Posted to commits@sentry.apache.org by sr...@apache.org on 2014/09/23 19:10:24 UTC
git commit: SENTRY-383: Add TestPrivilegeWithGrantOption to cluster
test profile (Prasad Mujumdar via Sravya Tirukkovalur)
Repository: incubator-sentry
Updated Branches:
refs/heads/master a8cd4fbc6 -> b18457d26
SENTRY-383: Add TestPrivilegeWithGrantOption to cluster test profile (Prasad Mujumdar via Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/b18457d2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/b18457d2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/b18457d2
Branch: refs/heads/master
Commit: b18457d2600a412746d3a2ebb03b66c6ed183188
Parents: a8cd4fb
Author: Sravya Tirukkovalur <sr...@clouera.com>
Authored: Tue Sep 23 10:09:56 2014 -0700
Committer: Sravya Tirukkovalur <sr...@clouera.com>
Committed: Tue Sep 23 10:09:56 2014 -0700
----------------------------------------------------------------------
sentry-tests/sentry-tests-hive/pom.xml | 1 +
.../TestPrivilegeWithGrantOption.java | 153 +++++++++++++++----
2 files changed, 122 insertions(+), 32 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b18457d2/sentry-tests/sentry-tests-hive/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/pom.xml b/sentry-tests/sentry-tests-hive/pom.xml
index 067d1ab..10415fc 100644
--- a/sentry-tests/sentry-tests-hive/pom.xml
+++ b/sentry-tests/sentry-tests-hive/pom.xml
@@ -508,6 +508,7 @@ limitations under the License.
<include>**/TestDbPrivilegesAtFunctionScope.java</include>
<include>**/TestDatabaseProvider.java</include>
<include>**/TestDbOperations.java</include>
+ <include>**/TestPrivilegeWithGrantOption.java</include>
</includes>
<argLine>-Dsentry.e2etest.hiveServer2Type=UnmanagedHiveServer2 -Dsentry.e2etest.DFSType=ClusterDFS -Dsentry.e2etest.external.sentry=true</argLine>
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b18457d2/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
index 7cd667e..581350a 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
@@ -17,47 +17,53 @@
package org.apache.sentry.tests.e2e.dbprovider;
+import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import java.sql.Connection;
+import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
-import java.util.HashMap;
-import java.util.Map;
import junit.framework.Assert;
import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.provider.db.SentryAccessDeniedException;
+import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
import org.apache.sentry.tests.e2e.hive.DummySentryOnFailureHook;
import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
-import org.junit.Assume;
import org.junit.Before;
+import org.junit.BeforeClass;
import org.junit.Test;
-public class TestPrivilegeWithGrantOption extends AbstractTestWithDbProvider {
+public class TestPrivilegeWithGrantOption extends AbstractTestWithStaticConfiguration {
- Map<String, String > testProperties;
+ private static boolean isInternalServer = false;
- @Before
- public void setup() throws Exception {
- testProperties = new HashMap<String, String>();
- testProperties.put(HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(),
- DummySentryOnFailureHook.class.getName());
- createContext(testProperties);
- DummySentryOnFailureHook.invoked = false;
-
- // Do not run these tests if run with external HiveServer2
- // This test checks for a static member, which will not
- // be set if HiveServer2 and the test run in different JVMs
+ @BeforeClass
+ public static void setupTestStaticConfiguration() throws Exception {
+ useSentryService = true;
String hiveServer2Type = System
.getProperty(HiveServerFactory.HIVESERVER2_TYPE);
- if(hiveServer2Type != null) {
- Assume.assumeTrue(HiveServerFactory.isInternalServer(
- HiveServerFactory.HiveServer2Type.valueOf(hiveServer2Type.trim())));
+ if ((hiveServer2Type == null)
+ || HiveServerFactory.isInternalServer(HiveServerFactory.HiveServer2Type
+ .valueOf(hiveServer2Type.trim()))) {
+ System.setProperty(
+ HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(),
+ DummySentryOnFailureHook.class.getName());
+ isInternalServer = true;
}
+ AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
+ }
+
+ @Override
+ @Before
+ public void setup() throws Exception {
+ DummySentryOnFailureHook.invoked = false;
+ super.setupAdmin();
+ super.setup();
}
/*
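Review bot: `setupTestStaticConfiguration` now registers `DummySentryOnFailureHook` through `System.setProperty(...)`, which is JVM-wide, and nothing visible in this hunk clears it again. The removed code passed the hook through a per-test `testProperties` map, so with this change test classes that run later in the same JVM may see the failure hook unless the base class clears it, which is not visible here. Consider an `@AfterClass` method that calls `System.clearProperty(HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar());` and resets `isInternalServer` to `false`. A short comment on `isInternalServer` would also help, for example `// true when HiveServer2 runs in this JVM, so the hook's static fields are observable`.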
@@ -74,10 +80,6 @@ public class TestPrivilegeWithGrantOption extends AbstractTestWithDbProvider {
// setup db objects needed by the test
Connection connection = context.createConnection(ADMIN1);
Statement statement = context.createStatement(connection);
- statement.execute("CREATE ROLE admin_role");
- statement.execute("GRANT ALL ON SERVER "
- + HiveServerFactory.DEFAULT_AUTHZ_SERVER_NAME + " TO ROLE admin_role");
- statement.execute("GRANT ROLE admin_role TO GROUP " + ADMINGROUP);
statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
statement.execute("DROP DATABASE IF EXISTS db_2 CASCADE");
statement.execute("CREATE DATABASE db_1");
@@ -97,8 +99,11 @@ public class TestPrivilegeWithGrantOption extends AbstractTestWithDbProvider {
statement.execute("USE db_1");
statement.execute("CREATE TABLE foo (id int)");
- verifyFailureHook(statement,"GRANT ALL ON DATABASE db_1 TO ROLE group2_role",HiveOperation.GRANT_PRIVILEGE,null,null,true);
- verifyFailureHook(statement,"GRANT ALL ON DATABASE db_1 TO ROLE group2_role WITH GRANT OPTION",HiveOperation.GRANT_PRIVILEGE,null,null,true);
+ runSQLWithError(statement, "GRANT ALL ON DATABASE db_1 TO ROLE group2_role",
+ HiveOperation.GRANT_PRIVILEGE, null, null, true);
+ runSQLWithError(statement,
+ "GRANT ALL ON DATABASE db_1 TO ROLE group2_role WITH GRANT OPTION",
+ HiveOperation.GRANT_PRIVILEGE, null, null, true);
connection.close();
connection = context.createConnection(USER3_1);
@@ -108,34 +113,107 @@ public class TestPrivilegeWithGrantOption extends AbstractTestWithDbProvider {
connection = context.createConnection(USER1_1);
statement = context.createStatement(connection);
- verifyFailureHook(statement,"REVOKE ALL ON Database db_1 FROM ROLE admin_role",HiveOperation.REVOKE_PRIVILEGE,null,null,true);
- verifyFailureHook(statement,"REVOKE ALL ON Database db_1 FROM ROLE group2_role",HiveOperation.REVOKE_PRIVILEGE,null,null,true);
- verifyFailureHook(statement,"REVOKE ALL ON Database db_1 FROM ROLE group3_grant_role",HiveOperation.REVOKE_PRIVILEGE,null,null,true);
+ runSQLWithError(statement, "REVOKE ALL ON Database db_1 FROM ROLE admin_role",
+ HiveOperation.REVOKE_PRIVILEGE, null, null, true);
+ runSQLWithError(statement, "REVOKE ALL ON Database db_1 FROM ROLE group2_role",
+ HiveOperation.REVOKE_PRIVILEGE, null, null, true);
+ runSQLWithError(statement,
+ "REVOKE ALL ON Database db_1 FROM ROLE group3_grant_role",
+ HiveOperation.REVOKE_PRIVILEGE, null, null, true);
connection.close();
connection = context.createConnection(USER3_1);
statement = context.createStatement(connection);
statement.execute("REVOKE ALL ON Database db_1 FROM ROLE group2_role");
statement.execute("REVOKE ALL ON Database db_1 FROM ROLE group3_grant_role");
- verifyFailureHook(statement,"REVOKE ALL ON Database db_1 FROM ROLE group1_role",HiveOperation.REVOKE_PRIVILEGE,null,null,true);
+ runSQLWithError(statement, "REVOKE ALL ON Database db_1 FROM ROLE group1_role",
+ HiveOperation.REVOKE_PRIVILEGE, null, null, true);
connection.close();
context.close();
}
+ /**
+ * Test privileges with grant on parent objects are sufficient for operation
+ * on child objects
+ * @throws Exception
+ */
+ @Test
+ public void testImpliedPrivilegesWithGrant() throws Exception {
+ // setup db objects needed by the test
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+
+ statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
+ statement.execute("CREATE DATABASE db_1");
+
+ statement.execute("CREATE ROLE role1");
+ statement
+ .execute("GRANT ALL ON DATABASE db_1 TO ROLE role1 WITH GRANT OPTION");
+ statement.execute("GRANT ROLE role1 TO GROUP " + USERGROUP1);
+
+ statement.execute("CREATE ROLE role2");
+ statement.execute("GRANT ROLE role2 TO GROUP " + USERGROUP2);
+
+ statement.execute("CREATE ROLE role3_1");
+ statement.execute("GRANT ROLE role3_1 TO GROUP " + USERGROUP3);
+
+ statement.execute("CREATE ROLE role3_2");
+ statement.execute("GRANT ROLE role3_2 TO GROUP " + USERGROUP3);
+ connection.close();
+
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+
+ statement.execute("USE db_1");
+ statement.execute("CREATE TABLE foo (id int)");
+ // user1 with grant option of ALL on DB should be able grant ALL on TABLE
+ statement.execute("GRANT ALL ON TABLE foo TO ROLE role2");
+ // user1 with grant option of ALL on DB should be able grant SELECT on DB
+ statement.execute("GRANT SELECT ON DATABASE db_1 TO ROLE role3_1");
+ // user1 with grant option of ALL on DB should be able grant INSERT on TABLE
+ statement.execute("GRANT INSERT ON TABLE foo TO ROLE role3_2");
+ connection.close();
+
+ connection = context.createConnection(ADMIN1);
+ statement = context.createStatement(connection);
+ statement.execute("use db_1");
+ verifySingleGrantWithGrantOption(statement,
+ "SHOW GRANT ROLE role2 ON TABLE foo", 2, "foo");
+ verifySingleGrantWithGrantOption(statement,
+ "SHOW GRANT ROLE role3_1 ON DATABASE db_1", 1, "db_1");
+ verifySingleGrantWithGrantOption(statement,
+ "SHOW GRANT ROLE role3_2 ON TABLE foo", 2, "foo");
+ statement.close();
+ connection.close();
+ }
+
// run the given statement and verify that failure hook is invoked as expected
- private void verifyFailureHook(Statement statement, String sqlStr, HiveOperation expectedOp,
- String dbName, String tableName, boolean checkSentryAccessDeniedException) throws Exception {
+ private void runSQLWithError(Statement statement, String sqlStr,
+ HiveOperation expectedOp, String dbName, String tableName,
+ boolean checkSentryAccessDeniedException) throws Exception {
// negative test case: non admin user can't create role
assertFalse(DummySentryOnFailureHook.invoked);
try {
statement.execute(sqlStr);
Assert.fail("Expected SQL exception for " + sqlStr);
} catch (SQLException e) {
- assertTrue(DummySentryOnFailureHook.invoked);
+ verifyFailureHook(expectedOp, dbName, tableName, checkSentryAccessDeniedException);
} finally {
DummySentryOnFailureHook.invoked = false;
}
+
+ }
+
+ // run the given statement and verify that failure hook is invoked as expected
+ private void verifyFailureHook(HiveOperation expectedOp,
+ String dbName, String tableName, boolean checkSentryAccessDeniedException)
+ throws Exception {
+ if (!isInternalServer) {
+ return;
+ }
+
+ assertTrue(DummySentryOnFailureHook.invoked);
if (expectedOp != null) {
Assert.assertNotNull("Hive op is null for op: " + expectedOp, DummySentryOnFailureHook.hiveOp);
Assert.assertTrue(expectedOp.equals(DummySentryOnFailureHook.hiveOp));
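Review bot: On an external HiveServer2, `verifyFailureHook` returns immediately (`if (!isInternalServer) return;`), so in `runSQLWithError` any `SQLException` passes the GRANT/REVOKE denial cases, including a dropped connection or a parse error. Since this commit adds the class to the cluster profile, the catch block should also confirm that the failure is an authorization denial, for example by asserting on `e.getMessage()` or `e.getSQLState()` against whatever the server reports for access denied (the exact value is not visible here). The comment above `verifyFailureHook` still reads `run the given statement ...`, which now describes only `runSQLWithError`; something like `// verify the failure hook state; skipped when HiveServer2 runs in another JVM` would be accurate. The body of `verifyFailureHook` continues past the end of this hunk.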
@@ -153,4 +231,15 @@ public class TestPrivilegeWithGrantOption extends AbstractTestWithDbProvider {
Assert.assertTrue(dbName.equalsIgnoreCase(DummySentryOnFailureHook.db.getName()));
}
}
+
+ // verify the expected object name at specific position in the SHOW GRANT result
+ private void verifySingleGrantWithGrantOption(Statement statetment,
+ String statementSql, int dbObjectPosition, String dbObjectName)
+ throws Exception {
+ ResultSet res = statetment.executeQuery(statementSql);
+ assertTrue(res.next());
+ assertEquals(dbObjectName, res.getString(dbObjectPosition));
+ res.close();
+ }
+
}
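Review bot: `verifySingleGrantWithGrantOption` asserts only the object name in the first row, so it still passes if the role holds a different action than the one granted, if the grant-option flag is wrong, or if `SHOW GRANT` returns extra rows. For a test of implied privileges it would be stronger to also assert the action and grant-option columns (their positions are not visible in this hunk) and to add `assertFalse(res.next());` after the name check. `res.close()` is skipped when an assertion fails, so closing the result set in a `finally` block would avoid leaking it on the failure path. The parameter name `statetment` is a typo for `statement`.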