Posted to commits@sentry.apache.org by sd...@apache.org on 2015/08/14 09:29:16 UTC
[42/50] [abbrv] incubator-sentry git commit: SENTRY-827: Server scope
always grants ALL (Ryan P via Lenni Kuff)
SENTRY-827: Server scope always grants ALL (Ryan P via Lenni Kuff)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/1e26d56e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/1e26d56e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/1e26d56e
Branch: refs/heads/hive_plugin_v2
Commit: 1e26d56ef36af04dc1b58d549dea95141be243a2
Parents: 7613ede
Author: Lenni Kuff <ls...@cloudera.com>
Authored: Wed Aug 5 00:52:35 2015 -0700
Committer: Lenni Kuff <ls...@cloudera.com>
Committed: Wed Aug 5 00:52:35 2015 -0700
----------------------------------------------------------------------
.../hive/ql/exec/SentryGrantRevokeTask.java | 3 +-
.../thrift/SentryPolicyServiceClient.java | 6 +-
.../SentryPolicyServiceClientDefaultImpl.java | 8 +-
.../e2e/dbprovider/TestDatabaseProvider.java | 93 ++++++++++++++++++--
4 files changed, 95 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e26d56e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
index 2a60a23..13c2c58 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
@@ -590,7 +590,8 @@ public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable
}
} else {
if (serverName != null) {
- sentryClient.revokeServerPrivilege(subject, princ.getName(), serverName, grantOption);
+ sentryClient.revokeServerPrivilege(subject, princ.getName(), serverName,
+ toSentryAction(privDesc.getPrivilege().getPriv()), grantOption);
} else if (uriPath != null) {
sentryClient.revokeURIPrivilege(subject, princ.getName(), server, uriPath, grantOption);
} else if (tableName == null) {
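Review bot: Only the revoke branch now forwards the requested action; the grant branch of this task is outside the hunk, so it is not visible whether `GRANT SELECT ON SERVER` still reaches a server-grant call that hardcodes ALL, and SENTRY-827's title is about the grant path, so that call site should be checked in the same change. If `toSentryAction(privDesc.getPrivilege().getPriv())` can return null or a value that is not valid at server scope, it would be safer to reject it here before the client round trip than to rely on the policy server's handling of an unexpected action. The enclosing method starts and ends outside this hunk.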
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e26d56e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index 9c2d384..3c2c7c6 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -107,11 +107,11 @@ public interface SentryPolicyServiceClient {
public void revokeURIPrivilege(String requestorUserName, String roleName, String server,
String uri, Boolean grantOption) throws SentryUserException;
- public void revokeServerPrivilege(String requestorUserName, String roleName, String server)
- throws SentryUserException;
+ public void revokeServerPrivilege(String requestorUserName, String roleName, String server,
+ String action) throws SentryUserException;
public void revokeServerPrivilege(String requestorUserName, String roleName, String server,
- Boolean grantOption) throws SentryUserException;
+ String action, Boolean grantOption) throws SentryUserException;
public void revokeDatabasePrivilege(String requestorUserName, String roleName, String server,
String db, String action) throws SentryUserException;
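Review bot: The new `action` parameter on both `revokeServerPrivilege` overloads has no Javadoc, and it is a semantic change rather than a plain signature extension — the removed overloads always revoked ALL, so a caller migrating to the new signature could now revoke a narrower privilege and leave the rest of the server-scope grant in place. I would add a Javadoc on the first overload along the lines of `/** Revokes the given server-scope action (e.g. AccessConstants.ALL) from the role. An action is now required; the former action-less overloads implicitly revoked ALL. */` and reference it from the `grantOption` overload. Whether every action string accepted by the database-scope overloads below is also meaningful at server scope is not visible in this hunk.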
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e26d56e/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
index 09b3d99..4afe1b4 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
@@ -484,17 +484,17 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService
}
public void revokeServerPrivilege(String requestorUserName,
- String roleName, String server)
+ String roleName, String server, String action)
throws SentryUserException {
revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL);
+ PrivilegeScope.SERVER, server, null, null, null, null, action);
}
public void revokeServerPrivilege(String requestorUserName,
- String roleName, String server, Boolean grantOption)
+ String roleName, String server, String action, Boolean grantOption)
throws SentryUserException {
revokePrivilege(requestorUserName, roleName,
- PrivilegeScope.SERVER, server, null, null, null, null, AccessConstants.ALL, grantOption);
+ PrivilegeScope.SERVER, server, null, null, null, null, action, grantOption);
}
public void revokeDatabasePrivilege(String requestorUserName,
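Review bot: `action` is passed straight through to `revokePrivilege` in both overloads with no validation, where the removed code supplied a fixed `AccessConstants.ALL`; a null or unexpected value now travels to the policy server, and what it matches there is not visible in this hunk. A guard at the top of each overload, `if (action == null) { throw new IllegalArgumentException("action is required for a server-scope revoke"); }`, prevents a malformed revoke from silently revoking nothing or something other than intended. Whether `revokePrivilege` itself already rejects a null action is not shown here.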
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e26d56e/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
index f9e8f80..7df32fb 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
@@ -83,12 +83,6 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration {
}
}
- @Ignore
- @Test
- public void beelineTest() throws Exception{
- while(true) {}
- }
-
@Test
public void testBasic() throws Exception {
Connection connection = context.createConnection(ADMIN1);
@@ -319,7 +313,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration {
ResultSet resultSet = statement.executeQuery("SHOW GRANT ROLE user_role");
assertResultSize(resultSet, 2);
statement.close();
- connection.close();;
+ connection.close();
// Revoke on Server
connection = context.createConnection(ADMIN1);
@@ -2069,4 +2063,89 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration {
connection.close();
}
+ /* SENTRY-827 */
+ @Test
+ public void serverActions() throws Exception {
+ String[] dbs = {DB1, DB2};
+ String tbl = TBL1;
+
+ //To test Insert
+ File dataDir = context.getDataDir();
+ File dataFile = new File(dataDir, SINGLE_TYPE_DATA_FILE_NAME);
+ FileOutputStream to = new FileOutputStream(dataFile);
+ Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
+ to.close();
+
+ //setup roles and group mapping
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+
+ statement.execute("CREATE ROLE server_all");
+ statement.execute("CREATE ROLE server_select");
+ statement.execute("CREATE ROLE server_insert");
+
+ statement.execute("GRANT ALL ON SERVER server1 to ROLE server_all");
+ statement.execute("GRANT SELECT ON SERVER server1 to ROLE server_select");
+ statement.execute("GRANT INSERT ON SERVER server1 to ROLE server_insert");
+ statement.execute("GRANT ALL ON URI 'file://" + dataFile.getPath() + "' TO ROLE server_select");
+ statement.execute("GRANT ALL ON URI 'file://" + dataFile.getPath() + "' TO ROLE server_insert");
+
+ statement.execute("GRANT ROLE server_all to GROUP " + ADMINGROUP);
+ statement.execute("GRANT ROLE server_select to GROUP " + USERGROUP1);
+ statement.execute("GRANT ROLE server_insert to GROUP " + USERGROUP2);
+
+ for (String db : dbs) {
+ statement.execute("CREATE DATABASE IF NOT EXISTS " + db);
+ statement.execute("CREATE TABLE IF NOT EXISTS " + db + "." + tbl + "(a String)");
+ }
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+ //Test SELECT, ensure INSERT fails
+ for (String db : dbs) {
+ statement.execute("SELECT * FROM " + db + "." + tbl);
+ try{
+ statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() +
+ "' INTO TABLE " + db + "." + tbl);
+ assertTrue("INSERT should not be capable here:",true);
+ }catch(SQLException e){}
+ }
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER2_1);
+ statement = context.createStatement(connection);
+ //Test INSERT, ensure SELECT fails
+ for (String db : dbs){
+ statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() +
+ "' INTO TABLE " + db + "." + tbl);
+ try{
+ statement.execute("SELECT * FROM " + db + "." + tbl);
+ }catch(SQLException e){}
+ }
+
+ statement.close();
+ connection.close();
+
+ //Enusre revoke worked
+ connection = context.createConnection(ADMIN1);
+ statement = context.createStatement(connection);
+ statement.execute("REVOKE SELECT ON SERVER server1 from ROLE server_select");
+
+ statement.close();
+ connection.close();
+
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+
+ try {
+ statement.execute("SELECT * FROM " + dbs[0] + "." + tbl);
+ assertTrue("Revoke Select on server Failed", false);
+ } catch (SQLException e) {}
+
+ statement.close();
+ connection.close();
+ }
}
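Review bot: The negative cases in `serverActions` cannot fail: `assertTrue("INSERT should not be capable here:",true)` passes unconditionally, and the SELECT attempt for USER2_1 has no assertion after `statement.execute("SELECT * FROM " + db + "." + tbl)`, so if server scope still grants ALL the test stays green — which is exactly the regression SENTRY-827 is meant to catch. The line inside the first try should be `assertTrue("INSERT should not be capable here:", false);` and the second try needs `assertTrue("SELECT should not be capable here:", false);` after the SELECT, matching the pattern the hunk already uses for the revoke check. The empty `catch (SQLException e) {}` blocks also treat any SQL error as an authorization denial; asserting on the error message, or using the suite's authorization-failure helper if one exists, would make the negative checks meaningful.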