You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sd...@apache.org on 2015/08/14 09:28:44 UTC
[10/50] [abbrv] incubator-sentry git commit: SENTRY-647: Add e2e
tests for Sqoop Sentry integration (Guoquan Shen, reviewed by Dapeng Sun)
SENTRY-647: Add e2e tests for Sqoop Sentry integration (Guoquan Shen,reviewed by Dapeng Sun)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/98761811
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/98761811
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/98761811
Branch: refs/heads/hive_plugin_v2
Commit: 987618115b39d33937a44c0bdcdde3ff0c6be2f3
Parents: c8d5fce
Author: Guoquan Shen <gu...@intel.com>
Authored: Thu Jul 9 12:43:19 2015 +0800
Committer: Guoquan Shen <gu...@intel.com>
Committed: Thu Jul 9 12:43:19 2015 +0800
----------------------------------------------------------------------
pom.xml | 1 +
sentry-tests/pom.xml | 1 +
sentry-tests/sentry-tests-sqoop/pom.xml | 153 +++++++++
.../e2e/sqoop/AbstractSqoopSentryTestBase.java | 225 +++++++++++++
.../tests/e2e/sqoop/StaticUserGroupRole.java | 62 ++++
.../tests/e2e/sqoop/TestConnectorEndToEnd.java | 111 +++++++
.../tests/e2e/sqoop/TestGrantPrivilege.java | 215 +++++++++++++
.../sentry/tests/e2e/sqoop/TestJobEndToEnd.java | 305 ++++++++++++++++++
.../tests/e2e/sqoop/TestLinkEndToEnd.java | 238 ++++++++++++++
.../tests/e2e/sqoop/TestOwnerPrivilege.java | 156 +++++++++
.../tests/e2e/sqoop/TestRevokePrivilege.java | 175 ++++++++++
.../tests/e2e/sqoop/TestRoleOperation.java | 209 ++++++++++++
.../e2e/sqoop/TestServerScopeEndToEnd.java | 185 +++++++++++
.../tests/e2e/sqoop/TestShowPrivilege.java | 92 ++++++
.../tests/e2e/sqoop/TomcatSqoopRunner.java | 320 +++++++++++++++++++
15 files changed, 2448 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index c623819..839eb1d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -754,6 +754,7 @@ limitations under the License.
<exclude>**/datanucleus.log</exclude>
<exclude>**/metastore_db/</exclude>
<exclude>**/*.rej</exclude>
+ <exclude>**/thirdparty/</exclude>
</excludes>
</configuration>
</execution>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/pom.xml b/sentry-tests/pom.xml
index 37f0f3e..c12b118 100644
--- a/sentry-tests/pom.xml
+++ b/sentry-tests/pom.xml
@@ -30,6 +30,7 @@ limitations under the License.
<modules>
<module>sentry-tests-hive</module>
<module>sentry-tests-solr</module>
+ <module>sentry-tests-sqoop</module>
</modules>
</project>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/pom.xml b/sentry-tests/sentry-tests-sqoop/pom.xml
new file mode 100644
index 0000000..491dbaa
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/pom.xml
@@ -0,0 +1,153 @@
+<?xml version="1.0"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-tests</artifactId>
+ <version>1.6.0-incubating-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>sentry-tests-sqoop</artifactId>
+ <name>Sentry Sqoop Tests</name>
+ <description>end to end tests for sentry-sqoop integration</description>
+
+ <dependencies>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ <version>1.2.16</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sqoop</groupId>
+ <artifactId>test</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ <exclusions>
+ <exclusion>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-minicluster</artifactId>
+ <exclusions>
+ <exclusion>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-servlet</artifactId>
+ <version>8.1.10.v20130312</version>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-server</artifactId>
+ <version>8.1.10.v20130312</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-provider-db</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-provider-file</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-binding-sqoop</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-sqoop</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>com.google.guava</groupId>
+ <artifactId>guava</artifactId>
+ </dependency>
+ </dependencies>
+ <profiles>
+ <profile>
+ <id>download-sqoop2</id>
+ <activation>
+ <activeByDefault>true</activeByDefault>
+ <property><name>!skipTests</name></property>
+ </activation>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-antrun-plugin</artifactId>
+ <configuration>
+ <skipTests>true</skipTests>
+ </configuration>
+ <executions>
+ <execution>
+ <id>download-sqoop2</id>
+ <phase>generate-sources</phase>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ <configuration>
+ <target>
+ <echo file="target/download.sh">
+ set -e
+ set -x
+ /bin/pwd
+ BASE_DIR=./target
+ DOWNLOAD_DIR=./thirdparty
+ download() {
+ url=$1;
+ packageName=$2
+ if [[ ! -f $DOWNLOAD_DIR/$packageName ]]
+ then
+ wget --no-check-certificate -nv -O $DOWNLOAD_DIR/$packageName $url
+ fi
+ }
+ mkdir -p $DOWNLOAD_DIR
+ download "https://repository.apache.org/content/repositories/snapshots/org/apache/sqoop/sqoop-server/2.0.0-SNAPSHOT/sqoop-server-2.0.0-20150530.005523-4.war" sqoop.war
+ download "http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.36/bin/apache-tomcat-6.0.36.zip" apache-tomcat-6.0.36.zip
+ </echo>
+ <exec executable="bash" dir="${basedir}" failonerror="true">
+ <arg line="target/download.sh"/>
+ </exec>
+ </target>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
+</project>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java
new file mode 100644
index 0000000..2c6f329
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java
@@ -0,0 +1,225 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * This class used to test the Sqoop integration with Sentry.
+ * It will set up a miniSqoopCluster and Sentry service in a JVM process.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.util.ArrayList;
+import java.util.Set;
+import java.util.UUID;
+import java.util.concurrent.TimeoutException;
+
+
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.net.NetUtils;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.service.thrift.SentryService;
+import org.apache.sentry.service.thrift.SentryServiceFactory;
+import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+
+import org.apache.sentry.sqoop.binding.SqoopProviderBackend;
+import org.apache.sentry.sqoop.conf.SqoopAuthConf.AuthzConfVars;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Joiner;
+import com.google.common.collect.Sets;
+
+public class AbstractSqoopSentryTestBase {
+ private static final Logger LOGGER = LoggerFactory
+ .getLogger(AbstractSqoopSentryTestBase.class);
+
+ private static final String SERVER_HOST = NetUtils
+ .createSocketAddr("localhost:80").getAddress().getCanonicalHostName();
+ private static final int PORT = 8038;
+
+ protected static final String COMPONENT = "sqoop";
+ protected static final String ADMIN_USER = "sqoop";
+ protected static final String ADMIN_GROUP = "sqoop";
+ protected static final String ADMIN_ROLE = "sqoop";
+ protected static final String SQOOP_SERVER_NAME = "sqoopServer1";
+ /** test users, groups and roles */
+ protected static final String USER1 = StaticUserGroupRole.USER_1;
+ protected static final String USER2 = StaticUserGroupRole.USER_2;
+ protected static final String USER3 = StaticUserGroupRole.USER_3;
+ protected static final String USER4 = StaticUserGroupRole.USER_4;
+ protected static final String USER5 = StaticUserGroupRole.USER_5;
+
+ protected static final String GROUP1 = StaticUserGroupRole.GROUP_1;
+ protected static final String GROUP2 = StaticUserGroupRole.GROUP_2;
+ protected static final String GROUP3 = StaticUserGroupRole.GROUP_3;
+ protected static final String GROUP4 = StaticUserGroupRole.GROUP_4;
+ protected static final String GROUP5 = StaticUserGroupRole.GROUP_5;
+
+ protected static final String ROLE1 = StaticUserGroupRole.ROLE_1;
+ protected static final String ROLE2 = StaticUserGroupRole.ROLE_2;
+ protected static final String ROLE3 = StaticUserGroupRole.ROLE_3;
+ protected static final String ROLE4 = StaticUserGroupRole.ROLE_4;
+ protected static final String ROLE5 = StaticUserGroupRole.ROLE_5;
+
+ protected static SentryService server;
+ protected static TomcatSqoopRunner sqoopServerRunner;
+
+ protected static File baseDir;
+ protected static File sqoopDir;
+ protected static File dbDir;
+ protected static File policyFilePath;
+
+ protected static PolicyFile policyFile;
+
+ @BeforeClass
+ public static void beforeTestEndToEnd() throws Exception {
+ setupConf();
+ startSentryService();
+ setUserGroups();
+ setAdminPrivilege();
+ startSqoopWithSentryEnable();
+ }
+
+ @AfterClass
+ public static void afterTestEndToEnd() throws Exception {
+ if (server != null) {
+ server.stop();
+ }
+ if (sqoopServerRunner != null) {
+ sqoopServerRunner.stop();
+ }
+
+ FileUtils.deleteDirectory(baseDir);
+ }
+
+ public static void setupConf() throws Exception {
+ baseDir = createTempDir();
+ sqoopDir = new File(baseDir, "sqoop");
+ dbDir = new File(baseDir, "sentry_policy_db");
+ policyFilePath = new File(baseDir, "local_policy_file.ini");
+ policyFile = new PolicyFile();
+
+ /** set the configuratoion for Sentry Service */
+ Configuration conf = new Configuration();
+
+ conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
+ conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
+ conf.set(ServerConfig.ADMIN_GROUPS, Joiner.on(",").join(ADMIN_GROUP,
+ UserGroupInformation.getLoginUser().getPrimaryGroupName()));
+ conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST);
+ conf.set(ServerConfig.RPC_PORT, String.valueOf(PORT));
+ conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
+ "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
+ ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
+ conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
+ policyFilePath.getPath());
+ server = new SentryServiceFactory().create(conf);
+ }
+
+ public static File createTempDir() {
+ File baseDir = new File(System.getProperty("java.io.tmpdir"));
+ String baseName = "sqoop-e2e-";
+ File tempDir = new File(baseDir, baseName + UUID.randomUUID().toString());
+ if (tempDir.mkdir()) {
+ return tempDir;
+ }
+ throw new IllegalStateException("Failed to create temp directory");
+ }
+
+ public static void startSentryService() throws Exception {
+ server.start();
+ final long start = System.currentTimeMillis();
+ while(!server.isRunning()) {
+ Thread.sleep(1000);
+ if(System.currentTimeMillis() - start > 60000L) {
+ throw new TimeoutException("Server did not start after 60 seconds");
+ }
+ }
+ }
+
+ public static void startSqoopWithSentryEnable() throws Exception {
+ File sentrySitePath = new File(baseDir, "sentry-site.xml");
+ getClientConfig().writeXml(new FileOutputStream(sentrySitePath));
+ sqoopServerRunner = new TomcatSqoopRunner(sqoopDir.toString(), SQOOP_SERVER_NAME,
+ sentrySitePath.toURI().toURL().toString());
+ sqoopServerRunner.start();
+ }
+
+ private static Configuration getClientConfig() {
+ Configuration conf = new Configuration();
+ /** set the Sentry client configuration for Sqoop Service integration */
+ conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
+ conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName());
+ conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort()));
+
+ conf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(),
+ LocalGroupResourceAuthorizationProvider.class.getName());
+ conf.set(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(), SqoopProviderBackend.class.getName());
+ conf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), policyFilePath.getPath());
+ conf.set(AuthzConfVars.AUTHZ_TESTING_MODE.getVar(), "true");
+ return conf;
+ }
+
+ public static void setUserGroups() throws Exception {
+ for (String user : StaticUserGroupRole.getUsers()) {
+ Set<String> groups = StaticUserGroupRole.getGroups(user);
+ policyFile.addGroupsToUser(user,
+ groups.toArray(new String[groups.size()]));
+ }
+ policyFile.addGroupsToUser(ADMIN_USER, ADMIN_GROUP);
+ UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
+ policyFile.addGroupsToUser(loginUser.getShortUserName(), loginUser.getGroupNames());
+ policyFile.write(policyFilePath);
+ }
+
+ public static void setAdminPrivilege() throws Exception {
+ SentryGenericServiceClient sentryClient = null;
+ try {
+ /** grant all privilege to admin user */
+ sentryClient = new SentryGenericServiceClient(getClientConfig());
+ sentryClient.createRoleIfNotExist(ADMIN_USER, ADMIN_ROLE, COMPONENT);
+ sentryClient.addRoleToGroups(ADMIN_USER, ADMIN_ROLE, COMPONENT, Sets.newHashSet(ADMIN_GROUP));
+ sentryClient.grantPrivilege(ADMIN_USER, ADMIN_ROLE, COMPONENT,
+ new TSentryPrivilege(COMPONENT, SQOOP_SERVER_NAME, new ArrayList<TAuthorizable>(),
+ SqoopActionConstant.ALL));
+ } finally {
+ if (sentryClient != null) {
+ sentryClient.close();
+ }
+ }
+ }
+
+ public static void assertCausedMessage(Exception e, String message) {
+ assertTrue(e.getCause().getMessage().contains(message));
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/StaticUserGroupRole.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/StaticUserGroupRole.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/StaticUserGroupRole.java
new file mode 100644
index 0000000..e51ee00
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/StaticUserGroupRole.java
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import com.google.common.collect.Sets;
+
+public class StaticUserGroupRole {
+ public static final String USER_1 = "user1";
+ public static final String USER_2 = "user2";
+ public static final String USER_3 = "user3";
+ public static final String USER_4 = "user4";
+ public static final String USER_5 = "user5";
+
+ public static final String GROUP_1 = "group1";
+ public static final String GROUP_2 = "group2";
+ public static final String GROUP_3 = "group3";
+ public static final String GROUP_4 = "group4";
+ public static final String GROUP_5 = "group5";
+
+ public static final String ROLE_1 = "role1";
+ public static final String ROLE_2 = "role2";
+ public static final String ROLE_3 = "role3";
+ public static final String ROLE_4 = "role4";
+ public static final String ROLE_5 = "role5";
+
+ private static Map<String, Set<String>> userToGroupsMapping =
+ new HashMap<String, Set<String>>();
+
+ static {
+ userToGroupsMapping.put(USER_1, Sets.newHashSet(GROUP_1));
+ userToGroupsMapping.put(USER_2, Sets.newHashSet(GROUP_2));
+ userToGroupsMapping.put(USER_3, Sets.newHashSet(GROUP_3));
+ userToGroupsMapping.put(USER_4, Sets.newHashSet(GROUP_4));
+ userToGroupsMapping.put(USER_5, Sets.newHashSet(GROUP_5));
+ }
+
+ public static Set<String> getUsers() {
+ return userToGroupsMapping.keySet();
+ }
+
+ public static Set<String> getGroups(String user) {
+ return userToGroupsMapping.get(user);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestConnectorEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestConnectorEndToEnd.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestConnectorEndToEnd.java
new file mode 100644
index 0000000..9e13b13
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestConnectorEndToEnd.java
@@ -0,0 +1,111 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.Collection;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MConnector;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MPrivilege;
+import org.apache.sqoop.model.MResource;
+import org.apache.sqoop.model.MRole;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestConnectorEndToEnd extends AbstractSqoopSentryTestBase {
+ private static String JDBC_CONNECTOR_NAME = "generic-jdbc-connector";
+ private static String HDFS_CONNECTOR_NAME = "hdfs-connector";
+
+ @Test
+ public void testShowAllConnector() throws Exception {
+ // USER3 at firstly has no privilege on any Sqoop resource
+ SqoopClient client = sqoopServerRunner.getSqoopClient(USER3);
+ assertTrue(client.getConnectors().size() == 0);
+ /**
+ * ADMIN_USER grant read action privilege on connector all to role ROLE3
+ * ADMIN_USER grant role ROLE3 to group GROUP3
+ */
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role3 = new MRole(ROLE3);
+ MPrincipal group3 = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+ client.createRole(role3);
+ client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role3.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(readPriv));
+
+ // check USER3 has the read privilege on all connector
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ assertTrue(client.getConnectors().size() > 0);
+ }
+
+ @Test
+ public void testShowSpecificConnector() throws Exception {
+ // USER1 and USER2 at firstly has no privilege on any Sqoop resource
+ SqoopClient client = sqoopServerRunner.getSqoopClient(USER1);
+ assertTrue(client.getConnectors().size() == 0);
+ client = sqoopServerRunner.getSqoopClient(USER2);
+ assertTrue(client.getConnectors().size() == 0);
+
+ /**
+ * ADMIN_USER grant read action privilege on jdbc connector to role ROLE1
+ * ADMIN_USER grant read action privilege on hdfs connector to role ROLE2
+ */
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MConnector hdfsConnector = client.getConnector(HDFS_CONNECTOR_NAME);
+ MConnector jdbcConnector = client.getConnector(JDBC_CONNECTOR_NAME);
+
+ MRole role1 = new MRole(ROLE1);
+ MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+ MPrivilege readHdfsPriv = new MPrivilege(new MResource(String.valueOf(hdfsConnector.getPersistenceId()), MResource.TYPE.CONNECTOR),
+ SqoopActionConstant.READ, false);
+ client.createRole(role1);
+ client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role1.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(readHdfsPriv));
+
+ MRole role2 = new MRole(ROLE2);
+ MPrincipal group2 = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
+ MPrivilege readJdbcPriv = new MPrivilege(new MResource(String.valueOf(jdbcConnector.getPersistenceId()), MResource.TYPE.CONNECTOR),
+ SqoopActionConstant.READ, false);
+ client.createRole(role2);
+ client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role2.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(readJdbcPriv));
+
+ client = sqoopServerRunner.getSqoopClient(USER1);
+ assertTrue(client.getConnectors().size() == 1);
+ // user1 can show hdfs connector
+ assertTrue(client.getConnector(HDFS_CONNECTOR_NAME) != null);
+ // user1 can't show jdbc connector
+ assertTrue(client.getConnector(JDBC_CONNECTOR_NAME) == null);
+
+ client = sqoopServerRunner.getSqoopClient(USER2);
+ assertTrue(client.getConnectors().size() == 1);
+ // user2 can show jdbc connector
+ assertTrue(client.getConnector(JDBC_CONNECTOR_NAME) != null);
+ // user2 can't show hdfs connector
+ assertTrue(client.getConnector(HDFS_CONNECTOR_NAME) == null);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestGrantPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestGrantPrivilege.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestGrantPrivilege.java
new file mode 100644
index 0000000..bc9dd13
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestGrantPrivilege.java
@@ -0,0 +1,215 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.util.List;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sentry.sqoop.SentrySqoopError;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MPrivilege;
+import org.apache.sqoop.model.MResource;
+import org.apache.sqoop.model.MRole;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestGrantPrivilege extends AbstractSqoopSentryTestBase {
+
+ @Test
+ public void testNotSupportGrantPrivilegeToUser() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MPrincipal user1 = new MPrincipal("not_support_grant_user_1", MPrincipal.TYPE.GROUP);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+ try {
+ client.grantPrivilege(Lists.newArrayList(user1), Lists.newArrayList(readPriv));
+ fail("expected not support exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
+ }
+ }
+
+ @Test
+ public void testNotSupportGrantPrivilegeToGroup() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MPrincipal group1 = new MPrincipal("not_support_grant_group_1", MPrincipal.TYPE.GROUP);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+ try {
+ client.grantPrivilege(Lists.newArrayList(group1), Lists.newArrayList(readPriv));
+ fail("expected not support exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
+ }
+ }
+
+ @Test
+ public void testGrantPrivilege() throws Exception {
+ /**
+ * user1 belongs to group group1
+ * admin user grant role role1 to group group1
+ * admin user grant read privilege on connector all to role role1
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role1 = new MRole(ROLE1);
+ MPrincipal group1Princ = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+ MPrincipal role1Princ = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+ client.createRole(role1);
+ client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1Princ));
+ client.grantPrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege));
+
+ // check user1 has privilege on role1
+ client = sqoopServerRunner.getSqoopClient(USER1);
+ assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 1);
+ }
+
+ @Test
+ public void testGrantPrivilegeTwice() throws Exception {
+ /**
+ * user2 belongs to group group2
+ * admin user grant role role2 to group group2
+ * admin user grant write privilege on connector all to role role2
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role2 = new MRole(ROLE2);
+ MPrincipal group2Princ = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
+ MPrincipal role2Princ = new MPrincipal(ROLE2, MPrincipal.TYPE.ROLE);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege writePrivilege = new MPrivilege(allConnector, SqoopActionConstant.WRITE, false);
+ client.createRole(role2);
+ client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2Princ));
+ client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege));
+
+ // check user2 has one privilege on role2
+ client = sqoopServerRunner.getSqoopClient(USER2);
+ assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 1);
+
+ // grant privilege to role role2 again
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege));
+
+ // check user2 has only one privilege on role2
+ client = sqoopServerRunner.getSqoopClient(USER2);
+ assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 1);
+ }
+
+ @Test
+ public void testGrantPrivilegeWithAllPrivilegeExist() throws Exception {
+ /**
+ * user3 belongs to group group3
+ * admin user grant role role3 to group group3
+ * admin user grant all privilege on connector all to role role3
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role3 = new MRole(ROLE3);
+ MPrincipal group3Princ = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
+ MPrincipal role3Princ = new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
+ client.createRole(role3);
+ client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3Princ));
+ client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(allPrivilege));
+
+ // check user3 has one privilege on role3
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1);
+ // user3 has the all action on role3
+ MPrivilege user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
+ assertEquals(user3Privilege.getAction(), SqoopActionConstant.ALL_NAME);
+
+ /**
+ * admin user grant read privilege on connector all to role role3
+ * because the role3 has already the all privilege, the read privilege granting has
+ * no impact on the role3
+ */
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+ client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(readPrivilege));
+ // check user3 has only one privilege on role3
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1);
+ // user3 has the all action on role3
+ user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
+ assertEquals(user3Privilege.getAction(), SqoopActionConstant.ALL_NAME);
+ }
+
+ @Test
+ public void testGrantALLPrivilegeWithOtherPrivilegesExist() throws Exception {
+ /**
+ * user4 belongs to group group4
+ * admin user grant role role4 to group group4
+ * admin user grant read privilege on connector all to role role4
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role4 = new MRole(ROLE4);
+ MPrincipal group4Princ = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
+ MPrincipal role4Princ = new MPrincipal(ROLE4, MPrincipal.TYPE.ROLE);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+ client.createRole(role4);
+ client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4Princ));
+ client.grantPrivilege(Lists.newArrayList(role4Princ), Lists.newArrayList(readPrivilege));
+
+ // check user4 has one privilege on role1
+ client = sqoopServerRunner.getSqoopClient(USER4);
+ assertTrue(client.getPrivilegesByPrincipal(role4Princ, allConnector).size() == 1);
+ // user4 has the read action on collector all
+ MPrivilege user4Privilege = client.getPrivilegesByPrincipal(role4Princ, allConnector).get(0);
+ assertEquals(user4Privilege.getAction().toLowerCase(), SqoopActionConstant.READ);
+
+ /**
+ * admin user grant write privilege on connector all to role role4
+ */
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MPrivilege writePrivilege = new MPrivilege(allConnector, SqoopActionConstant.WRITE, false);
+ client.grantPrivilege(Lists.newArrayList(role4Princ), Lists.newArrayList(writePrivilege));
+
+ // check user4 has two privileges on role1
+ client = sqoopServerRunner.getSqoopClient(USER4);
+ assertTrue(client.getPrivilegesByPrincipal(role4Princ, allConnector).size() == 2);
+ // user4 has the read and write action on collector all
+ List<String> actions = Lists.newArrayList();
+ for (MPrivilege privilege : client.getPrivilegesByPrincipal(role4Princ, allConnector)) {
+ actions.add(privilege.getAction().toLowerCase());
+ }
+ assertEquals(Lists.newArrayList(SqoopActionConstant.READ, SqoopActionConstant.WRITE), actions);
+
+ /**
+ * admin user grant all privilege on connector all to role role4
+ * because the all privilege includes the read and write privileges, these privileges will
+ * be removed
+ */
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
+ client.grantPrivilege(Lists.newArrayList(role4Princ), Lists.newArrayList(allPrivilege));
+
+ // check user4 has only privilege on role1
+ client = sqoopServerRunner.getSqoopClient(USER4);
+ assertTrue(client.getPrivilegesByPrincipal(role4Princ, allConnector).size() == 1);
+ // user4 has the all action on role3
+ user4Privilege = client.getPrivilegesByPrincipal(role4Princ, allConnector).get(0);
+ assertEquals(user4Privilege.getAction(), SqoopActionConstant.ALL_NAME);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestJobEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestJobEndToEnd.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestJobEndToEnd.java
new file mode 100644
index 0000000..636e269
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestJobEndToEnd.java
@@ -0,0 +1,305 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MJob;
+import org.apache.sqoop.model.MLink;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MPrivilege;
+import org.apache.sqoop.model.MResource;
+import org.apache.sqoop.model.MRole;
+import org.apache.sqoop.security.SecurityError;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestJobEndToEnd extends AbstractSqoopSentryTestBase {
+ @Test
+ public void testShowJob() throws Exception {
+ /**
+ * ADMIN_USER create two links and one job
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MLink rdbmsLink = client.createLink("generic-jdbc-connector");
+ sqoopServerRunner.fillRdbmsLinkConfig(rdbmsLink);
+ sqoopServerRunner.saveLink(client, rdbmsLink);
+
+ MLink hdfsLink = client.createLink("hdfs-connector");
+ sqoopServerRunner.fillHdfsLink(hdfsLink);
+ sqoopServerRunner.saveLink(client, hdfsLink);
+
+ MJob job1 = client.createJob(hdfsLink.getPersistenceId(), rdbmsLink.getPersistenceId());
+ // set HDFS "FROM" config for the job, since the connector test case base class only has utilities for HDFS!
+ sqoopServerRunner.fillHdfsFromConfig(job1);
+ // set the RDBM "TO" config here
+ sqoopServerRunner.fillRdbmsToConfig(job1);
+ // create job
+ sqoopServerRunner.saveJob(client, job1);
+ /**
+ * ADMIN_USER grant read privilege on all job to role1
+ */
+ MRole role1 = new MRole(ROLE1);
+ MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+ MResource allJob = new MResource(SqoopActionConstant.ALL, MResource.TYPE.JOB);
+ MPrivilege readAllPrivilege = new MPrivilege(allJob,SqoopActionConstant.READ, false);
+ client.createRole(role1);
+ client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role1.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(readAllPrivilege));
+
+ /**
+ * ADMIN_USER grant read privilege on job1 to role2
+ */
+ MRole role2 = new MRole(ROLE2);
+ MPrincipal group2 = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
+ MResource job1Resource = new MResource(String.valueOf(job1.getPersistenceId()), MResource.TYPE.JOB);
+ MPrivilege readJob1Privilege = new MPrivilege(job1Resource,SqoopActionConstant.READ, false);
+ client.createRole(role2);
+ client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role2.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(readJob1Privilege));
+
+ // user1 can show all jobs
+ client = sqoopServerRunner.getSqoopClient(USER1);
+ try {
+ assertTrue(client.getJobs().size() == 1);
+ assertTrue(client.getJob(job1.getPersistenceId()) != null);
+ } catch (Exception e) {
+ fail("unexpected Authorization exception happend");
+ }
+
+ // user2 can show job1
+ client = sqoopServerRunner.getSqoopClient(USER2);
+ try {
+ assertTrue(client.getJobs().size() == 1);
+ assertTrue(client.getJob(job1.getPersistenceId()) != null);
+ } catch (Exception e) {
+ fail("unexpected Authorization exception happend");
+ }
+
+ // user3 can't show job1
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ try {
+ assertTrue(client.getJobs().size() == 0);
+ client.getJob(job1.getPersistenceId());
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ client.deleteJob(job1.getPersistenceId());
+ }
+
+ @Test
+ public void testUpdateDeleteJob() throws Exception {
+ /**
+ * ADMIN_USER create two links and one job
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MLink rdbmsLink = client.createLink("generic-jdbc-connector");
+ sqoopServerRunner.fillRdbmsLinkConfig(rdbmsLink);
+ rdbmsLink.setName("rdbm_testUpdateJob");
+ sqoopServerRunner.saveLink(client, rdbmsLink);
+
+ MLink hdfsLink = client.createLink("hdfs-connector");
+ sqoopServerRunner.fillHdfsLink(hdfsLink);
+ hdfsLink.setName("hdfs_testUpdateJob");
+ sqoopServerRunner.saveLink(client, hdfsLink);
+
+ MJob job2 = client.createJob(hdfsLink.getPersistenceId(), rdbmsLink.getPersistenceId());
+ // set HDFS "FROM" config for the job, since the connector test case base class only has utilities for HDFS!
+ sqoopServerRunner.fillHdfsFromConfig(job2);
+ // set the RDBM "TO" config here
+ sqoopServerRunner.fillRdbmsToConfig(job2);
+ // create job
+ sqoopServerRunner.saveJob(client, job2);
+
+ /**
+ * ADMIN_USER grant update privilege on job2 to role4
+ * ADMIN_USER grant read privilege on all connector to role4
+ * ADMIN_USER grant read privilege on all link to role4
+ */
+ MRole role4 = new MRole(ROLE4);
+ MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
+ MResource job2Resource = new MResource(String.valueOf(job2.getPersistenceId()), MResource.TYPE.JOB);
+ MPrivilege writeJob2Privilege = new MPrivilege(job2Resource,SqoopActionConstant.WRITE, false);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readConnectorPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+ MResource allLink = new MResource(SqoopActionConstant.ALL, MResource.TYPE.LINK);
+ MPrivilege readLinkPriv = new MPrivilege(allLink,SqoopActionConstant.READ, false);
+ client.createRole(role4);
+ client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role4.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(writeJob2Privilege, readConnectorPriv, readLinkPriv));
+
+ // user4 can't show job2
+ client = sqoopServerRunner.getSqoopClient(USER4);
+ try {
+ assertTrue(client.getJobs().size() == 0);
+ client.getJob(job2.getPersistenceId());
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+ // user4 can update job2
+ try {
+ job2.setName("job2_update_user4_1");
+ client.updateJob(job2);
+ } catch (Exception e) {
+ fail("unexpected Authorization exception happend");
+ }
+ // user3 can't update job2
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ try {
+ assertTrue(client.getJobs().size() == 0);
+ job2.setName("job2_update_user3_1");
+ client.updateJob(job2);
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+
+ // user3 can't delete job2
+ try {
+ client.deleteJob(job2.getPersistenceId());
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+
+ //user4 can delete job2 because user4 has write privilege on job2
+ client = sqoopServerRunner.getSqoopClient(USER4);
+ try {
+ client.deleteJob(job2.getPersistenceId());
+ } catch (Exception e) {
+ fail("unexpected Authorization exception happend");
+ }
+
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ client.dropRole(role4);
+ }
+
+ @Test
+ public void testEnableAndStartJob() throws Exception {
+ /**
+ * ADMIN_USER create two links and one job
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MLink rdbmsLink = client.createLink("generic-jdbc-connector");
+ sqoopServerRunner.fillRdbmsLinkConfig(rdbmsLink);
+ rdbmsLink.setName("rdbm_testEnableAndStartJob");
+ sqoopServerRunner.saveLink(client, rdbmsLink);
+
+ MLink hdfsLink = client.createLink("hdfs-connector");
+ sqoopServerRunner.fillHdfsLink(hdfsLink);
+ hdfsLink.setName("hdfs_testEnableAndStartJob");
+ sqoopServerRunner.saveLink(client, hdfsLink);
+
+ MJob job2 = client.createJob(hdfsLink.getPersistenceId(), rdbmsLink.getPersistenceId());
+ // set HDFS "FROM" config for the job, since the connector test case base class only has utilities for HDFS!
+ sqoopServerRunner.fillHdfsFromConfig(job2);
+ // set the RDBM "TO" config here
+ sqoopServerRunner.fillRdbmsToConfig(job2);
+ // create job
+ sqoopServerRunner.saveJob(client, job2);
+
+ /**
+ * ADMIN_USER grant update privilege on job2 to role4
+ * ADMIN_USER grant read privilege on all connector to role4
+ * ADMIN_USER grant read privilege on all link to role4
+ */
+ MRole role4 = new MRole(ROLE4);
+ MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
+ MResource job2Resource = new MResource(String.valueOf(job2.getPersistenceId()), MResource.TYPE.JOB);
+ MPrivilege writeJob2Privilege = new MPrivilege(job2Resource,SqoopActionConstant.WRITE, false);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readConnectorPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+ MResource allLink = new MResource(SqoopActionConstant.ALL, MResource.TYPE.LINK);
+ MPrivilege readLinkPriv = new MPrivilege(allLink,SqoopActionConstant.READ, false);
+ client.createRole(role4);
+ client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role4.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(writeJob2Privilege, readConnectorPriv, readLinkPriv));
+
+
+ /**
+ * ADMIN_USER grant read privilege on job2 to role5
+ * ADMIN_USER grant read privilege on all connector to role5
+ * ADMIN_USER grant read privilege on all link to role5
+ */
+ MRole role5 = new MRole(ROLE5);
+ MPrincipal group5 = new MPrincipal(GROUP5, MPrincipal.TYPE.GROUP);
+ MPrivilege readJob2Privilege = new MPrivilege(job2Resource,SqoopActionConstant.READ, false);
+ client.createRole(role5);
+ client.grantRole(Lists.newArrayList(role5), Lists.newArrayList(group5));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role5.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(readJob2Privilege, readConnectorPriv, readLinkPriv));
+
+ // user5 can't enable and start job2
+ client = sqoopServerRunner.getSqoopClient(USER5);
+ try {
+ client.enableJob(job2.getPersistenceId(), true);
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+
+ try {
+ client.startJob(job2.getPersistenceId());
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+
+ // user3 can't enable and start job2
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ try {
+ client.enableJob(job2.getPersistenceId(), true);
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+
+ try {
+ client.startJob(job2.getPersistenceId());
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+
+ // user4 can enable or start job2
+ client = sqoopServerRunner.getSqoopClient(USER4);
+ try {
+ client.enableJob(job2.getPersistenceId(), false);
+ client.enableJob(job2.getPersistenceId(), true);
+ client.deleteJob(job2.getPersistenceId());
+ } catch (Exception e) {
+ fail("unexpected Authorization exception happend");
+ }
+
+
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ client.dropRole(role4);
+ client.dropRole(role5);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestLinkEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestLinkEndToEnd.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestLinkEndToEnd.java
new file mode 100644
index 0000000..a67ef63
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestLinkEndToEnd.java
@@ -0,0 +1,238 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MLink;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MPrivilege;
+import org.apache.sqoop.model.MResource;
+import org.apache.sqoop.model.MRole;
+import org.apache.sqoop.security.SecurityError;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestLinkEndToEnd extends AbstractSqoopSentryTestBase {
+
+ @Test
+ public void testShowLink() throws Exception {
+ /**
+ * ADMIN_USER create a hdfs link
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MLink hdfsLink = client.createLink("hdfs-connector");
+ sqoopServerRunner.fillHdfsLink(hdfsLink);
+ sqoopServerRunner.saveLink(client, hdfsLink);
+
+ /**
+ * ADMIN_USER grant read privilege on all link to role1
+ */
+ MRole role1 = new MRole(ROLE1);
+ MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+ MResource allLink = new MResource(SqoopActionConstant.ALL, MResource.TYPE.LINK);
+ MPrivilege readAllPrivilege = new MPrivilege(allLink,SqoopActionConstant.READ, false);
+ client.createRole(role1);
+ client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role1.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(readAllPrivilege));
+
+ /**
+ * ADMIN_USER grant read privilege on hdfs link to role2
+ */
+ MRole role2 = new MRole(ROLE2);
+ MPrincipal group2 = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
+ MResource hdfsLinkResource = new MResource(String.valueOf(hdfsLink.getPersistenceId()), MResource.TYPE.LINK);
+ MPrivilege readHdfsLinkPrivilege = new MPrivilege(hdfsLinkResource,SqoopActionConstant.READ, false);
+ client.createRole(role2);
+ client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role2.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(readHdfsLinkPrivilege));
+
+ // user1 can show all link
+ client = sqoopServerRunner.getSqoopClient(USER1);
+ try {
+ assertTrue(client.getLinks().size() == 1);
+ assertTrue(client.getLink(hdfsLink.getPersistenceId()) != null);
+ } catch (Exception e) {
+ fail("unexpected Authorization exception happend");
+ }
+
+ // user2 can show hdfs link
+ client = sqoopServerRunner.getSqoopClient(USER2);
+ try {
+ assertTrue(client.getLinks().size() == 1);
+ assertTrue(client.getLink(hdfsLink.getPersistenceId()) != null);
+ } catch (Exception e) {
+ fail("unexpected Authorization exception happend");
+ }
+
+ // user3 can't show hdfs link
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ try {
+ assertTrue(client.getLinks().size() == 0);
+ client.getLink(hdfsLink.getPersistenceId());
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ client.deleteLink(hdfsLink.getPersistenceId());
+ }
+
+ @Test
+ public void testUpdateDtestUpdateDeleteLinkeleteLink() throws Exception {
+ /**
+ * ADMIN_USER create a hdfs link
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MLink hdfsLink = client.createLink("hdfs-connector");
+ sqoopServerRunner.fillHdfsLink(hdfsLink);
+ sqoopServerRunner.saveLink(client, hdfsLink);
+
+ /**
+ * ADMIN_USER grant update privilege on hdfs link to role4
+ * ADMIN_USER grant read privilege on all connector to role4
+ */
+ MRole role4 = new MRole(ROLE4);
+ MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
+ MResource hdfsLinkResource = new MResource(String.valueOf(hdfsLink.getPersistenceId()), MResource.TYPE.LINK);
+ MPrivilege writeHdfsPrivilege = new MPrivilege(hdfsLinkResource,SqoopActionConstant.WRITE, false);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readConnectorPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+ client.createRole(role4);
+ client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role4.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(writeHdfsPrivilege, readConnectorPriv));
+
+ // user4 can't show hdfs link
+ client = sqoopServerRunner.getSqoopClient(USER4);
+ try {
+ assertTrue(client.getLinks().size() == 0);
+ client.getLink(hdfsLink.getPersistenceId());
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+ // user4 can update hdfs link
+ try {
+ hdfsLink.setName("hdfs_link_update_user4_1");
+ client.updateLink(hdfsLink);
+ } catch (Exception e) {
+ fail("unexpected Authorization exception happend");
+ }
+ // user3 can't update hdfs link
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ try {
+ assertTrue(client.getLinks().size() == 0);
+ hdfsLink.setName("hdfs_link_update_user3_1");
+ client.updateLink(hdfsLink);
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+
+ // user3 can't delete hdfs link
+ try {
+ client.deleteLink(hdfsLink.getPersistenceId());
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+
+ //user4 can delete hdfs link because user4 has write privilege on hdfs link
+ client = sqoopServerRunner.getSqoopClient(USER4);
+ try {
+ client.deleteLink(hdfsLink.getPersistenceId());
+ } catch (Exception e) {
+ fail("unexpected Authorization exception happend");
+ }
+
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ client.dropRole(role4);
+ }
+
+ @Test
+ public void testEnableLink() throws Exception {
+ /**
+ * ADMIN_USER create a hdfs link
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MLink hdfsLink = client.createLink("hdfs-connector");
+ sqoopServerRunner.fillHdfsLink(hdfsLink);
+ sqoopServerRunner.saveLink(client, hdfsLink);
+
+ /**
+ * ADMIN_USER grant read privilege on hdfs link to role4
+ * ADMIN_USER grant read privilege on all connector to role4
+ */
+ MRole role4 = new MRole(ROLE4);
+ MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
+ MResource hdfsLinkResource = new MResource(String.valueOf(hdfsLink.getPersistenceId()), MResource.TYPE.LINK);
+ MPrivilege readHdfsPrivilege = new MPrivilege(hdfsLinkResource,SqoopActionConstant.READ, false);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readConnectorPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+ client.createRole(role4);
+ client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role4.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(readHdfsPrivilege, readConnectorPriv));
+
+ /**
+ * ADMIN_USER grant write privilege on hdfs link to role5
+ * ADMIN_USER grant read privilege on all connector to role5
+ */
+ MRole role5 = new MRole(ROLE5);
+ MPrincipal group5 = new MPrincipal(GROUP5, MPrincipal.TYPE.GROUP);
+ MPrivilege writeHdfsPrivilege = new MPrivilege(hdfsLinkResource,SqoopActionConstant.WRITE, false);
+ client.createRole(role5);
+ client.grantRole(Lists.newArrayList(role5), Lists.newArrayList(group5));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role5.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(writeHdfsPrivilege, readConnectorPriv));
+
+ // user4 can't enable hdfs link
+ client = sqoopServerRunner.getSqoopClient(USER4);
+ try {
+ client.enableLink(hdfsLink.getPersistenceId(), true);
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+ // user5 can enbale hdfs link
+ client = sqoopServerRunner.getSqoopClient(USER5);
+ try {
+ client.enableLink(hdfsLink.getPersistenceId(), true);
+ } catch (Exception e) {
+ fail("unexpected Authorization exception happend");
+ }
+ // user3 can't update hdfs link
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ try {
+ client.enableLink(hdfsLink.getPersistenceId(), true);
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ client.deleteLink(hdfsLink.getPersistenceId());
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestOwnerPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestOwnerPrivilege.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestOwnerPrivilege.java
new file mode 100644
index 0000000..9bed526
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestOwnerPrivilege.java
@@ -0,0 +1,156 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MConnector;
+import org.apache.sqoop.model.MDriverConfig;
+import org.apache.sqoop.model.MJob;
+import org.apache.sqoop.model.MLink;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MPrivilege;
+import org.apache.sqoop.model.MResource;
+import org.apache.sqoop.model.MRole;
+import org.apache.sqoop.security.SecurityError;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestOwnerPrivilege extends AbstractSqoopSentryTestBase {
+
+ @Test
+ public void testLinkOwner() throws Exception {
+ // USER1 at firstly has no privilege on any Sqoop resource
+ SqoopClient client = sqoopServerRunner.getSqoopClient(USER1);
+ assertTrue(client.getConnectors().size() == 0);
+ /**
+ * ADMIN_USER grant read action privilege on connector all to role ROLE1
+ * ADMIN_USER grant role ROLE1 to group GROUP1
+ */
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role1 = new MRole(ROLE1);
+ MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+ client.createRole(role1);
+ client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(role1.getName(), MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(readPriv));
+
+ // check USER1 has the read privilege on all connector
+ client = sqoopServerRunner.getSqoopClient(USER1);
+ assertTrue(client.getConnectors().size() > 0);
+
+ // USER1 create a new HDFS link
+ MLink hdfsLink = client.createLink("hdfs-connector");
+ sqoopServerRunner.fillHdfsLink(hdfsLink);
+ sqoopServerRunner.saveLink(client, hdfsLink);
+
+ // USER1 is the owner of HDFS link, so he can show and update HDFS link
+ assertEquals(client.getLink(hdfsLink.getPersistenceId()), hdfsLink);
+
+ // USER1 update the name of HDFS link
+ hdfsLink.setName("HDFS_update1");
+ sqoopServerRunner.updateLink(client, hdfsLink);
+
+ // USER2 has no privilege on HDFS link
+ client = sqoopServerRunner.getSqoopClient(USER2);
+ assertTrue(client.getLinks().size() == 0);
+
+ //delete the HDFS link
+ client = sqoopServerRunner.getSqoopClient(USER1);
+ client.deleteLink(hdfsLink.getPersistenceId());
+ }
+
+ @Test
+ public void testJobOwner() throws Exception {
+ // USER3 at firstly has no privilege on any Sqoop resource
+ SqoopClient client = sqoopServerRunner.getSqoopClient(USER3);
+ assertTrue(client.getConnectors().size() == 0);
+ /**
+ * ADMIN_USER grant read action privilege on connector all to role ROLE3
+ * ADMIN_USER grant role ROLE3 to group GROUP3
+ */
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role3 = new MRole(ROLE3);
+ MPrincipal group3 = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+ client.createRole(role3);
+ client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3));
+ client.grantPrivilege(Lists.newArrayList(new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE)),
+ Lists.newArrayList(readPriv));
+
+ // check USER3 has the read privilege on all connector
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ assertTrue(client.getConnectors().size() > 0);
+
+ // USER3 create two links: hdfs link and rdbm link
+ MLink rdbmsLink = client.createLink("generic-jdbc-connector");
+ sqoopServerRunner.fillRdbmsLinkConfig(rdbmsLink);
+ sqoopServerRunner.saveLink(client, rdbmsLink);
+
+ MLink hdfsLink = client.createLink("hdfs-connector");
+ sqoopServerRunner.fillHdfsLink(hdfsLink);
+ sqoopServerRunner.saveLink(client, hdfsLink);
+
+ // USER3 is the owner of hdfs and link, so he can show and update hdfs link
+ assertTrue(client.getLinks().size() == 2);
+ hdfsLink.setName("HDFS_update2");
+ client.updateLink(hdfsLink);
+ rdbmsLink.setName("RDBM_update");
+ client.updateLink(rdbmsLink);
+
+ // USER_3 create a job: transfer date from HDFS to RDBM
+ MJob job1 = client.createJob(hdfsLink.getPersistenceId(), rdbmsLink.getPersistenceId());
+ // set HDFS "FROM" config for the job, since the connector test case base class only has utilities for HDFS!
+ sqoopServerRunner.fillHdfsFromConfig(job1);
+
+ // set the RDBM "TO" config here
+ sqoopServerRunner.fillRdbmsToConfig(job1);
+
+ // create job
+ sqoopServerRunner.saveJob(client, job1);
+
+ /**
+ * USER3 is the owner of job1 , so he can show and delete job1.
+ * USER4 has no privilege on job1
+ */
+ client = sqoopServerRunner.getSqoopClient(USER4);
+ assertTrue(client.getJobs().size() == 0);
+ try {
+ client.deleteJob(job1.getPersistenceId());
+ fail("expected Authorization exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+ }
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ assertEquals(client.getJob(job1.getPersistenceId()), job1);
+ client.deleteJob(job1.getPersistenceId());
+
+ // delete the HDFS and RDBM links
+ client.deleteLink(hdfsLink.getPersistenceId());
+ client.deleteLink(rdbmsLink.getPersistenceId());
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRevokePrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRevokePrivilege.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRevokePrivilege.java
new file mode 100644
index 0000000..f71595c
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRevokePrivilege.java
@@ -0,0 +1,175 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sentry.sqoop.SentrySqoopError;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MPrivilege;
+import org.apache.sqoop.model.MResource;
+import org.apache.sqoop.model.MRole;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestRevokePrivilege extends AbstractSqoopSentryTestBase {
+ @Test
+ public void testNotSupportRevokePrivilegeFromUser() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MPrincipal user1 = new MPrincipal("not_support_revoke_user_1", MPrincipal.TYPE.GROUP);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+ try {
+ client.revokePrivilege(Lists.newArrayList(user1), Lists.newArrayList(readPriv));
+ fail("expected not support exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
+ }
+ }
+
+ @Test
+ public void testNotSupportRevokePrivilegeFromGroup() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MPrincipal group1 = new MPrincipal("not_support_revoke_group_1", MPrincipal.TYPE.GROUP);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+ try {
+ client.revokePrivilege(Lists.newArrayList(group1), Lists.newArrayList(readPriv));
+ fail("expected not support exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
+ }
+ }
+
+ @Test
+ public void testRevokeNotExistPrivilege() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole testRole = new MRole("noexist_privilege_role1");
+ MPrincipal testPrinc = new MPrincipal(testRole.getName(), MPrincipal.TYPE.ROLE);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+ client.createRole(testRole);
+ assertTrue(client.getPrivilegesByPrincipal(testPrinc, allConnector).size() == 0);
+
+ client.revokePrivilege(Lists.newArrayList(testPrinc), Lists.newArrayList(readPrivilege));
+ assertTrue(client.getPrivilegesByPrincipal(testPrinc, allConnector).size() == 0);
+ }
+
+
+ @Test
+ public void testRevokePrivilege() throws Exception {
+ /**
+ * user1 belongs to group group1
+ * admin user grant role role1 to group group1
+ * admin user grant read privilege on connector all to role role1
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role1 = new MRole(ROLE1);
+ MPrincipal group1Princ = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+ MPrincipal role1Princ = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+ client.createRole(role1);
+ client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1Princ));
+ client.grantPrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege));
+
+ // check user1 has privilege on role1
+ client = sqoopServerRunner.getSqoopClient(USER1);
+ assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 1);
+
+ // admin user revoke read privilege from role1
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ client.revokePrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege));
+
+ // check user1 has no privilege on role1
+ client = sqoopServerRunner.getSqoopClient(USER1);
+ assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 0);
+ }
+
+ @Test
+ public void testRevokeAllPrivilege() throws Exception {
+ /**
+ * user2 belongs to group group2
+ * admin user grant role role2 to group group2
+ * admin user grant read and write privilege on connector all to role role2
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role2 = new MRole(ROLE2);
+ MPrincipal group2Princ = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
+ MPrincipal role2Princ = new MPrincipal(ROLE2, MPrincipal.TYPE.ROLE);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege writePrivilege = new MPrivilege(allConnector, SqoopActionConstant.WRITE, false);
+ MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+ client.createRole(role2);
+ client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2Princ));
+ client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege, readPrivilege));
+
+ // check user2 has two privileges on role2
+ client = sqoopServerRunner.getSqoopClient(USER2);
+ assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 2);
+
+ // admin user revoke all privilege from role2
+ MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ client.revokePrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(allPrivilege));
+
+ // check user2 has no privilege on role2
+ client = sqoopServerRunner.getSqoopClient(USER2);
+ assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 0);
+ }
+
+ @Test
+ public void testRevokePrivilegeWithAllPrivilegeExist() throws Exception {
+ /**
+ * user3 belongs to group group3
+ * admin user grant role role3 to group group3
+ * admin user grant all privilege on connector all to role role3
+ */
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role3 = new MRole(ROLE3);
+ MPrincipal group3Princ = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
+ MPrincipal role3Princ = new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE);
+ MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+ MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
+ client.createRole(role3);
+ client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3Princ));
+ client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(allPrivilege));
+
+ // check user3 has one privilege on role3
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1);
+ // user3 has the all action on role3
+ MPrivilege user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
+ assertEquals(user3Privilege.getAction(), SqoopActionConstant.ALL_NAME);
+
+ // admin user revoke the read privilege on connector all from role role3
+ MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ client.revokePrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(readPrivilege));
+
+ // check user3 has only the write privilege on role3
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1);
+ user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
+ assertEquals(user3Privilege.getAction().toLowerCase(), SqoopActionConstant.WRITE);
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRoleOperation.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRoleOperation.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRoleOperation.java
new file mode 100644
index 0000000..1a6ca02
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRoleOperation.java
@@ -0,0 +1,209 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import org.apache.sentry.sqoop.SentrySqoopError;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MRole;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+public class TestRoleOperation extends AbstractSqoopSentryTestBase {
+
+ @Test
+ public void testAdminToCreateDeleteRole() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role1 = new MRole("create_delete_role_1");
+ MRole role2 = new MRole("create_delete_role_2");
+ client.createRole(role1);
+ client.createRole(role2);
+ assertTrue( client.getRoles().size() > 0);
+ }
+
+ @Test
+ public void testNotAdminToCreateDeleteRole() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role1 = new MRole("not_admin_create_delete_role_1");
+ MRole role2 = new MRole("not_admin_create_delete_role_2");
+ client.createRole(role1);
+
+ client = sqoopServerRunner.getSqoopClient(USER1);
+ try {
+ client.createRole(role2);
+ fail("expected SentryAccessDeniedException happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, "SentryAccessDeniedException");
+ }
+ try {
+ client.dropRole(role1);
+ fail("expected SentryAccessDeniedException happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, "SentryAccessDeniedException");
+ }
+ }
+
+ @Test
+ public void testCreateExistedRole() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role1 = new MRole("create_exist_role_1");
+ client.createRole(role1);
+ try {
+ client.createRole(role1);
+ fail("expected SentryAlreadyExistsException happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, "SentryAlreadyExistsException");
+ }
+ }
+
+ @Test
+ public void testDropNotExistedRole() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ try {
+ client.dropRole(new MRole("drop_noexisted_role_1"));
+ fail("expected SentryNoSuchObjectException happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, "SentryNoSuchObjectException");
+ }
+ }
+
+ @Test
+ public void testAdminShowAllRole() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ client.createRole(new MRole("show_all_role"));
+ assertTrue(client.getRoles().size() > 0);
+ }
+
+ @Test
+ public void testNotAdminShowAllRole() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(USER1);
+ try {
+ client.getRoles();
+ fail("expected SentryAccessDeniedException happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, "SentryAccessDeniedException");
+ }
+ }
+
+ @Test
+ public void testNotSupportAddRoleToUser() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MRole role1 = new MRole("add_to_user_role");
+ MPrincipal user1 = new MPrincipal("add_to_user", MPrincipal.TYPE.USER);
+ try {
+ client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(user1));
+ fail("expected not support exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_ROLE_NOT_SUPPORT_FOR_PRINCIPAL);
+ }
+ }
+
+ @Test
+ public void testShowRoleOnGroup() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ // admin user grant role1 to group1
+ MRole role1 = new MRole(ROLE1);
+ client.createRole(role1);
+ MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+ client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1));
+ // admin user grant role2 to group2
+ MRole role2 = new MRole(ROLE2);
+ client.createRole(role2);
+ MPrincipal group2 = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
+ client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2));
+
+ // use1 can show role on group1
+ client = sqoopServerRunner.getSqoopClient(USER1);
+ assertEquals(role1.getName(), client.getRolesByPrincipal(group1).get(0).getName());
+
+ // use1 can't show role on group2
+ try {
+ client.getRolesByPrincipal(group2);
+ fail("expected SentryAccessDeniedException happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, "SentryAccessDeniedException");
+ }
+
+ // user2 can show role on group2
+ client = sqoopServerRunner.getSqoopClient(USER2);
+ assertEquals(role2.getName(), client.getRolesByPrincipal(group2).get(0).getName());
+
+ // use2 can't show role on group1
+ try {
+ client.getRolesByPrincipal(group1);
+ fail("expected SentryAccessDeniedException happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, "SentryAccessDeniedException");
+ }
+ }
+
+ @Test
+ public void testAddDeleteRoleOnGroup() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ // admin user grant role3 to group3
+ MRole role3 = new MRole(ROLE3);
+ client.createRole(role3);
+ MPrincipal group3 = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
+ client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3));
+ // admin user grant role4 to group4
+ MRole role4 = new MRole(ROLE4);
+ client.createRole(role4);
+ MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
+ client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4));
+
+ // use3 can show role on group3
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ assertEquals(role3.getName(), client.getRolesByPrincipal(group3).get(0).getName());
+
+ // user4 can show role on group4
+ client = sqoopServerRunner.getSqoopClient(USER4);
+ assertEquals(role4.getName(), client.getRolesByPrincipal(group4).get(0).getName());
+
+ /**
+ * admin delete role3 from group3
+ * admin delete role4 from group4
+ */
+ client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ client.revokeRole(Lists.newArrayList(role3), Lists.newArrayList(group3));
+ client.revokeRole(Lists.newArrayList(role4), Lists.newArrayList(group4));
+
+ // use3 show role on group3, empty role list return
+ client = sqoopServerRunner.getSqoopClient(USER3);
+ assertTrue(client.getRolesByPrincipal(group3).isEmpty());
+
+ // use4 show role on group4, empty role list return
+ client = sqoopServerRunner.getSqoopClient(USER4);
+ assertTrue(client.getRolesByPrincipal(group4).isEmpty());
+ }
+
+ @Test
+ public void testNotSupportShowRoleonUser() throws Exception {
+ SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+ MPrincipal user1 = new MPrincipal("showRoleOnUser", MPrincipal.TYPE.USER);
+ try {
+ client.getRolesByPrincipal(user1);
+ fail("expected not support exception happend");
+ } catch (Exception e) {
+ assertCausedMessage(e, SentrySqoopError.SHOW_GRANT_NOT_SUPPORTED_FOR_PRINCIPAL);
+ }
+ }
+}