Posted to commits@sentry.apache.org by sp...@apache.org on 2018/06/27 16:47:37 UTC
[10/17] sentry git commit: SENTRY-2282: Remove hive-authzv2 binding
and tests modules completely (Sergio Pena, reviewed by Na Li)
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegeCleanupOnDrop.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegeCleanupOnDrop.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegeCleanupOnDrop.java
deleted file mode 100644
index 767bcbe..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegeCleanupOnDrop.java
+++ /dev/null
@@ -1,354 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.tests.e2e.dbprovider;
-
-import static org.hamcrest.Matchers.is;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertThat;
-import static org.junit.Assert.assertTrue;
-
-import java.io.File;
-import java.io.FileOutputStream;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.Lists;
-import com.google.common.io.Resources;
-
-public class TestDbPrivilegeCleanupOnDrop extends
- AbstractTestWithStaticConfiguration {
-
- private final static int SHOW_GRANT_TABLE_POSITION = 2;
- private final static int SHOW_GRANT_DB_POSITION = 1;
-
- private final String SINGLE_TYPE_DATA_FILE_NAME = "kv1.dat";
-
- private final static String tableName1 = "tb_1";
- private final static String tableName2 = "tb_2";
- private final static String tableName3 = "tb_3";
- private final static String tableName4 = "tb_4";
- private final static String renameTag = "_new";
-
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- useSentryService = true;
- if (!setMetastoreListener) {
- setMetastoreListener = true;
- }
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
- }
-
- @Override
- @Before
- public void setup() throws Exception {
- super.setupAdmin();
- super.setup();
- // context = createContext();
- File dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
- FileOutputStream to = new FileOutputStream(dataFile);
- Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
- to.close();
- }
-
- @After
- public void tearDown() throws Exception {
- if (context != null) {
- context.close();
- }
- }
-
- /**
- * drop table and verify that the no privileges are referring to it drop db
- * and verify that the no privileges are referring to it drop db cascade
- * verify that the no privileges are referring to db and tables under it
- *
- * @throws Exception
- */
- @Test
- public void testDropObjects() throws Exception {
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
-
- setupRoles(statement); // create required roles
- setupDbObjects(statement); // create test DBs and Tables
- setupPrivileges(statement); // setup privileges for USER1
- dropDbObjects(statement); // drop objects
- verifyPrivilegesDropped(statement); // verify privileges are removed
-
- statement.close();
- connection.close();
- }
-
- /**
- * Return the remaining rows of the current resultSet
- * Cautiously it will modify the cursor position of the resultSet
- *
- */
- private void assertRemainingRows(ResultSet resultSet, int expected) throws SQLException{
- int count = 0;
- while(resultSet.next()) {
- count++;
- }
- assertThat(count, is(expected));
- }
-
- /**
- * drop table and verify that the no privileges are referring to it drop db
- * and verify that the no privileges are referring to it drop db cascade
- * verify that the no privileges are referring to db and tables under it
- *
- * @throws Exception
- */
- @Test
- public void testReCreateObjects() throws Exception {
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- setupRoles(statement); // create required roles
- setupDbObjects(statement); // create test DBs and Tables
- setupPrivileges(statement); // setup privileges for USER1
- dropDbObjects(statement); // drop DB and tables
-
- setupDbObjects(statement); // recreate same DBs and tables
- verifyPrivilegesDropped(statement); // verify the stale privileges removed
- }
-
- /**
- * rename table and verify that the no privileges are referring to it old table
- * verify that the same privileges are created for the new table name
- *
- * @throws Exception
- */
- @Test
- public void testRenameTables() throws Exception {
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
-
- setupRoles(statement); // create required roles
- setupDbObjects(statement); // create test DBs and Tables
- setupPrivileges(statement); // setup privileges for USER1
-
- // verify privileges on the created tables
- statement.execute("USE " + DB2);
- verifyTablePrivilegeExist(statement,
- Lists.newArrayList("select_tbl1", "insert_tbl1", "all_tbl1"),
- tableName1);
- verifyTablePrivilegeExist(statement, Lists.newArrayList("all_tbl2"),
- tableName2);
-
- renameTables(statement); // alter tables to rename
-
- // verify privileges removed for old tables
- verifyTablePrivilegesDropped(statement);
-
- // verify privileges created for new tables
- statement.execute("USE " + DB2);
- verifyTablePrivilegeExist(statement,
- Lists.newArrayList("select_tbl1", "insert_tbl1", "all_tbl1"),
- tableName1 + renameTag);
- verifyTablePrivilegeExist(statement, Lists.newArrayList("all_tbl2"),
- tableName2 + renameTag);
-
- statement.close();
- connection.close();
- }
-
- /**
- * After we drop/rename table, we will drop/rename all privileges(ALL,SELECT,INSERT,ALTER,DROP...)
- * from this role
- *
- * @throws Exception
- */
- @Test
- public void testDropAndRenameWithMultiAction() throws Exception {
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE ROLE user_role");
- statement.execute("GRANT ROLE user_role TO GROUP " + USERGROUP1);
-
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("USE " + DB1);
- statement.execute("CREATE TABLE t1 (c1 string)");
-
- // Grant SELECT/INSERT/DROP/ALTER to TABLE t1
- statement.execute("GRANT SELECT ON TABLE t1 TO ROLE user_role");
- statement.execute("GRANT INSERT ON TABLE t1 TO ROLE user_role");
- statement.execute("GRANT ALTER ON TABLE t1 TO ROLE user_role");
- statement.execute("GRANT DROP ON TABLE t1 TO ROLE user_role");
- // For rename, grant CREATE to DB1
- statement.execute("GRANT CREATE ON DATABASE " + DB1 + " TO ROLE user_role");
-
- // After rename table t1 to t2, user_role will have no permission to drop t1
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("USE " + DB1);
- statement.execute("ALTER TABLE t1 RENAME TO t2");
- context.assertSentrySemanticException(statement, "drop table t1", semanticException);
-
- // After rename table t1 to t2, user_role should have permission to drop t2
- statement.execute("drop table t2");
- ResultSet resultSet = statement.executeQuery("SHOW GRANT ROLE user_role");
- // user_role will revoke all privilege from table t2, only remain CREATE on db_1
- assertRemainingRows(resultSet, 1);
-
- statement.close();
- connection.close();
- }
-
- // Create test roles
- private void setupRoles(Statement statement) throws Exception {
- statement.execute("CREATE ROLE all_db1");
- statement.execute("CREATE ROLE read_db1");
- statement.execute("CREATE ROLE select_tbl1");
- statement.execute("CREATE ROLE insert_tbl1");
- statement.execute("CREATE ROLE all_tbl1");
- statement.execute("CREATE ROLE all_tbl2");
- statement.execute("CREATE ROLE all_prod");
-
- statement.execute("GRANT ROLE all_db1, read_db1, select_tbl1, insert_tbl1,"
- + " all_tbl1, all_tbl2, all_prod to GROUP " + USERGROUP1);
-
- statement.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
- statement.execute("DROP DATABASE IF EXISTS " + DB2 + " CASCADE");
- }
-
- // create test DBs and Tables
- private void setupDbObjects(Statement statement) throws Exception {
- statement.execute("CREATE DATABASE " + DB1);
- statement.execute("CREATE DATABASE " + DB2);
- statement.execute("create table " + DB2 + "." + tableName1
- + " (under_col int comment 'the under column', value string)");
- statement.execute("create table " + DB2 + "." + tableName2
- + " (under_col int comment 'the under column', value string)");
- statement.execute("create table " + DB1 + "." + tableName3
- + " (under_col int comment 'the under column', value string)");
- statement.execute("create table " + DB1 + "." + tableName4
- + " (under_col int comment 'the under column', value string)");
- }
-
- // Create privileges on DB and Tables
- private void setupPrivileges(Statement statement) throws Exception {
- statement.execute("GRANT ALL ON DATABASE " + DB1 + " TO ROLE all_db1");
- statement.execute("GRANT SELECT ON DATABASE " + DB1
- + " TO ROLE read_db1");
- statement.execute("GRANT ALL ON DATABASE " + DB2 + " TO ROLE all_prod");
- statement.execute("USE " + DB2);
- statement.execute("GRANT SELECT ON TABLE " + tableName1
- + " TO ROLE select_tbl1");
- statement.execute("GRANT INSERT ON TABLE " + tableName1
- + " TO ROLE insert_tbl1");
- statement.execute("GRANT ALL ON TABLE " + tableName1 + " TO ROLE all_tbl1");
- statement.execute("GRANT ALL ON TABLE " + tableName2 + " TO ROLE all_tbl2");
- }
-
- // Drop test DBs and Tables
- private void dropDbObjects(Statement statement) throws Exception {
- statement.execute("DROP TABLE " + DB2 + "." + tableName1);
- statement.execute("DROP TABLE " + DB2 + "." + tableName2);
- statement.execute("DROP DATABASE " + DB2);
- statement.execute("DROP DATABASE " + DB1 + " CASCADE");
- }
-
- // rename tables
- private void renameTables(Statement statement) throws Exception {
- statement.execute("USE " + DB2);
- statement.execute("ALTER TABLE " + tableName1 + " RENAME TO " + tableName1
- + renameTag);
- statement.execute("ALTER TABLE " + tableName2 + " RENAME TO " + tableName2
- + renameTag);
- statement.execute("USE " + DB1);
- statement.execute("ALTER TABLE " + tableName3 + " RENAME TO " + tableName3
- + renameTag);
- statement.execute("ALTER TABLE " + tableName4 + " RENAME TO " + tableName4
- + renameTag);
- }
-
- // verify all the test privileges are dropped as we drop the objects
- private void verifyPrivilegesDropped(Statement statement)
- throws Exception {
- verifyDbPrivilegesDropped(statement);
- verifyTablePrivilegesDropped(statement);
- }
-
- // verify all the test privileges are dropped as we drop the objects
- private void verifyTablePrivilegesDropped(Statement statement)
- throws Exception {
- List<String> roles = getRoles(statement);
- verifyPrivilegeDropped(statement, roles, tableName1,
- SHOW_GRANT_TABLE_POSITION);
- verifyPrivilegeDropped(statement, roles, tableName2,
- SHOW_GRANT_TABLE_POSITION);
- verifyPrivilegeDropped(statement, roles, tableName3,
- SHOW_GRANT_TABLE_POSITION);
- verifyPrivilegeDropped(statement, roles, tableName4,
- SHOW_GRANT_TABLE_POSITION);
-
- }
-
- // verify all the test privileges are dropped as we drop the objects
- private void verifyDbPrivilegesDropped(Statement statement) throws Exception {
- List<String> roles = getRoles(statement);
- verifyPrivilegeDropped(statement, roles, DB2, SHOW_GRANT_DB_POSITION);
- verifyPrivilegeDropped(statement, roles, DB1, SHOW_GRANT_DB_POSITION);
-
- }
-
- // verify given table/DB has no longer permissions
- private void verifyPrivilegeDropped(Statement statement, List<String> roles,
- String objectName, int resultPos) throws Exception {
- for (String roleName : roles) {
- ResultSet resultSet = statement.executeQuery("SHOW GRANT ROLE "
- + roleName);
- while (resultSet.next()) {
- String returned = resultSet.getString(resultPos);
- assertFalse("value " + objectName + " shouldn't be detected, but actually " + returned + " is found from resultSet",
- objectName.equalsIgnoreCase(returned));
- }
- resultSet.close();
- }
- }
-
- // verify given table is part of the role
- private void verifyTablePrivilegeExist(Statement statement,
- List<String> roles, String tableName) throws Exception {
- for (String roleName : roles) {
- ResultSet resultSet = statement.executeQuery("SHOW GRANT ROLE "
- + roleName + " ON TABLE " + tableName);
- assertTrue(resultSet.next());
- resultSet.close();
- }
- }
-
- private List<String> getRoles(Statement statement) throws Exception {
- ArrayList<String> roleList = Lists.newArrayList();
- ResultSet resultSet = statement.executeQuery("SHOW ROLES ");
- while (resultSet.next()) {
- roleList.add(resultSet.getString(1));
- }
- return roleList;
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtColumnScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtColumnScope.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtColumnScope.java
deleted file mode 100644
index 659c61f..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtColumnScope.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.dbprovider;
-
-import org.apache.sentry.tests.e2e.hive.TestPrivilegesAtColumnScope;
-import org.junit.Before;
-import org.junit.BeforeClass;
-
-public class TestDbPrivilegesAtColumnScope extends TestPrivilegesAtColumnScope {
- @Override
- @Before
- public void setup() throws Exception {
- setupAdmin();
- super.setup();
- }
-
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- useSentryService = true;
- TestPrivilegesAtColumnScope.setupTestStaticConfiguration();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtDatabaseScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtDatabaseScope.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtDatabaseScope.java
deleted file mode 100644
index 883bedd..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtDatabaseScope.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.dbprovider;
-
-import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
-import org.apache.sentry.tests.e2e.hive.TestPrivilegesAtDatabaseScope;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class TestDbPrivilegesAtDatabaseScope extends
- TestPrivilegesAtDatabaseScope {
- private static final Logger LOGGER = LoggerFactory.
- getLogger(TestDbPrivilegesAtDatabaseScope.class);
-
- @Override
- @Before
- public void setup() throws Exception {
- LOGGER.info("TestDbPrivilegesAtDatabaseScope setup");
- super.setupAdmin();
- super.setup();
- }
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- LOGGER.info("TestDbPrivilegesAtDatabaseScope setupTestStaticConfiguration");
- useSentryService = true;
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtFunctionScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtFunctionScope.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtFunctionScope.java
deleted file mode 100644
index cebad98..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtFunctionScope.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.tests.e2e.dbprovider;
-
-import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
-import org.apache.sentry.tests.e2e.hive.TestPrivilegesAtFunctionScope;
-import org.junit.Before;
-import org.junit.BeforeClass;
-
-public class TestDbPrivilegesAtFunctionScope extends
- TestPrivilegesAtFunctionScope {
- @Override
- @Before
- public void setup() throws Exception {
- super.setupAdmin();
- super.setup();
- }
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- useSentryService = true;
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
-
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtTableScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtTableScope.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtTableScope.java
deleted file mode 100644
index a4f07df..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegesAtTableScope.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.dbprovider;
-
-import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
-import org.apache.sentry.tests.e2e.hive.TestPrivilegesAtTableScope;
-import org.junit.Before;
-import org.junit.BeforeClass;
-
-public class TestDbPrivilegesAtTableScope extends TestPrivilegesAtTableScope {
- @Override
- @Before
- public void setup() throws Exception {
- super.setupAdmin();
- super.setup();
- prepareDBDataForTest();
- }
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- useSentryService = true;
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbRuntimeMetadataRetrieval.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbRuntimeMetadataRetrieval.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbRuntimeMetadataRetrieval.java
deleted file mode 100644
index 8d98179..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbRuntimeMetadataRetrieval.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.tests.e2e.dbprovider;
-
-import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
-import org.apache.sentry.tests.e2e.hive.TestRuntimeMetadataRetrieval;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class TestDbRuntimeMetadataRetrieval extends
- TestRuntimeMetadataRetrieval {
- private static final Logger LOGGER = LoggerFactory.
- getLogger(TestDbRuntimeMetadataRetrieval.class);
-
- @Override
- @Before
- public void setup() throws Exception {
- LOGGER.info("TestDbRuntimeMetadataRetrieval setup");
- super.setupAdmin();
- super.setup();
- }
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- LOGGER.info("TestDbRuntimeMetadataRetrieval setupTestStaticConfiguration");
- useSentryService = true;
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
-
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSandboxOps.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSandboxOps.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSandboxOps.java
deleted file mode 100644
index fa429e7..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSandboxOps.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.tests.e2e.dbprovider;
-
-import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
-import org.apache.sentry.tests.e2e.hive.TestSandboxOps;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Ignore;
-import org.junit.Test;
-
-public class TestDbSandboxOps extends TestSandboxOps {
- @Override
- @Before
- public void setup() throws Exception {
- super.setupAdmin();
- super.setup();
- }
-
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- useSentryService = true;
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
-
- }
-
- @Ignore
- @Test
- public void testPerDbPolicyOnDFS() throws Exception {
- // TODO : Looks like the test in the base class is specifically meant for
- // File based providers... Since it is assuming that multiple policy files
- // in DFS would be handled by the provider..
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
deleted file mode 100644
index ee7840b..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbSentryOnFailureHookLoading.java
+++ /dev/null
@@ -1,271 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.dbprovider;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.junit.Assert;
-
-import org.apache.hadoop.hive.ql.plan.HiveOperation;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.tests.e2e.hive.DummySentryOnFailureHook;
-import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
-import org.junit.After;
-import org.junit.Assume;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-public class TestDbSentryOnFailureHookLoading extends AbstractTestWithDbProvider {
-
-
- @BeforeClass
- public static void setup() throws Exception {
- properties = new HashMap<String, String>();
- properties.put(HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(),
- DummySentryOnFailureHook.class.getName());
- createContext();
- DummySentryOnFailureHook.invoked = false;
-
- // Do not run these tests if run with external HiveServer2
- // This test checks for a static member, which will not
- // be set if HiveServer2 and the test run in different JVMs
- String hiveServer2Type = System
- .getProperty(HiveServerFactory.HIVESERVER2_TYPE);
- if(hiveServer2Type != null) {
- Assume.assumeTrue(HiveServerFactory.isInternalServer(
- HiveServerFactory.HiveServer2Type.valueOf(hiveServer2Type.trim())));
- }
- }
-
- @After
- public void clearDB() throws Exception {
- Connection connection;
- Statement statement;
- connection = context.createConnection(ADMIN1);
- statement = context.createStatement(connection);
- ResultSet resultSet;
- resultSet = statement.executeQuery("SHOW roles");
- List<String> roles = new ArrayList<String>();
- while ( resultSet.next()) {
- roles.add(resultSet.getString(1));
- }
- for(String role:roles) {
- statement.execute("DROP Role " + role);
- }
-
- statement.close();
- connection.close();
- if (context != null) {
- context.close();
- }
- }
-
- /* Admin creates database DB_2
- * user1 tries to drop DB_2, but it has permissions for DB_1.
- */
- @Test
- public void testOnFailureHookLoading() throws Exception {
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- try {
- statement.execute("DROP ROLE admin_role");
- } catch (Exception ex) {
- //It is ok if admin_role already exists
- }
- statement.execute("CREATE ROLE admin_role");
- statement.execute("GRANT ALL ON SERVER "
- + HiveServerFactory.DEFAULT_AUTHZ_SERVER_NAME + " TO ROLE admin_role");
- statement.execute("GRANT ROLE admin_role TO GROUP " + ADMINGROUP);
-
- statement.execute("DROP DATABASE IF EXISTS DB_1 CASCADE");
- statement.execute("DROP DATABASE IF EXISTS DB_2 CASCADE");
- statement.execute("CREATE DATABASE DB_1");
- statement.execute("CREATE DATABASE DB_2");
- statement.execute("CREATE TABLE db_2.tab1(a int )");
-
- statement.execute("CREATE ROLE all_db1");
- statement.execute("GRANT ALL ON DATABASE DB_1 TO ROLE all_db1");
- statement.execute("GRANT ROLE all_db1 TO GROUP " + USERGROUP1);
-
- statement.execute("CREATE ROLE lock_db2_tab1");
- statement.execute("GRANT ROLE lock_db2_tab1 TO GROUP " + USERGROUP1);
-
- statement.execute("USE db_2");
- statement.execute("GRANT LOCK ON TABLE tab1 TO ROLE lock_db2_tab1");// To give user1 privilege to do USE db_2
- statement.close();
- connection.close();
-
- // test execution
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
-
- // Failure hook for create table when table doesnt exist
- verifyFailureHook(statement, "CREATE TABLE DB_2.TAB2(id INT)", HiveOperation.CREATETABLE, "db_2", null, false);
-
- // Failure hook for create table when table exist
- verifyFailureHook(statement, "CREATE TABLE DB_2.TAB1(id INT)", HiveOperation.CREATETABLE, "db_2", null, false);
-
- // Failure hook for select * from table when table exist
- verifyFailureHook(statement, "select * from db_2.tab1", HiveOperation.QUERY,
- null, null, false);
-
- //Denied alter table invokes failure hook
- statement.execute("USE DB_2");
- verifyFailureHook(statement, "ALTER TABLE tab1 CHANGE id id1 INT", HiveOperation.ALTERTABLE_RENAMECOL,
- "db_2", null, false);
-
- statement.close();
- connection.close();
-
- //test cleanup
- connection = context.createConnection(ADMIN1);
- statement = context.createStatement(connection);
- statement.execute("DROP DATABASE DB_1 CASCADE");
- statement.execute("DROP DATABASE DB_2 CASCADE");
- statement.close();
- connection.close();
- context.close();
- }
-
- /*
- * Admin creates database DB_2 user1 tries to drop DB_2, but it has
- * permissions for DB_1.
- */
- @Test
- public void testOnFailureHookForAuthDDL() throws Exception {
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE ROLE admin_role");
- statement.execute("GRANT ALL ON SERVER "
- + HiveServerFactory.DEFAULT_AUTHZ_SERVER_NAME + " TO ROLE admin_role");
- statement.execute("GRANT ROLE admin_role TO GROUP " + ADMINGROUP);
- statement.execute("DROP DATABASE IF EXISTS DB_1 CASCADE");
- statement.execute("DROP DATABASE IF EXISTS DB_2 CASCADE");
- statement.execute("CREATE DATABASE DB_1");
- statement.execute("CREATE TABLE DB_1.tab1(a int )");
- statement.execute("CREATE ROLE all_db1");
- statement.execute("GRANT ALL ON DATABASE DB_1 TO ROLE all_db1");
- statement.execute("GRANT ROLE all_db1 TO GROUP " + USERGROUP1);
- connection.close();
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
-
- statement.execute("USE DB_1");
- statement.execute("CREATE TABLE foo (id int)");
-
- verifyFailureHook(statement, "CREATE ROLE fooTest",
- HiveOperation.CREATEROLE, null, null, true);
-
- verifyFailureHook(statement, "DROP ROLE fooTest",
- HiveOperation.DROPROLE, null, null, true);
-
- verifyFailureHook(statement,
- "GRANT ALL ON SERVER server1 TO ROLE admin_role",
- HiveOperation.GRANT_PRIVILEGE, null, null, true);
-
- verifyFailureHook(statement,
- "REVOKE ALL ON SERVER server1 FROM ROLE admin_role",
- HiveOperation.REVOKE_PRIVILEGE, null, null, true);
-
- verifyFailureHook(statement, "GRANT ROLE all_db1 TO GROUP " + USERGROUP1,
- HiveOperation.GRANT_ROLE, null, null, true);
-
- verifyFailureHook(statement,
- "REVOKE ROLE all_db1 FROM GROUP " + USERGROUP1,
- HiveOperation.REVOKE_ROLE, null, null, true);
-
- verifyFailureHook(statement, "SHOW ROLES",
- HiveOperation.SHOW_ROLES, null, null, true);
-
- verifyFailureHook(statement, "SHOW ROLE GRANT group group1",
- HiveOperation.SHOW_ROLE_GRANT, null, null, true);
-
- verifyFailureHook(statement, "SHOW GRANT role role1",
- HiveOperation.SHOW_GRANT, null, null, true);
-
- //Should pass as user1_1 is granted role all_db1
- statement.execute("SHOW GRANT role all_db1");
-
- //Grant privilege on table doesnt expose db and table objects
- verifyFailureHook(statement,
- "GRANT ALL ON TABLE db_1.tab1 TO ROLE admin_role",
- HiveOperation.GRANT_PRIVILEGE, null, null, true);
-
- //Revoke privilege on table doesnt expose db and table objects
- verifyFailureHook(statement,
- "REVOKE ALL ON TABLE db_1.tab1 FROM ROLE admin_role",
- HiveOperation.REVOKE_PRIVILEGE, null, null, true);
-
- //Grant privilege on database doesnt expose db and table objects
- verifyFailureHook(statement,
- "GRANT ALL ON Database db_1 TO ROLE admin_role",
- HiveOperation.GRANT_PRIVILEGE, null, null, true);
-
- //Revoke privilege on database doesnt expose db and table objects
- verifyFailureHook(statement,
- "REVOKE ALL ON Database db_1 FROM ROLE admin_role",
- HiveOperation.REVOKE_PRIVILEGE, null, null, true);
-
- statement.close();
- connection.close();
- context.close();
- }
-
- // run the given statement and verify that failure hook is invoked as expected
- private void verifyFailureHook(Statement statement, String sqlStr, HiveOperation expectedOp,
- String dbName, String tableName, boolean checkSentryAccessDeniedException) throws Exception {
- // negative test case: non admin user can't create role
- Assert.assertFalse(DummySentryOnFailureHook.invoked);
- try {
- statement.execute(sqlStr);
- Assert.fail("Expected SQL exception for " + sqlStr);
- } catch (SQLException e) {
- Assert.assertTrue("FailureHook is not ran : " + e.getMessage(), DummySentryOnFailureHook.invoked);
- } finally {
- DummySentryOnFailureHook.invoked = false;
- }
- if (expectedOp != null) {
- Assert.assertNotNull("Hive op is null for op: " + expectedOp, DummySentryOnFailureHook.hiveOp);
- Assert.assertTrue(expectedOp.equals(DummySentryOnFailureHook.hiveOp));
- }
- if (checkSentryAccessDeniedException) {
- Assert.assertTrue("Expected SentryDeniedException for op: " + expectedOp,
- DummySentryOnFailureHook.exception.getCause() instanceof SentryAccessDeniedException);
- }
- if(tableName != null) {
- Assert.assertNotNull("Table object is null for op: " + expectedOp, DummySentryOnFailureHook.table);
- Assert.assertTrue(tableName.equalsIgnoreCase(DummySentryOnFailureHook.table.getName()));
- }
- if(dbName != null) {
- Assert.assertNotNull("Database object is null for op: " + expectedOp, DummySentryOnFailureHook.db);
- Assert.assertTrue(dbName.equalsIgnoreCase(DummySentryOnFailureHook.db.getName()));
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbUriPermissions.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbUriPermissions.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbUriPermissions.java
deleted file mode 100644
index 1a90e06..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbUriPermissions.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.tests.e2e.dbprovider;
-
-import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
-import org.apache.sentry.tests.e2e.hive.TestUriPermissions;
-import org.junit.Before;
-import org.junit.BeforeClass;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-public class TestDbUriPermissions extends TestUriPermissions {
- private static final Logger LOGGER = LoggerFactory.
- getLogger(TestDbUriPermissions.class);
-
- @Override
- @Before
- public void setup() throws Exception {
- LOGGER.info("TestDbUriPermissions setup");
- super.setupAdmin();
- super.setup();
- }
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- LOGGER.info("TestDbUriPermissions setupTestStaticConfiguration");
- useSentryService = true;
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
-
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestGrantUserToRole.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestGrantUserToRole.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestGrantUserToRole.java
deleted file mode 100644
index 5364937..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestGrantUserToRole.java
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.dbprovider;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.Sets;
-
-public class TestGrantUserToRole extends AbstractTestWithStaticConfiguration {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(TestGrantUserToRole.class);
-
- private static String ROLENAME1 = "testGrantUserToRole_r1";
- private static String ROLENAME2 = "testGrantUserToRole_r2";
- private static String ROLENAME3 = "testGrantUserToRole_r3";
-
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- useSentryService = true;
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
- }
-
- @Override
- @Before
- public void setup() throws Exception {
- super.setupAdmin();
- super.setup();
- prepareTestData();
- }
-
- private void prepareTestData() throws Exception {
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE ROLE " + ROLENAME1);
- statement.execute("CREATE ROLE " + ROLENAME2);
- statement.execute("CREATE ROLE " + ROLENAME3);
- // grant role to groups and users as the following:
- statement.execute("GRANT ROLE " + ROLENAME1 + " TO GROUP " + USERGROUP1);
- statement.execute("GRANT ROLE " + ROLENAME2 + " TO GROUP " + USERGROUP2);
- statement.execute("GRANT ROLE " + ROLENAME3 + " TO USER " + USER2_1);
- statement.execute("GRANT ROLE " + ROLENAME2 + " TO USER " + USER3_1);
- statement.execute("GRANT ROLE " + ROLENAME2 + " TO USER " + USER4_1);
- statement.execute("GRANT ROLE " + ROLENAME3 + " TO USER " + USER4_1);
- statement.close();
- connection.close();
- }
-
- @Test
- public void testAddDeleteRolesForUser() throws Exception {
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- Set<String> emptyRoleSet = Sets.newHashSet();
- // admin can get all roles for users
- // user1 get the role1 for group1
- ResultSet resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER1_1);
- verifyResultRoles(resultSet, emptyRoleSet);
-
- // user2 get the role1 for group1 and role2 for user2
- resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER2_1);
- verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME3.toLowerCase()));
-
- // user3 get the role1 for group1 and role2 for group2
- resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER3_1);
- verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME2.toLowerCase()));
-
- // user4 get the role2 for group2 and group3, role3 for user4
- resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER4_1);
- verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME2.toLowerCase(), ROLENAME3.toLowerCase()));
- statement.close();
- connection.close();
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- // user1 can show his own roles
- resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER1_1);
- verifyResultRoles(resultSet, emptyRoleSet);
- // test the command : show current roles
- resultSet = statement.executeQuery("SHOW CURRENT ROLES");
- verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME1.toLowerCase()));
-
- try {
- // user1 can't show other's roles if he isn't an admin
- resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER2_1);
- fail("Can't show other's role if the user is not an admin.");
- } catch (Exception e) {
- // excepted exception
- }
- statement.close();
- connection.close();
-
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- // user2 can show his own roles
- resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER2_1);
- verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME3.toLowerCase()));
- // test the command : show current roles
- resultSet = statement.executeQuery("SHOW CURRENT ROLES");
- verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME2.toLowerCase(), ROLENAME3.toLowerCase()));
- statement.close();
- connection.close();
-
- connection = context.createConnection(ADMIN1);
- statement = context.createStatement(connection);
- // revoke the role from user
- statement.execute("REVOKE ROLE " + ROLENAME3 + " FROM USER " + USER2_1);
- statement.execute("REVOKE ROLE " + ROLENAME3 + " FROM USER " + USER4_1);
-
- resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER2_1);
- verifyResultRoles(resultSet, emptyRoleSet);
-
- resultSet = statement.executeQuery("SHOW ROLE GRANT USER " + USER4_1);
- verifyResultRoles(resultSet, Sets.newHashSet(ROLENAME2.toLowerCase()));
- statement.close();
- connection.close();
- }
-
- @Test
- public void testShowGrantNotExistGroup() throws Exception {
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- //group1 does not exist in db;
- ResultSet res = statement.executeQuery("SHOW ROLE GRANT GROUP group1");
-
- List<String> expectedResult = new ArrayList<String>();
- List<String> returnedResult = new ArrayList<String>();
-
- while (res.next()) {
- returnedResult.add(res.getString(1).trim());
- }
- validateReturnedResult(expectedResult, returnedResult);
- returnedResult.clear();
- expectedResult.clear();
-
- statement.close();
- connection.close();
-
- }
-
- @Test
- public void testAuthorizationForUsersWithRoles() throws Exception {
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE TABLE t1 (c1 string)");
- statement.execute("CREATE TABLE t2 (c1 string)");
- statement.execute("CREATE TABLE t3 (c1 string)");
- statement.execute("GRANT SELECT ON TABLE t1 TO ROLE " + ROLENAME1);
- statement.execute("GRANT SELECT ON TABLE t2 TO ROLE " + ROLENAME2);
- statement.execute("GRANT SELECT ON TABLE t3 TO ROLE " + ROLENAME3);
- statement.close();
- connection.close();
-
- // user1 can access the t1
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- statement.execute("select c1 from t1");
- try {
- statement.execute("select c1 from t2");
- fail("Can't access the table t2");
- } catch (Exception e) {
- // excepted exception
- }
- try {
- statement.execute("select c1 from t3");
- fail("Can't access the table t3");
- } catch (Exception e) {
- // excepted exception
- }
- statement.close();
- connection.close();
-
- // user2 can access the t2, t3
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- try {
- statement.execute("select c1 from t1");
- fail("Can't access the table t1");
- } catch (Exception e) {
- // excepted exception
- }
- statement.execute("select c1 from t2");
- statement.execute("select c1 from t3");
- statement.close();
- connection.close();
-
- // user3 can access the t2
- connection = context.createConnection(USER3_1);
- statement = context.createStatement(connection);
- try {
- statement.execute("select c1 from t1");
- fail("Can't access the table t1");
- } catch (Exception e) {
- // excepted exception
- }
- statement.execute("select c1 from t2");
- try {
- statement.execute("select c1 from t3");
- fail("Can't access the table t3");
- } catch (Exception e) {
- // excepted exception
- }
- statement.close();
- connection.close();
-
- // user4 can access the t2,t3
- connection = context.createConnection(USER4_1);
- statement = context.createStatement(connection);
- try {
- statement.execute("select c1 from t1");
- fail("Can't access the table t1");
- } catch (Exception e) {
- // excepted exception
- }
- statement.execute("select c1 from t2");
- statement.execute("select c1 from t3");
- statement.close();
- connection.close();
- }
-
- private void verifyResultRoles(ResultSet resultSet, Set<String> exceptedRoles) throws Exception {
- int size = 0;
- while (resultSet.next()) {
- String tempRole = resultSet.getString(1);
- LOGGER.debug("tempRole:" + tempRole);
- assertTrue(exceptedRoles.contains(tempRole));
- size++;
- }
- assertEquals(exceptedRoles.size(), size);
- resultSet.close();
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
deleted file mode 100644
index b25fa2f..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java
+++ /dev/null
@@ -1,379 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.dbprovider;
-
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.junit.Assert;
-
-import org.apache.hadoop.hive.ql.plan.HiveOperation;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.tests.e2e.hive.AbstractTestWithStaticConfiguration;
-import org.apache.sentry.tests.e2e.hive.DummySentryOnFailureHook;
-import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-public class TestPrivilegeWithGrantOption extends AbstractTestWithStaticConfiguration {
-
- private static boolean isInternalServer = false;
- private static int SHOW_GRANT_ROLE_DB_POSITION = 1;
- private static int SHOW_GRANT_ROLE_TABLE_POSITION = 2;
- private static int SHOW_GRANT_ROLE_WITH_GRANT_POSITION = 8;
-
- @BeforeClass
- public static void setupTestStaticConfiguration() throws Exception {
- useSentryService = true;
- String hiveServer2Type = System
- .getProperty(HiveServerFactory.HIVESERVER2_TYPE);
- if ((hiveServer2Type == null)
- || HiveServerFactory.isInternalServer(HiveServerFactory.HiveServer2Type
- .valueOf(hiveServer2Type.trim()))) {
- System.setProperty(
- HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(),
- DummySentryOnFailureHook.class.getName());
- isInternalServer = true;
- }
- AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
- }
-
- @Override
- @Before
- public void setup() throws Exception {
- DummySentryOnFailureHook.invoked = false;
- super.setupAdmin();
- super.setup();
- }
-
- @Test
- public void testOnGrantSelectColumnPrivilege() throws Exception {
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
- statement.execute("CREATE DATABASE db_1");
- statement.execute("CREATE ROLE group1_role");
- statement.execute("GRANT ALL ON DATABASE db_1 TO ROLE group1_role WITH GRANT OPTION");
- statement.execute("GRANT ROLE group1_role TO GROUP " + USERGROUP1);
- statement.execute("CREATE ROLE group2_role");
- statement.execute("GRANT ROLE group2_role TO GROUP " + USERGROUP2);
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
-
- statement.execute("USE db_1");
- statement.execute("CREATE TABLE test_tb(s STRING, i INT)");
- statement.execute("INSERT INTO TABLE test_tb VALUES('Test', 1)");
- statement.execute("GRANT SELECT(s) ON TABLE test_tb TO ROLE group2_role");
-
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- statement.execute("USE db_1");
- //positive test for order by
- statement.execute("SELECT s FROM test_tb ORDER BY s");
- //negative test for order by
- try {
- statement.execute("SELECT s FROM test_tb ORDER BY i");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- try {
- statement.execute("SELECT s FROM test_tb SORT BY i");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- //positive test for group by
- statement.execute("SELECT COUNT(s) FROM test_tb GROUP BY s ");
- //negative test for group by
- try {
- statement.execute("SELECT COUNT(s) FROM test_tb GROUP BY i");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- try {
- statement.execute("SELECT s FROM test_tb GROUP BY s HAVING SUM(i) > 1");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
- //positive test for where clause
- statement.execute("SELECT s FROM test_tb WHERE s = 'Test' ");
- //negative test fot where clause
- try {
- statement.execute("SELECT s FROM test_tb WHERE i = 1 ");
- Assert.fail("Expected SQL exception");
- } catch (SQLException e) {
- context.verifyAuthzException(e);
- }
-
- }
-
- @Test
- public void testOnGrantOrRevokeRoleToUser() throws Exception {
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
- statement.execute("DROP DATABASE IF EXISTS db_2 CASCADE");
- statement.execute("CREATE DATABASE db_1");
- statement.execute("CREATE ROLE group1_role");
- statement.execute("GRANT ROLE group1_role TO USER " + USER1_1);
- statement.execute("REVOKE ROLE group1_role FROM USER " + USER1_1);
-
- connection.close();
- }
-
- /*
- * Admin grant DB_1 user1 without grant option, grant user3 with grant option,
- * user1 tries to grant it to user2, but failed.
- * user3 can grant it to user2.
- * user1 tries to revoke, but failed.
- * user3 tries to revoke user2, user3 and user1, user3 revoke user1 will failed.
- * permissions for DB_1.
- */
- @Test
- public void testOnGrantPrivilege() throws Exception {
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
- statement.execute("DROP DATABASE IF EXISTS db_2 CASCADE");
- statement.execute("CREATE DATABASE db_1");
- statement.execute("CREATE ROLE group1_role");
- statement.execute("GRANT ALL ON DATABASE db_1 TO ROLE group1_role");
- statement.execute("GRANT ROLE group1_role TO GROUP " + USERGROUP1);
- statement.execute("CREATE ROLE group3_grant_role");
- statement.execute("GRANT ALL ON DATABASE db_1 TO ROLE group3_grant_role WITH GRANT OPTION");
- statement.execute("GRANT ROLE group3_grant_role TO GROUP " + USERGROUP3);
- statement.execute("CREATE ROLE group2_role");
- statement.execute("GRANT ROLE group2_role TO GROUP " + USERGROUP2);
-
- connection.close();
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
-
- statement.execute("USE db_1");
- statement.execute("CREATE TABLE foo (id int)");
- runSQLWithError(statement, "GRANT ALL ON DATABASE db_1 TO ROLE group2_role",
- HiveOperation.GRANT_PRIVILEGE, null, null, true);
- runSQLWithError(statement,
- "GRANT ALL ON DATABASE db_1 TO ROLE group2_role WITH GRANT OPTION",
- HiveOperation.GRANT_PRIVILEGE, null, null, true);
- connection.close();
-
- connection = context.createConnection(USER3_1);
- statement = context.createStatement(connection);
- statement.execute("GRANT ALL ON DATABASE db_1 TO ROLE group2_role");
- connection.close();
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- runSQLWithError(statement, "REVOKE ALL ON Database db_1 FROM ROLE admin_role",
- HiveOperation.REVOKE_PRIVILEGE, null, null, true);
- runSQLWithError(statement, "REVOKE ALL ON Database db_1 FROM ROLE group2_role",
- HiveOperation.REVOKE_PRIVILEGE, null, null, true);
- runSQLWithError(statement,
- "REVOKE ALL ON Database db_1 FROM ROLE group3_grant_role",
- HiveOperation.REVOKE_PRIVILEGE, null, null, true);
- connection.close();
-
- connection = context.createConnection(USER3_1);
- statement = context.createStatement(connection);
- statement.execute("REVOKE ALL ON Database db_1 FROM ROLE group2_role");
- statement.execute("REVOKE ALL ON Database db_1 FROM ROLE group3_grant_role");
- runSQLWithError(statement, "REVOKE ALL ON Database db_1 FROM ROLE group1_role",
- HiveOperation.REVOKE_PRIVILEGE, null, null, true);
-
- connection.close();
- context.close();
- }
-
- @Test
- public void testShowRoleGrantOnUser() throws Exception {
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
- statement.execute("DROP DATABASE IF EXISTS db_2 CASCADE");
- statement.execute("CREATE DATABASE db_1");
- statement.execute("CREATE ROLE group1_role");
- statement.execute("GRANT ROLE group1_role TO USER " + USER1_1);
-
- ResultSet res = statement.executeQuery("SHOW ROLE GRANT USER " + USER1_1);
- List<String> expectedResult = new ArrayList<String>();
- List<String> returnedResult = new ArrayList<String>();
- expectedResult.add("group1_role");
- while(res.next()){
- returnedResult.add(res.getString(1));
- }
-
- validateReturnedResult(expectedResult, returnedResult);
- returnedResult.clear();
- expectedResult.clear();
- res.close();
-
- statement.close();
- connection.close();
- }
- /**
- * Test privileges with grant on parent objects are sufficient for operation
- * on child objects
- * @throws Exception
- */
- @Test
- public void testImpliedPrivilegesWithGrant() throws Exception {
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
-
- statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
- statement.execute("CREATE DATABASE db_1");
-
- statement.execute("CREATE ROLE role1");
- statement
- .execute("GRANT ALL ON DATABASE db_1 TO ROLE role1 WITH GRANT OPTION");
- statement.execute("GRANT ROLE role1 TO GROUP " + USERGROUP1);
-
- statement.execute("CREATE ROLE role2");
- statement.execute("GRANT ROLE role2 TO GROUP " + USERGROUP2);
-
- statement.execute("CREATE ROLE role3_1");
- statement.execute("GRANT ROLE role3_1 TO GROUP " + USERGROUP3);
-
- statement.execute("CREATE ROLE role3_2");
- statement.execute("GRANT ROLE role3_2 TO GROUP " + USERGROUP3);
- connection.close();
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
-
- statement.execute("USE db_1");
- statement.execute("CREATE TABLE foo (id int)");
- // user1 with grant option of ALL on DB should be able grant ALL on TABLE
- statement.execute("GRANT ALL ON TABLE foo TO ROLE role2");
- // user1 with grant option of ALL on DB should be able grant SELECT on DB
- statement.execute("GRANT SELECT ON DATABASE db_1 TO ROLE role3_1");
- // user1 with grant option of ALL on DB should be able grant INSERT on TABLE
- statement.execute("GRANT INSERT ON TABLE foo TO ROLE role3_2");
- connection.close();
-
- connection = context.createConnection(USER2_1);
- statement = context.createStatement(connection);
- statement.execute("USE db_1");
- runSQLWithError(statement, "GRANT ALL ON TABLE foo TO ROLE role3_2",
- HiveOperation.GRANT_PRIVILEGE, null, null, true);
- connection.close();
-
- connection = context.createConnection(ADMIN1);
- statement = context.createStatement(connection);
- statement.execute("use db_1");
- verifySingleGrantWithGrantOption(statement,
- "SHOW GRANT ROLE role2 ON TABLE foo", SHOW_GRANT_ROLE_TABLE_POSITION,
- "foo");
- verifySingleGrantWithGrantOption(statement,
- "SHOW GRANT ROLE role3_1 ON DATABASE db_1",
- SHOW_GRANT_ROLE_DB_POSITION, "db_1");
- verifySingleGrantWithGrantOption(statement,
- "SHOW GRANT ROLE role3_2 ON TABLE foo", SHOW_GRANT_ROLE_TABLE_POSITION,
- "foo");
-
- // test 'with grant option' status
- verifySingleGrantWithGrantOption(statement, "show grant role role1",
- SHOW_GRANT_ROLE_WITH_GRANT_POSITION, "true");
- verifySingleGrantWithGrantOption(statement,
- "SHOW GRANT ROLE role1 ON DATABASE db_1",
- SHOW_GRANT_ROLE_WITH_GRANT_POSITION, "true");
- verifySingleGrantWithGrantOption(statement,
- "SHOW GRANT ROLE role1 ON TABLE foo",
- SHOW_GRANT_ROLE_WITH_GRANT_POSITION, "true");
- verifySingleGrantWithGrantOption(statement, "show grant role role2",
- SHOW_GRANT_ROLE_WITH_GRANT_POSITION, "false");
- verifySingleGrantWithGrantOption(statement,
- "SHOW GRANT ROLE role2 ON TABLE foo",
- SHOW_GRANT_ROLE_WITH_GRANT_POSITION, "false");
- statement.close();
- connection.close();
- }
-
- // run the given statement and verify that failure hook is invoked as expected
- private void runSQLWithError(Statement statement, String sqlStr,
- HiveOperation expectedOp, String dbName, String tableName,
- boolean checkSentryAccessDeniedException) throws Exception {
- // negative test case: non admin user can't create role
- Assert.assertFalse(DummySentryOnFailureHook.invoked);
- try {
- statement.execute(sqlStr);
- Assert.fail("Expected SQL exception for " + sqlStr);
- } catch (SQLException e) {
- verifyFailureHook(expectedOp, dbName, tableName, checkSentryAccessDeniedException);
- } finally {
- DummySentryOnFailureHook.invoked = false;
- }
-
- }
-
- // run the given statement and verify that failure hook is invoked as expected
- private void verifyFailureHook(HiveOperation expectedOp,
- String dbName, String tableName, boolean checkSentryAccessDeniedException)
- throws Exception {
- if (!isInternalServer) {
- return;
- }
-
- Assert.assertTrue(DummySentryOnFailureHook.invoked);
- if (expectedOp != null) {
- Assert.assertNotNull("Hive op is null for op: " + expectedOp, DummySentryOnFailureHook.hiveOp);
- Assert.assertTrue(expectedOp.equals(DummySentryOnFailureHook.hiveOp));
- }
- if (checkSentryAccessDeniedException) {
- Assert.assertTrue("Expected SentryDeniedException for op: " + expectedOp,
- DummySentryOnFailureHook.exception.getCause() instanceof SentryAccessDeniedException);
- }
- if(tableName != null) {
- Assert.assertNotNull("Table object is null for op: " + expectedOp, DummySentryOnFailureHook.table);
- Assert.assertTrue(tableName.equalsIgnoreCase(DummySentryOnFailureHook.table.getName()));
- }
- if(dbName != null) {
- Assert.assertNotNull("Database object is null for op: " + expectedOp, DummySentryOnFailureHook.db);
- Assert.assertTrue(dbName.equalsIgnoreCase(DummySentryOnFailureHook.db.getName()));
- }
- }
-
- // verify the expected object name at specific position in the SHOW GRANT result
- private void verifySingleGrantWithGrantOption(Statement statetment,
- String statementSql, int dbObjectPosition, String dbObjectName)
- throws Exception {
- ResultSet res = statetment.executeQuery(statementSql);
- Assert.assertTrue(res.next());
- Assert.assertEquals(dbObjectName, res.getString(dbObjectPosition));
- res.close();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithHAGrantOption.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithHAGrantOption.java b/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithHAGrantOption.java
deleted file mode 100644
index a1607d5..0000000
--- a/sentry-tests/sentry-tests-hive-v2/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithHAGrantOption.java
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.tests.e2e.dbprovider;
-
-import java.sql.Connection;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.HashMap;
-
-import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
-import org.junit.Assert;
-
-import org.apache.hadoop.hive.ql.plan.HiveOperation;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.tests.e2e.hive.DummySentryOnFailureHook;
-import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
-import org.junit.Assume;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-public class TestPrivilegeWithHAGrantOption extends AbstractTestWithDbProvider {
-
- @BeforeClass
- public static void setup() throws Exception {
- properties = new HashMap<String, String>();
- properties.put(HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(),
- DummySentryOnFailureHook.class.getName());
- createContext();
- DummySentryOnFailureHook.invoked = false;
-
- // Do not run these tests if run with external HiveServer2
- // This test checks for a static member, which will not
- // be set if HiveServer2 and the test run in different JVMs
- String hiveServer2Type = System
- .getProperty(HiveServerFactory.HIVESERVER2_TYPE);
- if(hiveServer2Type != null) {
- Assume.assumeTrue(HiveServerFactory.isInternalServer(
- HiveServerFactory.HiveServer2Type.valueOf(hiveServer2Type.trim())));
- }
- }
-
- /*
- * Admin grant DB_1 user1 without grant option, grant user3 with grant option,
- * user1 tries to grant it to user2, but failed.
- * user3 can grant it to user2.
- * user1 tries to revoke, but failed.
- * user3 tries to revoke user2, user3 and user1, user3 revoke user1 will failed.
- * permissions for DB_1.
- */
- @Test
- public void testOnGrantPrivilege() throws Exception {
-
- // setup db objects needed by the test
- Connection connection = context.createConnection(ADMIN1);
- Statement statement = context.createStatement(connection);
- statement.execute("CREATE ROLE admin_role");
- statement.execute("GRANT ALL ON SERVER "
- + HiveServerFactory.DEFAULT_AUTHZ_SERVER_NAME + " TO ROLE admin_role");
- statement.execute("GRANT ROLE admin_role TO GROUP " + ADMINGROUP);
- statement.execute("DROP DATABASE IF EXISTS db_1 CASCADE");
- statement.execute("DROP DATABASE IF EXISTS db_2 CASCADE");
- statement.execute("CREATE DATABASE db_1");
- shutdownAllSentryService();
- startSentryService(1);
- statement.execute("CREATE ROLE group1_role");
- statement.execute("GRANT ALL ON DATABASE db_1 TO ROLE group1_role");
- statement.execute("GRANT ROLE group1_role TO GROUP " + USERGROUP1);
- statement.execute("CREATE ROLE group3_grant_role");
- shutdownAllSentryService();
- startSentryService(1);
- statement.execute("GRANT ALL ON DATABASE db_1 TO ROLE group3_grant_role WITH GRANT OPTION");
- statement.execute("GRANT ROLE group3_grant_role TO GROUP " + USERGROUP3);
- shutdownAllSentryService();
- startSentryService(1);
- statement.execute("CREATE ROLE group2_role");
- statement.execute("GRANT ROLE group2_role TO GROUP " + USERGROUP2);
-
- connection.close();
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
-
- statement.execute("USE db_1");
- statement.execute("CREATE TABLE foo (id int)");
- verifyFailureHook(statement,"GRANT ALL ON DATABASE db_1 TO ROLE group2_role",HiveOperation.GRANT_PRIVILEGE,null,null,true);
- verifyFailureHook(statement,"GRANT ALL ON DATABASE db_1 TO ROLE group2_role WITH GRANT OPTION",HiveOperation.GRANT_PRIVILEGE,null,null,true);
- connection.close();
-
- connection = context.createConnection(USER3_1);
- shutdownAllSentryService();
- startSentryService(1);
- statement = context.createStatement(connection);
- statement.execute("GRANT ALL ON DATABASE db_1 TO ROLE group2_role");
- connection.close();
-
- connection = context.createConnection(USER1_1);
- statement = context.createStatement(connection);
- verifyFailureHook(statement,"REVOKE ALL ON Database db_1 FROM ROLE admin_role",HiveOperation.REVOKE_PRIVILEGE,null,null,true);
- shutdownAllSentryService();
- startSentryService(1);
- verifyFailureHook(statement,"REVOKE ALL ON Database db_1 FROM ROLE group2_role",HiveOperation.REVOKE_PRIVILEGE,null,null,true);
- verifyFailureHook(statement,"REVOKE ALL ON Database db_1 FROM ROLE group3_grant_role",HiveOperation.REVOKE_PRIVILEGE,null,null,true);
- connection.close();
-
- connection = context.createConnection(USER3_1);
- statement = context.createStatement(connection);
- statement.execute("REVOKE ALL ON Database db_1 FROM ROLE group2_role");
- statement.execute("REVOKE ALL ON Database db_1 FROM ROLE group3_grant_role");
- verifyFailureHook(statement,"REVOKE ALL ON Database db_1 FROM ROLE group1_role",HiveOperation.REVOKE_PRIVILEGE,null,null,true);
-
- connection.close();
- context.close();
- }
-
- // run the given statement and verify that failure hook is invoked as expected
- private void verifyFailureHook(Statement statement, String sqlStr, HiveOperation expectedOp,
- String dbName, String tableName, boolean checkSentryAccessDeniedException) throws Exception {
- // negative test case: non admin user can't create role
- Assert.assertFalse(DummySentryOnFailureHook.invoked);
- try {
- statement.execute(sqlStr);
- Assert.fail("Expected SQL exception for " + sqlStr);
- } catch (SQLException e) {
- Assert.assertTrue(DummySentryOnFailureHook.invoked);
- } finally {
- DummySentryOnFailureHook.invoked = false;
- }
- if (expectedOp != null) {
- Assert.assertNotNull("Hive op is null for op: " + expectedOp, DummySentryOnFailureHook.hiveOp);
- Assert.assertTrue(expectedOp.equals(DummySentryOnFailureHook.hiveOp));
- }
- if (checkSentryAccessDeniedException) {
- Assert.assertTrue("Expected SentryDeniedException for op: " + expectedOp,
- DummySentryOnFailureHook.exception.getCause() instanceof SentryAccessDeniedException);
- }
- if(tableName != null) {
- Assert.assertNotNull("Table object is null for op: " + expectedOp, DummySentryOnFailureHook.table);
- Assert.assertTrue(tableName.equalsIgnoreCase(DummySentryOnFailureHook.table.getName()));
- }
- if(dbName != null) {
- Assert.assertNotNull("Database object is null for op: " + expectedOp, DummySentryOnFailureHook.db);
- Assert.assertTrue(dbName.equalsIgnoreCase(DummySentryOnFailureHook.db.getName()));
- }
- }
-}