Posted to commits@sentry.apache.org by sr...@apache.org on 2014/09/23 19:10:24 UTC

git commit: SENTRY-383: Add TestPrivilegeWithGrantOption to cluster test profile (Prasad Mujumdar via Sravya Tirukkovalur)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master a8cd4fbc6 -> b18457d26


SENTRY-383: Add TestPrivilegeWithGrantOption to cluster test profile (Prasad Mujumdar via Sravya Tirukkovalur)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/b18457d2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/b18457d2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/b18457d2

Branch: refs/heads/master
Commit: b18457d2600a412746d3a2ebb03b66c6ed183188
Parents: a8cd4fb
Author: Sravya Tirukkovalur <sr...@clouera.com>
Authored: Tue Sep 23 10:09:56 2014 -0700
Committer: Sravya Tirukkovalur <sr...@clouera.com>
Committed: Tue Sep 23 10:09:56 2014 -0700

----------------------------------------------------------------------
 sentry-tests/sentry-tests-hive/pom.xml          |   1 +
 .../TestPrivilegeWithGrantOption.java           | 153 +++++++++++++++----
 2 files changed, 122 insertions(+), 32 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b18457d2/sentry-tests/sentry-tests-hive/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/pom.xml b/sentry-tests/sentry-tests-hive/pom.xml
index 067d1ab..10415fc 100644
--- a/sentry-tests/sentry-tests-hive/pom.xml
+++ b/sentry-tests/sentry-tests-hive/pom.xml
@@ -508,6 +508,7 @@ limitations under the License.
           <include>**/TestDbPrivilegesAtFunctionScope.java</include>
           <include>**/TestDatabaseProvider.java</include>
           <include>**/TestDbOperations.java</include>
+          <include>**/TestPrivilegeWithGrantOption.java</include>
         </includes>
         <argLine>-Dsentry.e2etest.hiveServer2Type=UnmanagedHiveServer2 -Dsentry.e2etest.DFSType=ClusterDFS -Dsentry.e2etest.external.sentry=true</argLine>
        </configuration>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/b18457d2/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
index 7cd667e..581350a 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
@@ -17,47 +17,53 @@
 
 package org.apache.sentry.tests.e2e.dbprovider;
 
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
 import java.sql.Connection;
+import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-import java.util.HashMap;
-import java.util.Map;
 
 import junit.framework.Assert;
 
 import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 import org.apache.sentry.provider.db.SentryAccessDeniedException;
+import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
 import org.apache.sentry.tests.e2e.hive.DummySentryOnFailureHook;
 import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
-import org.junit.Assume;
 import org.junit.Before;
+import org.junit.BeforeClass;
 import org.junit.Test;
 
-public class TestPrivilegeWithGrantOption extends AbstractTestWithDbProvider {
+public class TestPrivilegeWithGrantOption extends AbstractTestWithStaticConfiguration {
 
-  Map<String, String > testProperties;
+  private static boolean isInternalServer = false;
 
-  @Before
-  public void setup() throws Exception {
-    testProperties = new HashMap<String, String>();
-    testProperties.put(HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(),
-        DummySentryOnFailureHook.class.getName());
-    createContext(testProperties);
-    DummySentryOnFailureHook.invoked = false;
-
-    // Do not run these tests if run with external HiveServer2
-    // This test checks for a static member, which will not
-    // be set if HiveServer2 and the test run in different JVMs
+  @BeforeClass
+  public static void setupTestStaticConfiguration() throws Exception {
+    useSentryService = true;
     String hiveServer2Type = System
         .getProperty(HiveServerFactory.HIVESERVER2_TYPE);
-    if(hiveServer2Type != null) {
-      Assume.assumeTrue(HiveServerFactory.isInternalServer(
-          HiveServerFactory.HiveServer2Type.valueOf(hiveServer2Type.trim())));
+    if ((hiveServer2Type == null)
+        || HiveServerFactory.isInternalServer(HiveServerFactory.HiveServer2Type
+            .valueOf(hiveServer2Type.trim()))) {
+      System.setProperty(
+        HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(),
+        DummySentryOnFailureHook.class.getName());
+      isInternalServer = true;
     }
+    AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
+  }
+
+  @Override
+  @Before
+  public void setup() throws Exception {
+    DummySentryOnFailureHook.invoked = false;
+    super.setupAdmin();
+    super.setup();
   }
 
   /*
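Review bot: The `System.setProperty(...)` call for `AUTHZ_ONFAILURE_HOOKS` in `setupTestStaticConfiguration` is never undone, and `isInternalServer` is only ever set to `true`, so both can leak into any later test class that runs in the same JVM. Unless the parent's teardown already handles this (not visible here), I would add an `@AfterClass` method that calls `System.clearProperty(HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar());` and assign `isInternalServer = false;` at the top of the setup method before the check. `HiveServer2Type.valueOf(hiveServer2Type.trim())` also throws `IllegalArgumentException` on an unrecognised property value, which will surface as an opaque class-setup error. The class body continues outside this hunk.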
@@ -74,10 +80,6 @@ public class TestPrivilegeWithGrantOption extends AbstractTestWithDbProvider {
     // setup db objects needed by the test
     Connection connection = context.createConnection(ADMIN1);
     Statement statement = context.createStatement(connection);
-    statement.execute("CREATE ROLE admin_role");
-    statement.execute("GRANT ALL ON SERVER "
-        + HiveServerFactory.DEFAULT_AUTHZ_SERVER_NAME + " TO ROLE admin_role");
-    statement.execute("GRANT ROLE admin_role TO GROUP " + ADMINGROUP);
     statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
     statement.execute("DROP DATABASE IF EXISTS db_2 CASCADE");
     statement.execute("CREATE DATABASE db_1");
@@ -97,8 +99,11 @@ public class TestPrivilegeWithGrantOption extends AbstractTestWithDbProvider {
 
     statement.execute("USE db_1");
     statement.execute("CREATE TABLE foo (id int)");
-    verifyFailureHook(statement,"GRANT ALL ON DATABASE db_1 TO ROLE group2_role",HiveOperation.GRANT_PRIVILEGE,null,null,true);
-    verifyFailureHook(statement,"GRANT ALL ON DATABASE db_1 TO ROLE group2_role WITH GRANT OPTION",HiveOperation.GRANT_PRIVILEGE,null,null,true);
+    runSQLWithError(statement, "GRANT ALL ON DATABASE db_1 TO ROLE group2_role",
+        HiveOperation.GRANT_PRIVILEGE, null, null, true);
+    runSQLWithError(statement,
+        "GRANT ALL ON DATABASE db_1 TO ROLE group2_role WITH GRANT OPTION",
+        HiveOperation.GRANT_PRIVILEGE, null, null, true);
     connection.close();
 
     connection = context.createConnection(USER3_1);
@@ -108,34 +113,107 @@ public class TestPrivilegeWithGrantOption extends AbstractTestWithDbProvider {
 
     connection = context.createConnection(USER1_1);
     statement = context.createStatement(connection);
-    verifyFailureHook(statement,"REVOKE ALL ON Database db_1 FROM ROLE admin_role",HiveOperation.REVOKE_PRIVILEGE,null,null,true);
-    verifyFailureHook(statement,"REVOKE ALL ON Database db_1 FROM ROLE group2_role",HiveOperation.REVOKE_PRIVILEGE,null,null,true);
-    verifyFailureHook(statement,"REVOKE ALL ON Database db_1 FROM ROLE group3_grant_role",HiveOperation.REVOKE_PRIVILEGE,null,null,true);
+    runSQLWithError(statement, "REVOKE ALL ON Database db_1 FROM ROLE admin_role",
+        HiveOperation.REVOKE_PRIVILEGE, null, null, true);
+    runSQLWithError(statement, "REVOKE ALL ON Database db_1 FROM ROLE group2_role",
+        HiveOperation.REVOKE_PRIVILEGE, null, null, true);
+    runSQLWithError(statement,
+        "REVOKE ALL ON Database db_1 FROM ROLE group3_grant_role",
+        HiveOperation.REVOKE_PRIVILEGE, null, null, true);
     connection.close();
 
     connection = context.createConnection(USER3_1);
     statement = context.createStatement(connection);
     statement.execute("REVOKE ALL ON Database db_1 FROM ROLE group2_role");
     statement.execute("REVOKE ALL ON Database db_1 FROM ROLE group3_grant_role");
-    verifyFailureHook(statement,"REVOKE ALL ON Database db_1 FROM ROLE group1_role",HiveOperation.REVOKE_PRIVILEGE,null,null,true);
+    runSQLWithError(statement, "REVOKE ALL ON Database db_1 FROM ROLE group1_role",
+        HiveOperation.REVOKE_PRIVILEGE, null, null, true);
 
     connection.close();
     context.close();
   }
 
+  /**
+   * Test privileges with grant on parent objects are sufficient for operation
+   * on child objects
+   * @throws Exception
+   */
+  @Test
+  public void testImpliedPrivilegesWithGrant() throws Exception {
+    // setup db objects needed by the test
+    Connection connection = context.createConnection(ADMIN1);
+    Statement statement = context.createStatement(connection);
+
+    statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
+    statement.execute("CREATE DATABASE db_1");
+
+    statement.execute("CREATE ROLE role1");
+    statement
+        .execute("GRANT ALL ON DATABASE db_1 TO ROLE role1 WITH GRANT OPTION");
+    statement.execute("GRANT ROLE role1 TO GROUP " + USERGROUP1);
+
+    statement.execute("CREATE ROLE role2");
+    statement.execute("GRANT ROLE role2 TO GROUP " + USERGROUP2);
+
+    statement.execute("CREATE ROLE role3_1");
+    statement.execute("GRANT ROLE role3_1 TO GROUP " + USERGROUP3);
+
+    statement.execute("CREATE ROLE role3_2");
+    statement.execute("GRANT ROLE role3_2 TO GROUP " + USERGROUP3);
+    connection.close();
+
+    connection = context.createConnection(USER1_1);
+    statement = context.createStatement(connection);
+
+    statement.execute("USE db_1");
+    statement.execute("CREATE TABLE foo (id int)");
+    // user1 with grant option of ALL on DB should be able grant ALL on TABLE
+    statement.execute("GRANT ALL ON TABLE foo TO ROLE role2");
+    // user1 with grant option of ALL on DB should be able grant SELECT on DB
+    statement.execute("GRANT SELECT ON DATABASE db_1 TO ROLE role3_1");
+    // user1 with grant option of ALL on DB should be able grant INSERT on TABLE
+    statement.execute("GRANT INSERT ON TABLE foo TO ROLE role3_2");
+    connection.close();
+
+    connection = context.createConnection(ADMIN1);
+    statement = context.createStatement(connection);
+    statement.execute("use db_1");
+    verifySingleGrantWithGrantOption(statement,
+        "SHOW GRANT ROLE role2 ON TABLE foo", 2, "foo");
+    verifySingleGrantWithGrantOption(statement,
+        "SHOW GRANT ROLE role3_1 ON DATABASE db_1", 1, "db_1");
+    verifySingleGrantWithGrantOption(statement,
+        "SHOW GRANT ROLE role3_2 ON TABLE foo", 2, "foo");
+    statement.close();
+    connection.close();
+  }
+
   // run the given statement and verify that failure hook is invoked as expected
-  private void verifyFailureHook(Statement statement, String sqlStr, HiveOperation expectedOp,
-       String dbName, String tableName, boolean checkSentryAccessDeniedException) throws Exception {
+  private void runSQLWithError(Statement statement, String sqlStr,
+      HiveOperation expectedOp, String dbName, String tableName,
+      boolean checkSentryAccessDeniedException) throws Exception {
     // negative test case: non admin user can't create role
     assertFalse(DummySentryOnFailureHook.invoked);
     try {
       statement.execute(sqlStr);
       Assert.fail("Expected SQL exception for " + sqlStr);
     } catch (SQLException e) {
-      assertTrue(DummySentryOnFailureHook.invoked);
+      verifyFailureHook(expectedOp, dbName, tableName, checkSentryAccessDeniedException);
     } finally {
       DummySentryOnFailureHook.invoked = false;
     }
+
+  }
+
+  // run the given statement and verify that failure hook is invoked as expected
+  private void verifyFailureHook(HiveOperation expectedOp,
+      String dbName, String tableName, boolean checkSentryAccessDeniedException)
+      throws Exception {
+    if (!isInternalServer) {
+      return;
+    }
+
+    assertTrue(DummySentryOnFailureHook.invoked);
     if (expectedOp != null) {
       Assert.assertNotNull("Hive op is null for op: " + expectedOp, DummySentryOnFailureHook.hiveOp);
       Assert.assertTrue(expectedOp.equals(DummySentryOnFailureHook.hiveOp));
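Review bot: In `runSQLWithError`, when the suite runs against an external HiveServer2 (`isInternalServer` false), `verifyFailureHook` returns immediately, so any `SQLException` (a dropped connection, a parse error, a missing role) is counted as a successful authorization denial. Since these calls exist to prove that GRANT and REVOKE are refused, the cluster path should still inspect the exception, for example `assertTrue(sqlStr, String.valueOf(e.getMessage()).contains(EXPECTED_DENIED_TEXT));`, where `EXPECTED_DENIED_TEXT` is a placeholder for whatever the server returns on a denied statement. The comments are stale too: `// negative test case: non admin user can't create role` does not describe these statements, and the comment above `verifyFailureHook` is a copy of the one above `runSQLWithError`. I would change the latter to `// check the state recorded by DummySentryOnFailureHook; skipped when HiveServer2 runs in another JVM`. `verifyFailureHook` continues past the end of this hunk.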
@@ -153,4 +231,15 @@ public class TestPrivilegeWithGrantOption extends AbstractTestWithDbProvider {
       Assert.assertTrue(dbName.equalsIgnoreCase(DummySentryOnFailureHook.db.getName()));
     }
   }
+
+  // verify the expected object name at specific position in the SHOW GRANT result
+  private void verifySingleGrantWithGrantOption(Statement statetment,
+      String statementSql, int dbObjectPosition, String dbObjectName)
+      throws Exception {
+    ResultSet res = statetment.executeQuery(statementSql);
+    assertTrue(res.next());
+    assertEquals(dbObjectName, res.getString(dbObjectPosition));
+    res.close();
+  }
+
 }
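Review bot: `verifySingleGrantWithGrantOption` asserts only the object name in the first row, so it checks neither that the grant is single nor which privilege was recorded. A `GRANT INSERT ON TABLE foo` stored as a broader privilege would still pass. Add `assertFalse("more than one grant returned by " + statementSql, res.next());` after the `assertEquals`, and consider asserting the privilege and grant-option columns as well (their positions in the SHOW GRANT output are not visible here). `res.close()` is skipped when an assertion fails, so it belongs in a `finally` block. The parameter name `statetment` is a typo for `statement`.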