserName, roleName1, "server", "db2", "table2", "col1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
-
- client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col1", "ALL");
- client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db1", "table2", "col2", "ALL");
- client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table1", "col1", "ALL");
- client.revokeColumnPrivilege(requestorUserName, roleName2, "server", "db2", "table2", "col1", "ALL");
- listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
- assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
- }});
- }
-
- @Test
- public void testListByAuthDB() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName1 = "role1";
- String roleName2 = "role2";
- Set<String> testRoleSet = Sets.newHashSet(roleName1, roleName2);
- String group1 = "group1";
- String group2 = "group2";
- Set<String> testGroupSet = Sets.newHashSet(group1, group2);
- String server = "server1";
- String db = "testDB";
- String db2 = "testDB2";
- String tab = "testTab";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- String group1user = "group1user";
- setLocalGroupMapping(group1user, Sets.newHashSet(group1));
- String group2user = "group2user";
- setLocalGroupMapping(group2user, Sets.newHashSet(group2));
- setLocalGroupMapping("random", Sets.newHashSet("foo"));
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- TSentryPrivilege role1db1 = client.grantDatabasePrivilege(
- requestorUserName, roleName1, server, db, AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
- AccessConstants.ALL);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab,
- AccessConstants.SELECT);
- client.grantURIPrivilege(requestorUserName, roleName1, server, "hdfs:///fooUri");
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
-
- TSentryPrivilege role2db1 = client.grantDatabasePrivilege(
- requestorUserName, roleName2, server, db,
- AccessConstants.ALL);
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
- AccessConstants.ALL);
- client.grantRoleToGroup(requestorUserName, group2, roleName2);
-
- // build expected output
- TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
- new TreeMap<String, Set<TSentryPrivilege>>());
- db1RoleToPrivMap.getPrivilegeMap()
- .put(roleName1, Sets.newHashSet(role1db1));
- db1RoleToPrivMap.getPrivilegeMap()
- .put(roleName2, Sets.newHashSet(role2db1));
- Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
- .newTreeMap();
- List<? extends Authorizable> db1Authrizable = Lists.newArrayList(
- new Server(server), new Database(db));
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable),
- db1RoleToPrivMap);
-
- Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
- authorizableSet.add(db1Authrizable);
-
- // verify for null group and null roleset
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
- .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
- assertEquals(expectedResults, authPrivMap);
-
- // verify for null group and specific roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
- null, new ActiveRoleSet(testRoleSet));
- assertEquals(expectedResults, authPrivMap);
-
- // verify for null group and specific roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null,
- ActiveRoleSet.ALL);
- assertEquals(expectedResults, authPrivMap);
-
- // verify for specific group and null roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
- testGroupSet, null);
- assertEquals(expectedResults, authPrivMap);
-
- // verify for specific group and specific roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
- testGroupSet, new ActiveRoleSet(testRoleSet));
- assertEquals(expectedResults, authPrivMap);
-
- // verify for specific group and ALL roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(requestorUserName, authorizableSet,
- testGroupSet, ActiveRoleSet.ALL);
- assertEquals(expectedResults, authPrivMap);
-
- // verify users not belonging to any group are not shown anything
- authPrivMap = client
- .listPrivilegsbyAuthorizable("random", authorizableSet,
- new HashSet<String>(), ActiveRoleSet.ALL);
- expectedResults.clear();
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db1Authrizable),
- new TSentryPrivilegeMap(new HashMap<String, Set<TSentryPrivilege>>()));
- assertEquals(expectedResults, authPrivMap);
- }});
- }
-
- @Test
- public void testListByAuthTab() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName1 = "role1";
- String roleName2 = "role2";
- String server = "server1";
- String db = "testDB";
- String db2 = "testDB2";
- String tab = "testTab";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantDatabasePrivilege(
- requestorUserName, roleName1, server, db, AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
- AccessConstants.ALL);
- TSentryPrivilege role1db2tab = client.grantTablePrivilege(
- requestorUserName, roleName1, server, db2, tab,
- AccessConstants.SELECT);
-
- client.grantDatabasePrivilege(
- requestorUserName, roleName2, server, db,
- AccessConstants.ALL);
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
- AccessConstants.SELECT);
- TSentryPrivilege role2db2tab = client.grantTablePrivilege(
- requestorUserName, roleName2, server, db2, tab,
- AccessConstants.ALL);
- client.grantURIPrivilege(requestorUserName, roleName1, server,
- "hdfs:///fooUri");
-
- // build expected output
- TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
- new TreeMap<String, Set<TSentryPrivilege>>());
- db1RoleToPrivMap.getPrivilegeMap().put(roleName1,
- Sets.newHashSet(role1db2tab));
- db1RoleToPrivMap.getPrivilegeMap().put(roleName2,
- Sets.newHashSet(role2db2tab));
- Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
- .newTreeMap();
- List<? extends Authorizable> db2TabAuthrizable = Lists.newArrayList(
- new Server(server), new Database(db2), new Table(tab));
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthrizable),
- db1RoleToPrivMap);
-
- Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
- authorizableSet.add(db2TabAuthrizable);
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
- .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
-
- assertEquals(expectedResults, authPrivMap);
- }});
- }
-
- @Test
- public void testListByAuthUri() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- String roleName1 = "role1";
- String roleName2 = "role2";
- String server = "server1";
- String db = "testDB";
- String db2 = "testDB2";
- String tab = "testTab";
- String uri1 = "hdfs:///fooUri";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantDatabasePrivilege(requestorUserName, roleName1, server, db,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
- AccessConstants.ALL);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db2, tab,
- AccessConstants.SELECT);
- TSentryPrivilege role1uri1 = client.grantURIPrivilege(requestorUserName,
- roleName1, server, uri1);
-
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db,
- AccessConstants.ALL);
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
- AccessConstants.ALL);
- TSentryPrivilege role2uri2 = client.grantURIPrivilege(requestorUserName,
- roleName2, server, uri1);
-
- // build expected output
- TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
- new TreeMap<String, Set<TSentryPrivilege>>());
- db1RoleToPrivMap.getPrivilegeMap().put(roleName1,
- Sets.newHashSet(role1uri1));
- db1RoleToPrivMap.getPrivilegeMap().put(roleName2,
- Sets.newHashSet(role2uri2));
- Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps
- .newTreeMap();
- List<? extends Authorizable> uri1Authrizable = Lists.newArrayList(
- new Server(server), new AccessURI(uri1));
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(uri1Authrizable),
- db1RoleToPrivMap);
-
- Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
- authorizableSet.add(uri1Authrizable);
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
- .listPrivilegsbyAuthorizable(requestorUserName, authorizableSet, null, null);
-
- assertEquals(expectedResults, authPrivMap);
- }});
- }
-
- /**
- * List privileges by authorizables executed by non-admin user
- * Test various positive and negative cases for non-admin user
- * @throws Exception
- */
- @Test
- public void testListByAuthTabForNonAdmin() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- String user1 = "user1";
- String group1 = "group1";
- String group2 = "group2";
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- Set<String> userGroupNames1 = Sets.newHashSet(group1);
- Set<String> userGroupNames2 = Sets.newHashSet(group2);
- String roleName1 = "role1";
- String roleName2 = "role2";
- String server = "server1";
- String db = "testDB";
- String db2 = "testDB2";
- String tab = "testTab";
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- setLocalGroupMapping(user1, userGroupNames1);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.dropRoleIfExists(requestorUserName, roleName2);
- client.createRole(requestorUserName, roleName2);
-
- client.grantDatabasePrivilege(requestorUserName, roleName1, server, db,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName1, server, db, tab,
- AccessConstants.ALL);
- TSentryPrivilege role1db2tab = client.grantTablePrivilege(
- requestorUserName, roleName1, server, db2, tab, AccessConstants.SELECT);
- client.grantRoleToGroup(requestorUserName, group1, roleName1);
-
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db,
- AccessConstants.ALL);
- client.grantDatabasePrivilege(requestorUserName, roleName2, server, db2,
- AccessConstants.SELECT);
- client.grantTablePrivilege(requestorUserName, roleName2, server, db2, tab,
- AccessConstants.ALL);
- client.grantURIPrivilege(requestorUserName, roleName1, server,
- "hdfs:///fooUri");
-
- // build expected output. user1 should see privileges on tab1 from role1
- TSentryPrivilegeMap db1RoleToPrivMap = new TSentryPrivilegeMap(
- new TreeMap<String, Set<TSentryPrivilege>>());
- db1RoleToPrivMap.getPrivilegeMap().put(roleName1, Sets.newHashSet(role1db2tab));
- Map<TSentryAuthorizable, TSentryPrivilegeMap> expectedResults = Maps.newTreeMap();
- List<? extends Authorizable> db2TabAuthorizable = Lists.newArrayList(
- new Server(server), new Database(db2), new Table(tab));
- expectedResults.put(
- SentryPolicyServiceClientDefaultImpl.setupSentryAuthorizable(db2TabAuthorizable),
- db1RoleToPrivMap);
-
- Set<List<? extends Authorizable>> authorizableSet = Sets.newHashSet();
- authorizableSet.add(db2TabAuthorizable);
-
- // list privileges with null group and roles
- Map<TSentryAuthorizable, TSentryPrivilegeMap> authPrivMap = client
- .listPrivilegsbyAuthorizable(user1, authorizableSet, null, null);
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with empty group set and null roles
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- new HashSet<String>(), null);
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with null group set and ALL roleset
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- null, new ActiveRoleSet(true));
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with user1's group set and null roles
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- userGroupNames1, null);
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with user1's group set and ALL roles
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- userGroupNames1, new ActiveRoleSet(true));
- assertEquals(expectedResults, authPrivMap);
-
- // list privileges with null group and user's specific roles with uppercase name
- authPrivMap = client.listPrivilegsbyAuthorizable(user1, authorizableSet,
- null, new ActiveRoleSet(Sets.newHashSet(roleName1.toUpperCase())));
- assertEquals(expectedResults, authPrivMap);
-
- // verify that user1 can't query group2
- try {
- client.listPrivilegsbyAuthorizable(user1, authorizableSet, userGroupNames2, null);
- fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + group2);
- } catch (SentryAccessDeniedException e) {
- // expected
- }
-
- // verify that user1 can't query role2
- ActiveRoleSet roleSet2 = new ActiveRoleSet(Sets.newHashSet(roleName2));
- try {
- client.listPrivilegsbyAuthorizable(user1, authorizableSet, null, roleSet2);
- fail("listPrivilegsbyAuthorizable() should fail for user1 accessing " + roleName2);
- } catch (SentryAccessDeniedException e) {
- // expected
- }
- }});
- }
-
- /**
- * Attempt to access a configuration value that is forbidden in getConfigVal
- * @param configVal The banned value
- * @param defaultVal A default to pass to getConfigValue
- * @throws Exception
- */
- private void checkBannedConfigVal(final String configVal, final String defaultVal)
- throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- try {
- client.getConfigValue(configVal, defaultVal);
- fail("Attempt to access " + configVal + " succeeded");
- } catch (SentryAccessDeniedException e) {
- assertTrue(e.toString().contains("was denied"));
- assertTrue(e.toString().contains(configVal));
- }
- }});
- }
-
- @Test
- public void testGetConfigVal() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- String val;
-
- // Basic success case
- val = client.getConfigValue("sentry.service.admin.group", "xxx");
- assertEquals(val, "admin_group");
-
- // Undefined value gets the default back
- val = client.getConfigValue("sentry.this.is.not.defined", "hello");
- assertEquals(val, "hello");
-
- // Undefined value and null default gets null back
- val = client.getConfigValue("sentry.this.is.not.defined", null);
- assertEquals(val, null);
-
- // Known config value with null default works as expected
- val = client.getConfigValue("sentry.service.admin.group", null);
- assertEquals(val, "admin_group");
-
- // Value that is forbidden (anything not starting with "sentry") dies
- checkBannedConfigVal("notsentry", "xxx");
-
- // Ditto with a null default
- checkBannedConfigVal("notsentry", null);
-
- // Values with .jdbc. are forbidden
- checkBannedConfigVal("sentry.xxx.jdbc.xxx", null);
-
- // Values with password are forbidden
- checkBannedConfigVal("sentry.xxx.password", null);
-
- // Attempt to get the location of the keytab also fails
- checkBannedConfigVal("sentry.service.server.keytab", null);
-
- }});
- }
-
- /* SENTRY-841 */
- @Test
- public void testGranRevokePrivilegeOnServerForRole() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- String roleName1 = "admin_r1";
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
-
- client.grantServerPrivilege(requestorUserName, roleName1, "server", false);
-
- Set<TSentryPrivilege> listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege should be all:",listPrivs.iterator().next().getAction().equals("*"));
-
- client.revokeServerPrivilege(requestorUserName, roleName1, "server", false);
- listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivs.size() == 0);
-
- }});
- }
-
- @Test
- public void testGranRevokePrivilegeWithoutAction() throws Exception {
- runTestAsSubject(new TestOperation(){
- @Override
- public void runTestAsSubject() throws Exception {
- String requestorUserName = ADMIN_USER;
- String roleName1 = "admin_r1";
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
- writePolicyFile();
-
- client.dropRoleIfExists(requestorUserName, roleName1);
- client.createRole(requestorUserName, roleName1);
- client.grantServerPrivilege(requestorUserName, roleName1, "server1", false);
-
- Set<TSentryPrivilege> listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege should be all:", listPrivs.iterator().next().getAction().equals("*"));
-
- client.revokeServerPrivilege(requestorUserName, roleName1, "server1", "ALL", false);
- listPrivs = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
- assertTrue("Privilege not correctly revoked !!", listPrivs.size() == 0);
-
- }});
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithInvalidMsgSize.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithInvalidMsgSize.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithInvalidMsgSize.java
deleted file mode 100644
index 15eab15..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithInvalidMsgSize.java
+++ /dev/null
@@ -1,119 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import com.google.common.collect.Sets;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.service.thrift.SentryServiceClientFactory;
-import org.apache.sentry.service.thrift.SentryServiceFactory;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.apache.sentry.service.thrift.ServiceConstants;
-import org.junit.Assert;
-import org.junit.Test;
-
-import java.util.Set;
-
-/**
- * Test sentry service with a larger message size than the server's or client's thrift max message size.
- */
-public class TestSentryServiceWithInvalidMsgSize extends SentryServiceIntegrationBase {
- private final Set<String> REQUESTER_USER_GROUP_NAMES = Sets.newHashSet(ADMIN_GROUP);
- private final String ROLE_NAME = "admin_r";
-
- /**
- * Test the case when the message size is larger than the client's thrift max message size.
- */
- @Test
- public void testClientWithSmallMaxMsgSize() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Configuration confWithSmallMaxMsgSize = new Configuration(conf);
- confWithSmallMaxMsgSize.setLong(ServiceConstants.ClientConfig.SENTRY_POLICY_CLIENT_THRIFT_MAX_MESSAGE_SIZE, 20);
- // create a client with a small thrift max message size
- SentryPolicyServiceClient clientWithSmallMaxMsgSize = SentryServiceClientFactory.create(confWithSmallMaxMsgSize);
-
- setLocalGroupMapping(ADMIN_USER, REQUESTER_USER_GROUP_NAMES);
- writePolicyFile();
-
- boolean exceptionThrown = false;
- try {
- // client throws exception when message size is larger than the client's thrift max message size.
- clientWithSmallMaxMsgSize.listRoles(ADMIN_USER);
- } catch (SentryUserException e) {
- exceptionThrown = true;
- Assert.assertTrue(e.getMessage().contains("Thrift exception occurred"));
- Assert.assertTrue(e.getCause().getMessage().contains("Length exceeded max allowed"));
- } finally {
- Assert.assertEquals(true, exceptionThrown);
- clientWithSmallMaxMsgSize.close();
- }
-
- // client can still talk with sentry server when message size is smaller.
- client.dropRoleIfExists(ADMIN_USER, ROLE_NAME);
- client.listRoles(ADMIN_USER);
- client.createRole(ADMIN_USER, ROLE_NAME);
- client.listRoles(ADMIN_USER);
- }
- });
- }
-
- /**
- * Test the case when the message size is larger than the server's thrift max message size.
- */
- @Test
- public void testServerWithSmallMaxMsgSize() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- Configuration confWithSmallMaxMsgSize = new Configuration(conf);
- confWithSmallMaxMsgSize.setLong(ServiceConstants.ServerConfig.SENTRY_POLICY_SERVER_THRIFT_MAX_MESSAGE_SIZE,
- 50);
- stopSentryService();
-
- // create a server with a small max thrift message size
- server = new SentryServiceFactory().create(confWithSmallMaxMsgSize);
- startSentryService();
-
- setLocalGroupMapping(ADMIN_USER, REQUESTER_USER_GROUP_NAMES);
- writePolicyFile();
-
- // client can talk with server when message size is smaller.
- client.listRoles(ADMIN_USER);
- client.createRole(ADMIN_USER, ROLE_NAME);
-
- boolean exceptionThrown = false;
- try {
- // client throws exception when message size is larger than the server's thrift max message size.
- client.grantServerPrivilege(ADMIN_USER, ROLE_NAME, "server", false);
- } catch (SentryUserException e) {
- exceptionThrown = true;
- Assert.assertTrue(e.getMessage().contains("org.apache.thrift.transport.TTransportException"));
- } finally {
- Assert.assertEquals(true, exceptionThrown);
- }
-
- // client can still talk with sentry server when message size is smaller.
- Set<TSentryRole> roles = client.listRoles(ADMIN_USER);
- Assert.assertTrue(roles.size() == 1);
- Assert.assertEquals(ROLE_NAME, roles.iterator().next().getRoleName());
- }
- });
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
deleted file mode 100644
index ff73382..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceWithKerberos.java
+++ /dev/null
@@ -1,58 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-/**
- * Test various kerberos related stuff on the SentryService side
- */
-public class TestSentryServiceWithKerberos extends SentryServiceIntegrationBase {
-
- @BeforeClass
- public static void setup() throws Exception {
- SERVER_KERBEROS_NAME = "sentry/_HOST@" + REALM;
- SentryServiceIntegrationBase.setup();
- }
-
- @Override
- @Before
- public void before() throws Exception {
- }
-
- @Override
- @After
- public void after() {
- }
-
- /**
- * Test that we are correctly substituting "_HOST" if/when needed.
- *
- * @throws Exception
- */
- @Test
- public void testHostSubstitution() throws Exception {
- // We just need to ensure that we are able to correct connect to the server
- connectToSentryService();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
deleted file mode 100644
index ece2ee8..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.java
+++ /dev/null
@@ -1,136 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import static org.junit.Assert.fail;
-
-import java.io.File;
-import java.net.HttpURLConnection;
-import java.net.URL;
-import java.security.PrivilegedExceptionAction;
-import java.util.HashSet;
-
-import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.login.LoginContext;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
-import org.apache.hadoop.security.authentication.client.AuthenticationException;
-import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
-import org.apache.sentry.service.thrift.KerberosConfiguration;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.After;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.Sets;
-
-public class TestSentryWebServerWithKerberos extends SentryServiceIntegrationBase {
-
- private static Logger LOG = LoggerFactory.getLogger(TestSentryWebServerWithKerberos.class);
-
- @BeforeClass
- public static void setup() throws Exception {
- webServerEnabled = true;
- webSecurity = true;
- SentryServiceIntegrationBase.setup();
- }
-
- @Override
- @Before
- public void before() throws Exception {
- }
-
- @Override
- @After
- public void after() {
- }
-
- @Test
- public void testPing() throws Exception {
- clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
- HttpURLConnection conn = new AuthenticatedURL(new KerberosAuthenticator()).
- openConnection(url, new AuthenticatedURL.Token());
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- String response = IOUtils.toString(conn.getInputStream());
- Assert.assertEquals("pong\n", response);
- return null;
- }} );
- }
-
- @Test
- public void testPingWithoutSubject() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
- try {
- new AuthenticatedURL(new KerberosAuthenticator()).openConnection(url, new AuthenticatedURL.Token());
- fail("Here should fail.");
- } catch (Exception e) {
- boolean isExpectError = e.getMessage().contains("No valid credentials provided");
- Assert.assertTrue("Here should fail by 'No valid credentials provided'," +
- " but the exception is:" + e, isExpectError);
- }
- }
-
- @Test
- public void testPingUsingHttpURLConnection() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
- HttpURLConnection conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
- String errorMessage = IOUtils.toString(conn.getErrorStream());
- Assert.assertTrue(errorMessage.contains("Authentication required"));
- }
-
- @Test
- public void testPingWithUnauthorizedUser() throws Exception {
- // create an unauthorized User with Kerberos
- String userPrinciple = "user/" + SERVER_HOST;
- String userKerberosName = userPrinciple + "@" + REALM;
- Subject userSubject = new Subject(false, Sets.newHashSet(
- new KerberosPrincipal(userKerberosName)), new HashSet<Object>(),new HashSet<Object>());
- File userKeytab = new File(kdcWorkDir, "user.keytab");
- kdc.createPrincipal(userKeytab, userPrinciple);
- LoginContext userLoginContext = new LoginContext("", userSubject, null,
- KerberosConfiguration.createClientConfig(userKerberosName, userKeytab));
- userLoginContext.login();
- Subject.doAs(userLoginContext.getSubject(), new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
- try {
- new AuthenticatedURL(new KerberosAuthenticator()).openConnection(url, new AuthenticatedURL.Token());
- fail("Here should fail.");
- } catch (AuthenticationException e) {
- String expectedError = "status code: 403";
- if (!e.getMessage().contains(expectedError)) {
- LOG.error("UnexpectedError: " + e.getMessage(), e);
- fail("UnexpectedError: " + e.getMessage());
- }
- }
- return null;
- }
- });
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
deleted file mode 100644
index d1d0b4b..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithSSL.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import com.google.common.io.Resources;
-import org.apache.commons.io.IOUtils;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.*;
-
-import javax.net.ssl.HttpsURLConnection;
-import java.net.URL;
-import java.util.Properties;
-
-/**
- * Test sentry web server when ssl is enabled.
- */
-public class TestSentryWebServerWithSSL extends SentryServiceIntegrationBase {
- @BeforeClass
- public static void setup() throws Exception {
- webServerEnabled = true;
- webSecurity = false;
- useSSL = true;
- SentryServiceIntegrationBase.setup();
- }
-
- @Test
- public void testPing() throws Exception {
- final URL url = new URL("https://"+ SERVER_HOST + ":" + webServerPort + "/ping");
- Properties systemProps = System.getProperties();
- systemProps.put( "javax.net.ssl.trustStore", Resources.getResource("cacerts.jks").getPath());
- System.setProperties(systemProps);
- HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
- Assert.assertEquals(HttpsURLConnection.HTTP_OK, conn.getResponseCode());
- String response = IOUtils.toString(conn.getInputStream());
- Assert.assertEquals("pong\n", response);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
deleted file mode 100644
index 4a913e5..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithoutSecurity.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.thrift;
-
-import java.net.HttpURLConnection;
-import java.net.URL;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.After;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-public class TestSentryWebServerWithoutSecurity extends SentryServiceIntegrationBase {
-
- @BeforeClass
- public static void setup() throws Exception {
- webServerEnabled = true;
- webSecurity = false;
- SentryServiceIntegrationBase.setup();
- }
-
- @Override
- @Before
- public void before() throws Exception {
- }
-
- @Override
- @After
- public void after() {
- }
-
- @Test
- public void testPing() throws Exception {
- final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/ping");
- HttpURLConnection conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- String response = IOUtils.toString(conn.getInputStream());
- Assert.assertEquals("pong\n", response);
- }
-
- @Test
- public void testConf() throws Exception {
- // test bad format
- final URL url = new URL("http://" + SERVER_HOST + ":" + webServerPort + "/conf?"
- + ConfServlet.FORMAT_PARAM + "=badformat");
- HttpURLConnection conn = (HttpURLConnection) url.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_BAD_REQUEST, conn.getResponseCode());
-
- // test json format
- final URL url1 = new URL("http://" + SERVER_HOST + ":" + webServerPort + "/conf?"
- + ConfServlet.FORMAT_PARAM +"=" + ConfServlet.FORMAT_JSON);
- conn = (HttpURLConnection) url1.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
-
- // test xml format
- final URL url2 = new URL("http://" + SERVER_HOST + ":" + webServerPort + "/conf?"
- + ConfServlet.FORMAT_PARAM +"=" + ConfServlet.FORMAT_XML);
- conn = (HttpURLConnection) url2.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- String xmlResponse = IOUtils.toString(conn.getInputStream());
-
- // test default is xml format
- final URL url3 = new URL("http://" + SERVER_HOST + ":" + webServerPort + "/conf");
- conn = (HttpURLConnection) url3.openConnection();
- Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
- String defaultResponse = IOUtils.toString(conn.getInputStream());
- Assert.assertEquals(xmlResponse, defaultResponse);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentrySchemaTool.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentrySchemaTool.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentrySchemaTool.java
deleted file mode 100644
index 68abf27..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentrySchemaTool.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.tools;
-
-import java.io.File;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.service.persistent.SentryStoreSchemaInfo;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.io.Files;
-
-public class TestSentrySchemaTool {
- private Configuration sentryConf;
- private SentrySchemaTool schemaTool;
-
- private static final String OLDEST_INIT_VERSION = "1.4.0";
-
- @Before
- public void defaultSetup() throws Exception {
- sentryConf = new Configuration();
- File dbDir = new File(Files.createTempDir(), "sentry_policy_db");
- sentryConf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
- "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
- sentryConf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
- schemaTool = new SentrySchemaTool("./src/main/resources", sentryConf,
- "derby");
- }
-
- private void nonDefaultsetup() throws Exception {
- sentryConf = new Configuration();
- File dbDir = new File(Files.createTempDir(), "sentry_policy_db");
- sentryConf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
- "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
- sentryConf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
- schemaTool = new SentrySchemaTool("./src/main/resources", sentryConf,
- "derby");
- }
-
- @Test
- public void testInitNonDefault() throws Exception {
- nonDefaultsetup();
- schemaTool.doInit();
- schemaTool.verifySchemaVersion();
- }
-
- @Test
- public void testInit() throws Exception {
- schemaTool.doInit();
- schemaTool.verifySchemaVersion();
- }
-
- @Test
- public void testInitTo() throws Exception {
- schemaTool.doInit(SentryStoreSchemaInfo.getSentryVersion());
- schemaTool.verifySchemaVersion();
- }
-
- @Test(expected = SentryUserException.class)
- public void testDryRun() throws Exception {
- schemaTool.setDryRun(true);
- schemaTool.doInit();
- schemaTool.setDryRun(false);
- // verification should fail since dryRun didn't create the actual schema
- schemaTool.verifySchemaVersion();
- }
-
- @Test
- public void testUpgrade() throws Exception {
- schemaTool.doInit(OLDEST_INIT_VERSION);
- schemaTool.doUpgrade();
- schemaTool.verifySchemaVersion();
- }
-
-}