Posted to commits@sentry.apache.org by sp...@apache.org on 2018/01/16 20:37:39 UTC
[1/3] sentry git commit: Revert "SENTRY-2023: Add sentry-shell
support for hbase-indexer permissions (Mano Kovacs, reviewed by Sergio Pena)"
Repository: sentry
Updated Branches:
refs/heads/master b5910d24b -> 5a7b07643
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
index 40e7555..0f4bb62 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSolr.java
@@ -18,17 +18,12 @@
package org.apache.sentry.provider.db.generic.tools;
-import com.google.common.collect.Sets;
import com.google.common.io.Files;
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
-import org.apache.sentry.provider.db.tools.SentryShellCommon;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import com.google.common.collect.Sets;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
import java.io.ByteArrayOutputStream;
import java.io.File;
@@ -38,7 +33,16 @@ import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
-import static org.junit.Assert.*;
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.tools.SentryShellCommon;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
private File confDir;
@@ -76,32 +80,32 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
@Override
public void runTestAsSubject() throws Exception {
// test: create role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
// test: create role with --create_role
args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
+ confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
// validate the result, list roles with -lr
- args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
- SentryShellSolr sentryShell = new SentryShellSolr();
+ args = new String[] { "-lr", "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
// validate the result, list roles with --list_role
- args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
// test: drop role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
// test: drop role with --drop_role
args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
+ confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
// validate the result
Set<TSentryRole> roles = client.listAllRoles(requestorName, SOLR);
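Review bot: The component type is passed as a bare literal (`"-t", "solr"`) in every args array of this hunk, while the read-back uses the `SOLR` constant (`client.listAllRoles(requestorName, SOLR)`). A typo in one literal would make the shell act on a different component than the one the assertion checks, and the test could then pass or fail for the wrong reason. A single constant such as `private static final String SHELL_TYPE = "solr";`, used as `"-t", SHELL_TYPE`, keeps the two in step. The same applies to the later hunks of this file and to the `"-t", "sqoop"` literals in TestSentryShellSqoop. runTestAsSubject continues past the end of the hunk.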
@@ -125,41 +129,41 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
client.createRole(requestorName, TEST_ROLE_NAME_2, SOLR);
// test: add role to group with -arg
String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
+ confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
// test: add role to multiple groups
args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
+ "-conf",
+ confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
// test: add role to group with --add_role_group
args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
+ "-conf",
+ confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
// validate the result list roles with -lr and -g
- args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSolr sentryShell = new SentryShellSolr();
+ args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
// list roles with --list_role and -g
args = new String[] { "--list_role", "-g", TEST_GROUP_2, "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1);
args = new String[] { "--list_role", "-g", TEST_GROUP_3, "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1);
// List the groups and roles via listGroups
- args = new String[] { "--list_group", "-conf", confPath.getAbsolutePath()};
- sentryShell = new SentryShellSolr();
+ args = new String[] { "--list_group", "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
Set<String> groups = getShellResultWithOSRedirect(sentryShell, args, true);
assertEquals(3, groups.size());
assertTrue(groups.contains("testGroup3 = testrole1"));
@@ -168,17 +172,17 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
// test: delete role from group with -drg
args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
+ confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
// test: delete role to multiple groups
args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
+ "-conf",
+ confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
// test: delete role from group with --delete_role_group
args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
- "-conf", confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
+ "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
// validate the result
Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, TEST_GROUP_1, SOLR);
@@ -204,22 +208,22 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
// add role to a group (lower case)
String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "group1", "-conf",
- confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
+ confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
// validate the roles when group name is same case as above
- args = new String[] { "-lr", "-g", "group1", "-conf", confPath.getAbsolutePath() };
- SentryShellSolr sentryShell = new SentryShellSolr();
+ args = new String[] { "-lr", "-g", "group1", "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1);
// roles should be empty when group name is different case than above
- args = new String[] { "-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath() };
+ args = new String[] { "-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath(), "-t", "solr" };
roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames);
}
- });
- }
+ });
+ }
public static String grant(boolean shortOption) {
return shortOption ? "-gpr" : "--grant_privilege_role";
@@ -242,21 +246,21 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
client.createRole(requestorName, TEST_ROLE_NAME_2, SOLR);
String [] privs = {
- "Collection=*->action=*",
- "Collection=collection2->action=update",
- "Collection=collection3->action=query",
+ "Collection=*->action=*",
+ "Collection=collection2->action=update",
+ "Collection=collection3->action=query",
};
for (int i = 0; i < privs.length; ++i) {
// test: grant privilege to role
String [] args = new String [] { grant(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
- privs[ i ],
- "-conf", confPath.getAbsolutePath() };
- SentryShellSolr.main(args);
+ privs[ i ],
+ "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
}
// test the list privilege
- String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSolr sentryShell = new SentryShellSolr();
+ String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
assertEquals("Incorrect number of privileges", privs.length, privilegeStrs.size());
for (int i = 0; i < privs.length; ++i) {
@@ -266,8 +270,8 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
for (int i = 0; i < privs.length; ++i) {
args = new String[] { revoke(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
privs[ i ], "-conf",
- confPath.getAbsolutePath()};
- SentryShellSolr.main(args);
+ confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric.main(args);
Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
TEST_ROLE_NAME_1, SOLR, service);
assertEquals("Incorrect number of privileges", privs.length - (i + 1), privileges.size());
@@ -299,8 +303,8 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
public void runTestAsSubject() throws Exception {
client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
// test: create duplicate role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSolr sentryShell = new SentryShellSolr();
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for creating duplicate role");
@@ -309,8 +313,8 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
}
// test: drop non-exist role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for dropping non-exist role");
@@ -320,8 +324,8 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
// test: add non-exist role to group with -arg
args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for granting non-exist role to group");
@@ -331,8 +335,8 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
// test: drop group from non-exist role with -drg
args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for drop group from non-exist role");
@@ -342,8 +346,8 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
// test: grant privilege to role with the error privilege format
args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=*",
- "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for the error privilege format, invalid key value.");
@@ -353,9 +357,9 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
// test: grant privilege to role with the error privilege hierarchy
args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->table=tbl1->column=col2->action=insert", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ "server=server1->table=tbl1->column=col2->action=insert", "-conf",
+ confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for the error privilege format, invalid key value.");
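Review bot: The `fail(...)` message for the "error privilege hierarchy" case is the same text as the preceding "error privilege format" case. If the shell ever accepts a Hive-style `server->table->column` privilege for the Solr component, the failure will be reported as a key/value format problem. A distinct message such as `fail("Exception should be thrown for the error privilege hierarchy");` makes it clear which validation regressed. The matching `catch` is outside the hunk, so the exception type it accepts cannot be checked from here.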
@@ -377,63 +381,63 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
String strOptionConf = "conf";
client.createRole(requestorName, TEST_ROLE_NAME_1, SOLR);
// test: the conf is required argument
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
- SentryShellSolr sentryShell = new SentryShellSolr();
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-t", "solr" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
// test: -r is required when create role
- args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ args = new String[] { "-cr", "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -r is required when drop role
- args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ args = new String[] { "-dr", "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -r is required when add role to group
- args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -g is required when add role to group
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
// test: -r is required when delete role from group
- args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -g is required when delete role from group
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
// test: -r is required when grant privilege to role
- args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -p is required when grant privilege to role
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
// test: action is required in privilege
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "collection=collection1" };
- sentryShell = new SentryShellSolr();
- try {
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "collection=collection1", "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
+ try {
getShellResultWithOSRedirect(sentryShell, args, false);
fail("Expected IllegalArgumentException");
} catch (IllegalArgumentException e) {
@@ -441,20 +445,20 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
}
// test: -r is required when revoke privilege from role
- args = new String[] { "-rpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ args = new String[] { "-rpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -p is required when revoke privilege from role
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "solr" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
// test: command option is required for shell
args = new String[] {"-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSolr();
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsgsContains(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[",
"-arg Add role to group",
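Review bot: The "command option is required for shell" case builds `args` as `{"-conf", confPath.getAbsolutePath()}` with no `-t`, unlike every other SentryShellGeneric invocation in this file. It is not visible here whether the expected missing-option message comes from the absent command alone or is also affected by the absent type, so the test may not isolate the condition its comment names. Either add `"-t", "solr"` to that array or add a comment such as `// -t omitted on purpose: the command check runs before the type is read`, once that has been confirmed. The enclosing method starts and ends outside the hunk.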
@@ -473,8 +477,8 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
}
// redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
- private Set<String> getShellResultWithOSRedirect(SentryShellSolr sentryShell,
- String[] args, boolean expectedExecuteResult) throws Exception {
+ private Set<String> getShellResultWithOSRedirect(SentryShellGeneric sentryShell,
+ String[] args, boolean expectedExecuteResult) throws Exception {
PrintStream oldOut = System.out;
ByteArrayOutputStream outContent = new ByteArrayOutputStream();
System.setOut(new PrintStream(outContent));
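Review bot: `System.setOut(new PrintStream(outContent))` replaces the process-wide stdout, and the restore to `oldOut` is not visible in this hunk. An earlier case in this file expects this helper to throw (`getShellResultWithOSRedirect(sentryShell, args, false)` inside a `catch (IllegalArgumentException e)`). If the restore is not in a `finally`, stdout stays redirected for every later test in the JVM and their output is silently lost. Wrapping the statements after the redirect in `try { … } finally { System.setOut(oldOut); }` closes that gap. The method body continues outside the hunk.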
@@ -487,7 +491,7 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) {
if (expectedRoleNames != null && expectedRoleNames.length > 0) {
assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length,
- expectedRoleNames.length, roleNames.size());
+ expectedRoleNames.length, roleNames.size());
Set<String> lowerCaseRoles = new HashSet<String>();
for (String role : roleNames) {
lowerCaseRoles.add(role.toLowerCase());
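Review bot: validateRoleNames asserts nothing when called without expected names, because the guard `if (expectedRoleNames != null && expectedRoleNames.length > 0)` skips every check and the closing braces visible in the next hunk show no `else` branch. The "roles should be empty when group name is different case" case calls `validateRoleNames(roleNames)` for `GROUP1`, so the case-sensitivity of group matching, an authorization property, is not verified. An `else` branch that fails on any non-blank entry would make that case assert something, e.g. `for (String r : roleNames) { assertTrue("Unexpected role: " + r, r.trim().isEmpty()); }`. How an empty listing appears in the returned set is not visible here, hence the blank-tolerant form. TestSentryShellSqoop makes the same call and presumably has the same helper.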
@@ -495,19 +499,19 @@ public class TestSentryShellSolr extends SentryGenericServiceIntegrationBase {
for (String expectedRole : expectedRoleNames) {
assertTrue("Expected role: " + expectedRole,
- lowerCaseRoles.contains(expectedRole.toLowerCase()));
+ lowerCaseRoles.contains(expectedRole.toLowerCase()));
}
}
}
- private void validateMissingParameterMsg(SentryShellSolr sentryShell, String[] args,
- String expectedErrorMsg) throws Exception {
+ private void validateMissingParameterMsg(SentryShellGeneric sentryShell, String[] args,
+ String expectedErrorMsg) throws Exception {
Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
assertTrue("Expected error message: " + expectedErrorMsg, errorMsgs.contains(expectedErrorMsg));
}
- private void validateMissingParameterMsgsContains(SentryShellSolr sentryShell, String[] args,
- String ... expectedErrorMsgsContains) throws Exception {
+ private void validateMissingParameterMsgsContains(SentryShellGeneric sentryShell, String[] args,
+ String ... expectedErrorMsgsContains) throws Exception {
Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
boolean foundAllMessages = false;
Iterator<String> it = errorMsgs.iterator();
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSqoop.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSqoop.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSqoop.java
index 27614eb..cdba442 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSqoop.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellSqoop.java
@@ -78,32 +78,32 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
@Override
public void runTestAsSubject() throws Exception {
// test: create role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSqoop.main(args);
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric.main(args);
// test: create role with --create_role
args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellSqoop.main(args);
+ confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric.main(args);
// validate the result, list roles with -lr
- args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
- SentryShellSqoop sentryShell = new SentryShellSqoop();
+ args = new String[] { "-lr", "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
// validate the result, list roles with --list_role
- args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
// test: drop role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSqoop.main(args);
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric.main(args);
// test: drop role with --drop_role
args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellSqoop.main(args);
+ confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric.main(args);
// validate the result
Set<TSentryRole> roles = client.listAllRoles(requestorName, AuthorizationComponent.SQOOP);
@@ -127,41 +127,41 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
client.createRole(requestorName, TEST_ROLE_NAME_2, AuthorizationComponent.SQOOP);
// test: add role to group with -arg
String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellSqoop.main(args);
+ confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric.main(args);
// test: add role to multiple groups
args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
"-conf",
- confPath.getAbsolutePath() };
- SentryShellSqoop.main(args);
+ confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric.main(args);
// test: add role to group with --add_role_group
args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
"-conf",
- confPath.getAbsolutePath() };
- SentryShellSqoop.main(args);
+ confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric.main(args);
// validate the result list roles with -lr and -g
- args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSqoop sentryShell = new SentryShellSqoop();
+ args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
// list roles with --list_role and -g
args = new String[] { "--list_role", "-g", TEST_GROUP_2, "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1);
args = new String[] { "--list_role", "-g", TEST_GROUP_3, "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1);
// List the groups and roles via listGroups
- args = new String[] { "--list_group", "-conf", confPath.getAbsolutePath()};
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "--list_group", "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
Set<String> groups = getShellResultWithOSRedirect(sentryShell, args, true);
assertEquals(3, groups.size());
assertTrue(groups.contains("testGroup3 = testrole1"));
@@ -170,17 +170,17 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
// test: delete role from group with -drg
args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellSqoop.main(args);
+ confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric.main(args);
// test: delete role to multiple groups
args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
"-conf",
- confPath.getAbsolutePath() };
- SentryShellSqoop.main(args);
+ confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric.main(args);
// test: delete role from group with --delete_role_group
args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
- "-conf", confPath.getAbsolutePath() };
- SentryShellSqoop.main(args);
+ "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric.main(args);
// validate the result
Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, TEST_GROUP_1, AuthorizationComponent.SQOOP);
@@ -206,17 +206,17 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
client.createRole(requestorName, TEST_ROLE_NAME_1, AuthorizationComponent.SQOOP);
// add role to a group (lower case)
String[] args = {"-arg", "-r", TEST_ROLE_NAME_1, "-g", "group1", "-conf",
- confPath.getAbsolutePath()};
- SentryShellSqoop.main(args);
+ confPath.getAbsolutePath(), "-t", "sqoop"};
+ SentryShellGeneric.main(args);
// validate the roles when group name is same case as above
- args = new String[]{"-lr", "-g", "group1", "-conf", confPath.getAbsolutePath()};
- SentryShellSqoop sentryShell = new SentryShellSqoop();
+ args = new String[]{"-lr", "-g", "group1", "-conf", confPath.getAbsolutePath(), "-t", "sqoop"};
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1);
// roles should be empty when group name is different case than above
- args = new String[]{"-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath()};
+ args = new String[]{"-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath(), "-t", "sqoop"};
roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames);
}
@@ -252,13 +252,13 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
// test: grant privilege to role
String [] args = new String [] { grant(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
privs[ i ],
- "-conf", confPath.getAbsolutePath() };
- SentryShellSqoop.main(args);
+ "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric.main(args);
}
// test the list privilege
- String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSqoop sentryShell = new SentryShellSqoop();
+ String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
assertEquals("Incorrect number of privileges", privs.length, privilegeStrs.size());
@@ -269,8 +269,8 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
for (int i = 0; i < privs.length; ++i) {
args = new String[] { revoke(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
privs[ i ], "-conf",
- confPath.getAbsolutePath()};
- SentryShellSqoop.main(args);
+ confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric.main(args);
Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
TEST_ROLE_NAME_1, AuthorizationComponent.SQOOP, service);
assertEquals("Incorrect number of privileges. Received privileges: " + Arrays.toString(privileges.toArray()), privs.length - (i + 1), privileges.size());
@@ -301,8 +301,8 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
public void runTestAsSubject() throws Exception {
client.createRole(requestorName, TEST_ROLE_NAME_1, AuthorizationComponent.SQOOP);
// test: create duplicate role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellSqoop sentryShell = new SentryShellSqoop();
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for creating duplicate role");
@@ -313,8 +313,8 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
}
// test: drop non-exist role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for dropping non-exist role");
@@ -326,8 +326,8 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
// test: add non-exist role to group with -arg
args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for granting non-exist role to group");
@@ -339,8 +339,8 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
// test: drop group from non-exist role with -drg
args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for drop group from non-exist role");
@@ -352,8 +352,8 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
// test: grant privilege to role with the error privilege format
args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=all",
- "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for the error privilege format, invalid key value.");
@@ -377,62 +377,62 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
String strOptionConf = "conf";
client.createRole(requestorName, TEST_ROLE_NAME_1, AuthorizationComponent.SQOOP);
// test: the conf is required argument
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
- SentryShellSqoop sentryShell = new SentryShellSqoop();
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-t", "sqoop" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
// test: -r is required when create role
- args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "-cr", "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -r is required when drop role
- args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "-dr", "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -r is required when add role to group
- args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -g is required when add role to group
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
// test: -r is required when delete role from group
- args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -g is required when delete role from group
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
// test: -r is required when grant privilege to role
- args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -p is required when grant privilege to role
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
// test: action is required in privilege
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "Server=sqoopServer1->Connector" };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "Server=sqoopServer1->Connector", "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
try {
getShellResultWithOSRedirect(sentryShell, args, false);
fail("Expected IllegalArgumentException");
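Review bot: Every argument array in this hunk, and in the other hunks of this file, now ends with a hand-written `"-t", "sqoop"`, so the component under test is repeated in each call and one omission would change what the test exercises. A small private helper that appends the type, for example `private static String[] withType(String... a)`, or at least a constant such as `private static final String TYPE = "sqoop";`, would keep the choice in one place. The enclosing test method starts and ends outside the hunk.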
@@ -443,20 +443,20 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
}
// test: -r is required when revoke privilege from role
- args = new String[] { "-rpr", "-p", "Server=sqoopServer1->Connector->action=*", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "-rpr", "-p", "Server=sqoopServer1->Connector->action=*", "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -p is required when revoke privilege from role
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
// test: command option is required for shell
- args = new String[] {"-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellSqoop();
+ args = new String[] {"-conf", confPath.getAbsolutePath(), "-t", "sqoop" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsgsContains(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[",
"-arg Add role to group",
@@ -475,7 +475,7 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
}
// redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
- private Set<String> getShellResultWithOSRedirect(SentryShellSqoop sentryShell,
+ private Set<String> getShellResultWithOSRedirect(SentryShellGeneric sentryShell,
String[] args, boolean expectedExecuteResult) throws Exception {
PrintStream oldOut = System.out;
ByteArrayOutputStream outContent = new ByteArrayOutputStream();
@@ -502,13 +502,13 @@ public class TestSentryShellSqoop extends SentryGenericServiceIntegrationBase {
}
}
- private void validateMissingParameterMsg(SentryShellSqoop sentryShell, String[] args,
+ private void validateMissingParameterMsg(SentryShellGeneric sentryShell, String[] args,
String expectedErrorMsg) throws Exception {
Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
assertTrue("Expected error message: " + expectedErrorMsg, errorMsgs.contains(expectedErrorMsg));
}
- private void validateMissingParameterMsgsContains(SentryShellSqoop sentryShell, String[] args,
+ private void validateMissingParameterMsgsContains(SentryShellGeneric sentryShell, String[] args,
String ... expectedErrorMsgsContains) throws Exception {
Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
boolean foundAllMessages = false;
[2/3] sentry git commit: Revert "SENTRY-2023: Add sentry-shell
support for hbase-indexer permissions (Mano Kovacs, reviewed by Sergio Pena)"
Posted by sp...@apache.org.
Revert "SENTRY-2023: Add sentry-shell support for hbase-indexer permissions (Mano Kovacs, reviewed by Sergio Pena)"
Incorrect patch was committed.
This reverts commit b5910d24bfeb7dc42ec098080b3faafc50537250.
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/01c76e79
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/01c76e79
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/01c76e79
Branch: refs/heads/master
Commit: 01c76e79ef5d2dd3fac2df1206918a91de8a7b01
Parents: b5910d2
Author: Sergio Pena <se...@cloudera.com>
Authored: Tue Jan 16 14:29:03 2018 -0600
Committer: Sergio Pena <se...@cloudera.com>
Committed: Tue Jan 16 14:29:03 2018 -0600
----------------------------------------------------------------------
bin/sentryShell | 6 +-
.../common/AbstractAuthorizableFactory.java | 72 ------
.../sentry/core/common/AuthorizableFactory.java | 50 -----
.../sentry/core/common/AuthorizableType.java | 21 --
.../core/model/kafka/KafkaAuthorizable.java | 2 +-
.../model/kafka/KafkaModelAuthorizables.java | 27 ++-
.../core/model/solr/SolrModelAuthorizable.java | 6 +-
.../core/model/solr/SolrModelAuthorizables.java | 52 +++--
.../core/model/sqoop/SqoopAuthorizable.java | 2 +-
.../model/sqoop/SqoopModelAuthorizables.java | 50 +++--
.../tools/GenericPrivilegeConverter.java | 96 ++++----
.../db/generic/tools/SentryConfigToolSolr.java | 9 +-
.../db/generic/tools/SentryShellGeneric.java | 51 +++--
.../db/generic/tools/SentryShellKafka.java | 71 ------
.../db/generic/tools/SentryShellSolr.java | 52 -----
.../db/generic/tools/SentryShellSqoop.java | 52 -----
.../generic/tools/TestSentryConfigToolSolr.java | 9 +-
.../db/generic/tools/TestSentryShellKafka.java | 207 +++++++++--------
.../db/generic/tools/TestSentryShellSolr.java | 224 ++++++++++---------
.../db/generic/tools/TestSentryShellSqoop.java | 164 +++++++-------
20 files changed, 473 insertions(+), 750 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/bin/sentryShell
----------------------------------------------------------------------
diff --git a/bin/sentryShell b/bin/sentryShell
index d7a53b8..17b1429 100755
--- a/bin/sentryShell
+++ b/bin/sentryShell
@@ -60,9 +60,9 @@ while [ $# -gt 0 ]; do # Until you run out of parameters . . .
if [[ "$1" = "-t" || "$1" = "--type" ]]; then
case $2 in
"hive") shell=org.apache.sentry.provider.db.tools.SentryShellHive ;;
- "kafka") shell=org.apache.sentry.provider.db.generic.tools.SentryShellKafka ;;
- "solr") shell=org.apache.sentry.provider.db.generic.tools.SentryShellSolr ;;
- "sqoop") shell=org.apache.sentry.provider.db.generic.tools.SentryShellSqoop;;
+ "kafka") shell=org.apache.sentry.provider.db.generic.tools.SentryShellGeneric ;;
+ "solr") shell=org.apache.sentry.provider.db.generic.tools.SentryShellGeneric ;;
+ "sqoop") shell=org.apache.sentry.provider.db.generic.tools.SentryShellGeneric ;;
*) echo "Doesn't support the type $2!"; exit 1 ;;
esac
fi
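Review bot: The `kafka`, `solr` and `sqoop` arms of the `case` now assign the same class, so the three lines can be one pattern: `"kafka"|"solr"|"sqoop") shell=org.apache.sentry.provider.db.generic.tools.SentryShellGeneric ;;`. With a single generic class the component is no longer implied by the class name, so it presumably has to reach Java through the `-t` value. Whether the script forwards `-t` unchanged is not visible here, and a short comment above the `case` saying so would help. The enclosing `while` loop starts and ends outside the hunk.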
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/AbstractAuthorizableFactory.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/AbstractAuthorizableFactory.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/AbstractAuthorizableFactory.java
deleted file mode 100644
index 14bf2df..0000000
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/AbstractAuthorizableFactory.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.core.common;
-
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Lists;
-import org.apache.sentry.core.common.utils.SentryConstants;
-
-import java.util.List;
-
-/**
- * @param <A> The type of Authorizable the class handles
- */
-public abstract class AbstractAuthorizableFactory<A extends Authorizable, T extends AuthorizableType<A>> implements AuthorizableFactory<A, T> {
-
- @Override
- public A create(String s) {
- List<String> kvList = Lists.newArrayList(SentryConstants.KV_SPLITTER.trimResults().limit(2).split(s));
- if (kvList.size() != 2) {
- throw new IllegalArgumentException("Invalid authorizable string value: " + s + " " + kvList);
- }
-
- String type;
- String name;
-
- type = kvList.get(0);
- Preconditions.checkArgument(!type.isEmpty(), "Type cannot be empty");
- name = kvList.get(1);
- Preconditions.checkArgument(!name.isEmpty(), "Name cannot be empty");
- try {
- return create(type, name);
- } catch (IllegalArgumentException e) {
- return null;
- }
- }
-
- @Override
- public A create(String type, String name) {
- T typeObject = getType(type);
- if (typeObject == null) {
- return null;
- } else {
- return create(typeObject, name);
- }
- }
-
- private T getType(String typeName) {
- for (T type : getTypes()) {
- if (typeName.equalsIgnoreCase(type.name())) {
- return type;
- }
- }
- return null;
- }
-
- protected abstract T[] getTypes();
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/AuthorizableFactory.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/AuthorizableFactory.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/AuthorizableFactory.java
deleted file mode 100644
index 9d3b5e0..0000000
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/AuthorizableFactory.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.core.common;
-
-import javax.annotation.Nullable;
-
-/**
- * Interface for factory class for creating authorizable objects from strings or type-name pairs.
- *
- * @param <A> Type of the Authorizable the implementation handles
- */
-public interface AuthorizableFactory<A extends Authorizable, T extends AuthorizableType<A>> {
- /**
- * Parses authorizable and returns it. If s is unknown authorizable, it returns null.
- * @param s type=name format of authorizable
- * @return
- */
- @Nullable
- A create(String s);
-
- /**
- * Returns authorizable based on type and name
- * @param type
- * @param name
- * @return
- */
- A create(String type, String name);
-
- /**
- * Returns authorizable based on type and name
- * @param type
- * @param name
- * @return
- */
- A create(T type, String name);
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/AuthorizableType.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/AuthorizableType.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/AuthorizableType.java
deleted file mode 100644
index 71cc6dd..0000000
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/AuthorizableType.java
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.core.common;
-
-public interface AuthorizableType<T extends Authorizable> {
- String name();
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaAuthorizable.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaAuthorizable.java b/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaAuthorizable.java
index 269572c..52ae614 100644
--- a/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaAuthorizable.java
+++ b/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaAuthorizable.java
@@ -44,7 +44,7 @@ public interface KafkaAuthorizable extends Authorizable {
/**
* Types of resources that Kafka supports authorization on.
*/
- enum AuthorizableType implements org.apache.sentry.core.common.AuthorizableType<KafkaAuthorizable>{
+ public enum AuthorizableType {
CLUSTER,
HOST,
TOPIC,
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaModelAuthorizables.java b/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaModelAuthorizables.java
index 57a4e20..45a1148 100644
--- a/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaModelAuthorizables.java
+++ b/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaModelAuthorizables.java
@@ -16,19 +16,27 @@
*/
package org.apache.sentry.core.model.kafka;
-import org.apache.sentry.core.common.AbstractAuthorizableFactory;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.model.kafka.KafkaAuthorizable.AuthorizableType;
import org.apache.shiro.config.ConfigurationException;
-public class KafkaModelAuthorizables extends AbstractAuthorizableFactory<KafkaAuthorizable, KafkaAuthorizable.AuthorizableType> {
- private static final KafkaModelAuthorizables instance = new KafkaModelAuthorizables();
-
+public class KafkaModelAuthorizables {
+ public static KafkaAuthorizable from(KeyValue keyValue) throws ConfigurationException {
+ String prefix = keyValue.getKey().toLowerCase();
+ String name = keyValue.getValue();
+ for (AuthorizableType type : AuthorizableType.values()) {
+ if (prefix.equalsIgnoreCase(type.name())) {
+ return from(type, name);
+ }
+ }
+ return null;
+ }
public static KafkaAuthorizable from(String keyValue) throws ConfigurationException {
- return instance.create(keyValue);
+ return from(new KeyValue(keyValue));
}
- @Override
- public KafkaAuthorizable create(KafkaAuthorizable.AuthorizableType type, String name) throws ConfigurationException {
+ public static KafkaAuthorizable from(AuthorizableType type, String name) throws ConfigurationException {
switch (type) {
case HOST:
return new Host(name);
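Review bot: `from(KeyValue)` returns `null` when the key matches no `AuthorizableType`, and nothing in the hunk checks that the key or value is non-empty, which the removed `AbstractAuthorizableFactory.create(String)` did explicitly with `Preconditions.checkArgument`. Whether `KeyValue` rejects empty parts is not visible here, so either keep a guard such as `Preconditions.checkArgument(!name.isEmpty(), "Name cannot be empty");` or document the `null` return in Javadoc on the three public `from` overloads, so that callers building privileges do not pass an unrecognised authorizable on unnoticed. The `toLowerCase()` on the key is also redundant next to `equalsIgnoreCase`. The same pattern appears in `SolrModelAuthorizables.from(KeyValue)` and `SqoopModelAuthorizables.from(KeyValue)`. The body of `from(AuthorizableType, String)` continues outside this hunk.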
@@ -46,9 +54,4 @@ public class KafkaModelAuthorizables extends AbstractAuthorizableFactory<KafkaAu
return null;
}
}
-
- @Override
- protected KafkaAuthorizable.AuthorizableType[] getTypes() {
- return KafkaAuthorizable.AuthorizableType.values();
- }
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-core/sentry-core-model-solr/src/main/java/org/apache/sentry/core/model/solr/SolrModelAuthorizable.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-solr/src/main/java/org/apache/sentry/core/model/solr/SolrModelAuthorizable.java b/sentry-core/sentry-core-model-solr/src/main/java/org/apache/sentry/core/model/solr/SolrModelAuthorizable.java
index 9eb10c3..56cb4c2 100644
--- a/sentry-core/sentry-core-model-solr/src/main/java/org/apache/sentry/core/model/solr/SolrModelAuthorizable.java
+++ b/sentry-core/sentry-core-model-solr/src/main/java/org/apache/sentry/core/model/solr/SolrModelAuthorizable.java
@@ -22,15 +22,13 @@ import com.google.common.annotations.VisibleForTesting;
public abstract class SolrModelAuthorizable implements Authorizable {
- public enum AuthorizableType implements org.apache.sentry.core.common.AuthorizableType<SolrModelAuthorizable> {
+ public enum AuthorizableType {
Collection,
Field,
Admin,
Config,
Schema
- }
-
- ;
+ };
private final AuthorizableType type;
private final String name;
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-core/sentry-core-model-solr/src/main/java/org/apache/sentry/core/model/solr/SolrModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-solr/src/main/java/org/apache/sentry/core/model/solr/SolrModelAuthorizables.java b/sentry-core/sentry-core-model-solr/src/main/java/org/apache/sentry/core/model/solr/SolrModelAuthorizables.java
index 09255e7..7979b33 100644
--- a/sentry-core/sentry-core-model-solr/src/main/java/org/apache/sentry/core/model/solr/SolrModelAuthorizables.java
+++ b/sentry-core/sentry-core-model-solr/src/main/java/org/apache/sentry/core/model/solr/SolrModelAuthorizables.java
@@ -16,39 +16,43 @@
*/
package org.apache.sentry.core.model.solr;
-import org.apache.sentry.core.common.AbstractAuthorizableFactory;
+import org.apache.sentry.core.common.utils.KeyValue;
import org.apache.sentry.core.model.solr.SolrModelAuthorizable.AuthorizableType;
-public class SolrModelAuthorizables extends AbstractAuthorizableFactory<SolrModelAuthorizable, AuthorizableType> {
- private static final SolrModelAuthorizables instance = new SolrModelAuthorizables();
+public class SolrModelAuthorizables {
- public static SolrModelAuthorizable from(String s) {
- return instance.create(s);
+ private SolrModelAuthorizables() {
+ // Make constructor private to avoid instantiation
}
- public SolrModelAuthorizable create(SolrModelAuthorizable.AuthorizableType type, String name) {
+ public static SolrModelAuthorizable from(KeyValue keyValue) {
+ String prefix = keyValue.getKey().toLowerCase();
+ String name = keyValue.getValue().toLowerCase();
SolrModelAuthorizable result = null;
- switch (type) {
- case Collection:
- result = new Collection(name);
- break;
- case Admin:
- result = new AdminOperation(name);
- break;
- case Config:
- result = new Config(name);
- break;
- case Schema:
- result = new Schema(name);
- break;
- default:
- break;
+ for(AuthorizableType type : AuthorizableType.values()) {
+ if(prefix.equalsIgnoreCase(type.name())) {
+ switch (type) {
+ case Collection:
+ result = new Collection(name);
+ break;
+ case Admin:
+ result = new AdminOperation(name);
+ break;
+ case Config:
+ result = new Config(name);
+ break;
+ case Schema:
+ result = new Schema(name);
+ break;
+ default:
+ break;
+ }
+ }
}
return result;
}
- @Override
- protected SolrModelAuthorizable.AuthorizableType[] getTypes() {
- return SolrModelAuthorizable.AuthorizableType.values();
+ public static SolrModelAuthorizable from(String s) {
+ return from(new KeyValue(s));
}
}
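Review bot: In `from(KeyValue)` the resource name is normalised with `keyValue.getValue().toLowerCase()`, which uses the JVM's default locale, so the same privilege string can yield a different collection or config name on a host running, for example, a Turkish locale. For names that feed authorization decisions use `keyValue.getValue().toLowerCase(Locale.ROOT)` (needs `import java.util.Locale;`); `SqoopModelAuthorizables.from(KeyValue)` lowercases the name the same way. The loop also keeps iterating after a match, and `Field` falls through to `default` and so yields `null`. A `break` after the `switch` and a comment on the `default` arm stating that `Field` is deliberately unsupported (if it is) would make both explicit.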
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopAuthorizable.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopAuthorizable.java b/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopAuthorizable.java
index f060d27..934875e 100644
--- a/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopAuthorizable.java
+++ b/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopAuthorizable.java
@@ -24,7 +24,7 @@ import org.apache.sentry.core.common.Authorizable;
*/
public interface SqoopAuthorizable extends Authorizable {
String ALL = "*";
- enum AuthorizableType implements org.apache.sentry.core.common.AuthorizableType<SqoopAuthorizable> {
+ public enum AuthorizableType {
SERVER,
CONNECTOR,
LINK,
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopModelAuthorizables.java b/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopModelAuthorizables.java
index 0227fb8..3bb9a19 100644
--- a/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopModelAuthorizables.java
+++ b/sentry-core/sentry-core-model-sqoop/src/main/java/org/apache/sentry/core/model/sqoop/SqoopModelAuthorizables.java
@@ -16,34 +16,42 @@
*/
package org.apache.sentry.core.model.sqoop;
-import org.apache.sentry.core.common.AbstractAuthorizableFactory;
+import org.apache.sentry.core.model.sqoop.SqoopAuthorizable.AuthorizableType;
+import org.apache.sentry.core.common.utils.KeyValue;
-public class SqoopModelAuthorizables extends AbstractAuthorizableFactory<SqoopAuthorizable, SqoopAuthorizable.AuthorizableType> {
+public class SqoopModelAuthorizables {
- private static final SqoopModelAuthorizables instance = new SqoopModelAuthorizables();
+ private SqoopModelAuthorizables() {
+ // Make constructor private to avoid instantiation
+ }
- public static SqoopAuthorizable from(String keyValue) {
- return instance.create(keyValue);
+ public static SqoopAuthorizable from(KeyValue keyValue) {
+ String prefix = keyValue.getKey().toLowerCase();
+ String name = keyValue.getValue().toLowerCase();
+ for (AuthorizableType type : AuthorizableType.values()) {
+ if(prefix.equalsIgnoreCase(type.name())) {
+ return from(type, name);
+ }
+ }
+ return null;
}
+ public static SqoopAuthorizable from(String keyValue) {
+ return from(new KeyValue(keyValue));
+ }
- public SqoopAuthorizable create(SqoopAuthorizable.AuthorizableType type, String name) {
+ public static SqoopAuthorizable from(AuthorizableType type, String name) {
switch(type) {
- case SERVER:
- return new Server(name);
- case JOB:
- return new Job(name);
- case CONNECTOR:
- return new Connector(name);
- case LINK:
- return new Link(name);
- default:
- return null;
+ case SERVER:
+ return new Server(name);
+ case JOB:
+ return new Job(name);
+ case CONNECTOR:
+ return new Connector(name);
+ case LINK:
+ return new Link(name);
+ default:
+ return null;
}
}
-
- @Override
- protected SqoopAuthorizable.AuthorizableType[] getTypes() {
- return SqoopAuthorizable.AuthorizableType.values();
- }
}
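Review bot: `from(KeyValue)` normalises the key and value with the no-argument `toLowerCase()`, which follows the JVM's default locale, so the authorizable name built here can differ between hosts (a Turkish locale lower-cases `I` to a dotless `ı`). These names are later copied into privileges, so the normalisation should be locale-independent: `String name = keyValue.getValue().toLowerCase(Locale.ROOT);`, with a `java.util.Locale` import. Lower-casing `prefix` is redundant because the comparison is already `equalsIgnoreCase`. The method returns `null` for an unknown type, which deserves a Javadoc line such as `@return the authorizable, or null when the key names no known type` so that callers check for it.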
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
index e6fa763..c65b66d 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
@@ -18,25 +18,37 @@
package org.apache.sentry.provider.db.generic.tools;
-import com.google.common.base.Function;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SEPARATOR;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_SEPARATOR;
+import static org.apache.sentry.core.common.utils.SentryConstants.RESOURCE_WILDCARD_VALUE;
+
import com.google.common.collect.Lists;
+
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+
import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.AuthorizableFactory;
import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.core.common.utils.KeyValue;
import org.apache.sentry.core.common.utils.PolicyFileConstants;
import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.core.common.validator.PrivilegeValidator;
import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.sentry.core.model.kafka.KafkaAuthorizable;
+import org.apache.sentry.core.model.kafka.KafkaModelAuthorizables;
+import org.apache.sentry.core.model.kafka.KafkaPrivilegeModel;
+import org.apache.sentry.core.model.solr.SolrModelAuthorizables;
+import org.apache.sentry.core.model.solr.SolrPrivilegeModel;
+import org.apache.sentry.core.model.sqoop.SqoopModelAuthorizables;
+import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel;
+import org.apache.sentry.provider.common.AuthorizationComponent;
import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
import org.apache.shiro.config.ConfigurationException;
-import java.util.ArrayList;
-import java.util.List;
-
/**
* A TSentryPrivilegeConverter implementation for "Generic" privileges, covering Apache Kafka, Apache Solr and Apache Sqoop.
* It converts privilege Strings to TSentryPrivilege Objects, and vice versa, for Generic clients.
@@ -49,24 +61,16 @@ public class GenericPrivilegeConverter implements TSentryPrivilegeConverter {
private String service;
private boolean validate;
- private List<PrivilegeValidator> privilegeValidators;
-
- private AuthorizableFactory authorizableFactory;
-
- /**
- * Optional function to parse or convert privilege string.
- */
- private Function<String, String> privilegeStrParser;
+ public GenericPrivilegeConverter(String component, String service) {
+ this(component, service, true);
+ }
- public GenericPrivilegeConverter(String component, String service, List<PrivilegeValidator> privilegeValidators, AuthorizableFactory authorizableFactory, boolean validate) {
+ public GenericPrivilegeConverter(String component, String service, boolean validate) {
this.component = component;
this.service = service;
- this.privilegeValidators = privilegeValidators;
- this.authorizableFactory = authorizableFactory;
this.validate = validate;
}
-
public TSentryPrivilege fromString(String privilegeStr) throws SentryUserException {
privilegeStr = parsePrivilegeString(privilegeStr);
if (validate) {
@@ -74,13 +78,13 @@ public class GenericPrivilegeConverter implements TSentryPrivilegeConverter {
}
TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
- List<TAuthorizable> authorizables = new ArrayList<>();
+ List<TAuthorizable> authorizables = new LinkedList<TAuthorizable>();
for (String authorizable : SentryConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
KeyValue keyValue = new KeyValue(authorizable);
String key = keyValue.getKey();
String value = keyValue.getValue();
- Authorizable authz = authorizableFactory.create(key, value);
+ Authorizable authz = getAuthorizable(keyValue);
if (authz != null) {
authorizables.add(new TAuthorizable(authz.getTypeName(), authz.getName()));
} else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
@@ -107,30 +111,39 @@ public class GenericPrivilegeConverter implements TSentryPrivilegeConverter {
String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
: "false");
- for (TAuthorizable tAuthorizable : authorizables) {
- privileges.add(SentryConstants.KV_JOINER.join(
- tAuthorizable.getType(), tAuthorizable.getName()));
+ Iterator<TAuthorizable> it = authorizables.iterator();
+ if (it != null) {
+ while (it.hasNext()) {
+ TAuthorizable tAuthorizable = it.next();
+ privileges.add(SentryConstants.KV_JOINER.join(
+ tAuthorizable.getType(), tAuthorizable.getName()));
+ }
}
if (!authorizables.isEmpty()) {
privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
+ PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
}
// only append the grant option to privilege string if it's true
if ("true".equals(grantOption)) {
privileges.add(SentryConstants.KV_JOINER.join(
- PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
+ PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
}
}
return SentryConstants.AUTHORIZABLE_JOINER.join(privileges);
}
private String parsePrivilegeString(String privilegeStr) {
- if (privilegeStrParser == null) {
- return privilegeStr;
+ if (AuthorizationComponent.KAFKA.equals(component)) {
+ final String hostPrefix = KafkaAuthorizable.AuthorizableType.HOST.name() + KV_SEPARATOR;
+ final String hostPrefixLowerCase = hostPrefix.toLowerCase();
+ if (!privilegeStr.toLowerCase().startsWith(hostPrefixLowerCase)) {
+ return hostPrefix + RESOURCE_WILDCARD_VALUE + AUTHORIZABLE_SEPARATOR + privilegeStr;
+ }
}
- return privilegeStrParser.apply(privilegeStr);
+
+ return privilegeStr;
}
private void validatePrivilegeHierarchy(String privilegeStr) throws SentryUserException {
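Review bot: In `parsePrivilegeString` the Kafka branch decides whether to prepend a wildcard host by a prefix test only, so a privilege string that names a host anywhere but first gets a wildcard host entry added in front of it. Whether the hierarchy validation rejects that result is not visible in this hunk, and that validation is skipped when `validate` is false. A comment such as `// HOST must be the first authorizable; otherwise a wildcard host is prepended` would record the assumption. The test can also avoid copying the whole input: `if (!privilegeStr.regionMatches(true, 0, hostPrefix, 0, hostPrefix.length())) {`. Separately, the `it != null` guard in the loop above looks unreachable, since a collection's `iterator()` does not return null, and a null `authorizables` would already fail on the call itself.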
@@ -145,21 +158,28 @@ public class GenericPrivilegeConverter implements TSentryPrivilegeConverter {
}
}
- private List<PrivilegeValidator> getPrivilegeValidators() {
- return privilegeValidators;
- }
-
+ private List<PrivilegeValidator> getPrivilegeValidators() throws SentryUserException {
+ if (AuthorizationComponent.KAFKA.equals(component)) {
+ return KafkaPrivilegeModel.getInstance().getPrivilegeValidators();
+ } else if ("SOLR".equals(component)) {
+ return SolrPrivilegeModel.getInstance().getPrivilegeValidators();
+ } else if (AuthorizationComponent.SQOOP.equals(component)) {
+ return SqoopPrivilegeModel.getInstance().getPrivilegeValidators(service);
+ }
- public void setPrivilegeValidators(List<PrivilegeValidator> privilegeValidators) {
- this.privilegeValidators = privilegeValidators;
+ throw new SentryUserException("Invalid component specified for GenericPrivilegeCoverter: " + component);
}
- public void setAuthorizableFactory(AuthorizableFactory authorizableFactory) {
- this.authorizableFactory = authorizableFactory;
- }
+ private Authorizable getAuthorizable(KeyValue keyValue) throws SentryUserException {
+ if (AuthorizationComponent.KAFKA.equals(component)) {
+ return KafkaModelAuthorizables.from(keyValue);
+ } else if ("SOLR".equals(component)) {
+ return SolrModelAuthorizables.from(keyValue);
+ } else if (AuthorizationComponent.SQOOP.equals(component)) {
+ return SqoopModelAuthorizables.from(keyValue);
+ }
- public void setPrivilegeStrParser(Function<String, String> privilegeStrParser) {
- this.privilegeStrParser = privilegeStrParser;
+ throw new SentryUserException("Invalid component specified for GenericPrivilegeCoverter: " + component);
}
}
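Review bot: `getPrivilegeValidators` and `getAuthorizable` repeat the same three-way dispatch on `component`, and an unsupported component is rejected only on first use rather than in the constructor. The Solr branch compares case-sensitively against the bare literal `"SOLR"`, while the removed `SentryShellSolr` returned `AuthorizationComponent.Search`; if that constant has a different value or case, a caller still passing it would now reach the exception. Both messages misspell the class name and should read `"Invalid component specified for GenericPrivilegeConverter: " + component`. A named constant for the Solr component, shared with `SentryShellGeneric`, would keep the two files in step.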
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
index 10b875d..5649f43 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
@@ -18,7 +18,6 @@
package org.apache.sentry.provider.db.generic.tools;
-import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.google.common.collect.Table;
@@ -30,8 +29,6 @@ import org.apache.sentry.core.common.Action;
import org.apache.sentry.core.common.exception.SentryConfigurationException;
import org.apache.sentry.core.common.utils.KeyValue;
import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.core.common.validator.PrivilegeValidator;
-import org.apache.sentry.core.model.solr.SolrModelAuthorizables;
import org.apache.sentry.core.model.solr.SolrPrivilegeModel;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.common.ProviderBackendContext;
@@ -95,8 +92,7 @@ public class SentryConfigToolSolr extends SentryConfigToolCommon {
SimpleFileProviderBackend policyFileBackend =
new SimpleFileProviderBackend(conf, policyFile);
ProviderBackendContext context = new ProviderBackendContext();
- ImmutableList<PrivilegeValidator> privilegeValidators = SolrPrivilegeModel.getInstance().getPrivilegeValidators();
- context.setValidators(privilegeValidators);
+ context.setValidators(SolrPrivilegeModel.getInstance().getPrivilegeValidators());
policyFileBackend.initialize(context);
if (validate) {
validatePolicy(policyFileBackend);
@@ -110,8 +106,7 @@ public class SentryConfigToolSolr extends SentryConfigToolCommon {
Set<String> roles = Sets.newHashSet();
Table<String, String, Set<String>> groupRolePrivilegeTable =
policyFileBackend.getGroupRolePrivilegeTable();
- SolrModelAuthorizables authorizableFactory = new SolrModelAuthorizables();
- GenericPrivilegeConverter converter = new GenericPrivilegeConverter(component, service, privilegeValidators, authorizableFactory, false);
+ GenericPrivilegeConverter converter = new GenericPrivilegeConverter(component, service, false);
for (String groupName : groupRolePrivilegeTable.rowKeySet()) {
for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
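Review bot: The bare `false` in `new GenericPrivilegeConverter(component, service, false)` switches off privilege validation for strings read from the policy file, and the only other check visible here, `validatePolicy(policyFileBackend)` in the previous hunk, runs only when `validate` is set. If that is intended, say so at the call site, for example `// converter validation is off on purpose: validatePolicy() covers it when requested`. The enclosing method continues outside the hunk, so a later check may exist.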
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
index 8dc04f3..1623f38 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
@@ -25,11 +25,12 @@ import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.provider.common.AuthorizationComponent;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
import org.apache.sentry.provider.db.generic.tools.command.GenericShellCommand;
+import org.apache.sentry.provider.db.generic.tools.command.TSentryPrivilegeConverter;
import org.apache.sentry.provider.db.tools.SentryShellCommon;
-import org.apache.sentry.service.thrift.ServiceConstants;
import org.apache.sentry.provider.db.tools.ShellCommand;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -42,26 +43,25 @@ import com.google.common.collect.Sets;
* create role, drop role, add group to role, grant privilege to role,
* revoke privilege from role, list roles, list privilege for role.
*/
-abstract public class SentryShellGeneric extends SentryShellCommon {
+public class SentryShellGeneric extends SentryShellCommon {
private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellGeneric.class);
-
- abstract protected GenericPrivilegeConverter getPrivilegeConverter(String component, String service);
-
- abstract protected String getComponent(Configuration conf);
+ private static final String KAFKA_SERVICE_NAME = "sentry.service.client.kafka.service.name";
+ private static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
+ private static final String SQOOP_SERVICE_NAME = "sentry.service.client.sqoop.service.name";
@Override
public void run() throws Exception {
+ String component = getComponent();
Configuration conf = getSentryConf();
- String component = getComponent(conf);
- String service = getServiceName(conf);
-
+ String service = getService(conf);
try (SentryGenericServiceClient client =
- SentryGenericServiceClientFactory.create(conf)) {
+ SentryGenericServiceClientFactory.create(conf)) {
UserGroupInformation ugi = UserGroupInformation.getLoginUser();
String requestorName = ugi.getShortUserName();
- ShellCommand command = new GenericShellCommand(client, component, service, getPrivilegeConverter(component, service));
+ TSentryPrivilegeConverter converter = new GenericPrivilegeConverter(component, service);
+ ShellCommand command = new GenericShellCommand(client, component, service, converter);
// check the requestor name
if (StringUtils.isEmpty(requestorName)) {
@@ -102,12 +102,28 @@ abstract public class SentryShellGeneric extends SentryShellCommon {
}
}
- protected String getServiceName(Configuration conf) {
- return getServiceNameGeneric(conf);
+ private String getComponent() throws Exception {
+ if (type == TYPE.kafka) {
+ return AuthorizationComponent.KAFKA;
+ } else if (type == TYPE.solr) {
+ return "SOLR";
+ } else if (type == TYPE.sqoop) {
+ return AuthorizationComponent.SQOOP;
+ }
+
+ throw new Exception("Invalid type specified for SentryShellGeneric: " + type);
}
- protected String getServiceNameGeneric(Configuration conf) {
- return conf.get(ServiceConstants.ClientConfig.SERVICE_NAME);
+ private String getService(Configuration conf) throws Exception {
+ if (type == TYPE.kafka) {
+ return conf.get(KAFKA_SERVICE_NAME, AuthorizationComponent.KAFKA);
+ } else if (type == TYPE.solr) {
+ return conf.get(SOLR_SERVICE_NAME, "service1");
+ } else if (type == TYPE.sqoop) {
+ return conf.get(SQOOP_SERVICE_NAME, "sqoopServer1");
+ }
+
+ throw new Exception("Invalid type specified for SentryShellGeneric: " + type);
}
private Configuration getSentryConf() {
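Review bot: `getComponent()` and `getService()` both end in `throw new Exception(...)`, a raw checked type that callers cannot tell apart from any other failure. `throw new IllegalArgumentException("Invalid type specified for SentryShellGeneric: " + type);` keeps the `throws Exception` signatures valid and names the cause. The two methods walk the same `if (type == TYPE....)` chain, so a `switch (type)` in each would read more directly. `getService` also falls back silently to `"service1"` and `"sqoopServer1"` when the configuration key is missing, so a misconfigured shell would presumably operate on that default service; logging the resolved service name in `run()` would make this visible. `type` is declared outside the hunk.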
@@ -116,9 +132,10 @@ abstract public class SentryShellGeneric extends SentryShellCommon {
return conf;
}
- protected void doMain(String[] args) throws Exception {
+ public static void main(String[] args) throws Exception {
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
try {
- executeShell(args);
+ sentryShell.executeShell(args);
} catch (Exception e) {
LOGGER.error(e.getMessage(), e);
Throwable current = e;
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java
deleted file mode 100644
index 225c2e3..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellKafka.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools;
-
-import com.google.common.base.Function;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.model.kafka.KafkaAuthorizable;
-import org.apache.sentry.core.model.kafka.KafkaModelAuthorizables;
-import org.apache.sentry.core.model.kafka.KafkaPrivilegeModel;
-import org.apache.sentry.provider.common.AuthorizationComponent;
-
-import javax.annotation.Nullable;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.*;
-
-public class SentryShellKafka extends SentryShellGeneric {
- private static final String KAFKA_SERVICE_NAME = "sentry.service.client.kafka.service.name";
-
- @Override
- protected GenericPrivilegeConverter getPrivilegeConverter(String component, String service) {
- GenericPrivilegeConverter privilegeConverter = new GenericPrivilegeConverter(
- component,
- service,
- KafkaPrivilegeModel.getInstance().getPrivilegeValidators(),
- new KafkaModelAuthorizables(),
- true
- );
- privilegeConverter.setPrivilegeStrParser(new Function<String, String>() {
- @Nullable
- @Override
- public String apply(@Nullable String privilegeStr) {
- final String hostPrefix = KafkaAuthorizable.AuthorizableType.HOST.name() + KV_SEPARATOR;
- final String hostPrefixLowerCase = hostPrefix.toLowerCase();
- if (!privilegeStr.toLowerCase().startsWith(hostPrefixLowerCase)) {
- return hostPrefix + RESOURCE_WILDCARD_VALUE + AUTHORIZABLE_SEPARATOR + privilegeStr;
- }
- return privilegeStr;
- }
- });
- return privilegeConverter;
- }
-
- @Override
- protected String getComponent(Configuration conf) {
- return AuthorizationComponent.KAFKA;
- }
-
- @Override
- protected String getServiceName(Configuration conf) {
- return conf.get(KAFKA_SERVICE_NAME, AuthorizationComponent.KAFKA);
- }
-
- public static void main(String[] args) throws Exception {
- new SentryShellKafka().doMain(args);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
deleted file mode 100644
index de37e42..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSolr.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.model.solr.SolrModelAuthorizables;
-import org.apache.sentry.core.model.solr.SolrPrivilegeModel;
-import org.apache.sentry.provider.common.AuthorizationComponent;
-
-public class SentryShellSolr extends SentryShellGeneric {
- private static final String SOLR_SERVICE_NAME = "sentry.service.client.solr.service.name";
-
- @Override
- protected GenericPrivilegeConverter getPrivilegeConverter(String component, String service) {
- return new GenericPrivilegeConverter(
- component,
- service,
- SolrPrivilegeModel.getInstance().getPrivilegeValidators(),
- new SolrModelAuthorizables(),
- true
- );
- }
-
- @Override
- protected String getComponent(Configuration conf) {
- return AuthorizationComponent.Search;
- }
-
- @Override
- protected String getServiceName(Configuration conf) {
- return conf.get(SOLR_SERVICE_NAME, "service1");
- }
-
- public static void main(String[] args) throws Exception {
- new SentryShellSolr().doMain(args);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSqoop.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSqoop.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSqoop.java
deleted file mode 100644
index 6315bb5..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellSqoop.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.generic.tools;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.model.sqoop.SqoopModelAuthorizables;
-import org.apache.sentry.core.model.sqoop.SqoopPrivilegeModel;
-import org.apache.sentry.provider.common.AuthorizationComponent;
-
-public class SentryShellSqoop extends SentryShellGeneric {
- private static final String SQOOP_SERVICE_NAME = "sentry.service.client.sqoop.service.name";
-
- @Override
- protected GenericPrivilegeConverter getPrivilegeConverter(String component, String service) {
- return new GenericPrivilegeConverter(
- component,
- service,
- SqoopPrivilegeModel.getInstance().getPrivilegeValidators(service),
- new SqoopModelAuthorizables(),
- true
- );
- }
-
- @Override
- protected String getComponent(Configuration conf) {
- return AuthorizationComponent.SQOOP;
- }
-
- @Override
- protected String getServiceName(Configuration conf) {
- return conf.get(SQOOP_SERVICE_NAME, "sqoopServer1");
- }
-
- public static void main(String[] args) throws Exception {
- new SentryShellSqoop().doMain(args);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
index 4a94776..9e6ff42 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolSolr.java
@@ -33,8 +33,6 @@ import java.util.Map;
import java.util.Set;
import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.model.solr.SolrModelAuthorizables;
-import org.apache.sentry.core.model.solr.SolrPrivilegeModel;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
@@ -135,12 +133,7 @@ public class TestSentryConfigToolSolr extends SentryGenericServiceIntegrationBas
}
// check privileges
- GenericPrivilegeConverter convert = new GenericPrivilegeConverter(
- SOLR,
- service,
- SolrPrivilegeModel.getInstance().getPrivilegeValidators(),
- new SolrModelAuthorizables(),
- true);
+ GenericPrivilegeConverter convert = new GenericPrivilegeConverter(SOLR, service);
for (String role : roles) {
Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(
requestorName, role, SOLR, service);
http://git-wip-us.apache.org/repos/asf/sentry/blob/01c76e79/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
index fc1d1ac..a9234fa 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellKafka.java
@@ -79,32 +79,32 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
@Override
public void runTestAsSubject() throws Exception {
// test: create role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric.main(args);
// test: create role with --create_role
args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric.main(args);
// validate the result, list roles with -lr
- args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
- SentryShellKafka sentryShell = new SentryShellKafka();
+ args = new String[] { "-lr", "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
// validate the result, list roles with --list_role
- args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
// test: drop role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric.main(args);
// test: drop role with --drop_role
args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric.main(args);
// validate the result
Set<TSentryRole> roles = client.listAllRoles(requestorName, KAFKA);
@@ -128,41 +128,41 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
client.createRole(requestorName, TEST_ROLE_NAME_2, KAFKA);
// test: add role to group with -arg
String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric.main(args);
// test: add role to multiple groups
args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
+ "-conf",
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric.main(args);
// test: add role to group with --add_role_group
args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
+ "-conf",
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric.main(args);
// validate the result list roles with -lr and -g
- args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath() };
- SentryShellKafka sentryShell = new SentryShellKafka();
+ args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
// list roles with --list_role and -g
args = new String[] { "--list_role", "-g", TEST_GROUP_2, "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1);
args = new String[] { "--list_role", "-g", TEST_GROUP_3, "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1);
// List the groups and roles via listGroups
- args = new String[] { "--list_group", "-conf", confPath.getAbsolutePath()};
- sentryShell = new SentryShellKafka();
+ args = new String[] { "--list_group", "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
Set<String> groups = getShellResultWithOSRedirect(sentryShell, args, true);
assertEquals(3, groups.size());
assertTrue(groups.contains("testGroup3 = testrole1"));
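Review bot: The component selector `"-t", "kafka"` is written out by hand in every argument array of this hunk and of the hunks that follow, while the direct client calls use the `KAFKA` constant. If the literal and the constant ever differ, the shell commands would presumably act on a different component than the one the assertions read back, and the role and group checks would pass or fail for the wrong reason. A small private helper that appends the selector to the other arguments, built from the same constant where its value allows, would keep the two in step. The enclosing test method starts before this hunk and continues after it.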
@@ -171,17 +171,17 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
// test: delete role from group with -drg
args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric.main(args);
// test: delete role to multiple groups
args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
+ "-conf",
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric.main(args);
// test: delete role from group with --delete_role_group
args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
- "-conf", confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
+ "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric.main(args);
// validate the result
Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, TEST_GROUP_1, KAFKA);
@@ -207,17 +207,17 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
// add role to a group (lower case)
String[] args = {"-arg", "-r", TEST_ROLE_NAME_1, "-g", "group1", "-conf",
- confPath.getAbsolutePath()};
- SentryShellKafka.main(args);
+ confPath.getAbsolutePath(), "-t", "kafka"};
+ SentryShellGeneric.main(args);
// validate the roles when group name is same case as above
- args = new String[]{"-lr", "-g", "group1", "-conf", confPath.getAbsolutePath()};
- SentryShellKafka sentryShell = new SentryShellKafka();
+ args = new String[]{"-lr", "-g", "group1", "-conf", confPath.getAbsolutePath(), "-t", "kafka"};
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames, TEST_ROLE_NAME_1);
// roles should be empty when group name is different case than above
- args = new String[]{"-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath()};
+ args = new String[]{"-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath(), "-t", "kafka"};
roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
validateRoleNames(roleNames);
}
@@ -245,23 +245,23 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
client.createRole(requestorName, TEST_ROLE_NAME_2, KAFKA);
String [] privs = {
- "HOST=*->CLUSTER=kafka-cluster->action=read",
- "HOST=h1->TOPIC=t1->action=write",
- "HOST=*->CONSUMERGROUP=cg1->action=read",
- "CLUSTER=kafka-cluster->action=write",
- "CONSUMERGROUP=cg2->action=write"
+ "HOST=*->CLUSTER=kafka-cluster->action=read",
+ "HOST=h1->TOPIC=t1->action=write",
+ "HOST=*->CONSUMERGROUP=cg1->action=read",
+ "CLUSTER=kafka-cluster->action=write",
+ "CONSUMERGROUP=cg2->action=write"
};
for (int i = 0; i < privs.length; ++i) {
// test: grant privilege to role
String [] args = new String [] { grant(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
- privs[ i ],
- "-conf", confPath.getAbsolutePath()};
- SentryShellKafka.main(args);
+ privs[ i ],
+ "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric.main(args);
}
// test the list privilege
- String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath()};
- SentryShellKafka sentryShell = new SentryShellKafka();
+ String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
assertEquals("Incorrect number of privileges", privs.length, privilegeStrs.size());
@@ -272,8 +272,8 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
for (int i = 0; i < privs.length; ++i) {
args = new String[] { revoke(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
privs[ i ], "-conf",
- confPath.getAbsolutePath() };
- SentryShellKafka.main(args);
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric.main(args);
Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
TEST_ROLE_NAME_1, KAFKA, service);
assertEquals("Incorrect number of privileges. Received privileges: " + Arrays.toString(privileges.toArray()), privs.length - (i + 1), privileges.size());
@@ -305,8 +305,8 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
public void runTestAsSubject() throws Exception {
client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
// test: create duplicate role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellKafka sentryShell = new SentryShellKafka();
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for creating duplicate role");
@@ -317,8 +317,8 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
}
// test: drop non-exist role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for dropping non-exist role");
@@ -330,8 +330,8 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
// test: add non-exist role to group with -arg
args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for granting non-exist role to group");
@@ -343,8 +343,8 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
// test: drop group from non-exist role with -drg
args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for drop group from non-exist role");
@@ -356,8 +356,8 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
// test: grant privilege to role with the error privilege format
args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=all",
- "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for the error privilege format, invalid key value.");
@@ -369,17 +369,16 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
// test: grant privilege to role with the error privilege hierarchy
args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "consumergroup=cg1->host=h1->action=create", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ "consumergroup=cg1->host=h1->action=create", "-conf",
+ confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
try {
sentryShell.executeShell(args);
fail("Exception should be thrown for the error privilege format, invalid key value.");
} catch (IllegalArgumentException e) {
// expected exception
} catch (Exception e) {
- throw e;
-// fail ("Unexpected exception received. " + e);
+ fail ("Unexpected exception received. " + e);
}
// clear the test data
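Review bot: Replacing `throw e;` with `fail ("Unexpected exception received. " + e);` in the last catch arm discards the stack trace and cause of the unexpected exception, leaving only its `toString()` in the failure message. `runTestAsSubject()` is declared `throws Exception` in an earlier hunk, and this code appears to belong to that method, so the generic `catch (Exception e)` arm can be dropped and JUnit will report the full trace. The `fail(...)` text inside the try also looks copied from the previous case ("invalid key value"), although this case exercises the privilege hierarchy; something like `fail("Exception should be thrown for the invalid privilege hierarchy.");` would match what is tested. The method body starts before this hunk.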
@@ -396,86 +395,86 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
String strOptionConf = "conf";
client.createRole(requestorName, TEST_ROLE_NAME_1, KAFKA);
// test: the conf is required argument
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
- SentryShellKafka sentryShell = new SentryShellKafka();
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-t", "kafka" };
+ SentryShellGeneric sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
// test: -r is required when create role
- args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] { "-cr", "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -r is required when drop role
- args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] { "-dr", "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -r is required when add role to group
- args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -g is required when add role to group
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
// test: -r is required when delete role from group
- args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -g is required when delete role from group
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
// test: -r is required when grant privilege to role
- args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -p is required when grant privilege to role
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
// test: action is required in privilege
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "host=*->topic=t1" };
- sentryShell = new SentryShellKafka();
- try {
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "host=*->topic=t1", "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
+ try {
getShellResultWithOSRedirect(sentryShell, args, false);
fail("Expected IllegalArgumentException");
} catch (IllegalArgumentException e) {
assert(("Kafka privilege must end with a valid action.\n" + KafkaPrivilegeValidator.KafkaPrivilegeHelpMsg).equals(e.getCause().getMessage()));
} catch (Exception e) {
- fail ("Unexpected exception received. " + e);
- }
+ fail ("Unexpected exception received. " + e);
+ }
// test: -r is required when revoke privilege from role
- args = new String[] { "-rpr", "-p", "host=h1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] { "-rpr", "-p", "host=h1", "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
// test: -p is required when revoke privilege from role
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsg(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
// test: command option is required for shell
- args = new String[] {"-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellKafka();
+ args = new String[] {"-conf", confPath.getAbsolutePath(), "-t", "kafka" };
+ sentryShell = new SentryShellGeneric();
validateMissingParameterMsgsContains(sentryShell, args,
SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[",
"-arg Add role to group",
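Review bot: The `IllegalArgumentException` arm of the "action is required in privilege" case checks the message with the Java `assert` keyword, which is evaluated only when the JVM runs with assertions enabled. Without that, the validator's error text is never verified and the case passes on any IllegalArgumentException. The JUnit call this file already uses makes the check unconditional and prints both strings on mismatch: `assertEquals("Kafka privilege must end with a valid action.\n" + KafkaPrivilegeValidator.KafkaPrivilegeHelpMsg, e.getCause().getMessage());`. `e.getCause()` is dereferenced without a null check, so an exception thrown without a cause would surface as a NullPointerException rather than a clear assertion failure. The method starts before this hunk and continues after it.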
@@ -494,8 +493,8 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
}
// redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
- private Set<String> getShellResultWithOSRedirect(SentryShellKafka sentryShell,
- String[] args, boolean expectedExecuteResult) throws Exception {
+ private Set<String> getShellResultWithOSRedirect(SentryShellGeneric sentryShell,
+ String[] args, boolean expectedExecuteResult) throws Exception {
PrintStream oldOut = System.out;
ByteArrayOutputStream outContent = new ByteArrayOutputStream();
System.setOut(new PrintStream(outContent));
@@ -508,7 +507,7 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) {
if (expectedRoleNames != null && expectedRoleNames.length > 0) {
assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length,
- expectedRoleNames.length, roleNames.size());
+ expectedRoleNames.length, roleNames.size());
Set<String> lowerCaseRoles = new HashSet<String>();
for (String role : roleNames) {
lowerCaseRoles.add(role.toLowerCase());
@@ -516,19 +515,19 @@ public class TestSentryShellKafka extends SentryGenericServiceIntegrationBase {
for (String expectedRole : expectedRoleNames) {
assertTrue("Expected role: " + expectedRole,
- lowerCaseRoles.contains(expectedRole.toLowerCase()));
+ lowerCaseRoles.contains(expectedRole.toLowerCase()));
}
}
}
- private void validateMissingParameterMsg(SentryShellKafka sentryShell, String[] args,
- String expectedErrorMsg) throws Exception {
+ private void validateMissingParameterMsg(SentryShellGeneric sentryShell, String[] args,
+ String expectedErrorMsg) throws Exception {
Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
assertTrue("Expected error message: " + expectedErrorMsg, errorMsgs.contains(expectedErrorMsg));
}
- private void validateMissingParameterMsgsContains(SentryShellKafka sentryShell, String[] args,
- String ... expectedErrorMsgsContains) throws Exception {
+ private void validateMissingParameterMsgsContains(SentryShellGeneric sentryShell, String[] args,
+ String ... expectedErrorMsgsContains) throws Exception {
Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
boolean foundAllMessages = false;
Iterator<String> it = errorMsgs.iterator();
[3/3] sentry git commit: SENTRY-2023: Add sentry-shell support for
hbase-indexer permissions (Mano Kovacs, reviewed by Sergio Pena)
Posted by sp...@apache.org.
SENTRY-2023: Add sentry-shell support for hbase-indexer permissions (Mano Kovacs, reviewed by Sergio Pena)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/5a7b0764
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/5a7b0764
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/5a7b0764
Branch: refs/heads/master
Commit: 5a7b076435dfe54f9d093fbf892d4b7141634d66
Parents: 01c76e7
Author: Sergio Pena <se...@cloudera.com>
Authored: Tue Jan 16 14:29:31 2018 -0600
Committer: Sergio Pena <se...@cloudera.com>
Committed: Tue Jan 16 14:29:31 2018 -0600
----------------------------------------------------------------------
sentry-provider/sentry-provider-db/pom.xml | 4 +
.../persistent/PrivilegeOperatePersistence.java | 2 +
.../tools/GenericPrivilegeConverter.java | 10 +-
.../generic/tools/SentryConfigToolIndexer.java | 340 ++++++++++++
.../db/generic/tools/SentryShellGeneric.java | 17 +-
.../db/generic/tools/SentryShellIndexer.java | 124 +++++
.../provider/db/tools/SentryShellCommon.java | 224 ++++----
.../tools/TestSentryConfigToolIndexer.java | 263 ++++++++++
.../generic/tools/TestSentryShellIndexer.java | 526 +++++++++++++++++++
.../src/test/resources/indexer_case.ini | 26 +
.../resources/indexer_config_import_tool.ini | 29 +
.../src/test/resources/indexer_invalid.ini | 21 +
12 files changed, 1477 insertions(+), 109 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/5a7b0764/sentry-provider/sentry-provider-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/pom.xml b/sentry-provider/sentry-provider-db/pom.xml
index 192f8c8..db4808d 100644
--- a/sentry-provider/sentry-provider-db/pom.xml
+++ b/sentry-provider/sentry-provider-db/pom.xml
@@ -112,6 +112,10 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-indexer</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
<artifactId>sentry-core-model-sqoop</artifactId>
</dependency>
<dependency>
http://git-wip-us.apache.org/repos/asf/sentry/blob/5a7b0764/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
index c13e000..9dcfc03 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
@@ -34,6 +34,7 @@ import org.apache.sentry.core.common.Action;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.BitFieldAction;
import org.apache.sentry.core.common.BitFieldActionFactory;
+import org.apache.sentry.core.model.indexer.IndexerActionFactory;
import org.apache.sentry.core.model.kafka.KafkaActionFactory;
import org.apache.sentry.core.model.solr.SolrActionFactory;
import org.apache.sentry.core.model.sqoop.SqoopActionFactory;
@@ -70,6 +71,7 @@ public class PrivilegeOperatePersistence {
actionFactories.put("solr", new SolrActionFactory());
actionFactories.put("sqoop", new SqoopActionFactory());
actionFactories.put("kafka", KafkaActionFactory.getInstance());
+ actionFactories.put("hbaseindexer", new IndexerActionFactory());
}
private final Configuration conf;
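Review bot: The new entry registers the factory under the string literal `"hbaseindexer"`, while the rest of this commit identifies the component through `AuthorizationComponent.HBASE_INDEXER` (see the GenericPrivilegeConverter hunk). If the literal and the constant ever diverge, the lookup in `actionFactories` would presumably find no factory for indexer privileges, and action handling for that component would not work as intended. Keying the entry on the constant, normalised the same way the lookup normalises its argument (not visible here), avoids that. At minimum, add a comment on the line: `// key must match AuthorizationComponent.HBASE_INDEXER`. The enclosing block starts above this hunk.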
http://git-wip-us.apache.org/repos/asf/sentry/blob/5a7b0764/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
index c65b66d..8de543c 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/GenericPrivilegeConverter.java
@@ -35,6 +35,8 @@ import org.apache.sentry.core.common.utils.PolicyFileConstants;
import org.apache.sentry.core.common.utils.SentryConstants;
import org.apache.sentry.core.common.validator.PrivilegeValidator;
import org.apache.sentry.core.common.validator.PrivilegeValidatorContext;
+import org.apache.sentry.core.model.indexer.IndexerModelAuthorizables;
+import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel;
import org.apache.sentry.core.model.kafka.KafkaAuthorizable;
import org.apache.sentry.core.model.kafka.KafkaModelAuthorizables;
import org.apache.sentry.core.model.kafka.KafkaPrivilegeModel;
@@ -158,25 +160,29 @@ public class GenericPrivilegeConverter implements TSentryPrivilegeConverter {
}
}
- private List<PrivilegeValidator> getPrivilegeValidators() throws SentryUserException {
+ protected List<PrivilegeValidator> getPrivilegeValidators() throws SentryUserException {
if (AuthorizationComponent.KAFKA.equals(component)) {
return KafkaPrivilegeModel.getInstance().getPrivilegeValidators();
} else if ("SOLR".equals(component)) {
return SolrPrivilegeModel.getInstance().getPrivilegeValidators();
} else if (AuthorizationComponent.SQOOP.equals(component)) {
return SqoopPrivilegeModel.getInstance().getPrivilegeValidators(service);
+ } else if (AuthorizationComponent.HBASE_INDEXER.equals(component)) {
+ return IndexerPrivilegeModel.getInstance().getPrivilegeValidators();
}
throw new SentryUserException("Invalid component specified for GenericPrivilegeCoverter: " + component);
}
- private Authorizable getAuthorizable(KeyValue keyValue) throws SentryUserException {
+ protected Authorizable getAuthorizable(KeyValue keyValue) throws SentryUserException {
if (AuthorizationComponent.KAFKA.equals(component)) {
return KafkaModelAuthorizables.from(keyValue);
} else if ("SOLR".equals(component)) {
return SolrModelAuthorizables.from(keyValue);
} else if (AuthorizationComponent.SQOOP.equals(component)) {
return SqoopModelAuthorizables.from(keyValue);
+ } else if (AuthorizationComponent.HBASE_INDEXER.equals(component)) {
+ return IndexerModelAuthorizables.from(keyValue);
}
throw new SentryUserException("Invalid component specified for GenericPrivilegeCoverter: " + component);
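Review bot: `getPrivilegeValidators()` and `getAuthorizable(KeyValue)` are widened from `private` to `protected` with no Javadoc, which turns the choice of privilege validators into an extension point. A subclass can now return a different or empty validator list, and privilege strings would then presumably be converted without the component's checks. If the override is needed by the indexer tooling, document the contract on both methods (overrides must return the full validator set for the component and never null). Otherwise keep them `private` and rely on the new `else if` branches alone. Separately, the exception text reads `GenericPrivilegeCoverter`, where `GenericPrivilegeConverter` is presumably meant. `getAuthorizable` continues past the end of the hunk.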
http://git-wip-us.apache.org/repos/asf/sentry/blob/5a7b0764/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java
new file mode 100644
index 0000000..c2341d3
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java
@@ -0,0 +1,340 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+import com.google.common.collect.Table;
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.Options;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.exception.SentryConfigurationException;
+import org.apache.sentry.core.common.utils.KeyValue;
+import org.apache.sentry.core.model.indexer.IndexerPrivilegeModel;
+import org.apache.sentry.provider.common.ProviderBackend;
+import org.apache.sentry.provider.common.ProviderBackendContext;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
+import org.apache.sentry.provider.file.SimpleFileProviderBackend;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
+import static org.apache.sentry.provider.common.AuthorizationComponent.HBASE_INDEXER;
+import static org.apache.sentry.service.thrift.ServiceConstants.ClientConfig.SERVICE_NAME;
+
+/**
+ * SentryConfigToolIndexer is an administrative tool used to parse a HBase Indexer policy file
+ * and add the role, group mappings, and privileges therein to the Sentry service.
+ */
+public class SentryConfigToolIndexer {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryConfigToolIndexer.class);
+
+ private String policyFile;
+ private boolean validate;
+ private boolean importPolicy;
+ private boolean checkCompat;
+ private String confPath;
+
+ private String serviceName;
+
+
+
+ public String getPolicyFile() { return policyFile; }
+
+ public boolean getValidate() { return validate; }
+ public boolean getImportPolicy() { return importPolicy; }
+ public boolean getCheckCompat() { return checkCompat; }
+ public String getConfPath() { return confPath; }
+ public String getServiceName() {
+ return serviceName;
+ }
+
+ /**
+ * Adds command line options for the tool to the passed Options object. Used to extend existing options.
+ * @param options
+ */
+ public void setupOptions(Options options) {
+ Option globalPolicyPath = new Option("f", "policy_ini", true,
+ "Policy file path");
+ globalPolicyPath.setRequired(false);
+ options.addOption(globalPolicyPath);
+
+ Option validateOpt = new Option("v", "validate", false,
+ "Validate policy file");
+ validateOpt.setRequired(false);
+ options.addOption(validateOpt);
+
+ Option checkCompatOpt = new Option("c","checkcompat",false,
+ "Check compatibility with Sentry Service");
+ checkCompatOpt.setRequired(false);
+ options.addOption(checkCompatOpt);
+
+ Option importOpt = new Option("i", "import", false,
+ "Import policy file");
+ importOpt.setRequired(false);
+ options.addOption(importOpt);
+
+ }
+
+ /**
+ * Parses and processes the arguments from the given command line object.
+ * @param cmd
+ */
+ public void parseOptions(CommandLine cmd) {
+ boolean isToolActive = false;
+ for (Option opt : cmd.getOptions()) {
+ if (opt.getOpt().equals("mgr")) {
+ isToolActive = true;
+ }
+ }
+ if (!isToolActive) {
+ return;
+ }
+ for (Option opt : cmd.getOptions()) {
+ if (opt.getOpt().equals("f")) {
+ policyFile = opt.getValue();
+ } else if (opt.getOpt().equals("v")) {
+ validate = true;
+ } else if (opt.getOpt().equals("i")) {
+ importPolicy = true;
+ } else if (opt.getOpt().equals("c")) {
+ checkCompat = true;
+ } else if (opt.getOpt().equals("conf")) {
+ confPath = opt.getValue();
+ } else if (opt.getOpt().equals("s")) {
+ serviceName = opt.getValue();
+ }
+ }
+ if (policyFile == null) {
+ throw new IllegalArgumentException("Missing required option: f");
+ }
+ if (!validate && !importPolicy) {
+ throw new IllegalArgumentException("No action specified; at least one of action or import must be specified");
+ }
+ }
+
+
+ /**
+ * Processes the necessary command based on the arguments parsed earlier.
+ * @throws Exception
+ */
+ public void run() throws Exception {
+ String component = HBASE_INDEXER;
+ Configuration conf = getSentryConf();
+
+ String service = conf.get(SERVICE_NAME, getServiceName());
+
+ if (service == null) {
+ throw new IllegalArgumentException("Service was not defined. Please, use -s command option, or sentry.provider.backend.generic.service-name configuration entry.");
+ }
+
+ LOGGER.info(String.format("Context: component=%s, service=%s", component, service));
+ // instantiate a solr client for sentry service. This sets the ugi, so must
+ // be done before getting the ugi below.
+ try(SentryGenericServiceClient client =
+ SentryGenericServiceClientFactory.create(conf)) {
+ UserGroupInformation ugi = UserGroupInformation.getLoginUser();
+ String requestorName = ugi.getShortUserName();
+
+ convertINIToSentryServiceCmds(component, service, requestorName, conf, client,
+ getPolicyFile(), getValidate(), getImportPolicy(), getCheckCompat());
+ }
+ }
+
+ private Configuration getSentryConf() {
+ Configuration conf = new Configuration();
+ conf.addResource(new Path(getConfPath()));
+ return conf;
+ }
+
+ private void convertINIToSentryServiceCmds(String component,
+ String service, String requestorName,
+ Configuration conf, SentryGenericServiceClient client,
+ String policyFile, boolean validate, boolean importPolicy,
+ boolean checkCompat) throws Exception {
+
+ //instantiate a file providerBackend for parsing
+ LOGGER.info("Reading policy file at: " + policyFile);
+ SimpleFileProviderBackend policyFileBackend =
+ new SimpleFileProviderBackend(conf, policyFile);
+ ProviderBackendContext context = new ProviderBackendContext();
+ context.setValidators(IndexerPrivilegeModel.getInstance().getPrivilegeValidators());
+ policyFileBackend.initialize(context);
+ if (validate) {
+ validatePolicy(policyFileBackend);
+ }
+
+ if (checkCompat) {
+ checkCompat(policyFileBackend);
+ }
+
+ //import the relations about group,role and privilege into the DB store
+ Set<String> roles = Sets.newHashSet();
+ Table<String, String, Set<String>> groupRolePrivilegeTable =
+ policyFileBackend.getGroupRolePrivilegeTable();
+ GenericPrivilegeConverter converter = new GenericPrivilegeConverter(component, service, false);
+
+ for (String groupName : groupRolePrivilegeTable.rowKeySet()) {
+ for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
+ if (!roles.contains(roleName)) {
+ LOGGER.info(dryRunMessage(importPolicy) + "Creating role: " + roleName.toLowerCase(Locale.US));
+ if (importPolicy) {
+ client.createRoleIfNotExist(requestorName, roleName, component);
+ }
+ roles.add(roleName);
+ }
+
+ Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
+ if (privileges == null) {
+ continue;
+ }
+ LOGGER.info(dryRunMessage(importPolicy) + "Adding role: " + roleName.toLowerCase(Locale.US) + " to group: " + groupName);
+ if (importPolicy) {
+ client.grantRoleToGroups(requestorName, roleName, component, Sets.newHashSet(groupName));
+ }
+
+ for (String permission : privileges) {
+ String action = null;
+
+ for (String authorizable : AUTHORIZABLE_SPLITTER.
+ trimResults().split(permission)) {
+ KeyValue kv = new KeyValue(authorizable);
+ String key = kv.getKey();
+ String value = kv.getValue();
+ if ("action".equalsIgnoreCase(key)) {
+ action = value;
+ }
+ }
+
+ // Service doesn't support not specifying action
+ if (action == null) {
+ permission += "->action=" + Action.ALL;
+ }
+ LOGGER.info(dryRunMessage(importPolicy) + "Adding permission: " + permission + " to role: " + roleName.toLowerCase(Locale.US));
+ if (importPolicy) {
+ client.grantPrivilege(requestorName, roleName, component, converter.fromString(permission));
+ }
+ }
+ }
+ }
+ }
+
+ private void validatePolicy(ProviderBackend backend) throws Exception {
+ try {
+ backend.validatePolicy(true);
+ } catch (SentryConfigurationException e) {
+ printConfigErrorsWarnings(e);
+ throw e;
+ }
+ }
+
+ private void printConfigErrorsWarnings(SentryConfigurationException configException) {
+ System.out.println(" *** Found configuration problems *** ");
+ for (String errMsg : configException.getConfigErrors()) {
+ System.out.println("ERROR: " + errMsg);
+ }
+ for (String warnMsg : configException.getConfigWarnings()) {
+ System.out.println("Warning: " + warnMsg);
+ }
+ }
+
+ private void checkCompat(SimpleFileProviderBackend backend) throws Exception {
+ Map<String, Set<String>> rolesCaseMapping = new HashMap<String, Set<String>>();
+ Table<String, String, Set<String>> groupRolePrivilegeTable =
+ backend.getGroupRolePrivilegeTable();
+
+ for (String roleName : groupRolePrivilegeTable.columnKeySet()) {
+ String roleNameLower = roleName.toLowerCase(Locale.US);
+ if (!roleName.equals(roleNameLower)) {
+ if (!rolesCaseMapping.containsKey(roleNameLower)) {
+ rolesCaseMapping.put(roleNameLower, Sets.newHashSet(roleName));
+ } else {
+ rolesCaseMapping.get(roleNameLower).add(roleName);
+ }
+ }
+ }
+
+ List<String> errors = new LinkedList<String>();
+ StringBuilder warningString = new StringBuilder();
+ if (!rolesCaseMapping.isEmpty()) {
+ warningString.append("The following roles names will be lower cased when added to the Sentry Service.\n");
+ warningString.append("This will cause document-level security to fail to match the role tokens.\n");
+ warningString.append("Role names: ");
+ }
+ boolean firstWarning = true;
+
+ for (Map.Entry<String, Set<String>> entry : rolesCaseMapping.entrySet()) {
+ Set<String> caseMapping = entry.getValue();
+ if (caseMapping.size() > 1) {
+ StringBuilder errorString = new StringBuilder();
+ errorString.append("The following (cased) roles map to the same role in the sentry service: ");
+ boolean first = true;
+ for (String casedRole : caseMapping) {
+ errorString.append(first ? "" : ", ");
+ errorString.append(casedRole);
+ first = false;
+ }
+ errorString.append(". Role in service: ").append(entry.getKey());
+ errors.add(errorString.toString());
+ }
+
+ for (String casedRole : caseMapping) {
+ warningString.append(firstWarning? "" : ", ");
+ warningString.append(casedRole);
+ firstWarning = false;
+ }
+ }
+
+ for (String error : errors) {
+ System.out.println("ERROR: " + error);
+ }
+ System.out.println("\n");
+
+ System.out.println("Warning: " + warningString.toString());
+ if (errors.size() > 0) {
+ SentryConfigurationException ex =
+ new SentryConfigurationException("Compatibility check failure");
+ ex.setConfigErrors(errors);
+ ex.setConfigWarnings(Lists.<String>asList(warningString.toString(), new String[0]));
+ throw ex;
+ }
+ }
+
+ private String dryRunMessage(boolean importPolicy) {
+ if (importPolicy) {
+ return "";
+ } else {
+ return "[Dry Run] ";
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/sentry/blob/5a7b0764/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
index 1623f38..907e146 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
@@ -18,9 +18,7 @@
package org.apache.sentry.provider.db.generic.tools;
-import java.util.List;
-import java.util.Set;
-
+import com.google.common.collect.Sets;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
@@ -35,7 +33,8 @@ import org.apache.sentry.provider.db.tools.ShellCommand;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import com.google.common.collect.Sets;
+import java.util.List;
+import java.util.Set;
/**
* SentryShellGeneric is an admin tool, and responsible for the management of repository.
@@ -60,7 +59,7 @@ public class SentryShellGeneric extends SentryShellCommon {
SentryGenericServiceClientFactory.create(conf)) {
UserGroupInformation ugi = UserGroupInformation.getLoginUser();
String requestorName = ugi.getShortUserName();
- TSentryPrivilegeConverter converter = new GenericPrivilegeConverter(component, service);
+ TSentryPrivilegeConverter converter = getPrivilegeConverter(component, service);
ShellCommand command = new GenericShellCommand(client, component, service, converter);
// check the requestor name
@@ -102,7 +101,11 @@ public class SentryShellGeneric extends SentryShellCommon {
}
}
- private String getComponent() throws Exception {
+ protected GenericPrivilegeConverter getPrivilegeConverter(String component, String service) {
+ return new GenericPrivilegeConverter(component, service);
+ }
+
+ protected String getComponent() throws Exception {
if (type == TYPE.kafka) {
return AuthorizationComponent.KAFKA;
} else if (type == TYPE.solr) {
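Review bot: The methods opened up to subclasses here and in the next hunk (`getPrivilegeConverter`, `getComponent`, `getService`) have no Javadoc, although they presumably decide the component, service and converter that the shell passes to `GenericShellCommand`. I would add a short comment on each, for example `/** Returns the converter used to parse privilege strings for the given component and service; subclasses may override. */` on `getPrivilegeConverter`. On `getService` the comment should say whether a null return is allowed. `getComponent` and `getService` continue outside these hunks, so the rest of their bodies is not visible here.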
@@ -114,7 +117,7 @@ public class SentryShellGeneric extends SentryShellCommon {
throw new Exception("Invalid type specified for SentryShellGeneric: " + type);
}
- private String getService(Configuration conf) throws Exception {
+ protected String getService(Configuration conf) throws Exception {
if (type == TYPE.kafka) {
return conf.get(KAFKA_SERVICE_NAME, AuthorizationComponent.KAFKA);
} else if (type == TYPE.solr) {
http://git-wip-us.apache.org/repos/asf/sentry/blob/5a7b0764/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellIndexer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellIndexer.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellIndexer.java
new file mode 100644
index 0000000..5bbe772
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellIndexer.java
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.OptionGroup;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.ParseException;
+import org.apache.hadoop.conf.Configuration;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import static org.apache.sentry.provider.common.AuthorizationComponent.HBASE_INDEXER;
+import static org.apache.sentry.service.thrift.ServiceConstants.ClientConfig.SERVICE_NAME;
+
+/**
+ * SentryShellIndexer is an admin tool, and responsible for the management of repository.
+ * The following commands are supported:
+ * create role, drop role, add group to role, grant privilege to role,
+ * revoke privilege from role, list roles, list privilege for role.
+ */
+public class SentryShellIndexer extends SentryShellGeneric {
+
+ protected boolean isMigration = false;
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellIndexer.class);
+
+ private final SentryConfigToolIndexer configTool = new SentryConfigToolIndexer();
+
+ @Override
+ protected void setupOptions(Options simpleShellOptions) {
+ super.setupOptions(simpleShellOptions);
+ configTool.setupOptions(simpleShellOptions);
+ }
+
+ @Override
+ protected void parseOptions(CommandLine cmd) throws ParseException {
+ super.parseOptions(cmd);
+ configTool.parseOptions(cmd);
+ for (Option opt : cmd.getOptions()) {
+ if (opt.getOpt().equals("mgr")) {
+ isMigration = true;
+ }
+ }
+ }
+
+ @Override
+ protected OptionGroup getMainOptions() {
+ OptionGroup mainOptions = super.getMainOptions();
+ Option mgrOpt = new Option("mgr", "migrate", false, "Migrate ini file to Sentry service");
+ mgrOpt.setRequired(false);
+ mainOptions.addOption(mgrOpt);
+ return mainOptions;
+ }
+
+ /**
+ * Processes the necessary command based on the arguments parsed earlier.
+ * @throws Exception
+ */
+ @Override
+ public void run() throws Exception {
+
+ if (isMigration) {
+ configTool.run();
+ return;
+ }
+
+ super.run();
+ }
+
+ @Override
+ protected String getComponent() throws Exception {
+ return HBASE_INDEXER;
+ }
+
+ @Override
+ protected String getService(Configuration conf) throws Exception {
+ String service = conf.get(SERVICE_NAME, serviceName);
+ if (service == null) {
+ throw new IllegalArgumentException("Service was not defined. Please, use -s command option, or sentry.provider.backend.generic.service-name configuration entry.");
+ }
+ return service;
+ }
+
+ /**
+ * Entry-point for Hbase indexer cli tool.
+ * @param args
+ * @throws Exception
+ */
+ public static void main(String[] args) throws Exception {
+ SentryShellIndexer sentryShell = new SentryShellIndexer();
+ try {
+ sentryShell.executeShell(args);
+ } catch (Exception e) {
+ LOGGER.error(e.getMessage(), e);
+ Throwable current = e;
+ // find the first printable message;
+ while (current != null && current.getMessage() == null) {
+ current = current.getCause();
+ }
+ System.out.println("The operation failed." +
+ (current.getMessage() == null ? "" : " Message: " + current.getMessage()));
+ System.exit(1);
+ }
+ }
+
+}
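Review bot: In `main`, the loop that searches the cause chain for a printable message ends with `current == null` when no exception in the chain has a message, and the following `current.getMessage()` then throws a NullPointerException inside the catch block. The operator sees an unrelated trace instead of the "The operation failed." line. Guard the dereference with `(current == null ? "" : " Message: " + current.getMessage())`. Separately, `getService` calls `conf.get(SERVICE_NAME, serviceName)`, so the `-s` value is only a fallback when the configuration entry is absent. If the command line is meant to win in this authorization tool the lookup order should be reversed, and either way the precedence deserves a line of Javadoc on `getService`.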
http://git-wip-us.apache.org/repos/asf/sentry/blob/5a7b0764/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
index 5fbc961..c8b2eef 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
@@ -43,11 +43,13 @@ abstract public class SentryShellCommon {
public static final String OPTION_DESC_ROLE_NAME = "Role name";
public static final String OPTION_DESC_GROUP_NAME = "Group name";
public static final String OPTION_DESC_PRIVILEGE = "Privilege string";
+ public final static String OPTION_DESC_SERVICE = "Name of the service being managed";
public static final String PREFIX_MESSAGE_MISSING_OPTION = "Missing required option: ";
public static final String GROUP_SPLIT_CHAR = ",";
protected String roleName;
+ protected String serviceName;
protected String groupName;
protected String privilegeStr;
protected String confPath;
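Review bot: The new constant is declared `public final static String OPTION_DESC_SERVICE`, while the neighbouring constants in this hunk all use `public static final`. Keep the file's modifier order: `public static final String OPTION_DESC_SERVICE = "Name of the service being managed";`. The new `serviceName` field could also carry a one-line comment such as `// value of the -s option; null when the option is not given`.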
@@ -90,47 +92,52 @@ abstract public class SentryShellCommon {
protected boolean parseArgs(String[] args) {
Options simpleShellOptions = new Options();
- Option crOpt = new Option("cr", "create_role", false, "Create role");
- crOpt.setRequired(false);
+ setupOptions(simpleShellOptions);
- Option drOpt = new Option("dr", "drop_role", false, "Drop role");
- drOpt.setRequired(false);
- Option argOpt = new Option("arg", "add_role_group", false, "Add role to group");
- argOpt.setRequired(false);
- Option drgOpt = new Option("drg", "delete_role_group", false, "Delete role from group");
- drgOpt.setRequired(false);
+ // help option
+ Option helpOpt = new Option("h", "help", false, OPTION_DESC_HELP);
+ helpOpt.setRequired(false);
+ simpleShellOptions.addOption(helpOpt);
- Option gprOpt = new Option("gpr", "grant_privilege_role", false, "Grant privilege to role");
- gprOpt.setRequired(false);
+ // this Options is parsed first for help option
+ Options helpOptions = new Options();
+ helpOptions.addOption(helpOpt);
- Option rprOpt = new Option("rpr", "revoke_privilege_role", false, "Revoke privilege from role");
- rprOpt.setRequired(false);
+ try {
+ Parser parser = new GnuParser();
- Option lrOpt = new Option("lr", "list_role", false, "List role");
- lrOpt.setRequired(false);
+ // parse help option first
+ CommandLine cmd = parser.parse(helpOptions, args, true);
+ for (Option opt : cmd.getOptions()) {
+ if (opt.getOpt().equals("h")) {
+ // get the help option, print the usage and exit
+ usage(simpleShellOptions);
+ return false;
+ }
+ }
- Option lpOpt = new Option("lp", "list_privilege", false, "List privilege");
- lpOpt.setRequired(false);
+ // without help option
+ cmd = parser.parse(simpleShellOptions, args);
- Option lgOpt = new Option("lg", "list_group", false, "List groups");
- lgOpt.setRequired(false);
+ parseOptions(cmd);
+ } catch (ParseException pe) {
+ System.out.println(pe.getMessage());
+ usage(simpleShellOptions);
+ return false;
+ }
+ return true;
+ }
- // required args group
- OptionGroup simpleShellOptGroup = new OptionGroup();
- simpleShellOptGroup.addOption(crOpt);
- simpleShellOptGroup.addOption(drOpt);
- simpleShellOptGroup.addOption(argOpt);
- simpleShellOptGroup.addOption(drgOpt);
- simpleShellOptGroup.addOption(gprOpt);
- simpleShellOptGroup.addOption(rprOpt);
- simpleShellOptGroup.addOption(lrOpt);
- simpleShellOptGroup.addOption(lpOpt);
- simpleShellOptGroup.addOption(lgOpt);
- simpleShellOptGroup.setRequired(true);
+ protected void setupOptions(Options simpleShellOptions) {
+ OptionGroup simpleShellOptGroup = getMainOptions();
simpleShellOptions.addOptionGroup(simpleShellOptGroup);
+ Option sOpt = new Option("s", "service", true, OPTION_DESC_SERVICE);
+ sOpt.setRequired(false);
+ simpleShellOptions.addOption(sOpt);
+
// optional args
Option pOpt = new Option("p", "privilege", true, OPTION_DESC_PRIVILEGE);
pOpt.setRequired(false);
@@ -153,86 +160,103 @@ abstract public class SentryShellCommon {
Option sentrySitePathOpt = new Option("conf", "sentry_conf", true, OPTION_DESC_CONF);
sentrySitePathOpt.setRequired(true);
simpleShellOptions.addOption(sentrySitePathOpt);
+ }
- // help option
- Option helpOpt = new Option("h", "help", false, OPTION_DESC_HELP);
- helpOpt.setRequired(false);
- simpleShellOptions.addOption(helpOpt);
+ protected OptionGroup getMainOptions() {
+ OptionGroup simpleShellOptGroup = new OptionGroup();
+ Option crOpt = new Option("cr", "create_role", false, "Create role");
+ crOpt.setRequired(false);
- // this Options is parsed first for help option
- Options helpOptions = new Options();
- helpOptions.addOption(helpOpt);
+ Option drOpt = new Option("dr", "drop_role", false, "Drop role");
+ drOpt.setRequired(false);
- try {
- Parser parser = new GnuParser();
+ Option argOpt = new Option("arg", "add_role_group", false, "Add role to group");
+ argOpt.setRequired(false);
- // parse help option first
- CommandLine cmd = parser.parse(helpOptions, args, true);
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("h")) {
- // get the help option, print the usage and exit
- usage(simpleShellOptions);
- return false;
- }
- }
+ Option drgOpt = new Option("drg", "delete_role_group", false, "Delete role from group");
+ drgOpt.setRequired(false);
- // without help option
- cmd = parser.parse(simpleShellOptions, args);
+ Option gprOpt = new Option("gpr", "grant_privilege_role", false, "Grant privilege to role");
+ gprOpt.setRequired(false);
- for (Option opt : cmd.getOptions()) {
- if (opt.getOpt().equals("p")) {
- privilegeStr = opt.getValue();
- } else if (opt.getOpt().equals("g")) {
- groupName = opt.getValue();
- } else if (opt.getOpt().equals("r")) {
- roleName = opt.getValue();
- } else if (opt.getOpt().equals("cr")) {
- isCreateRole = true;
- roleNameRequired = true;
- } else if (opt.getOpt().equals("dr")) {
- isDropRole = true;
- roleNameRequired = true;
- } else if (opt.getOpt().equals("arg")) {
- isAddRoleGroup = true;
- roleNameRequired = true;
- groupNameRequired = true;
- } else if (opt.getOpt().equals("drg")) {
- isDeleteRoleGroup = true;
- roleNameRequired = true;
- groupNameRequired = true;
- } else if (opt.getOpt().equals("gpr")) {
- isGrantPrivilegeRole = true;
- roleNameRequired = true;
- privilegeStrRequired = true;
- } else if (opt.getOpt().equals("rpr")) {
- isRevokePrivilegeRole = true;
- roleNameRequired = true;
- privilegeStrRequired = true;
- } else if (opt.getOpt().equals("lr")) {
- isListRole = true;
- } else if (opt.getOpt().equals("lp")) {
- isListPrivilege = true;
- roleNameRequired = true;
- } else if (opt.getOpt().equals("lg")) {
- isListGroup = true;
- } else if (opt.getOpt().equals("conf")) {
- confPath = opt.getValue();
- } else if (opt.getOpt().equals("t")) {
- type = TYPE.valueOf(opt.getValue());
- }
+ Option rprOpt = new Option("rpr", "revoke_privilege_role", false, "Revoke privilege from role");
+ rprOpt.setRequired(false);
+
+ Option lrOpt = new Option("lr", "list_role", false, "List role");
+ lrOpt.setRequired(false);
+
+ Option lpOpt = new Option("lp", "list_privilege", false, "List privilege");
+ lpOpt.setRequired(false);
+
+ Option lgOpt = new Option("lg", "list_group", false, "List groups");
+ lgOpt.setRequired(false);
+
+
+ // required args group
+ simpleShellOptGroup.addOption(crOpt);
+ simpleShellOptGroup.addOption(drOpt);
+ simpleShellOptGroup.addOption(argOpt);
+ simpleShellOptGroup.addOption(drgOpt);
+ simpleShellOptGroup.addOption(gprOpt);
+ simpleShellOptGroup.addOption(rprOpt);
+ simpleShellOptGroup.addOption(lrOpt);
+ simpleShellOptGroup.addOption(lpOpt);
+ simpleShellOptGroup.addOption(lgOpt);
+ simpleShellOptGroup.setRequired(true);
+ return simpleShellOptGroup;
+ }
+
+ protected void parseOptions(CommandLine cmd) throws ParseException {
+ for (Option opt : cmd.getOptions()) {
+ if (opt.getOpt().equals("p")) {
+ privilegeStr = opt.getValue();
+ } else if (opt.getOpt().equals("g")) {
+ groupName = opt.getValue();
+ } else if (opt.getOpt().equals("r")) {
+ roleName = opt.getValue();
+ } else if (opt.getOpt().equals("s")) {
+ serviceName = opt.getValue();
+ } else if (opt.getOpt().equals("cr")) {
+ isCreateRole = true;
+ roleNameRequired = true;
+ } else if (opt.getOpt().equals("dr")) {
+ isDropRole = true;
+ roleNameRequired = true;
+ } else if (opt.getOpt().equals("arg")) {
+ isAddRoleGroup = true;
+ roleNameRequired = true;
+ groupNameRequired = true;
+ } else if (opt.getOpt().equals("drg")) {
+ isDeleteRoleGroup = true;
+ roleNameRequired = true;
+ groupNameRequired = true;
+ } else if (opt.getOpt().equals("gpr")) {
+ isGrantPrivilegeRole = true;
+ roleNameRequired = true;
+ privilegeStrRequired = true;
+ } else if (opt.getOpt().equals("rpr")) {
+ isRevokePrivilegeRole = true;
+ roleNameRequired = true;
+ privilegeStrRequired = true;
+ } else if (opt.getOpt().equals("lr")) {
+ isListRole = true;
+ } else if (opt.getOpt().equals("lp")) {
+ isListPrivilege = true;
+ roleNameRequired = true;
+ } else if (opt.getOpt().equals("lg")) {
+ isListGroup = true;
+ } else if (opt.getOpt().equals("conf")) {
+ confPath = opt.getValue();
+ } else if (opt.getOpt().equals("t")) {
+ type = TYPE.valueOf(opt.getValue());
}
- checkRequiredParameter(roleNameRequired, roleName, OPTION_DESC_ROLE_NAME);
- checkRequiredParameter(groupNameRequired, groupName, OPTION_DESC_GROUP_NAME);
- checkRequiredParameter(privilegeStrRequired, privilegeStr, OPTION_DESC_PRIVILEGE);
- } catch (ParseException pe) {
- System.out.println(pe.getMessage());
- usage(simpleShellOptions);
- return false;
}
- return true;
+ checkRequiredParameter(roleNameRequired, roleName, OPTION_DESC_ROLE_NAME);
+ checkRequiredParameter(groupNameRequired, groupName, OPTION_DESC_GROUP_NAME);
+ checkRequiredParameter(privilegeStrRequired, privilegeStr, OPTION_DESC_PRIVILEGE);
}
- private void checkRequiredParameter(boolean isRequired, String paramValue, String paramName) throws ParseException {
+ protected void checkRequiredParameter(boolean isRequired, String paramValue, String paramName) throws ParseException {
if (isRequired && StringUtils.isEmpty(paramValue)) {
throw new ParseException(PREFIX_MESSAGE_MISSING_OPTION + paramName);
}
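Review bot: In the new `parseOptions`, `type = TYPE.valueOf(opt.getValue())` throws IllegalArgumentException for an unrecognised `-t` value, assuming `TYPE` is an enum as the `TYPE.kafka` comparisons elsewhere in this commit suggest. `parseArgs` catches only `ParseException`, so a mistyped type skips the usage message. Since the method declares `throws ParseException`, the lookup can be wrapped so the failure is reported like the other option errors: `try { type = TYPE.valueOf(opt.getValue()); } catch (IllegalArgumentException e) { throw new ParseException("Invalid type: " + opt.getValue()); }`. The method also lacks Javadoc; it should say that overriders call `super.parseOptions(cmd)` and that a `ParseException` makes `parseArgs` print the usage text and return false.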
http://git-wip-us.apache.org/repos/asf/sentry/blob/5a7b0764/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolIndexer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolIndexer.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolIndexer.java
new file mode 100644
index 0000000..4dddf78
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryConfigToolIndexer.java
@@ -0,0 +1,263 @@
+ /**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+ import com.google.common.collect.Sets;
+ import com.google.common.io.Files;
+ import org.apache.commons.io.FileUtils;
+ import org.apache.sentry.core.common.exception.SentryConfigurationException;
+ import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
+ import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+ import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
+ import org.apache.sentry.service.thrift.ServiceConstants;
+ import org.junit.After;
+ import org.junit.Before;
+ import org.junit.Test;
+
+ import java.io.File;
+ import java.io.FileOutputStream;
+ import java.util.HashMap;
+ import java.util.HashSet;
+ import java.util.Map;
+ import java.util.Set;
+
+ import static org.apache.sentry.provider.common.AuthorizationComponent.HBASE_INDEXER;
+ import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertTrue;
+ import static org.junit.Assert.fail;
+
+ public class TestSentryConfigToolIndexer extends SentryGenericServiceIntegrationBase {
+ private static String RESOURCES_DIR = "target" + File.separator + "test-classes" + File.separator;
+ private static String VALID_POLICY_INI = RESOURCES_DIR + "indexer_config_import_tool.ini";
+ private static String INVALID_POLICY_INI = RESOURCES_DIR + "indexer_invalid.ini";
+ private static String CASE_POLICY_INI = RESOURCES_DIR + "indexer_case.ini";
+ private File confDir;
+ private File confPath;
+ private String requestorName = "";
+ private String service = "service1";
+
+ @Before
+ public void prepareForTest() throws Exception {
+ confDir = Files.createTempDir();
+ confPath = new File(confDir, "sentry-site.xml");
+ conf.set(ServiceConstants.ClientConfig.SERVICE_NAME, service);
+ if (confPath.createNewFile()) {
+ FileOutputStream to = new FileOutputStream(confPath);
+ conf.writeXml(to);
+ to.close();
+ }
+ requestorName = clientUgi.getShortUserName();//System.getProperty("user.name", "");
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorName, requestorUserGroupNames);
+ // add ADMIN_USER for the after() in SentryServiceIntegrationBase
+ setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
+ writePolicyFile();
+ }
+
+ @After
+ public void clearTestData() throws Exception {
+ FileUtils.deleteQuietly(confDir);
+
+ // clear roles and privileges
+ Set<TSentryRole> tRoles = client.listAllRoles(requestorName, HBASE_INDEXER);
+ for (TSentryRole tRole : tRoles) {
+ String role = tRole.getRoleName();
+ Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(
+ requestorName, role, HBASE_INDEXER, service);
+ for (TSentryPrivilege privilege : privileges) {
+ client.revokePrivilege(requestorName, role, HBASE_INDEXER, privilege);
+ }
+ client.dropRole(requestorName, role, HBASE_INDEXER);
+ }
+ }
+
+ @Test
+ public void testConvertIni() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String[] args = {"-mgr", "-f", VALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i"};
+ SentryShellIndexer sentryTool = new SentryShellIndexer();
+ sentryTool.executeShell(args);
+
+ Map<String, Set<String>> groupMapping = new HashMap<String, Set<String>>();
+ groupMapping.put("corporal_role", Sets.newHashSet("corporal", "sergeant", "general", "commander_in_chief"));
+ groupMapping.put("sergeant_role", Sets.newHashSet("sergeant", "general", "commander_in_chief"));
+ groupMapping.put("general_role", Sets.newHashSet("general", "commander_in_chief"));
+ groupMapping.put("commander_in_chief_role", Sets.newHashSet("commander_in_chief"));
+
+
+ Map<String, Set<String>> privilegeMapping = new HashMap<String, Set<String>>();
+ privilegeMapping.put("corporal_role",
+ Sets.newHashSet("Indexer=info->action=read", "Indexer=info->action=write"));
+ privilegeMapping.put("sergeant_role",
+ Sets.newHashSet("Indexer=info->action=write"));
+ privilegeMapping.put("general_role",
+ Sets.newHashSet("Indexer=info->action=*"));
+ privilegeMapping.put("commander_in_chief_role",
+ Sets.newHashSet("Indexer=*->action=*"));
+
+ // check roles
+ Set<TSentryRole> tRoles = client.listAllRoles(requestorName, HBASE_INDEXER);
+ assertEquals("Unexpected number of roles", groupMapping.keySet().size(), tRoles.size());
+ Set<String> roles = new HashSet<String>();
+ for (TSentryRole tRole : tRoles) {
+ roles.add(tRole.getRoleName());
+ }
+
+ for (String expectedRole : groupMapping.keySet()) {
+ assertTrue("Didn't find expected role: " + expectedRole, roles.contains(expectedRole));
+ }
+
+ // check groups
+ for (TSentryRole tRole : tRoles) {
+ Set<String> expectedGroups = groupMapping.get(tRole.getRoleName());
+ assertEquals("Group size doesn't match for role: " + tRole.getRoleName(),
+ expectedGroups.size(), tRole.getGroups().size());
+ assertTrue("Group does not contain all expected members for role: " + tRole.getRoleName(),
+ tRole.getGroups().containsAll(expectedGroups));
+ }
+
+ // check privileges
+ GenericPrivilegeConverter convert = new GenericPrivilegeConverter(HBASE_INDEXER, service);
+ for (String role : roles) {
+ Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(
+ requestorName, role, HBASE_INDEXER, service);
+ Set<String> expectedPrivileges = privilegeMapping.get(role);
+ assertEquals("Privilege set size doesn't match for role: " + role,
+ expectedPrivileges.size(), privileges.size());
+
+ Set<String> privilegeStrs = new HashSet<String>();
+ for (TSentryPrivilege privilege : privileges) {
+ privilegeStrs.add(convert.toString(privilege));
+ }
+
+ for (String expectedPrivilege : expectedPrivileges) {
+ assertTrue("Did not find expected privilege: " + expectedPrivilege,
+ privilegeStrs.contains(expectedPrivilege));
+ }
+ }
+ }
+ });
+ }
+
+ @Test
+ public void testNoPolicyFile() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String[] args = { "-mgr", "-f", INVALID_POLICY_INI + "Foobar", "-conf", confPath.getAbsolutePath(), "-v", "-i"};
+ SentryShellIndexer sentryTool = new SentryShellIndexer();
+ try {
+ sentryTool.executeShell(args);
+ fail("Exception should be thrown for nonexistant ini");
+ } catch (SentryConfigurationException e) {
+ // expected exception
+ }
+ }
+ });
+ }
+
+ @Test
+ public void testNoValidateNorImport() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String[] args = { "-mgr", "-f", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath()};
+ SentryShellIndexer sentryTool = new SentryShellIndexer();
+ try {
+ sentryTool.executeShell(args);
+ fail("Exception should be thrown for validating invalid ini");
+ } catch (IllegalArgumentException e) {
+ // expected exception
+ }
+ }
+ });
+ }
+
+ @Test
+ public void testConvertInvalidIni() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // test: validate an invalid ini
+ String[] args = { "-mgr", "-f", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i"};
+ SentryShellIndexer sentryTool = new SentryShellIndexer();
+ try {
+ sentryTool.executeShell(args);
+ fail("Exception should be thrown for validating invalid ini");
+ } catch (SentryConfigurationException e) {
+ // expected exception
+ }
+
+ // test without validating, should not error
+ args = new String[] { "-mgr", "-f", INVALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-i"};
+ sentryTool = new SentryShellIndexer();
+ sentryTool.executeShell(args);
+ }
+ });
+ }
+
+ @Test
+ public void testCompatCheck() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // test: validate an invalid ini
+ String[] args = { "-mgr", "-f", CASE_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i", "-c"};
+ SentryShellIndexer sentryTool = new SentryShellIndexer();
+ try {
+ sentryTool.executeShell(args);
+ fail("Exception should be thrown for validating invalid ini");
+ } catch (SentryConfigurationException e) {
+ assertEquals("Expected error", 1, e.getConfigErrors().size());
+ String error = e.getConfigErrors().get(0);
+ assertCasedRoleNamesInMessage(error, "RoLe1", "rOlE1");
+ String warning = e.getConfigWarnings().get(0);
+ assertCasedRoleNamesInMessage(warning, "ROLE2", "RoLe1", "rOlE1");
+ assertEquals("Expected warning", 1, e.getConfigWarnings().size());
+ }
+
+ // test without compat checking
+ args = new String[] { "-mgr", "-f", CASE_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-i", "-v"};
+ sentryTool = new SentryShellIndexer();
+ sentryTool.executeShell(args);
+ }
+ });
+ }
+
+ // Test that a valid compat check doesn't throw an exception
+ @Test
+ public void testCompatCheckValid() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String[] args = { "-mgr", "-f", VALID_POLICY_INI, "-conf", confPath.getAbsolutePath(), "-v", "-i", "-c"};
+ SentryShellIndexer sentryTool = new SentryShellIndexer();
+ sentryTool.executeShell(args);
+ }
+ });
+ }
+
+ private void assertCasedRoleNamesInMessage(String message, String ... casedRoleNames) {
+ for (String casedRoleName : casedRoleNames) {
+ assertTrue("Expected cased role name: " + casedRoleName, message.contains(casedRoleName));
+ }
+ }
+ }
http://git-wip-us.apache.org/repos/asf/sentry/blob/5a7b0764/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellIndexer.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellIndexer.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellIndexer.java
new file mode 100644
index 0000000..f66eb85
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/generic/tools/TestSentryShellIndexer.java
@@ -0,0 +1,526 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.generic.tools;
+
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceIntegrationBase;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryRole;
+import org.apache.sentry.provider.db.tools.SentryShellCommon;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.PrintStream;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+import static junit.framework.Assert.assertEquals;
+import static org.apache.sentry.provider.common.AuthorizationComponent.HBASE_INDEXER;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class TestSentryShellIndexer extends SentryGenericServiceIntegrationBase {
+ private File confDir;
+ private File confPath;
+ private static String TEST_ROLE_NAME_1 = "testRole1";
+ private static String TEST_ROLE_NAME_2 = "testRole2";
+ private String requestorName = "";
+ private String service = "service1";
+
+ @Before
+ public void prepareForTest() throws Exception {
+ confDir = Files.createTempDir();
+ confPath = new File(confDir, "sentry-site.xml");
+ conf.set(ServiceConstants.ClientConfig.SERVICE_NAME, service);
+ if (confPath.createNewFile()) {
+ FileOutputStream to = new FileOutputStream(confPath);
+ conf.writeXml(to);
+ to.close();
+ }
+ requestorName = clientUgi.getShortUserName();
+ Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+ setLocalGroupMapping(requestorName, requestorUserGroupNames);
+ // add ADMIN_USER for the after() in SentryServiceIntegrationBase
+ setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
+ writePolicyFile();
+ }
+
+ @After
+ public void clearTestData() throws Exception {
+ FileUtils.deleteQuietly(confDir);
+ }
+
+ @Test
+ public void testCreateDropRole() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // test: create role with -cr
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+ // test: create role with --create_role
+ args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+
+ // validate the result, list roles with -lr
+ args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
+ SentryShellIndexer sentryShell = new SentryShellIndexer();
+ Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
+
+ // validate the result, list roles with --list_role
+ args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
+
+ // test: drop role with -dr
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+ // test: drop role with --drop_role
+ args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+
+ // validate the result
+ Set<TSentryRole> roles = client.listAllRoles(requestorName, HBASE_INDEXER);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ }
+ });
+ }
+
+ @Test
+ public void testAddDeleteRoleForGroup() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // Group names are case sensitive - mixed case names should work
+ String TEST_GROUP_1 = "testGroup1";
+ String TEST_GROUP_2 = "testGroup2";
+ String TEST_GROUP_3 = "testGroup3";
+
+ // create the role for test
+ client.createRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER);
+ client.createRole(requestorName, TEST_ROLE_NAME_2, HBASE_INDEXER);
+ // test: add role to group with -arg
+ String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+ // test: add role to multiple groups
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+ // test: add role to group with --add_role_group
+ args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+
+ // validate the result list roles with -lr and -g
+ args = new String[] { "-lr", "-g", TEST_GROUP_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellIndexer sentryShell = new SentryShellIndexer();
+ Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
+
+ // list roles with --list_role and -g
+ args = new String[] { "--list_role", "-g", TEST_GROUP_2, "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1);
+
+ args = new String[] { "--list_role", "-g", TEST_GROUP_3, "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1);
+
+ // test: delete role from group with -drg
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_1, "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+ // test: delete role to multiple groups
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", TEST_GROUP_2 + "," + TEST_GROUP_3,
+ "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+ // test: delete role from group with --delete_role_group
+ args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", TEST_GROUP_1,
+ "-conf", confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+
+ // validate the result
+ Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, TEST_GROUP_1, HBASE_INDEXER);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ roles = client.listRolesByGroupName(requestorName, TEST_GROUP_2, HBASE_INDEXER);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ roles = client.listRolesByGroupName(requestorName, TEST_GROUP_3, HBASE_INDEXER);
+ assertEquals("Incorrect number of roles", 0, roles.size());
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER);
+ client.dropRole(requestorName, TEST_ROLE_NAME_2, HBASE_INDEXER);
+ }
+ });
+ }
+
+ @Test
+ public void testCaseSensitiveGroupName() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+
+ // create the role for test
+ client.createRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER);
+ // add role to a group (lower case)
+ String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "group1", "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+
+ // validate the roles when group name is same case as above
+ args = new String[] { "-lr", "-g", "group1", "-conf", confPath.getAbsolutePath() };
+ SentryShellIndexer sentryShell = new SentryShellIndexer();
+ Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames, TEST_ROLE_NAME_1);
+
+ // roles should be empty when group name is different case than above
+ args = new String[] { "-lr", "-g", "GROUP1", "-conf", confPath.getAbsolutePath() };
+ roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+ validateRoleNames(roleNames);
+ }
+ });
+ }
+
+ public static String grant(boolean shortOption) {
+ return shortOption ? "-gpr" : "--grant_privilege_role";
+ }
+
+ public static String revoke(boolean shortOption) {
+ return shortOption ? "-rpr" : "--revoke_privilege_role";
+ }
+
+ public static String list(boolean shortOption) {
+ return shortOption ? "-lp" : "--list_privilege";
+ }
+
+ private void assertGrantRevokePrivilege(final boolean shortOption) throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ // create the role for test
+ client.createRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER);
+ client.createRole(requestorName, TEST_ROLE_NAME_2, HBASE_INDEXER);
+
+ String [] privs = {
+ "Indexer=*->action=*",
+ "Indexer=indexer1->action=read",
+ "Indexer=indexer2->action=write"
+ };
+ for (int i = 0; i < privs.length; ++i) {
+ // test: grant privilege to role
+ String [] args = new String [] { grant(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
+ privs[ i ],
+ "-conf", confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+ }
+
+ // test the list privilege
+ String [] args = new String[] { list(shortOption), "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellIndexer sentryShell = new SentryShellIndexer();
+ Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
+ assertEquals("Incorrect number of privileges", privs.length, privilegeStrs.size());
+ for (int i = 0; i < privs.length; ++i) {
+ assertTrue("Expected privilege: " + privs[ i ], privilegeStrs.contains(privs[ i ]));
+ }
+
+ for (int i = 0; i < privs.length; ++i) {
+ args = new String[] { revoke(shortOption), "-r", TEST_ROLE_NAME_1, "-p",
+ privs[ i ], "-conf",
+ confPath.getAbsolutePath() };
+ SentryShellIndexer.main(args);
+ Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
+ TEST_ROLE_NAME_1, HBASE_INDEXER, service);
+ assertEquals("Incorrect number of privileges", privs.length - (i + 1), privileges.size());
+ }
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER);
+ client.dropRole(requestorName, TEST_ROLE_NAME_2, HBASE_INDEXER);
+ }
+ });
+ }
+
+
+ @Test
+ public void testGrantRevokePrivilegeWithShortOption() throws Exception {
+ assertGrantRevokePrivilege(true);
+ }
+
+ @Test
+ public void testGrantRevokePrivilegeWithLongOption() throws Exception {
+ assertGrantRevokePrivilege(false);
+ }
+
+ @Test
+ public void testNegativeCaseWithInvalidArgument() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ client.createRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER);
+ // test: create duplicate role with -cr
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ SentryShellIndexer sentryShell = new SentryShellIndexer();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for creating duplicate role");
+ } catch (SentryUserException e) {
+ // expected exception
+ }
+
+ // test: drop non-exist role with -dr
+ args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for dropping non-exist role");
+ } catch (SentryUserException e) {
+ // excepted exception
+ }
+
+ // test: add non-exist role to group with -arg
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for granting non-exist role to group");
+ } catch (SentryUserException e) {
+ // excepted exception
+ }
+
+ // test: drop group from non-exist role with -drg
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for drop group from non-exist role");
+ } catch (SentryUserException e) {
+ // excepted exception
+ }
+
+ // test: grant privilege to role with the error privilege format
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=*",
+ "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for the error privilege format, invalid key value.");
+ } catch (IllegalArgumentException e) {
+ // excepted exception
+ }
+
+ // test: grant privilege to role with the error privilege hierarchy
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+ "server=server1->table=tbl1->column=col2->action=insert", "-conf",
+ confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ try {
+ sentryShell.executeShell(args);
+ fail("Exception should be thrown for the error privilege format, invalid key value.");
+ } catch (IllegalArgumentException e) {
+ // expected exception
+ }
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER);
+ }
+ });
+ }
+
+ @Test
+ public void testNegativeCaseWithoutRequiredArgument() throws Exception {
+ runTestAsSubject(new TestOperation() {
+ @Override
+ public void runTestAsSubject() throws Exception {
+ String strOptionConf = "conf";
+ client.createRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER);
+ // test: the conf is required argument
+ String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
+ SentryShellIndexer sentryShell = new SentryShellIndexer();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
+
+ // test: -r is required when create role
+ args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -r is required when drop role
+ args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -r is required when add role to group
+ args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -g is required when add role to group
+ args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
+
+ // test: -r is required when delete role from group
+ args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -g is required when delete role from group
+ args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
+
+ // test: -r is required when grant privilege to role
+ args = new String[] { "-gpr", "-p", "indexer=Indexer1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -p is required when grant privilege to role
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
+
+ // test: action is required in privilege
+ args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath(), "-p", "indexer=Indexer1" };
+ sentryShell = new SentryShellIndexer();
+ try {
+ getShellResultWithOSRedirect(sentryShell, args, false);
+ fail("Expected IllegalArgumentException");
+ } catch (IllegalArgumentException e) {
+ assert("Privilege is invalid: action required but not specified.".equals(e.getMessage()));
+ }
+
+ // test: -r is required when revoke privilege from role
+ args = new String[] { "-rpr", "-p", "indexer=Indexer1", "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+ // test: -p is required when revoke privilege from role
+ args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ validateMissingParameterMsg(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
+
+ // test: command option is required for shell
+ args = new String[] {"-conf", confPath.getAbsolutePath() };
+ sentryShell = new SentryShellIndexer();
+ validateMissingParameterMsgsContains(sentryShell, args,
+ SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[",
+ "-arg Add role to group",
+ "-cr Create role",
+ "-rpr Revoke privilege from role",
+ "-drg Delete role from group",
+ "-lr List role",
+ "-lp List privilege",
+ "-gpr Grant privilege to role",
+ "-dr Drop role");
+
+ // clear the test data
+ client.dropRole(requestorName, TEST_ROLE_NAME_1, HBASE_INDEXER);
+ }
+ });
+ }
+
+ // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
+ private Set<String> getShellResultWithOSRedirect(SentryShellIndexer sentryShell,
+ String[] args, boolean expectedExecuteResult) throws Exception {
+ PrintStream oldOut = System.out;
+ ByteArrayOutputStream outContent = new ByteArrayOutputStream();
+ System.setOut(new PrintStream(outContent));
+ assertEquals(expectedExecuteResult, sentryShell.executeShell(args));
+ String outContentStr = outContent.toString();
+ Set<String> resultSet = outContentStr.length() > 0 ? Sets.<String>newHashSet(outContentStr.split("\n")) : Sets.<String>newHashSet();
+ System.setOut(oldOut);
+ return resultSet;
+ }
+
+ private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) {
+ if (expectedRoleNames != null && expectedRoleNames.length > 0) {
+ assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length,
+ expectedRoleNames.length, roleNames.size());
+ Set<String> lowerCaseRoles = new HashSet<String>();
+ for (String role : roleNames) {
+ lowerCaseRoles.add(role.toLowerCase());
+ }
+
+ for (String expectedRole : expectedRoleNames) {
+ assertTrue("Expected role: " + expectedRole,
+ lowerCaseRoles.contains(expectedRole.toLowerCase()));
+ }
+ }
+ }
+
+ private void validateMissingParameterMsg(SentryShellIndexer sentryShell, String[] args,
+ String expectedErrorMsg) throws Exception {
+ Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
+ assertTrue("Expected error message: " + expectedErrorMsg, errorMsgs.contains(expectedErrorMsg));
+ }
+
+ private void validateMissingParameterMsgsContains(SentryShellIndexer sentryShell, String[] args,
+ String ... expectedErrorMsgsContains) throws Exception {
+ Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
+ boolean foundAllMessages = false;
+ Iterator<String> it = errorMsgs.iterator();
+ while (it.hasNext()) {
+ String errorMessage = it.next();
+ boolean missingExpected = false;
+ for (String expectedContains : expectedErrorMsgsContains) {
+ if (!errorMessage.contains(expectedContains)) {
+ missingExpected = true;
+ break;
+ }
+ }
+ if (!missingExpected) {
+ foundAllMessages = true;
+ break;
+ }
+ }
+ assertTrue(foundAllMessages);
+ }
+}
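Review bot: The negative check at the end of testCaseSensitiveGroupName cannot fail: `validateRoleNames(roleNames)` is called with no expected names, and validateRoleNames skips every assertion when the varargs array is empty, so a `-lr -g GROUP1` lookup that wrongly returned the role would still pass. Replace that call with `assertTrue("Expected no roles for group GROUP1", roleNames.isEmpty());`, or drop the length guard in validateRoleNames so the size comparison always runs. validateRoleNames also lower-cases both sides before comparing, so it cannot detect a case difference in role names either. Similarly, the `assert(...)` on the exception message in testNegativeCaseWithoutRequiredArgument is only evaluated when the JVM runs with assertions enabled; `assertEquals("Privilege is invalid: action required but not specified.", e.getMessage());` checks it unconditionally.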
http://git-wip-us.apache.org/repos/asf/sentry/blob/5a7b0764/sentry-provider/sentry-provider-db/src/test/resources/indexer_case.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/indexer_case.ini b/sentry-provider/sentry-provider-db/src/test/resources/indexer_case.ini
new file mode 100644
index 0000000..f1afe1f
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/resources/indexer_case.ini
@@ -0,0 +1,26 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[groups]
+groupa = RoLe1
+groupb = rOlE1
+groupc = ROLE2
+
+[roles]
+RoLe1 = indexer=*
+rOlE1 = indexer=*
+ROLE2 = indexer=*
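Review bot: The fixture gives no hint that `RoLe1` and `rOlE1` differ only in case on purpose, so a later clean-up of the role names would quietly remove what the compatibility test depends on. testCompatCheck, earlier in this commit and presumably reading this file through CASE_POLICY_INI, asserts one error naming `RoLe1` and `rOlE1` and one warning that also names `ROLE2`. A comment above `[groups]` would do, for example `# Role names collide or change when lower-cased on purpose; used by the -c compatibility check.`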
http://git-wip-us.apache.org/repos/asf/sentry/blob/5a7b0764/sentry-provider/sentry-provider-db/src/test/resources/indexer_config_import_tool.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/indexer_config_import_tool.ini b/sentry-provider/sentry-provider-db/src/test/resources/indexer_config_import_tool.ini
new file mode 100644
index 0000000..c1bfe4b
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/resources/indexer_config_import_tool.ini
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[groups]
+corporal = corporal_role
+sergeant = corporal_role, sergeant_role
+general = corporal_role, sergeant_role, general_role
+commander_in_chief = corporal_role, sergeant_role, general_role, commander_in_chief_role
+
+[roles]
+corporal_role = indexer=info->action=read, \
+ indexer=info->action=write
+sergeant_role = indexer=info->action=write
+general_role = indexer=info->action=*
+commander_in_chief_role = indexer=*
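Review bot: `commander_in_chief_role = indexer=*` carries no action, and nothing in the fixture says that is intended. The import test earlier in this commit, presumably reading this file, expects `Indexer=*->action=*` for this role, so the import path apparently widens a bare resource to every action, while the shell's `-gpr` path rejects a privilege without an action (the "action required but not specified" case in TestSentryShellIndexer). I would either spell the grant out as `commander_in_chief_role = indexer=*->action=*` or add a comment above the line such as `# no action given on purpose: the import is expected to expand this to action=*`.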
http://git-wip-us.apache.org/repos/asf/sentry/blob/5a7b0764/sentry-provider/sentry-provider-db/src/test/resources/indexer_invalid.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/indexer_invalid.ini b/sentry-provider/sentry-provider-db/src/test/resources/indexer_invalid.ini
new file mode 100644
index 0000000..03083a7
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/resources/indexer_invalid.ini
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[groups]
+
+[roles]
+